4. BOOT RECORD SUPPORT

The Master Boot Record is an important part of your hard disk drive. FIXDISK.EXE is a simple command line utility designed to safely remove unknown boot sector viruses while providing a virus data file for analysis and recovery.

FIXDISK.EXE

FIXDISK will save the first track of the disk to a data file. If this file is created before a virus infection, it can be used as a rescue file. Also, should you encounter a new virus that cannot be disinfected, please send us the saved file and our development team will analyze it and update F-PROT.

During the installation process, F-PROT instructs FIXDISK to save the MBR as a hidden RESCUE file in the root directory. This file is called F-PROT.SYS and it can be used by FIXDISK to repair the damage done by a boot sector or MBR virus.

If nothing is specified, FIXDISK offers the following options.

FIXDISK SWITCH OPTIONS

REPAIR    Attempts a generic repair of the MBR.
UNDO      Replaces the MBR with a rescue file.
FIND      Searches drive for a rescue file.
RESCUE    Used with the following switches for saving and restoring a rescue file:
  CREATE    Creates a file that contains the MBR and boot sector.
  RESTORE   Asks for a filename to repair an MBR and/or boot sector.

Should you encounter an unknown virus that cannot be disinfected, you can use the FIND command to restore the infected MBR from the data file created by RESCUE. This will allow access to your valuable data files.

REPAIR

This will attempt a generic repair of the MBR. Should this fail, it will search the hard drive for a rescue file. For example:

    FIXDISK REPAIR C:

SAVE

The "Save" command will take an image of the first track of the drive and the boot sector. This is the preferred method to use if sending Command Software a suspected virus sample for analysis.

FIND

This will skip the generic repair and search for the rescue file on the hard drive. This search is done on a track-by-track basis and may take some time.

    FIXDISK FIND

RESCUE

This command is used to create and restore a rescue file.

Create

CREATE produces a rescue file that contains an image of the MBR and the boot sector of all physical hard drives. If a filename is specified, that will be used. Including a floppy drive letter creates the F-PROT.SYS file on that drive. For example:

    FIXDISK RESCUE CREATE

The hidden, system, read-only file F-PROT.SYS will be created in the root directory of the boot drive. This file contains not only the MBR and boot sector of the boot drive, but also the MBRs of any other physical hard drives in the system.

To create a similar file called RESCUE.DAT on drive A: type:

    FIXDISK RESCUE CREATE A:

To create a rescue file called TEST.DAT on drive A: type:

    FIXDISK RESCUE CREATE A:TEST.DAT

Restore

    FIXDISK RESCUE RESTORE

This will prompt you for a rescue filename to use to recover the MBR and boot sector.

CMOS ATTACKS

Should attempts to disinfect a boot sector virus fail, check the CMOS setup of the infected system. Some boot sector virus variants will attempt to protect themselves by modifying the CMOS in two ways:
  1. The virus will turn OFF the boot sector protection in CMOS, infect the boot sector and then turn the protection back on. Make sure the boot sector protection is turned OFF.
  2. The virus will change the boot sequence to boot from C: first. When you try to perform a cold boot, the virus loads first, searches the floppy for a copy of DOS and appears to boot properly. Make sure the boot sequence has drive A: first.

DISINFECTING A BOOT SECTOR VIRUS

The FIXDISK utility safely disinfects a boot sector virus in two different ways. The easiest uses a previously created STARTUP diskette; the second applies if you have just attempted to install F-PROT and it detected a pre-existing boot sector virus.

DISINFECT WITH A STARTUP DISKETTE

  1. Select START / SHUTDOWN.
  2. Turn off the power to the system.
  3. Insert the STARTUP diskette.
  4. Turn the power on.
  5. Type the following:
    FIXDISK RESCUE RESTORE
  6. When it asks for a filename, type:
    A:RESCUE.DAT
  7. Remove the STARTUP diskette.
  8. Insert disk # 3 of the F-PROT installation diskettes.
  9. Type the following:
    F-PROT /HARD /DISINF
  10. If no viruses are reported, remove the diskette and reboot your system normally.
  11. If a virus is found, go to the next section on disinfection without a STARTUP diskette.

DISINFECT WITHOUT A STARTUP DISKETTE

  1. Select START / SHUTDOWN.
  2. Boot system with a standard DOS version 5.0 or later.
  3. SYS C: (You're right, it's not Windows 95 DOS)
  4. Change over to drive C:
  5. Rename CONFIG.SYS to CONFIG.TMP and AUTOEXEC.BAT to AUTOEXEC.TMP
  6. Make a new CONFIG.SYS with ONLY your CD-ROM driver loaded (check the CD-ROM drive manual for this)
  7. Boot the system on C:
  8. Re-install the Windows 95 operating system from the CD
  9. Create a STARTUP diskette as recommended.
  10. Create a RESCUE diskette as recommended in Chapter Two, "Installation", in this manual.
  11. Install F-PROT for Windows 95.
  12. Perform a full scan of your hard drives.

Note that FIXDISK will only repair MBR viruses that have not modified the partition table.
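
The distinction in the note above, between a changed boot code area and a changed partition table, can be checked by comparing a saved copy of the MBR sector with the current one. The following is an added example, not part of the original manual and not FIXDISK's own code: it assumes raw 512-byte sector dumps in the standard MBR layout (the manual does not describe the rescue file format), and the function names and sample sectors are constructed for illustration.

```python
import struct

SECTOR, PT_OFF, SIG_OFF = 512, 446, 510   # standard MBR layout
ENTRY = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count

def parse_partitions(mbr):
    """Return the non-empty entries of the four-slot partition table."""
    parts = []
    for i in range(4):
        raw = mbr[PT_OFF + 16 * i : PT_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY, raw)
        if ptype != 0:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts

def compare_mbr(saved, current):
    """Compare a saved MBR sector with the current one, region by region."""
    for name, buf in (("saved", saved), ("current", current)):
        if len(buf) != SECTOR:
            raise ValueError(f"{name} image is {len(buf)} bytes, expected {SECTOR}")
    return {
        "saved_signature_ok": saved[SIG_OFF:] == b"\x55\xaa",
        "current_signature_ok": current[SIG_OFF:] == b"\x55\xaa",
        "boot_code_changed": saved[:PT_OFF] != current[:PT_OFF],
        "partition_table_changed": saved[PT_OFF:SIG_OFF] != current[PT_OFF:SIG_OFF],
    }

def assess(saved, current):
    """Summarise which part of the MBR differs from the saved copy."""
    r = compare_mbr(saved, current)
    if not r["saved_signature_ok"]:
        return "saved image invalid"
    if r["partition_table_changed"]:
        return "partition table modified"
    if r["boot_code_changed"] or not r["current_signature_ok"]:
        return "boot code modified"
    return "unchanged"

def build_mbr(boot_code, entries):
    """Build a constructed sample sector (placeholder bytes, not real boot code)."""
    table = b"".join(struct.pack(ENTRY, *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(PT_OFF, b"\x00") + table + b"\x55\xaa"

# Constructed samples: one FAT16 (type 0x06) partition starting at sector 63.
CLEAN = build_mbr(b"ORIGINAL-LOADER", [(0x80, 0x06, 63, 1_000_000)])
BOOT_CHANGED = build_mbr(b"ALTERED-LOADER", [(0x80, 0x06, 63, 1_000_000)])
TABLE_CHANGED = build_mbr(b"ALTERED-LOADER", [(0x80, 0x06, 63, 7)])
```

A result of "partition table modified" from assess() corresponds to the case the note describes, where the saved copy rather than a generic repair is needed to recover the original table.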