What Is an MBR Infection?

An MBR (Master Boot Record) infection happens when malware compromises the first sector of your hard drive, the part that loads before your operating system. This type of infection is especially dangerous because:

  • It executes before Windows or any antivirus loads.
  • It can bypass traditional security software.
  • It may prevent your system from booting.
  • It is often used by rootkits or ransomware to gain persistence.

⚠️ Step 1: Recognizing the Signs

Watch for these warning signs that may indicate your MBR is compromised:

  • Unexpected boot errors like “No Bootable Device Found”
  • Blue Screen of Death (BSOD) on startup
  • System restarts before Windows loads
  • Error messages such as “Operating System Not Found”
  • Disk access errors
  • Alerts from security software about boot sector modifications

🧪 Step 2: Scanning for an MBR Infection

Use the methods below to scan your system for signs of an MBR infection:

🖥️ Method 1: Check Using Command Prompt

  1. Boot into Windows or Windows Recovery Environment (WinRE).
  2. Open Command Prompt and enter:
wmic partition get BootPartition,PrimaryPartition,Size
  3. If the BootPartition is set on an unexpected volume, it could indicate an infection.

🔎 Method 2: Use FRST (Farbar Recovery Scan Tool)

  1. Download FRST from BleepingComputer.
  2. Run a scan.
  3. Review the scan log for an MBR.dat entry. If unknown boot code is detected, your MBR may be compromised.

🛡️ Method 3: Bootable Antivirus Scan

  1. Download a bootable antivirus (e.g., Kaspersky Rescue Disk, Trend Micro Rescue Disk).
  2. Boot from the rescue media.
  3. Run a full system scan to detect MBR-level infections.

🧹 Step 3: Removing an MBR Infection

Once confirmed, remove the infection using one of the following methods:

🔧 Method 1: Rebuild MBR via Windows Recovery

  1. Boot into Windows Recovery Mode (WinRE).
  2. Open Command Prompt and enter:
bootrec /fixmbr
bootrec /fixboot
bootrec /scanos
bootrec /rebuildbcd
  3. Restart your PC.

🧰 Method 2: Fix with FRST

  1. Boot into WinRE.
  2. Run FRST.
  3. Create a Fixlist containing:
Start
MBR: Windows 10
End
  4. Click Fix in FRST and reboot when complete.

🛡️ Method 3: Use Bootable Antivirus Tools

  1. Boot from a rescue USB or CD.
  2. Perform a full scan.
  3. Remove any infections found in the MBR.

✅ Step 4: Verify the MBR Is Clean

After disinfecting your system, verify the MBR is restored properly:

  1. Boot into Windows and open Command Prompt.
  2. Type:
bootsect /nt60 ALL
  3. Reboot your PC and confirm that the system starts without errors.
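
To inspect sector 0 directly rather than rely on a clean boot, the following added example (not part of the original article) parses a 512-byte copy of the MBR, checks the 0x55AA signature and the active-partition flags, and hashes the 440-byte boot code for comparison with a known-good baseline. The function names and the constructed sample sector are assumptions; obtaining the sector dump is left to your imaging tool.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code area; disk signature follows at 0x1B8
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"      # boot signature at offsets 510-511

def inspect_mbr(sector, known_good_sha256=None):
    """Return the boot code hash, partition entries and findings for one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    findings, partitions, active = [], [], []
    if sector[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i : PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 and sectors == 0:
            continue                                  # unused slot
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte {status:#04x}")
        if status == 0x80:
            active.append(i)                          # the partition flagged bootable
        partitions.append({"index": i, "type": ptype, "active": status == 0x80,
                           "lba_start": lba_start, "sectors": sectors})
    if len(active) > 1:
        findings.append(f"multiple active partitions: {active}")
    code_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if known_good_sha256 and code_hash != known_good_sha256.lower():
        findings.append("boot code differs from known-good baseline")
    return {"boot_code_sha256": code_hash, "partitions": partitions,
            "findings": findings}

def build_sample_mbr(boot_code):
    """Constructed test sector: one active NTFS (0x07) partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    body = boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry + b"\x00" * 48
    return body + SIGNATURE

if __name__ == "__main__":
    clean = build_sample_mbr(b"\x01\x02\x03")        # constructed bytes, not real boot code
    baseline = inspect_mbr(clean)["boot_code_sha256"]
    changed = build_sample_mbr(b"\x01\x02\xff")      # same layout, different code bytes
    print(inspect_mbr(clean, baseline)["findings"])
    print(inspect_mbr(changed, baseline)["findings"])
```

Record the baseline hash from a sector you trust (for example, right after a clean install) so later comparisons are meaningful.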

Stay alert, stay protected.
