What is the best way to remove a virus?

In order that downtime be short and losses low, do the minimum that you
must to restore the system to a normal state, starting with booting the
system from a clean diskette (see G8). It is *never* necessary to low-
level format a hard disk to recover from a virus infection!

If backups of infected or damaged files are available and, in making
them, appropriate care was taken to ensure that infected files have not
been included in the backups (see D10), restoring from backup is the
safest solution, even though it can be a lot of work if many files are

More commonly, a disinfecting program is used, though disinfection is
somewhat controversial and problematic (see E8). If the virus is a boot-
sector infector, you can continue using the computer with relative
safety (if the hard disk's partition table is left intact) by booting
from a clean system diskette. However, it is wise to go through all
your diskettes removing any infections as, sooner or later, you will be
careless and leave an infected diskette in the machine when it reboots,
or give an infected diskette to someone who doesn't have appropriate
defenses to avoid infection.

Most PC boot-sector infections can be cured by the following simple
process--take particular care to make the checks in Steps 2 and 3.

Note that removing an MBR virus in the following way may not be
desirable, and may even cause valuable information to be lost. For
instance, the One_Half virus gradually encrypts the infected hard drive
"inwards" (starting from the "end" and moving towards the beginning),
encrypting two more tracks at each boot. The information about the size
of the encrypted area is *only* stored in the MBR. If the virus is
removed using the method below, this information will be irrecoverably
lost and a part of the disk of unknown size will remain encrypted.

1. Boot the PC from a clean system floppy--this must be MS-DOS
   5.0 or version 6.0 or higher of PC-DOS or DR DOS. This
   diskette should carry copies of the DOS utilities MEM, FDISK,
   CHKDSK, UNFORMAT and SYS. (See G8 for help on making an
   emergency boot diskette.)

2. Check that your memory configuration is "normal" with MEM
   (see C10 for assistance here). Check that your hard disk
   partitioning is normal--run FDISK and use the "Display
   partition information" option to check this. MS-DOS 5.0 (or
   later) users can use UNFORMAT /L /PARTN.

3. Try doing a DIR of your hard disk/s (C:, D:, etc).
   You should continue with Step 4 *only* if all the tests in
   Step 2 and this step pass. Do *NOT* continue if you were
   unable to correctly access *all* your hard disks, as you will
   quite possibly damage critical information, making permanent
   data damage or loss more likely.

4. Replace the program (code) part of the MBR by using the MS-,
   or PC-DOS FDISK /MBR command. If you use DR DOS 6.0, or
   later, select the FDISK menu option "Re-write Master Boot

5. Replace the DOS boot sector using the command SYS C: (or
   whatever is correct for your first hard disk partition). For
   this step, the version of DOS on your boot diskette must be
   *exactly* the same as is installed on your hard disk (this
   may mean you have to first reboot with a clean boot diskette
   other than that used in Step 1). If you are using a disk
   compression system, such as DoubleSpace or DriveSpace, check
   the documentation on how to locate the physical drive on
   which the compressed volume is installed, and apply the SYS
   command to that instead. Usually this is drive H: or I:.

6. Reboot from your hard disk and check that all is well--if not
   (which is unlikely if you made the recommended checks), seek

7. As you will get re-infected by forgetting an infected
   diskette in your A: drive at boot time, you have to clean all
   your floppies as well. This is harder, as there is no simple
   way of doing this with standard DOS tools. You can copy the
   files from each of your floppies, re-format them and copy the
   files back, but this is a very tedious process (and prone to
   destructive errors!). At this point you probably should
   consider obtaining some good antivirus software.

FDISK /MBR will only overwrite the boot loader code in the MBR of the
*first* hard drive in a system. However, a few viruses will infect both
drives in a two drive system. Although the second hard drive is never
booted from in normal PC configurations, should the second drive from
such a machine ever be used as the first drive in a system, it will
still be infected and in need of disinfecting.
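
As an added illustration (not part of this FAQ), the following Python
script shows the kind of partition-table sanity checks that Step 2 asks
you to make with FDISK, applied to a raw 512-byte copy of the MBR. It
assumes the standard MBR layout (446 bytes of boot-loader code, four
16-byte partition entries, then the 55AA signature). The sample sectors
and the "known-good" hash are constructed for the example; the hash
stands in for a record you would take from the machine while it was
known to be clean. Because FDISK /MBR rewrites only the code area and
leaves the table alone, the script checks the two separately, and in a
two-drive system you would run it against an image of each drive.

```python
"""Sanity checks on a raw Master Boot Record (added example, not FAQ code).

Standard MBR layout: 446 bytes of boot code, a 64-byte table of four
16-byte partition entries, and the 0x55 0xAA signature. All sample sectors
below are constructed for the example.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA_LEN = 446            # boot-loader code: the part FDISK /MBR rewrites
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"        # boot flag, CHS start, type, CHS end, LBA start, sectors


def build_mbr(code, entries):
    """Construct a 512-byte MBR from boot code and (boot_flag, type, lba_start, sectors) tuples."""
    if len(code) > CODE_AREA_LEN:
        raise ValueError("boot code must fit in the 446-byte code area")
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(code)] = code
    for i, (boot_flag, ptype, lba_start, n_sectors) in enumerate(entries):
        off = PARTITION_TABLE_OFF + 16 * i
        # CHS fields are left zeroed; the checks below work on the LBA fields only
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, boot_flag, b"\0\0\0", ptype,
                                        b"\0\0\0", lba_start, n_sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_partition_table(mbr):
    """Return the four partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        boot_flag, _, ptype, _, lba_start, n_sectors = struct.unpack(
            ENTRY_FMT, mbr[off:off + 16])
        entries.append({"boot_flag": boot_flag, "type": ptype,
                        "lba_start": lba_start, "sectors": n_sectors})
    return entries


def check_mbr(mbr, disk_sectors, known_good_code_sha256=None):
    """Return a list of problems found; an empty list means the MBR looks normal."""
    problems = []
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("missing 55AA boot signature")
    entries = parse_partition_table(mbr)
    used = [(i, e) for i, e in enumerate(entries, 1) if e["type"] != 0]
    if not used:
        problems.append("no partitions defined")
    active = [e for _, e in used if e["boot_flag"] == 0x80]
    if used and len(active) != 1:
        problems.append("expected exactly one active partition, found %d" % len(active))
    for i, e in enumerate(entries, 1):
        if e["boot_flag"] not in (0x00, 0x80):
            problems.append("entry %d: invalid boot flag 0x%02x" % (i, e["boot_flag"]))
        if e["type"] == 0:
            continue
        if e["sectors"] == 0:
            problems.append("entry %d: zero-length partition" % i)
        elif e["lba_start"] + e["sectors"] > disk_sectors:
            problems.append("entry %d: extends past the end of the disk" % i)
    # Used entries must not overlap one another.
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"], i) for i, e in used)
    for (_, a_end, ia), (b_start, _, ib) in zip(spans, spans[1:]):
        if b_start < a_end:
            problems.append("entries %d and %d overlap" % (ia, ib))
    # The code area is compared against a hash recorded from a clean machine.
    if known_good_code_sha256 is not None:
        if hashlib.sha256(mbr[:CODE_AREA_LEN]).hexdigest() != known_good_code_sha256:
            problems.append("boot code area differs from the known-good copy")
    return problems


# Constructed samples: a small disk with one bootable FAT16 (type 0x06) partition.
DISK_SECTORS = 204800
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (CODE_AREA_LEN - 5)  # placeholder, not a real loader
TABLE = [(0x80, 0x06, 63, DISK_SECTORS - 63)]
CLEAN_MBR = build_mbr(CLEAN_CODE, TABLE)
KNOWN_GOOD_CODE_SHA256 = hashlib.sha256(CLEAN_MBR[:CODE_AREA_LEN]).hexdigest()
# Same partition table, different code area: what a boot-sector infector leaves behind.
MODIFIED_CODE_MBR = build_mbr(b"\xeb\x3c" + b"\x00" * (CODE_AREA_LEN - 2), TABLE)
# Clean code, but a partition entry that runs past the end of the disk.
DAMAGED_TABLE_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x06, 63, DISK_SECTORS)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("modified code", MODIFIED_CODE_MBR),
                         ("damaged table", DAMAGED_TABLE_MBR)):
        print(name, "->", check_mbr(sector, DISK_SECTORS, KNOWN_GOOD_CODE_SHA256) or "OK")
```

The script reports problems but never writes to the disk; repairing the
code area is still Step 4's job, and a damaged partition table is the
case in which Step 3 tells you not to proceed at all.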