Scan your computer's MBR for Bootkits

Bootkits are malicious programs that infect the hard drive's boot sector (MBR) so that they run before the operating system and all of its programs, including the antivirus, are loaded. This lets them compromise the machine very effectively and makes them much harder to detect.

The following diagram shows in summary what happens when we turn on the computer:

The first thing to load is the BIOS, a program stored on the machine's motherboard. Then the code in the first sector of the hard disk (the MBR) is executed; it is responsible for finding an operating system to start. That is where bootkits install themselves, modifying the original MBR and compromising everything that happens afterwards.
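As an added example (not from the original post, and not one of the tools listed below), here is a small Python script that parses a raw 512-byte MBR the way a scanner does and compares its boot code against a SHA-256 hash recorded when the machine was known to be clean; the sample sectors and the baseline hash are constructed inline.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot code a bootkit would replace
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the boot code
SIGNATURE_OFFSET = 510        # the last two bytes must be 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot-code hash, partition entries and a signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) first LBA(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", sector[start:start + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    signature = struct.unpack("<H", sector[SIGNATURE_OFFSET:MBR_SIZE])[0]
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions, "signature_ok": signature == 0xAA55}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a sector against a known-good boot-code hash; an empty list means no findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from the recorded baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: the given boot code, one active type-0x07 partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return code + table + b"\x55\xAA"

# Constructed sample data: a baseline taken on a clean machine and a sector whose boot code changed.
CLEAN_MBR = build_sample_mbr(b"BASELINE-BOOT-CODE")
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_SIZE]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"CHANGED-BOOT-CODE")
if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE_HASH), check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

On Linux the real first sector can be dumped as root with `dd if=/dev/sda bs=512 count=1 of=mbr.bin` and its bytes passed to check_mbr; the baseline hash is only meaningful if it was recorded before any suspected infection, ideally from a rescue medium rather than the running system.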

Programs to analyze the MBR:

There are many tools that let you quickly scan the MBR for known bootkits; the following are some of them. Note that removing this kind of malware can cause problems with system startup (you may need to recover the MBR), so before deleting any detected file, proceed with care 🙂

Bitdefender Bootkit Removal Tool is compatible with 32- and 64-bit Windows computers; you just have to download and run it to analyze the MBR:

Download: Bootkit Removal Tool 32 bit | 64 bit

RootkitBuster from Trend Micro is another similar program. It only works on 32-bit Windows, and it can scan the MBR and the whole computer for rootkits (a more complete scan). It is worth mentioning that bootkits are a type of rootkit; the difference, as the name implies, is that they infect the boot sector:

If you perform a full scan, beware of false positives: the tool may flag personal files that are not actually infected, so check them carefully before deleting anything.

Download: RootkitBuster

Kaspersky TDSSKiller, compatible with 32- and 64-bit Windows, detects several known bootkits, including those of the TDL family that infected millions of computers in 2011:

Download: TDSSKiller

All of these tools run from within Windows, but there are also others that run directly from a CD or USB stick to carry out the analysis from outside the installed system, so that no malware is able to hide itself.

Two that I think are very good and complete are Kaspersky Rescue Disk and Panda SafeCD; both allow you to analyze the boot sectors and all the files on the computer in search of malware.

I hope the information is useful; as always, if you need help or have questions about using the programs, you can leave a comment or stop by the Forum.

See also: Rootkit on the network card.