A note from one (me) who is dealing with MBR/kernel rootkits almost every day.
"The MBR rootkit uses IRP hooks to filter out every attempt to read and write the MBR. Disk.sys, the Windows disk class driver used for managing disk devices, was hooked, and the original Windows functions pointed to by the driver and used to handle disk packet requests were replaced by the rootkit's ones. Of course every reference to the original address was overwritten by the rootkit, so that it was more difficult for a security product to discover the original function address and restore the legal function.
The new version of the MBR rootkit is smart enough to give researchers some bad days, due to improved hooking techniques.
It doesn't hook the disk.sys driver anymore; it goes deeper. It checks which is the lower device to which the device \Device\Harddisk0\DR0 - belonging to the disk.sys driver - is attached.
The MBR rootkit and many other ones are all real in-the-wild attacks that are showing the difficulties of the security industry in fighting against these threats."
That's why we need special diagnostic and fix tools to deal with them. What I mean is, if BG and other AV companies really could fix them, then it would in many cases be very damaging, such as eliminating your internet connection completely or removing legitimate files that are required for your computer to run.
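As an added example (not part of the post or of the quoted researcher's text), the snippet below shows the kind of check a diagnostic tool can run once it has a copy of sector 0: parse the MBR, verify the 0x55AA boot signature, and compare the boot code hash and partition table against a known-good baseline. The sample MBR bytes, the disk signature and the partition entry are constructed for the example. Because the post describes the rootkit filtering reads of the MBR through the hooked disk stack, a comparison like this is only meaningful when the current copy is obtained from a read path the rootkit does not control (for example from an offline boot), which the code cannot guarantee by itself.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"        # marks sector 0 as a valid boot sector
BOOT_CODE_LEN = 440                 # boot code precedes the disk signature at offset 440
PARTITION_TABLE_OFF = 446           # four 16-byte partition entries start here


def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR into a boot-code hash, partition entries and signature status."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4), little-endian
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16]
        )
        if ptype != 0:  # type 0 means an empty slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return a list of findings describing how `current` differs from the known-good `baseline`."""
    findings = []
    base, cur = parse_mbr(baseline), parse_mbr(current)
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        # an MBR rootkit replaces the boot code and normally leaves the partition table alone
        findings.append("boot code changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR for the example: given boot code, one NTFS-type partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_signature = b"\x12\x34\x56\x78"   # constructed value, not from any real disk
    reserved = b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1000000)
    table = entry + b"\x00" * 48            # remaining three slots empty
    return code + disk_signature + reserved + table + BOOT_SIGNATURE


if __name__ == "__main__":
    known_good = build_sample_mbr(b"\xfa\x33\xc0")    # constructed "clean" boot code
    suspect = build_sample_mbr(b"\xe9\x00\x01")       # same table, different boot code
    print("clean vs clean:", compare_mbr(known_good, known_good))
    print("clean vs suspect:", compare_mbr(known_good, suspect))
```

In practice the baseline would be captured right after installation and stored off the machine, and the current copy compared against it during a scan; a "boot code changed" finding with an unchanged partition table is exactly the pattern the quoted text describes.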