In order that downtime be short and losses low, do the minimum that you must to restore the system to a normal state, starting with booting the system from a clean diskette (see G8). It is *never* necessary to low-level format a hard disk to recover from a virus infection!

If backups of infected or damaged files are available and, in making them, appropriate care was taken to ensure that infected files have not been included in the backups (see D10), restoring from backup is the safest solution, even though it can be a lot of work if many files are involved. More commonly, a disinfecting program is used, though disinfection is somewhat controversial and problematic (see E8).

If the virus is a boot-sector infector, you can continue using the computer with relative safety (if the hard disk's partition table is left intact) by booting from a clean system diskette. However, it is wise to go through all your diskettes removing any infections as, sooner or later, you will be careless and leave an infected diskette in the machine when it reboots, or give an infected diskette to someone who doesn't have appropriate defenses to avoid infection.

Most PC boot-sector infections can be cured by the following simple process--take particular care to make the checks in Steps 2 and 3.

Note that removing an MBR virus in the following way may not be desirable, and may even cause valuable information to be lost. For instance, the One_Half virus gradually encrypts the infected hard drive "inwards" (starting from the "end" and moving towards the beginning), encrypting two more tracks at each boot. The information about the size of the encrypted area is *only* stored in the MBR. If the virus is removed using this method, this information will be irrecoverably lost and a part of the disk of unknown size will remain encrypted.

1. Boot the PC from a clean system floppy--this must be MS-DOS 5.0 or version 6.0 or higher of PC-DOS or DR DOS.
   This diskette should carry copies of the DOS utilities MEM, FDISK, CHKDSK, UNFORMAT and SYS. (See G8 for help on making an emergency boot diskette.)

2. Check that your memory configuration is "normal" with MEM (see C10 for assistance here). Check that your hard disk partitioning is normal--run FDISK and use the "Display partition information" option to check this. MS-DOS 5.0 (or later) users can use UNFORMAT /L /PARTN.

3. Try doing a DIR of your hard disk/s (C:, D:, etc). You should continue with Step 4 *only* if all the tests in Step 2 and this step pass. Do *NOT* continue if you were unable to correctly access *all* your hard disks, as you will quite possibly damage critical information, making permanent data damage or loss more likely.

4. Replace the program (code) part of the MBR by using the MS-DOS or PC-DOS FDISK /MBR command. If you use DR DOS 6.0, or later, select the FDISK menu option "Re-write Master Boot Record".

5. Replace the DOS boot sector using the command SYS C: (or whatever is correct for your first hard disk partition). For this step, the version of DOS on your boot diskette must be *exactly* the same as is installed on your hard disk (this may mean you have to first reboot with a clean boot diskette other than that used in Step 1). If you are using a disk compression system, such as DoubleSpace or DriveSpace, check the documentation on how to locate the physical drive on which the compressed volume is installed, and apply the SYS command to that instead. Usually this is drive H: or I:.

6. Reboot from your hard disk and check that all is well--if not (which is unlikely if you made the recommended checks), seek expert help.

7. As you will get re-infected by forgetting an infected diskette in your A: drive at boot time, you have to clean all your floppies as well. This is harder, as there is no simple way of doing this with standard DOS tools.
   You can copy the files from each of your floppies, re-format them and copy the files back, but this is a very tedious process (and prone to destructive errors!). At this point you probably should consider obtaining some good antivirus software.

FDISK /MBR will only overwrite the boot loader code in the MBR of the *first* hard drive in a system. However, a few viruses will infect both drives in a two-drive system. Although the second hard drive is never booted from in normal PC configurations, should the second drive from such a machine ever be used as the first drive in a system, it will still be infected and in need of disinfecting.
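
An added illustration (not part of the original FAQ): a Python model of the MBR layout behind the partition check in Step 2, the code replacement in Step 4 and the One_Half note. It checks a saved 512-byte copy of the sector for a sane partition table and shows that replacing only the loader code keeps the table while discarding everything else in bytes 0-445. The sample image and all function names are constructed for this example; how the sector copy is obtained is not covered.

```python
import struct

SECTOR, CODE_END, TABLE_END = 512, 446, 510
# bytes 0..445: loader code (the part Step 4 replaces)
# bytes 446..509: four 16-byte partition entries; bytes 510..511: 55 AA

def parse_mbr(sector):
    """Split a 512-byte MBR image into loader code, partition table and entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    entries = []
    for slot in range(4):
        raw = sector[CODE_END + 16 * slot:CODE_END + 16 * (slot + 1)]
        start, count = struct.unpack_from("<II", raw, 8)  # first sector, length
        if raw[4] != 0:  # partition type 0 marks an unused slot
            entries.append({"slot": slot, "status": raw[0], "type": raw[4],
                            "start": start, "count": count})
    return {"code": sector[:CODE_END], "table": sector[CODE_END:TABLE_END],
            "entries": entries, "signed": sector[TABLE_END:] == b"\x55\xaa"}

def table_problems(mbr):
    """Return reasons the partition table does not look normal (empty list = OK)."""
    problems, entries = [], mbr["entries"]
    if not mbr["signed"]:
        problems.append("missing 55 AA signature")
    if not entries:
        problems.append("no partitions defined")
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        problems.append("invalid boot flag")
    if sum(e["status"] == 0x80 for e in entries) > 1:
        problems.append("more than one active partition")
    spans = sorted((e["start"], e["start"] + e["count"]) for e in entries)
    if any(end > nxt for (_, end), (nxt, _) in zip(spans, spans[1:])):
        problems.append("overlapping partitions")
    return problems

def replace_code(sector, new_code):
    """Model of Step 4: new loader code, everything from byte 446 on kept as is."""
    if len(new_code) > CODE_END:
        raise ValueError("loader code does not fit in 446 bytes")
    return new_code.ljust(CODE_END, b"\x00") + sector[CODE_END:]

def sample_mbr():
    """Constructed image: placeholder code bytes and one active type-06 partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\x0f\xff\xff", 63, 204561)
    return b"\xfa" * CODE_END + entry + bytes(48) + b"\x55\xaa"
```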