Table of Contents Index Page Technical Support Introduction Installation Using F-Prot Boot Record Support DOS Recovery Network Administration

4. BOOT RECORD SUPPORT

The Master Boot Record is an important part of your hard disk drive. FIXDISK.EXE is a simple command line utility designed to safely remove unknown boot sector viruses while providing a virus data file for analysis and recovery.

FIXDISK.EXE

FIXDISK will save the first track of the disk to a data file. If this file is created before a virus infection, it can be used as a rescue file. Also, should you encounter a new virus that cannot be disinfected, please send us the saved file and our development team will analyze it and update Command AntiVirus.

During the installation process, Command AntiVirus instructs FIXDISK to save the MBR as a hidden RESCUE file in the root directory. This file is called F-PROT.SYS and it can be used by FIXDISK to repair the damage done by a boot sector or MBR virus.

If nothing is specified, FIXDISK offers the following options.

FIXDISK SWITCH OPTIONS
REPAIR Attempts a generic repair of the MBR.
UNDO Replaces the MBR with a rescue file.
FIND Searches drive for a rescue file.
RESCUE Used with the following switches for saving and restoring a rescue file

CREATE Creates a file that contains the MBR and boot sector

RESTORE Asks for a filename to repair an MBR and/or boot sector.

Should you encounter an unknown virus that cannot be disinfected, you can use the FIND command to restore the infected MBR from the data file created by RESCUE. This will allow access to your valuable data files.

REPAIR

This option attempts a generic repair of the MBR. Should this fail, it will search the hard drive for a rescue file. For example:

FIXDISK REPAIR C:

SAVE

The "Save" command will take an image of the first track of the drive and the boot sector. This is the preferred method to use if sending Command Software a suspected virus sample for analysis.

FIND

This will skip the generic repair and search for the rescue file on the hard drive. This search is done on a track-by-track basis and may take some time. 

FIXDISK FIND

RESCUE

This command is used to create and restore a rescue file.

Create

CREATE produces a rescue file that contains an image of the MBR and the boot sector of all physical hard drives. If a file name is specified, it will be used. Including a floppy drive letter creates the F-PROT.SYS file on that drive. For example:

FIXDISK RESCUE CREATE

The F-PROT.SYS hidden, system, read-only file will be created on the root directory of the boot drive. This file contains not only the MBR and boot sector of the boot drive, but the MBRs of any other physical hard drives in the system.

To create a similar file called RESCUE.DAT on drive A: type:

FIXDISK RESCUE CREATE A:

To create a rescue file called TEST.DAT on drive A: type:

FIXDISK RESCUE CREATE A:TEST.DAT

Restore

FIXDISK RESCUE RESTORE

This command prompts you for a rescue file name that can be used to recover the MBR and boot sector.

CMOS ATTACKS

Should attempts to disinfect a boot sector virus fail, check the CMOS setup of the infected system. Some boot sector virus variants will attempt to protect themselves by modifying the CMOS in two ways:

  1. The virus will turn OFF the boot sector protection in CMOS, infect the boot sector and then turn the protection back on. Make sure the boot sector protection is turned OFF.
  2. The virus will change the boot sequence to boot from C: first. When you try to perform a cold boot, the virus loads first, searches the floppy for a copy of DOS and appears to boot properly. Make sure the boot sequence has drive A first.

DISINFECTING A BOOT SECTOR VIRUS

The FIXDISK utility safely disinfects a boot system virus in two different ways. The easiest is with a previously created STARTUP diskette and the second is used if you have just attempted to install Command AntiVirus and have detected a pre-existing boot sector virus.

DISINFECTING WITH A STARTUP DISKETTE

The instructions on how to disinfect your system with the Windows Startup diskette assumes that you have previously installed Command AntiVirus on your computer. Before you begin this disinfection process, be sure to have the following items readily available:

  1. A virus-free, write-protected Windows Startup diskette.
  2. A blank, formatted floppy diskette. This diskette must not be write-protected.
  3. The Command AntiVirus installation diskette that contains the FIXDISK.EXE program.
  4. The Command AntiVirus installation diskette that contains the F-PROT.EXE program.
In this disinfection procedure, you can use a virus-free, write-protected MS-DOS backup diskette (version 5.0 or higher) in place of the Windows Startup diskette. However, if your Windows 95 system is using VFAT32, then you must use a VFAT32 system disk instead of an MS-DOS bootup diskette.

When you have all of the items mentioned above, you can start the disinfection procedure:

  1. If your computer is on, turn it off. In windows, this is done by selecting the START button on the taskbar and then choosing SHUTDOWN.
  2. Insert the Windows Startup diskette into the A drive.
  3. Turn your computer on.
  4. When the A: prompt appears, remove the Windows Startup diskette and replace it with the Command AntiVirus diskette that contains F-PROT.EXE.

  5. Scan your hard drive for viruses by typing the following command at the A prompt: 

F-PROT /NOMEM /HARD /DISINF
If you are using an MS-DOS bootup disk rather than a Windows 95 Startup disk, you can omit the /NOMEM switch in Step 5.

If a virus is found, choose to have Command AntiVirus disinfect it. Then, perform steps 1 through 5 again to make sure that the virus has been removed. If, on that subsequent scan, you find the virus is still on your drive, proceed to the next step.

  1. If your computer is on, shut it down completely.
  2. Insert the Windows Startup diskette into A drive.
  3. Turn your computer on.

  4. If Command AntiVirus has never been installed on your system, remove the Windows Startup diskette from the A drive and replace it with the Command AntiVirus installation diksette that contains FIXDISK.EXE. Then, type: 

    FIXDISK REPAIR C: [ENTER]

    However, if Command AntiVirus has been previously installed on you system, type:

    FIXDISK RESCUE RESTORE [ENTER]
Without the rescue file, FIXDISK will only repair MBR viruses that have not modified the partition table. However, if a rescue file is available for FIXDISK, even partition tables that have been modified will be repaired.

  1. When you receive the message stating "Please enter the directory path and name of the rescue file:", remove the Command AntiVirus installation diskette from A drive and replace it with the blank floppy diskette. Then, answer by typing:

    A:RESCUE.DAT [ENTER]
  2. When you are asked "Are you certain you wish to repair the disk?," type "Y". The repair will take place immediately.
  3. When you are prompted to reboot the computer, remove the floppy diskette from the A: drive and label it "Command AntiVirus Boot Record Data." In the unlikely event that you have found a new virus, you can send us the RESCUE.DAT file found on your Command AntiVirus Boot Record Data diskette. We will then examine the file and contact you with a solution.
  4. Perform steps 1 through 5 again to insure that the virus has been successfully removed.

If no viruses are found via the scan in step 13, remove the Command AntiVirus diskette from your floppy drive and and reboot your system as normal.

DISINFECT WITHOUT A STARTUP DISKETTE

  1. Select START / SHUTDOWN
  2. Boot the system with a standard DOS version 5.0 or later.
  3. At the A: prompt, type SYS C: (You're right, it's not Windows 95 DOS).
  4. Change over to drive C:
  5. Rename CONFIG.SYS to CONFIG.TMP and AUTOEXEC.BAT to AUTOEXEC.TMP
  6. Make a new CONFIG.SYS with ONLY your CD-ROM driver loaded (check the CD-ROM drive manual for this).
  7. Boot the system on C.
  8. Insert the Windows 95 CD into your CD-ROM drive and create a Windows Startup diskette.
  9. After you have created the Startup diskette, turn off your computer.
  10. If it has been removed, insert the Windows Startup diskette into A drive.
  11. Turn you computer on.
  12. When the A: prompt appears, remove the Winodws Startup diskette and replace it with the Command AntiVirus diskette that contain F-PROT.EXE.
  13. Scan your hard drive for viruses by typing the follwing command at the A prompt:

    F-PROT /NOMEM /HARD /DISINF [ENTER]

    If the scan detects a virus, allow Command AntiVirus to disinfect it. After the disinfection, run steps 9 through 13 again to insure that no viruses remain on your system. If on the succeeding scan no viruses are detected, proceed to the next step.

  14. Install Command AntiVirus for Windows 95 according to the installation instructions in this manual. Once the installation is complete, you can continue your computing as normal.