Disinfecting DOS boot record viruses that store the boot sector
1. Hard disk
1.1. Disinfecting DOS boot record viruses in Windows 95/98/Me and DOS
1.2. Disinfecting DOS boot record viruses in Windows NT/2000/XP/2003/Vista
2. Floppy disk
2.1. Disinfecting DOS boot record viruses on floppy disks in Windows 95/98/Me/NT/2000/XP/2003/Vista and OS/2
2.2. Disinfecting DOS boot record viruses on floppy disks in DOS
1. Hard disk
1.1. Disinfecting DOS boot record viruses in Windows 95/98/Me and DOS
- Back up any important data on the hard drive.
- Switch off the PC, wait several seconds and boot from a clean system disk to prevent the virus from being loaded into memory.
- Create a set of Sophos Anti-Virus Emergency SAV disks.
- Put the first floppy disk, containing a copy of 'SWEEP.EXE', in the floppy disk drive and, at the A: prompt, type:
SWEEP *: -DI
- When requested, insert the floppy disk containing the virus data.
- Run another scan to check that the virus has been removed.
If infection persists, replace the boot sector using the DOS utility SYS.COM. Contact support if in doubt.
- Switch off the PC, wait several seconds then boot from a clean system disk to prevent the virus from being loaded into memory. This system disk must be formatted with the same version of the operating system as the PC.
- At the command prompt, type:
DIR C:
- Check that the contents of the infected drive are visible. If they are not, contact support for advice.
- To overwrite the DOS boot sector, enter:
SYS C:
If a virus fragment is reported in upper memory, it probably indicates the presence of a virus. Contact support for advice.
1.2. Disinfecting DOS boot record viruses in Windows NT/2000/XP/2003/Vista
Do not switch the PC off. It may not be able to boot again.
If the PC has booted Windows NT/2000/XP/2003/Vista the SAV32CLI command line scanner may be able to disinfect the virus:
- Back up any important data on the hard drive.
- Close down all programs.
- Start the Command prompt.
- Change to the directory where SAV32CLI.EXE is installed. By default, this is C:\Program Files\Sophos SWEEP for NT.
- To disinfect a DOS boot record virus, type the command:
SAV32CLI -MBR -DI
If your PC cannot boot into Windows NT/2000/XP/2003/Vista, or if disinfection has failed, contact support.
2. Floppy disk
2.1. Disinfecting DOS boot record viruses on floppy disks in Windows 95/98/Me/NT/2000/XP/2003/Vista and OS/2
- Start the Sophos Anti-Virus GUI.
- Select the 'Immediate' tab.
- Go to Options|Configuration... select the 'Action' tab, tick 'Disinfect boot sectors' and 'Request confirmation'. Click 'OK'.
- Double-click the 'A:' icon to scan the floppy disk drive.
- Click 'OK' when asked if the disk should be disinfected.
- Scan the floppy disk again to confirm that disinfection succeeded.
If disinfection failed, use Windows Explorer to copy the files to another disk. Reformat the floppy disk.
2.2. Disinfecting DOS boot record viruses on floppy disks in DOS
At the command prompt:
- Change to the directory where Sophos Anti-Virus is installed.
- Type the following command and insert the floppy disk when prompted:
SWEEP A: -DI -MU
- Check the floppy disk again to confirm that disinfection was successful.
If disinfection failed, copy the files to another disk using COPY or XCOPY (not DISKCOPY). Reformat the floppy disk.
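
A structural check that can accompany the re-scan steps above, given here as an added example and not Sophos code: it inspects a 512-byte copy of a DOS boot sector for the jump instruction, plausible BIOS Parameter Block values and the 55 AA signature. It assumes the sector has already been saved to bytes by a disk utility; the function names are hypothetical, the offsets follow the standard FAT12/16 layout, and the sample sector is constructed. A sector that passes is only well-formed, so the repeat scan remains the confirmation that the virus is gone.

```python
import struct

SECTOR_SIZE = 512

def check_dos_boot_sector(sector):
    """Return a list of structural problems in a 512-byte DOS boot sector copy."""
    if len(sector) != SECTOR_SIZE:
        return ["expected 512 bytes, got %d" % len(sector)]
    problems = []
    # A DOS boot sector begins with a jump over the BIOS Parameter Block (BPB):
    # EB xx 90 (short jump + NOP) or E9 xx xx (near jump).
    if not ((sector[0] == 0xEB and sector[2] == 0x90) or sector[0] == 0xE9):
        problems.append("no jump instruction at offset 0")
    # BPB fields, little-endian: bytes/sector, sectors/cluster, reserved, FAT count.
    bps, spc, reserved, fats = struct.unpack_from("<HBHB", sector, 11)
    if bps not in (512, 1024, 2048, 4096):
        problems.append("implausible bytes per sector: %d" % bps)
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors per cluster is not a power of two: %d" % spc)
    if reserved == 0:
        problems.append("reserved sector count is zero")
    if fats == 0:
        problems.append("FAT count is zero")
    media = sector[21]  # valid media descriptors are F0 and F8..FF
    if media != 0xF0 and media < 0xF8:
        problems.append("invalid media descriptor: 0x%02X" % media)
    if sector[510:512] != b"\x55\xAA":
        problems.append("missing 55 AA boot signature at offset 510")
    return problems

def build_sample_sector():
    """Constructed sample: a minimal 1.44 MB floppy-style boot sector, no boot code."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xEB\x3C\x90"                         # jump over the BPB
    s[3:11] = b"MSDOS5.0"                            # OEM name field
    struct.pack_into("<HBHB", s, 11, 512, 1, 1, 2)   # BPB core fields
    s[21] = 0xF0                                     # media descriptor
    s[510:512] = b"\x55\xAA"                         # boot signature
    return bytes(s)

if __name__ == "__main__":
    good = build_sample_sector()
    damaged = good[:510] + b"\x00\x00"               # constructed: signature wiped
    print("sample: ", check_dos_boot_sector(good) or "structure OK")
    print("damaged:", check_dos_boot_sector(damaged))
```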
