How do I remove a copy MBR?

Hi MG,

I've run all the cleaning procedures but mbr.exe is reporting an infected copy MBR. Do I need to remove this? If so, can you tell me how?

I attach the log file for your perusal.

Many thanks, Krebbin.

 

This machine decided to run an NT Authority shutdown (Blaster, Sasser, take yer pick), even though all my tools said it was a clean drive:-(

Well, I decided to delete the partition, then reformatted the drive using Dos 6 fdisk.
Then ran an XP install with a re-reformat to NTFS and guess what, it's still bloody there!

Exactly the same as my attached log.

I can see I'm going to have to trash this drive, cos this is driving me nuts.

 

Ok, I might be talking to myself here, but I've discovered there are only 4 other posts on the net with this problem and none of them got fixed.

Plus they've all happened in the past 2 weeks.

I'm going to format a new drive and copy my data to that. It might just leave out the infected bit. I'll let you know.........

 

My advice if you get one of these errors after an MBR test:
copy of MBR has been found in sector 0x0DF8F900
malicious code @ sector 0x0DF8F903 !
PE file found in sector at 0x0DF8F919 !

Backup data, replace drive and copy data to new drive
On infected drive run HDDGuru's Low level format util
Clone new to old
Put old drive back and test with mbr.exe - it will be clean! Hoorah

 

Hi Chas, Yeah I was working under that assumption too, then I got the NT Authority system shutdown during a printer driver re-install!.

I'd already ran a few tests for malware and all of them came back clean, so I knew there was something well hidden that was still causing problems.

...and I really don't like a system telling me one thing while doing another!!

S'alright now though