Removing Viruses

The first step is the same for any computer virus, no matter what the type. After the first step, the type of virus determines subsequent steps.

Use an Antivirus Scanner

Always try using a commercial antivirus scanner to remove any virus. In some cases, such as with NTFS volumes, you may need to boot to the volume first, and then run the antivirus scanner. In Windows 2000, AVBOOT is a good, no-frills boot virus remover if kept up to date. Steps after this point assume you don’t have an antivirus scanner or that it did not recognize and remove the virus.

Removing Boot Viruses

Removing most boot and MBR viruses involves many of the same steps as presented in Chapter 2. The hardest part in a Windows world is determining what type of boot floppy you have to use to clean the virus and to restore the boot areas to their clean state. Each of the different Windows file systems (FAT, VFAT, FAT32, and NTFS) has its own boot files.

Boot with a clean disk

First, you need to boot with a known, clean, write-protected diskette that will recognize the disk partition. This means you can’t use a FAT32 boot disk on a FAT volume, or a FAT disk on an NTFS partition, and vice versa.


If the boot virus or the damage it can cause is unknown and your boot floppy gets you access to the disk partition, copy crucial files that have not been backed up to diskette. There is always a small chance that, in the cleaning process, you could make matters worse and leave the partition inaccessible. If you cannot access the disk partition through a boot disk, you might have to reinstall the operating system and restore data from tape.

Making a 3.x or 9x boot floppy

For Windows 3.x and Windows 9x systems with FAT and VFAT, you can create a boot disk by using SYS A: or FORMAT A: /S at the command-line prompt. In Windows 9x, you can accomplish the same thing from My Computer: right-click Floppy A:, choose Format, and select Copy System files. I then copy SYS.COM, FORMAT.EXE, and FDISK.EXE to the disk to use in troubleshooting.

Making a Windows 98 FAT32 emergency boot floppy

The Windows 98 install CD-ROM contains a folder called \TOOLS\MTSUTIL\FAT32EBD. It contains a file, FAT32EBD.EXE, that will create a FAT32 Emergency Boot Floppy diskette. You can also make a more comprehensive boot floppy in Windows 9x by making a Startup Diskette during the install process. You can make one at any time by choosing Start → Settings → Control Panel → Add/Remove Programs → Startup. As with the other boot disk options discussed in this section, make sure to write-protect the diskette to prevent computer virus infection.

Making a Windows NT boot floppy

Format a floppy disk on a Windows NT computer. Copy NTLDR, BOOT.INI, NTDETECT.COM, and NTBOOTDD.SYS (for a BIOS-disabled SCSI adapter) to the floppy. If needed, modify BOOT.INI so that the ARC path (disk controller, disk drive, partition) points to the system partition on the NT computer. After it is created, you can use the floppy to start Windows NT or 2000 and bypass the initially corrupted boot files. Only the boot files necessary to reach the NT partition are loaded off the boot floppy. The emergency boot process loads other files directly off the hard drive. If NTOSKRNL.EXE or other boot files on the hard drive are corrupt, you will need to run NT’s repair option to fix them.
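Before trusting a boot floppy, it helps to confirm that each ARC path in its BOOT.INI is well formed and that the floppy carries the files those paths require. The following is an added example, not code from the original text; the sample BOOT.INI is constructed and the function names are hypothetical.

```python
import re

# Constructed sample BOOT.INI for a boot floppy (not taken from the page).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server 4.0"
scsi(0)disk(1)rdisk(0)partition(2)\WINNT="NT on SCSI ID 1"
C:\="MS-DOS"
"""

ARC_RE = re.compile(r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)"
                    r"partition\((\d+)\)(\\.*)?$", re.IGNORECASE)

def parse_arc(path):
    """Split an ARC path into its fields; return None if it is not one."""
    m = ARC_RE.match(path.strip())
    if not m:
        return None
    kind, ctrl, disk, rdisk, part, sysdir = m.groups()
    arc = {"kind": kind.lower(), "controller": int(ctrl), "disk": int(disk),
           "rdisk": int(rdisk), "partition": int(part), "dir": sysdir or "\\",
           "problems": []}
    if arc["partition"] < 1:
        arc["problems"].append("BOOT.INI partition numbers start at 1")
    if arc["kind"] == "multi" and arc["disk"] != 0:
        arc["problems"].append("with multi(), disk() is 0 and rdisk() picks the drive")
    return arc

def check_boot_ini(text):
    """Return (ARC entries under [operating systems], files the floppy needs)."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "operating systems" and "=" in line:
            arc = parse_arc(line.split("=", 1)[0])
            if arc:                      # entries such as C:\="MS-DOS" are skipped
                entries.append(arc)
    needed = ["NTLDR", "BOOT.INI", "NTDETECT.COM"]
    if any(e["kind"] == "scsi" for e in entries):
        needed.append("NTBOOTDD.SYS")    # scsi() paths are read through this driver
    return entries, needed
```
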

Removing the Boot Virus Manually

Using SYS and FDISK

With Windows 3.x and 9x you can use SYS C: off a clean boot floppy to restore the boot sector, or FDISK /MBR to restore the master boot record. The same rules of when and when not to run this command that were presented in Chapter 2 apply. Don’t run FDISK /MBR unless you know doing so will not harm the disk.


Don’t use FDISK /MBR with Windows NT! Using FDISK to restore the Master Boot Record can have disastrous consequences in NT and 2000. FDISK /MBR only rewrites the MBR and not the entire boot record, and will often overwrite NT disk signatures. If your computer has NT fault-tolerant disks, running FDISK /MBR can remove the redundancy. It’s better to be safe than sorry, so don’t run FDISK /MBR in an NT or 2000 environment.

Using ERD in Windows NT

Oftentimes, using an Emergency Repair Disk (ERD) is the only way to recover corrupted NT boot or system files. An ERD must have been created before the infection occurred (using RDISK.EXE /S in NT 4.0). Put your NT installation CD-ROM in the drive and boot up using the installation setup diskettes. Select R to repair the NT installation. Choose Inspect boot sector and Restore Startup Environment. NT’s repair option will prompt you for your ERD disk when appropriate. If you have a boot or MBR virus, one of these cleaning techniques should remove the malicious code.


Windows 2000 has a Manual Repair and Fast Repair in the Emergency Repair process. Either process does the same thing, but the Fast Repair does it without lots of prompting.

Using Windows 2000 Recovery Console

You can replace a corrupted MBR or boot sector using 2000’s new Recovery Console. Start the computer from the Windows 2000 Setup CD-ROM or floppy diskettes. Press Enter at the Setup Notification screen, then R to repair, then C to access the Recovery Console. It will ask you to select the current valid 2000 installation, and prompt you for the local administrator’s password. You will then be able to type in commands in the console window. Type FIXMBR to overwrite the master boot code with a new copy or type FIXBOOT to replace the boot sector of the hard drive.

DiskProbe and DiskSave

The Windows NT Server Resource Kit CD-ROM contains two vital disk-editing utilities: DISKPROBE.EXE and DISKSAVE.EXE. Both are command-line utilities that can be used to back up, fix, and restore boot sectors, the MBR, and partition tables. Although both contain copious instructions, they are not for novices. With DiskProbe you will have to work directly with hexadecimal code on the disk, compare what you find with what you should have, and make modifications. DISKSAVE is the easier of the two utilities. It allows single-keystroke saves and restores of the boot sector, MBR, and partition table. DISKSAVE must be run from a DOS prompt, and saved sectors are stored as binary file images. I’ve used DISKSAVE to send other researchers virus-infected boot sectors through email.
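Comparing what is on the disk with what should be there is easier when the 512-byte MBR is split into its regions, which also shows why rewriting the boot code area can disturb the NT disk signature. The following is an added example, not code from the original text or from either utility; it assumes the saved image is a raw copy of sector 0, and the sample sectors are constructed with filler bytes in place of real boot code.

```python
import struct

# Classic PC MBR layout. Windows NT keeps a 4-byte disk signature at 0x1B8,
# inside the area a DOS-era tool treats as plain boot code.
REGIONS = [("boot code", 0x000, 0x1B8), ("NT disk signature", 0x1B8, 0x1BC),
           ("reserved", 0x1BC, 0x1BE), ("partition table", 0x1BE, 0x1FE),
           ("boot signature", 0x1FE, 0x200)]
PART_TYPES = {0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16", 0x0E: "FAT16 (LBA)",
              0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x07: "NTFS/HPFS",
              0x05: "Extended", 0x0F: "Extended (LBA)"}

def parse_partitions(mbr):
    """Decode the four 16-byte partition entries, skipping empty slots."""
    parts = []
    for slot in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, 0x1BE + 16 * slot)
        if ptype:
            parts.append({"slot": slot, "active": status == 0x80,
                          "type": PART_TYPES.get(ptype, hex(ptype)),
                          "start_lba": lba, "sectors": count})
    return parts

def compare_mbr(saved, current):
    """Name every MBR region where the current sector differs from the saved one."""
    if len(saved) != 512 or len(current) != 512:
        raise ValueError("an MBR image must be exactly 512 bytes")
    return [name for name, lo, hi in REGIONS if saved[lo:hi] != current[lo:hi]]

def build_sample(boot_fill, disk_sig):
    """Constructed test sector: filler bytes stand in for real boot code."""
    mbr = bytearray(512)
    mbr[0:0x1B8] = bytes([boot_fill]) * 0x1B8
    struct.pack_into("<I", mbr, 0x1B8, disk_sig)
    struct.pack_into("<B3xB3xII", mbr, 0x1BE, 0x80, 0x07, 63, 4192902)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)

if __name__ == "__main__":
    saved = build_sample(0x90, 0x12345678)    # image taken while the disk was clean
    current = build_sample(0xCC, 0x00000000)  # boot code changed, signature lost
    print("changed regions:", compare_mbr(saved, current))
    for p in parse_partitions(current):
        print(p)
```

A change confined to the boot code region leaves the partition table intact, while a difference in the disk signature or partition table region is the kind of damage the FDISK /MBR warning above is about.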

