TopWare Tools

home *** CD-ROM | disk | FTP | other *** search

/ TopWare Tools / TOOLS.iso / tools / top1345 / adinf.txt < prev next >

Wrap

Text File | 1994-01-27 | 102.0 KB | 2,044 lines

▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ▓▓▓▓▓┌──────────────────────────────────────────────────────────────────╖▓▓▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓╪╪╪╪╪╪╪╪░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ Moscow 1994. ▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓╪╪╪╪╪╪╪╪╪╪░░▓▓▓╪╪╪╪╪╪╪╪░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓▓▓╪╪╪░░░░░╪╪╪░░▓╪╪╪╪╪╪╪╪╪╪╪░░▓▓╪╪╪░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓▓╪╪╪░░▓▓▓╪╪╪░░▓╪╪╪░░░░░░╪╪╪░░▓╪╪╪░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓╪╪╪╪╪╪╪╪╪╪╪░░▓╪╪╪░░▓▓▓▓╪╪╪░░▓▓░░░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╪╪╪╪╪╪░▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓╪╪╪╪╪╪╪╪╪╪╪░░▓╪╪╪░░▓▓▓▓╪╪╪░░▓╪╪╪░▓▓╪╪╪╪╪╪╪░▓▓▓▓▓▓▓╪╪╪╪╪╪░░▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓╪╪╪░░░░░╪╪╪░░▓╪╪╪░░▓▓▓▓╪╪╪░░▓╪╪╪░░▓╪╪╪╪╪╪╪╪╪░▓▓▓▓▓╪╪╪░░░░░▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓╪╪╪░░▓▓▓╪╪╪░░▓╪╪╪░░▓▓▓▓╪╪╪░░▓╪╪╪░░▓╪╪╪░░░░╪╪╪░▓▓▓▓╪╪╪░░▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓╪╪╪░░▓▓▓╪╪╪░░▓╪╪╪╪╪╪╪╪╪╪╪░░▓▓╪╪╪░░▓╪╪╪░░▓▓╪╪╪░░╪╪╪╪╪╪╪╪╪░▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓░░░▓▓▓▓▓░░░▓╪╪╪╪╪╪╪╪╪╪░░▓▓▓╪╪╪░░▓╪╪╪░░▓▓╪╪╪░░▓▓░╪╪╪░░░░▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░░░░░░░░▓▓▓╪╪╪░░▓╪╪╪░░▓▓▓╪╪╪░░▓▓╪╪╪░░▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░▓▓╪╪╪░░▓▓▓▓▓╪╪╪░░╪╪╪░░▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░▓▓▓▓▓▓▓░░░╪╪╪░░▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╪╪╪░░▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓ (c) Dmitry Mostovoy ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╪╪╪░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓ ▓▓▓▓▓╘══════════════════════════════════════════════════════════════════╝░░▓▓▓▓ ▓▓▓▓▓▓▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▓▓▓▓ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ┌───────────────────────────────────────────────────────────╖ │ Advanced Diskinfoscope (ADinf) ║██ │ ║██ │ Anti-virus Center ║██ │ ║██ │ Designed by (c) Dr. Dmitry Mostovoy ║██ │ 1991-1994 ║██ │ ║██ │ Moscow, Russia ║██ ╘═══════════════════════════════════════════════════════════╝██ █████████████████████████████████████████████████████████████ Version 9.22 of January 6 1994 Size 100 000 bytes (noncommercial version - 97008) ---------------------------------------- USER's GUIDE ---------------------------------------- DialogueScience, Inc. Moscow, Russia 1994 CONTENTS BEFORE YOU BEGIN What is Advanced Diskinfoscope ADinf? ................ Copy protection!...................................... What do you need to run ADinf......................... GETTING STARTED Installing Advanced Diskinfoscope ADinf............... Using ADinf jointly with Sheriff...................... Installing ADinf on a Sheriff-protected computer... Installing Sheriff on an ADinf-protected computer.. Starting ADinf from AUTOEXEC.BAT file................. Starting ADinf from DOS prompt........................ Starting ADinf in batch mode.......................... Command options....................................... Starting ADinf in interactive mode.................... ADinf MAIN MENU Scanning the drives................................... Creating diskinfo tables.............................. Checking floppy diskettes............................. Stealth search mode................................... Customizing the ADinf operation....................... USEFUL TIPS It is always safe .................................... Holding viruses in leash.............................. Speedkeys............................................. ADinf STRATEGY How does ADinf inspect a disk?........................ IF THINGS GO WRONG, ANYWAY Responding to ADinf report messages................... Changes in memory size........................... Changes in MASTER BOOT sector or BOOT sector..... New bad clusters................................. Changes in directory system...................... Changes in file system........................... Viewing & editing files of changed information... ERROR AND WARNING MESSAGES................................. QUESTIONS AND ANSWERS...................................... ACKNOWLEDGMENTS........................................... REFERENCES................................................. DISTRIBUTOR IN RUSSIA...................................... BEFORE YOU BEGIN WHAT IS ADVANCED DISKINFOSCOPE ADinf? Timely detection of infection guarantees successful curing ! Advanced Diskinfoscope ADinf is a disk information inspector, more precisely, a disk infection meter: how it works is described later. It surpasses most other anti-virus programs as it scans a disk by reading its sectors one by one through BIOS without the assistance of DOS to pinpoint even such formidable infectors like STEALTH viruses known to intercept more than twenty DOS functions, infectors in disk drivers as well as viruses yet unrecognized. Nearly no other anti-virus utility has such a reconnaissance power. Additionally, ADinf reads a disk directly addressing BIOS to spot and kill boot sector infectors even if they have taken control over the interrupt INT 13h. Advanced Diskinfoscope ADinf is the an anti-virus utility which, if properly used by booting your system from a hard disk (instead of from a write-protected bootable diskette as required by other anti-virus programs), will alert you for nearly every virus in your computer - known, unknown or potential ones. Thus ADinf countermines the spiteful projects of computermites - the virus designers. This is not the end of its mission - it leaps seven leagues ahead. Besides detecting infectors, ADinf can scrupulously x-ray your system for full data integrity, security and any other slight modifications of data. This is particularly desirable in a multiuser environment. You will appreciate its instant disk checks. ADinf Cure Module (AinfExt.exe) - a separate program which may be supplied with ADinf - maintains a small database describing the files on your hard disk. When ADinf reports virus infection, you may instantly use it to clean your machine. It kills up to ninty six percent of the existing viruses as well as, that is most important, presently unknown viruses. Code inspector Dinf - the forerunner of ADinf - was awarded a prize at the 2nd All-Union Anti-Virus Programs Contest in 1990, Kiev (USSR). The designer will be glad to receive from users remarks and suggestions for improving ADinf - Advanced Diskinfoscope. COPY PROTECTION! ADinf is copy-protected against unauthorized duplication. At the first start, ADinf retrieves information about your system and will refuse to function if it is illegally copied on some other computer. Copy protection, however, does not restrict owners' rights to install the program on any number of computers but safeguards against software piracy. WHAT DO YOU NEED TO RUN ADinf ADinf runs on IBM PC/XT/AT, PS2 or compatibles with one or two hard disks and one or two floppy disks under MS or PC-DOS ver. 3.20 or higher or DR-DOS. It needs about 100 kb free to run from a hard disk and supports partitions larger than 32 Mb. ADinf gains access to video memory directly by-passing BIOS and supports CGA, EGA, VGA and Hercules video-adapters. ADinf can scan drives directly by BIOS under MS Windows and DESQview multitasking environment. ADinf can work together with HyperDisk cache versions older then 4.50. GETTING STARTED INSTALLING ADVANCED DISKINFOSCOPE ADinf To install ADinf in your computer, insert the original diskette into drive A and type A:\install, press Enter. And answer all the questions of the setup program. The setup program behaves differently, depending on whether you are installing ADinf for the first time or upgrading an older version in your machine. IF THIS IS THE FIRST TIME YOU ARE INSTALLING ADinf IN YOUR MACHINE, the setup program, after copying the files from the original diskette, will prompt you to tack ADinf to your AUTOEXEC.BAT file. Using the UP and DOWN keys, you can choose a place for tacking ADinf in your AUTOEXEC.BAT file and then press <Enter> to confirm your choice. If you press <ESC> at this moment AUTOEXEC.BAT file will not be modified. The old status of your AUTOEXEC.BAT file will be saved in the file AUTOEXEC.ADI. If you do not want to add ADinf to your AUTOEXEC.BAT file choose DON'T ADD from the query. Thereafter the setup program prompts you to create ADinf diskinfo tables containing the status of drives in your machine. IF YOU ARE UPGRADING AN OLDER VERSION ALREADY INSTALLED IN YOUR MACHINE, the setup program will ask your permission to overwrite the old ADinf version but will not prompt you to tack ADinf to your AUTOEXEC.BAT file nor will it create diskinfo tables afresh as ADinf will continue to utilize the tables created by the previous version. USING ADinf JOINTLY WITH SHERIFF INSTALLING ADinf ON A SHERIFF-PROTECTED COMPUTER To install Advanced DiskinfoScope, if your computer is already protected by the Sheriff protection firmware: 1. switch off the Sheriff protection firmware, 2. Install ADinf as described above, 3. Start ADinf in interactive mode, 4. select OPTIONS from the main menu, 5. select SETUP PARAMETERS from the submenu, 6. choose SHERIFF SERIAL NO in submenu. In the box displayed on the screen, type the first five figures in the serial number of your Sheriff firmware and press Enter. 7. quit ADinf and 8. switch on the Sheriff protection firmware. INSTALLING SHERIFF ON AN ADinf-PROTECTED COMPUTER To install the Sheriff protection firmware, if Advanced DiskinfoScope is already installed in your computer, 1. start ADinf in interactive mode, 2. select OPTIONS from the main menu, 3. select SETUP PARAMETERS from the submenu, 4. choose SHERIFF SERIAL NO in submenu. In the box displayed on the screen, type the first five figures in the serial number of your Sheriff firmware and press Enter. 4. install Sheriff as described in its user's manual. Advanced Diskinfoscope ADinf can be started either automatically from the AUTOEXEC.BAT file or manually by typing its command line at the DOS prompt. STARTING ADinf FROM AUTOEXEC.BAT FILE To run ADinf automatically in batch mode, modify your AUTOEXEC.BAT file by adding a line as follows (at the time of installation you can tell the setup program to do this automatically) C:\ADINF\ADinf -d -a -b -lD:\TMP C: D: ─────────┐ ─┐ ─┐ ─┐ ───────┐ ─────┐ │ │ │ │ │ └─ Drives to be scanned │ │ │ │ │ │ │ │ │ │ Save report in │ │ │ │ └ C:\TMP directory │ │ │ │ │ │ │ └───────── Black screen background │ │ └──────────── No dialog pauses │ └─────────────── Check only once a day └─────────────────────── Directory where ADinf is installed The options which the ADinf command line accepts are described in detail under the section COMMAND OPTIONS. STARTING ADinf FROM DOS PROMPT Advanced Diskinfoscope ADinf can be run in batch mode or in interactive mode by typing its command line at the DOS prompt and then pressing <Enter>. STARTING ADinf IN BATCH MODE In the batch mode ADinf checks the drives one after another, executing the options specified in its command line. To run ADinf in batch mode, at the DOS prompt type: C:\ADINF\ADinf [<Options>] C: D: ───┬───── ─┐ ─┐ │ └──┴─── drives to be scanned │ └───────────────── Directory where ADinf is installed and press <Enter>. Advanced Diskinfoscope accepts in its command line the options described below. COMMAND OPTIONS In the command line the options must be preceded with a hyphen '-' or a slash "/" and separated with a blank space and may be typed in upper- or lower-case. Asterisked items are used only in batch mode and have no effect in interactive mode. OPTION │ ITS FUNCTION ═══════════════╪════════════════════════════════════════════════ *1) -a │ To suppress certain minor dialog pauses, │ for example, when running from │ AUTOEXEC.BAT file. ───────────────┼──────────────────────────────────────────────── *2) -b │ To blacken the screen background for │ better view when ADinf is run from │ AUTOEXEC.BAT file. ───────────────┼──────────────────────────────────────────────── 3) -co[lor] │ To set color display on a monitor. │ ADinf automatically recognizes whether a │ computer is fitted with a color or │ monochrome monitor. Use this switch if │ something goes wrong. ───────────────┼──────────────────────────────────────────────── *4) -d │ To run ADinf "ONLY ONCE A DAY" and not to │ initiate at repeated bootings on the same │ day, even if specified in AUTOEXEC.BAT file. ───────────────┼──────────────────────────────────────────────── 5) -cl[<path>]│ To write scan report in a file of the path │ specified after -cl, e.g., -clC:\ADINF\. │ If the switch -cl is specified without any │ path, the report is saved in the current │ directory. If a log file already exists, the │ report is appended to it. Or you may also │ specify a file for writing the report, │ choosing the SAVE LOG IN FILE item from the │ DO YOU WISH TO UPDATE DISKINFO TABLES? panel │ displayed on pressing ESC from the SCAN REPORT │ window. This panel is displayed, only if the │ FAST SCAN and INFO MODE in the PROGRAM MODES │ submenu are set to OFF. ───────────────┼──────────────────────────────────────────────── 6) -e │ To undo the attribute HIDDEN assigned to │ diskinfo files. ───────────────┼──────────────────────────────────────────────── 7) -f │ To run in fast scan mode without verifying │ the CRC of files. Diskinfo tables are not │ updated. Same as FAST SCAN in OPTIONS menu. ───────────────┼──────────────────────────────────────────────── 8) -g │ To switch off the Hard Disk Parameter Tables │ checks in RAM BIOS variables area. ───────────────┼──────────────────────────────────────────────── 9) -i │ To toggle INFO MODE. Diskinfo tables are │ not updated after the completion of check │ ups. This switch must NOT be used jointly │ with -d switch. Same as INFO MODE item in │ OPTIONS menu. ───────────────┼──────────────────────────────────────────────── 10) -l[<path>] │ To write the scan report in a file of the path │ specified after the switch -l, e.g., │ -lC:\ADINF\. If the switch -l is specified │ with any path, the report is saved in the │ current directory. Differs from the -ßl switch │ in that the report is overwritten on a log │ file, if the file already exists. ───────────────┼──────────────────────────────────────────────── 11) -m │ To disable the mouse. ───────────────┼──────────────────────────────────────────────── 12) -mo[no] │ To set monochrome display on a monitor. │ ADinf automatically recognizes whether a │ computer is fitted with a color or │ monochrome monitor. Use this switch when │ you want black-and-white display on │ your color monitor, particularly on laptops │ and notebooks with LCD VGA display. ───────────────┼──────────────────────────────────────────────── 13) -n │ To hide the title screen even where it ought │ to be displayed. By default, it is displayed │ only in interactive mode. ───────────────┼──────────────────────────────────────────────── 14) -nam │ To disable the mouse arrow pointer and to use │ the standard mouse cursor. ───────────────┼──────────────────────────────────────────────── 15) -nr │ Do not wait for retraces on CGA-monitor. ───────────────┼──────────────────────────────────────────────── 16) -os │ To start ADinf with the old style interface of │ ADinf prior to version. 9.00 if you prefer it. │ This switch disables the ADinf's internal font │ table from being loaded into EGA/VGA adapters, │ so it is useful when ADinf conflicts with any │ resident programs, say, programs that load │ national fonts into the display adapter. ───────────────┼──────────────────────────────────────────────── 17) -p │ To construct "PERSONAL" diskinfo tables │ particularly useful in a multiuser PC. │ For greater detail, see the section │ CUSTOMIZING THE ADinf OPERATION. ───────────────┼──────────────────────────────────────────────── 18) -r │ To run under DR-DOS. ADinf detects its │ environment by the version number. If to │ query on system version, DOS returns 3.31 │ (which is what DR DOS 5.00 does), ADinf │ does not use the unreleased MS or PC-DOS │ capabilities. In future DR-DOS may return │ some other number. If ADinf hangs under │ DR-DOS later than 5.0, run it with -r option. │ Use this option, if you are running your │ computer under Compaq-DOS or any other opera- │ ting system not fully compatible with MS-DOS. ───────────────┼──────────────────────────────────────────────── 19) -s │ To toggle beeps ON and OFF. Same as │ SOUND item in OPTIONS menu ───────────────┼──────────────────────────────────────────────── 20) -Setup: │ To specify the directory or full pathname of │ the file for writing the ADinf status │ information. By default, the file │ A-Dinf-░.░░░ is saved in the directory where │ ADinf.exe is is installed. You have to │ define a different directory for this file, │ if ADinf is installed on a write-protected │ area in the disk. For this, in the ADinf │ setup command line, specify the directory │ pathname, say, as follows: │ ADinf C: D: -Setup:D:\READWR\ │ to save the ADinf configuration status │ information in file D:\READWR\A-Dinf-░.░░░. │ You can also specify several filenames for │ saving the ADinf configuration status │ information in different files containing │ different lists of filename extensions, names │ of tables, disk access methods, etc. For │ this, specify the names of files for saving │ various ADinf configuration information in │ the setup command line, say, as: │ ADinf C: D: -Setup:My_Setup. │ A file My_Setup.░░░ will be created in the │ directory where ADinf.exe is installed. If │ you type │ ADinf C: D: -Setup:D:\SET\My_Setup, │ a file My_Setup.░░░ will be created in the │ directory D:\SET. │ │ NOTE. If you type the path or the filename │ wrongly, you will not get any warning │ message. ───────────────┼──────────────────────────────────────────────── *21) -w │ To create new diskinfo tables in batch │ mode. Same as CREATE TABLES in MODE menu. ───────────────┼──────────────────────────────────────────────── 22) -13 │ To disable the check that verifies whether or │ not the interrupt vector is pointing to BIOS. │ If you have SHADOW BIOS which permits writing │ in memory address areas installed in your │ computer, disable SHADOW BIOS when you start │ ADinf for the first time on your computer so │ that ADinf may retrieve and save the address │ of Int 13h handler. Thereafter you may switch │ on SHADOW BIOS and use the -13 switch. ───────────────┼──────────────────────────────────────────────── 23) -76 │ To disable ADinf internal Int 76h handler. ═══════════════╧════════════════════════════════════════════════ STARTING ADinf IN INTERACTIVE MODE If no drives are specified in the command line, e.g., C:\ADINF>ADinf, on pressing <Enter>, ADinf starts in interactive mode and displays its main menu in the top line across the screen. ADinf MAIN MENU When you start ADinf in interactive mode, the screen top line displays the main menu containing five titles: ADinf, DRIVES, MODE, OPTIONS & QUIT. The SCAN DRIVES command from the MODE title is automaticallly selected, so you may just press <Enter> to start scanning the drives for which diskinfo tables have already been created. You move across the menu bar with <Right> and <Left> arrow keys. Arrow to any item and press <Enter> to pull down its local menu. Using <Up> or <Down> arrow key, you move to an option in these local menus and press <Enter> to select it. If the option is a command, press <Enter> to execute it or <Esc> to cancel it. Alternatively, to select an item from the main menu you may press the highlighted letter in the menu title or click the left button of your mouse on the menu title. To close a menu panel that is presently pulled down, press <Esc> or click the left button of your mouse anywhere free on the screen. The bottom line of the screen displays the name of the drive being scanned, addressing route (through BIOS or INT13h or INT 25h) brief messages and prompts, type of diskinfo tables (C for common and P for personal) and the size of the memory space presently free on your system. MENU ITEM │ ITS PURPOSE ═════════════╪═══════════════════════════════════════════════ ADinf │ To view ADinf ver. No and other relevant info. ─────────────┼─────────────────────────────────────────────── DRIVE │ To specify the drives to be scanned. ─────────────┼─────────────────────────────────────────────── MODE │ To choose SCAN DRIVES, SCAN SELECTED, │ CREATE TABLE or STEALTH-SEARCH mode. ─────────────┼─────────────────────────────────────────────── OPTIONS │ To customize ADinf operation parameters. │ (For more information see CUSTOMIZING THE │ ADinf OPERATION below). ─────────────┼─────────────────────────────────────────────── QUIT │ To end an ADinf session. ═════════════╧═══════════════════════════════════════════════ In the interactive mode, you can: (1) scan hard drives in your computer, (2) check floppy diskettes for infection, (3) create ADinf diskinfo tables for your drives, (4) scan for active Stealth-viruses in your computer, (5) customize certain ADinf parameters to suit your preferences, (6) scan all files in your drives or only those files whose extensions are specified in the file extension list, (7) revise the list of extensions of files to be taken under control by ADinf, associate viewers and editors with extensions for viewing and editing files of particular extensions and specify the type of file CRC for scanning. (1) SCANNING THE DRIVES When you start ADinf in interactive mode, the SCAN DRIVES command from the MODE title is automaticallly selected, therefore just press <Enter> to start scanning the drives for which diskinfo tables have already been created. To scan only selected drives in your computer: first, move to DRIVES in the main menu with <Right> or <Left> arrow, and press <Enter> to pull down the DRIVES local menu. Then move the selection bar to the drive you want to scan and press <Enter>. A plus sign (+) on the left of the drive name indicates the drive is selected. A drive is deselected by pressing <Enter> again - the plus sign changes to minus sign, signifying it is not selected for scanning. You may select as many drives as you like for scanning in one run. Then, arrow to MODE in the main menu and press <Enter>. A local menu drops down containing SCAN DRIVES, SCAN SELECTED, CREATE TABLES and STEALTH SEARCH commands. Arrow to SCAN SELECTED and press <Enter> to start ADinf for scanning the drives specified in the DRIVES panel. You can abort scanning of any disk at any time by pressing <Esc> or clicking two mouse buttons together. And ADinf will respond with a query: ┌──────────────── Stop scanning ? ─────────────────╖ │ No this drive all drives ║██ ╘══════════════════════════════════════════════════╝██ ████████████████████████████████████████████████████ If you choose NO or click the mouse right button, scanning is resumed; if you choose THIS DRIVE, ADinf will proceed to scan all other disks and if you choose ALL DRIVES, ADinf abandons its mission to return to main menu. If, without selecting any drives, on pressing <Enter> to start scanning, you get the following error message: ┌─────────────────── Warning ! ────────────────────╖ │ No drives selected! ║██ │ Press ESC ║██ │ Select some from "DRIVES" menu. ║██ ╘══════════════════════════════════════════════════╝██ ████████████████████████████████████████████████████ In such cases, on pressing <Esc>, ADinf automatically returns you to DRIVES menu. Select drive(s) and run ADinf again in scan mode. (2) CREATING DISKINFO TABLES The procedure is the same as described above, the only difference being now you choose CREATE TABLES command from the MODE menu. (3) CHECKING FLOPPY DISKETTES Most of the viruses migrate from computer to computer via diskettes. A clean diskette gets easily infected: insert it into a contaminated computer and just open its directory for viewing - it may become a virus carrier. But inserting an infected diskette into a computer is not sufficient to inject a virus into your computer: either an infected program on the diskette has to be started or the computer has to be booted from an infected diskette. In order to be certain that the diskettes in your possession, or the diskettes you pass on to or obtain from others are clean, always check them with ADinf. When a diskette is checked with ADinf for the first time, a diskinfo table containing vital information about the diskette is saved on it. Therefore, prior to passing a diskette to others, always check it with ADinf and save the diskinfo tables on it. If the receiver has Advanced Diskinfoscope installed in his computer, he can check the integrity of the data on the diskette. Likewise, you can check up whether a diskette obtained from others is virus-infected or clean. The diskinfo tables written by ADinf on a diskette contain full information essential for scanning (the list of files under check, types of CRC of files, names of viewers and editors for the files on the diskette). Therefore the diskinfo tables created on a diskette by ADinf in one computer may not tally with the configuration of ADinf diskinfo tables on a different computer. (4) STEALTH SEARCH MODE Stealth viruses, as their name implies, are capable of stealthily hiding themselves in an infected machine. The early specimens of infectors did not possess this property and so could be detected visually when an infected file is opened for viewing. Even simple antivirus utilities could suppress their multiplication and thus virus failed to be epidemic hazardous. Advancement in new antivirus techniques catalyzed new trends in virus design and the appearance of invisible infectors was the natural step in the evolution of virus technology. Viruses designed on hiding algorithms cannot be viewed with the operating system tools. For example, when an infected file is viewed by pressing F3, Norton Commander does not show anything unusual because the virus removes its body when the file is opened for reading, and infects it back on closing. This is one of the hiding methods and there are several other masking techniques. Boot infectors also hide themselves when an infected sector is opened for reading. In the early development stages, the design of stealth viruses was ahead of the potentialities of the antivirus utilities. And thus the viruses V-4096, XPEH and some other specimens proliferated far and wide. The present ADINF version easily detects newly designed Stealth viruses. For instance, most of the antivirus utilities were ineffective against the epidemic outbreak in the summer and autumn of 1991 due to the incidence of DIR virus written with an unknown detection-dodging algorithm. But on those computers protected by ADINF, this virus was easily trapped and prevented from doing harm. Hiding algorithm is the weakest link in the design of stealth viruses. This algorithm is the key to successful detection of this virus on an infected machine. Discrepancy in the file size or CRC given by DOS and its actual size or CRC is a definite symptom of virus infection. Hiding capability of the stealth virus betrays its presence in an infected file! Such a comparison algorithm is incorporated in ADINF code. To detect STEALTH viruses in your machine 1) arrow to DRIVES in the main menu, 2) mark the drives you want to scan for stealth virus by pressing <ENTER> on the drive name A, B, C, ... A drive selected for scanning is tagged with plus sign "+" on the left of the drive name letter. If you press <ENTER> on a marked drive letter name, the drive is unselected. 3) After selecting drives for scanning, press the right <arrow> key to move to MODE in the main menu and select STEALTH SEARCH from the MODE submenu. Finally press <ENTER> to start scanning of the selected drives for stealth viruses. You may stop scanning any drive at any time as described under SCANNING THE DRIVES. While scanning for stealth viruses, ADINF checks the MASTER-BOOT sector, BOOT sectors of logical drives and then compares the sizes and CRC of files given by DOS with the actual values which it determines by directly reading the sectors, accessing them via BIOS. As soon as it detects any discrepancy in these values, ADINF stops scanning the drives in order not to spread infection to other clean directories and displays the message: ┌──────────────────────────── Attention! ────────────────────────────╖ │ ║██ │ For file ║██ │ C:\AAAA.COM ║██ │ size reported by DOS differs from its real length! ║██ │ ║██ │ DOS reports: 5883, real: 9889 bytes, difference: 4016. ║██ │ ║██ │ There may be an active STEALTH-VIRUS in the memory! ║██ │ ║██ │ CONTINUE STOP VIEWER REBOOT ║██ │ ║██ │ Further scanning may inject infection into clean files being ║██ │ checked by ADINF! Recommend you to stop scanning, insert into ║██ │ drive A a write-protected system diskette, & choosing REBOOT, ║██ │ reboot your computer with a clean operating system. Disinfect ║██ │ the infected files, prior to starting the computer from your ║██ │ hard disk! ║██ │ ║██ ╘════════════════════════════════════════════════════════════════════╝██ ██████████████████████████████████████████████████████████████████████ Choosing VIEWER from this panel, you can view the suspect file. ADINF's built-in viewer will print the file contents on the screen by reading it directly through BIOS. Choosing REBOOT from this panel, you can clean your computer memory for stealth and other viruses. For this, insert in drive A (or the drive appropriate to your system) a write-protected bootable diskette containing a clean operating system and an antivirus utility capable of killing stealth virus, say, V-Hunter. And choose REBOOT from this panel to reboot your machine and then run the antivirus program on the diskette. If the virus residing in your machine is already known, V-Hunter will kill it. If not, the virus is definitely a hitherto unknown stealth infector and you should call for help from some Antivirus Service available nearest to you or restore your information from a backup copy. ADinf automatically checks for Stealth viruses in newly created files, because certain Stealth viruses infect files only when they are created, for example, while copying from a diskette or exploding from a compressed file. By default, this mode is ON. Since this checks consumes a certain amount of time, you may switch it OFF, choosing the menu route: OPTIONS->SETUP PARAMETERS->INFO UNDER CHECK->SS NEW FILES. (5) CUSTOMIZING THE ADinf OPERATION Using the OPTIONS title from the main menu, you can customize certain ADinf parameters to suit your convenience and preferences. The menu tree structure of the OPTIONS title is schematically represented below: OPTIONS │ ├─ TABLES ├─ PROGRAM MODES ──┐ └─ SETUP PARAMETERS ─┐├─ SOUND │├─ FAST SCAN │└─ INFO MODE │ ├── EXTENSIONS LIST ────┐ ├── INFO UNDER CHECK ───┐├─ EXTENSIONS ├── TABLES FILE NAME │└─ CRC TYPES ├── PERS. TABLES PATH │ ├── DRIVE ACCESS TYPE ├── EXTENSIONS ├── TREEINFO.NCD FILE ├── STABLE FILES ├── PATH TO VIEWERS ├── BOOT-SECTORS ├── FILE LIST SORTING ──┐├── BAD CLUSTERS ├── SHERIFF SERIAL NO │├── DIRECTORIES └── CURE FILE SUPPORT ─┐│├── SKIP TREES ││├── HDP TABLES ││└── SS NEW FILES ││ │├─── BY EXTENSION │├─── BY DIRECTORY │└─── KEEP UNSORTED │ ├──── ADINFEXT NAME ├──── FOR COMMON TABLES └──── FOR PERSONAL TABLES The second level menu of OPTIONS title contains three items: TABLES, PROGRAM MODES and SETUP PARAMETERS. --- TABLES has two commands: COMMON to construct tables for a machine as a whole regardless of the number of users operating the computer, and PERSONAL - only for you. These two choices are toggled with <Enter>. Ordinarily, ADinf creates diskinfo tables in the root directory of the drive being checked. In "PERSONAL" mode these tables are created in the directory containing ADinf. You can copy ADinf in your directory or on a separate floppy and thus conduct a personal check to detect the changes that occurred in your absence. This check from a floppy should be used with great caution. If you run ADinf from a floppy containing the diskinfo tables of some other computer, the consequences would be disastrous especially if you restore the MASTER BOOT or BOOT sector of your system. You can also specify a directory for saving the personal diskinfo tables. For this choose PERS. TABLES PATH from the PROGRAM MODES item in the OPTIONS title of the main menu and type the full pathname in the on-screen panel displayed and press <Enter>. --- The PROGRAM MODES menu contains three toggling commands: SOUND, FAST SCAN and INFO MODE. SOUND beeps are toggled ON and OFF with <Enter>. FAST SCAN is toggled ON and OFF with <Enter>. When FAST SCAN is set to ON, file CRCs are not calculated and diskinfo tables and TREEINFO.NCD files are not updated. INFO MODE, when set to ON, will not update diskinfo tables and TREEINFO.NCD files every time ADinf is run, even if the diskinfo of your system has changed since the last check. --- The SETUP PARAMETERS menu contains ten items for customizing certain ADinf operation paramters to suit your preference and convenience. On choosing EXTENSIONS LIST from the SETUP PARAMETERS menu, and pressing <Enter>, a local menu containing two options, EXTENSIONS and CRC TYPE drops down. On choosing EXTENSIONS and pressing <Enter>, you get two panels, viz., a FILE EXTENSION LIST containing the extensions of files under control, their viewers and editors and a SELECT EXTENSION panel showing editing keys. ┌ Files:┬── Viewer ───┬─ Editor ─┐ │ .COM │ wpview.exe │ nu.exe │██ │▒▒.EXE▒│▒wpview.exe▒▒│▒nu.exe▒▒▒│<─┐ │ .SYS │ wpview.exe │ edit.com │██│ │ .BAT │ wpview.exe │ edit.com │██│ │ .LIB │ wpview.exe │ edit.com │██│ │ .OVL │ wpview.exe │ nu.exe │██│ │ .OVY │ wpview.exe │ nu.exe │██│ ┌──── Select extension ──────╖ │ .DRV │ wpview.exe │ nu.exe │██│ │ ║██ │ .BAK │ wpview.exe │ nu.exe │██│ │ Use keys: ║██ │ .ZIP │ arcview.exe │ │██│ │ ║██ │ .ARJ │ arcview.exe │ │██└──┤ <Enter> - Edit; ║██ │ .PAK │ arcview.exe │ │██ │ <Up>,<Dn> - Select; ║██ └───────┴─────────────┴──────────┘██ │ Gray <+> - Add; ║██ ██████████████████████████████████ │ Gray <-> - Delete; ║██ │ <Esc> - Quit. ║██ │ ║██ ╘════════════════════════════╝██ ██████████████████████████████ You may edit the file extension list for adding the extensions of files to be taken under control by Advanced Diskinfoscope or for deleting the extensions of files you no longer need to control. ADDING AND DELETING FILE EXTENSIONS To delete a file extension, select the extension you want to delete with <Up> or <Dn> key, and then press gray <->. Press <Esc> to quit the panel. To add a file extension, press gray <+>. At once the selection bar jumps to an empty row created at the table bottom. Type the file extension. After you are done, press <Esc> to finish or <Enter> to edit the viewer and editor columns. EDITING THE VIEWER AND EDITOR COLUMNS By editing the VIEWER and EDITOR fields, you may associate with each file extension a separate viewer and editor capable of displaying and reading a file with a particular extension. After adding or deleting file extensions, while you are still in the extension panel, press <Enter> to invoke EDIT MODE: immediately the SELECT EXTENSION panel changes to EDIT MODE panel. ┌ Files:┬── Viewer ───┬─ Editor ─┐ │ .COM │ wpview.exe │ nu.exe │██ │▒▒.EXE▒│▒wpview.exe▒▒│▒nu.exe▒▒▒│<─┐ │ .SYS │ wpview.exe │ edit.com │██│ │ .BAT │ wpview.exe │ edit.com │██│ │ .LIB │ wpview.exe │ edit.com │██│ │ .OVL │ wpview.exe │ nu.exe │██│ │ .OVY │ wpview.exe │ nu.exe │██│ ┌────── Edit mode ────────┐ │ .DRV │ wpview.exe │ nu.exe │██│ │ │██ │ .BAK │ wpview.exe │ nu.exe │██│ │ Use keys: │██ │ .ZIP │ arcview.exe │ │██│ │ │██ │ .ARJ │ arcview.exe │ │██└────┤ <Enter> - Done; │██ │ .PAK │ arcview.exe │ │██ │ <ESC> - Cancel; │██ └───────┴─────────────┴──────────┘██ │ <Ins> - Ins/Ovt; │██ ██████████████████████████████████ │ <Tab> - field. │██ │ │██ └─────────────────────────┘██ ███████████████████████████ To edit an item in the viewer or editor column of the file extension list, press <Tab> to jump to an appropriate column. After you have finished editing the viewer and editor columns, press <Enter> to save the edits. You may edit the text in INSERT or OVERTYPE mode, by toggling your preference with the <Ins> key. After you are DONE with editing, press <Enter> to finish. Press <Esc> to cancel the edit command. SELECTING THE CRC TYPE First arrow to EXTENSIONS LIST from the SETUP PARAMETERS menu and press <Enter> to drop down the local menu containing two items: EXTENSIONS and CRC TYPE. On choosing CRC TYPE and pressing <Enter>, the screen displays two panels as follows: ┌ Files:┬CRC type┐ │ .COM │ Fast │██ │ .EXE │▒Fast▒▒▒│<──┐ ┌─────────── CRC types selection ───────────╖ │ .SYS │ Full │██ │ │ ║██ │ .BAT │ Full │██ │ │ FAST CRCs provide virus protection and ║██ │ .LIB │ No CRC │██ │ │ high scan speed. For full disk checks ║██ │ .OVL │ No CRC │██ │ │ select FULL CRC. But scan rate will be ║██ │ .OVY │ No CRC │██ │ │ slower. Use NO CRC for fast disk checks.║██ │ .DRV │ No CRC │██ └───┤ for fast disk scanning ║██ └───────┴────────┘██ │ ║██ ██████████████████ │ Use keys: ║██ │ ║██ │ <Up>,<Dn>, ║██ │ <Home>,<End> - select files, ║██ │ <Space> - select CRC type. ║██ │ ║██ ╘════════════ <Esc>,<Enter> - end selection ╝██ █████████████████████████████████████████████ You can specify for each file extension the type of CRC to be calculated while scanning. The CRC TYPES available are FAST, FULL and NO CRC and their functions are as follows: CRC TYPE │ Function ═════════════════╪══════════════════════════════════════════ NO CRC │ CRC for the file is not calculated. ─────────────────┼────────────────────────────────────────── FAST CRC │ provides safe virus protection at │ sufficiently fast scanning rate for COM │ and EXE files only. ────────────────┼────────────────────────────────────────── FULL CRC │ guarantees the best control over data │ security but at a slower scanning rate. ═════════════════╧══════════════════════════════════════════ To specify the type of CRC for a file extension, choose CRC TYPE from the FILES LIST submenu and press <Enter>. Move the selection bar to the desired file extension with <Up> or <Dn> key and repeatedly press <Space> to set the CRC type you want. Finally, press <Enter> or <Esc> to finish. The INFO UNDER CHECK menu contains seven items for setting the parameters so that ADinf may check the drives the way you want it to do. Advanced Diskinfoscope can check all the files on your disks or only those files whose extensions you specify in the file extension list. If you want to keep a strict control over your disks, choose ALL FILES from the EXTENSIONS submenu in INFO UNDER CHECK submenu. But if you want to save time, you may limit the extensions of files to be checked. The previous section describes how to edit the file extension list. The list of files to be scanned can be specified separately for the COMMON and PERSONAL commands in the OPTION menu. For COMMON tables the default setting is BY LIST to scan COM, EXE, SYS, BAT, BIN, LIB, OVL, OVY, DRV, PIF and PGM files only. This list is quite adequate to safeguard against virus infection. For PERSONAL tables the default setting is ALL FILES and list includes COM, EXE, SYS, BAT, BIN, LIB, OVL, OVY, DRV, BAK, ZIP, ARJ, PAK, PIF and PGM files. You may however edit the default list of file extensions and thus define any group of files to put under the stringent control of Advanced Diskinfoscope. Using the STABLE FILES panel, you can specify a list of files which should always remain intact. ADinf checks these files by their full CRC and will report any slightest modifications it detects as suspicious. To edit a file in this list, move the selection bar to its filename and press <Enter>. A cursor appears. Now you can edit the filename as with any text editor. Once you are done with editing, press <Enter>. Use <Del> or <Bksp> to delete a filename from the list. Using the BOOT-SECTORS panel, you can tell ADinf to check or not to check the boot-sector of a drive. For this, move to the drive name letter and repeatedly pressing <Enter>, toggle CHECK or DON'T CHECK whichever is appropriate. You may have to switch off BOOT-SECTORS, particularly, when a drive is compacted with STACKER because it modifies the boot sector of the drive it compresses. Using the BAD CLUSTERS panel, you can tell ADinf to check or not to check for bad clusters newly created in a drive. You handle this panel in the same way as described in the previous paragraph. Using the DIRECTORIES panel, you can tell ADinf to check or not to check for changes (newly created and deleted directories) in the directory tree structure of a drive. SKIP TREES. You can tell ADinf to skip its checks for those directories that are frequently accessed or the directories containing frequently edited files. For this, after ADinf has created its tables for the drives in your machine, (ADinf automatically creates these tables when you run ADinf for the first time, or choosing CREATE TABLES from the MODE title of the main menu, you can create them afresh any time you like), 1) select OPTIONS from the main menu, 2) choose SETUP PARAMETERS from the OPTIONS submenu, 3) choose INFO UNDER CHECK, 4) choose SKIP TREES from the INFO UNDER CHECK submenu, 5) arrow to the desired drive name letter in the list column at the left-edge of the panel, 6) press TAB or ENTER to open an on-screen panel displaying the tree structure of the selected drive, 7) arrow to the desired directory or subdirectory which you want to exclude from the ADinf checks and press Enter (you may also use your mouse). The selected directory is then displayed in a contrasting color, while all other directories in black. In a checking session, Advanced DiskinfoScope also scans those directories and subdirectories that you have marked for exclusion from checks, only it does not produce a status report for these directories and subdirectories, unless it expertizes them as suspicious (see SUSPICIOUS CHANGES below). Using the HDP TABLES panel, you can tell ADinf to check or not to check the Hard Disk Parameters (HDP) tables in the memory in BIOS area. Press <Enter> to toggle between TABLES ARE UNDER CHECK and TABLES NOT UNDER CHECK. A check mark near the item indicates that it is currently active. By default, ADinf does not check the Hard Disk Parameter tables. Using the SS NEW FILES panel, you can switch the automatic search for Stealth viruses in new files ON and OFF. For full information, see the Section SEARCHING FOR STEALTH VIRUSES. TABLE FILE NAME. By default, Advanced DiskinfoScope saves its diskinfo table for each hard disk separately in a file in the same drive and names it ADinf═x═▓▓▓ (where x is the drive name letter). The viruses specifically designed to dodge detection by ADinf may alter the contents of the ADinf diskinfo tables. To fool such viruses, you may rename the ADinf diskinfo table file as follows: 1. select OPTIONS from the main menu, 2. choose SETUP PARAMETERS from the OPTIONS submenu, 3. choose TABLE FILE NAME. In the on-screen box displaying ADinf═x═▓▓▓, type a new name and press Enter. If you make a typing mistake or want to change the file name, back up all the way to first character and retype a new name. On choosing PERS. TABLES PATH from the SETUP PARAMETERS menu, you get a pane for specifying the full path of the directory where you want ADinf to save the diskinfo tables. If no path is specified, the personal tables are saved in the directory where ADinf.exe is installed. DRIVE ACCESS TYPE. Using the DRIVE ACCESS TYPE command from the SETUP PARAMETERS submenu from the OPTIONS menu, you can tell ADinf how should it access a disk for checking infection -- through BIOS, or INT 13h or INT 25h/26h. ADinf scans the disks partitioned by DOS FDISK utility, directly accessing them through BIOS. If necessary, you may tell ADinf to access drives through INT 13h or INT 25h/26h. For this, 1. select OPTIONS from the main menu, 2. choose SETUP PARAMETERS from the OPTIONS submenu, 3. choose DRIVE ACCESS TYPE. A panel will pop up on the screen displaying drive names and their access paths (BIOS by default). To change the access path of a drive: 1. arrow to the drive name letter, 2. specify your choice by repeatedly pressing the <Space> or <Enter> or clicking the left button of your mouse to toggle from BIOS to INT 13h and then to INT 25h/26h, 3. press <Esc> or click the mouse right button to finish. TREEINFO.NCD FILE. When this mode is selected, ADinf will automatically update the drive TREEINFO.NCD file created by Norton Commander and Norton Change Directory utility and there is no need to tell Norton Commander to scan your drives to update these files as ADinf compiles the full tree structure of your drives and can write them in the TREEINFO.NCD files. By default this mode is unselected. On choosing PATH TO VIEWERS from the SETUP PARAMETERS menu, you get a pane for specifying the full path of the directories where ADinf may search for external viewers and editors. You may specify several paths, separating them with an intervening semicolon [;]. Using the FILE LIST SORTING command, you can tell ADinf to display the new, changed, deleted, moved and renamed files in its report after sorting them either by the filename extensions or by directories. SHERIFF SERIAL NO. Choosing this command from the submenu of OPTIONS title in the main menu, you may type the first five digits of the serial number of the Sheriff protection firmware, if it is installed in your computer (refer to USING ADinf JOINTLY WITH SHERIFF). Using the CURE FILE SUPPORT item, you can activate or disable the ADinf Cure Module - the separate program ADinfExt.exe - for curing either by the personal or by common diskinfo tables. For this, select CURE FILE SUPPORT from the INFO UNDER CHECK menu and press <Enter>. You get a pane displaying three items: ADINFEXT NAME, FOR COMMON TABLES and FOR PERSONAL TABLES. Arrow to your option and press <Enter> to pull down a pane for setting SUPPORT or DON'T SUPPORT. For each drive set your option with <Enter> to clean or not to clean the files controlled by the common or personal diskinfo tables. In the course of installation of the ADinfCure Module, its setup program prompts you to rename the ADinfext.exe file in order to dodge the viruses that damage executable files whose names begin with the letters ADIN. ADinf automatically recognizes the renamed ADinfext program. Using the ADINFEXT NAME option, you can change the name of this file. At every start-up ADinf runs in interactive mode, executing the parameters set in the previous session. If the -i, -f, - s or -p options are specified in the command line, ADinf additionally implements them. USEFUL TIPS IT IS ALWAYS SAFE: (1) to run some anti-virus utility, say the very popular and effective V-Hunter (or SCAN), to check your system for infection of known viruses prior to installing ADinf in your computer, (2) to run ADinf a few times a day, especially if you swap floppies quite often, (3) to prevent accidental damage, loss and virus infection, make a copy of the original ADinf and never run the program from the original diskette. IMPORTANT!!! Whenever ADinf displays a warning or an error message, REFER TO WARNING AND ERROR MESSAGES IN ADinf USER'S GUIDE FOR HELP AND REMEDY. ADinf reads a disk directly addressing to BIOS. These addressings cannot be intercepted by computer infectors nor by any other memory resident program. Therefore disk read-write cache utiliies may create certain problems. ADinf is friendly to disk-read caches but conflicts with a write cache utility as they both compete to concurrently address to BIOS and this is illegal. Such conflicts can be avoided in two ways: 1) first disable the write-cache program prior to starting ADinf and after ADinf completes its checks, you may switch on the cache back again. For instance, to hide your drives C and D from write-caching by SmartDrv.exe, use the command: SmartDrv C D and to switch it back again use the command: SmartDrv C+ D+. 2) The other way of avoiding this conflict is to tell ADinf to access all your drives, except drive C, via Int 13. For this, choose OPTIONS from the main menu, then choose SETUP PARAMETERS from the submenu and finally choose DRIVE ACCESS TYPE from the local menu. Arrow to the drive name letters in your machine one after another and repeatedly pressing the <Space> key, set "Int 13" as the drive access path for all drives. For the drive C, leave the default setting as it is. After this ADinf will not conflict with your write-cache utility, but virus detection becomes somewhat less reliable. NOTE: Beginning from version 9.00 onwards, ADinf is fully compatible with HyperDisk write-cache version 4.50 or later. No problems arise with this cache utility. HOLDING VIRUSES IN LEASH (1) Never leave the changes reported by Advanced Diskinfoscope unattended. If you do not know the cause for such changes, take immediate action to remedy the situation. (2) If you are not able to understand the ADinf messages, call an expert service personnel to get help. These two simple measures, if taken in time, will help to keep your computer away from infectors which otherwise may infiltrate your system unnoticed. SPEEDKEYS You may use the following keyboard shortcuts to speed up your work in an ADinf session: ╔════════════════╤════════════════════════════════════════╗ ║ ESC │ to abort ADinf scanning mission, ║ ║ Alt+D │ temporary exit to DOS, ║ ║ Alt+V │ to call any DOS command, ║ ║ Alt+S │ to toggle sound ON or OFF ║ ║ Alt+P │ to edit internal paths for viewers, ║ ║ F1 │ to get on-line help on key usage, ║ ║ F10 │ to end an ADinf session. ║ ╚════════════════╧════════════════════════════════════════╝ ADinf STRATEGY HOW DOES ADinf INSPECT A DISK When ADinf is started for the first time, it first reads vital information about such parameters of your system as the memory size, the address of INT 13 handler in BIOS, Hard Disk Parameter Tables, the MASTER-BOOT and BOOT sectors, a list of bad clusters, directory tree, information on all files under control, then creates a DISKINFO TABLE for every drive scanned and saves in it the retrieved information for collation in subsequent checks. ADinf also checks whether INT 13h was pointing to BIOS or not before DOS was loaded. In all these check-ups ADinf, as already noted, scans your disk, sector by sector, directly addressing BIOS without the use of INT 21h and 13h in order to detect memory-resident viruses that have intercepted these vital interrupts. At every subsequent start, ADinf first reads the parameters listed above and compares them with those saved in the diskinfo tables. In the course of inspection it makes a note of any slightest modification in the size of the memory allotted to DOS, Hard Disk Parameter Tables, MASTER BOOT, sector, BOOT sectors of every logical drive, as well as a list of new bad clusters, directories and files newly created or deleted since the last check as well as changed files. And after checking up every drive under its control, if ADinf expertises a change in diskinfo as "suspicious", it immediately issues an on-screen WARNING to alert you for possible virus infection. If the changes are "harmless", (say, changes in file creation date and time) it produces a SCAN REPORT. You can view the report in interactive mode or save in a log file. ADinf regards a change "suspicious", if a file is modified: a) without any change in date and time (most of well designed viruses do not change date and time); b) with an invalid date setting (greater than 31, 12, and the current number for day , month and year, respectively). Some viruses label infected files by setting such strange dates. c) with an invalid time setting (greater than 59, 59 and 23 for second, minute and hour, respectively). d) For a file included in the STABLE FILES list, a change, however slight it may be, is reported as suspicious. Good clusters may be marked BAD by certain viruses for hiding themselves in them. ADinf also alerts about such situations. IF THINGS GO WRONG, ANYWAY... RESPONDING TO ADINF SCAN REPORT MESSAGES Regardless of the operation mode - batch mode or interactive mode, Advanced Diskinfoscope, after checking a drive, always prints a SCAN REPORT on the screen, whether or not the disk information has been changed since the last check. If there are no changes disk information and the -a switch is not included in the command line, you get panel as shown below ┌──────────────────────── Drive C: Scan Report ──────────────────────╖ │ ║██ │ Current time is 23h 45m 13s 31 December 1991 ║██ │ Tables were created at 23h 11m 6s 31 December 1991 ║██ │ ║██ │ 133 directories and 1276 files scanned ║██ │ ║██ │ No changes found. ║██ ╘═════════════════════════════════════════════════ Press any key ...═╝██ ██████████████████████████████████████████████████████████████████████ After waiting for two minutes (counted down in the highlighted bar), unless you press a key earlier, ADinf will automatically proceed to scan the next drive (if any) or return to the main menu. When ADinf detects changes in any one of the vital parameters of your system, it highlights the changes of disk information in the scan report: ┌──────────────────────── Drive C: Scan Report ──────────────────────╖ │ ║██ │ Current time is 0h 2m 12s 1 January 1992 ║██ │ Tables were created at 23h 46m 22s 31 December 1991 ║██ │ ║██ │ 133 directories and 1278 files scanned ║██ │ ║██ ├────────────────────── Changes in Diskinfo ─────────────────────────╢██ │ ║██ │ ▒▒▒F1▒▒▒▒▒▒▒Master▒boot▒sector▒:▒Okay.▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ║██ │ F2 Boot Record : Okay. ║██ │ F3 New Bad Cluster : None ║██ │ F4 New Directories : 1 ║██ │ F5 Deleted Directories : 1 ║██ │ F6 Changed Files : None ║██ │ F7 New Files : 9 ║██ │ F8 Deleted Files : 7 ║██ │ F9 Moved Files : None ║██ │ R Renamed Files : 2 ║██ │ ║██ ╘════════════════════════ Use: <Up>,<Dn>,<PgUp>,<PgDn>,<Enter>,<Esc> ╝██ ██████████████████████████████████████████████████████████████████████ The report is quite self-explanatory and therefore we only describe briefly how to handle it. Press the key in the first column near a changed item to get detailed information about the changes . These keys, however, are inoperative, if ADinf types "OKAY" or "NONE" against an item in the scan report. The <Up>, <Dn>, <PgUp>, <PgDn> keys move the selection bar over the item list, <Enter> opens the selected item and <Esc> quits the table. If ADinf expertizes that a change in any one of the items in the report is "suspicious", it superimposes on the scan report a warning panel ┌────────────── ATTENTION!!! ─────────────╖ │ CHANGES IN YOUR COMPUTER SHOW ║██ │ SIGNS OF VIRUS ACTIVITY ║██ ╘═════════════════════════════════════════╝██ ███████████████████████████████████████████ When you come across this warning message and, if ADinf Cure Module (ADinfExt.exe) is installed in your machine, on pressing <ESC>, you get the panel shown below: ┌──────────── Do you wish to update diskinfo table ? ───────────╖ │ ║██ │ UPDATE DON'T UPDATE CURE SAVE LOG IN FILE ║██ ╘═══════════════════════════════════════════════════════════════╝██ █████████████████████████████████████████████████████████████████ If you select CURE ADinf will continue its checks on other drives and after all work it will ask you to put in the drive A bootable floppy disk with ADinf Cure Module and after it ADinf will reboot your system. If ADinf Cure Module is not available on your machine, then on seeing this warning message, immediately abort the ADinf program and run some antivirus utility, say V-Hunter or SCAN or any other program available in your system. For this purpose, first press <Alt+V> to invoke the DOS prompt (see the section SPEEDKEYS) and then type the command line: V-Hunter * or SCAN C: D: E: F:. Anti-virus utilities, despite their ability to detect and clean a large number of viruses, are nevertheless limited in their efficacy: they safeguard your computer only for the viruses they recognize and are helpless, if some new virus has infiltrated into your machine. It is here Advanced Diskinfoscope comes to your rescue. Closely study the "suspicious" changes it highlights in red in its scan report. If you cannot diagnose the cause for these changes, call for a knowledgeable service personnel. Certain viruses, while infecting a file, corrupt its creation time and date. Although, ADinf does not highlight such changes as "suspicious", if you find rather a large number of files with changes or modifications in system files like COMMAND.COM or NC.EXE, you must be on the alert and remedy the situation. CHANGES IN MEMORY SIZE At every start ADinf checks the amount of memory allotted to DOS. It may change due to mechanical faults developed in the memory chips or to installation of memory-resident programs and drivers which occupy higher memory addresses. Many viruses also reside in higher addresses, thereby reducing the amount of memory allotted to DOS. When the memory size is reduced, ADinf alerts you as follows ┌─────────────────── Attention! ────────────────────╖ │ Memory size in your computer changed! ║██ │ ║██ │ Old size: 640k, New size: 639k (Change 1k) ║██ │ ║██ │ May be, boot infector in your computer! ║██ │ ║██ │ SAVE NEW SIZE IN TABLE CONTINUE ║██ ╘═══════════════════════════════════════════════════╝██ █████████████████████████████████████████████████████ If you know for certain why the DOS memory area has been changed, you may choose SAVE NEW SIZE IN TABLE and press <Enter>. ADinf will then resume scanning. The new memory size saved in the table will be used in all subsequent checking sessions. If you do not know the reason for the changes in the memory size, choose CONTINUE and press <Enter>. Be attentive to every modification ADinf reports. Memory size may also increase, say, when you remove some memory-resident driver which snatches memory from DOS. In such cases ADinf displays a milder message: ┌─────────────────── Attention! ────────────────────╖ │ Memory size in your computer changed! ║██ │ ║██ │ Old size: 640k, New size: 639k (Change 1k) ║██ │ ║██ │ SAVE NEW SIZE IN TABLE CONTINUE ║██ ╘═══════════════════════════════════════════════════╝██ █████████████████████████████████████████████████████ If you know for certain why the DOS-resident memory area has been increased, you may choose SAVE NEW SIZE IN TABLE and press <Enter> to resume scanning. CHANGES IN MASTER BOOT SECTOR OR BOOT SECTOR On detecting any change in the master boot sector containing the partition table or change in the boot sectors of your drives, Advanced Diskinfoscope alerts you by the warning message: ┌─────────────────── Attention! ───────────────────┐ │ │██ │ Boot record changed! │██ │ │██ │ May be, virus in your computer! │██ │ │██ │ CONTINUE RESTORE MORE... │██ └──────────────────────────────────────────────────┘██ ████████████████████████████████████████████████████ Choosing MORE..., you can compare the contents of your system tables before and after modifications. If you are unable to decipher these changes, stop work on your computer and call for a qualified service personnel. If you are certain that the changes in your partition table or boot sector are due to virus activity or to program bugs, you can easily restore your the previous sector by choosing RESTORE. On pressing <Enter>, ADinf will ascertain your intention by displaying a query ┌─────── ARE YOU QUITE SURE ? ────────╖ │ YES NO ║██ ╘═════════════════════════════════════╝██ ███████████████████████████████████████ If you answer YES, ADinf will repair your system by copying the images of the original sectors saved in its diskinfo tables. Before proceeding to restore the sector, ADinf will prompt you to type a name for the file to save the infected boot sector for future detailed analysis. If you don't want to save the infected boot sector, simply press <Esc> to clear the query panel. After repairing the partition table or the boot sector, ADinf will recommend you to reboot your system. Please, do reboot the system - otherwise the virus may remain in the memory and reinfect your disk. NEW BAD CLUSTERS New bad clusters may appear on your disk in two different ways. When some disk manager like Norton Disk Doctor is run to test the disk surface, unusable clusters are marked BAD by these diagnostic programs. In such cases the message on new bad clusters in scan report is unimportant and ADinf will not warn about new bad clusters in subsequent sessions. In case you had not tested your disk with such a diagnostic program, new bad clusters, if any, are evidently due to recent virus infection. Continue to check your disk and pay special attention to all changes reported by ADinf. As a rule, a virus hiding in a cluster, which it marks BAD to dodge detection, inevitably corrupts the boot sector, partition table or files as the virus obtains control from them for its malicious activity. CHANGES IN DIRECTORY SYSTEM Advanced Diskinfoscope, as already noted in overview, is not just an anti-virus utility. It is a full-fledged diagnostic center - it detects any change that has occurred in the diskinfo. For example, the sample scan report reproduced above informs one directory has been newly created since the last check. On pressing F4, the directory tree of the drive scanned is displayed, highlighting the name of the newly-created directory (EXAMPLE) in a contrasting color (yellow): ┌─────────────── New directories ───────────────╖ │ \ ██ │░░├─░EXAMPLE░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ■██ │ ├─ EXE ▒██ │ ├─ WINDOWS ▒██ │ ├─ DOC ▒██ │ │ ├─ HELP! ▒██ │ │ ├──INTERRPT ▒██ │ │ │ ├─ A ▒██ │ │ │ ├─ B ▒██ │ │ │ └─ C ▒██ │ │ └─ DOS.DOC ▒██ │ ├──BC ▒██ │ │ ├─ LIB ▒██ │ │ ├─ BIN ▒██ │ │ ├─ INCLUDE ██ ├──┴──┴──┴──────■▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒─╢██ │ Full Name: ║██ │ C:\EXAMPLE ║██ ╘════════════════════ Files:<Enter>; Exit:<ESC> ╝██ █████████████████████████████████████████████████ Move the selection bar with <Up>,<Dn>,<PgUp>,<PgDn> keys over any one of the directories and press <Enter>. A panel displays the files in the directory that are under control. If there are no files under control, you get a NO FILES UNDER CHECK message. Press <Esc> [or <Enter>] to clear the panel. Now on pressing <Esc> to clear the scan report panel, ADinf will respond: ┌──────────── Do you wish to update diskinfo table ? ───────────╖ │ ║██ │ UPDATE DON'T UPDATE SAVE LOG IN FILE ║██ ╘═══════════════════════════════════════════════════════════════╝██ █████████████████████████████████████████████████████████████████ To save the SCAN REPORT in a file, choose SAVE LOG TO FILE and press <Enter>. You are prompted to type a name for the log file. Either accept the name proposed in the panel (report is saved in a log file in the directory where ADinf is installed) or type a name, indicating the path, say, C:\ADINF\ADINF.log\<filename> and press <Enter>. In case you have specified the pathname not properly or if the diskette is write-protected, ADinf will respond ┌──────────────────────── Warning! ──────────────────────╖ │ ║██ │ Cannot create file for writing log file. ║██ │ ║██ │ Press ESC ║██ ╘════════════════════════════════════════════════════════╝██ ██████████████████████████████████████████████████████████ Fix up the mistake and press <Enter>. After saving the report in the log file, ADinf will reprint the above panel on the screen. Choose either UPDATE or DON'T UPDATE and press <Enter> to clear the panel. Likewise, if you open a deleted directory entry highlighted in the scan report, the panel displays a list of files that were in the directory before deletion. CHANGES IN FILE SYSTEM If the ADinf scan report informs any changes in newly created, renamed, moved, deleted and changed files, you can get detailed information about these changes. The sample scan report informs nine new files have been created in drive C since the last check. Press the F7 key and you get a panel listing the names of all newly created files. ┌───────────────── New files ───────────────────╖ │░C:\ADINF\ADINF.LOG░░░░░░░░░░░░░░░░░░░░░░░░░░░░██ │ C:\WORD\ADINFMAN.DOC ■██ │ C:\PCX\PCXGRAB.EXE ▒██ │ C:\PCX\README.TXT ▒██ │ C:\NC\INREAD.TXT ▒██ │ C:\WINWORD\HELP.DOC ▒██ │ C:\WINDOWS\CONTROL.EXE ▒██ │ C:\WINDOWS\CONTROL.HLP ▒██ │ C:\MASTER\MANUAL.LST ▒██ │ ▒██ │ ▒██ │ ▒██ │ ██ ├───────────────■▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒─╢██ │ File information: ║██ │ Date : 1 January 1992 ║██ │ Time : 0h 15m 12s ║██ │ Length: 1962 ║██ ╘═════ View<F3>;Edit<F4>;Delete<Del>;Exit:<Esc> ╝██ █████████████████████████████████████████████████ VIEWING AND EDITING FILES OF CHANGED INFORMATION To view and edit one of these files in the panel, first move the selection bar onto the desired file with <Up> or <Dn> key and then press <Alt+F3> or <Alt+F4> to view or edit it. If a viewer and an editor are associated with the extension of the file under consideration, then the file is at once opened on pressing these keys for viewing and editing. The directories where ADinf searches for external viewers and editors are specified in a list showing their full pathnames separated by a semicolon. You can edit this list, choosing OPTIONS->PATH TO VIEWERS from the main menu or pressing the key combination <Alt+P>. If no viewer or editor is specified in the FILE EXTENSION LIST (see the section REVISING THE FILE EXTENSION LIST), you will be prompted to select a MASTER viewer or an editor, depending on the keys pressed. Type the command line of the viewer or editor and press <Enter>. Or you may press <Esc> to cancel the command. Pressing <F3>, you may also use a simple built-in viewer activated via BIOS. If the viewer associated with a file extension is unsatisfactory, you can use the MASTER VIEWER and MASTER EDITOR toggle keys <Shift+F3> and <Shift+F4>, respectively, to quickly change over to another viewer and editor to experiment whether better display is possible. On pressing these keys, you are prompted to select MASTER VIEWER or MASTER EDITOR program. Type the name of some other viewer or editor and press <Enter>. Thereafter you can view or edit the file with the help of newly appointed viewer or editor. Press <Esc> to cancel the SELECT MASTER VIEWER or MASTER EDITOR panel. To delete a file of changed information, first move the selection to the name of the file and then press <Del>. ADinf will then ascertain your intention by an on-screen query and will delete the file only after you confirm your decision. NOTE. External viewers and editors do not display many of the Stealth- virus because the disk is read through DOS, though ADinf detects them by scanning the disk with the help of BIOS. Use the simple built-in viewer (pressing the F3 key) in such cases. ERROR AND WARNING MESSAGES Advanced Diskinfoscope is an intelligent and user-friendly system. Whenever it suspects a situation as precarious, it alerts you displaying a warning message and whenever it feels your action or response is illegal or unwarranted, it displays an error message. The following is an alphabetical list of error and warning messages that may be displayed on the screen while you are running ADinf on your computer. The cause for each message, followed by a brief description of actions you can take are also given under each item. BEFORE DOS WAS LOADED INT 13H WAS ADDRESSED TO RAM (NOT TO ROM BIOS). This warning may appear when ADinf is started on your machine for the first time. At the first start ADinf determines the value of the INT 13h vector before DOS was loaded and checks whether the vector was addressed to BIOS or not. If not, ADinf displays this warning message and determines the address of INT 13h by another method. CANNOT CREATE FILE FOR WRITING LOG ADinf complains its inability to create a file for writing log, if you do not properly specify the pathname or if the diskette is write-protected. CANNOT START PROGRAM When you called some external viewer or editor, ADinf failed to start the program due to lack of memory space or the directory containing the program is not specified in the PATH= settings. DISK x: ACCESS DENIED. By this message ADinf complains its inability to read the BOOT sector of the drive under check, for example, if the diskette is not inserted into the drive. ERROR WHILE CHECKING DRIVE ADinf was not able to read the sectors in the drive being scanned. Restart ADinf once again and if the error message is repeated, test your hard disk with some diagnostic tool. ERROR WHILE RESTORING This message is displayed when ADinf encounters a writing error while restoring the MASTER-BOOT or the BOOT-sector. Try to restore your system by running ADinf once again. And if the error is repeated, test your hard disk with some diagnostic tool. ERROR WHILE WRITING LOG FILE ADinf complains its inability to create a file for writing log, if you do not properly specify the pathname or if the diskette is write-protected or when there is not enough room for writing the log file. IN ADINF NONCOMMERCIAL VERSION YOU CANNOT WRITE LOG. PLEASE, BUY A FULL-FLEDGED ADINF VERSION. The message is straightforward and needs no explanation. ERROR WHILE WRITING TABLE This message is displayed when the diskette is write-protected or when isn't enough room to write the tables. INSUFFICIENT MEMORY. This message tells you that ADinf failed to execute some operation due to lack of memory space. If you get this message, remove unnecessary memory- resident programs and drivers, reboot your system and start ADinf once again. INVALID KEY ADinf displays this error message, if you have typed an invalid drive in the command line or you have forgotten to type a hyphen or a slash before the command options. Check up your command line and restart the program. INVALID OPTION IN COMMAND LINE ADinf displays this error message, if you type an invalid option in the command line. Check up your command line and restart the program. LENGTH OF ADINF.EXE FILE CHANGED This message is displayed when ADinf is infected. If you get this message, continue scanning and carefully note the changes reported by ADinf and take appropriate measures. MAY BE, ADINF.EXE FILE INFECTED PAY SPECIAL ATTENTION TO CHANGES IN FILES At every start the full-scale Advanced Diskinfoscope version runs special tests to detect self-infection. If you get this message, continue scanning and carefully note the changes reported by ADinf and take appropriate measures. NO DISKINFO TABLE FOR DRIVE X: This message may appear under several circumstances: 1. No diskinfo tables were ever created for the drive; 2. Diskinfo tables were created with a different version of Advanced Diskinfoscope; 3. Diskinfo tables have been corrupted; 4. The TABLES item in OPTIONS menu is not properly set; for example, you might have created them using the COMMON tables option, but you are now testing the machine under the PERSONAL tables option or vice versa. 5. You have changed path to personal tables in PERS. TABLES PATH item in SETUP PARAMETERS. The cause for the error that generated this warning is diagnosed in the message bar at the bottom line of the screen. ADinf will prompt you to create new tables to fix up the problem. SORRY, ILLEGAL ADINF COPY, SIR! NEITHER SHALT THOU STEAL. THE TEN COMMANDMENTS ADinf is copy-protected. If you install an illegal copy on your computer it will refuse to function and display the above message. This message may also appear when you try to copy even a legally purchased program from one computer to another. In such cases, reinstall the program from the original diskette. THERE ARE MORE THAN xxx DIRECTORIES To check a disk at a fast scan rate, ADinf creates diskinfo tables in the memory. The maximum number of tables which ADinf can construct is defined in its source code. You get this message, if your disk contains more directories than the threshold value (rather a rare situation in practice) The designer however will be glad to correct the threshold specifically for you, so please contact him. THERE ARE MORE THAN xxx FILES ON THE DISK. The cause of this message is the same as in the case of the message THERE ARE MORE THAN xxx DIRECTORIES. First, try the BY LIST option in the LIST menu - if it does not work, then from the FILE EXTENSION LIST delete a few extensions of files that do not need strict inspection for viruses. THE NUMBER OF PHYSICAL HARD DRIVES HAS CHANGED: OLD: 0, NEW 0 This message is displayed, whenever you add or remove a physical disk from your computer. In such cases, using the CREATE TABLES from the MODE title of the main menu, create tables for your reconfigured system afresh. If you get this message when no changes have been made to the configuration of your system, there is probably some virus in your computer. HARD DISK PARAMETER TABLE IN BIOS VARIABLES AREA FOR PHYSICAL DRIVE 8OH CHANGED! Adinf complains of such changes whenever you replace the hard drive in your system. In such cases, choose SAVE NEW INFO from the on-screen warning message panel and press <Enter>. ADinf will do the rest for you. If, however, you have not replaced a new hard drive, this message may forewarn a virus attack in your computer. In such cases, choose MORE INFO from the on-screen warning message panel and press <Enter> to obtain detailed information about your Hard Disk Parameter Table. Certain memory resident programs or some BIOSes may modify the HARD DISK PARAMETER TABLE and if you frequently get this message, you may disable the check by choosing the TABLES NOT UNDER CHECK command. Its menu path is as follows: OPTIONS -> SETUP PARAMETERS -> INFO UNDER CHECK -> HDP TABLES -> TABLES NOT UNDER CHECK . By default, this check is disabled. WRONG PATH. PRESS ALT+P TO SPECIFY PATHES. MULTIPLE PATHS ARE ALLOWED; A SEMICOLON (;) MUST SEPARATE PATHS. You get this message when ADinf doesn't find any external viewer or editor. Directories where ADinf searches for external viewers and editors must be specified in a pane showing their full pathnames separated by a semi- colon ';'. You can edit this list, choosing OPTIONS->PATH TO VIEWERS from the main menu or pressing the key combination <Alt+P>. ADVANCED DISKINFOSCOPE QUESTIONS AND ANSWERS (A Guide to Commonly Asked Questions) This file answers in detail several questions that users quite frequently ask about ADinf. All questions pertaining to a subject have been unified and arranged topically. The menu tree structure described below may not fully agree with the menu structure of the ADinf previous versions as I have answered the questions with specific reference to ADinf version 8.00 and higher. ══════════════════════════════════════════════════════════════════════════ Q Can ADinf check a disk compacted with Stacker or Sstor? A ADinf does check a disk compacted with Stacker or Sstor, scanning not thru BIOS but using Int 25h. Normally, ADinf itself gains access to such disks via Int 25h. For a Stacker-compacted DOS logical drive having the same name as the original drive where Stacker compressed file is saved, you must set Int 25h as the drive access path (choosing the DISK ACCESS TYPE command from the SETUP PARAMETERS submenu of OPTIONS menu). Furthermore, you must tell ADinf not to check the boot sector of a stacker-compacted disk (choosing DON'T CHECK from BOOT SECTORS menu of the INFO UNDER CHECK submenu) because Stacker always modifies BOOT sectors of its drive. For scanning a Sstor-compacted disk, you must tell ADinf not to check for new bad clusters (choosing DON'T CHECK from BAD CLUSTERS menu of the INFO UNDER CHECK submenu). ══════════════════════════════════════════════════════════════════════════ Q I, being a programmer, naturally change a large number of files on my disk everyday. How can I tell ADinf to keep quite about these legal modifications in its morning reports? A You can easily mark directories as working directories. For this, choose SKIP TREE from the INFO UNDER CHECK submenu. Then choosing a drive from the on-screen panel, pop up its structure tree, mark the directories and subdirectories where you are likely to change the fi- les everyday. ADinf will not report about unharmful changes in a file under a marked directory. But if it suspects any change (in size or CRC of a file) as fatal, ADinf will alert you. ══════════════════════════════════════════════════════════════════════════ Q I have only one partition spread over my 120 Mb disk. Whenever I start checking, ADinf aborts its mission and reports "more than 2620 files in your disk". How can I fix up this error? A Unfortunately, this is a constraint inherent in the program. To speed up checking, ADinf piles up disk structure information in the computer memory; this obviously puts a limit on the size of diskinfo table. To come round this problem, tell ADinf to confine its checks to COM, EXE, SYS, BAT, OVL, LIB and DRV files by editing the file extension list (choosing EXTENSIONS from the LIST menu). The number of such files in your disk is not likely to more than the built-in threshold for ADinf to abort its checks. ══════════════════════════════════════════════════════════════════════════ Q What is ADinf Cure Module? If this is a curing module, is it better or worse than V-Hunter or NAV? Where can I buy it? A ADinf Cure Module (ADinfExt.exe) is a curing module tailored to enhance the powers of Advanced DiskInfoscope. It differs radically from V-Hunter: it kills existing and as yet unknown viruses with equal efficacy. It maintains a small database containing full information about all files in your disk. When ADinf detects a virus, the curing module can be used to kill it. Database is automatically updated by ADinf when disk information changes in your system. V-Hunter and ADinfExt cannot be compared: each deploys a different strategy to antivirus problem: they ideally supplement each other. First, ADinfExt does not kill all but only about 97% viruses (not bad, isn't it? Particularly, admitting its capabilities to clean your computer from as yet unknown viruses. Second, it is helpless when you are handling someone else's diskettes because it requires the database containing disk information. V-Hunter, on the other hand, applies the traditional defence principle: to every attack it designs a counterattack and can therefore kill only the viruses known to it, but is helpless against new viruses. It is therefore a good idea to have both these programs available in your machine. ADinf Cure Module was tested on a collection of 750 most widespead infectors unknown to the program and successfully removed 97% of them. You can buy ADinf Cure Module from any dealer distributing V-Hunter - are distributed by DialogueScience Inc., Moscow, Russia both are the products from DialogueScience Inc., Moscow, Russia. ══════════════════════════════════════════════════════════════════════════ Q What is fast CRC which ADinf computes? When I modified a few bytes at the end of an EXE file, ADinf ignored them while checking under fast CRC mode. Why? A ADinf conducts its checks in one of three alternative modes: fast CRC (cyclic redundancy checks), full CRC and No CRC. The method by which ADinf computes fast CRC is closely related to the internal structure of an executable file. Therefore fast CRC is best suited for COM and EXE files as it guarantees reliable virus detection without the need for computing the CRC of the whole file. So, all all changes in certain file areas, unless they are generated by a virus, are ignored by ADinf while checking under fast CRC mode. ══════════════════════════════════════════════════════════════════════════ Q Why is ADinf very sluggish in checking a write-cached disk? Why does ADinf hang up on a cached machine or disk? A ADinf efficiently checks a read-cached disk but may face problems on write-cached disk when both ADinf and the cache simultaneously address BIOS, creating conflicts. There are two ways of avoiding such conflicts: first disable the write-cache prior to starting ADinf and toggle it on when checking is complete. For example, SmartDrv.exe is toggled on and off from drives C and D by the com- mands SmartDrv C D, and SmartDrv C+ D+. Alternatively, tell ADinf to check all drives except C via Int 13h, choosing DRIVE ACCESS TYPE from the OPTIONS menu. But such a checking mode is less reliable. Starting from version 9.00, ADinf is fully compatible with HyperDisk write-cache ver. 4.50 or later. No problems arise with this utility any longer. ══════════════════════════════════════════════════════════════════════════ Q Can I put net drives under ADinf control? A Unfortunately, you can't. ADinf checks a drive, reading it sector by sector. Therefore it can check local drives only and must be installed on each LAN workstation separately. ══════════════════════════════════════════════════════════════════════════ Q Can Adinf run under MS Windows and DESQview? A Yes, it can. ADinf works under MS Windows and DESQview and can scan drives directly via BIOS while working under Windows or DESQview. ══════════════════════════════════════════════════════════════════════════ Q What is the purpose of personal tables? A ADinf supports two types of tables, common & personal, for storing disk information. They don't differ in structure. Common tables are saved in the root directory of logical drives and personal table in the directory where adinf.exe is installed. Common tables are helpful in regularly checking a limited number of program files of particular extensions. Whereas personal tables are better suited for in-depth checking. You may even choose all types of files on your disk and specify FULL for CRC type. Such a check is all-inclusive though time consuming. ══════════════════════════════════════════════════════════════════════════ Q I feel my machine is infected but ADinf is keeping silent. Can a virus dodge detection by ADinf? A This is a commonly asked question, and there is only one answer to it. Unfortunately, there is no panacea against PC virus infection, nor can there be ever one. ADinf is the best virus detector today. But you must keep in mind its capabilities and limitations. Let us examine the situtations where ADinf may keep quite. If you have installed ADinf on an already infected machine, it will not notice any virus because it detects viruses through the changes in file information. And in our case there are no changes in file information and so it does not alert you. If the virus is hiding its presence, i.e., you have a stealth virus in the machine; ADinf will certainly detect it, if you run under the STEALTH SEARCH mode (see Stealth Search in the file ADinf.txt). This is a very useful mode and run ADinf from time to time under this mode. Second, ADinf may fail to notice the viruses tailored specifically to infect a file only at the time of its creation. If they are at the same time hiding themselves, you may trap them, running ADinf in STEALTH SEARCH mode. If they are NOT hiding their presence, you can easily detect them with your naked eyes. For example, suppose you are copying a file from drive A to drive C and you notice that the size of the source file does not tally with the size of the target file. You can easily detect such infectors, running ADinf as follows: write a batch (call it say TRAP) which copies several executable files, say, to your RAM drive and then copies them from the RAM drive back to the source drive. Add a PARK command at its last line. Run the spcial TRAP batch file before turning off your computer. When you start the computer next time, ADinf will report about such viruses, if any. For greater reliability, you better include files to be copied in STABLE FILES list (its menu path is OPTIONS-> SETUP PARAMETERS -> INFO UNDER CHECK -> STABLE FILES). Finally, because of its beneficent policy - aggresive stategy and ingenious tactics - ADinf is irritating virus designers. One fine morning it is not excepted that you may find in your machine a new virus specially tailored to dodge detection by ADinf. Today only one virus belonging to DIR group is known that tries to delete the files with a name beginning with "AIDS" and "ADIN" from your disk. What is broiling in the sinistrous minds of these evil-mongers, God alone knows. ══════════════════════════════════════════════════════════════════════════ ACKNOWLEDGMENTS The idea of writing Advanced Diskinfoscope crystallized in a series of discussions and disputes. The program was initially compiled in 1989 as a simple Disk Inspector (Dinf) which today has grown into a powerful diagnostic tool to keep in line with the suggestions and remarks of its numerous users and well-wishers. I express my sincere gratitude to Vitaly Ladygin for donating countless hours in developing the underlying principles of the program and for writing two subroutines of ADinf, to Prof. Nikolai Bezrukov for advice and encouragement, to Aleksandr V. Lapinsky for valuable suggestions on MS Windows support, Yuri V. Kravatsky for designing the pseudographic mouse cursor support library, to Aleksandr S. Samotokhin for extending his helping hand with his unfathonamble knowledge in videoadapters whenever I needed and finally to Dr.Naidu Psv for taking upon himself the tedious task of thoroughly revising and translating the Russian manuscript of the USER'S GUIDE. REFERENCES ADinf is a registered trademark of DialogueScience Inc., Moscow, Russia. MS-DOS and WINDOWS are registered trademarks of Microsoft Corporation, USA. DR-DOS is a registered trademark of Digital Research Corporation, USA. IBM PC XT/AT PS2 and PC DOS are registered trademarks of International Business Machines Corporation. SCAN is a registered trademark of McAfee Associates, USA. NORTON UTILITIES is a registered trademark of Symantec Corporation, USA. V-Hunter is a registered trademark of DialogueScience Inc., Moscow, Russia. SHERIFF is a trademark of DialogueScience Inc., Moscow, Russia. STACKER is a trademark of Stac Electronics, USA. HERCULES is a registered trademark of Hercules Computer Technology Inc., USA. DISTRIBUTOR IN RUSSIA Sergei Antimonov, General Director, DialogueScience, Inc., Ul. Vavilov 40, Room No.103-a, Moscow 117967 GSP-1, Russia. Tel/Fax: (+7-095) 938-2970, 137-0150 BBS: (+7-095) 938-2856 (14400/V.32bis, 19200/ZyXEL) - common access (+7-095) 938-2969 (14400/V.32bis, 19200/ZyXEL) - subscribers only FidoNet: 2:5020/69 , 2:5020/69.4 E-mail : lyu@dials.msk.su - Sales and Support Department bob@dials.msk.su - Modem link service dmost@dials.msk.su - ADinf author