Article ID: 166454
This article was previously published under Q166454
In Microsoft Windows NT, using the MS-DOS FDISK /MBR command is not always appropriate when you cannot boot a computer. The problem is that the command rewrites the master boot record (MBR) only, and not the entire boot record: it rewrites only the first 446 bytes of the master boot record, not the partition table. Windows NT disk signatures used for fault tolerance (FT) are also overwritten, and if the drive contained an FT member, Windows NT may not recognize it as an FT member afterward.
If a drive is infected with a stealth virus, the partition table and pointers have been offset. The offset pointer is contained in the MBR. Using the FDISK /MBR command on the computer refreshes the MBR, so the pointer to the partition table is lost, as is the ability to boot. The only possible solution is to reinfect the drive and then try to remove the virus again using Fdisk or anti-virus software.
The only time that the FDISK /MBR command is effective against a virus is if it is a boot-sector-only virus (such as the Stoned virus).
If the sector is infected, recovery cannot be guaranteed. If the FDISK /MBR command is used and a stealth virus is present, the computer most likely cannot be recovered, because the offsets are not constant.
Examples of Stealth viruses include:
If you receive any of the following messages on a blue screen when you are booting Windows NT, you need to check for a virus:
0x0000007B INACCESSIBLE_BOOT_DEVICE
0x0000008F MBR_CHECKSUM_MISMATCH (0x4,0,0,0)
When these symptoms occur, the first step is to run a virus scan. F-Prot, Norton, McAfee, and Dr. Solomon are commonly used programs, and all have shareware downloads on the Internet. If one of these does not indicate a virus, try one of the others.
Other symptoms can include the following:
Another option for protecting yourself is to boot from an MS-DOS disk and run Norton DiskEdit to view the partition table entries. The entries displayed are those from the indexed location from the active virus. Record the values that are displayed. If, after inoculation, the partition table entries are destroyed, you can manually type the recorded values and restore the partition table values to valid entries (but without the virus).
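To make the record-before-repair step above concrete, the following added example (not part of the original article) parses a saved copy of the 512-byte MBR sector, lists the disk signature and partition table entries to write down, and reports which regions differ after a rewrite of the first 446 bytes. The field offsets (disk signature at 0x1B8, four 16-byte entries from byte 446, 0x55AA at byte 510) are the standard MBR layout; the sample sector and the function names are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # region the article says FDISK /MBR rewrites
DISK_SIG_OFFSET = 0x1B8    # 4-byte Windows NT disk signature, inside that region
ENTRY_LEN = 16             # size of one partition table entry

def parse_mbr(sector):
    """Return the values worth recording before any MBR repair is attempted."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)
    entries = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:     # unused slot
            continue
        entries.append({"slot": i, "active": status == 0x80, "type": ptype,
                        "chs_start": chs_start.hex(), "chs_end": chs_end.hex(),
                        "lba_start": lba_start, "sectors": sectors})
    return {"disk_signature": disk_sig, "partitions": entries}

def changed_regions(before, after):
    """Name the MBR regions that differ between two copies of the sector."""
    regions = {"boot_code": (0, DISK_SIG_OFFSET),
               "disk_signature": (DISK_SIG_OFFSET, DISK_SIG_OFFSET + 4),
               "partition_table": (BOOT_CODE_LEN, 510)}
    return [name for name, (a, b) in regions.items() if before[a:b] != after[a:b]]

def build_sample():
    """Constructed sample sector: one active partition of type 0x07."""
    s = bytearray(SECTOR_SIZE)
    s[0:4] = b"\xfa\x33\xc0\x8e"                       # placeholder boot code bytes
    struct.pack_into("<I", s, DISK_SIG_OFFSET, 0x1234ABCD)
    struct.pack_into("<B3sB3sII", s, BOOT_CODE_LEN,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\x3f\x7f", 63, 2056257)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    sample = build_sample()
    print(parse_mbr(sample))
    # Model the rewrite the article describes: first 446 bytes replaced.
    rewritten = bytes(BOOT_CODE_LEN) + sample[BOOT_CODE_LEN:]
    print(changed_regions(sample, rewritten))
```

As with the DiskEdit view described above, a sector copy read while a stealth virus is active shows the entries from the virus's indexed location.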
For additional information, please see the following article in the Microsoft Knowledge Base:
TITLE : FDISK /MBR Rewrites the Master Boot Record
Article ID: 166454 - Last Review: November 1, 2006 - Revision: 2.1