Advanced Diskinfoscope (ADinf)
Anti-virus Center
(c) Dr. Dmitry Mostovoy, 1991-1995
Moscow, Russia

Version 9.32 of February 1995
Size 100 000 bytes (noncommercial version - 96306)

----------------------------------------
              USER's GUIDE
----------------------------------------

DialogueScience, Inc.
Moscow, Russia
1994


CONTENTS

BEFORE YOU BEGIN
  What is Advanced Diskinfoscope ADinf?
  Copy protection!
  What do you need to run ADinf

GETTING STARTED
  Installing Advanced Diskinfoscope ADinf
  Using ADinf jointly with Sheriff
    Installing ADinf on a Sheriff-protected computer
    Installing Sheriff on an ADinf-protected computer
  Starting ADinf from AUTOEXEC.BAT file
  Starting ADinf from DOS prompt
  Starting ADinf in batch mode
  Command options
  Starting ADinf in interactive mode

ADinf MAIN MENU
  Scanning the drives
  Creating diskinfo tables
  Checking floppy diskettes
  Stealth search mode
  Customizing the ADinf operation

USEFUL TIPS
  It is always safe
  Holding viruses in leash
  Speedkeys

ADinf STRATEGY
  How does ADinf inspect a disk?

IF THINGS GO WRONG, ANYWAY
  Responding to ADinf report messages
    Changes in memory size
    Changes in MASTER BOOT sector or BOOT sector
    New bad clusters
    Changes in directory system
    Changes in file system
    Viewing & editing files of changed information

ERROR AND WARNING MESSAGES
ACKNOWLEDGMENTS
REFERENCES
DISTRIBUTOR IN RUSSIA


BEFORE YOU BEGIN

The ADinf program is supplied "AS IS" without any warranty, either expressed or implied, of workmanship, merchantability, or fitness for a particular purpose. In no event will JV DIALOGUESCIENCE, INC., its authorized dealers or the designer of the program be liable to the purchaser for any consequential problems arising out of the use of or the inability to use the program.

WHAT IS ADVANCED DISKINFOSCOPE ADinf?

Timely detection of infection guarantees successful curing!

Advanced Diskinfoscope ADinf is a disk information inspector or, more precisely, a disk infection meter; how it works is described later. It surpasses most other anti-virus programs because it scans a disk by reading its sectors one by one through BIOS, without the assistance of DOS, and so pinpoints even such formidable infectors as STEALTH viruses (known to intercept more than twenty DOS functions), infectors lodged in disk drivers, and viruses not yet recognized. Nearly no other anti-virus utility has such reconnaissance power. Because ADinf reads the disk by addressing BIOS directly, it can spot and kill boot sector infectors even if they have taken control of interrupt INT 13h.

Advanced Diskinfoscope ADinf is an anti-virus utility which, if properly used by booting your system from a hard disk (instead of from a write-protected bootable diskette as required by other anti-virus utilities), will alert you to nearly every virus in your computer, whether known, unknown or potential. Thus ADinf countermines the spiteful projects of virus designers. Nor is this the end of its mission: it leaps seven leagues ahead.
Besides detecting infectors, ADinf can scrupulously x-ray your system for full data integrity and security, and for any other slight modifications of data. This is particularly desirable in a multiuser environment. You will appreciate its instant disk checks.

ADinf Cure Module (ADinfExt.exe), a separate program which can be ordered with ADinf, maintains a small database describing the files on your hard disk. When ADinf reports a virus infection, you can use it at once to clean your machine. It kills up to ninety seven percent of the existing viruses as well as, most importantly, presently unknown viruses.

Disk inspector Dinf, the forerunner of ADinf, was awarded a prize at the 2nd All-Union Anti-Virus Programs Contest in 1990, Kiev (Ukraine).

The designer will be glad to receive remarks and suggestions from users for improving ADinf, the Advanced Diskinfoscope.

COPY PROTECTION!

ADinf is copy-protected against unauthorized duplication. At its first start, ADinf retrieves information about your system and will refuse to function if it is illegally copied to some other computer. Copy protection, however, does not restrict the owner's right to install the program on any number of computers; it safeguards against software piracy.

The noncommercial version of the ADinf program and its accompanying documentation are supplied without any restriction whatsoever for use or distribution for noncommercial and nonprofit purposes. The noncommercial version does not essentially differ from the full-fledged version of the ADinf program: it demonstrates the capabilities of the ADinf program on your system. The noncommercial version (1) does not support PERSONAL tables, (2) cannot repair files through ADinf Cure Module, (3) cannot exclude directories (subdirectories) from checks, (4) cannot save the check results in a log file.
WHAT DO YOU NEED TO RUN ADinf

ADinf runs on IBM PC/XT/AT, PS/2 or compatibles with one or two hard disks and one or two floppy disks under MS-DOS or PC-DOS ver. 3.20 or higher, DR-DOS 5.00 and 6.00, Novell DOS 7.00 and Compaq DOS 3.31. It needs about 100 kb free to run from a hard disk.

ADinf accesses video memory directly, by-passing BIOS, and supports CGA, EGA, VGA and Hercules video adapters.

ADinf can scan drives directly through BIOS under MS Windows and the DESQview multitasking environment.

ADinf can work together with HyperDisk cache versions older than 4.50.

GETTING STARTED

INSTALLING ADVANCED DISKINFOSCOPE ADinf

To install ADinf, insert the diskette containing the ADinf program into drive A (or B, whichever is appropriate to your system), log on to the ADINF directory with the commands

  > a:          (or b:) and press Enter
  > cd \adinf   and press Enter

and type

  > install     and press Enter.

Then answer all the questions of the setup program. The setup program behaves differently depending on whether you are installing ADinf for the first time or upgrading an older version already in your machine.

IF THIS IS THE FIRST TIME YOU ARE INSTALLING ADinf IN YOUR MACHINE, the setup program, after copying the files from the original diskette, will prompt you to add ADinf to your AUTOEXEC.BAT file. Using the UP and DOWN keys, you can choose the place in your AUTOEXEC.BAT file where the ADinf line is inserted, and then press Enter to confirm your choice. If you press Esc at this moment, the AUTOEXEC.BAT file will not be modified. The old contents of your AUTOEXEC.BAT file are saved in the file AUTOEXEC.ADI. If you do not want to add ADinf to your AUTOEXEC.BAT file, choose DON'T ADD from the query. Thereafter the setup program prompts you to create the ADinf diskinfo tables containing the status of the drives in your machine.
IF YOU ARE UPGRADING AN OLDER VERSION ALREADY INSTALLED IN YOUR MACHINE, the setup program will ask your permission to overwrite the old ADinf version, but it will neither prompt you to add ADinf to your AUTOEXEC.BAT file nor create the diskinfo tables afresh, since ADinf continues to use the tables created by the previous version.

USING ADinf JOINTLY WITH SHERIFF

INSTALLING ADinf ON A SHERIFF-PROTECTED COMPUTER

To install Advanced Diskinfoscope if your computer is already protected by the Sheriff protection firmware:

1. switch off the Sheriff protection firmware,
2. install ADinf as described above,
3. start ADinf in interactive mode,
4. select OPTIONS from the main menu,
5. select SETUP PARAMETERS from the submenu,
6. choose SHERIFF SERIAL NO in the submenu; in the box displayed on the screen, type the first five figures of the serial number of your Sheriff firmware and press Enter,
7. quit ADinf, and
8. switch on the Sheriff protection firmware.

INSTALLING SHERIFF ON AN ADinf-PROTECTED COMPUTER

To install the Sheriff protection firmware if Advanced Diskinfoscope is already installed in your computer:

1. start ADinf in interactive mode,
2. select OPTIONS from the main menu,
3. select SETUP PARAMETERS from the submenu,
4. choose SHERIFF SERIAL NO in the submenu; in the box displayed on the screen, type the first five figures of the serial number of your Sheriff firmware and press Enter,
5. install Sheriff as described in its user's manual.

Advanced Diskinfoscope ADinf can be started either automatically from the AUTOEXEC.BAT file or manually by typing its command line at the DOS prompt.
STARTING ADinf FROM AUTOEXEC.BAT FILE

To run ADinf automatically in batch mode, add a line like the following to your AUTOEXEC.BAT file (at installation time you can tell the setup program to do this automatically):

  C:\ADINF\ADinf -d -a -b -lc:\TMP C: D:

where

  C:\ADINF\    directory where ADinf is installed
  -d           check only once a day
  -a           no dialog pauses
  -b           black screen background
  -lc:\TMP     save the report in the C:\TMP directory
  C: D:        drives to be scanned

The options which the ADinf command line accepts are described in detail under the section COMMAND OPTIONS.

STARTING ADinf FROM DOS PROMPT

Advanced Diskinfoscope ADinf can be run in batch mode or in interactive mode by typing its command line at the DOS prompt and then pressing Enter.

STARTING ADinf IN BATCH MODE

In batch mode ADinf checks the drives one after another, executing the options specified in its command line. To run ADinf in batch mode, at the DOS prompt type:

  C:\ADINF\ADinf [options] C: D:

where C:\ADINF\ is the directory where ADinf is installed, [options] stands for any of the options listed below, and C: D: are the drives to be scanned; then press Enter. Advanced Diskinfoscope accepts in its command line the options described below.

COMMAND OPTIONS

In the command line the options must be preceded with a hyphen '-' or a slash '/', separated with a blank space, and may be typed in upper- or lower-case. Asterisked items are used only in batch mode and have no effect in interactive mode.

OPTION          ITS FUNCTION
==============================================================
*1) -a          Suppresses certain minor dialog pauses, for
                example when running from the AUTOEXEC.BAT file.

*2) -b          Blackens the screen background for a better
                view when ADinf is run from the AUTOEXEC.BAT
                file.
3) -co[lor]     Sets color display on a monitor. ADinf
                automatically recognizes whether a computer is
                fitted with a color or monochrome monitor; use
                this switch if something goes wrong.

*4) -d          Runs ADinf "ONLY ONCE A DAY": it does not start
                again on repeated bootings on the same day, even
                if specified in the AUTOEXEC.BAT file.

5) -cl[path]    Writes the scan report to a file in the path
                specified after -cl, e.g., -clC:\ADINF\. If the
                switch -cl is specified without any path, the
                report is saved in the current directory. If a
                log file already exists, the report is appended
                to it. You may also specify a file for writing
                the report by choosing the SAVE LOG IN FILE item
                from the DO YOU WISH TO UPDATE DISKINFO TABLES?
                panel, displayed on pressing ESC from the SCAN
                REPORT window. This panel is displayed only if
                FAST SCAN and INFO MODE in the PROGRAM MODE
                submenu are set to OFF.

6) -e           Removes the HIDDEN attribute assigned to the
                diskinfo files.

7) -f           Runs in fast scan mode without verifying the
                CRC of files. Diskinfo tables are not updated.
                Same as FAST SCAN in the OPTIONS menu.

8) -g           Switches off the Hard Disk Parameter Table
                checks in the RAM BIOS variables area.

9) -i           Toggles INFO MODE. Diskinfo tables are not
                updated after the completion of the checks. This
                switch must NOT be used jointly with the -d
                switch. Same as the INFO MODE item in the
                OPTIONS menu.
10) -l[path]    Writes the scan report to a file in the path
                specified after the switch -l, e.g.,
                -lc:\adinf\. If the switch -l is specified
                without any path, the report is saved in the
                current directory. Differs from the -cl switch
                in that the report overwrites the log file if
                the file already exists.

11) -m          Disables the mouse.

12) -mo[no]     Sets monochrome display on a monitor. ADinf
                automatically recognizes whether a computer is
                fitted with a color or monochrome monitor. Use
                this switch when you want a black-and-white
                display on your color monitor, particularly on
                laptops and notebooks with an LCD VGA display.

13) -n          Hides the title screen even where it would
                otherwise be displayed. By default, it is
                displayed only in interactive mode.

14) -nam        Disables the mouse arrow pointer and uses the
                standard mouse cursor.

15) -nr         Does not wait for retraces on a CGA monitor.

16) -os         Starts ADinf with the old-style interface of
                ADinf versions prior to 9.00, if you prefer it.
                This switch prevents ADinf's internal font table
                from being loaded into EGA/VGA adapters, so it is
                useful when ADinf conflicts with resident
                programs, say, programs that load national fonts
                into the display adapter.

17) -p          Constructs "PERSONAL" diskinfo tables,
                particularly useful on a multiuser PC. For
                greater detail, see the section CUSTOMIZING THE
                ADinf OPERATION.
18) -r          Runs under DR-DOS. ADinf detects its environment
                by the version number. If, when queried for the
                system version, DOS returns 3.31 (which is what
                DR DOS 5.00 does), ADinf does not use the
                unreleased MS-DOS or PC-DOS capabilities. In
                future DR-DOS may return some other number. If
                ADinf hangs under DR-DOS later than 5.0, run it
                with the -r option. Use this option also if you
                are running your computer under Compaq-DOS or
                any other operating system not fully compatible
                with MS-DOS.

19) -s          Toggles beeps ON and OFF. Same as the SOUND item
                in the OPTIONS menu.

20) -Setup:     Specifies the directory or full pathname of the
                file for writing the ADinf status information.
                By default, the file A-Dinf-°.°°° is saved in
                the directory where ADinf.exe is installed. You
                have to define a different directory for this
                file if ADinf is installed in a write-protected
                area of the disk. For this, specify the
                directory pathname in the ADinf command line,
                say, as follows:

                  ADinf C: D: -Setup:D:\READWR\

                to save the ADinf configuration status
                information in the file D:\READWR\A-Dinf-°.°°°.
                You can also specify several file names for
                saving the ADinf configuration status
                information in different files containing
                different lists of filename extensions, names of
                tables, disk access methods, etc. For this,
                specify the names of the files for saving the
                various ADinf configurations in the command
                line, say, as:

                  ADinf C: D: -Setup:My_Setup

                A file My_Setup.°°° will be created in the
                directory where ADinf.exe is installed. If you
                type

                  ADinf C: D: -Setup:D:\SET\My_Setup

                a file My_Setup.°°° will be created in the
                directory D:\SET.

                NOTE. If you type the path or the filename
                wrongly, you will not get any warning message.
*21) -w         Creates new diskinfo tables in batch mode. Same
                as CREATE TABLES in the MODE menu.

22) -13         Disables the check that verifies whether or not
                the interrupt vector is pointing to BIOS. If you
                have SHADOW BIOS (which permits writing to memory
                address areas) installed in your computer,
                disable SHADOW BIOS when you start ADinf for the
                first time on your computer, so that ADinf may
                retrieve and save the address of the Int 13h
                handler. Thereafter you may switch on SHADOW BIOS
                and use the -13 switch.

23) -76         Disables the ADinf internal Int 76h handler.
==============================================================

STARTING ADinf IN INTERACTIVE MODE

If no drives are specified in the command line, e.g.,

  C:\ADINF>ADinf

then on pressing Enter ADinf starts in interactive mode and displays its main menu in the top line across the screen.

ADinf MAIN MENU

When you start ADinf in interactive mode, the screen top line displays the main menu containing five titles: ADinf, DRIVES, MODE, OPTIONS and QUIT. The SCAN DRIVES command from the MODE title is automatically selected, so you may just press Enter to start scanning the drives for which diskinfo tables have already been created.

You move across the menu bar with the Left and Right arrow keys. Arrow to any item and press Enter to pull down its local menu. Using the Up or Down arrow key, you move to an option in these local menus and press Enter to select it. If the option is a command, press Enter to execute it or Esc to cancel it. Alternatively, to select an item from the main menu you may press the highlighted letter in the menu title or click the left mouse button on the menu title. To close a menu panel that is presently pulled down, press Esc or click the right mouse button anywhere free on the screen.
The bottom line of the screen displays the name of the drive being scanned, the addressing route (through BIOS, INT 13h or INT 25h), brief messages and prompts, the type of diskinfo tables (C for common and P for personal) and the amount of memory presently free on your system.

MENU ITEM     ITS PURPOSE
==============================================================
ADinf         View the ADinf version number and other relevant
              info.
DRIVES        Specify the drives to be scanned.
MODE          Choose SCAN DRIVES, SCAN SELECTED, CREATE TABLES
              or STEALTH SEARCH mode.
OPTIONS       Customize ADinf operation parameters (for more
              information see CUSTOMIZING THE ADinf OPERATION
              below).
QUIT          End an ADinf session.
==============================================================

In interactive mode, you can:

(1) scan the hard drives in your computer,
(2) check floppy diskettes for infection,
(3) create ADinf diskinfo tables for your drives,
(4) scan for active Stealth viruses in your computer,
(5) customize certain ADinf parameters to suit your preferences,
(6) scan all files in your drives or only those files whose extensions are specified in the file extension list,
(7) revise the list of extensions of files to be taken under control by ADinf, associate viewers and editors with extensions for viewing and editing files of particular extensions, and specify the type of file CRC used for scanning.

(1) SCANNING THE DRIVES

When you start ADinf in interactive mode, the SCAN DRIVES command from the MODE title is automatically selected, therefore just press Enter to start scanning the drives for which diskinfo tables have already been created.
To scan only selected drives in your computer: first, move to DRIVES in the main menu with the Left or Right arrow and press Enter to pull down the DRIVES local menu. Then move the selection bar to the drive you want to scan and press Enter. A plus sign (+) on the left of the drive name indicates that the drive is selected. A drive is deselected by pressing Enter again: the plus sign changes to a minus sign, signifying that it is not selected for scanning. You may select as many drives as you like for scanning in one run. Then arrow to MODE in the main menu and press Enter. A local menu drops down containing the SCAN DRIVES, SCAN SELECTED, CREATE TABLES and STEALTH SEARCH commands. Arrow to SCAN SELECTED and press Enter to start ADinf scanning the drives specified in the DRIVES panel.

You can abort scanning of any disk at any time by pressing Esc or clicking both mouse buttons together. ADinf will respond with a query:

  ---------------- Stop scanning ? -----------------
     No           this drive           all drives
  --------------------------------------------------

If you choose NO or click the right mouse button, scanning is resumed; if you choose THIS DRIVE, ADinf skips the current drive and proceeds to scan all the other disks; if you choose ALL DRIVES, ADinf abandons its mission and returns to the main menu.

If you press Enter to start scanning without having selected any drives, you get the following error message:

  ------------------- Warning ! --------------------
     No drives selected!
     Press ESC
     Select some from "DRIVES" menu.
  --------------------------------------------------

In such cases, on pressing Esc, ADinf automatically returns you to the DRIVES menu. Select drive(s) and run ADinf again in scan mode.

(2) CREATING DISKINFO TABLES

The procedure is the same as described above, the only difference being that you now choose the CREATE TABLES command from the MODE menu.
(3) CHECKING FLOPPY DISKETTES

Most viruses migrate from computer to computer via diskettes. A clean diskette gets infected easily: insert it into a contaminated computer and just open its directory for viewing, and it may become a virus carrier. But inserting an infected diskette into a computer is not sufficient to inject a virus into your computer: either an infected program on the diskette has to be started or the computer has to be booted from the infected diskette.

To be certain that the diskettes in your possession, and the diskettes you pass on to or obtain from others, are clean, always check them with ADinf. When a diskette is checked with ADinf for the first time, a diskinfo table containing vital information about the diskette is saved on it. Therefore, prior to passing a diskette to others, always check it with ADinf and save the diskinfo tables on it. If the receiver has Advanced Diskinfoscope installed in his computer, he can check the integrity of the data on the diskette. Likewise, you can check whether a diskette obtained from others is virus-infected or clean.

The diskinfo tables written by ADinf on a diskette contain the full information essential for scanning (the list of files under check, the types of CRC of the files, the names of viewers and editors for the files on the diskette). Therefore the diskinfo tables created on a diskette by ADinf on one computer may not tally with the configuration of ADinf diskinfo tables on a different computer.

(4) STEALTH SEARCH MODE

Stealth viruses, as their name implies, are capable of stealthily hiding themselves in an infected machine. The early specimens of infectors did not possess this property and so could be detected visually when an infected file was opened for viewing. Even simple antivirus utilities could suppress their multiplication, and thus such viruses failed to become epidemic hazards.
Advances in antivirus techniques catalyzed new trends in virus design, and the appearance of invisible infectors was the natural next step in the evolution of virus technology. Viruses built on hiding algorithms cannot be seen with the operating system tools. For example, when an infected file is viewed by pressing F3, Norton Commander does not show anything unusual, because the virus removes its body when the file is opened for reading and infects it back on closing. This is one of the hiding methods; there are several other masking techniques. Boot infectors also hide themselves when an infected sector is opened for reading.

In the early development stages, the design of stealth viruses was ahead of the capabilities of the antivirus utilities of the time, and thus the viruses V-4096, XPEH and some other specimens proliferated far and wide. The present ADinf version easily detects newly designed Stealth viruses. For instance, most antivirus utilities were ineffective against the epidemic outbreak in the summer and autumn of 1991 caused by the DIR virus, written with a then unknown detection-dodging algorithm. But on those computers protected by ADinf, this virus was easily trapped and prevented from doing harm.

The hiding algorithm is the weakest link in the design of stealth viruses, and it is the key to successful detection of such a virus on an infected machine. A discrepancy between the file size or CRC given by DOS and the actual size or CRC read from the disk is a definite symptom of virus infection. The hiding capability of the stealth virus betrays its presence in an infected file! Such a comparison algorithm is incorporated in the ADinf code.

To detect STEALTH viruses in your machine:

1) arrow to DRIVES in the main menu,
2) mark the drives you want to scan for stealth viruses by pressing Enter on the drive name A, B, C, ... A drive selected for scanning is tagged with a plus sign "+" on the left of the drive letter.
   If you press Enter on a marked drive letter, the drive is deselected.
3) After selecting the drives for scanning, press the Right arrow key to move to MODE in the main menu and select STEALTH SEARCH from the MODE submenu. Finally press Enter to start scanning the selected drives for stealth viruses.

You may stop scanning any drive at any time as described under SCANNING THE DRIVES.

While scanning for stealth viruses, ADinf checks the MASTER BOOT sector and the BOOT sectors of the logical drives, and then compares the sizes and CRCs of files as given by DOS with the actual values, which it determines by reading the sectors directly, accessing them via BIOS. As soon as it detects any discrepancy in these values, ADinf stops scanning the drives, in order not to spread the infection to other clean directories, and displays the message:

  ---------------------------- Attention! ----------------------------

     For file
        C:\AAAA.COM
     size reported by DOS differs from its real length!

     DOS reports: 5883, real: 9889 bytes, difference: 4016.

     There may be an active STEALTH-VIRUS in the memory!

        CONTINUE        STOP        VIEWER        REBOOT

     Further scanning may inject infection into clean files being
     checked by ADINF! Recommend you to stop scanning, insert into
     drive A a write-protected system diskette, & choosing REBOOT,
     reboot your computer with a clean operating system. Disinfect
     the infected files, prior to starting the computer from your
     hard disk!

  --------------------------------------------------------------------

Choosing VIEWER from this panel, you can view the suspect file: ADinf's built-in viewer prints the file contents on the screen, reading the file directly through BIOS. Choosing REBOOT from this panel, you can clean your computer memory of stealth and other viruses.
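The comparison ADinf makes in STEALTH SEARCH mode, as an added Python example that is not part of ADinf or of this guide. It assumes two reader functions standing in for the DOS route and the direct BIOS route, a constructed three-file drive with made-up sizes, and zlib's CRC-32 in place of ADinf's own CRC:

```python
import zlib
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

# Added example, not ADinf code: it models the STEALTH SEARCH comparison.
# Assumptions: a file's "DOS view" is whatever the operating system returns
# for it (which a resident stealth virus can falsify), and its "raw view" is
# what a direct sector read through BIOS would return. Both views are
# modelled here as byte strings; real ADinf reads the sectors through BIOS.


@dataclass(frozen=True)
class Discrepancy:
    """One file whose DOS view and raw view disagree."""
    path: str
    dos_size: int
    real_size: int
    dos_crc: int
    real_crc: int

    @property
    def size_difference(self) -> int:
        return self.real_size - self.dos_size

    def message(self) -> str:
        # Same information as ADinf's "Attention!" panel.
        return (f"For file {self.path} size reported by DOS differs from its "
                f"real length! DOS reports: {self.dos_size}, real: "
                f"{self.real_size} bytes, difference: {self.size_difference}.")


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def stealth_search(dos_read: Callable[[str], bytes],
                   raw_read: Callable[[str], bytes],
                   paths: Iterable[str]) -> Tuple[Optional[Discrepancy], int]:
    """Compare size and CRC of each file as seen through DOS with the values
    obtained from the raw sectors. Stops at the first discrepancy, as ADinf
    does, so that a resident virus is not handed further files to infect.
    Returns (discrepancy or None, number of files checked)."""
    checked = 0
    for path in paths:
        dos, raw = dos_read(path), raw_read(path)
        checked += 1
        if len(dos) != len(raw) or crc32(dos) != crc32(raw):
            return Discrepancy(path, len(dos), len(raw),
                               crc32(dos), crc32(raw)), checked
    return None, checked


# ---- constructed sample drive --------------------------------------------
# Sizes are made up for this example and do not come from the guide.
VIRUS_BODY = b"\xeb\x13" + bytes(range(256)) * 2          # 514 bytes

RAW_DRIVE = {                                            # path -> bytes on disk
    r"C:\COMMAND.COM": b"\xb4\x09" * 900,                # 1800 bytes, clean
    r"C:\AAAA.COM": b"\xb8\x00\x4c" * 400 + VIRUS_BODY,  # 1200 + 514 = 1714 bytes
    r"C:\UTIL\NU.EXE": b"MZ" + b"\x00" * 2046,           # 2048 bytes, clean
}
SCAN_ORDER = [r"C:\COMMAND.COM", r"C:\AAAA.COM", r"C:\UTIL\NU.EXE"]

# The resident virus hooks the DOS file functions and hides its appended
# body from any program that reads the infected file through DOS.
HIDDEN_TAIL = {r"C:\AAAA.COM": len(VIRUS_BODY)}


def raw_read(path: str) -> bytes:
    """Stand-in for reading the file's sectors directly through BIOS."""
    return RAW_DRIVE[path]


def dos_read(path: str) -> bytes:
    """Stand-in for reading through DOS while the stealth hook is active."""
    data = RAW_DRIVE[path]
    return data[:len(data) - HIDDEN_TAIL.get(path, 0)]


if __name__ == "__main__":
    found, n = stealth_search(dos_read, raw_read, SCAN_ORDER)
    if found is None:
        print(f"{n} files checked, no discrepancy.")
    else:
        print(found.message())
        print(f"Stopped after {n} files; {len(SCAN_ORDER) - n} left unscanned.")
```

A file whose infector is not resident shows the same size and CRC by both routes and produces no discrepancy here; such changes are what the diskinfo table comparison of SCAN DRIVES catches, so STEALTH SEARCH complements that check rather than replacing it.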
To clean the memory, insert in drive A (or the drive appropriate to your system) a write-protected bootable diskette containing a clean operating system and an antivirus utility capable of killing stealth viruses, say, V-Hunter. Then choose REBOOT from this panel to reboot your machine and run the antivirus program from the diskette. If the virus residing in your machine is already known, V-Hunter will kill it. If not, the virus is definitely a hitherto unknown stealth infector, and you should call for help from the nearest Antivirus Service available to you or restore your information from a backup copy.

ADinf automatically checks for Stealth viruses in newly created files, because certain Stealth viruses infect files only when they are created, for example while copying from a diskette or unpacking a compressed file. By default, this mode is ON. Since this check consumes a certain amount of time, you may switch it OFF by choosing the menu route OPTIONS -> SETUP PARAMETERS -> INFO UNDER CHECK -> SS NEW FILES.

(5) CUSTOMIZING THE ADinf OPERATION

Using the OPTIONS title from the main menu, you can customize certain ADinf parameters to suit your convenience and preferences. The menu tree structure of the OPTIONS title is schematically represented below:

  OPTIONS
    TABLES
    PROGRAM MODES
      SOUND
      FAST SCAN
      INFO MODE
    SETUP PARAMETERS
      EXTENSION LIST
        EXTENSIONS
        CRC TYPES
      INFO UNDER CHECK
        EXTENSIONS
        STABLE FILES
        BOOT-SECTORS
        BAD CLUSTERS
        DIRECTORIES
        SKIP TREES
        HDP TABLES
        SS NEW FILES
      TABLE FILE NAME
      PERS. TABLE PATH
      DRIVE ACCESS TYPE
      TREEINFO.NCD FILE
      PATH TO VIEWERS
      FILE LIST SORTING
        BY EXTENSION
        BY DIRECTORY
        KEEP UNSORTED
      SHERIFF SERIAL NO
      CURE FILE SUPPORT
        ADINFEXT NAME
        FOR COMMON TABLES
        FOR PERSONAL TABLES
        CURE MODULE SETUP (***)

  (***) - available only for ADinf Cure Module versions later than 3.30

The second level menu of the OPTIONS title contains three items: TABLES, PROGRAM MODES and SETUP PARAMETERS.

--- TABLES has two commands: COMMON, to construct tables for the machine as a whole regardless of the number of users operating the computer, and PERSONAL, for you alone. The two choices are toggled by selecting the item. Ordinarily, ADinf creates diskinfo tables in the root directory of the drive being checked. In "PERSONAL" mode these tables are created in the directory containing ADinf. You can copy ADinf to your own directory or to a separate floppy and thus conduct a personal check to detect the changes that occurred in your absence.

This check from a floppy should be used with great caution. If you run ADinf from a floppy containing the diskinfo tables of some other computer, the consequences would be disastrous, especially if you restore the MASTER BOOT or BOOT sector of your system from them.

You can also specify a directory for saving the personal diskinfo tables. For this, choose PERS. TABLES PATH from the PROGRAM MODES item in the OPTIONS title of the main menu, type the full pathname in the panel displayed on the screen and press Enter.

--- The PROGRAM MODES menu contains three toggling commands: SOUND, FAST SCAN and INFO MODE. SOUND beeps are toggled ON and OFF by selecting the item. FAST SCAN is toggled ON and OFF by selecting the item. When FAST SCAN is set to ON, file CRCs are not calculated, and the diskinfo tables and TREEINFO.NCD files are not updated.
INFO MODE, when set to ON, will not update diskinfo tables and TREEINFO.NCD files every time ADinf is run, even if the diskinfo of your system has changed since the last check.

--- The SETUP PARAMETERS menu contains ten items for customizing certain ADinf operation parameters to suit your preference and convenience.

On choosing EXTENSION LIST from the SETUP PARAMETERS menu and pressing , a local menu containing two options, EXTENSIONS and CRC TYPE, drops down. On choosing EXTENSIONS and pressing , you get two panels: a FILE EXTENSION LIST containing the extensions of files under control with their viewers and editors, and a SELECT EXTENSION panel showing the editing keys.

    Files:   Viewer        Editor
    .COM     wpview.exe    nu.exe
    .EXE     wpview.exe    nu.exe      <- selection bar
    .SYS     wpview.exe    edit.com
    .BAT     wpview.exe    edit.com
    .LIB     wpview.exe    edit.com
    .OVL     wpview.exe    nu.exe
    .OVY     wpview.exe    nu.exe
    .DRV     wpview.exe    nu.exe
    .BAK     wpview.exe    nu.exe
    .ZIP     arcview.exe
    .ARJ     arcview.exe
    .PAK     arcview.exe

    Select extension
    Use keys:
               - Edit;
       ,       - Select;
      Gray <+> - Add;
      Gray <-> - Delete;
               - Quit.

You may edit the file extension list to add the extensions of files to be taken under control by Advanced Diskinfoscope, or to delete the extensions of files you no longer need to control.

ADDING AND DELETING FILE EXTENSIONS

To delete a file extension, select the extension you want to delete with the or key, and then press gray <->. Press to quit the panel. To add a file extension, press gray <+>. At once the selection bar jumps to an empty row created at the bottom of the table. Type the file extension. After you are done, press to finish or to edit the viewer and editor columns.
EDITING THE VIEWER AND EDITOR COLUMNS

By editing the VIEWER and EDITOR fields, you may associate with each file extension a separate viewer and editor capable of displaying and editing a file with that extension. After adding or deleting file extensions, while you are still in the extension panel, press to invoke EDIT MODE: immediately the SELECT EXTENSION panel changes to the EDIT MODE panel.

    (the same FILE EXTENSION LIST as above, now with the EDIT MODE panel beside it)

    Edit mode
    Use keys:
       - Done;
       - Cancel;
       - Ins/Ovt;
       - field.

To edit an item in the viewer or editor column of the file extension list, press to jump to the appropriate column. After you have finished editing the viewer and editor columns, press to save the edits. You may edit the text in INSERT or OVERTYPE mode, toggling your preference with the key. After you are done with editing, press to finish. Press to cancel the edit command.

SELECTING THE CRC TYPE

First arrow to EXTENSION LIST in the SETUP PARAMETERS menu and press to drop down the local menu containing two items: EXTENSIONS and CRC TYPE. On choosing CRC TYPE and pressing , the screen displays two panels as follows:

    Files:   CRC type
    .COM     Fast
    .EXE     Fast        <- selection bar
    .SYS     Full
    .BAT     Full
    .LIB     No CRC
    .OVL     No CRC
    .OVY     No CRC
    .DRV     No CRC

    CRC types selection
    FAST CRCs provide virus protection and high scan speed.
    For full disk checks select FULL CRC. But scan rate will be slower.
    Use NO CRC for fast disk checks.
    Use keys:
      , , ,  - select files,
             - select CRC type,
      ,      - end selection

You can specify for each file extension the type of CRC to be calculated while scanning. The CRC types available are FAST, FULL and NO CRC, and their functions are as follows:

    CRC TYPE   | Function
    -----------+-------------------------------------------------------
    NO CRC     | CRC for the file is not calculated.
    FAST CRC   | provides safe virus protection at a sufficiently fast
               | scanning rate, for COM and EXE files only.
    FULL CRC   | guarantees complete control over data security, but at
               | a slower scanning rate.

To specify the type of CRC for a file extension, choose CRC TYPE from the FILES LIST submenu and press . Move the selection bar to the desired file extension with the or key and repeatedly press to set the CRC type you want. Finally, press or to finish.

The INFO UNDER CHECK menu contains seven items for setting the parameters so that ADinf checks the drives the way you want it to. Advanced Diskinfoscope can check all the files on your disks or only those files whose extensions you specify in the file extension list. If you want to keep strict control over your disks, choose ALL FILES from the EXTENSIONS submenu of the INFO UNDER CHECK submenu. But if you want to save time, you may limit the extensions of files to be checked. The previous section describes how to edit the file extension list.
The list of files to be scanned can be specified separately for the COMMON and PERSONAL commands in the OPTIONS menu. For COMMON tables the default setting is BY LIST, to scan COM, EXE, SYS, BAT, BIN, LIB, OVL, OVY, DRV, PIF and PGM files only. This list is quite adequate to safeguard against virus infection. For PERSONAL tables the default setting is ALL FILES, and the list includes COM, EXE, SYS, BAT, BIN, LIB, OVL, OVY, DRV, BAK, ZIP, ARJ, PAK, PIF and PGM files. You may, however, edit the default list of file extensions and thus define any group of files to put under the stringent control of Advanced Diskinfoscope.

Using the STABLE FILES panel, you can specify a list of files which should always remain intact. ADinf checks these files by their full CRC and reports the slightest modification it detects as suspicious. To edit a file in this list, move the selection bar to its filename and press . A cursor appears. Now you can edit the filename as with any text editor. Once you are done with editing, press . Use or to delete a filename from the list.

Using the BOOT-SECTORS panel, you can tell ADinf to check or not to check the boot sector of a drive. For this, move to the drive name letter and, repeatedly pressing , toggle CHECK or DON'T CHECK, whichever is appropriate. You may have to switch off BOOT-SECTORS, particularly when a drive is compacted with STACKER, because it modifies the boot sector of the drive it compresses.

Using the BAD CLUSTERS panel, you can tell ADinf to check or not to check for bad clusters newly created in a drive. You handle this panel in the same way as described in the previous paragraph.

Using the DIRECTORIES panel, you can tell ADinf to check or not to check for changes (newly created and deleted directories) in the directory tree structure of a drive.

SKIP TREES. You can tell ADinf to skip its checks for those directories that are frequently accessed or that contain frequently edited files.
For this, after ADinf has created its tables for the drives in your machine (ADinf automatically creates these tables when you run it for the first time; you can also create them afresh at any time by choosing CREATE TABLES from the MODE title of the main menu):
1) select OPTIONS from the main menu,
2) choose SETUP PARAMETERS from the OPTIONS submenu,
3) choose INFO UNDER CHECK,
4) choose SKIP TREES from the INFO UNDER CHECK submenu,
5) arrow to the desired drive name letter in the list column at the left edge of the panel,
6) press TAB or ENTER to open an on-screen panel displaying the tree structure of the selected drive,
7) arrow to the directory or subdirectory which you want to exclude from the ADinf checks and press Enter (you may also use your mouse).

The selected directory is then displayed in a contrasting color, while all other directories are shown in black. In a checking session, Advanced DiskinfoScope still scans the directories and subdirectories that you have marked for exclusion; it only omits them from its status report, unless it expertizes them as suspicious (see SUSPICIOUS CHANGES below).

Using the HDP TABLES panel, you can tell ADinf to check or not to check the Hard Disk Parameter (HDP) tables in memory in the BIOS area. Press to toggle between TABLES ARE UNDER CHECK and TABLES NOT UNDER CHECK. A check mark near the item indicates that it is currently active. By default, ADinf does not check the Hard Disk Parameter tables.

Using the SS NEW FILES panel, you can switch the automatic search for stealth viruses in new files ON and OFF. For full information, see the section SEARCHING FOR STEALTH VIRUSES.

TABLE FILE NAME. By default, Advanced DiskinfoScope saves its diskinfo table for each hard disk separately in a file on the same drive and names it ADinfÍxͲ²² (where x is the drive name letter).
Viruses specifically designed to dodge detection by ADinf may alter the contents of the ADinf diskinfo tables. To fool such viruses, you may rename the ADinf diskinfo table file as follows:
1. select OPTIONS from the main menu,
2. choose SETUP PARAMETERS from the OPTIONS submenu,
3. choose TABLE FILE NAME.
In the on-screen box displaying ADinfÍxͲ²², type a new name and press Enter. If you make a typing mistake or want to change the file name, back up all the way to the first character and retype the new name.

On choosing PERS. TABLES PATH from the SETUP PARAMETERS menu, you get a pane for specifying the full path of the directory where you want ADinf to save the personal diskinfo tables. If no path is specified, the personal tables are saved in the directory where ADinf.exe is installed.

DRIVE ACCESS TYPE. Using the DRIVE ACCESS TYPE command from the SETUP PARAMETERS submenu of the OPTIONS menu, you can tell ADinf how it should access a disk when checking for infection: through BIOS, through INT 13h, or through INT 25h/26h. ADinf scans disks partitioned by the DOS FDISK utility by accessing them directly through BIOS. If necessary, you may tell ADinf to access drives through INT 13h or INT 25h/26h. For this,
1. select OPTIONS from the main menu,
2. choose SETUP PARAMETERS from the OPTIONS submenu,
3. choose DRIVE ACCESS TYPE.
A panel will pop up on the screen displaying drive names and their access paths (BIOS by default). To change the access path of a drive:
1. arrow to the drive name letter,
2. specify your choice by repeatedly pressing or or clicking the left mouse button to toggle from BIOS to INT 13h and then to INT 25h/26h,
3. press or click the right mouse button to finish.

TREEINFO.NCD FILE. When this mode is selected, ADinf automatically updates the drive's TREEINFO.NCD file created by Norton Commander and the Norton Change Directory utility; there is no need to tell Norton Commander to rescan your drives to update these files, since ADinf compiles the full tree structure of your drives and can write it into the TREEINFO.NCD files. By default this mode is unselected.

On choosing PATH TO VIEWERS from the SETUP PARAMETERS menu, you get a pane for specifying the full paths of the directories where ADinf may search for external viewers and editors. You may specify several paths, separating them with semicolons [;].

Using the FILE LIST SORTING command, you can tell ADinf to display the new, changed, deleted, moved and renamed files in its report sorted either by filename extension or by directory.

SHERIFF SERIAL NO. Choosing this command from the submenu of the OPTIONS title in the main menu, you may type the first five digits of the serial number of the Sheriff protection firmware, if it is installed in your computer (refer to USING ADinf JOINTLY WITH SHERIFF).

Using the CURE FILE SUPPORT item, you can activate or disable the ADinf Cure Module (the separate program ADinfExt.exe) for curing by either the personal or the common diskinfo tables. For this, select CURE FILE SUPPORT from the INFO UNDER CHECK menu and press . You get a pane displaying three items: ADINFEXT NAME, FOR COMMON TABLES and FOR PERSONAL TABLES. Arrow to your option and press to pull down a pane for setting SUPPORT or DON'T SUPPORT. For each drive, set with whether or not to clean the files controlled by the common or personal diskinfo tables. During installation, the setup program of the ADinf Cure Module prompts you to rename the ADinfExt.exe file in order to dodge viruses that damage executable files whose names begin with the letters ADIN. ADinf automatically recognizes the renamed ADinfExt program.
Using the ADINFEXT NAME option, you can change the name of this file.

At every start-up ADinf runs in interactive mode, using the parameters set in the previous session. If the -i, -f, -s or -p options are specified in the command line, ADinf additionally applies them.

USEFUL TIPS

IT IS ALWAYS SAFE:
(1) to run some anti-virus utility, say the very popular and effective V-Hunter (or SCAN), to check your system for infection by known viruses prior to installing ADinf on your computer,
(2) to run ADinf a few times a day, especially if you swap floppies quite often,
(3) to prevent accidental damage, loss and virus infection, to make a copy of the original ADinf and never run the program from the original diskette.

IMPORTANT!!! Whenever ADinf displays a warning or an error message, REFER TO WARNING AND ERROR MESSAGES IN THE ADinf USER'S GUIDE FOR HELP AND REMEDY.

ADinf reads a disk by addressing BIOS directly. These calls cannot be intercepted by computer infectors, nor by any other memory-resident program. For the same reason, disk read-write cache utilities may create certain problems. ADinf is friendly to disk-read caches but conflicts with a write-cache utility, as they both compete to address BIOS concurrently, and this is illegal. Such conflicts can be avoided in two ways:
1) Disable the write-cache program prior to starting ADinf; after ADinf completes its checks, you may switch the cache back on again. For instance, to exclude your drives C and D from write-caching by SmartDrv.exe, use the command: SmartDrv C D and to switch it back on again use the command: SmartDrv C+ D+.
2) The other way of avoiding this conflict is to tell ADinf to access all your drives, except drive C, via Int 13. For this, choose OPTIONS from the main menu, then SETUP PARAMETERS from the submenu and finally DRIVE ACCESS TYPE from the local menu. Arrow to the drive name letters in your machine one after another and, repeatedly pressing the key, set "Int 13" as the drive access path for all drives. For drive C, leave the default setting as it is. After this ADinf will not conflict with your write-cache utility, but virus detection becomes somewhat less reliable.

NOTE: From version 9.00 onward, ADinf is fully compatible with HyperDisk write cache version 4.50 or later. No problems arise with this cache utility.

HOLDING VIRUSES IN LEASH

(1) Never leave the changes reported by Advanced Diskinfoscope unattended. If you do not know the cause of such changes, take immediate action to remedy the situation.
(2) If you are not able to understand the ADinf messages, call expert service personnel to get help.
These two simple measures, if taken in time, will help you keep your computer free from infectors which might otherwise infiltrate your system unnoticed.

SPEEDKEYS

You may use the following keyboard shortcuts to speed up your work in an ADinf session:

    ESC    | to abort the ADinf scanning mission,
    Alt+D  | temporary exit to DOS,
    Alt+V  | to call any DOS command,
    Alt+S  | to toggle sound ON or OFF,
    Alt+P  | to edit internal paths for viewers,
    F1     | to get on-line help on key usage,
    F10    | to end an ADinf session.

ADinf STRATEGY

HOW DOES ADinf INSPECT A DISK

When ADinf is started for the first time, it reads vital information about such parameters of your system as the memory size, the address of the INT 13 handler in BIOS, the Hard Disk Parameter Tables, the MASTER BOOT and BOOT sectors, the list of bad clusters, the directory tree and information on all files under control; it then creates a DISKINFO TABLE for every drive scanned and saves the retrieved information in it for comparison in subsequent checks.
ADinf also checks whether INT 13h was pointing to BIOS before DOS was loaded. In all these check-ups ADinf, as already noted, scans your disk sector by sector, addressing BIOS directly without using INT 21h and INT 13h, in order to detect memory-resident viruses that have intercepted these vital interrupts.

At every subsequent start, ADinf reads the parameters listed above and compares them with those saved in the diskinfo tables. In the course of inspection it notes the slightest modification in the size of the memory allotted to DOS, the Hard Disk Parameter Tables, the MASTER BOOT sector and the BOOT sectors of every logical drive, as well as the list of new bad clusters, directories and files newly created or deleted since the last check, and changed files. After checking every drive under its control, if ADinf expertizes a change in diskinfo as "suspicious", it immediately issues an on-screen WARNING to alert you to possible virus infection. If the changes are "harmless" (say, changes in file creation date and time), it produces a SCAN REPORT. You can view the report in interactive mode or save it in a log file.

ADinf regards a change as "suspicious" if a file is modified:
a) without any change in date and time (most well-designed viruses do not change date and time);
b) with an invalid date setting (greater than 31, 12 and the current number for day, month and year, respectively); some viruses label infected files by setting such strange dates;
c) with an invalid time setting (greater than 58, 59 and 23 for second, minute and hour, respectively);
d) for a file included in the STABLE FILES list, any change, however slight, is reported as suspicious.

Good clusters may be marked BAD by certain viruses in order to hide in them. ADinf also alerts you to such situations.

IF THINGS GO WRONG, ANYWAY...
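Before the individual report messages are discussed, here is the comparison described under HOW DOES ADinf INSPECT A DISK written out as an added Python example. It is not ADinf's code and reads no real disk: both snapshots are constructed in the script, the CRC is CRC-32 (standing in for the manual's FULL CRC), the STABLE FILES list is a constructed one, and the pairing of moved and renamed files by an unchanged record is this example's own assumption, since the manual does not say how ADinf does it. The four "suspicious" rules (a to d), the memory-size check and the bad-cluster list are implemented as the text states them.

```python
"""Added example, not ADinf's own code: a miniature ADinf-style check.
Constructed baseline and current snapshots are compared as the manual describes
(DOS memory size, boot-sector image, bad clusters, per-file CRC plus packed DOS
date/time), applying the four "suspicious" rules of the ADinf STRATEGY section."""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRec:
    crc: int    # CRC of the whole file (the manual's FULL CRC)
    size: int
    date: int   # packed DOS date: (year-1980)<<9 | month<<5 | day
    time: int   # packed DOS time: hour<<11 | minute<<5 | second//2


@dataclass
class Snapshot:
    memory_kb: int           # memory allotted to DOS
    boot_sector: bytes       # saved image of the boot record
    bad_clusters: frozenset  # cluster numbers marked BAD
    files: dict              # path -> FileRec for files under control


STABLE_FILES = {"C:\\COMMAND.COM"}   # constructed STABLE FILES list (rule d)


def pack_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day


def pack_time(hour, minute, second):
    return (hour << 11) | (minute << 5) | (second // 2)


def invalid_date(packed, current_year):
    """Rule b: day > 31, month > 12 or a year later than the current one."""
    year, month, day = 1980 + (packed >> 9), (packed >> 5) & 0xF, packed & 0x1F
    return day > 31 or month > 12 or year > current_year


def invalid_time(packed):
    """Rule c: second > 58 (DOS keeps 2-second units), minute > 59, hour > 23."""
    hour, minute, second = packed >> 11, (packed >> 5) & 0x3F, (packed & 0x1F) * 2
    return second > 58 or minute > 59 or hour > 23


def classify_change(path, old, new, current_year):
    """Verdict for a controlled file whose record differs from the baseline."""
    if path.upper() in STABLE_FILES:
        return "suspicious"             # rule d: any change at all
    if (old.crc, old.size) == (new.crc, new.size):
        return "harmless"               # only the date/time stamp moved
    if (old.date, old.time) == (new.date, new.time):
        return "suspicious"             # rule a: contents changed, stamp untouched
    if invalid_date(new.date, current_year) or invalid_time(new.time):
        return "suspicious"             # rules b and c
    return "harmless"


def compare(base, cur, current_year):
    """Build a scan-report dictionary from a baseline and a current snapshot."""
    rep = {"memory": None, "boot_changed": cur.boot_sector != base.boot_sector,
           "new_bad_clusters": sorted(cur.bad_clusters - base.bad_clusters),
           "new": [], "deleted": [], "changed": {}, "moved": [], "renamed": [],
           "suspicious": []}
    if cur.memory_kb != base.memory_kb:
        rep["memory"] = (base.memory_kb, cur.memory_kb)
        if cur.memory_kb < base.memory_kb:   # shrinkage is how a boot infector shows up
            rep["suspicious"].append("memory size decreased")
    if rep["boot_changed"]:
        rep["suspicious"].append("boot record changed")
    for path in sorted(base.files.keys() & cur.files.keys()):
        if base.files[path] != cur.files[path]:
            verdict = classify_change(path, base.files[path], cur.files[path], current_year)
            rep["changed"][path] = verdict
            if verdict == "suspicious":
                rep["suspicious"].append("changed file " + path)
    # Pairing moved/renamed files is this example's own heuristic (the manual does
    # not say how ADinf does it): a vanished record reappearing unchanged elsewhere.
    unmatched = {}
    for path in base.files.keys() - cur.files.keys():
        unmatched.setdefault(base.files[path], []).append(path)
    for path in sorted(cur.files.keys() - base.files.keys()):
        olds = unmatched.get(cur.files[path])
        if not olds:
            rep["new"].append(path)
            continue
        old = olds.pop(0)
        same_dir = old.rsplit("\\", 1)[0] == path.rsplit("\\", 1)[0]
        rep["renamed" if same_dir else "moved"].append((old, path))
    rep["deleted"] = sorted(p for paths in unmatched.values() for p in paths)
    return rep


def build_sample():
    """Constructed snapshots (not real disk data) exercising every rule."""
    def rec(data, d=pack_date(1991, 12, 31), t=pack_time(23, 11, 6)):
        return FileRec(zlib.crc32(data) & 0xFFFFFFFF, len(data), d, t)
    boot = bytes(range(64))
    base = Snapshot(640, boot, frozenset({17}), {
        "C:\\COMMAND.COM": rec(b"command"), "C:\\NC\\NC.EXE": rec(b"nc"),
        "C:\\UTIL\\TOOL.EXE": rec(b"tool"), "C:\\TMP\\NOTES.TXT": rec(b"notes"),
        "C:\\TMP\\TEMP.$$$": rec(b"tmp"), "C:\\DOC\\OLD.TXT": rec(b"old"),
        "C:\\TMP\\WORK.DOC": rec(b"work")})
    d1, t1 = pack_date(1992, 1, 1), pack_time(0, 15, 12)
    cur = Snapshot(639, boot[:-1] + b"\xff", frozenset({17, 2048}), {
        "C:\\COMMAND.COM": rec(b"command", t=pack_time(23, 12, 0)),     # stable: stamp only
        "C:\\NC\\NC.EXE": rec(b"nc" + b"\x90" * 1024),                 # grew, stamp untouched
        "C:\\UTIL\\TOOL.EXE": rec(b"tool!", d=pack_date(1992, 13, 1)),  # month 13
        "C:\\TMP\\NOTES.TXT": rec(b"notes v2", d1, t1),                # ordinary edit
        "C:\\ARCHIVE\\OLD.TXT": rec(b"old"),                           # moved
        "C:\\TMP\\WORK.BAK": rec(b"work"),                             # renamed
        "C:\\ADINF\\ADINF.LOG": rec(b"log", d1, t1)})                  # new
    return base, cur


if __name__ == "__main__":
    for key, value in compare(*build_sample(), 1992).items():
        print(f"{key:17}: {value}")
```

Run it as a script and the printed dictionary mirrors the scan report described next: the memory drop from 640k to 639k and the altered boot image each raise a warning, COMMAND.COM is flagged for a timestamp-only change because it is a stable file, NC.EXE because it grew without its stamp moving, and TOOL.EXE because its new date carries month 13, while the edited NOTES.TXT with a valid new stamp stays harmless.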
RESPONDING TO ADINF SCAN REPORT MESSAGES

Regardless of the operation mode (batch or interactive), Advanced Diskinfoscope, after checking a drive, always prints a SCAN REPORT on the screen, whether or not the disk information has changed since the last check. If there are no changes in the disk information and the -a switch is not included in the command line, you get a panel as shown below:

    Drive C: Scan Report
    Current time is 23h 45m 13s 31 December 1991
    Tables were created at 23h 11m 6s 31 December 1991
    133 directories and 1276 files scanned
    No changes found.
    Press any key ...

After waiting for two minutes (counted down in the highlighted bar), unless you press a key earlier, ADinf automatically proceeds to scan the next drive (if any) or returns to the main menu. When ADinf detects changes in any one of the vital parameters of your system, it highlights the changes in disk information in the scan report:

    Drive C: Scan Report
    Current time is 0h 2m 12s 1 January 1992
    Tables were created at 23h 46m 22s 31 December 1991
    133 directories and 1278 files scanned
    Changes in Diskinfo
      F2  Master boot sector   : Okay.
      F3  Boot Record          : Okay.
      F4  New Bad Cluster      : None
      F5  New Directories      : 1
      F6  Deleted Directories  : 1
      F7  Changed Files        : None
      F8  New Files            : 9
      F9  Deleted Files        : 7
      M   Moved Files          : None
      R   Renamed Files        : 2
    Use: , , , , ,

The report is quite self-explanatory, and therefore we describe only briefly how to handle it. Press the key in the first column next to a changed item to get detailed information about the changes. These keys are inoperative, however, if ADinf shows "OKAY" or "NONE" against an item in the scan report. The , , , keys move the selection bar over the item list, opens the selected item and quits the table.

If ADinf expertizes that a change in any one of the items in the report is "suspicious", it superimposes a warning panel on the scan report:

    ATTENTION!!!
    CHANGES IN YOUR COMPUTER SHOW SIGNS OF VIRUS ACTIVITY

When you come across this warning message and the ADinf Cure Module (ADinfExt.exe) is installed on your machine, on pressing you get the panel shown below:

    Do you wish to update diskinfo table ?
    UPDATE    DON'T UPDATE    CURE    SAVE LOG IN FILE

If you select CURE, ADinf will continue its checks on the other drives; after all the work is done it will ask you to put a bootable floppy disk with the ADinf Cure Module in drive A, and then reboot your system.

If the ADinf Cure Module is not available on your machine, then on seeing this warning message immediately abort the ADinf program and run some antivirus utility, say V-Hunter or SCAN or any other program available on your system. For this purpose, first press to invoke the DOS prompt (see the section SPEEDKEYS) and then type the command line: V-Hunter * or SCAN C: D: E: F:.

Anti-virus utilities, despite their ability to detect and clean a large number of viruses, are nevertheless limited in their efficacy: they safeguard your computer only against the viruses they recognize and are helpless if some new virus has infiltrated your machine. It is here that Advanced Diskinfoscope comes to your rescue.
Closely study the "suspicious" changes it highlights in red in its scan report. If you cannot diagnose the cause of these changes, call for knowledgeable service personnel. Certain viruses, while infecting a file, corrupt its creation time and date. Although ADinf does not highlight such changes as "suspicious", if you find a rather large number of files with such changes, or modifications in system files like COMMAND.COM or NC.EXE, you must be on the alert and remedy the situation.

CHANGES IN MEMORY SIZE

At every start ADinf checks the amount of memory allotted to DOS. It may change due to mechanical faults developed in the memory chips or to the installation of memory-resident programs and drivers which occupy the higher memory addresses. Many viruses also reside in the higher addresses, thereby reducing the amount of memory allotted to DOS. When the memory size is reduced, ADinf alerts you as follows:

    Attention!
    Memory size in your computer changed!
    Old size: 640k, New size: 639k (Change 1k)
    May be, boot infector in your computer!
    SAVE NEW SIZE IN TABLE    CONTINUE

If you know for certain why the DOS memory area has changed, you may choose SAVE NEW SIZE IN TABLE and press . ADinf will then resume scanning. The new memory size saved in the table will be used in all subsequent checking sessions. If you do not know the reason for the change in memory size, choose CONTINUE and press . Be attentive to every modification ADinf reports.

Memory size may also increase, say when you remove some memory-resident driver which snatches memory from DOS. In such cases ADinf displays a milder message:

    Attention!
    Memory size in your computer changed!
    Old size: 639k, New size: 640k (Change 1k)
    SAVE NEW SIZE IN TABLE    CONTINUE

If you know for certain why the DOS-resident memory area has increased, you may choose SAVE NEW SIZE IN TABLE and press to resume scanning.

CHANGES IN MASTER BOOT SECTOR OR BOOT SECTOR

On detecting any change in the master boot sector containing the partition table, or a change in the boot sectors of your drives, Advanced Diskinfoscope alerts you with the warning message:

    Attention!
    Boot record changed!
    May be, virus in your computer!
    CONTINUE    RESTORE    MORE...

Choosing MORE..., you can compare the contents of your system tables before and after the modifications. If you are unable to decipher these changes, stop work on your computer and call for qualified service personnel. If you are certain that the changes in your partition table or boot sector are due to virus activity or to program bugs, you can easily restore the previous sector by choosing RESTORE. On pressing , ADinf will confirm your intention by displaying a query:

    ARE YOU QUITE SURE ?
    YES    NO

If you answer YES, ADinf will repair your system by copying back the images of the original sectors saved in its diskinfo tables. Before proceeding to restore the sector, ADinf will prompt you to type a name for a file in which to save the infected boot sector for future detailed analysis. If you don't want to save the infected boot sector, simply press to clear the query panel. After repairing the partition table or the boot sector, ADinf will recommend that you reboot your system.
Please do reboot the system; otherwise the virus may remain in memory and reinfect your disk.

NEW BAD CLUSTERS

New bad clusters may appear on your disk in two different ways. When some disk manager like Norton Disk Doctor is run to test the disk surface, unusable clusters are marked BAD by these diagnostic programs. In such cases the message on new bad clusters in the scan report is unimportant, and ADinf will not warn about these bad clusters in subsequent sessions. If you have not tested your disk with such a diagnostic program, new bad clusters, if any, are evidently due to a recent virus infection. Continue to check your disk and pay special attention to all changes reported by ADinf. As a rule, a virus hiding in a cluster which it marks BAD to dodge detection inevitably corrupts the boot sector, partition table or files, as the virus obtains control from them for its malicious activity.

CHANGES IN DIRECTORY SYSTEM

Advanced Diskinfoscope, as already noted in the overview, is not just an anti-virus utility. It is a full-fledged diagnostic center: it detects any change that has occurred in the diskinfo. For example, the sample scan report reproduced above informs you that one directory has been newly created since the last check. On pressing F4, the directory tree of the drive scanned is displayed, highlighting the name of the newly created directory (EXAMPLE) in a contrasting color (yellow):

    New directories
    \
    ├─ EXAMPLE            <- highlighted
    ├─ EXE
    ├─ WINDOWS
    ├─ DOC
    │  ├─ HELP!
    │  ├─ INTERRPT
    │  │  ├─ A
    │  │  ├─ B
    │  │  └─ C
    │  └─ DOS.DOC
    ├─ BC
    │  ├─ LIB
    │  ├─ BIN
    │  ├─ INCLUDE
    Full Name: C:\EXAMPLE
    Files: ;  Exit:

Move the selection bar with the , , , keys over any one of the directories and press . A panel displays the files in the directory that are under control. If there are no files under control, you get a NO FILES UNDER CHECK message. Press [or ] to clear the panel. Now, on pressing to clear the scan report panel, ADinf will respond:

    Do you wish to update diskinfo table ?
    UPDATE    DON'T UPDATE    SAVE LOG IN FILE

To save the SCAN REPORT in a file, choose SAVE LOG IN FILE and press . You are prompted to type a name for the log file. Either accept the name proposed in the panel (the report is saved in a log file in the directory where ADinf is installed) or type a name including the path, say C:\ADINF\ADINF.log, and press . If you have specified the pathname improperly, or if the diskette is write-protected, ADinf will respond:

    Warning!
    Cannot create file for writing log file.
    Press ESC

Fix the mistake and press . After saving the report in the log file, ADinf will redisplay the above panel. Choose either UPDATE or DON'T UPDATE and press to clear the panel.

Likewise, if you open a deleted directory entry highlighted in the scan report, the panel displays the list of files that were in the directory before deletion.

CHANGES IN FILE SYSTEM

If the ADinf scan report reports changes in newly created, renamed, moved, deleted or changed files, you can get detailed information about these changes. The sample scan report informs you that nine new files have been created on drive C since the last check. Press the F8 key and you get a panel listing the names of all newly created files:
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ New files ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ· ³°C:\ADINF\ADINF.LOG°°°°°°°°°°°°°°°°°°°°°°°°°°°°ÛÛ ³ C:\WORD\ADINFMAN.DOC þÛÛ ³ C:\PCX\PCXGRAB.EXE ±ÛÛ ³ C:\PCX\README.TXT ±ÛÛ ³ C:\NC\INREAD.TXT ±ÛÛ ³ C:\WINWORD\HELP.DOC ±ÛÛ ³ C:\WINDOWS\CONTROL.EXE ±ÛÛ ³ C:\WINDOWS\CONTROL.HLP ±ÛÛ ³ C:\MASTER\MANUAL.LST ±ÛÛ ³ ±ÛÛ ³ ±ÛÛ ³ ±ÛÛ ³ ÛÛ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄþ±±±±±±±±±±±±±±±±±±±±±±±±±±±±ĶÛÛ ³ File information: ºÛÛ ³ Date : 1 January 1992 ºÛÛ ³ Time : 0h 15m 12s ºÛÛ ³ Length: 1962 ºÛÛ ÔÍÍÍÍÍ View;Edit;Delete;Exit: ¼ÛÛ ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ VIEWING AND EDITING FILES OF CHANGED INFORMATION To view and edit one of these files in the panel, first move the selection bar onto the desired file with or key and then press or to view or edit it. If a viewer and an editor are associated with the extension of the file under consideration, then the file is at once opened on pressing these keys for viewing and editing. The directories where ADinf searches for external viewers and editors are specified in a list showing their full pathnames separated by a semicolon. You can edit this list, choosing OPTIONS->PATH TO VIEWERS from the main menu or pressing the key combination . If no viewer or editor is specified in the FILE EXTENSION LIST (see the section REVISING THE FILE EXTENSION LIST), you will be prompted to select a MASTER viewer or an editor, depending on the keys pressed. Type the command line of the viewer or editor and press . Or you may press to cancel the command. Pressing , you may also use a simple built-in viewer activated via BIOS. If the viewer associated with a file extension is unsatisfactory, you can use the MASTER VIEWER and MASTER EDITOR toggle keys and , respectively, to quickly change over to another viewer and editor to experiment whether better display is possible. On pressing these keys, you are prompted to select MASTER VIEWER or MASTER EDITOR program. Type the name of some other viewer or editor and press . 
Thereafter you can view or edit the file with the help of the newly appointed viewer or editor. Press to cancel the SELECT MASTER VIEWER or MASTER EDITOR panel.

To delete a file of changed information, first move the selection bar to the name of the file and then press . ADinf will then ask you to confirm with an on-screen query and will delete the file only after you confirm your decision.

NOTE. External viewers and editors do not reveal many Stealth viruses because they read the disk through DOS, whereas ADinf detects them by scanning the disk with the help of BIOS. Use the simple built-in viewer (pressing the F3 key) in such cases.

ERROR AND WARNING MESSAGES

Advanced Diskinfoscope is an intelligent and user-friendly system. Whenever it suspects a situation is precarious, it alerts you by displaying a warning message, and whenever it finds your action or response illegal or unwarranted, it displays an error message. The following is an alphabetical list of error and warning messages that may be displayed on the screen while you are running ADinf on your computer. The cause of each message, followed by a brief description of the actions you can take, is given under each item.

BEFORE DOS WAS LOADED INT 13H WAS ADDRESSED TO RAM (NOT TO ROM BIOS).
This warning may appear when ADinf is started on your machine for the first time. At the first start ADinf determines the value of the INT 13h vector as it was before DOS was loaded and checks whether the vector pointed into BIOS or not. If not, ADinf displays this warning message and determines the address of INT 13h by another method.

CANNOT CREATE FILE FOR WRITING LOG
ADinf reports that it cannot create a file for writing the log if you did not specify the pathname properly or if the diskette is write-protected.

CANNOT START PROGRAM
When you called some external viewer or editor, ADinf failed to start the program because of a lack of memory space or because the directory containing the program is not specified in the PATH= settings.
DISK x: ACCESS DENIED.
With this message ADinf reports that it cannot read the BOOT sector of the drive under check, for example, if no diskette is inserted in the drive.

ERROR WHILE CHECKING DRIVE
ADinf was not able to read the sectors of the drive being scanned. Restart ADinf, and if the error message is repeated, test your hard disk with some diagnostic tool.

ERROR WHILE RESTORING
This message is displayed when ADinf encounters a write error while restoring the MASTER BOOT or the BOOT sector. Try to restore your system by running ADinf once again, and if the error is repeated, test your hard disk with some diagnostic tool.

ERROR WHILE WRITING LOG FILE
ADinf reports that it cannot write the log file if you did not specify the pathname properly, if the diskette is write-protected, or when there is not enough room for writing the log file.

LOG IS NOT SUPPORTED IN NONCOMMERCIAL VERSION! PLEASE, BUY A FULL-FLEDGED ADINF VERSION.
The message is straightforward and needs no explanation.

ERROR WHILE WRITING TABLE
This message is displayed when the diskette is write-protected or when there isn't enough room to write the tables.

INSUFFICIENT MEMORY.
This message tells you that ADinf failed to execute some operation because of a lack of memory space. If you get this message, remove unnecessary memory-resident programs and drivers, reboot your system and start ADinf once again.

INVALID KEY
ADinf displays this error message if you have typed an invalid drive in the command line or if you have forgotten to type a hyphen or a slash before the command options. Check your command line and restart the program.

INVALID OPTION IN COMMAND LINE
ADinf displays this error message if you type an invalid option in the command line. Check your command line and restart the program.

LENGTH OF ADINF.EXE FILE CHANGED
This message is displayed when ADinf is infected.
If you get this message, continue scanning, carefully note the changes reported by ADinf and take appropriate measures.

MAY BE, ADINF.EXE FILE INFECTED. PAY SPECIAL ATTENTION TO CHANGES IN FILES
At every start the full-scale Advanced Diskinfoscope version runs special tests to detect self-infection. If you get this message, continue scanning, carefully note the changes reported by ADinf and take appropriate measures.

NO DISKINFO TABLE FOR DRIVE X:
This message may appear under several circumstances:
1. No diskinfo tables were ever created for the drive;
2. Diskinfo tables were created with a different version of Advanced Diskinfoscope;
3. Diskinfo tables have been corrupted;
4. The TABLES item in the OPTIONS menu is not properly set; for example, you might have created them using the COMMON tables option, but you are now testing the machine under the PERSONAL tables option, or vice versa;
5. You have changed the path to personal tables in the PERS. TABLES PATH item in SETUP PARAMETERS.
The cause of the error that generated this warning is diagnosed in the message bar at the bottom line of the screen. ADinf will prompt you to create new tables to fix the problem.

SORRY, ILLEGAL ADINF COPY, SIR! NEITHER SHALT THOU STEAL. THE TEN COMMANDMENTS
ADinf is copy-protected. If you install an illegal copy on your computer it will refuse to function and display the above message. This message may also appear when you try to copy even a legally purchased program from one computer to another. In such cases, reinstall the program from the original diskette.

THERE ARE MORE THAN xxx DIRECTORIES
To check a disk at a fast scan rate, ADinf creates diskinfo tables in memory. The maximum number of tables which ADinf can construct is defined in its source code.
You get this message if your disk contains more directories than the threshold value (rather a rare situation in practice). The designer, however, will be glad to correct the threshold specifically for you, so please contact him.

THERE ARE MORE THAN xxx FILES ON THE DISK.
The cause of this message is the same as in the case of the message THERE ARE MORE THAN xxx DIRECTORIES. First, try the BY LIST option in the LIST menu; if it does not work, then delete from the FILE EXTENSION LIST a few extensions of files that do not need strict inspection for viruses.

THE NUMBER OF PHYSICAL HARD DRIVES HAS CHANGED: OLD: 0, NEW 0
This message is displayed whenever you add or remove a physical disk from your computer. In such cases, using CREATE TABLES from the MODE title of the main menu, create tables for your reconfigured system afresh. If you get this message when no changes have been made to the configuration of your system, there is probably some virus in your computer.

HARD DISK PARAMETER TABLE IN BIOS VARIABLES AREA FOR PHYSICAL DRIVE 80H CHANGED!
ADinf complains of such changes whenever you replace the hard drive in your system. In such cases, choose SAVE NEW INFO from the on-screen warning message panel and press . ADinf will do the rest for you. If, however, you have not replaced the hard drive, this message may forewarn of a virus attack on your computer. In such cases, choose MORE INFO from the on-screen warning message panel and press to obtain detailed information about your Hard Disk Parameter Table. Certain memory-resident programs or some BIOSes may modify the HARD DISK PARAMETER TABLE, and if you frequently get this message, you may disable the check by choosing the TABLES NOT UNDER CHECK command. Its menu path is as follows: OPTIONS -> SETUP PARAMETERS -> INFO UNDER CHECK -> HDP TABLES -> TABLES NOT UNDER CHECK. By default, this check is disabled.

WRONG PATH. PRESS ALT+P TO SPECIFY PATHS. MULTIPLE PATHS ARE ALLOWED; A SEMICOLON (;) MUST SEPARATE PATHS.
You get this message when ADinf doesn't find any external viewer or editor. The directories where ADinf searches for external viewers and editors must be specified in a panel showing their full pathnames separated by a semicolon ';'. You can edit this list by choosing OPTIONS -> PATH TO VIEWERS from the main menu or by pressing Alt+P.

ACKNOWLEDGMENTS

The idea of writing Advanced Diskinfoscope crystallized in a series of discussions and disputes. The program was initially compiled in 1989 as a simple Disk Inspector (Dinf), which has since grown into a powerful diagnostic tool in line with the suggestions and remarks of its numerous users and well-wishers. I express my sincere gratitude to Vitaly Ladygin for donating countless hours to developing the underlying principles of the program and for writing two subroutines of ADinf, to Prof. Nikolai Bezrukov for advice and encouragement, to Aleksandr V. Lapinsky for valuable suggestions on MS Windows support, to Yuri V. Kravatsky for designing the pseudographic mouse cursor support library, to Aleksandr S. Samotokhin for extending his helping hand with his unfathomable knowledge of video adapters whenever I needed it, and finally to Dr. Naidu Psv for taking upon himself the tedious task of thoroughly revising and translating the Russian manuscript of the USER'S GUIDE.

REFERENCES

ADinf is a registered trademark of DialogueScience Inc., Moscow, Russia.
MS-DOS and WINDOWS are registered trademarks of Microsoft Corporation, USA.
DR-DOS is a registered trademark of Digital Research Corporation, USA.
IBM PC XT/AT PS2 and PC DOS are registered trademarks of International Business Machines Corporation, USA.
SCAN is a registered trademark of McAfee Associates, USA.
NORTON UTILITIES is a registered trademark of Symantec Corporation, USA.
V-Hunter is a registered trademark of DialogueScience Inc., Moscow, Russia.
SHERIFF is a trademark of DialogueScience Inc., Moscow, Russia.
STACKER is a trademark of Stac Electronics, USA.
HERCULES is a registered trademark of Hercules Computer Technology Inc., USA.
Other names are the registered trademarks or the trademarks of the respective companies.

DialogueScience, Inc., Ul. Vavilov 40, Room No. 103-a, Moscow 117967 GSP-1, Russia.
Tel/Fax: (+7-095) 938-2970, 137-0150
BBS:     (+7-095) 938-2856 (14400/V.32bis, 19200/ZyXEL) - general line
         (+7-095) 938-2969 (14400/V.32bis, 19200/ZyXEL) - subscribers only
FidoNet: 2:5020/69, 2:5020/69.4
E-mail:  lyu@dials.msk.su   - Sales and Support Department
         root@dials.msk.su  - Modem link service
         dmost@dials.msk.su - ADinf author