PC users sometimes resort to drastic measures to remove a virus. The use [more precisely, misuse] of low-level programs like FDISK, to remove viruses, is more common than might be expected. In most cases, of course, viruses can be removed, with a minimum of fuss, using an anti-virus program. So wielding such tools as FDISK is heavy-handed. However, it's quite often worse than using a 'sledgehammer to crack a nut'; in many cases, 'the nut' fails to crack. It is worth examining what effect utilities like FDISK and FORMAT have on the hard disk; and how this relates to a virus infection.
Most users resort to the use of such 'heavy artillery' when their anti-virus program [or several anti-virus programs] has failed to remove a virus. This is uncommon, but it can happen, for a variety of reasons. It is advisable to contact Technical Support at this point, rather than panicking and seeking an 'easy solution', which may be worse than the problem. Of course, the 'advisable' course of action is not necessarily the one which is chosen. So let's take a look at exactly what effect FORMAT and FDISK have on a disk.
First, let's consider the use of the program FORMAT. This is designed to prepare a disk for use. If the hard disk is formatted using the syntax FORMAT C: /U /S
it will have the following effect on the disk
The data area of the disk is not overwritten. However, since the FAT and root directory are zeroed, data on the disk is not easily recoverable [it would have to be 'stitched together', by hand, by someone experienced in data recovery techniques].
If the hard disk is formatted using the syntax specified above [after booting from a clean DOS system disk], any virus in the boot sector, or the file area, will be removed. This includes file viruses and viruses which infect the hard disk boot sector [such as Form or Daboys]. The command SYS C: will also remove a virus from the hard disk boot sector, since this will have the same effect as adding /S to the FORMAT command.
However, it should be noted that FORMAT affects only the area of the disk covered by the operating system. Viruses which infect the partition sector [Master Boot Record, MBR] will not be removed by a re-format of the hard disk. The partition sector is not affected by FORMAT. Partition sector viruses [Parity.b, StealthBoot, NYB, etc.] and multipartite viruses [Natas, Junkie, etc.], which infect the partition sector, will 'survive' a re-format of the hard disk. It should be remembered that boot sector viruses [most of which infect the partition sector of the hard disk] represent a significant percentage of the viruses reported to Technical Support.
FORMAT has a slightly different effect on floppy disks. In the first place, there is no partition sector on a floppy disk; the first sector on the disk is the boot sector. Consequently, the entire disk falls within the area controlled by the operating system. In addition, when a floppy disk is formatted, format-pattern is written to every sector, overwriting any data which was previously on the disk. A re-format of a floppy disk [using the syntax described above] will remove any virus.
Having discovered that FORMAT does not remove partition sector viruses, the unsuspecting user's next 'port of call' is to run FDISK.
FDISK is used to partition the hard disk [a PC's hard disk may be sub-divided into four partitions, or volumes]; and to set the active [or bootable] partition. Following the scenario outlined above, where the hard disk has been partitioned already, FDISK will refuse to re-partition the hard disk unless the active partition is first deleted.
So, what actually happens when FDISK is used? The partition table is deleted; and replaced with a new partition table, defined by the user. In addition, format-pattern is written to the start of each track on the hard disk [up to a certain point, which includes the root directory and File Allocation Table].
The important thing to note, with reference to removing a partition sector virus, is that it is only the partition table which is deleted and replaced. The partition executable code, and the error messages in the partition sector, remain untouched. Most partition sector viruses, however, modify the partition executable code, without affecting the partition table. So FDISK will have no effect on this type of virus. Of course, the first time our unsuspecting user realises this . . . is after re-formatting the hard disk [again!] and re-loading a backup.
Consider the plight of a user who has run FORMAT to re-format the hard disk [and then re-loaded a backup]; and who has then run FDISK to delete and replace the partition table [and re-loaded a backup, again] . . . only to discover that the hard disk is still infected.
It is worth raising the issue of FDISK /MBR at this point. Since this is frequently seen as an easy way of removing partition sector viruses, it is important to outline what it does to the partition sector; and to explain why it is inadvisable to use this as a virus removal method.
FDISK /MBR re-writes the partition executable code and the error messages in the partition sector, without affecting the partition table. Since most partition sector viruses do not modify the partition table, this would appear to be a useful way of removing these viruses. However, let the incautious user beware!
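The following Python code splits a 512-byte partition sector into the two regions discussed above [the executable code with its error messages, and the partition table] and reports which region differs from a saved known-good copy. It is an added example, not part of the original article; the byte offsets are the standard PC partition sector layout rather than figures given in the text, and the sample sectors are constructed.

```python
import struct

CODE_END = 446           # bytes 0..445: partition executable code and error messages
TABLE_END = 510          # bytes 446..509: four 16-byte partition table entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511: boot signature


def split_sector(sector: bytes) -> dict:
    """Split a 512-byte partition sector into its code and table regions."""
    if len(sector) != 512:
        raise ValueError("partition sector must be exactly 512 bytes")
    if sector[TABLE_END:] != SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    return {"code": sector[:CODE_END], "table": sector[CODE_END:TABLE_END]}


def parse_table(table: bytes) -> list:
    """Decode the non-empty partition table entries."""
    entries = []
    for slot in range(4):
        raw = table[slot * 16:(slot + 1) * 16]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0:  # a type byte of 0 marks an unused slot
            entries.append({"slot": slot, "active": raw[0] == 0x80, "type": raw[4],
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def changed_regions(baseline: bytes, current: bytes) -> list:
    """Name the regions that differ from a saved known-good copy of the sector."""
    old, new = split_sector(baseline), split_sector(current)
    return [name for name in ("code", "table") if old[name] != new[name]]


def build_sector(code_fill: int, entry: bytes) -> bytes:
    """Constructed sample sector: filler code bytes, one table entry, signature."""
    return bytes([code_fill]) * CODE_END + entry + bytes(48) + SIGNATURE


# Constructed sample data: one active partition, type 0x06, starting at LBA 63.
ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x7f", 63, 2056257)
BASELINE = build_sector(0x90, ENTRY)        # saved known-good copy
CODE_MODIFIED = build_sector(0xCC, ENTRY)   # code differs, table identical
TABLE_REPLACED = build_sector(0x90, ENTRY[:12] + struct.pack("<I", 1028097))

if __name__ == "__main__":
    print(changed_regions(BASELINE, CODE_MODIFIED))
    print(changed_regions(BASELINE, TABLE_REPLACED))
```

A result of `['code']` with an unchanged table is the pattern the article attributes to most partition sector viruses; a result of `['table']` is what replacing the partition table alone produces.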
So, what conclusions can be drawn from all this? The first thing to state is that neither FORMAT nor FDISK is necessary to remove a virus. If they are used at all, following a virus infection, it should be for convenience, not necessity. For example, it may be that the PC is infected by a multipartite virus; and there are a great number of infected files; in which case, it may be more convenient to simply re-load a backup. In any event, if this course of action is appropriate, things should be done in the following order.