FromTheRafters said:
[snip]
So neither is recommended for removing boot viruses?
I wouldn't entirely exclude FDISK and SYS, especially not FDISK, from the list
of available tools for repairing boot virus damage. After all, their respective
action on the boot sector or MBR is implemented in FIXBOOT and FIXMBR, two tools
used as part of the repair console of the newer OS.
Understood. My intention was to caution against possibly doing more
harm than good by implementing either of these without first determining
exactly which boot virus one is attempting to remove, and the system
specifics (dual boot, overlay, etc.) being dealt with.
Boot viruses are where AV software always did a lousy job. Lots of false alarms,
misidentification of the virus, and the worst - a high percentage of unsuccessful
"disinfections" that ended in loss of access to partition(s), or loss of self
boot ability.
Having said that, you realize that the "exact" determination of the boot virus,
if there is one at all, is not always possible. Worse: such determination by
AV cannot be trusted and shouldn't be acted upon, especially when multiple
products do not agree on the identification of the alleged virus, or what is
more often the case, only one product claims finding the virus, and the others
see none.
A better approach to boot viruses is the generic one. Follow some rules on how to
safely use FDISK /MBR or FIXMBR:
For platforms that run under DOS, Windows 9x, or Millennium:
- Prepare a boot disk on a clean PC that runs under the same OS which is
installed on the problem PC. Copy FDISK.EXE to the floppy and write-protect the
floppy. A utility that will prepare such a floppy for the above mentioned
platforms is MakeResQ from
www.invircible.com/iv_tools.php
- Boot the problem PC from the floppy you made.
- When at the A: prompt, run FDISK /STATUS. You should see the details of all
partitions on installed fixed drives. If these details conform to the known
configuration of your drives, especially of the first one, then it's safe to run
FDISK /MBR on that drive.
If your antivirus still finds a virus after having run FDISK /MBR, then change
the antivirus.
Dual boot and overlays:
As I explained elsewhere in this thread, Microsoft's dual boot is initiated by
the boot sector (NOT the MBR), pointing to the NT loader (NTLDR, followed by
NTDETECT.COM) and by the content of C:\boot.ini. FDISK /MBR is perfectly safe
to run on such a drive.
As to boot overlays: there are two types of these, one originally written by
Ontrack (Disk Manager) and the other known as EZ-BIOS. FDISK /MBR is the
manufacturer-recommended method to rewrite the MBR loader of Disk Manager, in
case it has been corrupted or affected by a virus! For both overlays, you will
have to rewrite the overlay anyway in case of virus infection, as the overlay
was most probably punched by the virus, having relocated the original MBR and
overwritten part of the overlay.
W2K and XP: If Windows starts normally and your AV claims to find a virus in
the MBR, then start the repair console and run FIXMBR. If the AV still claims
that it finds the virus after having run FIXMBR, then replace the antivirus, as
it is false-alarming.
Regards, Zvi
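The "check FDISK /STATUS, then rewrite the loader" rule above, modelled on an MBR sector image as an added example (not code from the thread or from InVircible): it parses the four partition entries, runs the consistency check a person does by eye against FDISK /STATUS output, and only then replaces the 446 code bytes while leaving the partition table and signature untouched. The byte offsets are the standard MBR layout; the sample sector and its partitions are constructed for the demonstration.

```python
import struct

# Classic MBR layout: 446 bytes of boot code, four 16-byte partition entries
# at offset 446 (status, CHS start, type, CHS end, LBA start, sector count),
# and the 0x55AA signature at offset 510.
BOOT_CODE_LEN, ENTRY_LEN, SECTOR = 446, 16, 512
SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes):
    """Return (boot_code, partitions, signature_ok) for one 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector, BOOT_CODE_LEN + i * ENTRY_LEN)
        if ptype != 0:  # type 0 is an unused slot
            parts.append({"slot": i, "bootable": status == 0x80,
                          "type": ptype, "start": start, "sectors": count})
    return sector[:BOOT_CODE_LEN], parts, sector[510:] == SIGNATURE

def table_problems(parts):
    """FDISK /STATUS-style sanity check; empty list means the table is consistent."""
    problems = []
    if sum(p["bootable"] for p in parts) > 1:
        problems.append("more than one active partition")
    for p in parts:
        if p["start"] == 0 or p["sectors"] == 0:
            problems.append(f"slot {p['slot']}: zero start or length")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            problems.append(f"slots {a['slot']} and {b['slot']} overlap")
    return problems

def rewrite_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Model of an MBR-loader rewrite: replace only the 446 code bytes, keep
    the table and signature, and refuse if the table is not trustworthy."""
    _, parts, sig_ok = parse_mbr(sector)
    if not sig_ok or table_problems(parts):
        raise RuntimeError("partition table not trustworthy; do not rewrite")
    return clean_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[BOOT_CODE_LEN:]

def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code plus a FAT32 (LBA) partition
    at sector 63 and an NTFS partition right after it."""
    code = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2)  # constructed, not real
    e1 = struct.pack("<B3xB3xII", 0x80, 0x0C, 63, 2_000_000)
    e2 = struct.pack("<B3xB3xII", 0x00, 0x07, 2_000_063, 1_000_000)
    return code + e1 + e2 + b"\x00" * 32 + SIGNATURE
```

On a real disk image the sector would be the first 512 bytes of the drive; the refusal path is the counterpart of Zvi's advice not to run FDISK /MBR when the FDISK /STATUS listing does not match the known configuration.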