How to check MBR for virus infection? (via MBRCheck)


Often, viruses are very tricky and infect your MBR (Master Boot Record). This is pretty annoying, so let’s find out how to check the MBR for virus infections and how to remove the MBR virus.

How to check MBR for Viruses

The master boot record contains the primary partition tables, which makes it a very important disk record. Code in the MBR (Master Boot Record) is executed automatically on boot up, before Windows loads, and that is why the MBR is a frequent target of viruses. Some viruses will keep coming back unless you remove them from the MBR as well.

1. Repair Corrupt / Broken MBR

If your MBR is corrupt or broken, you can often easily fix it by running a few Windows commands. We have covered this in another article: How to repair MBR in Windows 7

2. Check MBR for viruses

Geekstogo.com provides a useful tool called MBRCheck, which will scan your MBR for any viruses. You should do this if you think your MBR might be infected.

Download MBRCheck.exe

After downloading MBRCheck.exe, stop all your security programs, run it and confirm all UAC prompts. You can run it while you are logged into Windows. If you can’t log in, run it either from safe mode with command prompt or from the system repair tools (boot from the Windows 7 DVD, choose Repair, then open a command prompt).

Check MBR for Viruses

My MBR looks fine: it detected the Windows 7 and Windows XP MBR code that is required to boot the operating system. If MBRCheck.exe finds a virus it will display it and you can proceed with removing the virus. If you need further advice, you can post the .log file that MBRCheck.exe writes to your desktop when it finds a virus.
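To make clear what a tool like MBRCheck actually inspects, here is an added Python example (not part of the article and not MBRCheck’s own code). It parses a 512-byte MBR, hashes the bootstrap code region with SHA1 and compares it against a whitelist, which is how the "MBR Code Faked!" / "Found non-standard or infected MBR." verdict in the log posted in the comment below comes about. The whitelist is left empty as a placeholder (assumption: you fill it from a known-clean machine), and the sample MBR is constructed, with one NTFS partition at LBA 63 so that its byte offset matches the 0x7e00 seen in that log.

```python
import hashlib
import struct

SECTOR = 512
# Placeholder whitelist (assumption): SHA1 of the 440-byte bootstrap code of
# MBRs you trust. MBRCheck carries its own table; this set is empty on purpose.
KNOWN_GOOD_CODE_SHA1 = set()

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into code hash, disk signature and partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]   # 16-byte partition entry
        status, ptype = entry[0], entry[4]
        lba, count = struct.unpack("<II", entry[8:16])
        if ptype != 0:                                # 0x00 means unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count,
                          "offset": lba * SECTOR})   # where the volume begins
    return {
        "code_sha1": hashlib.sha1(sector[:440]).hexdigest().upper(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": parts,
    }

def mbr_status(sector: bytes, known_good=KNOWN_GOOD_CODE_SHA1) -> str:
    """Whitelist verdict: 'OK' if the code hash is known, otherwise flag it."""
    info = parse_mbr(sector)
    return "OK" if info["code_sha1"] in known_good else "Found non-standard or infected MBR."

def make_sample_mbr() -> bytes:
    """Constructed sample: stand-in boot code plus one bootable NTFS partition at LBA 63."""
    code = b"\xEB\x3C\x90" + b"\x90" * 437          # JMP + NOPs instead of real boot code
    sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"  # disk signature + 2 reserved bytes
    part1 = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 77_594_561)
    return code + sig + part1 + b"\x00" * 48 + b"\x55\xAA"

if __name__ == "__main__":
    sample = make_sample_mbr()
    info = parse_mbr(sample)
    for p in info["partitions"]:
        print(f"partition {p['index']} type 0x{p['type']:02X} starts at offset 0x{p['offset']:X}")
    print("SHA1:", info["code_sha1"])
    print(mbr_status(sample))                        # flagged: hash not whitelisted
    print(mbr_status(sample, {info["code_sha1"]}))   # OK once the hash is whitelisted
```

On a real machine the 512 bytes come from reading the start of the physical disk (for example \\.\PhysicalDrive0 on Windows, which needs administrator rights); the sample here lets the parser run offline.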



Written by oliversk Sunday, August 22nd, 2010


One Response to How to check MBR for virus infection? (via MBRCheck)

  1. Joey E said:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001d

    Kernel Drivers (total 93):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EF000 \WINDOWS\system32\hal.dll
    0xF8C76000 \WINDOWS\system32\KDCOM.DLL
    0xF8B86000 \WINDOWS\system32\BOOTVID.dll
    0xF8727000 ACPI.sys
    0xF8C78000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF8716000 pci.sys
    0xF8776000 isapnp.sys
    0xF8C7A000 intelide.sys
    0xF89F6000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF8786000 MountMgr.sys
    0xF86F7000 ftdisk.sys
    0xF8C7C000 dmload.sys
    0xF86D1000 dmio.sys
    0xF89FE000 PartMgr.sys
    0xF8796000 VolSnap.sys
    0xF86B9000 atapi.sys
    0xF87A6000 disk.sys
    0xF87B6000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF8699000 fltmgr.sys
    0xF8687000 sr.sys
    0xF8670000 KSecDD.sys
    0xF865D000 WudfPf.sys
    0xF85D0000 Ntfs.sys
    0xF85A3000 NDIS.sys
    0xF8589000 Mup.sys
    0xF87C6000 agp440.sys
    0xF87E6000 \SystemRoot\system32\DRIVERS\dc21x4.sys
    0xF8A26000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF87F6000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF8A36000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF8806000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF8816000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF850D000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF8A4E000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF8826000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF8A5E000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF84E9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF8836000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF8C1A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF84D2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF8846000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF8856000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF8A7E000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF84C1000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF8866000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF8A8E000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF8A9E000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF8491000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF8876000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF8AAE000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF8C82000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF840B000 \SystemRoot\system32\DRIVERS\update.sys
    0xF8C3E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF8886000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF8896000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF8C86000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF8AC6000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xF8C8A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF8E0D000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8C8E000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF8ADE000 \SystemRoot\System32\drivers\vga.sys
    0xF83F7000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0xF8C92000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF8AEE000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF8AFE000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF8C72000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF83C4000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF836B000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF831B000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF82F9000 \SystemRoot\System32\drivers\afd.sys
    0xF88B6000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF822E000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF81BE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF8530000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF88D6000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF8B1E000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF848D000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF88E6000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF81A6000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF8C98000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF846D000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF8B46000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8D4D000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBFF50000 \SystemRoot\System32\framebuf.dll
    0xBF012000 \SystemRoot\System32\ATMFD.DLL
    0xF7645000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xF6CDC000 \SystemRoot\system32\DRIVERS\srv.sys
    0xF62DF000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF615E000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\axroiuog.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 17):
    0 System Idle Process
    4 System
    392 C:\WINDOWS\system32\smss.exe
    440 csrss.exe
    464 C:\WINDOWS\system32\winlogon.exe
    508 C:\WINDOWS\system32\services.exe
    520 C:\WINDOWS\system32\lsass.exe
    680 C:\WINDOWS\system32\svchost.exe
    764 svchost.exe
    852 C:\WINDOWS\system32\svchost.exe
    908 svchost.exe
    1016 svchost.exe
    1420 C:\WINDOWS\explorer.exe
    1736 C:\WINDOWS\system32\ctfmon.exe
    2024 C:\Program Files\Mozilla Firefox\firefox.exe
    696 C:\Program Files\Mozilla Firefox\plugin-container.exe
    1504 C:\Documents and Settings\Administrator\My Documents\Downloads\MBRCheck.exe

    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: IC35L040AVER07-0, Rev: ER4OA46A

    Size   Device Name          MBR Status
    --------------------------------------------------
    37 GB  \\.\PhysicalDrive0   MBR Code Faked!
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
