If a drive is infected with a Stealth virus, the partition table and pointers have been offset. The offset pointer is contained in the MBR. Using the FDISK /MBR command on the computer refreshes the MBR--the pointer to the partition table is lost, as is the ability to boot. The only possible solution is to reinfect the drive and then try to remove the virus again using Fdisk or anti-virus software.
The only time that the FDISK /MBR command is effective against a virus is if it is a boot-sector-only virus (such as the Stoned virus).
If the sector is infected, recovery cannot be guaranteed. If the FDISK /MBR command is used and a Stealth virus is present, the computer can most likely not be recovered because the offsets are not constant.
Examples of Stealth viruses include:
- NY Bomber or NYB
When these symptoms occur, the first step is to run a virus scan. F-Prot, Norton, McAfee, and Dr. Soloman are programs that are commonly used and all have shareware downloads on the Internet. If one of these does not indicate a virus, try one of the others.
Other symptoms can include the following:
- The error message "Windows NT could not start because the following file is missing or corrupt: \<WINN ROOT>\COMPUTER32\NTOSKRNL.EXE."
- A black screen with a cursor blinking in the upper left corner.
Another option for protecting yourself is to boot from an MS-DOS disk and run Norton DiskEdit to view the partition table entries. The entries displayed are those from the indexed location from the active virus. Record the values that are displayed. If, after inoculation, the partition table entries are destroyed, you can manually type the recorded values and restore the partition table values to valid entries (but without the virus).
For additional information, please see the following article in the Microsoft Knowledge Base:
TITLE : FDISK /MBR Rewrites the Master Boot Record
Article ID: 166454 - Last Review: Oct 31, 2006 - Revision: 1