▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
▓▓▓▓▓┌──────────────────────────────────────────────────────────────────╖▓▓▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓╪╪╪╪╪╪╪╪░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ Moscow 1997 ▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓╪╪╪╪╪╪╪╪╪╪░░▓▓▓╪╪╪╪╪╪╪╪░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓▓▓╪╪╪░░░░░╪╪╪░░▓╪╪╪╪╪╪╪╪╪╪╪░░▓▓╪╪╪░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓▓╪╪╪░░▓▓▓╪╪╪░░▓╪╪╪░░░░░░╪╪╪░░▓╪╪╪░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓╪╪╪╪╪╪╪╪╪╪╪░░▓╪╪╪░░▓▓▓▓╪╪╪░░▓▓░░░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╪╪╪╪╪╪░▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓╪╪╪╪╪╪╪╪╪╪╪░░▓╪╪╪░░▓▓▓▓╪╪╪░░▓╪╪╪░▓▓╪╪╪╪╪╪╪░▓▓▓▓▓▓▓╪╪╪╪╪╪░░▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓╪╪╪░░░░░╪╪╪░░▓╪╪╪░░▓▓▓▓╪╪╪░░▓╪╪╪░░▓╪╪╪╪╪╪╪╪╪░▓▓▓▓▓╪╪╪░░░░░▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓╪╪╪░░▓▓▓╪╪╪░░▓╪╪╪░░▓▓▓▓╪╪╪░░▓╪╪╪░░▓╪╪╪░░░░╪╪╪░▓▓▓▓╪╪╪░░▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓╪╪╪░░▓▓▓╪╪╪░░▓╪╪╪╪╪╪╪╪╪╪╪░░▓▓╪╪╪░░▓╪╪╪░░▓▓╪╪╪░░╪╪╪╪╪╪╪╪╪░▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓░░░▓▓▓▓▓░░░▓╪╪╪╪╪╪╪╪╪╪░░▓▓▓╪╪╪░░▓╪╪╪░░▓▓╪╪╪░░▓▓░╪╪╪░░░░▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░░░░░░░░▓▓▓╪╪╪░░▓╪╪╪░░▓▓▓╪╪╪░░▓▓╪╪╪░░▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░▓▓╪╪╪░░▓▓▓▓▓╪╪╪░░╪╪╪░░▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░▓▓▓▓▓▓▓░░░╪╪╪░░▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╪╪╪░░▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓ (c) Dmitry Mostovoy ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╪╪╪░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓║░░▓▓▓▓
▓▓▓▓▓╘══════════════════════════════════════════════════════════════════╝░░▓▓▓▓
▓▓▓▓▓▓▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▓▓▓▓
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
┌───────────────────────────────────────────────────────────╖
│ Advanced Diskinfoscope (ADinf) ║██
│ Anti-virus Center ║██
│ ║██
│ (c) Dr. Dmitry Mostovoy ║██
│ 1991-1997 ║██
│ ║██
│ with Cure Module (ADinfExt) ║██
│ A Curing Companion to Advanced Diskinfoscope ║██
│ ║██
│ (c) Vitaly Ladygin, Denis Zuyev & Dmitry Mostovoy ║██
│ 1993-1997 ║██
│ ║██
│ ║██
│ Moscow, Russia ║██
╘═══════════════════════════════════════════════════════════╝██
█████████████████████████████████████████████████████████████
ADinf version 11.00, released February 14, 1997
ADinf Cure Module version 3.05, released August 30, 1996
ADinf size (80386/8086) 109 000/113 000 bytes
(Noncommercial version - 105 648/109 027 bytes)
----------------------------------------
USER's GUIDE
----------------------------------------
DialogueScience, Inc.
Moscow, Russia
1997
CONTENTS
ACKNOWLEDGEMENTS
1. BEFORE YOU BEGIN
1.1 What is ADVANCED DISKINFOSCOPE ADinf?
1.2 What is ADinf Cure Module?
1.3 Copy protection!
1.4 What do you need to run ADinf
1.5 Swapping
2. GETTING STARTED
2.1 Installing Advanced Diskinfoscope ADinf
2.2 Installing ADinf Cure Module
2.3 Using ADinf jointly with Sheriff
2.4 Running ADinf Cure Module under Sheriff
2.5 Starting ADinf from autoexec.bat file
2.6 Starting ADinf from the DOS prompt
2.7 Command line options
2.8 Batch file ERRORLEVELS
2.9 Interaction of ADinf with scanners of DSAV
2.10 Starting ADinf in interactive mode
2.11 Useful tips
2.12 Speedkeys
3. ADINF MAIN MENU
3.1 Menu titles and their purpose
3.2 Scanning the drives
3.3 Creating diskinfo tables
3.4 Checking floppy diskettes
3.5 Stealth search mode
3.6 Customizing the ADinf operation
4. RUNNING ADINF CURE MODULE
5. IF THINGS GO WRONG, ANYWAY...
5.1 Responding to ADinf messages
5.2 Changes in memory size
5.3 Changes in master boot record or boot sector
5.4 New bad clusters
5.5 Changes in file system
5.6 Incompatibility report
6. ERROR AND WARNING MESSAGES
7. QUESTIONS AND ANSWERS
REFERENCES
ACKNOWLEDGEMENTS
The idea of writing Advanced Diskinfoscope crystallized in a series of
discussions and disputes. It was initially compiled in 1989 as a
simple Disk Inspector (Dinf) which today has grown into a powerful
diagnostic tool with a file restoration facility to keep in line with
the suggestions and remarks of its numerous users and well-wishers. I
express my sincere gratitude to Vitaly Ladygin for donating countless
hours in discussing the underlying of ADinf and for developing the
basic principles of ADinf Cure Module, to Denis Zuyev for writing the
Cure Module, to Prof. Nikolai Bezroukov for advice and encouragement,
to Aleksandr Lapinsky for valuable suggestions on MS Windows support,
to Yuri Kravatsky for designing the pseudographic mouse cursor support
library, to Aleksandr Samotokhin for his help with his expert
knowledge in video adapters whenever I needed, and for a subroutine in
Cure Module.
We would be glad to receive from our users remarks and suggestions for
improving the performance of ADinf - Advanced Diskinfoscope.
1. BEFORE YOU BEGIN
The ADinf program is supplied "AS IS" without any warranty, either
expressed or implied, of workmanship, merchantability, and fitness for
a particular purpose. In no event will DialogueScience, Inc., or its
authorized dealers or the designer of the program be liable to the
purchaser for any consequential problems arising out of the use or the
inability to use the program.
Timely detection of infection guarantees successful curing!
1.1 What is ADVANCED DISKINFOSCOPE ADinf?
Advanced Diskinfoscope ADinf is a unique and powerful disk information
inspector (integrity checker) which scans a disk, reading its sectors
one by one through BIOS without the aid of DOS, to spot formidable
infectors such as stealth viruses that are known, for example, to
intercept more than twenty DOS functions, infectors in disk drivers,
as well as viruses yet unrecognized.
Additionally, it reads a disk directly addressing BIOS to spot and
kill boot infectors even if they have taken control over the interrupt
Int 13h. It is the only anti-virus utility which, if properly used by
booting a system from a hard disk (instead of from a write-protected
bootable diskette as required by other anti-virus programs), alerts
for every virus in a computer - known, unknown or potential ones. Thus
it countermines the aim of virus designers. Its mission does not end
here - besides detecting infectors, ADinf scrupulously x-rays a system
for full data integrity, security, and any other slight data
modifications. This is particularly desirable in a multi-user PC. It
is quite fast in its checks.
ADinf strategy
At the first start, ADinf reads vital data about such parameters as
the memory size, the address of Int 13h handler in BIOS, Hard Disk
Parameter Tables, the master boot record and boot sectors, bad
clusters, directory tree, and data on all files under control; then
creates a diskinfo table for every drive and saves in it the retrieved
information for collation in subsequent checks. It also checks if Int
13h was pointing to BIOS before DOS was loaded. While scanning, ADinf
checks a disk, sector by sector, accessing it directly via BIOS without
the use of Int 21h and Int 13h to trap resident viruses that have
intercepted these vital interrupts.
At subsequent starts, ADinf first reads these parameters and compares
them with those in its diskinfo tables. During scanning it notes any
changes in the size of the memory allotted to DOS, Hard Disk Parameter
Tables, master boot record, boot sectors of every logical drive, as
well as new bad clusters, directories and files newly created or
deleted since the last check, and changed files. After checking a
drive, if a change in diskinfo is "suspicious", it alerts for possible
virus infection. If the changes are "harmless", (say, changes in file
creation date and time) it produces a scan report which can be viewed
in interactive mode or saved in a log file.
ADinf regards a change as "suspicious" if a file is modified:
a) without any change in date and time (most well-designed
viruses do not change them);
b) with an invalid date (greater than 31, 12, and the current
number for day, month and year). Some viruses date files by such
strange settings;
c) with an invalid time (greater than 58, 59 and 23 for second,
minute and hour) and
d) for a file in the STABLE FILES list, any slightest change is
reported suspicious.
It also warns when good clusters are marked BAD by viruses for hiding
themselves in them.
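The rules a) to d) above, applied to a stored baseline record and the current directory entry. The following Python code is an added example, not ADinf's own code: the FileRecord layout, the size-plus-checksum test for "modified" and all sample values are assumptions, while the date and time bit fields follow the standard FAT directory-entry encoding.

```python
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class FileRecord:
    """One file's state. Hypothetical layout, not ADinf's diskinfo table format."""
    name: str
    size: int
    crc: int        # content checksum (assumed; the guide does not name one)
    fat_date: int   # raw 16-bit date word from the FAT directory entry
    fat_time: int   # raw 16-bit time word from the FAT directory entry


def pack_date(year, month, day):
    """FAT date word: bits 15-9 = year-1980, bits 8-5 = month, bits 4-0 = day."""
    return ((year - 1980) << 9) | (month << 5) | day


def pack_time(hour, minute, second):
    """FAT time word: bits 15-11 = hour, bits 10-5 = minute, bits 4-0 = seconds/2."""
    return (hour << 11) | (minute << 5) | (second // 2)


def unpack_date(word):
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def unpack_time(word):
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2


def classify(old, new, stable_files, today):
    """Return (verdict, rules); rules lists the guide's letters a-d that fired."""
    content_changed = (old.size, old.crc) != (new.size, new.crc)
    stamp_changed = (old.fat_date, old.fat_time) != (new.fat_date, new.fat_time)
    if not (content_changed or stamp_changed):
        return "unchanged", []

    rules = []
    if content_changed:
        # a) contents differ but the directory date and time were left alone
        if not stamp_changed:
            rules.append("a")
        # b) day > 31, month > 12 or a year later than the current one
        year, month, day = unpack_date(new.fat_date)
        if day > 31 or month > 12 or year > today.year:
            rules.append("b")
        # c) seconds > 58, minutes > 59 or hours > 23; the 5-bit seconds
        #    field counts 2-second steps, so stored values 30 and 31 qualify
        hour, minute, second = unpack_time(new.fat_time)
        if second > 58 or minute > 59 or hour > 23:
            rules.append("c")
    # d) for a file in the stable files list any change at all is reported
    if new.name.upper() in stable_files:
        rules.append("d")
    return ("suspicious" if rules else "harmless"), rules


# Constructed sample data: "today", a stable-files list and one baseline record.
TODAY = date(1997, 2, 14)
STABLE = {"COMMAND.COM"}
BASE = FileRecord("EDITOR.EXE", 41200, 0x5A3C19E2,
                  pack_date(1995, 3, 10), pack_time(12, 0, 0))


def demo():
    """Run classify() over constructed before/after pairs."""
    patched = replace(BASE, size=42989, crc=0x0BADF00D)
    shell = replace(BASE, name="COMMAND.COM")
    touched = pack_time(12, 30, 0)
    cases = {
        "patched, stamp kept": (BASE, patched),
        "patched, seconds=62": (BASE, replace(patched, fat_time=pack_time(12, 0, 62))),
        "patched, year 2001": (BASE, replace(patched, fat_date=pack_date(2001, 3, 10))),
        "rebuilt, new stamp": (BASE, replace(patched, fat_date=pack_date(1997, 2, 1))),
        "timestamp only": (BASE, replace(BASE, fat_time=touched)),
        "stable file touched": (shell, replace(shell, fat_time=touched)),
    }
    return {label: classify(old, new, STABLE, TODAY)
            for label, (old, new) in cases.items()}


if __name__ == "__main__":
    for label, (verdict, rules) in demo().items():
        print(f"{label:22} {verdict:10} {','.join(rules)}")
```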
1.2 What is ADinf Cure Module?
ADinf Cure Module restores your system after virus attacks, so that
you need not search for an anti-virus utility capable of killing the
viruses in your computer. In other words, it is a universal remover
for viral stains, not knowing their structure, or their strategies.
Therefore it does not need to know anything about the multifarious
viruses already existing and those being created day by day. ADinf
Cure Module simply sweeps viruses off your files and restores them in
toto to their original status. The program was tested on a collection
of 7000 various viruses unknown to the program and successfully
removed 97 % of them.
What ADinf Cure Module cannot do?
You may doubt the 97 % efficiency claimed in the above paragraph,
because every utility has its own field of application and
limitations.
ADinf Cure Module is not a panacea for each and every virus, but it
does kill almost every virus. Nevertheless, a 97 % efficacy is an
impressive performance.
Curing strategy
Despite the multitude of different viruses, paradoxically, there are
only a few techniques by which a virus is imbedded in a file. This is
the underlying principle of the basic strategy of ADinf Cure Module.
In day to day operation, when you run ADinf regularly, it informs
ADinf Cure Module about the changes, if any, in the diskinfo data of
files since the last ADinf session. ADinf Cure Module immediately
scans these files and stores the new diskinfo data in its tables for
restoring them after a virus attack. When a virus attacks your file,
ADinf at once detects the changes and calls for the Cure Module, which
tries its best to reinstate the original shape of an infected file by
comparing its status before and after infection. If ADinf Cure Module
reports that a file has been restored successfully, it really means
what it says.
ADinf Cure Module, or Virus Hunter and Doctor Web?
Which to choose? The only choice is all these three utilities. Each
complements the other two and they work hand in hand together. ADinf
Cure Module may fail to kill some virus - it is then that Virus Hunter
and Doctor Web come to your rescue. Newer and newer virus modifications
are cropping up every day, and some new virus may enter your computer
well before an anti-virus is available. Precisely in such
situations, ADinf Cure Module is your savior. Furthermore, virus codes
may contain bugs which corrupt a file beyond the restoration power of
usual virus scanners. But ADinf Cure Module in such cases reinstates
the original shape of your file in toto.
1.3 Copy protection!
ADinf is copy-protected against unauthorized duplication. At the first
start, it retrieves vital information about your system and will not
function on another computer. Copy-protection does not restrict the
rights of legal owners to install the programs on several machines,
but safeguards against software piracy.
When you start your computer with a write-protected bootable ADinf
Cure Module diskette, the copy-protection system is disabled. Therefore
one curing diskette is sufficient to cure any number of machines.
1.4 What do you need to run ADinf
ADinf runs on IBM PC/XT/AT, PS2 or compatibles with one to four hard
disks and one or two floppy disks under MS DOS 3.20-6.22, PC DOS
3.20-6.30, DR DOS 5.0 and 6.0, Novell DOS 7.0, and Compaq DOS 3.31.
ADinf supports FAT and VFAT file systems. When curing from a
DOS-bootable curing diskette, ADinf Cure Module correctly handles the
long filenames of Windows 95.
ADinf gains access directly to video memory bypassing BIOS and
supports CGA, EGA, VGA and Hercules video-adapters. ADinf scans drives
directly via BIOS under MS Windows, Windows 95, and DESQview
multitasking environment. It is compatible with HyperDisk cache
version 4.50 or higher. It can be run jointly with the Sheriff
security protection system.
ADinf can keep about 32000 files per logical drive under check (a
practically unlimited number). ADinf Cure Module is limited to
processing about 5000 executable files per logical drive.
The incompatibility report in Chapter 4 gives a list of equipment
and programs which conflict with ADinf, and ways to get around this
difficulty.
1.5 Swapping
In machines with large disks, ADinf uses XMS and/or a temporary file
for swapping data. For speedy operation, ADinf needs 300-500 Kb of
XMS. If sufficient XMS is not available, it creates a swap file,
ADINF.SWP. A directory for this swap file is chosen as follows. The
DOS environment variables ADINFSWP, TMP and TEMP are checked in this
particular order, and the temporary file is created in the directory
they specify. If no environment variables are
specified, a swap file is created in the directory where ADinf is
installed or in the directory specified with the -home command option.
2. GETTING STARTED
2.1 Installing Advanced Diskinfoscope ADinf
IMPORTANT! Prior to installing ADinf on your machine, it is a
good idea to make a copy of the original distribution diskette
and use only the copy in your work. In case of damage, you can
always restore the copy from the original diskette.
To install ADinf, insert the copy of distribution diskette into a
floppy drive, log on to ADINF directory, type
install
and press <Enter>. The screen displays a panel:
┌────────────────────── ?! ────────────────────────╖
│ Are you installing ADinf for the first time ║
│ or upgrading its old version ║
│ ║
│ First installation ▄ Upgrading old version ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
The setup program behaves differently, depending on whether you are
installing ADinf for the first time or upgrading an older version.
If this is the first time you are installing ADinf,
choose the FIRST INSTALLATION button. The setup program will prompt
you to specify a directory for installing ADinf.
┌────── Type a directory for installing ADinf ─────╖
│ C:\ADINF ║
╘══════════════════════════════════════════════════╝
Type the full pathname of the directory where you want to install the
program and press <Enter>. By default, the setup program proposes to
install ADinf in a directory named ADINF in drive C:. If there is
sufficient space on drive C:, you may press <Enter>.
In case there is no directory of the pathname specified in the panel,
the setup program will ascertain your intention prior to creating this
directory:
┌────────────── Directory not found: ──────────────╖
│ C:\ADINF ║
│ Create ▄ Cancel ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
Choose the CREATE button to create the directory. If you have changed
your mind or the directory path is wrongly typed, you can fix up the
error by choosing the CANCEL button. Then the Setup returns you to the
previous panel.
After you have chosen a proper directory for installing ADinf, an
on-screen panel invites you to change the name of the ADinf executable
file:
┌──────────────────────────────────────────────────╖
│ Adinf.exe ║
│ Now you should select executable file name. ║
│ ║
│ Renane the default filename ADinf.exe to some ║
│ other name, e.g., Myinf.exe, as some viruses ║
│ try to destroy files of names beginning with ║
│ the letters "ad". ║
│ ║
│ Edit file name and press <Enter>. ║
╘══════════════════════════════════════════════════╝
The default name of the file is ADINF.EXE. Edit the highlighted top
field to any other name for the reasons stated on the panel. After
editing, press <Enter>.
After copying the files from the diskette, Setup prompts you to tack
ADinf to the AUTOEXEC.BAT file:
┌─────────────────────── ? ────────────────────────╖
│ Add ADinf to AUTOEXEC.BAT file ? ║
│ ║
│ Add ▄ Don't add ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
By tacking ADinf to the AUTOEXEC.BAT file, you can automatically check
the computer by ADinf every time the computer is started, but only
once a day (if the -d option is included in the command line).
To tack ADinf to the AUTOEXEC.BAT file, choose the ADD button. Setup
will prompt you to specify the drives that are to be taken under ADinf
control:
┌──────────────────── Help ────────────────────────╖
│ Specify the names of drives you want ║
│ to put under the control of Advanced ║
│ Diskinfoscope program. ║
│ ║
│ For selecting drives, press ║
│ ║
│ ->, <-, Tab - to move the cursor, ║
│ Space, Ins - to select, ║
│ Enter, Esc - to finish selection. ║
│ ║
╘══════════════════════════════════════════════════╝
┌─────────────────╖
│ C: D: E: F: ║
│ ^ ║
╘═════════════════╝
It is always safe to put all drives in your system under the control
of ADinf. Or, at least, the drives containing the frequently-used
programs, including the operating system, must be put under the
control of ADinf.
After you have finished the selection of drives, Setup displays a
panel for tacking ADinf to the AUTOEXEC.BAT file:
┌───────────────── Autoexec.bat file ──────────────────────╖
│PATH C:\WIN;C:\WIN\COMMAND;C:\DOS;C:\NC;C:\UT;C:\BC\BIN ║
│C:\WIN\COMMAND\MSCDEX.EXE /S /D:MSCDOO1 ║
│@ECHO OFF
│PROMPT $p$g ■
│SET TEMP=C:\TMP ░
│mode con codepage prepare=((866) C:\WIN\COMMAND\ega3.cpi) ░
│mode con codepage select=866 ░
│swakeyb ░
│C:\ADINF\Adinf.exe -a -b -d -lC:\ADINF C: D: ░
│nc
╘════════════════════ ■ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ═╝
Arrow to the place on the on-screen panel where you want to tack ADinf
and press <Enter> to finish. It is a good idea to tack ADinf after all
programs, but before the call for a shell, such as the Norton
Commander. The old status of AUTOEXEC.BAT file will be saved in the
file AUTOEXEC.ADI.
Press <Esc> to close the panel without modifying the file.
Thereafter, you are prompted to create ADinf diskinfo tables for
saving the status of your drives. If you do not want to create these
tables at the time of installation, and want to postpone their
creation to some other time, say, after the completion of
installation, you may choose the DON'T CREATE button.
┌────────────────────── ? ─────────────────────────╖
│ Create ADinf tables ║
│ ║
│ Create ▄ Don't create ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
If you opt to create diskinfo tables, Setup prompts to specify a new
name for the ADinf diskinfo tables:
┌──────────────────────────────────────────────────╖
│ Adinf══.░░░ ║
│ ║
│ Rename the default filename ADinf══.░░░ for the ║
│ files containing ADinf diskinfo tables, e.g., to ║
│ MyTbl--.tbl, as some viruses corrupt files of ║
│ names beginning with the letters "ad". ║
│ ║
│ Edit the filename and press <Enter>. ║
╘══════════════════════════════════════════════════╝
By default, these tables are named ADINF══.░░░. Edit the highlighted
top line to any name for the reasons stated on the panel. After
editing, press <Enter>.
Now Setup begins to construct tables containing vital data about the
drives in the system. This process may take some time, particularly if
your disk is large.
After successfully constructing diskinfo tables, Setup displays a logo
panel with musical accompaniment. Press any key to return to the DOS
prompt. This completes the installation procedure.
If you have also procured the companion program ADinf Cure Module, it
is the proper time to install it, although it can be done at any other
time.
If you are upgrading an older ADinf version,
first choose the UPGRADING OLD VERSION button from the panel which the
Setup program displays at the beginning of the installation procedure.
Setup will ask your permission to overwrite the old version, but will
not modify the AUTOEXEC.BAT file, nor will it create diskinfo tables
afresh, since the tables created by earlier versions are compatible
with later versions. You may also upgrade the version in your system
by starting the Setup program with the -update option in the command
line.
Parameters of Setup command line
You can also use some parameters in the Setup command line. These
parameters tell the Setup program where to install ADinf or to upgrade
the old version, and specify some options. In certain cases, this
speeds up installation or updating procedure.
To install ADinf in the directory \UTIL\ADINF in drive D:, type the
command
install d:\util\adinf
and press <Enter>.
In this case, Setup will not prompt you to specify a directory for
installation, and will immediately proceed to copy the files. If the
directory specified does not exist, Setup will ascertain your
intention prior to creating it. Thereafter, installation proceeds as
described above.
To speed up the updating procedure and to suppress unnecessary dialogs,
include the -update or -u option in the command line:
install -update
and press <Enter>.
Immediately, Setup will search for the ADinf program and overwrite it
with the upgraded version and other necessary files. Diskinfo tables
will not be created afresh, since the tables created by earlier
versions are compatible with later versions.
If the Setup does not find the ADinf executable file, it warns as
follows:
┌─────────────────── WARNING! ─────────────────────╖
│ ADinf program not found on any drive! ║
│ ║
│ Press ESC ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
Press <Esc>, and Setup will prompt you to type the full pathname of
the program.
It takes a long time to search for the ADinf executable file,
particularly, on high-volume disks. To speed up the search, you may
include the pathname of the ADinf executable file in the command line
of the Setup program as follows:
install -update d:\util\adinf
This command tells the Setup program to update the obsolete ADinf
version in the \ADINF subdirectory of the \UTIL directory in drive D:.
The following is a list of other options which can be included in the
command line of the Setup program.
 Option        │ Its function
═══════════════╪═════════════════════════════════════════════════════
 -386          │ Depending on the type of the processor in your
               │ computer, Setup automatically installs one of the two
               │ variants of ADinf program: one is designed for the
               │ 386 processors and higher, and the other variant
               │ is designed for the 286 processors or earlier. The
               │ -386 option forces the Setup program to install
               │ 386 ADinf variant.
───────────────┼─────────────────────────────────────────────────────
 -86           │ Install the ADinf variant for 286 processors or
               │ earlier.
───────────────┼─────────────────────────────────────────────────────
 -co           │ Use color scheme for a color monitor. Include this
               │ option, if the video subsystem can operate in color
               │ mode, but Setup uses black and white mode.
───────────────┼─────────────────────────────────────────────────────
 -m            │ Disable mouse in the course of installation.
───────────────┼─────────────────────────────────────────────────────
 -mo           │ Force monochrome display mode. Setup recognizes
               │ whether your monitor is color or monochrome. Use
               │ this option when you want black-and-white display on
               │ a color monitor, particularly on LCD VGA laptops and
               │ notebooks.
───────────────┼─────────────────────────────────────────────────────
 -nam          │ Disable the mouse arrow pointer and use the standard
               │ mouse cursor.
───────────────┼─────────────────────────────────────────────────────
 -nowin        │ Do not copy the ADINF.ICO and ADINF.PIF files needed
               │ for running ADinf under Windows.
───────────────┼─────────────────────────────────────────────────────
 -os           │ Start Setup with its old style interface prior to
               │ ADinf version 9.00. This option disables the ADinf
               │ internal font table from being loaded into EGA/VGA
               │ adapters, so it is useful when Setup conflicts with
               │ any resident programs, say, programs that load
               │ national fonts into the display adapter.
───────────────┴─────────────────────────────────────────────────────
NETWORK installation
ADinf installed on a network drive offers several advantages at
workstations. First install ADinf on the network drive; you can then
use it at any workstation of the network. Such an installation will be
convenient for network administrators and maintenance personnel.
Installation on network drive greatly reduces the time of installation
on separate workstations. You use the original diskette only once to
install ADinf on the network drive, while the program is installed on
other workstations directly from the network drive without the aid of
the original ADinf diskette.
ADinf can be installed on a network drive in two different ways. In
the first method, you simply copy the entire ADINF directory, along
with all files in it, to the network drive. Then to install the
program on any workstation, you simply run Setup from the workstation.
Installation proceeds exactly as described above, except for one
difference: Setup copies the ADinf files from the network drive. In
this method, not only diskinfo tables and configuration file are
created, but also the ADinf executable file is copied to the local
drive. Since the files needed in installation are copied from the
network drive rather than from the original diskette, ADinf is
installed on local drives quickly.
In the second method, ADinf is installed on the network drive, and
users must run ADinf on the network drive from their workstations.
This method is advantageous in that there is no need to upgrade the
program at every workstation; it suffices to upgrade the program only
in the network drive. However, the diskinfo tables and configuration
tables are created at each workstation separately; they are not
created in the network drive.
To install ADinf on a network drive, include the full pathname of the
network directory where you want to install the program in the command
line of the Setup program. In this case, ADINF.EXE, ADINF.PIF (to run
ADinf under Windows), all documentation files, as well as the
INSTALL.EXE file will be copied to the ADinf directory on the network
drive.
Now to install ADinf on any local drive, run INSTALL.EXE on the server
directly from the workstation. The Setup program runs as usual, except
for the difference that the ADinf files are not copied to the local
drive. First Setup prompts you to tack ADinf to your AUTOEXEC.BAT
file. If ADinf is tacked to your AUTOEXEC.BAT file, the local drive
will be checked every time the workstation is booted.
Then you are prompted to specify the drives in the local disk that are
to be taken under ADinf control. After specifying the drives to be
controlled by ADinf, you can choose the line where ADinf is to be
tacked to the AUTOEXEC.BAT file:
┌───────────────── Autoexec.bat file ──────────────────────╖
│@ECHO OFF ║
│PROMPT $p$g ║
│SET PATH=C:\WIN;C:\DOS;E:\NC;D:\UT;D:\ARC ░
│SET TEMP=C:\TMP ■
│MOUSE.COM /Y ░
│mode con codepage prepare=((866) C:\WIN\COMMAND\ega3.cpi) ░
│mode con codepage select=866 ░
│lsl.com ░
│ne2000.com ░
│ipxodi.com ░
│netx /c=c:\net\net.cfg ░
│f: ░
│echo * ░
│login ░
│echo * ░
│U:\ADINF\ADINF.EXE -a -b -d -l
╘════════════════════ ■ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ═╝
ATTENTION! ADinf will be run directly from the network drive;
therefore, the call to ADinf must be placed after the calls to the
network programs and the login program. In the above example, the call
to ADinf comes after the calls to the network drivers LSL.COM,
NE2000.COM and IPXODI.COM, the network shell NETX.COM, and login by
the command LOGIN.
Finally, Setup prompts you to create diskinfo tables. You can either
create them at the time of installation or postpone this to a later
date. Upon successful completion of installation, Setup will inform you
about the specifics of network installation of ADinf Cure Module - the
curing companion of ADinf (refer to the item INSTALLING ADINF CURE
MODULE).
Press any key to return to the DOS prompt.
The ADinf executable file is installed only on the network drive;
therefore, it can be run only from the network drive. The local drive
will contain only ADinf diskinfo tables and ADinf configuration files.
When ADinf on the network drive is started, by default, it will search
for its configuration file and personal diskinfo tables in C:\ADINF on
the local drive. The ADinf configuration file is usually created during
installation, and it can be updated at any time at the discretion of
the user while customizing the operation of ADinf.
If the ADinf configuration file does not exist, it is automatically
created. You can move the configuration file and personal diskinfo
tables to a different directory. For this, rename the C:\ADINF
directory, and at subsequent calls to ADinf, specify the full pathname
of the new location through the -home command option.
For example, if you rename the directory C:\ADINF to C:\AVIRCONF, at
the next call to the program, include the -home option in the command
line as follows:
u:\adinf\adinf.exe -a -b -d -l -home:c:\avirconf
2.2 Installing ADinf Cure Module
To install ADinf Cure Module, insert the copy diskette in drive A: or
B:, log on to the ADINFEXT directory, run the INSTALL.EXE program and
answer all its questions.
Setup begins to search for the ADinf program on the drives in your
hard disk. This may take some time, especially, if your disk has a
large volume. To speed up the search, in the Setup command line you
may specify the pathname, or just the name letter of the drive where
ADinf is installed. For example, the command
a:\install.exe d:
restricts the search for ADinf to drive D:, and the command
a:\install.exe d:\antivir
restricts the search to the \ANTIVIR directory in drive D:.
On detecting ADinf, Setup displays a query:
┌──────── Searching for ADinf on disk C: ─────────╖
│ ║
│ C:\ADINF\Adinf.exe ║
├─────────────────── Found: 1 ─────────────────────╢
│ C:ADINF\adinf.exe ║
│ ┌──────────────── ?! ────────────────╖ ║
╘═════│ Do you wish to continue searching? ║═══════╝
│ ║
│ Stop ▄ Continue▄ ║
│ ▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║
╘════════════════════════════════════╝
If the pathname displayed is correct, you may abort the search by
choosing the STOP button; otherwise continue the search by choosing
CONTINUE.
If Setup does not find ADinf in the computer, you are prompted to
install ADinf first and repeat the installation procedure of ADinf
Cure Module.
Thereafter, Setup prompts you to install ADinf Cure Module in the
\ADINF directory in drive C:
┌───────────── Install in directory? ──────────────╖
│ C:\ADINF ║
│ Yes ▄ No ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
Choose YES to accept the location; otherwise, choose NO and type the
full pathname of the directory where you want to install ADinf Cure
Module.
On pressing YES, you are prompted to scan the machine for stealth
viruses (refer to the section STEALTH SEARCH MODE):
┌─────────── Scan for Stealth-viruses? ────────────╖
│ ║
│ Yes ▄ No ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
Upon completion of the search for stealth viruses (supposing you have
chosen YES), Setup prompts you to rename the ADINFEXT.EXE file for the
reason stated in the panel:
┌──────────────────────────────────────────────────╖
│ Adinfext.exe ║
│ ║
│ Now you should select executable file name. ║
│ ║
│ Rename the default filename ADinfExt.exe to ║
│ some other name, e.g., MyinfExt.exe, as some ║
│ viruses try to destroy files of names beginning ║
│ with the letters "ad". ║
│ ║
│ Edit file name and press <Enter> ║
│ ║
╘══════════════════════════════════════════════════╝
Edit the top highlighted line in the panel to any name and press
<Enter>. Setup immediately begins to copy the working files of ADinf
Cure Module to your disk. A beep is heard while copying, and after
completing this process, a panel is displayed:
┌───── Cure Module ───────╖
│ Support COMMON tables ║
│ Support PERSONAL tables ║
╘════════════════════<Esc>╝
On choosing the necessary curing support mode, COMMON TABLES, or
PERSONAL TABLES, you are prompted to specify the drives for which cure
mode is to be supported:
┌───── COMMON ─────╖
│ C: Support ║
│ D: Support ║
│ E: Don't support ║
│ F: Don't support ║
│ G: Don't support ║
╘═════════════<Esc>╝
Arrow to the necessary drives one by one and press <Space> to select.
After completing the selection of drives, press <Esc> twice to close
the drive selection and Tables selection panels. You will be prompted
to press any key. On pressing a key, the screen displays the CURE
MODULE SETUP panel:
┌──────────────── Cure Module Setup ───────────────╖
│ Table type ║
│ (•) Complete ║
│ ( ) Abridged ║
├──────────────────────────────────────────────────╢
│ Curing mode ║
│ (•) Files of EXE internal structure ║
│ ( ) Files of given extension ║
├──────────────────────────────────────────────────╢
│ Edit Filename extension list... ║
├──────────────────────────────────────────────────╢
│ Ok ▄ Cancel ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
Specify the necessary table type and curing mode. How to handle this
panel is described in detail under CURE FILE SUPPORT in CUSTOMIZING
THE ADINF OPERATION. On choosing the OK button from this panel, you
will be prompted to prepare a curing diskette:
┌──────────────────────── ?! ──────────────────────╖
│ Prepare the diskette? ║
│ Yes ▄ No ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
Preparation of a curing diskette can be postponed to a later date.
However, it is a good idea to prepare it at the time of installation.
For this, choose YES from this panel. Then you will be prompted to
insert a clean diskette into drive A:
┌──────────────────────── ! ───────────────────────╖
│ Insert a clean diskette into drive A! ║
│ Ok ▄ Cancel ▄ DOS shell▄ ║
│ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
If you have no clean diskette, you should choose DOS SHELL to clean or
format a diskette.
After inserting a clean diskette into drive A:, choose OK. Setup will
then copy the necessary files of ADinf Cure Module and make the
diskette bootable. If you are using non-standard booting drivers, you
must manually copy them to the curing diskette and correct the
CONFIG.SYS file on the diskette.
To make the diskette bootable, Setup uses the DOS SYS.COM command. If
this routine is not available in your machine or your operating system
is earlier than 4.0, at the end of the installation procedure, you
will be prompted to make the diskette bootable. For this, you may
conveniently use the DiskTool program from Norton Utilities.
On the prepared curing diskette, you will find an empty V-HUNTER
directory. Copy the files from the Virus Hunter package to this
directory: if necessary ADinf Cure Module will automatically call
Virus Hunter for curing infected files.
Upon successful preparation of the curing diskette, the screen
displays a logo panel accompanied with music. Press any key to return
to the DOS prompt.
IMPORTANT! Close the write-protect notch on the curing diskette
with a tab. ADinf Cure Module CANNOT be initiated from an
unprotected diskette!
One curing diskette is sufficient to cure several machines.
Store the original curing diskette in a safe place. You will need
it when a virus infiltrates into your computer.
In addition to the pathname of the ADinf directory, the command line
of the Setup program also accepts the following options:
Option │ Its function
═══════════════╪═════════════════════════════════════════════════════
-co │ Use color scheme for a color monitor. Include this
│ option, if the video subsystem can operate in color
│ mode, but Setup uses black and white mode.
───────────────┼─────────────────────────────────────────────────────
-m │ Disable mouse in the course of installation.
───────────────┼─────────────────────────────────────────────────────
-mo │ Force monochrome display mode. Setup recognizes
│ whether your monitor is color or monochrome. Use
│ this option when you want black-and-white display on
│ a color monitor, particularly on LCD VGA laptops and
│ notebooks.
───────────────┼─────────────────────────────────────────────────────
-nam │ Disable the mouse arrow pointer and use the standard
│ mouse cursor.
───────────────┼─────────────────────────────────────────────────────
-os │ Start Setup with its old style interface prior to
│ ADinf version 9.00. This option disables the ADinf
│ internal font table from being loaded into EGA/VGA
│ adapters, so it is useful when Setup conflicts with
│ any resident programs, say, programs that load
│ national fonts into the display adapter.
───────────────┴─────────────────────────────────────────────────────
NETWORK installation
If ADinf is available on the network drive, you can also install ADinf
Cure Module on the network drive. The Cure Module is installed on a
network drive almost in the same way as on a local drive. While
installing on a network drive, it is a good idea to specify the full
pathname of the ADinf directory in the command line of the Setup
program. After installing the Cure Module on the network drive, it is
to be linked to every workstation.
For this, start ADinf from a workstation. Go to OPTIONS ═> SETUP
PARAMETERS ═> CURE MODULE SETUP to pull down the menu:
┌─── Cure Module ─────╖
│ For common tables ║
│ For personal tables ║
│ Cure Module Setup ║
╘════════════════<Esc>╝
First choose whether cure support is to be implemented by COMMON
TABLES or by PERSONAL TABLES, then choose the drives for which cure
support is needed. Thereafter, choose the CURE MODULE SETUP item from
the panel to pull down the CURE MODULE SETUP panel. How to handle this
panel is described under CURE FILE SUPPORT in CUSTOMIZING THE ADINF
OPERATION.
2.3 Using ADinf jointly with Sheriff
Installing ADinf on a Sheriff-guarded computer
To install ADinf, if your computer is protected by the Sheriff
protection hardware:
1. switch off Sheriff, and install ADinf as described above,
2. start ADinf in interactive mode, and go to OPTIONS ═> SETUP
PARAMETERS ═> SHERIFF SERIAL No panel,
3. in the box, type the first five figures in the serial number
of your Sheriff, and press <Enter>,
4. quit ADinf and switch on Sheriff.
Installing Sheriff on an ADinf-installed computer
To install the Sheriff, if ADinf is already installed in your
computer:
1. start ADinf in interactive mode, and go to OPTIONS ═> SETUP
PARAMETERS ═> SHERIFF SERIAL No panel,
2. in the box, type the first five figures in the serial number
of your Sheriff, and press <Enter>,
3. install Sheriff as described in its User's Guide.
2.4 Running ADinf Cure Module under Sheriff
ADinf Cure Module also runs on a computer guarded by a Sheriff
protection system. But prior to curing an infected disk, the Sheriff
protection system must be disabled, since curing is possible only
after starting the computer from a write-protected bootable diskette.
If Sheriff is on, it locks access to the hard disks when the computer
is started from an independent bootable diskette. After the completion
of the curing procedure, you may enable the Sheriff protection system.
For enabling and disabling the Sheriff, refer to its User's Guide.
2.5 Starting ADinf from autoexec.bat file
ADinf can be started automatically from the AUTOEXEC.BAT file or
manually by typing its command at the DOS prompt.
To run ADinf automatically at the time of booting, modify your
AUTOEXEC.BAT file by adding a line as shown below (during installation
you can tell the setup program to do this automatically)
c:\adinf\adinf -d -a60 -b -ld:\tmp c: d:
─────────────┐ ─┐ ───┐ ─┐ ───────┐ ────┐
             │  │    │  │        │     └─ Drives to be scanned
             │  │    │  │        │
             │  │    │  │        └─ Save report in D:\TMP directory
             │  │    │  │
             │  │    │  └────────── Black screen background
             │  │    └───────────── No dialog pauses
             │  └────────────────── Check only once a day
             └───────────────────── Directory where ADinf is installed
ADinf command line options are described below.
2.6 Starting ADinf from the DOS prompt
Advanced Diskinfoscope ADinf can be run in batch mode or in
interactive mode by typing its command line at the DOS prompt and
pressing <Enter>.
Starting ADinf in batch mode
In the batch mode, ADinf successively checks the drives, executing the
options specified in its command line. To run ADinf in batch mode, at
the DOS prompt, type:
adinf <drive> [<drive>...<drive>] [<option>...<option>]
Here <drive> means the logical drives to be tested. At least one drive
must be specified for ADinf to run in batch mode.
For example, type
c:\adinf\adinf c: d:
─────────────┐ ────┐
             │     └─── Drives to be scanned
             │
             └───────── Directory where ADinf is installed
and press <Enter> to scan the drive C: and then the drive D:. In this
example, ADinf is assumed to be installed in the C:\ADINF directory.
In place of a long list of drive letters, you may type the wildcard
character * to test all the drives for which diskinfo tables are
available in your machine. For example, to test all drives with
personal diskinfo tables in batch mode, type
c:\adinf\adinf -p *
and press <Enter>.
2.7 Command line options
ADinf accepts several command options. They must be preceded with a
hyphen "-" or a slash "/" , and separated with a space. They may be
typed in upper- or lower-case. Asterisked items in the table below are
valid only in batch mode, and are inoperative in interactive mode.
Option │ Its function
═══════════════╪═════════════════════════════════════════════════════
-@<filename> │ Tell ADinf to compile a list of files that
│ subsequently need to be tested by anti-virus
│ scanners. This list will include newly-created,
│ changed, renamed, and moved (from one directory to
│ another) files. This list is saved in a file of the
│ filename specified after the character @. Files in
│ this list can be checked through anti-virus programs
│ Virus Hunter and Doctor Web by running them via the
│ /@ command option (see the User's Guide of these
│ programs).
───────────────┼─────────────────────────────────────────────────────
-76 │ Disable the ADinf internal Int76 handler.
───────────────┼─────────────────────────────────────────────────────
* -a[<time>] │ Hide minor dialogs, e.g., when started from
│ AUTOEXEC.BAT file. When the optional <time>
│ parameter is specified, the panel showing the
│ changes closes automatically after <time> seconds,
│ provided the changes are not suspicious and the user
│ does not press a key before that time elapses. For
│ the <time> parameter, you may set a value from 1 to
│ 511.
───────────────┼─────────────────────────────────────────────────────
-admin │ Define, change, or cancel the administrator
│ password. If a password is defined, the following
│ will happen. When an ADinf operation is aborted by
│ pressing <Ctrl+Break> or <F10>, or when the scanning
│ of a drive is terminated by pressing <Esc>, after
│ the completion of scanning mission you are prompted
│ to type the administrator password. If the password
│ is wrongly typed, the system will be rebooted - this
│ security measure prevents users from skipping the
│ checking of a drive when ADinf is started from the
│ AUTOEXEC.BAT file. Moreover, when ADinf is started
│ in interactive mode, you will be prompted to enter
│ the password - this is done to prevent any user from
│ introducing unauthorized changes in the program
│ settings.
│
│ To cancel a password that is defined, just press
│ <Enter> when you are prompted to type and confirm
│ the password.
│
│ When you want to change or cancel the password, you
│ will be prompted to type the currently active
│ password.
───────────────┼─────────────────────────────────────────────────────
* -b │ Tell ADinf not to color the screen background, but
│ to display all messages and panels against the DOS
│ background without clearing the screen that existed
│ prior to starting ADinf. This mode gives a better
│ view when ADinf is run from AUTOEXEC.BAT file.
───────────────┼─────────────────────────────────────────────────────
-co[lor] │ Use color scheme for a color monitor. Include this
│ switch, if the video subsystem can operate in color
│ mode, but ADinf uses black and white mode.
───────────────┼─────────────────────────────────────────────────────
* -d │ Run ADinf ONLY ONCE A DAY and not to initiate at
│ subsequent starts on the same day, even if specified
│ in the AUTOEXEC.BAT file.
───────────────┼─────────────────────────────────────────────────────
-e │ Undo the attribute HIDDEN assigned to diskinfo files.
───────────────┼─────────────────────────────────────────────────────
-f │ Run in fast mode without checking the CRC of files.
│ Diskinfo tables are not updated. Same as FAST SCAN
│ in OPTIONS menu.
───────────────┼─────────────────────────────────────────────────────
-force13 │ Tell ADinf to redefine the address of Int 13h
│ handler in BIOS.
───────────────┼─────────────────────────────────────────────────────
-hd<n> │ Define the maximum number of nonremovable hard
│ disks in a system. This option is necessary for
│ machines equipped with Back Pack Microsolution
│ devices which are removable hard disk cassettes
│ connected to an LPT port. They are controlled by a
│ special driver which misinforms the system that
│ these disks are nonremovable hard disks. By
│ specifying, for example, -hd2, you can tell ADinf
│ that there are actually only two nonremovable hard
│ disks in your system.
───────────────┼─────────────────────────────────────────────────────
-home:<path> │ Define the directory where the ADinf configuration
│ file and personal tables are to be saved (unless the
│ directory for saving personal tables is explicitly
│ specified, see the -p option). If this option is not
│ specified, ADinf configuration file and personal
│ tables are saved in the directory where ADinf is
│ installed. If your computer is a workstation and
│ ADinf is run directly from the network drive, the
│ configuration tables and personal tables are saved,
│ by default, in the C:\ADINF directory.
───────────────┼─────────────────────────────────────────────────────
-i │ Toggle info mode. Diskinfo tables are not updated
│ after the completion of checks. This option must NOT
│ be used with the -d option. Same as INFO MODE in
│ OPTIONS menu.
───────────────┼─────────────────────────────────────────────────────
-l[+][<path>] │ Write the scan report for the drive in a file in the
│ directory where the ADinf configuration file is
│ located. If the <path> parameter is specified, scan
│ report will be saved in a file of the pathname
│ specified in the option. If a report file exists,
│ the report of the current scanning mission is
│ overwritten on the existing report file. If the plus
│ sign is included, the report of the current scanning
│ mission is appended at the end of the existing
│ report file in order to retain the reports of the
│ previous scanning missions. Scanning results can
│ also be saved in a file by choosing the SAVE LOG IN
│ FILE button from the panel displayed on closing the
│ scanning report panel.
───────────────┼─────────────────────────────────────────────────────
-m │ Disable the mouse.
───────────────┼─────────────────────────────────────────────────────
-mo[no] │ Force monochrome display mode. ADinf recognizes
│ whether your monitor is color or monochrome. Use
│ this option when you want black-and-white display on
│ a color monitor, particularly on LCD VGA laptops and
│ notebooks.
───────────────┼─────────────────────────────────────────────────────
-n │ Hide the title screen. By default, it is displayed
│ only in interactive mode.
───────────────┼─────────────────────────────────────────────────────
-nam │ Disable the mouse arrow pointer and use the standard
│ mouse cursor.
───────────────┼─────────────────────────────────────────────────────
-nr │ Do not wait for retraces on CGA-monitor. This option
│ may generate "snow" on certain types of CGA-monitor.
───────────────┼─────────────────────────────────────────────────────
-os │ Start ADinf with its old style interface prior to
│ version 9.00. This option disables the ADinf
│ internal font table from being loaded into EGA/VGA
│ adapters, so it is useful when ADinf conflicts with
│ any resident programs, say, programs that load
│ national fonts into the display adapter.
───────────────┼─────────────────────────────────────────────────────
-p[<path>] │ Use personal diskinfo tables created for a
│ multi-user PC. By default, ADinf diskinfo tables are
│ created in the root directory of a drive. In
│ scanning with personal tables, diskinfo tables are
│ created, by default, in the directory where ADinf is
│ installed. A different location for diskinfo tables
│ can be specified through the <path> of this option
│ or through the menu OPTIONS ═> SETUP PARAMETERS ═>
│ PERS. TABLES PATH. Refer to the section CUSTOMIZING
│ THE ADINF OPERATION. This check from a floppy should be
│ used with great caution. If you run ADinf from a
│ floppy containing the diskinfo tables of some other
│ computer, the consequences would be disastrous
│ especially if you restore the master boot or boot
│ sector of your system.
───────────────┼─────────────────────────────────────────────────────
-r │ Run under DR DOS. ADinf detects its environment
│ automatically. If ADinf hangs up under Novell-DOS
│ later than 7.0, run it with -r option. Use this
│ option, if your computer is running under Compaq DOS
│ or any other OS not fully MS DOS compatible.
───────────────┼─────────────────────────────────────────────────────
-s │ Toggle beeps ON/OFF. Same as SOUND in OPTIONS menu.
───────────────┼─────────────────────────────────────────────────────
-stop[<code>] │ If virus protection is the responsibility of a
│ system analyst, he must configure ADinf to prevent
│ it from reporting any changes to regular users, by
│ properly choosing the list of ADinf-protected files
│ and specifying the working directories. If ADinf is
│ started from AUTOEXEC.BAT file with this option, on
│ trapping a change, it halts the system and prompts
│ the user to STOP work on computer and to call for
│ the system analyst.
│ The -stop option can be specified in two different
│ ways:
│ (1) When specified with no <code> value, this
│ option halts operation when ADinf detects any change
│ in disk information.
│ (2) When specified with a <code> value, this
│ option does not halt the operation when ADinf
│ detects a diskinfo change defined by the <code>. The
│ values of the <code> are as follows:
│ DO NOT TERMINATE OPERATION when one of the following
│ changes is detected
│ 1 - change in master boot record (MBR);
│ 2 - change in boot sector;
│ 4 - new bad clusters;
│ 8 - new directories;
│ 16 - deleted directories;
│ 32 - changes in files;
│ 64 - new files;
│ 128 - deleted files;
│ 256 - files moved to other directories;
│ 512 - renamed files;
│ 1024 - any change which ADinf regards as
│ "suspicious". See below for information
│ on "suspicious changes";
│ 2048 - change in the size of ADinf executable file;
│ 4096 - change in size of the memory allotted to DOS;
│ 8192 - change in the number of physical disks;
│ 16384 - changes in Hard Disk Parameter Tables (HDPT).
│
│ You can tell ADinf NOT to halt the operation for a
│ combination of changes by specifying the sum of the
│ corresponding values of <code>. For example, to
│ tell ADinf not to stop operation if it detects
│ changes in the master boot record, boot sector, and
│ files, specify -stop35. Here (35=1+2+32).
│
│ SYSTEM SUPPORT SPECIALIST ONLY!
│
│ 1. After adding this option to ADinf command line in
│ the AUTOEXEC.BAT file, don't forget to update
│ DISKINFO tables. Otherwise, ADinf will detect this
│ change at the next startup and halt the system.
│
│ 2. If ADinf displays STOP warning, pressing of <Esc>
│ or <Enter> key will only reboot the machine. To get
│ out of this loop, press <Ctrl+Break>.
│
│ 3. The use of the key combination <Ctrl+Break> for
│ leaving the unending reboot loop into which ADinf
│ gets after the operation is halted by the -stop
│ option can be reserved for use only by the system
│ administrator by specifying a password. For more
│ details see -admin option description.
│
│ The -stop option is not operative when ADinf is run
│ under Windows.xx or Windows 95.
───────────────┼─────────────────────────────────────────────────────
* -w │ To create new diskinfo tables in batch mode. Same as
│ CREATE TABLES in MODE menu.
───────────────┴────────────────────────────────────────────────────
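The -stop[<code>] arithmetic from the table above, as an added Python example that is not part of ADinf or of this guide: it sorts the differences between two constructed file snapshots into the table's file-change classes and applies a -stop mask to see which of them would halt the machine. The snapshot format, the sample paths, and the matching of renamed and moved files by identical size and CRC32 are assumptions made for the illustration; the guide does not say how ADinf recognizes them.

```python
import ntpath
import zlib

# <code> values of the -stop option, copied from the option table above.
STOP_BITS = {
    1: "change in master boot record (MBR)",
    2: "change in boot sector",
    4: "new bad clusters",
    8: "new directories",
    16: "deleted directories",
    32: "changes in files",
    64: "new files",
    128: "deleted files",
    256: "files moved to other directories",
    512: "renamed files",
    1024: "suspicious change",
    2048: "change in the size of ADinf executable file",
    4096: "change in size of the memory allotted to DOS",
    8192: "change in the number of physical disks",
    16384: "changes in Hard Disk Parameter Tables (HDPT)",
}
ALL_BITS = sum(STOP_BITS)  # 32767: every change class tolerated
CHANGED, NEW, DELETED, MOVED, RENAMED = 32, 64, 128, 256, 512

def parse_stop_option(arg):
    """Return the mask of tolerated changes for a -stop[<code>] argument."""
    if arg[:1] not in ("-", "/") or arg[1:5].lower() != "stop":
        raise ValueError("not a -stop option: %r" % arg)
    digits = arg[5:]
    if not digits:
        return 0  # bare -stop: any change halts
    if not (digits.isascii() and digits.isdigit()) or int(digits) > ALL_BITS:
        raise ValueError("invalid -stop code: %r" % digits)
    return int(digits)

def snapshot(files):
    """Hypothetical table: upper-cased DOS path -> (size, CRC32) of contents."""
    return {p.upper(): (len(d), zlib.crc32(d)) for p, d in files.items()}

def classify(old, new):
    """Compare two snapshots; return (class bit, path, previous path) tuples.
    Assumption: a vanished file and a new file with equal size and CRC32 are one file."""
    changes = [(CHANGED, p, None)
               for p in sorted(old.keys() & new.keys()) if old[p] != new[p]]
    gone = {}
    for path in sorted(old.keys() - new.keys()):
        gone.setdefault(old[path], []).append(path)
    for path in sorted(new.keys() - old.keys()):
        candidates = gone.get(new[path])
        if candidates:
            previous = candidates.pop(0)
            same_dir = ntpath.dirname(previous) == ntpath.dirname(path)
            changes.append((RENAMED if same_dir else MOVED, path, previous))
        else:
            changes.append((NEW, path, None))
    for paths in gone.values():
        changes.extend((DELETED, p, None) for p in paths)
    return changes

def detected_mask(changes):
    """Combined <code>-style value of every change class that was seen."""
    return sum({bit for bit, _path, _previous in changes})

def halting_changes(changes, stop_mask):
    """Changes whose class the -stop mask does NOT tolerate; any entry means halt."""
    return [c for c in changes if not c[0] & stop_mask]

# Constructed sample: file contents before and after a working session.
BEFORE = snapshot({
    r"C:\DOS\FORMAT.COM": b"format-v1",
    r"C:\DOS\EDIT.COM": b"edit",
    r"C:\UTIL\PK.EXE": b"pk",
    r"C:\WORK\REPORT.BAT": b"rep",
    r"C:\WORK\OLD.SYS": b"old",
})
AFTER = snapshot({
    r"C:\DOS\FORMAT.COM": b"format-v1+appended",  # contents changed
    r"C:\DOS\EDITOR.COM": b"edit",                # renamed in place
    r"C:\TOOLS\PK.EXE": b"pk",                    # moved to another directory
    r"C:\WORK\REPORT.BAT": b"rep",                # untouched
    r"C:\WORK\NEW.EXE": b"new",                   # newly created
})
CHANGES = classify(BEFORE, AFTER)

if __name__ == "__main__":
    for option in ("-stop", "-stop35", "-stop992"):
        halting = halting_changes(CHANGES, parse_stop_option(option))
        print(option, "halts" if halting else "continues",
              [(STOP_BITS[bit], path) for bit, path, _ in halting])
```

With the constructed data, -stop35 still halts on the new, deleted, moved and renamed files, while -stop992 tolerates every class that was detected.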
2.8 Batch file ERRORLEVELS
ADinf sets an errorlevel, and this can be used in a batch file to
determine what actions are then to be taken. The errorlevels set are
as follows:
Errorlevel │ Meaning
════════════╪═════════════════════════════════════════════════════
0 │ Normal termination. All disks verified, no changes
│ found.
────────────┼─────────────────────────────────────────────────────
10 │ Some changes were noticed, but they are not
│ suspicious.
────────────┼─────────────────────────────────────────────────────
20 │ Suspicious changes were detected.
────────────┼─────────────────────────────────────────────────────
25 │ Checking of, at least, one drive terminated by user
│ by pressing <Esc>.
────────────┼─────────────────────────────────────────────────────
30 │ ADinf operation terminated by user by pressing <F10>.
────────────┼─────────────────────────────────────────────────────
40 │ ADinf terminated its mission, since some virus is
│ counteracting against checks.
────────────┼─────────────────────────────────────────────────────
50 │ Abnormal termination due to program internal bug.
────────────┴─────────────────────────────────────────────────────
If two events take place concurrently, for instance, scanning of a
drive aborted by pressing <Esc> and then ADinf operation terminated by
pressing <F10>, the higher of the two levels is returned. In the
example given above, the errorlevel returned is 30.
2.9 Interaction of ADinf with scanners of DSAV
When new programs are copied to your computer, ADinf has no diskinfo
information about them. Therefore, you have to check them with some
anti-virus scanner, for example, Virus Hunter and Doctor Web, which
are components of the DialogueScience DSAV kit.
ADinf can compile a list of files that require subsequent verification
by some anti-virus scanner. For this purpose, first ADinf forms a list
containing the names of newly-created, renamed, and changed files.
Then this list is passed to Virus Hunter and Doctor Web for scanning
for viruses. In this way, you can speed up the verification of your
computer, because the files that remained unchanged since the last
session are already checked by these anti-virus scanners.
The following is a sample batch file to run ADinf jointly with Doctor
Web and Virus Hunter by transferring diskinfo changes (see /@ command
line option). Such a joint operation greatly speeds up scanning
sessions, while retaining the high checking reliability.
First ADinf must be run to scan the computer. If it reports
newly-created or changed files, they are first checked by Doctor Web
and then by Virus Hunter. In case some virus is detected, an
appropriate message is displayed.
@echo off
ADINF * /@c:\addtest.lst /a
if errorlevel 50 goto end
if errorlevel 40 goto vir_in_mem
if errorlevel 30 goto end
if not exist c:\addtest.lst goto end
DRWEB /@+c:\addtest.lst /cl/ha/rv/hi/upn/ns
if errorlevel 2 goto new_vir
if errorlevel 1 goto vir
V-HUNTER /@c:\addtest.lst /g/nb
if errorlevel 3 goto end
if errorlevel 2 goto end
if errorlevel 1 goto vir
:no_vir
echo No viruses found
goto end
:vir_in_mem
echo WARNING! There is an active virus counteracting against ADinf
pause
goto end
:vir
echo ATTENTION! There is a known virus in the machine
pause
goto end
:new_vir
echo ATTENTION! There is an unknown virus in the machine
pause
goto end
:end
WARNING 1. For reliable checking of disks, the list of file
extensions and ADinf operation parameters must be properly
specified such that no important changes in disk information
escape unnoticed.
WARNING 2. When ADinf or scanners detect viruses or suspect
possible virus infection, it is not sufficient to analyze and
cure only the infected files and system areas. It is always
safe to cold start the system from a virus-free bootable
diskette, first thoroughly test all drives and then restore
the infected files from the original distribution disks. When
such a possibility for restoration from original distribution
diskettes is not available, you may use the curing procedure.
WARNING 3. The errorlevel verification function in the batch
file can be specified in such a manner that after the disk
scanning mission is completed, curing mode is automatically
called and then ADinf is restarted for final checking after
the curing session is completed. But such an automatic curing
mode is HAZARDOUS and requires an in-depth study of the
computer configuration settings and utilization modes. Such a
study must be made by a knowledgeable computer analyst
familiar with the specifics of the computer configuration and
users' needs.
2.10 Starting ADinf in interactive mode
A command line with no drives specified, e.g.,
adinf
starts ADinf in interactive mode and displays its main menu.
At every start-up ADinf runs in interactive mode, executing the
parameters set in the previous session. If the -i, -f, -s or -p
options are specified in the command line, ADinf additionally
implements them.
2.11 Useful tips
It is always safe: (1) to run some anti-virus utility, say, Virus
Hunter or Doctor Web, to clean your system prior to installing ADinf,
(2) to run ADinf a few times a day, especially if you swap floppies
often, and (3) to prevent accidental damage, loss and infection,
always use only a copy of the ADinf original diskette.
IMPORTANT! Never leave the changes reported by ADinf
unattended. If you do not know the cause for such changes,
take immediate action to remedy them. If the ADinf messages
are obscure, refer to the section ERROR AND WARNING MESSAGES and
call for technical help. These two simple measures, if taken
in time, will keep your computer away from infectors which
otherwise may infiltrate unnoticed.
2.12 Speedkeys
You may use certain keyboard shortcuts to speed up work in an ADinf
session:
Shortcut │ Its function
══════════╪═══════════════════════════════════════════════════════
<Esc> │ abort ADinf scanning mission (this key is inoperative
│ if ADinf is started with the -stop option),
──────────┼───────────────────────────────────────────────────────
<Alt+D> │ enter DOS shell,
──────────┼───────────────────────────────────────────────────────
<Alt+V> │ execute a DOS command,
──────────┼───────────────────────────────────────────────────────
<Alt+S> │ toggle sound ON or OFF,
──────────┼───────────────────────────────────────────────────────
<Alt+P> │ edit internal paths for viewers,
──────────┼───────────────────────────────────────────────────────
<F1> │ get on-line help on key usage,
──────────┼───────────────────────────────────────────────────────
<F10> │ end an ADinf session.
──────────┴───────────────────────────────────────────────────────
3. ADINF MAIN MENU
When you start ADinf in interactive mode, the screen top line shows
the main menu of five titles: ADINF, DRIVES, MODE, OPTIONS, and QUIT.
By default, the SCAN DRIVES command from the MODE title is selected,
so just press <Enter> to scan the drives for which diskinfo tables
are available in your machine.
┌───────────────────────────────────────────────────────────────────╖
│ ADinf Drives Mode Options Quit F1=Help ║
├────────────────────┬───────────────╥──────────────────────────────╢
│┌─────────────────╖ │ ║ ║
││┌Files ┬CRCtypes┐║ │ Scan drives ║ ║
│││.com │Fast │║ │ Scan selected ║ ║
│││.exe │Fast │║ │ Create tables ║ ║
│││.sys │CRC32 │║ │ Stealth search║ ║
│││.bat │CRC32 │║ ╘═══════════════╝ ║
│││.bin │No CRC │║ ║
│││.lib │No CRC │║ ║
│││.ovl │No CRC │║ ║
│││.ovy │No CRC │║ ║
│││.drv │No CRC │║ ║
│├┼──────┼────────┼╢ ║
│││Others│No CRC │║ ║
│╘╧══════╧════════╧╝ ║
│ ║
├────┬──────┬────────────────────────────────┬───┬──────┬───────────╢
│ C: │ BIOS │ Scan all drives under check │ C │ 358K │ XMS:2576K ║
╘════╧══════╧════════════════════════════════╧═══╧══════╧═══════════╝
You move across the menu bar with <Left> and <Right> keys. Arrow to an
item and press <Enter> to pull down its local menu. Using <Up> or
<Down> key, move to an option in local menus and press <Enter> to
select it. If the option is a command, <Enter> executes it, <Esc>
closes the menu panel without accomplishing any command.
Alternatively, to select a main menu title, press or click the
highlighted letter in the title name. To close a menu panel, press
<Esc> or click an empty spot on the screen.
The bottom line shows the name of the drive being scanned, drive
access type (via BIOS or INT 13h or INT 25h), brief messages and
prompts, diskinfo tables type (C for common and P for personal), the
conventional memory space presently free, and XMS space presently free.
3.1 Menu titles and their purpose
────────┬──────────────────────────────────────────────────────────
ADINF │ To view ADinf ver. No and other relevant information.
────────┼──────────────────────────────────────────────────────────
DRIVE │ To select drives for scanning.
────────┼──────────────────────────────────────────────────────────
MODE │ To choose SCAN DRIVES, SCAN SELECTED, CREATE TABLE,
│ or STEALTH SEARCH mode.
────────┼──────────────────────────────────────────────────────────
OPTIONS │ To customize ADinf operation parameters. (For details,
│ see CUSTOMIZING THE ADinf OPERATION below).
────────┼──────────────────────────────────────────────────────────
QUIT │ To end an ADinf session.
────────┴──────────────────────────────────────────────────────────
In the interactive mode, you can:
1. scan hard drives in your computer,
2. check floppy diskettes for changes,
3. create ADinf diskinfo tables for your drives,
4. scan for active stealth viruses in your computer,
5. customize certain ADinf parameters to suit your preferences,
scan all files in drives or only the files whose extensions
are specified in the file extension list,
6. revise the list of extensions of files to put under ADinf
control, associate viewers and editors with extensions for
viewing and editing files of particular extensions and specify
the type of file CRC for scanning.
3.2 Scanning the drives
When ADinf is started in interactive mode, the SCAN DRIVES command
from the MODE title is by default selected; therefore just press
<Enter> to scan the drives for which diskinfo tables have already been
created.
To scan only particular drives, first arrow to DRIVES in the main menu
and press <Enter> to pull down the DRIVES local menu. Then arrow to
the drive you want to scan and press <Enter>. A plus sign (+) on the
left of the drive name indicates the drive is selected. A drive is
deselected by pressing <Enter> again ─ the plus sign changes to minus
sign. You may select as many drives as you like for scanning in one
run. Then, arrow to MODE in the main menu and press <Enter>. A local
menu drops down containing SCAN DRIVES, SCAN SELECTED, CREATE TABLES
and STEALTH SEARCH commands. Arrow to SCAN SELECTED and press <Enter>
to start scanning the drives.
You can abort scanning of any disk at any time by pressing <Esc> or
clicking both mouse buttons together. ADinf then will respond:
┌──────────────── Stop scanning ? ─────────────────╖
│ No ▄ This drive ▄ All drives ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
If you choose NO or click the mouse right button, scanning of all
other drives is resumed; if you choose THIS DRIVE, only the current
drive is skipped and if you choose ALL DRIVES, scanning is aborted.
If no drive is selected, on pressing <Enter> to start scanning, you
get the warning:
┌─────────────────── Warning ! ────────────────────╖
│ No drives selected! ║
│ Press ESC ║
│ Select some from "DRIVES" menu. ║
╘══════════════════════════════════════════════════╝
In such cases, press <Esc> to return to DRIVES menu. Select
drive(s) and run ADinf again.

3.3 Creating diskinfo tables

The procedure is the same as described above; the only difference is
that you now choose the CREATE TABLES command from the MODE menu.

3.4 Checking floppy diskettes

Most of the viruses migrate from computer to computer via diskettes. A
clean diskette gets easily infected: insert it into a contaminated
computer and just open its directory for viewing ─ it may become a
virus carrier. But inserting an infected diskette into a computer is
not sufficient to inject a virus into your computer: either an
infected program on the diskette has to be started or the computer has
to be booted from an infected diskette.
In order to be certain that your diskettes, or the diskettes you pass
on to or obtain from others are clean, always check them with ADinf.
When a diskette is checked with ADinf for the first time, a diskinfo
table containing vital information about the diskette is saved on it.
Therefore, prior to passing a diskette to others, always check it with
ADinf and save the diskinfo tables on it. If the receiver has Advanced
Diskinfoscope installed in his computer, he can check the integrity of
the data on the diskette. Likewise, you can check up whether a
diskette obtained from others is virus-infected or clean.
The diskinfo tables written by ADinf on a diskette contain full
information essential for scanning (the list of files under check,
types of CRC of files, names of viewers and editors for the files on
the diskette). Therefore the diskinfo tables created on a diskette by
ADinf in one computer may be compatible with the configuration of
ADinf on another computer.

3.5 Stealth search mode

Stealth viruses, as their name implies, are capable of stealthily
hiding themselves in an infected machine. The early computer infectors
did not possess this property and so could be detected visually when
an infected file was opened for viewing. Even simple anti-virus
utilities could suppress their multiplication, and thus viruses did
not pose an epidemic hazard.
Advancement in new anti-virus techniques catalyzed new trends in virus
design and the appearance of invisible infectors was the next natural
step in the evolution of virus technology. Viruses designed on hiding
algorithms cannot be viewed with operating system tools. For example,
when an infected file is viewed by pressing <F3>, Norton Commander
does not show anything unusual because the virus removes its body when
the file is opened for reading, and returns back on closing. This is
only one of the dodging tools and there are several other masking
techniques. Boot infectors also hide themselves when an infected
sector is opened for reading.
In the early development stages, the stealth virus design was ahead of
the potentialities of the then anti-virus utilities. Thus the viruses
Frodo.4096, XPEH and some other specimens proliferated far and wide.
ADinf easily detects newly designed stealth viruses. For instance,
most of the anti-virus utilities were ineffective against the epidemic
outbreak in the summer and autumn of 1991 due to the incidence of
DIR-II virus written with a then unknown detection-dodging algorithm.
But on the computers protected by ADinf, it was easily trapped and
eradicated.
The hiding algorithm itself is the weakest link in the stealth virus
design, and it is the key to successful detection of such a virus on
an infected machine. A discrepancy between the file size or CRC
reported by DOS and the actual size or CRC is a definite symptom of
virus infection. The hiding capability of a stealth virus betrays its
presence in an infected file! Such a comparison algorithm is
implemented in ADinf.
To detect stealth viruses in your machine
1. arrow to DRIVES in the main menu,
2. mark the drives you want to scan for stealth virus by pressing
<Enter> on the drive name A:, B:, C:,...,
3. arrow to MODE in the main menu,
4. select STEALTH SEARCH,
5. press <Enter> to start scanning the selected drives for
stealth viruses.
You may stop scanning a drive any time as described under SCANNING THE
DRIVES.
While scanning for stealth viruses, ADinf checks the master boot
sector, boot sectors of logical drives and then compares the sizes and
CRC of files given by DOS with the actual values which it determines
by directly reading the sectors, accessing via BIOS. If there is any
discrepancy in these values, it stops scanning the drives in order not
to spread infection to other clean directories and displays the
message:
┌─────────────────────────── Attention! ────────────────────────────╖
│ For file ║
│ C:\AAAA.COM ║
│ size reported by DOS differs from its real length! ║
│ ║
│ DOS reports: 5883, real: 9889 bytes, difference: 4016. ║
│ ║
│ There may be an active STEALTH-VIRUS in the memory! ║
│ ║
│ Continue ▄ Stop ▄ View ▄ Reboot ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ║
│ Further scanning may inject infection into clean files being ║
│ checked by ADINF! Recommend you to stop scanning, insert into ║
│ drive A a write-protected system diskette, & choosing REBOOT, ║
│ reboot your computer with a clean operating system. Disinfect ║
│ the infected files, prior to starting the computer from your ║
│ hard disk! ║
╘═══════════════════════════════════════════════════════════════════╝
Choosing VIEWER from this panel, you can view the suspect file. The
viewer prints the file on the screen by reading it directly through
BIOS.
Choosing REBOOT, you can eradicate stealth and other viruses from your
computer. For this, insert in drive A: (or the drive appropriate to
your system) a write-protected bootable diskette containing a clean
operating system and an anti-virus utility capable of killing stealth
virus, say, Virus Hunter or Doctor Web. And choose REBOOT to reset the
machine and then run the anti-virus program on the diskette. If the
virus residing in your machine is already known, Virus Hunter or
Doctor Web will kill it. If not, the virus is definitely a hitherto
unknown stealth infector and you should call for help from some
Anti-virus Service or restore your files from a backup copy.
ADinf automatically checks for stealth viruses in newly created files,
because certain stealth viruses infect files only when they are
created, for example, while copying from a diskette or exploding a
packed file. By default, this mode is ON. Since this check takes some
time, you may switch it OFF, cascading through the menu route:
OPTIONS => SETUP PARAMETERS => INFO UNDER CHECK => SS NEW FILES.
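
The comparison that STEALTH SEARCH relies on, as an added Python example that is not ADinf code: the sizes and CRCs seen through the operating system are checked against those read from the raw medium, and the check stops at the first discrepancy. RawView stands in for direct sector reads through BIOS and OsView for DOS file services with a resident filter in between; the class names, file names and file contents are constructed for illustration.

```python
"""Cross-view check: compare what file services report with raw media contents."""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    name: str
    kind: str       # "size" or "crc"
    reported: int   # value obtained through the operating system view
    real: int       # value obtained from the raw view


class RawView:
    """Stand-in for reading a file's sectors directly (assumed trustworthy)."""

    def __init__(self, disk):
        self._disk = disk

    def names(self):
        return sorted(self._disk)

    def read(self, name):
        return self._disk[name]


class OsView:
    """Stand-in for DOS file services. `shown` models a resident filter that
    answers with other bytes than the ones really stored for some files."""

    def __init__(self, disk, shown=None):
        self._disk = disk
        self._shown = shown or {}

    def size(self, name):
        return len(self.read(name))

    def read(self, name):
        return self._shown.get(name, self._disk[name])


def stealth_search(os_view, raw_view, stop_at_first=True):
    """Return the discrepancies between both views: size first, then CRC32."""
    found = []
    for name in raw_view.names():
        real = raw_view.read(name)
        if os_view.size(name) != len(real):
            found.append(Discrepancy(name, "size", os_view.size(name), len(real)))
        else:
            reported_crc = zlib.crc32(os_view.read(name))
            real_crc = zlib.crc32(real)
            if reported_crc != real_crc:
                found.append(Discrepancy(name, "crc", reported_crc, real_crc))
        if found and stop_at_first:
            break   # do not open further files while a filter may be resident
    return found


def describe(d):
    """Render a finding in the style of the ADinf warning panel."""
    if d.kind == "size":
        return (f"{d.name}: DOS reports: {d.reported}, real: {d.real} bytes, "
                f"difference: {d.real - d.reported}.")
    return f"{d.name}: CRC reported {d.reported:08X}, real {d.real:08X}."


# Constructed sample data: what is really stored on the medium ...
HOST = bytes(range(256)) * 4 + bytes(176)            # 1200-byte program
DISK = {
    "C:\\AAAA.COM": HOST + b"\xCC" * 800,            # 800 foreign bytes appended
    "C:\\BBBB.EXE": b"MZ" + bytes(510) + b"\x02",    # one byte altered in place
    "C:\\CCCC.SYS": b"driver" * 100,                 # untouched
}
# ... and what the filtered operating system view hands back instead.
SHOWN = {
    "C:\\AAAA.COM": HOST,                            # appended bytes concealed
    "C:\\BBBB.EXE": b"MZ" + bytes(510) + b"\x01",    # original byte presented
}

RAW_VIEW = RawView(DISK)
FILTERED_VIEW = OsView(DISK, SHOWN)
CLEAN_VIEW = OsView(DISK)

if __name__ == "__main__":
    for finding in stealth_search(FILTERED_VIEW, RAW_VIEW, stop_at_first=False):
        print(describe(finding))
```

A CRC comparison catches the second file even though its reported length is correct, which is why the size check alone is not sufficient.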

3.6 Customizing the ADinf operation

The OPTIONS title in the main menu provides ample items to customize
certain ADinf parameters to suit your preferences. It cascades as
follows:
OPTIONS
│
├─ TABLES
├─ PROGRAM MODES ──┐
└─ SETUP PARAMETERS ─┐├─ SOUND
│├─ FAST SCAN
│└─ INFO MODE
│
├── EXTENSION LIST ────┐
├── INFO UNDER CHECK ───┐├─ EXTENSIONS
├── TABLE FILE NAME │└─ CRC TYPES
├── PERS. TABLE PATH │
├── DRIVE ACCESS TYPE ├── EXTENSIONS
├── TREEINFO.NCD FILE ├── STABLE FILES
├── PATH TO VIEWERS ├── BOOT-SECTORS
├── FILE LIST SORTING ──┐├── BAD CLUSTERS
├── SHERIFF SERIAL NO │├── DIRECTORIES
└── CURE FILE SUPPORT ─┐│├── SKIP TREES
││├── HDP TABLES
││├── SS NEW FILES
││└── SS CHANGED
││
│├─── BY EXTENSION
│├─── BY DIRECTORY
│└─── KEEP UNSORTED
│
├──── FOR COMMON TABLES
├──── FOR PERSONAL TABLES
└──── CURE MODULE SETUP(***)
(***) - available only for ADinf Cure Module versions later than 3.00
The OPTIONS title contains three items:
TABLES
PROGRAM MODES
SETUP PARAMETERS
TABLES
item has two choices: COMMON to construct tables for a machine as a
whole regardless of the number of users operating it, and PERSONAL ─
only for you. These two choices are toggled with <Enter>.
Ordinarily, ADinf creates diskinfo tables in the root directory of the
drive being checked. In PERSONAL mode, they are created in the
directory containing ADinf. You can copy ADinf in your directory or on
a separate floppy and thus conduct a personal check to detect the
changes that occurred in your absence. This check from a floppy should
be used with great caution. If you run ADinf from a floppy containing
the diskinfo tables of some other computer, the consequences would be
disastrous, especially if you restore the master boot or boot sector
of your system.
You can also specify a directory for saving the personal diskinfo
tables. For this, choose PERS. TABLES PATH from PROGRAM MODES in
OPTIONS from the main menu and type the full pathname in the on-screen
panel and press <Enter>. See also -p and -home options.
PROGRAM MODES
menu contains three toggles:
SOUND
FAST SCAN
INFO MODE
SOUND beeps are toggled ON and OFF with <Enter>.
FAST SCAN, when ON, file CRCs are not calculated and diskinfo tables
and TREEINFO.NCD files are not updated.
INFO MODE, when ON, diskinfo tables and TREEINFO.NCD files are not
updated in every ADinf session, even if the diskinfo has changed since
the last check.
SETUP PARAMETERS
menu provides ten items for customizing certain ADinf operation
parameters to suit your preference and convenience:
EXTENSION LIST
INFO UNDER CHECK
TABLE FILE NAME
PERS. TABLES PATH
DRIVE ACCESS TYPE
TREEINFO.NCD FILE
PATH TO VIEWERS
FILE LIST SORTING
SHERIFF SERIAL NO
CURE FILE SUPPORT
EXTENSION LIST
menu contains two options EXTENSIONS and CRC TYPE. On choosing
EXTENSIONS, you get two panels, viz., a FILE EXTENSION LIST containing
the extensions of files under control, their viewers and editors and a
SELECT EXTENSION panel showing editing keys:
┌ Files:┬── Viewer ───┬─ Editor ─╖
│ .COM │ wpview.exe │ nu.exe ║
│▒▒.EXE▒│▒wpview.exe▒▒│▒nu.exe▒▒▒║<─┐
│ .SYS │ wpview.exe │ edit.com ║ │
│ .BAT │ wpview.exe │ edit.com ║ │
│ .LIB │ wpview.exe │ edit.com ║ │
│ .OVL │ wpview.exe │ nu.exe ║ │
│ .OVY │ wpview.exe │ nu.exe ║ │ ┌──── Select extension ─────╖
│ .DRV │ wpview.exe │ nu.exe ║ │ │ ║
│ .BAK │ wpview.exe │ nu.exe ║ │ │ Use keys: ║
│ .ZIP │ arcview.exe │ ║ │ │ ║
│ .ARJ │ arcview.exe │ ║ └──┤ <Enter> - Edit; ║
│ .PAK │ arcview.exe │ ║ │ <Up>,<Dn> - Select; ║
╘═══════╧═════════════╧══════════╝ │ Gray <+> - Add; ║
│ Gray <-> - Delete; ║
│ <Esc> - Quit. ║
╘═══════════════════════════╝
You may edit the file extension list for adding the extensions of the
files to put under ADinf control or for deleting the extensions of the
files not needing control any longer.
Adding and deleting file extension
To delete a file extension, select the extension you want to delete
with <Up> or <Down> key, and then press <Gray ->. Press <Esc> to quit
the panel.
To add a file extension, press <Gray +>. The selection bar jumps to an
empty row created at the table bottom. Type the file extension. After
you are done, press <Esc> to finish or <Enter> to edit the viewer and
editor columns.
Editing the VIEWER and EDITOR columns
By editing the VIEWER and EDITOR fields, you may assign for each file
extension a separate viewer and editor for displaying and reading a
file with a particular extension. After adding or deleting file
extensions, while you are still in the extension panel, press <Enter>
to invoke EDIT MODE: the SELECT EXTENSION panel at once toggles to
EDIT MODE:
┌ Files:┬── Viewer ───┬─ Editor ─╖
│ .COM │ wpview.exe │ nu.exe ║
│▒▒.EXE▒│▒wpview.exe▒▒│▒nu.exe▒▒▒║<─┐
│ .SYS │ wpview.exe │ edit.com ║ │
│ .BAT │ wpview.exe │ edit.com ║ │
│ .LIB │ wpview.exe │ edit.com ║ │
│ .OVL │ wpview.exe │ nu.exe ║ │
│ .OVY │ wpview.exe │ nu.exe ║ │ ┌─────── Edit mode ────────╖
│ .DRV │ wpview.exe │ nu.exe ║ │ │ ║
│ .BAK │ wpview.exe │ nu.exe ║ │ │ Use keys: ║
│ .ZIP │ arcview.exe │ ║ │ │ ║
│ .ARJ │ arcview.exe │ ║ └──┤ <Enter> - Done; ║
│ .PAK │ arcview.exe │ ║ │ <ESC> - Cancel; ║
╘═══════╧═════════════╧══════════╝ │ <Ins> - Ins/Ovt; ║
│ <Tab> - Field. ║
╘══════════════════════════╝
To edit an item in the viewer or editor column, press <Tab> to jump to
the desired column. Edit as in any text editor and after you are done
with editing, press <Enter> to save the edits. You may edit in INSERT
or OVERTYPE mode, by toggling with <Ins>. Press <Enter> to finish or
<Esc> to cancel the edit command.
Selecting the CRC type
First arrow to EXTENSIONS LIST in the SETUP PARAMETERS menu and press
<Enter> to pull down a local menu of two items: EXTENSIONS and CRC
TYPE. On choosing CRC TYPE and pressing <Enter>, the screen displays
two panels:
┌ Files:┬CRC type╖
│ .COM │ Fast ║
│▒▒.EXE▒│▒Fast▒▒▒║<─┐ ┌─────────── CRC types selection ───────────╖
│ .SYS │ CRC32 ║ │ │ ║
│ .BAT │ CRC32 ║ │ │ FAST CRCs provide virus protection and ║
│ .LIB │ No CRC ║ │ │ high scan speed. For full disk checks ║
│ .OVL │ No CRC ║ │ │ select CRC16/32. But scan rate will be ║
│ .OVY │ No CRC ║ │ │ slower. Use NO CRC for fast disk ║
│ .DRV │ No CRC ║ └──┤ scanning. ║
╘═══════╧════════╝ │ ║
│ Use keys: ║
│ ║
│ <Up>,<Dn>, ║
│ <Home>,<End> - select files; ║
│ <Space> - select CRC type. ║
│ ║
╘════════════ <Esc>,<Enter> - end selection ╝
Each file extension can be assigned a separate CRC type to be
calculated while scanning. CRC types available and their functions are:
CRC type │ Function
═══════════════╪════════════════════════════════════════════════
NO CRC │ CRC for the file is not calculated.
───────────────┼────────────────────────────────────────────────
FAST CRC │ provides safe virus protection at sufficiently
│ fast scanning rate for COM and EXE files only.
───────────────┼────────────────────────────────────────────────
CRC16 & CRC32 │ guarantee complete control over data security
│ but at a slower scanning rate.
───────────────┴────────────────────────────────────────────────
Pro-ADinf also supports LAN64 CRC, i.e., the 64-bit CRC calculated for
the whole file by the special hash function developed by the LAN
Crypto Corporation.
To specify a CRC for a file extension, choose CRC TYPE from the FILES
LIST menu and press <Enter>. Arrow to the desired file extension,
repeatedly press <Space> to set the CRC type. Finally, press <Enter>
or <Esc> to finish.
INFO UNDER CHECK
menu contains nine items for setting the parameters so that ADinf may
check the drives the way you want it to do:
EXTENSIONS
STABLE FILES
BOOT SECTORS
BAD CLUSTERS
DIRECTORIES
SKIP TREES
HDP TABLES
SS NEW FILES
SS CHANGED
EXTENSIONS
Advanced Diskinfoscope can check ALL FILES on your disks or only files
BY LIST of file extensions you specified.
If you want to keep a rigorous control over your disks, choose ALL
FILES from the EXTENSIONS submenu. But to save time, you may limit the
extensions of files to be checked. The previous section describes how
to edit the file extension list.
The list of files to be scanned can be specified separately for the
COMMON and PERSONAL mode in the OPTIONS menu. COMMON mode defaults to
BY LIST for scanning COM, EXE, SYS, BAT, BIN, LIB, OV?, DRV, PGM, and
DLL files only. This list is quite adequate to safeguard against virus
infection. PERSONAL mode defaults to ALL FILES for scanning, but the
list contains additionally BAK, ZIP, ARJ, PAK, LZH, PIF files. You may
however edit the default list of file extensions to specify files to
put under ADinf control.
If you use ALL FILES for scanning, the extension list gives some
information separately for each extension, i.e. CRC type and
viewer/editor names.
STABLE FILES
panel specifies a list of files which should always remain intact.
ADinf checks these files by their CRC32 and reports even the slightest
modification it detects as suspicious. To edit a file in this list,
arrow to its filename and press <Enter>. A cursor appears. Now edit
the filename as in a text editor. Once you are done with editing,
press <Enter>. Press <Del> or <Bksp> to delete a filename from the
list.
BOOT SECTORS
panel tells ADinf to check or not to check the boot sector of a drive.
For this, arrow to the drive name letter and, by repeatedly pressing
<Enter>, toggle CHECK or DON'T CHECK, whichever is appropriate. You
may have to switch off BOOT SECTORS, particularly when a drive is
compressed with a compactor such as Stacker, because it constantly
modifies the boot sector of the drive it compresses.
BAD CLUSTERS
panel tells ADinf to check or not to check for bad clusters that are
newly created in a drive. You handle this panel in the same way as
described in the previous paragraph. By default, this mode is switched
off.
DIRECTORIES
panel tells ADinf to check or not to check for changes (newly created
and deleted directories) in the directory tree of a drive. By default,
this mode is switched off.
SKIP TREES
tells ADinf to skip its checks for those directories that are
frequently accessed or the directories containing frequently edited
files. For this, ADinf must already have created its tables for the
drives in your machine (they are created automatically when ADinf is
installed for the first time, and you can create them afresh any time
you like by choosing CREATE TABLES from the MODE title of the main
menu). Then go to OPTIONS ═> SETUP PARAMETERS ═> INFO UNDER CHECK ═>
SKIP TREES.
Then arrow to the desired drive in column at the left-edge of the
panel, press <Tab> or <Enter> to display the directory tree of the
selected drive, arrow to the desired directory or subdirectory you
want to exclude from the ADinf checks and press <Enter> (or click the
mouse).
The selected directory is then displayed in a contrasting color, all
others in black. You can also deselect the subdirectories of a
selected directory.
In a checking session, ADinf also scans those directories and
subdirectories marked for exclusion from checks, only it does not
produce a status report for them, unless it expertizes them as
suspicious (see SUSPICIOUS CHANGES).
HDP TABLES
panel tells ADinf to check or not to check the Hard Disk Parameters
tables (HDPT) in the memory in BIOS variable area. Press <Enter> to
toggle between TABLES ARE UNDER CHECK and TABLES NOT UNDER CHECK.
Check mark indicates that the item is currently active. By default,
ADinf does not check the HDPT.
SS NEW FILES
panel toggles the search mode for stealth viruses in new files between
ON and OFF. By default, this mode is switched on. For details, see
under SEARCHING FOR STEALTH VIRUSES.
SS CHANGED
panel toggles the search mode for stealth viruses in changed files
between ON and OFF. By default, this mode is switched on. For details,
see under SEARCHING FOR STEALTH VIRUSES.
TABLE FILE NAME
By default, ADinf saves its diskinfo table for each hard disk
separately in a file in the same drive and names it ADINF=x=.▓▓▓
(where x is the drive name letter). The viruses which dodge ADinf may
alter the ADinf diskinfo tables. To fool such viruses, you may rename
the ADinf diskinfo table file.
In the on-screen box displaying ADINF=x=.▓▓▓, type a new name and
press <Enter>. If you make a typing mistake or want to change the file
name, back up all the way to first character and retype a new name.
PERS. TABLES PATH
displays a panel for specifying the full path of the directory where
you want ADinf to save the diskinfo tables. If no path is specified,
personal tables are saved in the directory where ADinf executable file
is installed or in the directory specified in -home option.
DRIVE ACCESS TYPE
command defines how ADinf should access a disk for checking infection
- through BIOS, or Int 13h or Int 25h/26h. ADinf scans the disks
partitioned by DOS fdisk utility, directly accessing them via BIOS. If
necessary, you may set Int 13h or Int 25h/26h as the access type for a
drive.
In the panel displaying drive names and their access type (BIOS by
default), to change the access type of a drive:
1. arrow to the drive name letter,
2. repeatedly pressing <Space> or <Enter> or clicking the mouse
left button, set your choice BIOS or Int 13h or Int 25h/26h,
3. press <Esc> or click the mouse right button to finish.
TREEINFO.NCD FILE
tells ADinf to update or not to update the drive TREEINFO.NCD file
created by Norton Commander and Norton Change Directory utility. So
there is no need to tell Norton Commander to scan your drives to
update these files as ADinf compiles the full tree structure of your
drives and writes them in the TREEINFO.NCD files. By default this mode
is unselected.
PATH TO VIEWERS
command displays a panel for specifying the full path of the
directories where ADinf may search for external viewers and editors.
You may specify several paths, separating them with an intervening
semicolon ";".
FILE LIST SORTING
command tells ADinf to display the new, changed, deleted, moved and
renamed files in its report after sorting them either by the filename
extensions or by directories.
SHERIFF SERIAL NO
command displays a panel for typing the first five digits of the
serial number of the Sheriff protection system, if it is installed in
your computer (refer to USING ADINF JOINTLY WITH SHERIFF).
CURE FILE SUPPORT
is active only if ADinf Cure Module is installed. This command
activates or disables the ADinf Cure Module - a companion program for
curing either by personal or common diskinfo tables. You get a panel
displaying three items:
FOR COMMON TABLES
FOR PERSONAL TABLES
CURE MODULE SETUP
Arrow to your option and press <Enter> to pull down a panel for
setting SUPPORT or DON'T SUPPORT. For each drive, set your option with
<Enter> to support or not to support curing for the files controlled
by the common or personal tables.
CURE MODULE SETUP
The last item CURE MODULE SETUP in CURE FILE SUPPORT menu is helpful
in customizing the operation of ADinf Cure Module. On choosing this
item, you get the "Cure Module Setup" dialog panel:
┌─────────────────── Cure Module Setup ─────────────────╖
│ Tables type ║
│ () Complete ║
│ ( ) Abridged ║
├───────────────────────────────────────────────────────╢
│ Curing mode ║
│ () Files of EXE internal structure ║
│ ( ) Files of given extension ║
├───────────────────────────────────────────────────────╢
│ Edit list of filename extensions... ║
├───────────────────────────────────────────────────────╢
│ Ok ▄ Cancel ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║
╘═══════════════════════════════════════════════════════╝
Setting the cursor under the desired field, you can choose either
COMPLETE or ABRIDGED tables by pressing the spacebar. Complete tables
provide 97% file restoration efficiency. Abridged tables provide 94%
restoration efficiency, but require less disk space and are
perceptibly faster in restoration.
The CURING MODE field gives two alternatives for choosing the type of
the files to be cured. Choosing the FILES OF EXE INTERNAL STRUCTURE
option, you can cure files having the EXE internal structure
(irrespective of the filename extension), as well as files of
extensions COM, EXE, SYS, BAT, and XTP. The other option, FILES OF
GIVEN EXTENSION, as its name implies, restores files of the extension
you specify. Tables for the first option take longer to construct
and occupy more space than the tables needed for restoring under the
second option.
If you choose the FILES OF GIVEN EXTENSION option, the diskinfo tables
contain data about files of extensions COM, EXE, SYS, BAT, and XTP as
well as about files of extensions which you add to this list. For this
purpose, choose the EDIT FILENAME EXTENSION LIST and press <Enter> to
pull a dialog panel:
┌─────────── Edit Filename extension list ────────────────╖
│ ║
│ You can add extensions to the filename extension list. ║
│ ADinf cure Module currently supports the extensions: ║
│ EXE, COM, SYS, BAT, XTP. ║
│ If you have executable files with other extensions, you ║
│ can add by typing them in the next line, separating ║
│ them with a comma. ║
│ ┌─────────────────────────────────────────────────────┐ ║
│ │ │ ║
│ └─────────────────────────────────────────────────────┘ ║
│ Ok ▄ Cancel ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ║
╘═════════════════════════════════════════════════════════╝
In the text field of this panel, type the filename extensions you want
to add to this list. Remember, these filename extensions must also be
specified under the filename extension list of ADinf program.

4. RUNNING ADINF CURE MODULE

ADinf Cure Module runs in three different modes:
1. Creation mode for compiling diskinfo tables for the files in
your machine;
2. Update mode for saving the latest diskinfo about files, and
3. Curing mode.
In Tables Creation and Update modes, ADinf Cure Module is initiated
automatically by the ADinf program. Tables are created only once for a
machine. This is the only operation that takes some time to complete.
Tables are automatically updated in ADinf sessions. Tables need some
hard disk space, e.g., ~500K for a 200Mb disk holding a large number
of programs. Table updating needs free disk space slightly more than
the original table size.
For running ADinf Cure Module in curing mode, proceed as follows.
After examining the changes reported in the ADinf scan report, on
pressing <Esc>, you get a panel:
┌─────────────── Do you wish to update diskinfo table ? ───────────╖
│ ║
│ Update ▄ Don't update ▄ Cure ▄ Save log in file▄ ║
│▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════════════════════╝
If you want to cure the changed files, choose the CURE button from
this panel. ADinf immediately resumes its scanning mission, and after
checking all other remaining drives, it prompts you to insert the
bootable write-protected curing diskette into drive A:. After
inserting the diskette, press any key.
The curing diskette must be prepared in advance as described under the
section INSTALLING ADINF CURE MODULE. It is very important that the
curing diskette be write-protected.
In curing mode, ADinf Cure Module is automatically started from
CONFIG.SYS file on bootable curing diskette. After starting ADinf Cure
Module, specify the type of the tables (PERSONAL or COMMON) under
which the system was scanned in the session when ADinf prompted you to
cure the system. For personal tables, additionally specify the
directory where they are located. Then from the list of changed files,
choose the files which you want to restore. Files for curing are
chosen by moving the selection bar over the list of changed files with
<Up> or <Down> key and then pressing <Ins> or <Space>. To select all
files in the list, press the <Gray +> key on the numeric keypad.
You must also specify whether or not to save the infected files. They
may be needed for mailing to the Anti-virus Department of
DialogueScience for developing a curing routine for the virus in the
file. You have a choice between saving all changed files or only one
file ─ the first successfully cured file. Files are saved under their
original names, but with a different extension: EXE files are assigned
the extension EVR, and COM files are assigned the extension CVR.
Upon completion of curing, the screen prints a curing report,
displaying the number of cured and not-cured files, a list of
filenames along with curing results. A file reported as CURED is
verbatim restored to its pre-infection status. Restoration results are
verified with 32-bit CRCs computed independently by three different
methods.
If ADinf Cure Module fails to kill some virus, run Virus Hunter, or
Doctor Web, or some other virus scanner/remover. If the virus in your
computer is known to these anti-virus programs, they will kill the
virus. Now, run ADinf once again as a final check. If the scanning
report still contains changed files, run ADinf Cure Module once again.
Secondary curing will clean up your system from all minor
modifications inevitably introduced in files by anti-virus utilities,
though they have hardly any effect on the program performance. But it
is better to be confident that your files have been restored in toto
to their original shape. Finally, run ADinf once again, paying special
attention to the files that were reported as changed. Anyway, check up
the performance of a program by actually running it.

5. IF THINGS GO WRONG, ANYWAY ...

5.1 Responding to ADinf messages

Regardless of the operation mode ─ batch or interactive ─ ADinf, after
checking a drive, always prints a scan report on the screen, whether
or not the disk information has been changed since the last check. If
there are no such changes and the -a option is not included in the
command line, you get a
┌──────────────────────── Drive C: Scan Report ─────────────────╖
│ ║
│ Current time is 23h 45m 13s 15 August 1996 ║
│ Tables were created at 23h 11m 6s 15 August 1996 ║
│ ║
│ 133 directories and 1276 files scanned ║
│ ║
│ No changes found ║
╘════════════════════════════════════════════ Press any key ...═╝
After two minutes (counted down in the highlighted bar), unless you
press a key earlier, the next drive (if any) is scanned or the main
menu is returned.
If there are any changes in any one of the vital parameters of your
system, the changes are highlighted in the scan report.
The scan report is straightforward and self-explanatory: therefore we
only describe how to handle it. Press the key in the first column near
a changed item to get detailed information about the changes. These
keys, however, are disabled when ADinf reports OKAY or NONE against an
item in the scan report. The <Up>, <Down>, <PgUp>, <PgDn> keys move
the selection bar over the item list, <Enter> opens the selected item
and <Esc> clears the table.
┌─────────────────────── Drive C: Scan Report ──────────────────────╖
│ ║
│ Current time is 0h 2m 12s 15 August 1996 ║
│ Tables were created at 23h 46m 22s 14 August 1996 ║
│ ║
│ 133 directories and 1278 files scanned ║
│ ║
├───────────────────── Changes in Diskinfo ─────────────────────────╢
│ ▒▒▒F2▒▒▒▒▒▒▒Master Boot▒Sector▒:▒Okay▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ║
│ F3 Boot Record : Okay ║
│ F4 New Bad Cluster : None ║
│ F5 New Directories : 1 ║
│ F6 Deleted Directories : 1 ║
│ F7 Changed Files : None ║
│ F8 New Files : 9 ║
│ F9 Deleted Files : 7 ║
│ M Moved Files : None ║
│ R Renamed Files : 2 ║
│ ║
╘═══════════════════════ Use: <Up>,<Dn>,<PgUp>,<PgDn>,<Enter>,<Esc> ╝
When ADinf expertizes that a change in any one of the vital parameters
is "suspicious", it alerts you by superimposing on its scan report a
warning
┌─────────────────────────── Warning ! ──────────────────────────╖
│ ║
│ Changes on your drive show ║
│ signs of VIRUS ACTIVITY! ║
│ ║
│ Master boot record damaged ║
│ Boot sector damaged ║
│ No date and time alterations in changed files ║
│ √ Strange time setting of changed files ║
│ Strange date setting of changed files ║
│ Changes in files marked STABLE ║
│ Stealth-viruses in new or changed files ║
│ ║
│ Press Esc... ║
│ ║
╘════════════════════════════════════════════════════════════════╝
The types of detected changes which ADinf expertized as suspicious are
highlighted and ticked off on the left of the line.
When you get this warning and, if ADinf Cure Module is installed in
your machine, press <Esc>, to call the panel:
┌─────────────── Do you wish to update diskinfo table ? ───────────╖
│ ║
│ Update ▄ Don't update ▄ Cure ▄ Save log in file▄ ║
│▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════════════════════╝
On choosing CURE, all other drives will be checked and you will be
prompted to insert the bootable ADinf Cure Module diskette into drive
A: and finally to reboot the system.
If you do not have ADinf Cure Module, seeing this warning, immediately
abort ADinf and run some virus scanner, say, Virus Hunter or Doctor
Web or any other.
Anti-virus utilities, despite their ability to detect and remove
viruses, are nevertheless limited in their efficacy: they safeguard
you only for the viruses they recognize and are helpless, if some new
virus has infiltrated your machine. It is here ADinf comes to your
rescue. Closely study the "suspicious" changes it highlights in its
scan report. If you cannot diagnose the cause for these changes, call
for some technical service agency.
Certain viruses, while infecting a file, corrupt its creation time and
date. Although ADinf does not report such changes as "suspicious", if
you find a large number of files with changes, particularly, in system
files like COMMAND.COM or NC.EXE, you must be on the alert and remedy
the situation.
5.2 Changes in memory size
At every start, ADinf checks the memory allotted to DOS. This memory
size may change due to mechanical faults in the memory chips or to
installation of resident programs and drivers occupying higher memory
addresses. Many viruses also reside in higher addresses, thereby
reducing the memory allotted to DOS. When the memory size changes,
ADinf alerts you as follows:
┌─────────────────── Attention! ────────────────────╖
│ ║
│ Memory size in your computer changed! ║
│ ║
│ Old size: 640K, New size: 639K (Change 1K) ║
│ ║
│ Maybe, boot infector in your computer! ║
│ ║
│ Save new size in table▄ Continue ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ║
╘═══════════════════════════════════════════════════╝
If you know for certain why the DOS memory area has been changed, you
may choose SAVE NEW SIZE IN TABLE. ADinf will then resume scanning.
The new memory size saved in the table will be used in all subsequent
sessions. If you do not know the reason, choose CONTINUE. Be attentive
to every change ADinf reports.
Memory size may also increase, say, when you remove some resident
driver which snatches memory from DOS. In such cases you get a milder
message:
┌─────────────────── Attention! ────────────────────╖
│ ║
│ Memory size in your computer changed! ║
│ ║
│ Old size: 639K, New size: 640K (Change 1K) ║
│ ║
│ Save new size in table▄ Continue ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ║
╘═══════════════════════════════════════════════════╝
If you know why the DOS-resident memory area has been increased, you
may choose SAVE NEW SIZE IN TABLE and press <Enter> to resume scanning.
5.3 Changes in master boot record or boot sector
On detecting any change in the master boot record containing the
partition table or change in the boot sectors of your drives, ADinf
alerts you by the warning:
┌─────────────────── Attention! ───────────────────╖
│ ║
│ Boot record changed! ║
│ ║
│ Maybe, virus in your computer! ║
│ ║
│ Continue ▄ Restore ▄ More... ▄ ║
│ ▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════╝
Choosing MORE..., you can compare the contents of your system tables
before and after modifications. If you are unable to decipher these
changes, switch off the computer and call for technical help.
If you are certain that the changes in your partition table or boot
sector are due to virus activity or to program bugs, you can restore
your original sector by choosing RESTORE. On pressing <Enter>, ADinf
asks you to confirm and, after your confirmation, repairs your system
by copying back the images of the original sectors saved in its
diskinfo tables.
Before proceeding to restore the sector, ADinf will prompt you to type
a name for the file to save the infected boot sector for future
detailed analysis. If you don't want to save the infected boot sector,
simply press <Esc> to clear the query panel.
After repairing the partition table or the boot sector, ADinf will
recommend that you reboot your system. Do reboot the system: otherwise
the virus may remain in memory and infect your disk once again.
5.4 New bad clusters
New bad clusters may appear on your disk in two different ways. When
some disk manager like Norton Disk Doctor is run to test the disk
surface, unusable clusters are marked BAD by these diagnostic
programs. In such cases, the message on new bad clusters in the scan
report is unimportant and ADinf will not warn about new bad clusters
in subsequent sessions.
If you have not tested your disk with such a diagnostic program, new
bad clusters, if any, are evidently due to a recent virus infection.
Continue to check your disk and pay special attention to all changes
reported by ADinf. As a rule, a virus hiding in a cluster, which it
marks BAD to dodge detection, inevitably corrupts the boot sector,
partition table or files, as the virus takes over control from them
for its malicious activity.
5.5 Changes in file system
Advanced Diskinfoscope is not just an anti-virus utility, but a
full-fledged diagnostic center: it detects any change that has
occurred in the diskinfo. For example, the sample scan report
reproduced above shows that one directory has been newly created since
the last check. On pressing <F4>, the directory tree of the scanned
drive is displayed, highlighting the name of the newly created
directory (EXAMPLE) in a contrasting color (yellow):
┌─────────────────── New directories ──────────────────╖
│ \
│▒▒├─▒EXAMPLE▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ░
│ ├─ EXE ░
│ ├─ WINDOWS ░
│ ├─ DOC ░
│ │ ├─ HELP ░
│ │ ├──INTERRPT ░
│ │ │ ├─ A ░
│ │ │ ├─ B ░
│ │ │ └─ C ░
│ │ └─ DOS.DOC ░
│ ├──BC ░
│ │ ├─ LIB ░
│ │ ├─ BIN ░
│ │ ├─ INCLUDE
├──┴──┴──┴────── ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ─╢
│ Full Name: Cluster: 700 <2BCh> ║
│ C:\EXAMPLE ║
╘════════════════════════════ Files:<Enter>; Exit:<ESC> ╝
Using the <Up>, <Down>, <PgUp>, <PgDn> keys, move the selection bar to
some directory and press <Enter>. A panel displays the files in the
directory that are under control. If there are no files under control,
you get a NO FILES UNDER CHECK message. Press <Esc> (or <Enter>) to
clear the panel.
If the ADinf scan report shows any newly created, renamed, moved,
deleted or changed files, you can view detailed information about
these changes. The sample scan report shows that nine new files have
been created in drive C: since the last check. Press <F7> to list the
newly created files.
┌────────────────────── New files ─────────────────────────╖
│
│▒▒C:\ADINF\ADINF.LOG ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ░
│ C:\WORD\ADINFMAN.DOC ░
│ C:\PCZ\PCXGRAB.EXE ░
│ C:\README.TXT ░
│ C:\NC\INREAD.TXT ░
│ C:\WINWORD\HELP.DOC ░
│ C:\WINDOWS\CONTROL.EXE ░
│ C:\MASTER\MANUAL.LST ░
│
├────────────────── ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ─╢
│ File information: ║
│ Date: 16 August 1996 ║
│ Time: 0h 15m 12s ║
│ Lenght: 1962 ║
╘══════════ View <F3>; Edit <F4>; Delete <Del>; Exit <Esc> ╝
To view or edit a file in the panel, arrow to it and press <Alt+F3>
(view) or <Alt+F4> (edit). If a viewer and an editor are associated
with the extension of a file, it is opened on pressing these keys. The
directories where ADinf searches for external viewers and editors are
specified in a list showing their full pathnames separated by a
semicolon. You can edit this list by choosing OPTIONS => PATH TO
VIEWERS from the main menu or pressing <Alt+P>. If no viewer or editor
is specified in the FILE EXTENSION LIST (see under REVISING THE FILE
EXTENSION LIST), you will be prompted to select a MASTER viewer or
editor, depending on the keys pressed. Type the command line of the
viewer or editor and press <Enter>, or press <Esc> to cancel the
command.
If the viewer associated with a file extension is unsatisfactory,
press <Shift+F3> or <Shift+F4> to quickly change over to another
viewer or editor and see whether a better display is possible. On
pressing these keys, you are prompted to select a MASTER VIEWER or
MASTER EDITOR. Type the name of some other viewer or editor and press
<Enter>. Then you can view or edit the file through the newly
specified viewer or editor. Press <Esc> to cancel the panel.
Pressing <F3>, you may use the simple built-in viewer activated via
BIOS.
To delete a file shown in the list, arrow to the file name and press
<Del>. ADinf will delete the file only after you confirm your
intention.
NOTE. External viewers and editors do not display many of the stealth
viruses, because they access disks via DOS, whereas ADinf
detects them by scanning a disk via BIOS. Use the simple
built-in viewer (pressing <F3>) in such cases.
Now press <Esc> to clear the scan report, and ADinf will respond:
┌──────── Do you wish to update diskinfo table ? ──────────╖
│ ║
│ Update ▄ Don't update ▄ Save log in file▄ ║
│ ▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ║
╘══════════════════════════════════════════════════════════╝
To save the scan report in a file, choose SAVE LOG IN FILE and press
<Enter>. You are prompted to type a name for the log file. Either
accept the name proposed in the panel (report is saved in a log file
in the directory where ADinf is installed) or type a name, indicating
the path, say,
c:\adinf\adinf.log
and press <Enter>. If the pathname is wrongly specified or the
diskette is write-protected, you get a warning.
Correct the mistake and press <Enter>. After saving the report in the
log file, ADinf will redisplay the above panel on the screen. Choose
either UPDATE or DON'T UPDATE and press <Enter> to clear the panel.
Likewise, if you open a deleted directory entry highlighted in the
scan report, the panel displays a list of files that were under
control in the directory before deletion.
5.6 Incompatibility report
The following is a list of equipment and programs which are
incompatible with ADinf. It also recommends ways to work around such
problems.
ASPI2DOS.SYS driver
Symptom ADinf versions earlier than 9.25 hang up on
starting.
Cause Due to a bug in the Int 13h handler in
ASPI2DOS.SYS, on machines with one physical
disk, an attempt to execute Int 13h for the
second disk makes the driver hang up instead
of returning normally with the Carry Flag set.
Remedy Use ADinf version 9.25 or higher.
SCSI-disks with loadable drivers
Symptom After scanning the disk, ADinf hangs up while
writing the diskinfo tables and reports `10%
written'.
Cause When the SCSI-hard disk is managed by its
loadable driver, ADinf cannot access the disk
directly via BIOS.
Remedy In the ADinf menu, specify Int 13h as the
ACCESS TYPE for all drives (though virus
protection is less reliable) or disable the
SCSI-hard disk driver, if this is possible.
Some rare types of BIOS
Symptom On certain machines with rare types of BIOS,
ADinf version 9.12 or higher may hang up,
printing "OPENING DRIVE C" in the message
box at the screen bottom, or display false
alarms.
Cause Beginning with version 9.12, ADinf uses a
special mechanism to trap viruses hiding at
the hard disk controller level. This mechanism
may conflict with certain BIOS versions,
particularly older ones.
Remedy Run ADinf with the -76 command option. Please
inform us of the version number of your BIOS
(8 bytes at the address F000:FFF5) so that we
can update the ADinf internal incompatibility
table to avoid conflicts with such BIOS.
AMOUSE.COM mouse driver
Symptom On starting ADinf in a machine installed with
the AMOUSE.COM mouse driver, the screen is
blacked out or filled with "garbage".
Cause Incompatibility of pseudographic cursor
support library used in ADinf with the
AMOUSE.COM mouse driver.
Remedy Disable the pseudographic mouse cursor by
including the -nam command option and use the
standard cursor instead.
CMD640X2.SYS driver
Symptom ADinf hangs up, displaying the message
"Opening the disk".
Cause The CMD640x2.SYS driver supports 32-bit access
to IDE disks under MS-DOS. This driver
intercepts and handles Int 76h initiated by
the IDE controller upon the completion of
every disk operation. Certain stealth viruses
use this interrupt for hiding their presence
in the machine. To prevent these viruses from
doing so, ADinf intercepts and handles Int 76h,
thereby conflicting with this driver.
Remedy Run ADinf with the -76 command option to
prevent ADinf from intercepting Int 76h (see
also QUESTIONS AND ANSWERS).
6. ERROR AND WARNING MESSAGES
Advanced Diskinfoscope is intelligent and user-friendly. Whenever a
situation is precarious, it warns you; whenever your action or
response is illegal or unwarranted, it displays an error message. The
following is an alphabetical list of error and warning messages ADinf
may display in a session. The cause of each message is given, followed
by a brief description of actions you can take.
BEFORE DOS WAS LOADED INT 13H WAS POINTING TO RAM
(NOT TO ROM BIOS)
This warning may appear when ADinf is started for the first time. At
the first start it determines the value of the Int 13h vector before
DOS was loaded and checks if the vector was pointing to BIOS or not.
If not, it warns you and determines its address by another method.
CANNOT CREATE FILE FOR WRITING LOG
ADinf reports that it cannot create a file for writing the log if you
do not properly specify the pathname or if the diskette is
write-protected.
CANNOT START PROGRAM <name>
When you called some external viewer or editor, ADinf could not start
it because of insufficient memory, an incorrect name, or because its
directory is not specified in the PATH TO VIEWER settings. You can
specify a path by pressing <Alt+P>.
DISK x: ACCESS DENIED
By this message ADinf says it cannot read the boot sector of the drive
under check, for example, if the diskette is not inserted into the
drive or if you try to check a network drive.
ERROR WHILE CHECKING DRIVE
ADinf was not able to read the sectors in the current drive. Restart
it once again and if the error persists, test the hard disk with some
diagnostic tool.
ERROR WHILE RESTORING
This message is displayed when ADinf encounters a writing error while
restoring the master boot record or the boot sector. Try to restore
your system by running ADinf once again. If the error persists, test
the hard disk with some diagnostic tool.
ERROR WHILE WRITING LOG FILE
ADinf could not create a file for writing the log because the pathname
is not properly specified, the diskette is write-protected, or there
is not enough room for writing the log file.
ERROR WHILE WRITING TABLE
This message is displayed when the diskette is write-protected or when
there isn't enough free room to write the tables.
HARD DISK PARAMETER TABLE IN BIOS VARIABLES AREA FOR PHYSICAL
DRIVE 80H CHANGED!
ADinf complains of such changes whenever you replace the hard drive in
your system. In such cases, choose SAVE NEW INFO from the warning
panel and press <Enter>. ADinf will do the rest for you. If, however,
you have not replaced the hard drive, this message may warn of a
virus attack in your computer. In such cases, choose MORE INFO from
the warning panel and press <Enter> to obtain detailed information
about your Hard Disk Parameter Table. Certain resident programs or
some BIOSes may modify the hard disk parameter table and if this
message is frequently displayed, disable this check, choosing TABLES
NOT UNDER CHECK command through the path: OPTIONS ═> SETUP PARAMETERS
═> INFO UNDER CHECK ═> HDP TABLES ═> TABLES NOT UNDER CHECK. By
default, this check is disabled.
IN ADINF NON-COMMERCIAL VERSION YOU CANNOT WRITE LOG.
PLEASE, BUY A FULL-FLEDGED ADINF VERSION.
The message is straightforward and needs no explanation.
INSUFFICIENT MEMORY
This message tells you that ADinf failed to execute some operation due
to lack of memory space. If you get this message, terminate
unnecessary resident programs and drivers, reboot your system and
start ADinf once again.
INVALID KEY
ADinf displays this error message if you have typed an invalid option
in the command line. Check your command line and restart the program.
INVALID OPTION IN COMMAND LINE
ADinf displays this message if you have typed an invalid drive in the
command line or forgotten to type a hyphen or a slash before the
command options. Check your command line and restart the program.
LENGTH OF ADINF.EXE FILE CHANGED
This message is displayed when the ADinf executable file is infected.
If you get this message, continue scanning, carefully note the changes
reported by ADinf and take appropriate measures.
MAY BE, ADINF.EXE FILE INFECTED.
PAY SPECIAL ATTENTION TO CHANGES IN FILES
At every start ADinf runs special self-infection tests. If you get
this message, continue scanning and carefully note the changes it
reports and take appropriate measures.
NO DISKINFO TABLE FOR DRIVE x:
This message may appear under several circumstances:
1. No diskinfo tables were ever created for the drive;
2. Diskinfo tables were created with a different ADinf version;
3. Diskinfo tables have been corrupted;
4. TABLES item in OPTIONS menu is not properly set; e.g.,
you might have created common tables, but you are testing
the machine under personal tables or vice versa;
5. Diskinfo tables have been renamed;
6. Path to personal tables in PERS. TABLES PATH item in SETUP
PARAMETERS changed.
The error that generated this warning is diagnosed in the message bar
on the bottom line of the screen. You will be prompted to create new
tables to fix the problem.
NUMBER OF PHYSICAL HARD DRIVES CHANGED: OLD: x, NEW: y
This message is displayed when a physical hard disk is added to or
removed from a computer. In such cases, use CREATE TABLES from the
MODE title of the main menu to create tables afresh for the
reconfigured system. If this message appears when there are no such
physical changes, there is probably a virus in the computer.
SORRY, ILLEGAL COPY, SIR! NEITHER SHALT THOU STEAL.
-THE TEN COMMANDMENTS
ADinf is copy-protected. When installed illegally on a computer it
does not function and displays this message which may also appear even
when a legal program is copied from one computer to another. In such
cases, reinstall it from the original distribution diskette.
THERE ARE MORE THAN xxx DIRECTORIES (FILES) ON THE DISK
From version 10.00, ADinf can control more than 30000 files and
directories. This message may appear if ADinf failed when analyzing
the disk structure. Check your disk with CHKDSK, SCANDISK or Norton
Disk Doctor.
WRONG PATH. PRESS ALT+P TO SPECIFY PATHS.
MULTIPLE PATHS ARE ALLOWED; A SEMICOLON (;) MUST SEPARATE PATHS.
This message is displayed when ADinf doesn't find any external viewer
or editor. Directories where ADinf searches for external viewers and
editors must be specified in a panel showing their full pathnames
separated by a semicolon ";". You can edit the path by choosing
OPTIONS => PATH TO VIEWERS from the main menu or pressing <Alt+P>.
7. QUESTIONS AND ANSWERS
A Guide to Commonly Asked Questions
Here are detailed answers to the questions which our users quite
frequently ask about ADinf. All questions on a topic have been
combined and arranged by topic. The menu tree structure described
below may not fully agree with that of earlier ADinf versions, as the
answers specifically refer to version 8.xx and later.
Can ADinf check a disk compacted with DoubleSpace, DriveSpace,
SpeedStor or Stacker?
Yes, it does check a compacted disk, scanning not through BIOS but via
Int 25h. For scanning a SuperStor-compacted disk, you must tell ADinf
not to check for new bad clusters (choosing INFO UNDER CHECK ═> BAD
CLUSTERS ═> DON'T CHECK).
I, being a programmer, naturally change many files on my disk
every day. How can I tell ADinf to skip these legal modifications
in its report?
You can hide directories from ADinf checks. For this, choose INFO
UNDER CHECK ═> SKIP TREE. Then, choosing a drive from the on-screen
panel, pop up its directory tree and mark the directories and
subdirectories where files are likely to be changed often. ADinf will
not report harmless changes in a file under a marked directory. But if
a change (in size or CRC) is suspicious, for example a file is
modified but its date stamp is unaltered, you are alerted.
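The reporting rule in this answer, combined with the signs ticked off in the "signs of VIRUS ACTIVITY" warning panel, can be sketched as follows. This is an added illustration, not ADinf's code: the record layout, the sample files and the reading of a "strange" time or date as a packed DOS field outside its valid range are assumptions.

```python
import zlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """What a baseline table keeps per file (hypothetical layout)."""
    size: int
    crc: int       # CRC32 of the whole file
    dos_date: int  # packed FAT date: year-1980 (7 bits), month (4), day (5)
    dos_time: int  # packed FAT time: hours (5 bits), minutes (6), seconds/2 (5)

def pack_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day

def pack_time(hours, minutes, seconds):
    return (hours << 11) | (minutes << 5) | (seconds // 2)

def make_entry(content, dos_date, dos_time):
    return Entry(len(content), zlib.crc32(content), dos_date, dos_time)

def strange_time(t):
    # Assumption: "strange" means a field outside its valid range, e.g. 62 s.
    return (t >> 11) > 23 or ((t >> 5) & 0x3F) > 59 or (t & 0x1F) > 29

def strange_date(d):
    month, day = (d >> 5) & 0x0F, d & 0x1F
    return not 1 <= month <= 12 or not 1 <= day <= 31

def in_tree(path, trees):
    p = path.upper()
    return any(p.startswith(t.upper().rstrip("\\") + "\\") for t in trees)

def classify(baseline, current, skip_trees=(), stable=()):
    """Map each reportable changed file to the suspicious signs it shows.

    An empty list is an ordinary change; ordinary changes under a skipped
    tree are left out, suspicious ones are reported wherever they occur.
    """
    stable_set = {p.upper() for p in stable}
    report = {}
    for path, new in sorted(current.items()):
        old = baseline.get(path)
        if old is None or (old.size, old.crc) == (new.size, new.crc):
            continue  # new or untouched files are outside this sketch
        signs = []
        if (old.dos_date, old.dos_time) == (new.dos_date, new.dos_time):
            signs.append("no date and time alterations")
        if strange_time(new.dos_time):
            signs.append("strange time setting")
        if strange_date(new.dos_date):
            signs.append("strange date setting")
        if path.upper() in stable_set:
            signs.append("change in file marked STABLE")
        if signs or not in_tree(path, skip_trees):
            report[path] = signs
    return report

def demo():
    """Constructed sample: five files, all modified since the baseline."""
    old_stamp = (pack_date(1997, 1, 10), pack_time(10, 0, 0))
    new_stamp = (pack_date(1997, 2, 14), pack_time(9, 30, 0))
    odd_stamp = (pack_date(1997, 2, 14), pack_time(9, 30, 62))
    names = [r"C:\SRC\BUILD\APP.EXE", r"C:\SRC\BUILD\TOOL.COM",
             r"C:\DOS\FORMAT.COM", r"C:\COMMAND.COM", r"C:\NC\NC.EXE"]
    baseline = {n: make_entry(b"original " + n.encode(), *old_stamp)
                for n in names}
    stamps = [new_stamp, old_stamp, odd_stamp, new_stamp, new_stamp]
    current = {n: make_entry(b"modified! " + n.encode(), *s)
               for n, s in zip(names, stamps)}
    return classify(baseline, current,
                    skip_trees=[r"C:\SRC"], stable=[r"C:\COMMAND.COM"])

if __name__ == "__main__":
    for path, signs in demo().items():
        print(path, "->", ", ".join(signs) or "ordinary change")
```

In the sample, APP.EXE under the skipped tree drops out of the report, while TOOL.COM in the same tree is still reported because its content changed and its date stamp did not.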
What is ADinf Cure Module? If this is a curing module, is it
better or worse than Virus Hunter and Doctor Web? Where can I buy
it?
ADinf Cure Module is a curing companion which enhances the
capabilities of Advanced Diskinfoscope. It radically differs from
the scanners Virus Hunter and Doctor Web. It kills existing and
as-yet-unknown viruses with equal efficacy. It maintains a small
database containing the necessary information about all files on your
disk. When ADinf detects a virus, the curing module can be used to
kill it. The database is automatically updated by ADinf when the
diskinfo changes in your system. The program was tested on a
collection of 7000 various infectors unknown to the program and
successfully removed 97 percent of them.
Scanners and ADinf Cure Module cannot be compared: each takes a
different approach to the antivirus problem, and each ideally
supplements the other. First, ADinf Cure Module does not kill all
viruses but about 97% of them, although it is able to clean a computer
of as-yet-unknown viruses. Second, it is helpless when you are
handling someone else's diskettes, since it requires the database
containing diskinfo. Scanners, on the contrary, deploy the traditional
tactics: to every attack they design a counterattack, and they can
therefore kill only the viruses known to them and are helpless against
new viruses. It is therefore a good idea to have both of them in your
machine.
What is fast CRC that ADinf computes? When I modified a few bytes
at the end of an executable file, it ignored them under fast CRC
mode. Why?
ADinf checks in one of the modes: FAST CRC, CRC16, CRC32 and NO CRC.
FAST CRC is computed in close relation to the internal structure of an
executable file. So FAST CRC is best suited for COM and EXE files as
it guarantees reliable virus detection without the need for computing
the CRC of the whole file. So, any change in certain file areas,
unless it is virus-induced, is ignored under FAST CRC check.
Why is ADinf very sluggish in checking a write-cached disk?
Why does it hang on a cached disk?
ADinf efficiently checks a read-cached disk, but may fail on a
write-cached disk when both ADinf and the cache simultaneously address
BIOS, creating conflicts. There are two ways of avoiding such
conflicts. First, disable the write-cache prior to starting ADinf and
toggle it on when checking is complete. For instance, to hide your
drives C and D from write-caching by smartdrv.exe, use the command
smartdrv C D
and to switch it on again, the command:
smartdrv C+ D+
Alternatively, tell ADinf to access all drives, except drive C:, via
Int 13h. For this, go to OPTIONS ═> SETUP PARAMETERS ═> DRIVE ACCESS
TYPE. Then arrow to the drive name letters and, repeatedly pressing
<Space>, set Int 13h as the drive access type for all drives. For
drive C:, leave the default setting as it is. Now ADinf will not
conflict with your write-cache, but virus detection is somewhat less
reliable. ADinf ver. 9.00 or higher is fully compatible with HyperDisk
write-cache ver. 4.50 or later. No problems arise with this utility
any longer.
Can I put network drives under ADinf control?
Unfortunately, you can't. ADinf checks a drive, reading it sector by
sector. Therefore it can check local drives only.
Can ADinf run under MS Windows, Windows 95, and DESQview?
Yes, it does run under MS Windows, Windows 95, and DESQview, scanning
the drives directly via BIOS.
Can ADinf run under DR DOS, Novell DOS, Compaq DOS?
Yes, ADinf can run under DR DOS. ADinf detects its environment by the
version number. If ADinf hangs up under Novell DOS later than 7.0, run
it with the -r option. Use this option too if your computer is running
under Compaq DOS or any other OS not fully MS DOS compatible.
What is the purpose of personal tables?
ADinf supports two types of tables, common and personal, for storing
disk information. Structurally, they don't differ much. Common tables
are saved in the root directory of logical drives and personal tables
in the directory where ADinf is installed or in another directory.
Common tables are helpful in regularly checking a limited number of
program files of particular extensions, whereas personal tables are
better suited for in-depth checking. You may even choose all types of
files on your disk and specify CRC32 for CRC type. Such a check is
all-inclusive, though time-consuming.
I feel my machine is infected, but ADinf is silent. Can a virus
dodge ADinf?
This is a common question, and there is only one answer to it.
Unfortunately, there is no panacea against PC virus infection, nor can
there ever be one. ADinf seems to be the best virus detector today.
But bear in mind its capabilities and limitations. Let us examine the
situations where ADinf may keep quiet.
First, if you have installed ADinf on an already infected machine, it
will not notice any virus, because it detects viruses through the
changes in file information. In this case there are no changes in file
information, so it does not alert you. If the virus is hiding its
presence, i.e., you have a stealth virus in the machine, ADinf will
certainly detect it if you run it in the STEALTH SEARCH mode. This is
a very useful mode; run ADinf in it from time to time.
Second, ADinf may fail to notice viruses tailored specifically to
infect a file only at the time of creation. If they are additionally
hiding themselves, you may trap them by running ADinf in STEALTH
SEARCH mode. If they are NOT hiding their presence, you can easily
detect them with the naked eye. For example, suppose you are copying a
file from drive A: to drive C: and you notice that the source file has
a different size than the target file. You can easily detect such
infectors with ADinf as follows: write a batch file (call it TRAP)
which copies several executable files, say, to your RAM drive and then
copies them back from the RAM drive to the source drive. Run the TRAP
batch file before turning off your computer. When you start the
computer next time, ADinf will report such viruses, if any. For
greater reliability, you had better include the files to be copied in
the STABLE FILES list (its menu path is OPTIONS ═> SETUP PARAMETERS ═>
INFO UNDER CHECK ═> STABLE FILES).
Third, ADinf lets you toggle off many checks. If you have, for
example, toggled off the check of the boot sector of drive C:, or
deleted EXE from the list of extensions under control, you may not
notice virus-induced changes.
Finally, because of its beneficent policy (aggressive strategy and
ingenious tactics), ADinf irritates virus designers. It cannot be
ruled out that one fine day you may find a new virus specially
tailored to dodge ADinf in your machine. Today there are several
viruses which try to delete files with a name beginning with "ADIN".
What these evil-mongers will do next, God alone knows.
What is disk access via BIOS, Int 13h, and Int 25h?
In checking missions, ADinf automatically identifies the DOS file
structure by reading the disk sectors one after another. Three access
methods are available for reading the sectors in a drive:
  through direct addressing to BIOS;
  through the use of Interrupt 13h (Int 13h);
  through the use of DOS Interrupt 25h (Int 25h).
The drive access type is specified by choosing OPTIONS ═> SETUP
PARAMETERS ═> DRIVE ACCESS TYPE.
When and which drive access type should be chosen?
For an IDE disk partitioned by the FDISK program, ADinf uses BIOS as
the access type.
Access via Int 13h must be used in the following situations. Modern
high-capacity disks are manufactured with more than 1024 cylinders
(the limiting value for the standard BIOS of the IBM AT). Present-day
BIOSes and hard disks support handling of such disks by reducing the
number of cylinders and increasing the number of sectors or heads
accordingly (LBA mode). However, if your BIOS does not provide this
facility, you may have to use special disk drivers to utilize the full
capacity of such disks, for example, Disk Manager for IDE disks. ADinf
identifies Disk Manager and automatically defaults to Int 13h as the
disk access type. Several drivers exist for SCSI disks. If you have a
high-capacity SCSI disk in your machine, manually choose Int 13h from
the DRIVE ACCESS TYPE box.
Second case. In a machine running under QEMM set to STEALTH mode,
ADinf defaults to Int 13h as the DRIVE ACCESS TYPE because access to
disk via BIOS is denied to ADinf.
DRIVE ACCESS TYPE must be set to Int 25h for disks managed by special
drivers, for example, disk compactors. As a rule, ADinf identifies
such situations and automatically defaults to Int 25h. But if the
drive name letters in a compacted disk are changed, the drive access
type must be set to Int 25h manually by the user.
There are also other situations where the user must specify the drive
access type manually, for example, if you have changed the standard
sequence of drive specifiers that DOS assigns to disk partitions. DOS
allots the drive name letters in the following sequence (if some
partition is missing, the letters are shifted accordingly):
First hard disk:
  1st Primary DOS Partition     C:   BIOS
  1st Extended DOS Partition    E:   BIOS
  2nd Extended DOS Partition    F:   BIOS
  3rd Extended DOS Partition    G:   BIOS
  2nd Primary DOS Partition     K:   BIOS
  3rd Primary DOS Partition     L:   BIOS
Second hard disk:
  1st Primary DOS Partition     D:   BIOS
  1st Extended DOS Partition    H:   BIOS
  2nd Extended DOS Partition    I:   BIOS
  3rd Extended DOS Partition    J:   BIOS
  2nd Primary DOS Partition     M:   BIOS
  3rd Primary DOS Partition     N:   BIOS
ADinf strictly supports this standard sequence of specifiers for
assigning names to drives. But this sequence may be violated in
several cases. For the logical drives whose letters precede a
violation of the standard sequence, ADinf uses BIOS as the drive
access type, and Int 25h for the other drives. Below is an example of
such a situation. Let us suppose that the second hard disk is an IDE
disk with more than 1024 cylinders (without LBA) formatted by Disk
Manager. In this case the partitions are allotted drive name letters
as follows:
First hard disk:
  1st Primary DOS Partition     C:   BIOS
  1st Extended DOS Partition    D:   Int 25h
  2nd Extended DOS Partition    E:   Int 25h
  3rd Extended DOS Partition    F:   Int 25h
  2nd Primary DOS Partition     G:   Int 25h
  3rd Primary DOS Partition     H:   Int 25h
Second hard disk:
  Only one DM Partition         I:   Int 25h
The DRIVE ACCESS TYPE is listed in the right-most column.
One more example of nonconventional configuration. Let us interchange
the hard disks in the above example. Let the first hard disk be a
large IDE disk partitioned by Disk Manager and the second an ordinary
IDE disk. In this case, the drive access type must be set as follows.
First hard disk:
  Only one DM partition         C:   Int 13h
Second hard disk:
  1st Primary DOS Partition     D:   BIOS
  1st Extended DOS Partition    E:   BIOS
  2nd Extended DOS Partition    F:   BIOS
  3rd Extended DOS Partition    G:   BIOS
  2nd Primary DOS Partition     H:   BIOS
  3rd Primary DOS Partition     I:   BIOS
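The standard lettering order tabulated in this answer, and the rule that BIOS access is used up to the first deviation from it and Int 25h afterwards, written out as an added example (not ADinf's code). The dictionary layout and partition tuples are assumptions made for the illustration; the observed layout is the first Disk Manager example from the answer.

```python
from string import ascii_uppercase

def standard_letters(disks):
    """Assign C:, D:, ... in the standard DOS order.

    disks: list in BIOS order (80h, 81h, ...) of dicts with
      "primary":  number of primary DOS partitions on the disk
      "extended": number of logical drives in its extended partition
    Returns {letter: (disk_index, kind, ordinal)}.
    """
    order = []
    # Pass 1: the first primary DOS partition of every disk.
    for d, disk in enumerate(disks):
        if disk["primary"] >= 1:
            order.append((d, "primary", 1))
    # Pass 2: the logical drives of the extended partitions, disk by disk.
    for d, disk in enumerate(disks):
        order += [(d, "extended", n) for n in range(1, disk["extended"] + 1)]
    # Pass 3: the remaining primary DOS partitions, disk by disk.
    for d, disk in enumerate(disks):
        order += [(d, "primary", n) for n in range(2, disk["primary"] + 1)]
    letters = ascii_uppercase[2:]  # A: and B: belong to the floppy drives
    if len(order) > len(letters):
        raise ValueError("more partitions than drive letters C: to Z:")
    return dict(zip(letters, order))

def access_types(standard, observed):
    """BIOS for letters that precede the first violation of the standard
    sequence, Int 25h for the violating letter and every later one."""
    result, violated = {}, False
    for letter in sorted(observed):
        if standard.get(letter) != observed[letter]:
            violated = True
        result[letter] = "Int 25h" if violated else "BIOS"
    return result

# Two disks, each with three primary partitions and three logical drives:
# the layout behind the standard table.
TWO_FULL_DISKS = [{"primary": 3, "extended": 3},
                  {"primary": 3, "extended": 3}]

# Constructed from the first Disk Manager example: the second disk holds a
# single DM partition, which receives the last letter.
OBSERVED_DM_SECOND = {
    "C": (0, "primary", 1),
    "D": (0, "extended", 1),
    "E": (0, "extended", 2),
    "F": (0, "extended", 3),
    "G": (0, "primary", 2),
    "H": (0, "primary", 3),
    "I": (1, "dm", 1),
}

if __name__ == "__main__":
    std = standard_letters(TWO_FULL_DISKS)
    for letter, part in std.items():
        print(f"{letter}: disk {part[0] + 1}, {part[1]} #{part[2]}")
    for letter, how in access_types(std, OBSERVED_DM_SECOND).items():
        print(f"{letter}: {how}")
```

A missing partition shifts the later letters down, which is why a single disk with one primary partition and two logical drives yields C:, D: and E:.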
What is the purpose of the -76 command option, which the User's
Guide does not explain? On some computers ADinf hangs up, saying
"Opening the disk". What is the cause for this?
Int 76h is an interrupt generated by the IDE controller upon the
completion of every disk operation. There are stealth viruses that use
this interrupt for hiding their presence in the machine. In fact,
these viruses dodge detection at the hardware level utilizing the
published potentialities of the IDE controller. In order to detect
such viruses, ADinf intercepts and handles this Int 76h itself. But
such an independent handling may conflict with certain BIOS systems or
special drivers of 32-bit access to IDE disks. In such cases, ADinf
hangs up, displaying the message "Opening the disk".
In order to prevent ADinf from intercepting Int 76h, run ADinf with
the -76 option, as follows:
C:\ADINF\Adinf.exe -a -b -d -76 -@C:\ADINF\list -lC:\ADINF\
If, with such a command line, your system no longer hangs up, please
send the version number of your BIOS (the eight bytes at the address
F000:FFF5) to DialogueScience, Inc., Moscow, Russia, so that the ADinf
internal BIOS incompatibility table can be modified appropriately and
you can run ADinf without having to include this option in the command
line.
I installed ADinf version 10.06 on my network server, but I could
not install ADinf Cure Module version 3.03. What is the reason?
To install ADinf on a LAN along with the curing module, ADinf Cure
Module must be version 3.04 or higher.
Similarly, the -home command option available in ADinf 10.06 also
requires ADinf Cure Module 3.04 or higher for the joint operation of
ADinf with the Cure Module.
REFERENCES
DialogueScience, ADinf and Virus Hunter are registered trademarks
of DialogueScience Inc., Moscow, Russia.
DSAV is a trademark of DialogueScience Inc., Moscow, Russia.
Sheriff is a registered trademark of FomSoft, Moscow, Russia.
Other names are registered trademarks or trademarks of the
respective companies.
* * *
ADinf & Cure Module are available at
DialogueScience, Inc.,
Computing Center of the Russian Academy of Sciences,
Office No 103a, House No 40, Vavilov street,
117967, Moscow, Russia.
Tel.: (+7-095) 137-0150, 135-6253
Tel./Fax: (+7-095) 938-2970, 938-2855
BBS: (+7-095) 939-5239 (14400/V.32bis, 19200/ZyXEL) - subscribers only
(+7-095) 939-3705 (28800/V.34, 33600/V.34+) - subscribers only
(+7-095) 938-2969 (28800/V.34, 33600/V.34+) - subscribers only
(+7-095) 938-2867 (28800/V.34, 33600/V.34+) - subscribers only
(+7-095) 938-2856 (28800/V.34) - common access
FidoNet: 2:5020/69
2:5020/69.4 (Dmitry Mostovoy)
2:5020/69.6 (Denis Zuyev)
FTP-server: ftp.dials.ccas.ru
ftp.kiam1.rssi.ru
WWW: http://www.dials.ru
http://www.dials.ccas.ru
http://www.kiam1.rssi.ru
E-mail: antivir@dials.ru - Sales and Support Department
bob@dials.ru - Modem link service
id@dials.ru - Line for transferring new viruses
loz@dials.ru - Line for transferring new viruses