This is taken verbatim from Chris Stubbs' Virus page, as it is one of the clearest and simplest sets of instructions I have found so far. I suggest printing this out now for future reference.
Most antivirus programs need you to make a clean boot disk. This should be made before disaster hits. To make one on a clean computer, follow these steps.
1. Be certain the computer you're making the disk on is clean.
To do this, check it with an antivirus program or two.
2. Put a blank disk into the disk drive that is the same size
as the infected computer's drive A:
3. At a DOS prompt type
FORMAT A: /s
or, if the clean computer's B: drive is the same size as the infected computer's A: drive,
FORMAT B: /s
4. You will need one disk for starting the computer and one disk for the antivirus program. Put another disk in the disk drive and type
FORMAT A:
or
FORMAT B:
F-Prot can remove most of the viruses that are out there. I also recommend AVP from http://www.avp.tm/, but you don't need to make a boot disk with AVP.
The essential files for F-Prot are
SIGN.DEF
F-PROT.EXE
ENGLISH.TX0
MACRO.DEF
If there is not enough space for MACRO.DEF, then download ftp://ftp.complex.is/pub/nomacro.def. Rename it to MACRO.DEF, replacing the old MACRO.DEF. With the empty MACRO.DEF, F-PROT uses only heuristics to find macro viruses, but you don't need to boot from a floppy to clean macro viruses anyway.
Download F-Prot from ftp://ftp.tas.gov.au/pub/simtelnet/msdos/virus/fp-304.zip. Unzip the ZIP file and copy the essential files to the disk. If you don't have an unzip program, download WinZip from http://tucows.alphalink.com.au/
5. Write-protect the disks. For 3 1/2" disks you have to be able to see through the hole. For 5 1/4" disks, the notch must be covered. Then scan the disks you have just made on the clean computer.
6. Go to the infected machine and turn it on. There should be
a message saying something like
Press DEL to access setup screen.
If it doesn't display a message like that, then look in your manual for the proper steps to access the CMOS setup screen and follow them. If your computer doesn't have a CMOS, or you don't feel comfortable changing settings, or what is written here doesn't seem to match what your computer says, then skip to step 7.
Explanation: There are a few things that trick people when trying
to do a disinfection. The virus could have set the Floppy drives
to be non-existent or an invalid size in the setup screen.
Check to make sure the floppy drives are set to their correct
sizes.
There are some options that some BIOSes have and others don't.
They are:
i. The boot sequence could be set to C:, A: which means it tries
to boot off drive C: first. To boot from the disk, the boot sequence
needs to be set to A:, C:.
ii. The virus protection in the BIOS could be turned on. It will
prevent anything from writing to the master boot sector, including
the antivirus program. Turn this off.
Contrary to what some people think, "Floppy Seek on Bootup" has
no effect on viruses or antiviruses. Save the changes you have
made.
Note: Setting the boot sequence to C:, A: and turning on the virus
protection in the BIOS are helpful in preventing an infection,
but for removing a virus, they are a nuisance. So, if you want,
set the boot sequence to C:, A: and turn on the BIOS virus protection
after you disinfect the computer. The boot sector
virus protection will warn if any program tries
to write to the boot sector. It does not protect you if the virus
has already infected the boot sector. Installing a new operating system, using FDISK, and converting to FAT32 are supposed to write to the boot sector.
7. Turn off the computer, insert the disk you have made, and turn
on the computer.
Explanation: Some viruses can fake a CTRL-ALT-DEL so it is necessary
to turn the computer off. Note, however, that there are no viruses
that are still in memory after the power is turned off. That means
there are no viruses that infect the CMOS or Flash BIOS, and no
viruses that require memory chips to be replaced.
8. If it asks, type in the correct date and time, or just press Enter twice.
9. For F-Prot type F-PROT /HARD /DISINF
Sometimes, when you use a Windows 95 boot disk, virus remnants
will be loaded into memory. These remnants are not active. If
your antivirus false alarms on the remnants then use
F-PROT /HARD /DISINF /NOMEM
10. The computer should be clean after a short time.
If one antivirus cannot clean the disk, then try the other one.
If none of the antivirus programs you try work, contact tech support
for your AV product, or post to a virus-related newsgroup with
all the details of what configuration you have and what has happened
so far. Be accurate with your description. The following information
would be the most helpful. The size, make and model of your hard
disk. The operating system you are using. The name and version
of the antivirus and why it said the virus couldn't be removed.
The name of the virus. If possible, the size of your hard drive
partitions and the amount of total conventional memory according
to CHKDSK. Whether you have any special partitioning software
like EZ Drive or Dynamic Drive Overlay.
Some antiviruses can even disable the virus while it is active
in memory. This is usually quite safe and sometimes there are
no other options open to you. The antivirus that does this the
best is AVP. If AVP can disable the virus in memory, you don't
need to boot from a clean disk to remove the virus. (You should
still have a boot disk handy just in case the computer doesn't
boot at all.) You can get AVP from http://www.avp.tm
After you clean your hard disk, you will have to clean all your
floppies that are infected. You will have to check every single
one of them. Install your antivirus to your hard disk. It should
be able to clean floppy disks as well.
Technical Notes on a few special cases.
* Almost all viruses could corrupt a floppy disk or file while
trying to infect it. E-Mail me if the virus you have is not on
this list or there is not enough information. First check to see
if the virus is described here.
- CIH:
If this virus payload activates it may overwrite the BIOS with
garbage, and you may have to reflash or replace your BIOS. It
does not infect the BIOS.
- EXEbug(CMOS1):
This virus changes values in the CMOS. You *must* follow step 6. In addition to infecting the MBR, this virus also infects COM and EXE files in such a way that they cannot be repaired and must be deleted.
- Natas:
In addition to infecting the MBR, this virus also infects COM and EXE files and possibly files with other extensions as well. Use the /ALL switch with F-Prot or SCAN. Findvirus automatically checks all files.
- One_Half (Freelove):
Under certain versions of DOS, this virus encrypts two tracks of the hard disk every time the computer is started up. It will encrypt up to half of the hard disk. You should make sure your antivirus product can handle a One_Half infection. Findvirus and AVP can decrypt encrypted tracks, and possibly other products can as well.
- Ripper(JackRipper):
This virus swaps around some bytes in about 1 in a 1,000 disk
writes. There is no way to find out what has been damaged. You
should reinstall all your software to be sure that it is not
corrupted and check over your data carefully before you use
it for anything.
- [Stoned.][Empire.]Monkey:
This virus encrypts and relocates the Master Boot Record. Drive
C: will not be visible after booting clean. After the antivirus
product cleans the MBR, drive C: will still not be visible until
you reboot the system.
- WM (Macro, Word, MSWord, WinWord, Concept, NPad, Wazzu, MDMA, CAP):
These are macro viruses.
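Several of the special cases above (Monkey especially, but also EXEbug and Natas) live in the Master Boot Record, and the BIOS "virus protection" in step 6 guards exactly that sector. The following Python script is an added example, not part of Chris Stubbs' page or of any of the products it names: it parses a 512-byte MBR, checks the 55 AA boot signature, and sanity-checks the four partition entries, which is what you would look at when drive C: is not visible after a clean boot. The sample disk, the FAT16 partition, and the XOR scrambling of the table are all constructed for the demo; the scrambling is only a stand-in for the symptom of an encrypted table and is not Monkey's actual scheme.

```python
"""Parse a 512-byte MBR and sanity-check its partition table (added example)."""
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446          # partition table follows the 446 bytes of boot code
ENTRY_SIZE = 16
ENTRY_COUNT = 4
SIG_OFFSET = 510
BOOT_SIGNATURE = 0xAA55  # on-disk bytes 55 AA, read as little-endian


def build_mbr(partitions):
    """Build an MBR with zeroed boot code from (status, type, lba_start, lba_count) tuples."""
    if len(partitions) > ENTRY_COUNT:
        raise ValueError("an MBR holds at most four primary partitions")
    table = b""
    for status, ptype, lba_start, lba_count in partitions:
        # CHS fields are left zero; the check below relies on the LBA fields only.
        table += struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0",
                             lba_start, lba_count)
    table = table.ljust(ENTRY_COUNT * ENTRY_SIZE, b"\0")
    return b"\0" * PT_OFFSET + table + struct.pack("<H", BOOT_SIGNATURE)


def parse_mbr(sector):
    """Return the boot-signature check and the four raw partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = struct.unpack_from("<H", sector, SIG_OFFSET)[0] == BOOT_SIGNATURE
    entries = []
    for i in range(ENTRY_COUNT):
        status, ptype, lba_start, lba_count = struct.unpack_from(
            "<B3xB3xII", sector, PT_OFFSET + i * ENTRY_SIZE)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "lba_count": lba_count})
    return {"signature_ok": signature_ok, "partitions": entries}


def check_partition_table(parsed, disk_sectors):
    """List the problems that would explain a drive C: that is not visible."""
    problems = []
    if not parsed["signature_ok"]:
        problems.append("boot signature 55 AA missing")
    active = 0
    ranges = []
    for i, e in enumerate(parsed["partitions"]):
        if (e["status"], e["type"], e["lba_start"], e["lba_count"]) == (0, 0, 0, 0):
            continue  # empty slot
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {i}: status byte 0x{e['status']:02X} is not 00 or 80")
        if e["status"] == 0x80:
            active += 1
        if e["type"] == 0:
            problems.append(f"entry {i}: type 00 but LBA fields are non-zero")
        if (e["lba_start"] == 0 or e["lba_count"] == 0
                or e["lba_start"] + e["lba_count"] > disk_sectors):
            problems.append(f"entry {i}: LBA range {e['lba_start']}+{e['lba_count']} "
                            "does not fit the disk")
        for j, (start, count) in ranges:
            if e["lba_start"] < start + count and start < e["lba_start"] + e["lba_count"]:
                problems.append(f"entry {i} overlaps entry {j}")
        ranges.append((i, (e["lba_start"], e["lba_count"])))
    if active > 1:
        problems.append(f"{active} partitions marked active; the BIOS expects at most one")
    if not ranges:
        problems.append("no partitions defined")
    return problems


def scramble_table(sector, key=0x5A):
    """Constructed stand-in for an encrypted partition table (NOT Monkey's method)."""
    end = PT_OFFSET + ENTRY_COUNT * ENTRY_SIZE
    table = bytes(b ^ key for b in sector[PT_OFFSET:end])
    return sector[:PT_OFFSET] + table + sector[end:]


# Constructed sample: a 1 GB disk (2,097,152 sectors) with one active FAT16 partition.
DISK_SECTORS = 2_097_152
CLEAN_MBR = build_mbr([(0x80, 0x06, 63, 2_088_387)])
SCRAMBLED_MBR = scramble_table(CLEAN_MBR)

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("scrambled", SCRAMBLED_MBR)):
        print(label, check_partition_table(parse_mbr(mbr), DISK_SECTORS) or "table looks intact")
```

Note that the scrambled sector still carries a valid 55 AA signature; the signature alone says nothing about whether the table is readable, which is why the check looks at status bytes and LBA ranges rather than stopping at the signature.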
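The Ripper note above says there is no way to find out what a byte-swapping virus has damaged, because the corrupted writes succeed and the file system reports nothing. The one reliable check is a hash of every file taken while the machine was known good, compared against a fresh pass afterwards. The script below is an added example, not from the original page: it builds a SHA-256 manifest of a directory tree and reports changed, missing and added files. The directory contents and the two-byte swap that stands in for Ripper's damage are constructed for the demo.

```python
"""Hash manifest to find silently corrupted files (added example)."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report files whose hash changed, that vanished, or that appeared since baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def swap_two_bytes(path, i, j):
    """Constructed stand-in for Ripper-style damage: swap two bytes of a file in place."""
    with open(path, "rb") as f:
        data = bytearray(f.read())
    data[i], data[j] = data[j], data[i]
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Run the check on a constructed tree and return the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "dos"))
        with open(os.path.join(root, "dos", "records.dat"), "wb") as f:
            f.write(b"0123456789ABCDEF" * 64)
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"clean install\r\n")
        baseline = build_manifest(root)           # taken while the system is known good
        swap_two_bytes(os.path.join(root, "dos", "records.dat"), 10, 11)  # 'A' <-> 'B'
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest must be stored off the machine (or on a write-protected floppy, as the page does for the boot disk), since a manifest sitting on the infected drive is subject to the same silent corruption it is meant to detect.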