The first step is the same for any computer virus, no matter what the type. After the first step, the type of virus determines subsequent steps.
Always try using a commercial antivirus scanner to remove any virus. In some cases, like NTFS volumes, you may need to boot to the volume first, and then run the antivirus scanner. In Windows 2000, AVBOOT is a good, no-frills boot virus remover if kept up to date. The steps after this point assume you don't have an antivirus scanner, or that it did not recognize and remove the virus.
Removing most boot and MBR viruses involves many of the same steps as presented in Chapter 2. The hardest part in a Windows world is determining which boot floppy you have to use to clean the virus and to restore the boot areas to their clean state. Each of the Windows file systems, FAT, VFAT, FAT32, and NTFS, has its own boot files, and the repair tools on the floppy must write the boot files that match the infected volume.
First, you need to boot with a known, clean, write-protected diskette that can read the disk partition and whose boot files match it. A Windows 3.x FAT boot disk cannot read a FAT32 volume, no DOS-based boot disk can read an NTFS partition, and running SYS from a boot disk of the wrong OS version writes the wrong boot sector onto the volume.
Tip
If the boot virus or the damage it can cause is unknown and your boot floppy gets you access to the disk partition, copy crucial files that have not been backed up to diskette first. There is always a small chance that the cleaning process itself will make things worse and leave the partition inaccessible. If you cannot access the disk partition through a boot disk, you might have to reinstall the operating system and restore data from tape.
- Making a 3.x or 9x boot floppy
For Windows 3.x and Windows 9x systems with FAT and VFAT, you can create a boot disk by typing SYS A: or FORMAT A: /S at the command-line prompt. In Windows 9x you can also use My Computer → right-click Floppy A: → Format and choose Copy system files to accomplish the same thing. I then copy SYS.COM, FORMAT.EXE, and FDISK.EXE to the disk to use in troubleshooting.
- Making a Windows 98 FAT32 emergency boot floppy
The Windows 98 install CD-ROM contains a folder called \TOOLS\MTSUTIL\FAT32EBD. It contains a file, FAT32EBD.EXE, that will create a FAT32 Emergency Boot Floppy diskette. You can also make a more comprehensive boot floppy in Windows 9x by creating a Startup Disk during the install process. You can make one at any time by choosing Start → Settings → Control Panel → Add/Remove Programs → Startup Disk. Like the other boot disk options discussed in this section, make sure to write-protect the diskette to prevent computer virus infection.
- Making a Windows NT boot floppy
Format a floppy disk on a Windows NT computer; the floppy must be formatted under NT, because NT writes a floppy boot sector that loads NTLDR rather than the DOS IO.SYS. Copy NTLDR, BOOT.INI, NTDETECT.COM, and NTBOOTDD.SYS (needed only for SCSI adapters with their BIOS disabled) to the floppy. If needed, modify BOOT.INI so that the ARC path (disk controller, disk drive, partition; for example, multi(0)disk(0)rdisk(0)partition(1)\WINNT) points to the system partition on the NT computer. After it is created, you can use the floppy to start Windows NT or 2000 and bypass the corrupted boot files on the hard drive. Only the boot files necessary to reach the NT partition are loaded off the boot floppy; the emergency boot process loads the remaining files directly off the hard drive. If NTOSKRNL.EXE or other boot files on the hard drive are corrupt, you will need to run NT's repair option to fix them.
- Using SYS and FDISK
With Windows 3.x and 9x you can use SYS C: off a clean boot floppy to restore the boot sector, or FDISK /MBR to restore the master boot record. The same rules for when and when not to run this command that were presented in Chapter 2 apply. FDISK /MBR rewrites only the boot code portion of the MBR and leaves the partition table as it finds it, so if a virus has moved or encrypted the real partition table and is decrypting it on the fly, removing the virus code this way can leave the disk unreadable. Don't run FDISK /MBR unless you know doing so will not harm the disk.
Warning
Don't use FDISK /MBR with Windows NT! Using FDISK to restore the Master Boot Record can have disastrous consequences in NT and 2000. FDISK /MBR rewrites only the MBR boot code and not the entire boot record, and because the NT disk signature is stored inside that code area (at offset 0x1B8 of the sector), the rewrite will often overwrite it. If your computer has NT fault-tolerant disks, which are identified by their disk signatures, running FDISK /MBR can remove the redundancy. It's better to be safe than sorry, so don't run FDISK /MBR in an NT or 2000 environment.
- Using ERD in Windows NT
Oftentimes, using an Emergency Repair Disk (ERD) is the only way to recover corrupted NT boot or system files. An ERD must have been created before the infection occurred (using RDISK.EXE /S in NT 4.0). Put your NT installation CD-ROM in the drive and boot up using the installation setup diskettes. Select R to repair the NT installation. Choose Inspect boot sector and Restore startup environment. NT's repair option will prompt you for your ERD disk when appropriate. If you have a boot or MBR virus, one of these cleaning techniques should remove the malicious code.
Tip
Windows 2000 offers a Manual Repair and a Fast Repair in the Emergency Repair process. Both do the same repairs, but Fast Repair does them without lots of prompting.
- Using Windows 2000 Recovery Console
You can replace a corrupted MBR or boot sector using Windows 2000's new Recovery Console. Start the computer from the Windows 2000 Setup CD-ROM or floppy diskettes. Press Enter at the Setup Notification screen, then R to repair, then C to access the Recovery Console. It will ask you to select the current valid Windows 2000 installation and prompt you for the local administrator's password. You will then be able to type commands in the console window. Type FIXMBR to overwrite the master boot code with a new copy, or type FIXBOOT (optionally followed by a drive letter, such as FIXBOOT C:) to write a new boot sector to the system partition. FIXMBR warns you if it detects a nonstandard or invalid partition table signature before it writes; take that warning seriously, since it is the same situation in which FDISK /MBR can do damage.
- DiskProbe and DiskSave
The Windows NT Server Resource Kit CD-ROM contains two vital disk-editing utilities, DISKPROBE.EXE and DISKSAVE.EXE. Both can be used to back up, fix, and restore boot sectors, the MBR, and partition tables. Although both come with copious instructions, they are not for novices. With DiskProbe you work directly with the hexadecimal contents of the sector, compare what you find with what should be there, and make the modifications by hand. DISKSAVE is the easier of the two utilities: it allows single-keystroke saves and restores of the boot sector, MBR, and partition table. DISKSAVE must be run from a DOS prompt, and saved sectors are stored as binary file images. I've used DISKSAVE to send other researchers virus-infected boot sectors through email.
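The sector-level view behind the FDISK /MBR warning above and the DiskProbe comparison just described, as an added example that is not from this book or from the Resource Kit tools: it parses a 512-byte MBR image of the kind DISKSAVE writes, reports the 55AA boot signature, the NT disk signature at offset 0x1B8 and the partition entries, models FDISK /MBR as a rewrite of the 446-byte code area, and compares a saved-good image field by field against the result. The sample MBR, its filler boot-code bytes, and the disk signature value are constructed for the demonstration; the FDISK model is a simplification that rewrites the whole code area, which is exactly what puts the disk signature at risk.

```python
import struct

SECTOR = 512
CODE_AREA = 446         # 0x000-0x1BD: bootstrap code; FDISK /MBR rewrites all of it
SIG_OFFSET = 0x1B8      # NT disk signature, 4 bytes little-endian, inside the code area
TABLE_OFFSET = 0x1BE    # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"  # 0x1FE-0x1FF

# Standard partition type IDs for the file systems discussed in this chapter
PART_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended", 0x06: "FAT16",
              0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0E: "FAT16 (LBA)", 0x0F: "Extended (LBA)"}


def parse_mbr(sector):
    """Decode a 512-byte MBR image (e.g. a DISKSAVE dump) into its fields."""
    if len(sector) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    info = {
        "boot_signature_ok": sector[0x1FE:0x200] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", sector, SIG_OFFSET)[0],
        "partitions": [],
    }
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:          # empty slot
            continue
        info["partitions"].append({
            "slot": i,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, "0x%02X" % ptype),
            "lba_start": lba_start,
            "sectors": count,
        })
    return info


def build_sample_mbr():
    """Constructed sample: a healthy NT-style MBR with a disk signature and two
    partitions (NTFS system partition, FAT32 data). The code bytes are filler,
    not real bootstrap code, and the signature value is made up."""
    code = bytearray(b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (CODE_AREA - 5))
    struct.pack_into("<I", code, SIG_OFFSET, 0xA1B2C3D4)   # NT disk signature
    code[0x1BC:0x1BE] = b"\x00\x00"
    table = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 4192902)
    table += struct.pack("<B3sB3sII", 0x00, b"\x00\x01\x00", 0x0B, b"\xFE\xFF\xFF", 4192965, 2104515)
    table += b"\x00" * 32                                   # two empty slots
    return bytes(code) + table + BOOT_SIG


def fdisk_mbr(sector):
    """Model of FDISK /MBR: replace the whole 446-byte code area with fresh DOS
    boot code (stand-in bytes here) and keep the partition table and 55AA.
    Because the NT disk signature lives inside that area, it is wiped too."""
    new_code = b"\xFA\x33\xC0" + b"\x00" * (CODE_AREA - 3)
    return new_code + sector[CODE_AREA:]


def compare_mbr(saved, current):
    """Field-by-field comparison of a saved-good image against the live sector,
    the check DiskProbe makes you do by hand in hex."""
    return {
        "code_changed": saved[:SIG_OFFSET] != current[:SIG_OFFSET],
        "disk_signature_changed": saved[SIG_OFFSET:SIG_OFFSET + 4] != current[SIG_OFFSET:SIG_OFFSET + 4],
        "partition_table_changed": saved[TABLE_OFFSET:0x1FE] != current[TABLE_OFFSET:0x1FE],
        "boot_signature_changed": saved[0x1FE:] != current[0x1FE:],
    }


if __name__ == "__main__":
    good = build_sample_mbr()
    print("saved image:", parse_mbr(good))
    after = fdisk_mbr(good)
    print("after FDISK /MBR model:", parse_mbr(after))
    print("fields changed:", compare_mbr(good, after))
```

On a real system you would feed parse_mbr and compare_mbr the binary images DISKSAVE wrote before and after cleaning; a virus that only patches the code area shows up as code_changed with the table intact, while a disk_signature_changed result after a repair is the fault-tolerant-set breakage the warning above describes.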