
4. BOOT RECORD SUPPORT

The Master Boot Record (MBR) holds the first code your PC runs at start-up and the partition table of your hard disk, which makes it a favourite target of boot sector viruses. FIXDSKNT.EXE and FIXDISK.EXE are easy-to-use command-line utilities that work together to safely remove unknown boot sector viruses while providing a virus data file that can be used at a later date for analysis and data recovery.

FIXDSKNT.EXE

FIXDSKNT saves the first track of the hard disk to a data file. If this file is created before a virus infection, it can be used as a rescue file should your boot record later become infected. If you encounter a new boot virus that cannot be disinfected, FIXDSKNT can also be used to save a copy of your infected boot record. That copy can then be sent to our development team for analysis as well as for updating Command AntiVirus for Windows NT.

USING FIXDSKNT TO CREATE A RESCUE FILE

FIXDSKNT produces a rescue file containing an image of the MBR and the boot sector of all physical hard drives. By default, the rescue file created by FIXDSKNT is called RESCUE.DAT. However, if you wish, you can specify a different filename for it.

To use the FIXDSKNT utility to create a rescue file, perform the following steps:

  1. On your hard drive, change to the directory that contains FIXDSKNT.EXE. This will usually be the directory that contains your Command AntiVirus for Windows NT program files.
  2. Insert a clean, formatted diskette into your system's A: drive.

     If you prefer, you can save your rescue file to an MS-DOS system diskette. You then have a bootable diskette that also carries your computer's Command AntiVirus rescue file.

  3. Type the following command:

    FIXDSKNT A:

    This writes the rescue file, RESCUE.DAT, to the floppy diskette in your A: drive. To save the rescue file under a different name, add that name to the command. For example, to create a rescue file called TEST.DAT, type:

    FIXDSKNT A:TEST.DAT

    This stores a rescue file called TEST.DAT on the floppy diskette in your A: drive.

  4. After you have made a rescue file, remove the floppy diskette from its drive and label it accordingly. Be sure to put the diskette in a safe place.

Should you ever need the rescue file on that diskette, FIXDISK.EXE (not to be confused with the FIXDSKNT utility described above) writes it back to your hard disk. The following section provides details on how to use FIXDISK.

FIXDISK COMMAND LINE OPTIONS

FIXDISK.EXE is a 16-bit program and will not function correctly under Windows NT, so you must boot your computer from a DOS system disk to use it. Its purpose is to put an image of the boot area back in place.

FIXDISK repairs the boot record of your computer. It can attempt a generic repair or, if you have a previously saved rescue file, it can replace your damaged or infected boot area with the contents of that file, allowing you to continue your computing as normal.

Run without any switches, FIXDISK displays the following options:

Switch   Description
REPAIR   Saves the first track and attempts a repair of the boot area.
SAVE     Takes an image of the boot area and backs up the first track to a file.
UNDO     Restores the boot area to its original state before repair.
FIND     Searches the drive for a rescue file.
RESCUE   Used with one of the following switches for saving and restoring a rescue file:
         CREATE   Creates a file that contains the MBR and boot sector.
         RESTORE  Restores the file that was previously saved.

Should you encounter an unknown virus that cannot be disinfected, you can use the FIND command to restore the uninfected MBR from the rescue file that was created by either FIXDSKNT or FIXDISK's RESCUE command. This will allow access to your valuable data files. Use of the FIND and other FIXDISK-related commands is detailed below.

Repair

This will attempt a generic repair of the MBR. Should this fail, it will search the hard drive for a rescue file. For example:

FIXDISK REPAIR A:

Save

The Save command stores an image of the first track of the drive and the boot sector. This is the preferred method to use if sending Command Software a suspected virus sample for analysis. Also, if you use NTFS, it is recommended that you save this information to a floppy diskette as you could then use the Command AntiVirus DOS recovery utilities if necessary.

FIXDISK SAVE C:

This will prompt you to enter a network path and a file name. The file name should be in the 8.3 format so that the DOS version of Command AntiVirus can be used, if needed, to recover your data. Additionally, the file name must include the .dat extension.

Undo

Using the Undo command allows you to restore the boot area to the state it was in before you repaired it. It will ask for the name of the rescue file, so have that information on hand.

FIXDISK UNDO C:

Find

This will skip the generic repair and search for the rescue file on the hard drive. This search is done on a track-by-track basis and may take some time. If you have already deleted the rescue file but its contents have not yet been overwritten, this command will recover the information and restore your hard drive.

FIXDISK FIND

Rescue

This command is used to restore a rescue file. RESCUE is never used on its own: on the FIXDISK command line it is followed by CREATE or RESTORE (see the table above), and for disinfection it is always used with RESTORE.

Restore

The RESTORE command can be used if you have a specific, previously saved rescue file that you would like to use for boot record disinfection.

FIXDISK RESCUE RESTORE

This will prompt you for the rescue file name to use for recovering the MBR and boot sector.

DISINFECTING A BOOT SECTOR VIRUS

There are two ways to safely disinfect a boot sector virus via FIXDISK. The easiest way is with a previously created Command AntiVirus rescue diskette. A second method is used if you have just attempted to install Command AntiVirus and have detected a pre-existing master boot record or boot sector virus.

Disinfecting with the Command AntiVirus Rescue diskette

  1. Select START / SHUTDOWN.
  2. Turn off the power to the system.
  3. Insert a clean, write-protected boot diskette.
  4. Turn the power on.
  5. Insert the Command AntiVirus rescue disk.
  6. Type:

    FIXDISK RESCUE RESTORE
  7. When you are asked for a filename, type:

    A:RESCUE.DAT
  8. Remove diskette from the floppy drive.
  9. Insert Command AntiVirus installation diskette that contains F-PROT.EXE.
  10. Type the following:

    F-PROT /HARD /DISINF
  11. If no viruses are found, remove the diskette and reboot as normal.
  12. If a virus is found, follow the instructions in the next section.

Disinfecting without a startup diskette

  1. Select START / SHUTDOWN.
  2. Boot the system with a standard DOS diskette version 5.0 or later. Make sure the disk is write-protected and virus free.
  3. Try running F-PROT.EXE (this is the DOS version of Command AntiVirus) from the installation diskettes. You may be able to recover the MBR/boot sector without needing to reinstall Windows NT.
  4. If F-PROT.EXE cannot recover the MBR/boot sector, try running FIXDISK.EXE. It is available on the installation diskettes. If neither F-PROT.EXE nor FIXDISK.EXE cleans the infection, the only option available is to re-install Windows NT as described below.
  5. If F-PROT.EXE or FIXDISK.EXE have removed the infection, do not continue to steps 7-12. Instead, continue from step 13.
  6. At the prompt, type SYS C: and change over to drive C:
  7. Rename CONFIG.SYS to CONFIG.TMP and AUTOEXEC.BAT to AUTOEXEC.TMP.
  8. Make a new CONFIG.SYS with ONLY your CD-ROM driver loaded (check the CD-ROM drive manual for this).
  9. Boot the system on C.
  10. Reinstall the Windows NT operating system from the CD. Perform an upgrade, not a new installation.
  11. Create a STARTUP diskette as recommended.
  12. Create a RESCUE diskette as recommended in Chapter Two, Installation, in this manual.
  13. Install Command AntiVirus for Windows NT.
  14. Perform a full scan of your hard drives.

Note that FIXDISK's generic repair can only remove MBR viruses that have left the partition table intact, because it rewrites the boot code and keeps the partition table it finds on the disk. If the virus has modified the partition table, a successful repair is still possible provided you have a rescue file created by FIXDISK or FIXDSKNT: the restore writes back the saved partition table together with the saved boot code.
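The following Python model, added here as an illustration and not Command Software's own code, shows what the distinction above means in bytes: a 512-byte MBR is 446 bytes of boot code, a 64-byte partition table and the 0x55AA signature. Comparing a saved copy with the sector on disk tells you whether a generic repair (new boot code, partition table kept) can work or whether only a rescue-file restore (whole saved sector written back) is safe; the same parser also drives a sector-by-sector scan of a raw image for stray MBR copies, the kind of search FIND performs for a deleted rescue file. The real layout of RESCUE.DAT is not documented on this page, so the model treats the rescue copy as a raw MBR sector; every function name and all sample data below are constructed for the example.

```python
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot code
PART_TABLE_OFF = 446       # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xAA"    # bytes 510..511


def parse_mbr(sector):
    """Split one 512-byte MBR into boot code, four partition entries and the signature flag."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR image is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, start CHS (3 bytes), type, end CHS (3 bytes), LBA start, sector count
        status, _sh, _ss, _sc, ptype, _eh, _es, _ec, lba, count = struct.unpack(
            "<8BII", sector[off:off + 16])
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": entries,
        "valid_signature": sector[510:512] == SIGNATURE,
    }


def plausible_mbr(sector):
    """Carving heuristic: signature present, every status byte 0x00 or 0x80, one real entry."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        return False
    parts = parse_mbr(sector)["partitions"]
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        return False
    return any(p["type"] != 0 and p["sectors"] != 0 for p in parts)


def classify(saved, current):
    """Compare the rescue copy with the sector now on disk."""
    s, c = parse_mbr(saved), parse_mbr(current)
    if saved == current:
        return "clean"
    if s["partitions"] == c["partitions"]:
        return "boot-code-only"             # generic repair can work: table intact
    return "partition-table-modified"       # only a rescue-file restore is safe


def generic_repair(current, clean_boot_code):
    """Model of a generic repair: fresh boot code, the partition table left as found on disk."""
    code = clean_boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    return code + current[PART_TABLE_OFF:]


def restore_from_rescue(saved):
    """Model of a rescue-file restore: the whole saved sector, table included, goes back."""
    return bytes(saved)


def find_mbr_images(disk_image):
    """Sector-by-sector scan for anything that looks like an MBR copy (what FIND does per track)."""
    return [off for off in range(0, len(disk_image) - SECTOR + 1, SECTOR)
            if plausible_mbr(disk_image[off:off + SECTOR])]


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code bytes and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<8BII", st, 0, 0, 0, pt, 0, 0, 0, lba, cnt)
                     for st, pt, lba, cnt in partitions).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN] + table + SIGNATURE


# Constructed sample data, not taken from any real disk or virus.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"       # cli / xor ax,ax / mov ss,ax / mov sp,7C00h
VIRUS_CODE = b"\xEB\x10\x90\x90\x56\x49\x52\x55\x53"   # stand-in for a virus loader
TABLE = [(0x80, 0x07, 63, 204800)]                     # one bootable NTFS-type partition
CLEAN_MBR = build_mbr(CLEAN_CODE, TABLE)               # the rescue copy
INFECTED_MBR = build_mbr(VIRUS_CODE, TABLE)            # virus replaced the code, table intact
INFECTED_MOVED = build_mbr(VIRUS_CODE, [(0x80, 0x07, 2048, 204800)])  # virus also moved the table

# Eight-sector image: infected MBR in sector 0, a deleted rescue copy still lying in sector 5.
DISK_IMAGE = INFECTED_MBR + b"\x00" * (4 * SECTOR) + CLEAN_MBR + b"\x00" * (2 * SECTOR)

if __name__ == "__main__":
    print(classify(CLEAN_MBR, INFECTED_MBR))      # boot-code-only
    print(classify(CLEAN_MBR, INFECTED_MOVED))    # partition-table-modified
    print(generic_repair(INFECTED_MOVED, CLEAN_CODE) == CLEAN_MBR)   # False: wrong table kept
    print(restore_from_rescue(CLEAN_MBR) == CLEAN_MBR)               # True
    print(find_mbr_images(DISK_IMAGE))            # [0, 2560]
```

The second case is the one the note is about: after generic_repair the boot code is clean but the entry still points at LBA 2048, so the system would look for its partition in the wrong place; restore_from_rescue is the only path that puts the original table back. The scan returns the infected sector 0 as well as the stray copy, which is why a real FIND has to let you choose or verify the candidate it finds.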

IF DISINFECTING FAILS

Should attempts to disinfect a boot sector virus fail, check the CMOS setup of the infected system. Some boot sector virus variants protect themselves by modifying the CMOS settings.

For instance, a virus may turn OFF the boot sector protection in CMOS, infect the boot sector and then turn the protection back on. While that protection is on, the BIOS also blocks the disinfection tools from writing the repaired MBR back to the disk, so make sure the boot sector protection is turned OFF before you retry the repair.

A second method that some viruses use consists of changing the boot sequence so that the system boots first from C instead of A. When you then perform a cold boot, the virus loads from the hard disk first and only afterwards searches the floppy drive for a copy of DOS, so the system appears to boot normally from your clean diskette. Make sure that the boot sequence in CMOS has A: selected as the initial boot drive.