The Master Boot Record is an important part of your hard disk drive. FIXDISK.EXE is a simple command line utility designed to safely remove unknown boot sector viruses while providing a virus data file for analysis and recovery.
FIXDISK will save the first track of the disk to a data file. If this file is created before a virus infection, it can be used as a rescue file. Also, should you encounter a new virus that cannot be disinfected, please send us the saved file and our development team will analyze it and update Command AntiVirus.
During the installation process, Command AntiVirus instructs FIXDISK to save the MBR as a hidden RESCUE file in the root directory. This file is called F-PROT.SYS and it can be used by FIXDISK to repair the damage done by a boot sector or MBR virus.
If nothing is specified, FIXDISK offers the following options.
FIXDISK SWITCH OPTIONS
- REPAIR: Attempts a generic repair of the MBR.
- UNDO: Replaces the MBR with a rescue file.
- FIND: Searches drive for a rescue file.
- RESCUE: Used with the following switches for saving and restoring a rescue file
Should you encounter an unknown virus that cannot be disinfected, you can use the FIND command to restore the infected MBR from the data file created by RESCUE. This will allow access to your valuable data files.
This option attempts a generic repair of the MBR. Should this fail, it will search the hard drive for a rescue file. For example:
FIXDISK REPAIR C:
The "Save" command will take an image of the first track of the drive and the boot sector. This is the preferred method to use if sending Command Software a suspected virus sample for analysis.
This will skip the generic repair and search for the rescue file on the hard drive. This search is done on a track-by-track basis and may take some time.
FIXDISK FIND
This command is used to create and restore a rescue file.
CREATE produces a rescue file that contains an image of the MBR and the boot sector of all physical hard drives. If a file name is specified, it will be used. Including a floppy drive letter creates the F-PROT.SYS file on that drive. For example:
FIXDISK RESCUE CREATE
The F-PROT.SYS hidden, system, read-only file will be created on the root directory of the boot drive. This file contains not only the MBR and boot sector of the boot drive, but the MBRs of any other physical hard drives in the system.
To create a similar file called RESCUE.DAT on drive A:, type:
FIXDISK RESCUE CREATE A:
To create a rescue file called TEST.DAT on drive A:, type:
FIXDISK RESCUE CREATE A:TEST.DAT
FIXDISK RESCUE RESTORE
This command prompts you for a rescue file name that can be used to recover the MBR and boot sector.
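What a copy of the MBR saved before infection lets you check, as an added example that is not part of the original page or of Command AntiVirus: it compares a saved 512-byte MBR sector with the current one and reports whether the boot code or the partition table changed. It assumes raw sector images in the classic MBR layout; the internal format of F-PROT.SYS is not described on this page and is not parsed, and all function names and sample sectors are constructed for illustration.

```python
import struct

SECTOR = 512
CODE_END = 446           # bytes 0..445 hold the boot code
TABLE_END = 510          # bytes 446..509 hold four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511 mark a valid boot sector
ENTRY = "<B3xB3xII"      # status, (CHS), type, (CHS), start LBA, sector count


def parse_partitions(mbr):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR sector is exactly 512 bytes")
    parts = []
    for i in range(4):
        raw = mbr[CODE_END + 16 * i:CODE_END + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack(ENTRY, raw)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def compare_with_saved(saved, current):
    """Say which regions of the current MBR differ from the saved copy."""
    if len(saved) != SECTOR or len(current) != SECTOR:
        raise ValueError("both inputs must be 512-byte sectors")
    return {
        "signature_ok": current[TABLE_END:] == SIGNATURE,
        "boot_code_changed": saved[:CODE_END] != current[:CODE_END],
        "partition_table_changed":
            saved[CODE_END:TABLE_END] != current[CODE_END:TABLE_END],
    }


def build_mbr(code_byte, entries):
    """Build a constructed sample sector; entries are (status, type, lba, count)."""
    table = b"".join(struct.pack(ENTRY, *e) for e in entries).ljust(64, b"\0")
    return bytes([code_byte]) * CODE_END + table + SIGNATURE


# Constructed samples, not real disk contents.
SAVED = build_mbr(0x90, [(0x80, 0x06, 63, 1024000)])      # copy taken while clean
CODE_ONLY = build_mbr(0xCC, [(0x80, 0x06, 63, 1024000)])  # boot code replaced
TABLE_GONE = build_mbr(0xCC, [])                          # table overwritten too

if __name__ == "__main__":
    for name, sector in (("CODE_ONLY", CODE_ONLY), ("TABLE_GONE", TABLE_GONE)):
        print(name, compare_with_saved(SAVED, sector), parse_partitions(sector))
```

When `partition_table_changed` is true, the original partition entries can only come from the saved copy, since the current sector no longer holds them.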
Should attempts to disinfect a boot sector virus fail, check the CMOS setup of the infected system. Some boot sector virus variants will attempt to protect themselves by modifying the CMOS in two ways:
The FIXDISK utility safely disinfects a boot system virus in two different ways. The easiest is with a previously created STARTUP diskette and the second is used if you have just attempted to install Command AntiVirus and have detected a pre-existing boot sector virus.
The instructions on how to disinfect your system with the Windows Startup diskette assume that you have previously installed Command AntiVirus on your computer. Before you begin this disinfection process, be sure to have the following items readily available:
- A virus-free, write-protected Windows Startup diskette.
- A blank, formatted floppy diskette. This diskette must not be write-protected.
- The Command AntiVirus installation diskette that contains the FIXDISK.EXE program.
- The Command AntiVirus installation diskette that contains the F-PROT.EXE program.
In this disinfection procedure, you can use a virus-free, write-protected MS-DOS backup diskette (version 5.0 or higher) in place of the Windows Startup diskette. However, if your Windows 95 system is using VFAT32, then you must use a VFAT32 system disk instead of an MS-DOS bootup diskette.
When you have all of the items mentioned above, you can start the disinfection procedure:
- If your computer is on, turn it off. In Windows, this is done by selecting the START button on the taskbar and then choosing SHUTDOWN.
- Insert the Windows Startup diskette into the A drive.
- Turn your computer on.
- When the A: prompt appears, remove the Windows Startup diskette and replace it with the Command AntiVirus diskette that contains F-PROT.EXE.
Scan your hard drive for viruses by typing the following command at the A prompt:
F-PROT /NOMEM /HARD /DISINF
If you are using an MS-DOS bootup disk rather than a Windows 95 Startup disk, you can omit the /NOMEM switch in Step 5.
If a virus is found, choose to have Command AntiVirus disinfect it. Then, perform steps 1 through 5 again to make sure that the virus has been removed. If, on that subsequent scan, you find the virus is still on your drive, proceed to the next step.
- If your computer is on, shut it down completely.
- Insert the Windows Startup diskette into A drive.
- Turn your computer on.
If Command AntiVirus has never been installed on your system, remove the Windows Startup diskette from the A drive and replace it with the Command AntiVirus installation diskette that contains FIXDISK.EXE. Then, type:
FIXDISK REPAIR C: [ENTER]
However, if Command AntiVirus has been previously installed on your system, type:
FIXDISK RESCUE RESTORE [ENTER]
Without the rescue file, FIXDISK will only repair MBR viruses that have not modified the partition table. However, if a rescue file is available for FIXDISK, even partition tables that have been modified will be repaired.
When you receive the message stating "Please enter the directory path and name of the rescue file:", remove the Command AntiVirus installation diskette from A drive and replace it with the blank floppy diskette. Then, answer by typing:
A:RESCUE.DAT [ENTER]
- When you are asked "Are you certain you wish to repair the disk?," type "Y". The repair will take place immediately.
- When you are prompted to reboot the computer, remove the floppy diskette from the A: drive and label it "Command AntiVirus Boot Record Data." In the unlikely event that you have found a new virus, you can send us the RESCUE.DAT file found on your Command AntiVirus Boot Record Data diskette. We will then examine the file and contact you with a solution.
- Perform steps 1 through 5 again to ensure that the virus has been successfully removed.
If no viruses are found via the scan in step 13, remove the Command AntiVirus diskette from your floppy drive and reboot your system as normal.
F-PROT /NOMEM /HARD /DISINF [ENTER]
If the scan detects a virus, allow Command AntiVirus to disinfect it. After the disinfection, run steps 9 through 13 again to ensure that no viruses remain on your system. If on the succeeding scan no viruses are detected, proceed to the next step.