Master Boot Record (MBR) Repair
Infections in the Master Boot Record (MBR) can be a tricky business.
Occasionally, the user may need to perform additional steps to completely remove the infection.
If available, the Description of the threat may provide specific instructions for repairing an infected MBR.
If a Description for the threat is not available, this page provides more general advise for MBR repair.
In some cases, F-Secure's security products can disinfect the MBR without further action from the user.
If a suspicious hidden file is detected and the F-Secure security product does not immediately remove the file, there are several actions you can perform by manually selecting one of the displayed options:
- If you don't want to do anything about the hidden item, select "None" as the action
- If you don't want to be notified about the file in the future, select "Exclude" as the action
- If you are sure the item is not part of a normal program, you can rename it by selecting "Rename" as the action. This will prevent the hidden program from starting in the future. You should use the "Rename" action very carefully, because renaming important files may break the computer.
In certain cases, more complex malware (e.g., rootkits) may have sufficiently altered the MBR so that regular automatic disinfection is not possible, or not fully effective.
If you suspect this is the case, you may wish to submit a sample of the suspect MBR to our Labs for further analysis.
Submitting a sample of an infected MBR
For detailed instructions on how to obtain a sample of the suspect MBR for submission, please see the following Support KB Article:
Windows includes tools to replace an infected MBR with a copy of the original, clean MBR. To do so:
- Boot into the Recovery Console.
- On Windows XP, run: fixmbr
- On Windows 7, run: bootrec
Note: For further information on use of the 'fixmbr' command, please refer to the relevant Microsoft documentation.