Master Boot Record (MBR) Repair
Infections in the Master Boot Record (MBR) are a tricky business, and may sometimes require a user to take additional steps to completely remove the infection.
If available, the Description of the relevant malware may provide removal details tailored to the suspect malware or specific infection scenario.
If specific removal instructions are not yet available, this page provides more general actions for repairing an infected MBR. Click the link to jump to the relevant instructions:
- Automatic Disinfection
- Contact Support
- Advanced: Manual MBR Repair
- Additional Options
In some cases, F-Secure's security products can disinfect the MBR without further action from the user.
If a suspicious hidden file is detected and FSAV does not immediately remove the file, there are several actions you can perform by manually selecting one of the displayed option:
- If you don't want to do anything about the hidden item, select "None" as the action
- If you don't want to be notified about the file in the future, select "Exclude" as the action
- If you are sure the item is not part of a normal program, you can rename it by selecting "Rename" as the action. This will prevent the hidden program from starting in the future. You should use the "Rename" action very carefully, because renaming important files may break the computer.
In certain cases, more complex malware (e.g., rootkits) may have sufficiently altered the MBR so that regular automatic disinfection is not possible, or not fully effective.
If you suspect this is the case, you may wish to send a sample of the suspect MBR to our Labs for further analysis.
For detailed instructions on how to obtain a sample of the suspect MBR for submission, please see the following Support KB Article:
Note: MBR repair, if incorrectly performed, may result in additional damage; it is only advisable for advanced users.
In certain cases, a user may attempt to manually replace the suspect MBR with a clean version.
Users attempting manual data recovery and repair may want to use our free utility program, the F-Secure Rescue CD, to do so.
Windows includes tools to replace an infected MBR with a copy of the original, clean MBR. To do so:
- Boot into the Recovery Console.
- Depending on the operating system in question, run the appropriate command on all infected drives:
- On Windows XP, run: fixmbr
- On Windows 7, run: bootrec
Note: For further information on use of the 'fixmbr' command, please refer to the relevant Microsoft documentation.