The Master Boot Record (MBR) is an important part of your hard disk drive. FIXDSKNT.EXE and FIXDISK.EXE are both simple command line utilities that work together to safely remove unknown boot sector viruses while providing a virus data file that can be used at a later date for analysis and data recovery.
FIXDSKNT saves the first track of the hard disk to a data file. If this file is created before a virus infection, it can be used as a rescue file should your boot record later become infected. If you encounter a new boot virus that cannot be disinfected, FIXDSKNT can also be used to save a copy of your infected boot record. That copy can then be sent to our development team for analysis as well as for updating Command's F-PROT Professional for Windows NT.
FIXDSKNT produces a rescue file containing an image of the MBR and the boot sector of all physical hard drives. By default, the rescue file created by FIXDSKNT is called RESCUE.DAT. However, if you wish, you can specify a different filename for it.
To use the FIXDSKNT utility to create a rescue file, perform the following steps:
If you prefer, you can save your rescue file to an MS-DOS system diskette. This would provide the additional ease-of-use of having a bootable diskette that contains your computer's Command's F-PROT Professional rescue file.
    FIXDSKNT A:

This will write the rescue file, RESCUE.DAT, to the floppy diskette in your A: drive. If you would like to save the rescue file under a different name, add that name to the above-mentioned command. For example, to create a rescue file called TEST.DAT, type:

    FIXDSKNT A:TEST.DAT

This will store a rescue file called TEST.DAT on the floppy diskette in your A: drive.
You must boot your computer using a DOS system disk to use FIXDISK.EXE. It is a 16-bit program and will not function correctly under Windows NT, but it is helpful for replacing an image of the boot area.
FIXDISK.EXE can be used to repair the boot record of your computer. FIXDISK can attempt a generic repair or, if you have a previously saved rescue file, it can replace your damaged or infected boot area with that file, allowing you to continue your computing as normal.
If nothing is specified, FIXDISK offers the following options:
|REPAIR||Saves the first track and attempts a repair of the boot area.|
|SAVE||Takes an image of the boot area and backs up the first track to a file.|
|UNDO||Restores the boot area to its original state before repair.|
|FIND||Searches drive for a rescue file.|
|RESCUE||Used with the following switches for saving and restoring a rescue file: CREATE creates a file that contains the MBR and boot sector; RESTORE restores the file that was previously saved.|
Should you encounter an unknown virus that cannot be disinfected, you can use the FIND command to restore the uninfected MBR from the rescue file that was created by either FIXDSKNT or FIXDISK's RESCUE command. This will allow access to your valuable data files. Use of the FIND and other FIXDISK-related commands is detailed below.
This will attempt a generic repair of the MBR. Should this fail, it will search the hard drive for a rescue file. For example:

    FIXDISK REPAIR A:
The Save command stores an image of the first track of the drive and the boot sector. This is the preferred method to use if sending Command Software a suspected virus sample for analysis. Also, if you use NTFS, it is recommended that you save this information to a floppy diskette as you could then use Command's F-PROT Professional's DOS recovery utilities if necessary.

    FIXDISK SAVE C:

This will prompt you to enter a network path and a file name. The file name should be in the 8.3 format so that the DOS version of Command's F-PROT Professional can be used, if needed, to recover your data. Additionally, the file name must include the .dat extension.
Using the Undo command allows you to restore the boot area to the state it was in before you repaired it. It will ask for the name of the rescue file, so have that information on hand.

    FIXDISK UNDO C:
This will skip the generic repair and search for the rescue file on the hard drive. This search is done on a track-by-track basis and may take some time. If you have already deleted the rescue file, but its contents have not yet been overwritten, this command will recover the information and restore your hard drive.

    FIXDISK FIND
This command is used to restore a rescue file. The RESCUE command is always used in conjunction with the RESTORE command.
The RESTORE command can be used if you have a specific, previously saved rescue file that you would like to use for boot record disinfection.

    FIXDISK RESCUE RESTORE

This will prompt you for the rescue filename to use for recovering the MBR and boot sector.
There are two ways to safely disinfect a boot sector virus via FIXDISK. The easiest way is with a previously created Command's F-PROT Professional rescue diskette. A second method is used if you have just attempted to install Command's F-PROT Professional and have detected a pre-existing master boot record or boot sector virus.
FIXDISK RESCUE RESTORE
F-PROT /HARD /DISINF
Note that FIXDISK will repair only MBR viruses that have not modified the partition table. However, if the virus has modified the partition table AND you have a FIXDISK-created rescue file, a successful repair can be made.
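The distinction in the note above (boot code altered versus partition table altered) can be checked by comparing a known-good MBR sector with the current one. This is an added example, not part of FIXDISK or Command Software's documentation; it assumes raw 512-byte sector dumps in the standard MBR layout rather than the RESCUE.DAT format, which this page does not describe, and `build_sample` produces constructed test data.

```python
import struct

SECTOR = 512
PT_OFFSET, PT_ENTRY, SIG_OFFSET = 446, 16, 510  # standard MBR layout


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[PT_OFFSET + i * PT_ENTRY: PT_OFFSET + (i + 1) * PT_ENTRY]
        lba_start, count = struct.unpack_from("<II", raw, 8)
        entries.append({"active": raw[0] == 0x80, "type": raw[4],
                        "lba_start": lba_start, "sectors": count, "raw": raw})
    return {"boot_code": sector[:PT_OFFSET],
            "partitions": entries,
            "signature_ok": sector[SIG_OFFSET:] == b"\x55\xaa"}


def compare_mbr(saved: bytes, current: bytes) -> dict:
    """Report which regions differ between a saved image and the current MBR."""
    a, b = parse_mbr(saved), parse_mbr(current)
    changed = [i for i in range(4) if a["partitions"][i] != b["partitions"][i]]
    return {"boot_code_changed": a["boot_code"] != b["boot_code"],
            "changed_entries": changed,   # non-empty: a saved image is needed
            "signature_ok": b["signature_ok"]}


def build_sample(boot_fill: int, lba_start: int) -> bytes:
    """Constructed test sector: one active partition of type 0x06."""
    entry = bytes([0x80, 0, 0, 0, 0x06, 0, 0, 0]) + struct.pack("<II", lba_start, 204800)
    table = entry + bytes(PT_ENTRY * 3)
    return bytes([boot_fill]) * PT_OFFSET + table + b"\x55\xaa"


if __name__ == "__main__":
    saved = build_sample(0x90, 63)
    print(compare_mbr(saved, build_sample(0xCC, 63)))  # boot code only
    print(compare_mbr(saved, build_sample(0xCC, 0)))   # partition table too
```

An empty `changed_entries` list with `boot_code_changed` set corresponds to the case where a generic repair can work; any changed entry means the saved image is the reliable source for the partition table.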
Should attempts to disinfect a boot sector virus fail, check the CMOS setup of the infected system. Some boot sector virus variants will attempt to protect themselves by modifying the CMOS.
For instance, sometimes a virus will turn OFF the boot sector protection in CMOS, infect the boot sector and then turn the protection back on. Make sure the boot sector protection is turned OFF.
A second method that some viruses use to infect systems consists of changing the boot sequence so that the system boots first from C: instead of A:. Thus, when you perform a cold boot, the virus loads first and then searches the floppy drive for a copy of DOS, appearing to boot properly. Make sure that the boot sequence in CMOS has A: selected as the initial boot drive.