
                              Moscow 2000
                          (c) Dmitry Mostovoy



      +----------------------------------------------------------------+
                   Advanced Diskinfoscope  (ADinf)
                          Anti-virus Center

                       (c)  Dmitry Mostovoy
                              1991-2000

                      with Cure Module (ADinfExt)
             A Curing Companion to Advanced Diskinfoscope

          (c)  Vitaly Ladygin, Denis Zuyev & Dmitry Mostovoy
                              1993-1999

                           Moscow, Russia
      +----------------------------------------------------------------+



               ADinf version 12.14, released May 30, 2000
         ADinf Cure Module version 4.05, released June 18, 1998

           ADinf size (80386/8086)  128 027/135 027 bytes
           (Noncommercial version - 124 140/131 077 bytes)


              ----------------------------------------

                            USER's GUIDE

              ----------------------------------------


                           Moscow, Russia
                                2000



                              CONTENTS

ACKNOWLEDGEMENTS
1. BEFORE YOU BEGIN
     1.1 What is ADVANCED DISKINFOSCOPE ADinf?
     1.2 What is ADinf Cure Module?
     1.3 What do you need to run ADinf
     1.4 Swapping
2. GETTING STARTED
     2.1 Installing Advanced Diskinfoscope ADinf
     2.2 Installing ADinf Cure Module
     2.3 Using ADinf jointly with Sheriff
     2.4 Running ADinf Cure Module under Sheriff
     2.5 Starting ADinf from autoexec.bat file
     2.6 Starting ADinf from the DOS prompt
     2.7 Command line options
     2.8 Batch file ERRORLEVELS
     2.9 Interaction of ADinf with scanners of DSAV
     2.10 Starting ADinf in interactive mode
     2.11 Useful tips
     2.12 Speedkeys
3. ADINF MAIN MENU
     3.1 Menu titles and their purpose
     3.2 Scanning the drives
     3.3 Creating diskinfo tables
     3.4 Checking floppy diskettes
     3.5 Stealth search mode
     3.6 Customizing the ADinf operation
4. IF CHANGES DETECTED
     4.1 Responding to ADinf messages
     4.2 Changes in memory size
     4.3 Changes in master boot record or boot sector
     4.4 New bad clusters
     4.5 Changes in file system
5. RUNNING ADINF CURE MODULE
6. INCOMPATIBILITY REPORT
7. ERROR AND WARNING MESSAGES
8. QUESTIONS AND ANSWERS
REFERENCES


                           ACKNOWLEDGEMENTS

The idea of writing Advanced Diskinfoscope crystallized in a series of
discussions  and  disputes.  It  was  initially  compiled in 1989 as a
simple Disk Inspector (Dinf) which today has  grown  into  a  powerful
diagnostic  tool with a file restoration facility to keep in line with
the suggestions and remarks of its numerous users and well-wishers. We
express our sincere gratitude to  Prof. Nikolai Bezroukov  for  advice
and  encouragement,  to Aleksandr Lapinsky for valuable suggestions on
MS Windows support,  to Yuri Kravatsky for designing the pseudographic
mouse  cursor  support  library,  to Aleksandr Samotokhin for his help
with his expert knowledge in video adapters whenever I needed.

We would be glad to receive from our users remarks and suggestions for
improving the performance of ADinf - Advanced Diskinfoscope.



                         1. BEFORE YOU BEGIN

The ADinf program is supplied "AS IS"  without  any  warranty,  either
expressed or implied, of workmanship, merchantability, and fitness for
a particular purpose.  In no event will DialogueScience,  Inc., or its
authorized  dealers  or  the  designer of the program be liable to the
purchaser for any consequential problems arising out of the use or the
inability to use the program.


                                                  Timely detection  of
                                                  infection guarantees
                                                  successful curing !
1.1 What is ADVANCED DISKINFOSCOPE ADinf?

Advanced Diskinfoscope, ADinf, is a unique and powerful disk integrity
checker  which  scans  a disk,  reading its sectors one by one through
BIOS.  It does not utilize DOS tools in searching for  infectors  and,
therefore,  can  trap  formidable  stealth  viruses  that are known to
intercept more than twenty DOS functions.  It also traps infectors  in
disk  drivers  and hitherto-unknown viruses.  For example,  the Dir-II
virus that caused havoc on a large scale in  summer  1991  was  easily
detected and killed by ADinf.

Additionally, it reads a disk by addressing BIOS directly, so it can
spot and kill boot infectors even if they have taken control over Int
13h. Unlike other anti-virus tools, which require that the system be
started from a write-protected bootable diskette, ADinf detects
viruses when the system is booted from the hard disk.

Its mission  is  wider  than  mere  anti-virus  protection  -  besides
detecting infectors,  ADinf scrupulously x-rays a system for full data
integrity  and  security,  and  for other data modifications.  This is
particularly desirable in a multiuser PC.

A modified version of Advanced Diskinfoscope, ADinf Pro, based on a
64-bit hash function, is specially designed to safeguard valuable data.

It is always a good idea to use ADinf along with its curing companion,
ADinf Cure Module (see below), which maintains its own database
describing the files on the disk. When ADinf detects a virus, the
computer can be immediately and reliably cleaned with ADinf Cure Module
for about 97% of the existing and, most importantly, even
hitherto-unknown viruses.

ADinf is quite fast in its checks.  The predecessor of  ADinf  is  the
integrity  checker  Dinf,  which  won  a prize at the Second All-Union
Anti-virus Contest in 1990.  ADinf was awarded the second prize of the
Borland Contest 93.

A non-commercial  version  of  ADinf  is also available.  This version
along with its accompanying documentation is distributed free of cost.

The non-commercial version does not

- support personal diskinfo tables,
- query for curing infected files by ADinf Cure Module,
- save scanning reports in a log file,
- support editing of the filename extension list, and
- provide a possibility for skipping subdirectories in a checking
  mission.


    ADinf  strategy

At the first start,  ADinf reads vital data about such  parameters  as
the  memory  size,  the address of Int 13h handler in BIOS,  Hard Disk
Parameter Tables,  the  master  boot  record  and  boot  sectors,  bad
clusters,  directory tree,  and data on all files under control;  then
creates a diskinfo table for every drive and saves in it the retrieved
information for collation in subsequent checks.  It also checks if Int
13h was pointing to BIOS before DOS was loaded.  While scanning, ADinf
checks a disk, sector by sector, accessing it directly via BIOS without
the use of Int 21h and Int 13h, to trap resident viruses that have
intercepted these vital interrupts.

At subsequent starts, ADinf first reads these parameters and  compares
them with those in its diskinfo tables. During scanning it  notes  any
changes in the size of the memory allotted to DOS, Hard Disk Parameter
Tables, master boot record, boot sectors of every  logical  drive,  as
well as new bad clusters,  directories  and  files  newly  created  or
deleted since the last check, and  changed  files.  After  checking  a
drive, if a change in diskinfo is "suspicious", it alerts for possible
virus infection.  If the changes are "harmless", (say, changes in file
creation  date and time) it produces a scan report which can be viewed
in interactive mode or saved in a log file.

ADinf regards a change as "suspicious" if a file is modified:

   a) without any change in date and time (most well-designed
      viruses do not change them);

   b) with  an  invalid  date  (greater than 31,  12,  and the current
      number for day, month and year). Some viruses date files by such
      strange settings;

   c) with  an  invalid  time (greater than 58,  59 and 23 for second,
      minute and hour) and

   d) for a file in the STABLE FILES list,  any  slightest  change  is
      reported suspicious.
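
The four rules above, applied to a small constructed file table. This
is an added example, not ADinf's own code: the Entry record, the CRC-32
checksum and the sample files are assumptions, and rules (a)-(c) are
applied here only when a file's contents changed, while rule (d) fires
on any change.

```python
import zlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entry:
    """One file record of a constructed table (not ADinf's real table format)."""
    name: str
    size: int
    crc: int       # CRC-32 stands in for ADinf's checksum (assumption)
    dos_date: int  # packed FAT date word
    dos_time: int  # packed FAT time word


def pack_date(year, month, day):
    # FAT date: bits 15-9 = year - 1980, bits 8-5 = month, bits 4-0 = day
    return ((year - 1980) << 9) | (month << 5) | day


def pack_time(hour, minute, second):
    # FAT time: bits 15-11 = hour, bits 10-5 = minute, bits 4-0 = seconds / 2
    return (hour << 11) | (minute << 5) | (second // 2)


def unpack_date(word):
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def unpack_time(word):
    # The 5-bit seconds field holds 0..31, so 60 and 62 "seconds" fit on disk.
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2


def classify(old, new, stable_files, today):
    """Compare one file with its baseline record; return (verdict, reasons)."""
    content_changed = (old.size, old.crc) != (new.size, new.crc)
    stamp_changed = (old.dos_date, old.dos_time) != (new.dos_date, new.dos_time)
    if not content_changed and not stamp_changed:
        return "unchanged", []
    reasons = []
    if content_changed:
        if not stamp_changed:
            reasons.append("a: modified without change in date and time")
        year, month, day = unpack_date(new.dos_date)
        if day > 31 or month > 12 or year > today.year:
            reasons.append("b: invalid date")
        hour, minute, second = unpack_time(new.dos_time)
        if second > 58 or minute > 59 or hour > 23:
            reasons.append("c: invalid time")
    if new.name.upper() in stable_files:
        reasons.append("d: file is in the STABLE FILES list")
    return ("suspicious" if reasons else "harmless"), reasons


def scan(baseline, current, stable_files, today):
    """Report new, deleted and changed files between two tables."""
    report = {}
    for name, new in current.items():
        if name not in baseline:
            report[name] = ("new", [])
            continue
        verdict, reasons = classify(baseline[name], new, stable_files, today)
        if verdict != "unchanged":
            report[name] = (verdict, reasons)
    for name in baseline.keys() - current.keys():
        report[name] = ("deleted", [])
    return report


def make_entry(name, data, ymd, hms):
    return Entry(name, len(data), zlib.crc32(data), pack_date(*ymd), pack_time(*hms))


# Constructed sample tables: the state saved at the last check and the state now.
TODAY = date(2000, 5, 30)
STABLE_FILES = {"COMMAND.COM"}
BASELINE = {e.name: e for e in (
    make_entry("COMMAND.COM", b"shell", (1995, 7, 11), (9, 50, 0)),
    make_entry("EDIT.COM", b"editor", (1995, 7, 11), (9, 50, 0)),
    make_entry("GAME.EXE", b"game", (1996, 1, 2), (12, 0, 0)),
    make_entry("NOTES.TXT", b"notes", (1999, 3, 4), (8, 15, 30)),
    make_entry("OLD.BAT", b"echo", (1998, 2, 2), (10, 0, 0)),
)}
CURRENT = {e.name: e for e in (
    make_entry("COMMAND.COM", b"shell", (2000, 5, 29), (18, 1, 0)),    # stamp only
    make_entry("EDIT.COM", b"editor+appended", (1995, 7, 11), (9, 50, 0)),
    make_entry("GAME.EXE", b"game+appended", (1996, 1, 2), (12, 0, 62)),
    make_entry("NOTES.TXT", b"notes", (2000, 5, 29), (17, 40, 12)),    # stamp only
    make_entry("NEW.COM", b"new", (2000, 5, 29), (17, 45, 0)),
)}


def demo_report():
    return scan(BASELINE, CURRENT, STABLE_FILES, TODAY)


if __name__ == "__main__":
    for name, (verdict, reasons) in sorted(demo_report().items()):
        print(f"{name:12} {verdict:10} {'; '.join(reasons)}")
```

The 62-second stamp on GAME.EXE is storable because the FAT seconds
field keeps seconds divided by two in five bits, which is why rule (c)
sets the limit for seconds at 58.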


1.2 What is ADinf Cure Module?

ADinf Cure Module restores your system after virus  attacks,  so  that
you need not search for an anti-virus utility capable of  killing  the
viruses in your computer. In other words, it is  a  universal  remover
for viral stains, not knowing their structure,  or  their  strategies.
Therefore it does not need to know  anything  about  the  multifarious
viruses already existing and those being created  day  by  day.  ADinf
Cure Module simply sweeps viruses off your files and restores them  in
toto to their original status. The program was tested on a  collection
of 7000 various  viruses  unknown  to  the  program  and  successfully
removed 97 % of them.

    What ADinf Cure Module cannot do?

You may doubt the 97 %  efficiency claimed  in  the  above  paragraph,
because   every   utility   has  its  own  field  of  application  and
limitations.

ADinf Cure Module is not a panacea for each and every  virus,  but  it
does kill  almost  every virus.  Nevertheless,  a 97 %  efficacy is an
impressive performance.

    Curing strategy

Despite the multitude of different viruses,  paradoxically,  there are
only a few techniques by which a virus is imbedded in a file.  This is
the underlying principle of the basic strategy of ADinf  Cure  Module.
In  day  to  day operation,  when you run ADinf regularly,  it informs
ADinf Cure Module about the changes,  if any,  in the diskinfo data of
files  since  the  last  ADinf session.  ADinf Cure Module immediately
scans these files and stores the new diskinfo data in its  tables  for
restoring  them after a virus attack.  When a virus attacks your file,
ADinf at once detects the changes and calls for the Cure Module, which
tries  its best to reinstate the original shape of an infected file by
comparing its status before and after infection.  If ADinf Cure Module
reports  that  a file has been restored successfully,  it really means
what it says.

    ADinf Cure Module, or Doctor Web?

Which to choose? The only choice is both these utilities. Each
complements the other, and they work hand in hand. ADinf Cure Module
may fail to kill some virus - it is then that Doctor Web comes to your
rescue. Newer and newer virus modifications are cropping up every day,
and some new virus may enter your computer well before an anti-virus
for it is available. Precisely in such situations, ADinf Cure Module
is your savior. Furthermore, virus codes may contain bugs which
corrupt a file beyond the restoration power of usual virus scanners.
But ADinf Cure Module in such cases reinstates the original shape of
your file in toto.


1.3 What do you need to run ADinf

ADinf and  ADinf Cure Module run  on IBM PC/XT/AT,  PS2 or compatibles
with one to four hard disks and  one or two floppy disks under MS  DOS
3.20-6.22,  PC  DOS  3.20-6.30,  DR  DOS  5.0 and 6.0, Novell DOS 7.0,
Compaq DOS  3.31, DesqView,  Windows 3.xx,  Windows 95,  or OSR2.  The
programs support  FAT12, FAT16,  VFAT and  FAT32 file  systems.   When
curing  from  a  DOS-bootable  curing  diskette,  ADinf  Cure   Module
correctly handles the long filenames of Windows 95.

ADinf gains  access  directly  to  video  memory  bypassing  BIOS  and
supports CGA, EGA, VGA and Hercules video-adapters. ADinf scans drives
directly  via  BIOS  under  MS  Windows,  Windows  95,  and   DESQview
multitasking  environment.  It  can  be  run  jointly with the Sheriff
security protection system.

ADinf can keep under check a practically unlimited number of files per
logical drive. ADinf Cure Module is limited in the number of files it
can process (about 5000 executable files per logical drive).

The INCOMPATIBILITY REPORT gives a list of equipment and programs
which conflict with ADinf, and ways to work around these conflicts.


1.4 Swapping

In machines with large disks, ADinf uses XMS and/or a temporary file
for swapping data. For speedy operation, ADinf needs 300-500 Kb of
XMS. If sufficient XMS is not available, it creates a swap file.
A directory for this swap file is chosen as follows. If any of the DOS
environment variables ADINFSWP, TMP, TEMP (examined in this particular
order) is specified, the temporary file is created in the directory it
specifies. If no environment variables are specified, a swap file is
created in the directory where ADinf is installed or in the directory
specified with the -home command option.



                          2. GETTING STARTED

2.1 Installing Advanced Diskinfoscope ADinf

     IMPORTANT! Prior  to  installing  ADinf on your machine,  it is a
     good idea to make a copy of the  original  distribution  diskette
     and  use only the copy in your work.  In case of damage,  you can
     always restore the copy from the original diskette.

To install ADinf,  insert the copy of  distribution  diskette  into  a
floppy drive, log on to ADINF directory, type

     install

and press <Enter>.  The screen displays a panel:

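   +-- ?! ----------------------------------------------+
      Are you installing ADinf for the first time
              or upgrading its old version

     First installation     Upgrading old version
   +----------------------------------------------------+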

The setup program behaves differently, depending on  whether  you  are
installing ADinf for the first time or upgrading an older version.

     If this is the first time you are installing ADinf,

choose the FIRST INSTALLATION button. The setup  program  will  prompt
you to specify a directory for installing ADinf.

   +-- Type a directory for installing ADinf -----------+
     C:\ADINF
   +----------------------------------------------------+

Type the  full pathname of the directory where you want to install the
program and press <Enter>.  By default,  the setup program proposes to
install ADinf  in  a  directory  named  ADINF in drive C.  If there is
sufficient space on drive C, you may press <Enter>.

In case there is no directory of the pathname specified in the  panel,
the setup program will ascertain your intention prior to creating this
directory:

   +-- Directory not found: ----------------------------+
                        C:\ADINF
               Create             Cancel
   +----------------------------------------------------+

Choose the CREATE button to create the directory.  If you have changed
your  mind or the directory path is wrongly typed,  you can fix up the
error by choosing the CANCEL button. Then the Setup returns you to the
previous panel.

After you have chosen a proper directory for installing ADinf, an
on-screen panel invites you to change the name of the ADinf executable
file:

   +----------------------------------------------------+
                       Adinf.exe
      Now you should select executable file name.

     Renane the default filename ADinf.exe to some
     other name, e.g.,  Myinf.exe, as some viruses
     try to destroy files of names  beginning with
     the letters "ad".

           Edit file name and press <Enter>.
   +----------------------------------------------------+

The default  name  of the file is ADINF.EXE.  Edit the highlighted top
field to any other name for the reasons stated  on  the  panel.  After
editing, press <Enter>.

After copying the files from the diskette, Setup prompts you  to  tack
ADinf to the AUTOEXEC.BAT file:

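   +-- ? -----------------------------------------------+
            Add ADinf to AUTOEXEC.BAT file ?

               Add                Don't add
   +----------------------------------------------------+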

By tacking ADinf to the AUTOEXEC.BAT file, you can automatically check
the computer by ADinf every time the computer  is  started,  but  only
once a day (if the -d option is included in the command line).

To tack ADinf to the AUTOEXEC.BAT file, choose the ADD  button.  Setup
will prompt you to specify the drives that are to be taken under ADinf
control:

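   +-- Help --------------------------------------------+
          Specify the names of drives you want
          to put under the control of Advanced
          Diskinfoscope program.

              For selecting drives, press

           ->, <-, Tab   - to move the cursor,
           Space,  Ins   - to select,
           Enter,  Esc   - to finish selection.

   +----------------------------------------------------+
                   +-----------------+
                    C:  D:  E:  F:
                    ^
                   +-----------------+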

It is always safe to put all drives in your system under  the  control
of ADinf.  Or, at least, the  drives  containing  the  frequently-used
programs, including the  operating  system,  must  be  put  under  the
control of ADinf.

After you have finished the selection  of  drives,  Setup  displays  a
panel for tacking ADinf to the AUTOEXEC.BAT file:

   +-- Autoexec.bat file ---------------------------------------+
   PATH C:\WIN;C:\WIN\COMMAND;C:\DOS;C:\NC;C:\UT;C:\BC\BIN
   C:\WIN\COMMAND\MSCDEX.EXE /S /D:MSCDOO1
   @ECHO OFF
   PROMPT $p$g
   SET TEMP=C:\TMP
   mode con codepage prepare=((866) C:\WIN\COMMAND\ega3.cpi)
   mode con codepage select=866
   swakeyb
   C:\ADINF\Adinf.exe -a -b -d -lC:\ADINF C: D:
   nc
   +------------------------------------------------------------+

Arrow to the place on the on-screen panel where you want to tack ADinf
and press <Enter> to finish. It is a good idea to tack ADinf after all
programs,  but  before  the  call  for  a  shell,  such  as the Norton
Commander or Windows.  The old status of  AUTOEXEC.BAT  file  will  be
saved in the file AUTOEXEC.ADI.

Press <Esc> to close the panel without modifying the file.

Thereafter, you  are  prompted  to  create  ADinf  diskinfo tables for
saving the status of your drives.  If you do not want to create  these
tables  at  the  time  of  installation,  and  want  to postpone their
creation  to  some  other  time,  say,   after   the   completion   of
installation, you may choose the DON'T CREATE button.

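   +-- ? -----------------------------------------------+
                  Create ADinf tables

             Create            Don't create
   +----------------------------------------------------+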

If you opt to create diskinfo tables, Setup prompts you to specify a
new name for the ADinf diskinfo tables:

   +----------------------------------------------------+
                      Adinf.

    Rename the default filename ADinf. for the
    files containing ADinf diskinfo tables, e.g., to
    MyTbl--.tbl, as some viruses corrupt  files of
    names beginning with the letters "ad".

          Edit the filename and press <Enter>.
   +----------------------------------------------------+

By default,  these tables are named ADINF.. Edit the highlighted
top  line  to  any  name  for  the reasons stated on the panel.  After
editing, press <Enter>.

Now Setup begins to construct tables containing vital data  about  the
drives in the system. This process may take some time, particularly if
your disk is large.

After successfully constructing diskinfo tables, Setup displays a logo
panel. Press  any key to return to the DOS prompt.  This completes the
installation procedure.

If you have also procured the companion program ADinf Cure Module,  it
is the proper time to install it, although it can be done at any other
time.

    If you are upgrading an older ADinf version,

first choose the UPGRADING OLD VERSION button from the panel which the
Setup  program  displays  at  the beginning of installation procedure.
Setup will ask your permission to overwrite the old version,  but will
not  modify  the  AUTOEXEC.BAT  file,  nor will create diskinfo tables
afresh since the tables created by  earlier  versions  are  compatible
with later versions.  You may also upgrade the version in your system,
by starting the Setup program,  by including the -update option in the
command line.

    Parameters of Setup command line

You can  also  use  some  parameters in the Setup command line.  These
parameters tell the Setup program where to install ADinf or to upgrade
the  old  version,  and specify some options.  In certain cases,  this
speeds up installation or updating procedure.

To install ADinf in the D:\UTIL\ADINF directory, type the command

   install d:\util\adinf

and press <Enter>.

In this  case,  Setup  will  not prompt you to specify a directory for
installation,  and will immediately proceed to copy the files.  If the
directory   specified  does  not  exist,  Setup  will  ascertain  your
intention prior to creating it.  Thereafter,  installation proceeds as
described above.

To speed up the updating procedure and to suppress unnecessary dialogs,
include the -update or -u option in the command line:

   install -update

and press <Enter>.

Immediately, Setup will search for the ADinf program and overwrite it
and other necessary files with the upgraded version. Diskinfo tables
will not be created afresh, since the tables created by an earlier
version are compatible with later versions.

If the  Setup  does  not  find the ADinf executable file,  it warns as
follows:

   +-- WARNING! ----------------------------------------+
          ADinf program not found on any drive!

                     Press <Esc>
   +----------------------------------------------------+

Press <Esc>,  and  Setup  will prompt you to type the full pathname of
the program.

It takes a long time to search for the ADinf executable file,
particularly on high-volume disks. To speed up the search, you may
include the pathname of the ADinf executable file in the command line
of the Setup program as follows:

   install -update d:\util\adinf

This command tells the Setup program  to  update  the  obsolete  ADinf
version in  the  D:\UTIL\ADINF  directory.  The following is a list of
other options which can be included in the command line of  the  Setup
program.

  Option          Its function
 
   -386          Depending on the type of the processor in your
                 computer, Setup automatically installs one of the
                 two variants of the ADinf program: one is designed
                 for 386 processors and higher, and the other is
                 designed for 286 processors or earlier. The -386
                 option forces the Setup program to install the
                 386 ADinf variant.
 
   -86           Install  the  ADinf  variant  for  286 processors or
                 earlier.
 
   -co           Use color scheme for a color monitor.  Include  this
                 option, if the video subsystem can operate in  color
                 mode, but Setup uses black and white mode.
 
   -m            Disable mouse in the course of installation.
 
   -mo           Force  monochrome  display  mode.  Setup  recognizes
                 whether your monitor is  color  or  monochrome.  Use
                 this option when you want black-and-white display on
                 a color monitor, particularly on LCD VGA laptops and
                 notebooks.
 
   -nam          Disable the mouse arrow pointer and use the standard
                 mouse cursor.
 
   -nowin        Do not copy the ADINF.ICO and ADINF.PIF files needed
                 for running ADinf under Windows.
 
   -os           Start Setup with its old  style  interface  prior to
                 ADinf version 9.00.  This option disables  the ADinf
                 internal font table from being  loaded  into EGA/VGA
                 adapters,  so it is useful when Setup conflicts with
                 any  resident  programs,  say,  programs  that  load
                 national fonts into the display adapter.
 

    NETWORK installation

ADinf installed on  a  network  drive  offers  several  advantages  at
workstations. First install ADinf on the network drive; you  can  then
use it at any workstation of the network. Such an installation will be
convenient for network administrators and maintenance personnel.

Installation on network drive greatly reduces the time of installation
on separate workstations. You use the original diskette only  once  to
install ADinf on the network drive, while the program is installed  on
other workstations directly from the network  drive without the aid of
the original ADinf diskette.

ADinf can  be  installed on a network drive in two different ways.  In
the first method,  you simply copy the entire ADINF  directory,  along
with  all  files  in  it,  to  the network drive.  Then to install the
program on any workstation, you simply run Setup from the workstation.
Installation  proceeds  exactly  as  described  above,  except for one
difference:  Setup copies the ADinf files from the network  drive.  In
this  method,  not  only  diskinfo  tables  and configuration file are
created,  but also the ADinf executable file  is copied to  the  local
drive.  Since  the  files  needed  in installation are copied from the
network drive  rather  than  from  the  original  diskette,  ADinf  is
installed on local drives quickly.

In the second method, ADinf is installed on  the  network  drive,  and
users must run ADinf on the network  drive  from  their  workstations.
This method is advantageous in that there is no need  to  upgrade  the
program at every workstation;  it suffices to upgrade the program only
in the network drive. However, the diskinfo tables  and  configuration
tables are created  at  each  workstation  separately;  they  are  not
created in the network drive.

To install ADinf on a network drive, include the full pathname of  the
network directory where you want to install the program in the command
line of the Setup program. In this case, ADINF.EXE, ADINF.PIF (to  run
ADinf  under  Windows),  all  documentation  files,  as  well  as  the
INSTALL.EXE file will be copied to the ADinf directory on the  network
drive.

Now to install ADinf on any local drive, run INSTALL.EXE on the server
directly from the workstation. The Setup program runs as usual, except
for the difference that the ADinf files are not copied  to  the  local
drive.  First  Setup prompts you to tack ADinf  to  your  AUTOEXEC.BAT
file. If ADinf is tacked to your AUTOEXEC.BAT file,  the  local  drive
will be checked every time the workstation is booted.

Then you are prompted to specify the drives in the local disk that are
to be taken under ADinf control. After specifying  the  drives  to  be
controlled by ADinf, you can choose the line  where  ADinf  is  to  be
tacked to the AUTOEXEC.BAT file:

   +-- Autoexec.bat file ---------------------------------------+
   @ECHO OFF
   PROMPT $p$g
   SET PATH=C:\WIN;C:\DOS;E:\NC;D:\UT;D:\ARC
   SET TEMP=C:\TMP
   MOUSE.COM /Y
   mode con codepage prepare=((866) C:\WIN\COMMAND\ega3.cpi)
   mode con codepage select=866
   lsl.com
   ne2000.com
   ipxodi.com
   netx /c=c:\net\net.cfg
   f:
   echo *
   login
   echo *
   U:\ADINF\ADINF.EXE -a -b -d -l
   +------------------------------------------------------------+

     ATTENTION! ADinf will be run directly from the network drive;
     therefore, the call to ADinf must be placed after the calls to
     the network programs and the login program. In the above example,
     the call to ADinf comes after the calls to the network drivers
     LSL.COM, NE2000.COM, IPXODI.COM, the network shell NETX.COM, and
     login by the command LOGIN.

Finally, Setup prompts you to create diskinfo tables. You can either
create them at the time of installation or postpone this to a later
date. Upon completion of successful installation, Setup will inform you
about the specifics of network installation of ADinf Cure Module, the
curing companion of ADinf (refer to the item INSTALLING ADINF CURE
MODULE).

Press any key to return to the DOS prompt.

The ADinf executable file is installed  only  on  the  network  drive;
therefore, it can be run only from the network drive. The local  drive
will contain only ADinf diskinfo tables and ADinf configuration files.

When ADinf on the network drive is started, by default, it will search
for its configuration file and personal diskinfo tables in C:\ADINF on
the local drive. The ADinf configuration file is usually created during
installation, and it can be updated at any time at the discretion of
the user while customizing the operation of ADinf.

If ADinf configuration  file  does  not  exist,  it  is  automatically
created.  You  can  move  the configuration file and personal diskinfo
tables to  a  different  directory.  For  this,  rename  the  C:\ADINF
directory, and at subsequent calls to ADinf, specify the full pathname
of the new location through the -home command option.

For example, if you rename the directory C:\ADINF to  C:\AVIRCONF,  at
the next call to the program,  include the -home option in the command
line as follows:

     u:\adinf\adinf.exe -a -b -d -l -home:c:\avirconf


2.2 Installing ADinf Cure Module

To install ADinf Cure Module,  insert the copy diskette in drive A  or
B,  log on to the ADINFEXT directory,  run the INSTALL.EXE program and
answer all its questions.

Setup begins  to  search  for  the ADinf program on the drives in your
hard disk.  This may take some time,  especially,  if your disk has  a
large  volume.  To speed up the search,  in the Setup command line you
may specify the pathname,  or just the name letter of the drive  where
ADinf is installed. For example, the command

     a:\install.exe d:

restricts the search for ADinf to drive D, and the command

     a:\install.exe d:\antivir

restricts the search to the D:\ANTIVIR directory.

On detecting ADinf, Setup displays a query:

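   +-- Searching for ADinf  on disk C: -----------------+

    C:\ADINF\Adinf.exe
   +-- Found: 1 ----------------------------------------+
    C:ADINF\adinf.exe
   +----------------------------------------------------+
         +-- ?! ----------------------------------+
           Do you wish to continue searching?

                Stop          Continue
         +----------------------------------------+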

If the  pathname  displayed  is  correct,  you may abort the search by
choosing the STOP button;  otherwise continue the search  by  choosing
CONTINUE.

If Setup does not find ADinf in the  computer,  you  are  prompted  to
install ADinf first and repeat the  installation  procedure  of  ADinf
Cure Module.

Thereafter, Setup prompts you to install  ADinf  Cure  Module  in  the
\ADINF directory in drive C:

   +-- Install in directory? ---------------------------+
                        C:\ADINF
                Yes                 No
   +----------------------------------------------------+

Choose YES to accept the location; otherwise, choose NO and  type  the
full pathname of the directory where you want to  install  ADinf  Cure
Module.

On pressing YES, you are prompted to  scan  the  machine  for  stealth
viruses (refer to the section STEALTH SEARCH MODE):

    +- Scan for Stealth-viruses? ------------------------+
    |                                                    |
    |                Yes                 No              |
    +----------------------------------------------------+

Upon completion  of the search for stealth viruses (supposing you have
chosen YES), Setup prompts you to rename the ADINFEXT.EXE file for the
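reason stated in the panel:

    +----------------------------------------------------+
    |                    Adinfext.exe                    |
    |                                                    |
    |     Now you should select executable file name.    |
    |                                                    |
    |      Rename the default filename  ADinfExt.exe to  |
    |   some other name, e.g.,  MyinfExt.exe,  as  some  |
    |   viruses try to destroy files of names beginning  |
    |   with the letters  "ad".                          |
    |                                                    |
    |          Edit file name and press <Enter>          |
    |                                                    |
    +----------------------------------------------------+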

Edit the  top  highlighted  line  in  the  panel to any name and press
<Enter>.  Setup immediately begins to copy the working files of  ADinf
Cure  Module  to your disk.  A beep is heard while copying,  and after
completing this process, a panel is displayed:

         +- Cure Module -----------+
         | Support COMMON tables   |
         | Support PERSONAL tables |
         +-<Esc>-------------------+

On choosing the necessary  curing  support  mode,  COMMON  TABLES,  or
PERSONAL TABLES, you are prompted to specify the drives for which cure
mode is to be supported:

         +- COMMON ---------+
         | C: Support       |
         | D: Support       |
         | E: Don't support |
         | F: Don't support |
         | G: Don't support |
         +-<Esc>------------+

Arrow to the necessary drives one by one and press <Space> to  select.
After completing the selection of drives, press <Esc> twice  to  close
the drive selection and Tables selection panels. You will be  prompted
to press any key.  On pressing a key,  the screen  displays  the  CURE
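MODULE SETUP panel:

    +- Cure Module Setup --------------------------------+
    |       Table type                                   |
    |          (*) Complete                              |
    |          ( ) Abridged                              |
    +----------------------------------------------------+
    |       Curing mode                                  |
    |          (*) Files of EXE internal structure       |
    |          ( ) Files of given extension              |
    +----------------------------------------------------+
    |       Edit Filename extension list...              |
    +----------------------------------------------------+
    |              Ok               Cancel               |
    +----------------------------------------------------+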

Specify the necessary table type and curing mode. How to  handle  this
panel is described in detail under CURE FILE  SUPPORT  in  CUSTOMIZING
THE ADINF OPERATION. On choosing the OK button from  this  panel,  you
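will be prompted to prepare a curing diskette:

    +- ?! -----------------------------------------------+
    |               Prepare the diskette?                |
    |                Yes                 No              |
    +----------------------------------------------------+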

Preparation of a curing diskette can be postponed to  a  later  date.
However, it is a good idea to prepare it at the time of  installation.
For this, choose YES from this panel. Then you  will  be  prompted  to
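insert a clean diskette into drive A:

    +- ! ------------------------------------------------+
    |       Insert a clean diskette into drive A!        |
    |          Ok         Cancel     DOS shell           |
    +----------------------------------------------------+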

If you have no clean diskette, you should choose DOS SHELL to clean or
format a diskette.

After inserting a clean diskette into drive A,  choose OK.  Setup will
then copy the necessary files  of  ADinf  Cure  Module  and  make  the
diskette bootable.  If you are using non-standard booting drivers, you
must manually copy  them  to  the  curing  diskette  and  correct  the
CONFIG.SYS file on the diskette.

To make the diskette bootable,  Setup uses the DOS SYS.COM command. If
this routine is not available in your machine or your operating system
is  earlier  than 4.0,  at the end of the installation procedure,  you
will be prompted to make the diskette  bootable.  For  this,  you  may
conveniently use the DiskTool program from Norton Utilities.

Upon successful  preparation  of  the  curing  diskette,  the   screen
displays a logo panel. Press any key to return to the DOS prompt.

Now you must verify whether the  curing  diskette  has  been  prepared
properly.  If an error occurs in the course of preparation or if  some
unconventional booters are needed to start your computer,  the  entire
disk  or  certain  drives  may not be accessible upon booting from the
curing diskette.  In such situations, you cannot use ADinf Cure Module
for restoring files in non-accessible drives.

To test the curing diskette, write-protect the curing diskette, insert
it into drive A,  and reboot the computer.  After DOS is started,  the
screen displays a menu of two commands:

1. Restore infected files
2. Test drive accessibility

Choose TEST DRIVE ACCESSIBILITY.  After the  test  is  completed,  the
screen displays a list of drives,  their labels (if any),  drive size,
and free space in them.  Check whether the name letters of all  drives
in your disk are enumerated in this list.

Remember that remote drives,  CD-ROM drives,  and pseudo drives formed
by the SUBST command are not accessible upon booting from  the  curing
diskette. Moreover, the test also verifies the integrity of the curing
diskette and warns in case of error.

After the test is completed, remove the curing diskette from the drive
and press any key to reboot the computer.

One curing diskette is sufficient for restoring infected files in many
machines.  If you intend to use one curing diskette for curing several
machines, the curing diskette must be prepared on the machine with the
latest DOS version in order to avoid compatibility  problems.  In  any
case, the drives in all machines for which the curing diskette will be
used must be tested for accessibility upon  booting  from  the  curing
diskette.

     IMPORTANT!  Store  the original  curing diskette in a safe place.
     You will need it when a virus infiltrates into your computer.

In addition to the pathname of the ADinf directory, the  command  line
of the Setup program also accepts the following options:

  Option          Its function
 
   -co           Use color scheme for a color monitor.  Include  this
                 option, if the video subsystem can operate in  color
                 mode, but Setup uses black and white mode.
 
   -m            Disable mouse in the course of installation.
 
   -mo           Force  monochrome  display  mode.  Setup  recognizes
                 whether your monitor is  color  or  monochrome.  Use
                 this option when you want black-and-white display on
                 a color monitor, particularly on LCD VGA laptops and
                 notebooks.
 
   -nam          Disable the mouse arrow pointer and use the standard
                 mouse cursor.
 
   -os           Start Setup with its old  style  interface  prior to
                 ADinf version 9.00.  This option disables  the ADinf
                 internal font table from being  loaded  into EGA/VGA
                 adapters,  so it is useful when Setup conflicts with
                 any  resident  programs,  say,  programs  that  load
                 national fonts into the display adapter.
 

    NETWORK installation

If ADinf is available on the network drive, you can also install ADinf
Cure Module on the network drive.  The Cure Module is installed  on  a
network  drive  almost  in  the  same  way as on a local drive.  While
installing on a network drive,  it is a good idea to specify the  full
pathname  of  the  ADinf  directory  in  the command line of the Setup
program.  After installing the Cure Module on the network drive, it is
to be linked to every workstation.

For this,  start  ADinf  from  a  workstation.  Go to OPTIONS >  SETUP
PARAMETERS > CURE MODULE SETUP to pull down the menu:

         +- Cure Module -------+
         | For common tables   |
         | For personal tables |
         | Cure Module Setup   |
         +-<Esc>---------------+

First choose whether cure support  is  to  be  implemented  by  COMMON
TABLES or by PERSONAL TABLES, then choose the drives  for  which  cure
support is needed. Thereafter, choose the CURE MODULE SETUP item  from
the panel to pull down the CURE MODULE SETUP panel. How to handle this
panel is described under CURE FILE SUPPORT in  CUSTOMIZING  THE  ADINF
OPERATION.


2.3 Using ADinf jointly with Sheriff

     Installing ADinf on a Sheriff-guarded computer

To install ADinf,  if  your  computer  is  protected  by  the  Sheriff
protection hardware:

     1. switch off Sheriff, and install ADinf as described above,
     2. start ADinf in interactive mode,  and go to OPTIONS >  SETUP
        PARAMETERS > SHERIFF SERIAL No panel,
     3. in the box,  type the first five figures in the serial  number
        of your Sheriff, and press <Enter>,
     4. quit ADinf and switch on Sheriff.

     Installing Sheriff on an ADinf-installed computer

To install  the  Sheriff,  if  ADinf  is  already  installed  in  your
computer:

     1. start  ADinf  in interactive mode,  and go to OPTIONS > SETUP
        PARAMETERS > SHERIFF SERIAL No panel,
     2. in  the box,  type the first five figures in the serial number
        of your Sheriff, and press <Enter>,
     3. install Sheriff as described in its User's Guide.


2.4 Running ADinf Cure Module under Sheriff

ADinf Cure  Module  also  runs  on  a  computer  guarded  by a Sheriff
protection system.  But prior to curing an infected disk,  the Sheriff
protection  system  must  be  disabled,  since curing is possible only
after starting the computer from a write-protected bootable  diskette.
If Sheriff is on, it locks the access to hard disks when the  computer
is started from an independent bootable diskette. After the completion
of the curing procedure, you may enable the Sheriff protection system.
For enabling and disabling the Sheriff, refer to its User's Guide.


2.5 Starting ADinf from autoexec.bat file

ADinf can be started  automatically  from  the  AUTOEXEC.BAT  file  or
manually by typing its command at the DOS prompt.

To run  ADinf  automatically  at  the  time  of  booting,  modify your
AUTOEXEC.BAT file by adding a line as shown below (during installation
you can tell the setup program to do this automatically):

 c:\adinf\adinf -d -a -b -ld:\tmp  c: d:
 ------+------- +- +- +- ----+---  --+--
       |        |  |  |      |       +-- Drives to be scanned
       |        |  |  |      +-- Save report in D:\TMP directory
       |        |  |  +-- Black screen background
       |        |  +-- No dialog pauses
       |        +-- Check only once a day
       +-- Directory where ADinf is installed

ADinf command line options are described below.

See also INTERACTION OF ADINF WITH SCANNERS OF DSAV to organize  joint
running of ADinf and Doctor Web.


2.6 Starting ADinf in batch mode

Advanced Diskinfoscope  ADinf  can  be  run  in  batch  mode   or   in
interactive  mode  by  typing  its  command line at the DOS prompt and
pressing <Enter>.

In the batch mode, ADinf successively checks the drives, executing the
options specified in its command line.  To run ADinf in batch mode, at
the DOS prompt, type:

     adinf <drive> [<drive>...<drive>] [<option>...<option>]

Here <drive> means the logical drives to be tested. At least one drive
must be specified for ADinf to run in batch mode.

For example, type

  c:\adinf\adinf c: d:
  ------+------- --+--
        |          +-- Drives to be scanned
        +-- Directory where ADinf is installed

and press <Enter> to scan the drive C and then the drive  D.  In  this
example, ADinf is assumed to be installed in the C:\ADINF directory.

In place of a long list of drive name  letters,  you  may   type   the
wildcard character "*" to test all the drives for which diskinfo tables are
available  in  your  machine.  For  example,  to  test all drives with
personal diskinfo tables in batch mode, type

     c:\adinf\adinf -p *

and press <Enter>.


2.7 Command line options

ADinf  accepts  several command options.  They must be preceded with a
hyphen "-" or a slash "/" ,  and separated with a space.  They may  be
typed in upper- or lower-case. Asterisked items in the table below are
valid only in batch mode, and are inoperative in interactive mode.

  Option          Its function
 
  -@<filename>   Tell  ADinf  to  compile  a  list   of   files  that
                 subsequently   need   to  be  tested  by  anti-virus
                 scanners.  This  list  will  include  newly-created,
                 changed,  renamed,  and moved (from one directory to
                 another) files.  This list is saved in a file of the
                 filename  specified after the character @.  Files in
                 this list can be checked through anti-virus programs
                 Virus  Hunter and Doctor Web by running them via the
                 /@ command option (see the  User's  Guide  of  these
                 programs).
 
  -15            Disable the ADinf internal Int 15h handler.
 
  -76            Disable the ADinf internal Int 76h handler.
 
  -a[<time>]*    Hide  minor  dialogs,   e.g.,   when   started  from
                 AUTOEXEC.BAT file.  The <time> parameter is optional
                 and takes a value from 1 to 511 (seconds).  When  it
                 is specified, the panel showing the  changes  closes
                 automatically after <time> seconds, provided that
                 the changes are not suspicious and the user does not
                 press a key before that time has elapsed.
 
  -admin         Define,  change,   or   cancel   the   administrator
                 password.  If a password is defined,  the  following
                 will  happen.  When an ADinf operation is aborted by
                 pressing <Ctrl+Break> or <F10>, or when the scanning
                 of a drive  is terminated  by pressing <Esc>,  after
                 the completion of scanning mission  you are prompted
                 to type the administrator password.  If the password
                 is wrongly typed, the system will be rebooted - this
                 security measure prevents users  from  skipping  the
                 checking  of  a drive when ADinf is started from the
                 AUTOEXEC.BAT file.  Moreover,  when ADinf is started
                 in  interactive mode,  you will be prompted to enter
                 the password - this is done to prevent any user from
                 introducing  unauthorized  changes  in  the  program
                 settings.
                
                 To cancel  a  password  that is defined,  just press
                 <Enter>  when  you  are prompted to type and confirm
                 the password.
                
                 When you want to change or cancel the password,  you
                 will  be  prompted  to  type  the  currently  active
                 password.
 
  -b*            Tell ADinf not to color the screen  background,  but
                 to display all messages and panels against  the  DOS
                 background without clearing the screen that  existed
                 prior to starting ADinf. This mode  gives  a  better
                 view when ADinf is run from AUTOEXEC.BAT file.
 
  -co[lor]       Use color scheme for a color monitor.  Include  this
                 switch, if the video subsystem can operate in  color
                 mode, but ADinf uses black and white mode.
 
  -d*            Run ADinf ONLY ONCE A DAY and do not run it again at
                 subsequent starts on the same day, even if specified
                 in the AUTOEXEC.BAT file.
 
  -e             Undo the attribute HIDDEN assigned to diskinfo files.
 
  -f             Run in fast mode without checking the CRC of  files.
                 Diskinfo tables are not updated. Same as  FAST  SCAN
                 in OPTIONS menu.
 
  -force13       Tell  ADinf  to  redefine  the address  of  Int  13h
                 handler in BIOS.
 
  -hd<n>         Define  the  maximum  number  of  nonremovable  hard
                 disks  in  a system.  This option  is necessary  for
                 machines   equipped  with  Back  Pack  Microsolution
                 devices which  are  removable  hard  disk  cassettes
                 connected  to an LPT port.  They are controlled by a
                 special driver  which  misinforms  the  system  that
                 these   disks   are   nonremovable  hard  disks.  By
                 specifying,  for example,  -hd2,  you can tell ADinf
                 that  there  are actually only two nonremovable hard
                 disks in your system.
 
  -home:<path>   Define the directory where the  ADinf  configuration
                 file and personal tables are to be saved (unless the
                 directory for saving personal tables  is  explicitly
                 specified, see the -p option). If this option is not
                 specified,  ADinf configuration  file  and  personal
                 tables are saved in the  directory  where  ADinf  is
                 installed. If your computer  is  a  workstation  and
                 ADinf is run directly from the  network  drive,  the
                 configuration tables and personal tables are  saved,
                 by default, in the C:\ADINF directory.
 
  -i             Toggle info mode. Diskinfo tables  are  not  updated
                 after the completion of checks. This option must NOT
                 be used with the -d option. Same  as  INFO  MODE  in
                 OPTIONS menu.
 
  -l[+][<path>]  Write the scan report for the drive in a file in the
                 directory where  the  ADinf  configuration  file  is
                 located.  If the <path> parameter is specified, scan
                 report will be saved  in  a  file  of  the  pathname
                 specified  in  the option.  If a report file exists,
                 the  report  of  the  current  scanning  mission  is
                 overwritten on the existing report file. If the plus
                 sign is included, the report of the current scanning
                 mission  is  appended  at  the  end  of the existing
                 report file in order to retain the  reports  of  the
                 previous  scanning  missions.  Scanning  results can
                 also be saved in a file by choosing the SAVE LOG  IN
                 FILE  button from the panel displayed on closing the
                 scanning report panel.
 
  -m             Disable the mouse.
 
  -mo[no]        Force  monochrome  display  mode.  ADinf  recognizes
                 whether your monitor is  color  or  monochrome.  Use
                 this option when you want black-and-white display on
                 a color monitor, particularly on LCD VGA laptops and
                 notebooks.
 
  -n             Hide the title screen. By default, it  is  displayed
                 only in interactive mode.
 
  -nam           Disable the mouse arrow pointer and use the standard
                 mouse cursor.
 
  -nr            Do not wait for retraces on CGA-monitor. This option
                 may generate "snow" on certain types of CGA-monitor.
 
  -os            Start ADinf with its old style  interface  prior  to
                 version   9.00.   This  option  disables  the  ADinf
                 internal font table from being loaded  into  EGA/VGA
                 adapters,  so it is useful when ADinf conflicts with
                 any  resident  programs,  say,  programs  that  load
                 national fonts into the display adapter.
 
  -p[<path>]     Use  personal   diskinfo  tables   created   for   a
                 multi-user PC. By default, ADinf diskinfo tables are
                 created  in  the  root  directory  of  a  drive.  In
                 scanning with personal tables, diskinfo  tables  are
                 created, by default, in the directory where ADinf is
                 installed.  A different location for diskinfo tables
                 can be specified through the <path> of  this  option
                 or through the menu OPTIONS >  SETUP  PARAMETERS >
                 PERS. TABLES PATH. Refer to the section  CUSTOMIZING
                 THE ADINF OPERATION. This check from a floppy should be
                 used with great caution. If you  run  ADinf  from  a
                 floppy containing the diskinfo tables of some  other
                 computer,  the  consequences  would  be   disastrous
                 especially if you restore the master  boot  or  boot
                 sector of your system.
 
  -r             Run under  DR  DOS.  ADinf  detects  its environment
                 automatically. If ADinf hangs up  under  Novell-DOS
                 later  than  7.0,  run  it with -r option.  Use this
                 option, if your computer is running under Compaq DOS
                 or any other OS not fully MS DOS compatible.
 
  -s             Toggle beeps ON/OFF. Same as SOUND in OPTIONS menu.
 
  -stop[<code>]  If virus  protection  is  the  responsibility  of  a
                 system analyst, he must configure ADinf  to  prevent
                 it from reporting any changes to regular  users,  by
                 properly choosing the list of ADinf-protected  files
                 and specifying the working directories.  If ADinf is
                 started from AUTOEXEC.BAT file with this option,  on
                 trapping a change, it halts the system  and  prompts
                 the user to STOP work on computer and  to  call  for
                 the  system  analyst.
                 The -stop option can be specified in  two  different
                 ways:
                 (1) When  specified  with  no  <code>  value,   this
                 option halts operation when ADinf detects any change
                 in disk information.
                 (2) When  specified  with   a  <code>  value,   this
                 option  does  not  halt  the  operation  when  ADinf
                 detects a diskinfo change defined by the <code>. The
                 values of the <code> are as follows:
                 DO NOT TERMINATE OPERATION when one of the following
                 changes is detected
                 1     - change in master boot record (MBR);
                 2     - change in boot sector;
                 4     - new bad clusters;
                 8     - new directories;
                 16    - deleted directories;
                 32    - changes in files;
                 64    - new files;
                 128   - deleted files;
                 256   - files moved to other directories;
                 512   - renamed files;
                 1024  - any change which ADinf regards as
                         "suspicious". See below for information
                         on "suspicious changes";
                 2048  - change in the size of ADinf executable file;
                 4096  - change in size of the memory allotted to DOS;
                 8192  - change in the number of physical disks;
                 16384 - changes in Hard Disk Parameter Tables (HDPT).
                
                 You can tell ADinf NOT to halt the operation  for  a
                 combination of changes by specifying the sum of  the
                 corresponding values  of  <code>.  For  example,  to
                 tell ADinf not  to  stop  operation  if  it  detects
                 changes in the master boot record, boot sector,  and
                 files, specify -stop35. Here (35=1+2+32).
                
                           SYSTEM SUPPORT SPECIALIST ONLY!
                
                 1. After adding this option to ADinf command line in
                 the  AUTOEXEC.BAT  file,   don't  forget  to  update
                 DISKINFO tables.  Otherwise,  ADinf will detect this
                 change at the next startup and halt the system.
                
                 2. If ADinf displays STOP warning, pressing of <Esc>
                 or <Enter> key will only reboot the machine. To  get
                 out of this loop, press <Ctrl+Break>.
                
                 3. The use of the key combination  <Ctrl+Break>  for
                 halting the unending reboot loop  into  which  ADinf
                 gets after the operation  is  halted  by  the  -stop
                 option  can  be  reserved for use only by the system
                 administrator  by  specifying  a  password. For more
                 details see -admin option description.
                
                 The -stop option is not operative  when ADinf is run
                 under Windows.xx or Windows 95.
 
  -w*            To create new diskinfo tables in batch mode. Same as
                 CREATE TABLES in MODE menu.
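
The -stop<code> arithmetic described above can be checked before the
option is written into AUTOEXEC.BAT. The Python helper below is an added
example, not part of ADinf or of this guide; its function names and the
set of change classes it flags as critical are assumptions of the example.

```python
"""Work out what an ADinf -stop<code> option tolerates (added example)."""

# Change classes and their values, copied from the -stop table in this guide.
STOP_BITS = {
    1: "change in master boot record (MBR)",
    2: "change in boot sector",
    4: "new bad clusters",
    8: "new directories",
    16: "deleted directories",
    32: "changes in files",
    64: "new files",
    128: "deleted files",
    256: "files moved to other directories",
    512: "renamed files",
    1024: "suspicious changes",
    2048: "change in the size of ADinf executable file",
    4096: "change in size of the memory allotted to DOS",
    8192: "change in the number of physical disks",
    16384: "changes in Hard Disk Parameter Tables (HDPT)",
}
ALL_BITS = sum(STOP_BITS)  # 32767: every documented class tolerated

# Assumption of this example (not from the guide): classes an administrator
# would normally not want to pass without a halt.
CRITICAL = 1 | 2 | 1024 | 2048


def parse_stop_option(option):
    """Return the mask of a '-stop[<code>]' or '/stop[<code>]' option.

    A bare -stop yields 0: ADinf then halts on any change.
    """
    if option[:1] not in ("-", "/") or option[1:5].lower() != "stop":
        raise ValueError("not a -stop option: %r" % option)
    digits = option[5:]
    if digits == "":
        return 0
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("code must be a decimal number: %r" % option)
    mask = int(digits)
    if mask & ~ALL_BITS:
        raise ValueError("code %d uses values not in the table" % mask)
    return mask


def tolerated(mask):
    """Values of the change classes that do NOT halt the system."""
    return [bit for bit in STOP_BITS if mask & bit]


def would_halt(option, detected):
    """True if any detected change class is outside the tolerated mask."""
    mask = parse_stop_option(option)
    for bit in detected:
        if bit not in STOP_BITS:
            raise ValueError("unknown change class: %r" % bit)
    return any(not (mask & bit) for bit in detected)


def build_stop_option(tolerate):
    """Compose the option from the class values that may pass without a halt."""
    mask = 0
    for bit in tolerate:
        if bit not in STOP_BITS:
            raise ValueError("unknown change class: %r" % bit)
        mask |= bit
    return "-stop%d" % mask if mask else "-stop"


def critical_tolerated(mask):
    """Tolerated classes that this example treats as critical."""
    return [bit for bit in tolerated(mask) if bit & CRITICAL]


if __name__ == "__main__":
    option = "-stop35"  # the guide's example: 35 = 1 + 2 + 32
    mask = parse_stop_option(option)
    print(option, "tolerates:")
    for bit in tolerated(mask):
        flag = "  <-- review" if bit & CRITICAL else ""
        print("  %5d  %s%s" % (bit, STOP_BITS[bit], flag))
    # Constructed scan results: changed files only, then changed + new files.
    print("halt on [32]:    ", would_halt(option, [32]))
    print("halt on [32, 64]:", would_halt(option, [32, 64]))
```

Run on the guide's own -stop35, the helper shows that MBR and boot sector
changes are among the classes that no longer halt the system.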
 


2.8 Batch file ERRORLEVELS

ADinf sets an errorlevel,  and this can be used in  a  batch  file  to
determine  what actions are then to be taken.  The errorlevels set are
as follows:

  Errorlevel   Meaning
 
        0     Normal termination. All disks verified,  no  changes
              found.
 
       10     Some  changes  were  noticed,  but  they  are    not
              suspicious.
 
       20     Suspicious changes were detected.
 
       25     Checking of, at least, one drive terminated by  user
              by pressing <Esc>.
 
       30     ADinf operation terminated by user by pressing <F10>.
 
       40     ADinf terminated its mission, since  some  virus  is
              counteracting against checks.
 
       50     Abnormal termination due to program internal bug.
 

If two  events  take place concurrently,  for instance,  scanning of a
drive aborted by pressing <Esc> and then ADinf operation terminated by
pressing  <F10>,  the  higher  of  the two levels is returned.  In the
example given above, the errorlevel returned is 30.


2.9 Interaction of ADinf with scanners of DSAV

When new  programs are copied to your computer,  ADinf has no diskinfo
information about them.  Therefore,  you have to check them with  some
anti-virus scanner,  for example,  Virus Hunter and Doctor Web,  which
are components of the DialogueScience DSAV kit.

ADinf can compile a list of files that require subsequent verification
by some anti-virus scanner. For this purpose, first ADinf forms a list
containing the names of newly-created,  renamed,  and  changed  files.
Then  this  list is passed to Virus Hunter and Doctor Web for scanning
for viruses.  In this way,  you can speed up the verification of  your
computer,  because  the  files  that remained unchanged since the last
session are already checked by these anti-virus scanners.

The following is a sample batch file to run ADinf jointly with  Doctor
Web  and Virus Hunter by transferring diskinfo changes (see /@ command
line option).  Such a  joint  operation  greatly  speeds  up  scanning
sessions, while retaining the high checking reliability.

First ADinf   must  be  run  to  scan  the  computer.  If  it  reports
newly-created or changed files,  they are first checked by Doctor  Web
and  then  by  Virus  Hunter.  In  case  some  virus  is detected,  an
appropriate message is displayed.

   @echo off
   rem Scan all drives that have diskinfo tables. The /@ option lists
   rem new and changed files in c:\adin2web.lst; /a hides minor dialogs.
   ADINF * /@c:\adin2web.lst /a

   rem IF ERRORLEVEL n is true for any exit code of n or higher,
   rem so the highest codes are tested first.
   if errorlevel 50 goto abnormal
   if errorlevel 40 goto vir_in_mem
   if errorlevel 30 goto break
   rem Skip the scanners if ADinf produced no list file.
   if not exist c:\adin2web.lst goto end

   rem Check the listed files with Doctor Web.
   DRWEB /@+c:\adin2web.lst /cl/ha/rv/hi/upn/ns

   if errorlevel 2 goto new_vir
   if errorlevel 1 goto vir

   rem Check the same list with Virus Hunter.
   V-HUNTER /@c:\adin2web.lst /g/nb

   if errorlevel 3 goto abnormal
   if errorlevel 2 goto abnormal
   if errorlevel 1 goto vir

:no_vir
   echo No viruses found
   goto end

:vir_in_mem
   echo WARNING! There is an active virus counteracting against ADinf
   pause
   goto end

:vir
   echo ATTENTION! There is a known virus in the machine
   pause
   goto end

:new_vir
   echo ATTENTION! There is an unknown virus in the machine
   pause
   goto end

:abnormal
   echo Abnormal end of scanning mission
   pause
   goto end

:break
   echo Scanning mission broken by user
   pause
   goto end

:end

        WARNING 1. For reliable checking of disks, the  list  of  file
        extensions and ADinf operation  parameters  must  be  properly
        specified such that no important changes in  disk  information
        escape unnoticed.

        WARNING 2. When ADinf  or scanners detect viruses  or  suspect
        possible virus infection, it is not sufficient to analyze  and
        cure only the infected files and system areas.  It  is  always
        safe to cold start  the  system  from  a  virus-free  bootable
        diskette, first thoroughly test all drives  and  then  restore
        the infected files from the original distribution disks.  When
        such a possibility for restoration from original  distribution
        diskettes is not available, you may use the curing procedure.

        WARNING 3. The errorlevel verification function in  the  batch
        file can be specified in such a manner  that  after  the  disk
        scanning mission is completed, curing  mode  is  automatically
        called and then ADinf is restarted for  final  checking  after
        the curing session is completed. But such an automatic  curing
        mode is HAZARDOUS  and  requires  an  in-depth  study  of  the
        computer configuration settings and utilization modes. Such  a
        study  must  be  made  by  a  knowledgeable  computer  analyst
        familiar with the specifics of the computer configuration  and
        users' needs.


2.10 Starting ADinf in interactive mode

A command line with no drives specified, e.g.,

       c:\adinf> adinf

starts ADinf in interactive mode and displays its main menu.

At every start-up  ADinf  runs  in  interactive  mode,  executing  the
parameters  set  in  the  previous session.  If the -i,  -f,  -s or -p
options  are  specified  in  the  command  line,  ADinf   additionally
implements them.


2.11 Useful tips

It is always safe:

1) to  run  some anti-virus utility,  say,  Doctor Web,  to clean your
system prior to installing ADinf,

2) to run ADinf a few times a day,  especially if  you  swap  floppies
often, and

3) to prevent accidental damage, loss and infection, always use only a
copy of the ADinf original diskette.


2.12 Speedkeys

You may  use  certain  keyboard shortcuts to speed up work in an ADinf
session:

  Shortcut   Its function
 
  <Esc>     abort ADinf scanning mission (this key is inoperative
            if ADinf is started with the -stop option),
 
  <F10>     end an ADinf session (this key is inoperative if ADinf
            is started with the -stop option),
 
  <Alt+D>   enter DOS shell,
 
  <Alt+V>   execute a DOS command,
 
  <Alt+S>   toggle sound ON or OFF,
 
  <Alt+P>   edit internal paths for viewers,
 
  <Alt+F5>  view DOS screen,
 
  <F1>      get on-line help on key usage.
 



                          3. ADINF MAIN MENU

When you start ADinf in interactive mode, the screen  top  line  shows
the main menu of five titles: ADINF, DRIVES, MODE, OPTIONS, and  QUIT.
By default, the SCAN DRIVES command from the MODE title  is  selected,
so just press <Enter> to scan the drives  for  which  diskinfo  tables
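are available in your machine.

 +--------------------------------------------------------------------+
 |  ADinf       Drives       Mode       Options     Quit      F1=Help |
 +--------------------------------------------------------------------+
 |                      +-----------------+                           |
 | Files   CRC types    | Scan drives     |                           |
 | .com    Fast         | Scan selected   |                           |
 | .exe    Fast         | Create tables   |                           |
 | .sys    CRC32        | Stealth search  |                           |
 | .bat    CRC32        +-----------------+                           |
 | .bin    No CRC                                                     |
 | .lib    No CRC                                                     |
 | .ov?    Fast                                                       |
 | .drv    No CRC                                                     |
 | .dll    Fast                                                       |
 | -----------------                                                  |
 | Others  No CRC                                                     |
 |                                                                    |
 +--------------------------------------------------------------------+
 |  C:  BIOS  Scan all drives under check     C  358K  XMS:2576K      |
 +--------------------------------------------------------------------+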

You move across the menu bar with <Left> and <Right> keys. Arrow to an
item and press <Enter> to pull down its  local  menu.  Using  <Up>  or
<Down> key, move to an option in local  menus  and  press  <Enter>  to
select it.  If the option is a command, <Enter> executes it;  <Esc>
closes the menu panel without executing any command.

Alternatively, to select  a  main  menu  title,  press  or  click  the
highlighted letter in the title name. To close  a  menu  panel,  press
<Esc> or click an empty spot on the screen.

The bottom line shows the name  of  the  drive  being  scanned,  drive
access type (via BIOS or INT 13h  or  INT  25h),  brief  messages  and
prompts, diskinfo tables type (C for common and P for  personal),  the
conventional memory space presently free, and XMS space presently free.


3.1 Menu titles and their purpose

  
  ADINF    To view ADinf ver. No and other relevant information.
  
  DRIVE    To select drives for scanning.
  
  MODE     To choose SCAN DRIVES, SCAN SELECTED, CREATE TABLE,
           or STEALTH SEARCH mode.
  
  OPTIONS  To customize ADinf operation parameters. (For details,
           see CUSTOMIZING THE ADinf OPERATION below).
  
  QUIT     To end an ADinf session.
  

In the interactive mode, you can:

     1. scan hard drives in your computer,
     2. create ADinf diskinfo tables for your drives,
     3. check floppy diskettes for changes,
     4. scan for active stealth viruses in your computer,
     5. customize certain ADinf parameters to suit  your  preferences,
        i.e. scan  all  files  in  drives  or  only  the  files  whose
        extensions are specified in the file  extension  list,  revise
        the  list  of  extensions of files to put under ADinf control,
        associate viewers and editors with extensions for viewing  and
        editing files of particular extensions and specify the type of
        file CRC for scanning.


3.2 Scanning the drives

When ADinf is started in interactive mode,  the  SCAN  DRIVES  command
from  the  MODE  title  is  by default selected;  therefore just press
<Enter> to scan the drives for which diskinfo tables have already been
created.

To scan only particular drives, first arrow to DRIVES in the main menu
and press <Enter> to pull down the DRIVES local menu.  Then  arrow  to
the  drive you want to scan and press <Enter>.  A plus sign (+) on the
left of the drive name indicates the drive is  selected.  A  drive  is
deselected by pressing <Enter> again - the plus sign changes to a minus
sign.  You may select as many drives as you like for scanning  in  one
run.  Then,  arrow to MODE in the main menu and press <Enter>. A local
menu drops down containing SCAN DRIVES,  SCAN SELECTED,  CREATE TABLES
and STEALTH SEARCH commands.  Arrow to SCAN SELECTED and press <Enter>
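to start scanning the drives.

           +------- Scanning Drive C: -------+
           |   Table updated 30 July 1997    |
           +---------------------------------+
           |   Analyzing Drive Structure     |
           |   Checking  Boot Record         |
           |   Checking  Bad Clusters        |
           |   Analyzing New Directories     |
           |   Analyzing Erased Directories  |
           |   Checking  Files               |
           |   Analyzing New & Erased Files  |
           |   Analyzing Moved Files         |
           |   Analyzing Renamed Files       |
           |   Stealth Search                |
           +---------------------------------+
       +----------------------------------------+
       |        Calculating file CRCs ...       |
       |  #######.............................  |
       |                  19%                   |
       +-- Travel.dll (Fast  ) -----------------+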


You can abort scanning of any disk at any time by  pressing  <Esc>  or
clicking both mouse buttons together. ADinf then responds:

   +------------------ Stop scanning ? -------------------+
   |        No          This drive      All drives        |
   +------------------------------------------------------+

If you choose NO or click the mouse  right  button,  scanning  of  all
other drives is resumed; if you choose THIS DRIVE,  only  the  current
drive is skipped and if you choose ALL DRIVES, scanning is aborted.

If no drive is selected, on pressing <Enter> to  start  scanning,  you
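get the

   +--------------------- Warning ! ---------------------+
   |                 No drives selected!                 |
   |                     Press <Esc>                     |
   |           Select some from "DRIVES" menu.           |
   +-----------------------------------------------------+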

In such cases, press <Esc>  to  return  to  DRIVES  menu.  Select
drive(s) and run ADinf again.


3.3 Creating  diskinfo  tables

The procedure is the same as described above; the only difference  is
that you now choose the CREATE TABLES command from the MODE menu.


3.4 Checking floppy diskettes

Most of the viruses migrate from computer to computer via diskettes. A
clean diskette gets easily infected: insert  it  into  a  contaminated
computer  and  just  open  its directory for viewing - it may become a
virus carrier. But inserting an infected diskette into a  computer  is
not sufficient  to  inject  a  virus  into  your  computer:  either an
infected program on the diskette has to be started or the computer has
to be booted from an infected diskette.

In order to be certain that your diskettes, or the diskettes you  pass
on to or obtain from others are clean, always check them  with  ADinf.
When a diskette is checked with ADinf for the first time,  a  diskinfo
table containing vital information about  the diskette is saved on it.
Therefore, prior to passing a diskette to others, always check it with
ADinf and save the diskinfo tables on it. If the receiver has Advanced
Diskinfoscope installed in his computer, he can check the integrity of
the data on the  diskette.  Likewise,  you  can  check  up  whether  a
diskette obtained from others is virus-infected or clean.

The diskinfo tables written  by  ADinf  on  a  diskette  contain  full
information essential for scanning (the list  of  files  under  check,
types of CRC of files, names of viewers and editors for the  files  on
the diskette).  Therefore the diskinfo tables created on a diskette by
ADinf in  one  computer  may  be  compatible with the configuration of
ADinf on another computer.


3.5 Stealth search mode

Stealth viruses,  as  their  name  implies,  are capable of stealthily
hiding themselves in an infected machine. The early computer infectors
did  not  possess this property and so could be detected visually when
an infected  file  is  opened  for  viewing.  Even  simple  anti-virus
utilities could suppress their multiplication,  and thus viruses  did
not pose an epidemic hazard.

Advancement in new anti-virus techniques catalyzed new trends in virus
design and the appearance of invisible infectors was the next  natural
step in the evolution of virus technology.  Viruses designed on hiding
algorithms cannot be viewed with operating system tools.  For example,
when  an  infected  file is viewed by pressing <F3>,  Norton Commander
does not show anything unusual because the virus removes its body when
the file is opened for reading, and puts it back on closing.  This is
only one of the dodging tools and  there  are  several  other  masking
techniques.  Boot  infectors  also  hide  themselves  when an infected
sector is opened for reading.

In the early development stages, the stealth virus design was ahead of
the potentialities of the then anti-virus utilities.  Thus the viruses
Frodo.4096,  XPEH  and some other specimens proliferated far and wide.
ADinf easily detects newly designed  stealth  viruses.  For  instance,
most of the anti-virus utilities were ineffective against the epidemic
outbreak in the summer and autumn of 1991  due  to  the  incidence  of
DIR-II  virus written with a then unknown detection-dodging algorithm.
But on the computers protected by ADinf,  it was  easily  trapped  and
eradicated.

The hiding algorithm itself is the weakest link in the stealth  virus
design: it is the key to successful detection of such a virus  on  an
infected machine.  A discrepancy between the file size or CRC reported
by DOS and its actual size or CRC is a definite  symptom  of  virus
infection.  The hiding capability of a stealth  virus  betrays  its
presence in an infected file!  Such a comparison algorithm is implemented in
ADinf.
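
The comparison described above can be sketched as follows. This is an
added example, not ADinf's own code: the RawDisk class, the hiding_view
read path and the sample files are constructed stand-ins for direct
sector reads and for the file reads that DOS reports. As in the text,
the search stops at the first discrepancy unless told otherwise.

```python
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SECTOR = 512  # bytes per sector on the constructed disk


class RawDisk:
    """Constructed in-memory disk standing in for direct sector reads."""

    def __init__(self) -> None:
        self.sectors: List[bytes] = []
        self.directory: Dict[str, Tuple[int, List[int]]] = {}  # name -> (length, chain)

    def store(self, name: str, data: bytes) -> None:
        chain = []
        for offset in range(0, len(data), SECTOR):
            chain.append(len(self.sectors))
            self.sectors.append(data[offset:offset + SECTOR].ljust(SECTOR, b"\0"))
        self.directory[name] = (len(data), chain)

    def read_raw(self, name: str) -> bytes:
        """Reassemble a file from its sector chain, bypassing the OS read path."""
        length, chain = self.directory[name]
        return b"".join(self.sectors[n] for n in chain)[:length]


def hiding_view(disk: RawDisk, hidden: Dict[str, int]) -> Callable[[str], bytes]:
    """Constructed model of an OS read path that conceals the last
    `hidden[name]` bytes of the listed files (hypothetical helper)."""
    def read(name: str) -> bytes:
        data = disk.read_raw(name)
        return data[:len(data) - hidden.get(name, 0)]
    return read


@dataclass(frozen=True)
class Discrepancy:
    name: str
    reported_size: int   # what the OS read path returned
    real_size: int       # what the sectors actually hold
    reported_crc: int
    real_crc: int

    @property
    def difference(self) -> int:
        return self.real_size - self.reported_size


def stealth_search(disk: RawDisk, os_read: Callable[[str], bytes],
                   names: List[str], stop_on_first: bool = True) -> List[Discrepancy]:
    """Compare size and CRC32 of each file as seen through the OS read
    path with the values obtained from the raw sectors."""
    found = []
    for name in names:
        reported, real = os_read(name), disk.read_raw(name)
        r_crc, d_crc = zlib.crc32(reported), zlib.crc32(real)
        if len(reported) != len(real) or r_crc != d_crc:
            found.append(Discrepancy(name, len(reported), len(real), r_crc, d_crc))
            if stop_on_first:
                break   # do not touch further files through a suspect read path
    return found


def build_sample_disk() -> Tuple[RawDisk, List[str]]:
    """Constructed sample: three files filled with a repeating byte pattern."""
    disk = RawDisk()
    sizes = {r"C:\TOOLS\A.COM": 1000, r"C:\TOOLS\B.EXE": 3000, r"C:\TOOLS\C.COM": 700}
    for name, size in sizes.items():
        disk.store(name, bytes(i % 251 for i in range(size)))
    return disk, list(sizes)


if __name__ == "__main__":
    disk, names = build_sample_disk()
    view = hiding_view(disk, {names[1]: 400, names[2]: 100})
    for d in stealth_search(disk, view, names):
        print(f"{d.name}: reported {d.reported_size}, real {d.real_size}, "
              f"difference {d.difference}")
```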

To detect stealth viruses in your machine:

     1. arrow to DRIVES in the main menu,
     2. mark the drives you want to scan for stealth virus by pressing
        <Enter> on the drive name A:, B:, C:,...,
     3. arrow to MODE in the main menu,
     4. select STEALTH SEARCH,
     5. press <Enter> to start scanning the selected drives for
        stealth viruses.

You may stop scanning a drive any time as described under SCANNING THE
DRIVES.

While scanning for stealth  viruses,  ADinf  checks  the  master  boot
sector, boot sectors of logical drives and then compares the sizes and
CRC of files given by DOS with the actual values which  it  determines
by directly reading the sectors, accessing via BIOS. If there  is  any
discrepancy in these values, it stops scanning the drives in order not
to spread infection  to  other  clean  directories  and  displays  the
message:

 +---------------------------- Attention! -----------------------------+
 |                              For file                               |
 |                             C:\AAAA.COM                             |
 |         size reported by DOS differs from its real length!          |
 |                                                                     |
 |       DOS reports: 5883, real: 9889 bytes, difference: 4016.        |
 |                                                                     |
 |         There may be an active STEALTH-VIRUS in the memory!         |
 |                                                                     |
 |         Continue         Stop           View         Reboot         |
 |                                                                     |
 |     Further scanning may inject infection into clean files being    |
 |    checked by ADINF! Recommend you to stop scanning, insert into    |
 |    drive A a write-protected system diskette, & choosing REBOOT,    |
 |    reboot your computer with a clean operating system. Disinfect    |
 |    the infected files, prior to starting the computer from your     |
 |    hard disk!                                                       |
 +---------------------------------------------------------------------+

Choosing VIEWER from this panel, you can view the  suspect  file.  The
viewer prints the file on the screen by reading  it  directly  through
BIOS.

Choosing REBOOT, you can eradicate stealth and other viruses from your
computer. For this, insert in drive A: (or the  drive  appropriate  to
your system) a write-protected bootable diskette  containing  a  clean
operating system and an anti-virus utility capable of killing stealth
viruses, say, Doctor Web.  Then choose REBOOT to reset the machine and
then run the anti-virus program on the diskette. If the virus residing
in your machine is already known, Doctor Web will kill it. If not, the
virus is definitely a hitherto unknown stealth infector and you should
call for help from some Anti-virus Service or restore your files  from
a backup copy.

ADinf automatically checks for stealth viruses in newly created files,
because certain stealth  viruses  infect  files  only  when  they  are
created, for example, while copying from a  diskette  or  exploding  a
packed file. By default, this mode is ON.  Since this check takes some
time, you may  switch  it  OFF,  cascading  through  the  menu  route:
OPTIONS => SETUP PARAMETERS => INFO UNDER CHECK => SS NEW FILES.


3.6 Customizing the ADinf operation

The OPTIONS title in the main menu provides ample items  to  customize
certain ADinf parameters to suit  your  preferences.  It  cascades  as
follows:

OPTIONS
 |
 +-- TABLES
 +-- PROGRAM MODES
 |    +-- SOUND
 |    +-- FAST SCAN
 |    +-- INFO MODE
 +-- SETUP PARAMETERS
      +-- EXTENSION LIST
      |    +-- EXTENSIONS
      |    +-- CRC TYPES
      +-- INFO UNDER CHECK
      |    +-- EXTENSIONS
      |    +-- STABLE FILES
      |    +-- BOOT-SECTORS
      |    +-- BAD CLUSTERS
      |    +-- DIRECTORIES
      |    +-- SKIP TREES
      |    +-- HDP TABLES
      |    +-- SS NEW FILES
      |    +-- SS CHANGED
      +-- TABLE FILE NAME
      +-- PERS. TABLE PATH
      +-- DRIVE ACCESS TYPE
      +-- TREEINFO.NCD FILE
      +-- PATH TO VIEWERS
      +-- FILE LIST SORTING
      |    +-- BY EXTENSION
      |    +-- BY DIRECTORY
      |    +-- KEEP UNSORTED
      +-- SHERIFF SERIAL NO
      +-- CURE FILE SUPPORT
           +-- FOR COMMON TABLES
           +-- FOR PERSONAL TABLES
           +-- CURE MODULE SETUP(*)

(*) - available only for ADinf Cure Module versions later than 3.00

The OPTIONS title contains three items:

        TABLES
        PROGRAM MODES
        SETUP PARAMETERS


TABLES

item has two choices:  COMMON to construct tables for a machine  as  a
whole  regardless of the number of users operating it,  and PERSONAL -
only for you. These two choices are toggled with <Enter>.

Ordinarily, ADinf creates diskinfo tables in the root directory of the
drive  being  checked.  In  PERSONAL mode,  they  are  created  in the
directory containing ADinf.  You can  also  specify  a  directory  for
saving  the personal diskinfo tables.  For this,  choose PERS.  TABLES
PATH from PROGRAM MODES in OPTIONS from the main  menu  and  type  the
full  pathname  in the on-screen panel and press <Enter>.  See also -p
and -home options.

You can copy ADinf in your directory or on a separate floppy and  thus
conduct  a  personal check to detect the changes that occurred in your
absence.  This check from a floppy should be used with great  caution.
If  you run ADinf from a floppy containing the diskinfo tables of some
other computer,  the consequences would be disastrous,  especially  if
you restore the master boot or boot sector of your system.


PROGRAM MODES

menu contains three toggles:

        SOUND
        FAST SCAN
        INFO MODE

SOUND beeps are toggled ON and OFF with <Enter>.

When FAST SCAN is ON, file CRCs are not calculated and diskinfo tables
and TREEINFO.NCD files are not updated.

When INFO MODE is ON,  diskinfo tables and TREEINFO.NCD files are  not
updated in every ADinf session, even if the diskinfo has changed since
the last check.


SETUP PARAMETERS

menu provides  ten  items  for  customizing  certain  ADinf  operation
parameters to suit your preference and convenience:

        EXTENSION LIST
        INFO UNDER CHECK
        TABLE FILE NAME
        PERS. TABLES PATH
        DRIVE ACCESS TYPE
        TREEINFO.NCD FILE
        PATH TO VIEWERS
        FILE LIST SORTING
        SHERIFF SERIAL NO
        CURE FILE SUPPORT


 EXTENSION LIST

menu contains two options,  EXTENSIONS  and  CRC  TYPE.  On  choosing
EXTENSIONS, you get two panels, viz., a FILE EXTENSION LIST containing
the extensions of files under control, their viewers and editors and a
SELECT EXTENSION panel showing editing keys:

 +- Files: --- Viewer ----- Editor --+
 |  .COM    wpview.exe   nu.exe      |
 |  .EXE    wpview.exe   nu.exe      |<--
 |  .SYS    wpview.exe   edit.com    |    +------ Select extension ------+
 |  .BAT    wpview.exe   edit.com    |    |                              |
 |  .LIB    wpview.exe   edit.com    |    |          Use keys:           |
 |  .OV?    wpview.exe   nu.exe      |    |  <Enter>    - Edit;          |
 |  .DRV    wpview.exe   nu.exe      |    |  <Up>,<Dn>  - Select;        |
 |  .DLL    wpview.exe   nu.exe      |    |  Gray <+>   - Add;           |
 +-----------------------------------+    |  Gray <->   - Delete;        |
                                          |  <Esc>      - Quit.          |
                                          +------------------------------+

You may edit the file extension list for adding the extensions of  the
files to put under ADinf control or for deleting the extensions of the
files not needing control any longer.


  Adding and deleting file extension

To delete a file extension, select the extension you  want  to  delete
with <Up> or <Down> key, and then press <Gray ->. Press <Esc> to  quit
the panel.

To add a file extension, press <Gray +>. The selection bar jumps to an
empty row created at the table bottom. Type the file extension.  After
you are done,  press <Esc> to finish or <Enter> to edit the viewer and
editor columns.


  Editing the VIEWER and EDITOR columns

By editing the VIEWER and EDITOR fields,  you may assign for each file
extension  a  separate  viewer and editor for displaying and reading a
file with a  particular  extension.  After  adding  or  deleting  file
extensions,  while you are still in the extension panel, press <Enter>
to invoke EDIT MODE:  the SELECT EXTENSION panel at  once  toggles  to
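EDIT MODE:

 +- Files: --- Viewer ----- Editor --+
 |  .COM    wpview.exe   nu.exe      |
 |  .EXE    wpview.exe   nu.exe      |<--
 |  .SYS    wpview.exe   edit.com    |    +--------- Edit mode ----------+
 |  .BAT    wpview.exe   edit.com    |    |                              |
 |  .LIB    wpview.exe   edit.com    |    |          Use keys:           |
 |  .OV?    wpview.exe   nu.exe      |    |  <Enter>    - Done;          |
 |  .DRV    wpview.exe   nu.exe      |    |  <ESC>      - Cancel;        |
 |  .DLL    wpview.exe   nu.exe      |    |  <Ins>      - Ins/Ovt;       |
 +-----------------------------------+    |  <Tab>      - Field.         |
                                          +------------------------------+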

To edit an item in the viewer or editor column, press <Tab> to jump to
the desired column. Edit as in any text editor and after you are  done
with editing, press <Enter> to save the edits. You may edit in  INSERT
or OVERTYPE mode, by toggling with <Ins>. Press <Enter> to  finish  or
<Esc> to cancel the edit command.


  Selecting the CRC type

First arrow to EXTENSIONS LIST in the SETUP PARAMETERS menu and  press
<Enter> to pull down a local menu of two  items:  EXTENSIONS  and  CRC
TYPE. On choosing CRC TYPE and pressing <Enter>, the  screen  displays
two panels:

 +- Files: CRC type --+
 |  .COM   Fast       |
 |  .EXE   Fast       | <-- +----------- CRC types selection ------------+
 |  .SYS   CRC16      |     |                                            |
 |  .BAT   CRC16      |     |  FAST CRCs  provide virus protection  and  |
 |  .LIB   No CRC     |     |  high  scan  speed.  For full disk checks  |
 |  .OV?   Fast       |     |  select  CRC16/32/48.  But scan rate will  |
 |  .DRV   No CRC     |     |  be slower.  Use  NO CRC  for  fast  disk  |
 |  .DLL   Fast       |     |  scanning.                                 |
 +--------------------+     |                                            |
                            |  Use keys:                                 |
                            |  <Up>,<Dn>,                                |
                            |  <Home>,<End> - select files;              |
                            |  <Space>      - select CRC type.           |
                            |                                            |
                            +------ <Esc>,<Enter> - end selection -------+

Each file extension  can  be  assigned  a  separate  CRC  type  to  be
calculated while scanning. CRC types available and their functions are:

     CRC type       Function
  
   NO CRC         CRC for the file is not calculated.
  
   FAST           provides safe virus protection at sufficiently
                  fast scanning rate for COM and EXE files only.
  
   CRC16, CRC32,  guarantee complete control over data security
   or CRC48       but at a slower scanning rate.
  
   Macro          Macro CRC is used for MS Word and Excel documents
                  (OLE2 format).
                 
                  Macro CRC is the default setting for DOC, DOT, XLT,
                  and XLS files.  ADinf32 ignores any changes in these
                  files and signals only modifications of their macros
                  and some formulas in Excel files, thus suppressing
                  unnecessary warnings.  However, any infection by
                  macro-virus will immediately be detected.
  


To specify a CRC for a file extension, choose CRC TYPE from the  FILES
LIST menu and press <Enter>. Arrow  to  the  desired  file  extension,
repeatedly press <Space> to set the CRC type. Finally,  press  <Enter>
or <Esc> to finish.

Pro-ADinf also supports LAN64 CRC, i.e., the 64-bit CRC calculated for
the  whole  file  by  the  special  hash function developed by the LAN
Crypto Corporation.
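
The per-extension CRC types above, and the change categories that a
scan reports (new, erased, changed, moved and renamed files), can be
modelled as follows. This is an added example, not ADinf's own code or
table format: only CRC32 and No CRC are modelled, the function names
are hypothetical, and the rule used to pair moved and renamed files
(same size and CRC, with the same name or the same directory) is an
assumption. The sample drive contents are constructed.

```python
import fnmatch
import ntpath
import zlib
from typing import Dict, NamedTuple, Optional

# Extension pattern -> CRC type, in the spirit of the FILES / CRC TYPE panel.
# Assumption: only "CRC32" and "No CRC" are modelled; the page does not say
# how the Fast, CRC16, CRC48, Macro or LAN64 types are computed.
CRC_TYPES = {".com": "CRC32", ".exe": "CRC32", ".sys": "CRC32", ".bat": "CRC32",
             ".ov?": "CRC32", ".lib": "No CRC", ".drv": "No CRC"}
OTHERS = "No CRC"  # type for unlisted extensions in ALL FILES mode


class Entry(NamedTuple):
    size: int
    crc: Optional[int]  # None when the CRC type is "No CRC"


def crc_type_for(path: str) -> Optional[str]:
    """CRC type for a path, or None if its extension is not in the list."""
    ext = ntpath.splitext(path)[1].lower()
    for pattern, crc_type in CRC_TYPES.items():
        if fnmatch.fnmatchcase(ext, pattern):
            return crc_type
    return None


def create_table(files: Dict[str, bytes], all_files: bool = False) -> Dict[str, Entry]:
    """Build a baseline table: path -> (size, CRC or None)."""
    table = {}
    for path, data in files.items():
        crc_type = crc_type_for(path)
        if crc_type is None:
            if not all_files:
                continue  # BY LIST mode: unlisted extensions are not controlled
            crc_type = OTHERS
        crc = zlib.crc32(data) if crc_type == "CRC32" else None
        table[path.upper()] = Entry(len(data), crc)
    return table


def scan(table: Dict[str, Entry], files: Dict[str, bytes],
         all_files: bool = False) -> Dict[str, list]:
    """Compare the current drive contents with the baseline table."""
    current = create_table(files, all_files)
    erased = set(table) - set(current)
    new = set(current) - set(table)
    report = {"changed": sorted(p for p in table.keys() & current.keys()
                                if table[p] != current[p]),
              "moved": [], "renamed": []}
    for old in sorted(erased):
        if table[old].crc is None:
            continue  # size alone is too weak to pair files up
        old_dir, old_name = ntpath.split(old)
        for cand in sorted(new):
            cand_dir, cand_name = ntpath.split(cand)
            if table[old] != current[cand]:
                continue
            if cand_name == old_name:
                kind = "moved"      # same name and content, other directory
            elif cand_dir == old_dir:
                kind = "renamed"    # same directory and content, other name
            else:
                continue
            report[kind].append((old, cand))
            erased.discard(old)
            new.discard(cand)
            break
    report["new"], report["erased"] = sorted(new), sorted(erased)
    return report


def sample_disks():
    """Constructed 'before' and 'after' contents of a small drive."""
    before = {
        r"C:\DOS\FORMAT.COM": b"FORMAT v1 " * 90,
        r"C:\DOS\EDIT.COM": b"EDIT " * 200,
        r"C:\UTIL\NC.EXE": b"NC main " * 300,
        r"C:\UTIL\NC.OVL": b"NC overlay " * 150,
        r"C:\UTIL\MATH.LIB": b"lib " * 500,
        r"C:\DOCS\README.TXT": b"read me " * 10,
    }
    after = {
        r"C:\DOS\FORMAT.COM": b"X" + before[r"C:\DOS\FORMAT.COM"][1:],  # same size
        r"C:\DOS\ED.COM": before[r"C:\DOS\EDIT.COM"],      # renamed in place
        r"C:\TOOLS\NC.OVL": before[r"C:\UTIL\NC.OVL"],     # moved
        r"C:\UTIL\MATH.LIB": b"LIB " * 500,                # changed, but "No CRC"
        r"C:\UTIL\NEW.EXE": b"new program " * 40,
        r"C:\DOCS\README.TXT": b"edited  " * 10,
    }
    return before, after


if __name__ == "__main__":
    before, after = sample_disks()
    for kind, items in scan(create_table(before), after).items():
        print(f"{kind:8} {items}")
```

The same-size change to MATH.LIB goes unreported because its extension
is set to No CRC, which is the speed-for-coverage trade-off the CRC
type table describes.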


 INFO UNDER CHECK

menu contains nine items for setting the parameters so that ADinf  may
check the drives the way you want it to do:

         EXTENSIONS
         STABLE FILES
         BOOT SECTORS
         BAD CLUSTERS
         DIRECTORIES
         SKIP TREES
         HDP TABLES
         SS NEW FILES
         SS CHANGED


  EXTENSIONS

Advanced Diskinfoscope can check ALL FILES on your disks or only files
BY LIST of file extensions you specified.

If you  want  to  keep a rigorous control over your disks,  choose ALL
FILES from the EXTENSIONS submenu. But to save time, you may limit the
extensions of files to be checked.  The previous section describes how
to edit the file extension list.

The list of files to be scanned can be specified  separately  for  the
COMMON and PERSONAL mode in the OPTIONS menu.  COMMON mode defaults to
BY LIST for scanning COM,  EXE, SYS, BAT, BIN, LIB, OV?, DRV, PGM, and
DLL files only. This list is quite adequate to safeguard against virus
infection.  PERSONAL mode defaults to ALL FILES for scanning,  but the
list contains additionally BAK, ZIP, ARJ, PAK, LZH, PIF files. You may
however edit the default list of file extensions to specify  files  to
put under ADinf control.

If  you  use  ALL  FILES  for  scanning,  extension  list  gives  some
information for all other extensions,  i.e. CRC type and viewer/editor
names.


  STABLE FILES

panel specifies a list of files which  should  always  remain  intact.
ADinf  checks these files by their LAN64 checksums and will report any
slightest modification in a stable file  as  suspicious.  To  edit  an
entry in this list, arrow to the desired filename and press <Enter>. A
cursor appears.  Now edit the filename as in a text editor.  Once  you
are done with editing,  press <Enter>. Press <Del> or <Bksp> to delete
a filename from the list.

The wildcard characters "*" and "?"  can  also  be  used  in  filename
specifications.


  BOOT SECTORS

panel tells ADinf to check or not to check the boot sector of a drive.
By default, ADinf only checks the boot sector of drive C. If drive C is
compacted, only the boot sector that contains the boot record will be
checked.

In certain cases,  you may have to disable the boot sector checks. For
example,  the boot sector checks must be disabled for the drives  that
are compacted by DoubleSpace,  DriveSpace,  Sstor, or Stacker, because
these space saving programs constantly modify the boot sectors of  the
drives which they compact.


  BAD CLUSTERS

panel tells  ADinf  to check or not to check for bad clusters that are
newly created in a drive.  You handle this panel in the  same  way  as
described in the previous paragraph.  By default, this mode is switched
on.


  DIRECTORIES

panel tells ADinf to check or not to check for changes (newly  created
and deleted directories) in the directory tree of a drive. By default,
this mode is switched on.


  SKIP TREES

tells ADinf  to  skip  its  checks  for  those  directories  that  are
frequently accessed or the directories  containing  frequently  edited
files.  To set this up, ADinf must first have created its tables  for
the drives in your machine (they are created automatically when ADinf
is installed for the first time, and you can create them  afresh  any
time you like by choosing CREATE TABLES from the MODE  title  of  the
main menu).  Once the tables exist, first go to OPTIONS  =>  SETUP
PARAMETERS => INFO UNDER CHECK => SKIP TREES.

Then arrow to the desired drive in column  at  the  left-edge  of  the
panel,  press  <Tab>  or  <Enter> to display the directory tree of the
selected drive,  arrow to the desired directory  or  subdirectory  you
want  to exclude from the ADinf checks and press <Enter> (or click the
mouse).

The selected directory is then displayed in a contrasting  color,  all
others  in  black.  You  can  also  deselect  the  subdirectories of a
selected directory.

In a  checking  session,  ADinf  also  scans  those  directories   and
subdirectories  marked  for  exclusion  from checks,  only it does not
produce a status report for them,  unless  it  judges  them  to  be
suspicious (see SUSPICIOUS CHANGES).


  HDP TABLES

panel tells ADinf to check or not to check the  Hard  Disk  Parameters
tables  (HDPT)  in the memory in BIOS variable area.  Press <Enter> to
toggle between TABLES ARE UNDER CHECK  and  TABLES  NOT  UNDER  CHECK.
Check  mark  indicates that the item is currently active.  By default,
ADinf does not check the HDPT.


  SS NEW FILES

panel toggles the search mode for stealth viruses in new files between
ON and OFF.  By default,  this mode is switched on.  For details,  see
under SEARCHING FOR STEALTH VIRUSES.


  SS CHANGED

panel toggles the search mode for stealth  viruses  in  changed  files
between ON and OFF.  By default, this mode is switched on. For details,
see under SEARCHING FOR STEALTH VIRUSES.


 TABLE FILE NAME

By default,  ADinf  saves  its  diskinfo  table  for  each  hard  disk
separately in a file in the  same  drive  and  names  it  ADINF=x=.
(where x is the drive name letter).  The viruses which dodge ADinf may
alter the ADinf diskinfo tables.  To fool such viruses, you may rename
the ADinf diskinfo table file.

In the  on-screen  box  displaying  ADINF=x=.,  type a new name and
press <Enter>. If you make a typing mistake or want to change the file
name, back up all the way to first character and retype a new name.


 PERS. TABLES PATH

displays a panel for specifying the full path of the  directory  where
you want ADinf to save the diskinfo tables. If no path  is  specified,
personal tables are saved in the directory where ADinf executable file
is installed or in the directory specified in -p or -home option.


 DRIVE ACCESS TYPE

command defines  how ADinf should access a disk for checking infection
- through BIOS,  or Int 13h or Int  25h/26h.  ADinf  scans  the  disks
partitioned by DOS fdisk utility, directly accessing them via BIOS. If
necessary, you may set Int 13h or Int 25h/26h as the access type for a
drive.

In the panel displaying drive names and their  access  type  (BIOS  by
default), to change the access type of a drive:

     1. arrow to the drive name letter,
     2. repeatedly  pressing  <Space> or <Enter> or clicking the mouse
        left button, set your choice BIOS or Int 13h or Int 25h/26h,
     3. press <Esc> or click the mouse right button to finish.


 TREEINFO.NCD FILE

tells ADinf  to  update  or  not to update the drive TREEINFO.NCD file
created by Norton Commander and Norton Change  Directory  utility.  So
there  is  no  need  to  tell  Norton Commander to scan your drives to
update these files as ADinf compiles the full tree structure  of  your
drives and writes them in the TREEINFO.NCD files. By default this mode
is unselected.


 PATH TO VIEWERS

command  displays  a  panel  for  specifying  the  full  path  of  the
directories where ADinf may search for external viewers  and  editors.
You  may  specify  several paths,  separating them with an intervening
semicolon ";".


 FILE LIST SORTING

command tells ADinf to display the new,  changed,  deleted,  moved and
renamed files in its report after sorting them either by the  filename
extensions or by directories.


 SHERIFF SERIAL NO

command displays a panel for typing  the  first  five  digits  of  the
serial number of the Sheriff protection system,  if it is installed in
your computer (refer to USING ADINF JOINTLY WITH SHERIFF).


 CURE FILE SUPPORT

is active  only  if  ADinf  Cure  Module  is  installed.  This command
activates or disables the ADinf Cure Module - a companion program  for
curing  either by personal or common diskinfo tables.  You get a panel
displaying three items:

     FOR COMMON TABLES
     FOR PERSONAL TABLES
     CURE MODULE SETUP

Arrow to  your  option  and  press  <Enter>  to  pull down a panel for
setting SUPPORT or DON'T SUPPORT. For each drive, set your option with
<Enter>  to  support or not to support curing for the files controlled
by the common or personal tables.


  CURE MODULE SETUP

The last item CURE MODULE SETUP in CURE FILE SUPPORT menu  is  helpful
in customizing the operation of ADinf Cure Module.  On  choosing  this
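item, you get the "Cure Module Setup" dialog panel:

         +------------------ Cure Module Setup -------------------+
         |           Tables type                                  |
         |              (*) Complete                              |
         |              ( ) Abridged                              |
         +--------------------------------------------------------+
         |           Curing mode                                  |
         |              (*) Files of EXE internal structure       |
         |              ( ) Files of given extension              |
         +--------------------------------------------------------+
         |           Edit list of filename extensions...          |
         +--------------------------------------------------------+
         |                   Ok           Cancel                  |
         +--------------------------------------------------------+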

Setting the  cursor  under  the  desired field,  you can choose either
COMPLETE or ABRIDGED tables by pressing the spacebar.  Complete tables
provide 97%  file restoration efficiency.  Abridged tables provide 94%
restoration  efficiency,  but  require  less  disk   space   and   are
perceptibly faster in restoration.

The CURING  MODE field gives two alternatives for choosing the type of
the files to be cured.  Choosing the FILES OF EXE  INTERNAL  STRUCTURE
option,   you  can  cure  files  having  the  EXE  internal  structure
(irrespective  of  the  filename  extension),  as  well  as  files  of
extensions COM,  EXE,  SYS,  BAT,  and XTP. The other option, FILES OF
GIVEN EXTENSION, as its name implies,  restores files of the extension
you specify.  Tables for the first option take longer to construct
and occupy more space than the tables needed for restoring  under  the
second option.

If you choose the FILES OF GIVEN EXTENSION option, the diskinfo tables
contain data about files of extensions COM,  EXE, SYS, BAT, and XTP as
well as about files of extensions which you add to this list. For this
purpose,  choose the EDIT FILENAME EXTENSION LIST and press <Enter> to
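pull down a dialog panel:


         +------------- Edit Filename extension list --------------+
         |                                                         |
         | You can add extensions to the filename extension  list. |
         | ADinf  cure Module currently  supports  the extensions: |
         |                EXE, COM, SYS, BAT, XTP.                 |
         | If you have executable files with other extensions, you |
         | can add by typing them in  the  next  line,  separating |
         |                   them with a comma.                    |
         | +-----------------------------------------------------+ |
         | |                                                     | |
         | +-----------------------------------------------------+ |
         |                  Ok             Cancel                  |
         +---------------------------------------------------------+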

In the text field of this panel, type the filename extensions you want
to add to this list.  Remember, these filename extensions must also be
specified under the filename extension list of ADinf program.



                        4. IF CHANGES DETECTED


        IMPORTANT!  Never  leave  the  changes  reported   by    ADinf
        unattended. If you do not know the  cause  for  such  changes,
        take immediate action to remedy them. If  the  ADinf  messages
        are obscure, refer to the section ERROR AND  WARNING  MESSAGES
        and call for technical help. These  two  simple  measures,  if
        taken in time, will keep your computer  away  from  infectors
        which otherwise may infiltrate unnoticed.


4.1 Responding to ADinf messages

Regardless of the operation mode - batch or interactive - ADinf, after
checking a drive, always prints a scan report on the screen, whether
or not the disk information has changed since the last check. If
there are no such changes and the -a option is not included in the
command line, you get a report like this:

  ---- Drive C: Scan Report ---------------------------------------

      Current time is         23h 45m 13s    15 April  1997
      Tables were created at  23h 11m  6s    15 April  1997

                133 directories and 1276 files scanned

                          No changes found
  ---- Press any key ... ------------------------------------------

After two minutes (counted down in the highlighted bar), unless you
press a key earlier, the next drive (if any) is scanned or you are
returned to the main menu.

If there are any changes in any one of the vital  parameters  of  your
system, the changes are highlighted in the scan report.

The scan report is straightforward and self-explanatory:  therefore we
only describe how to handle it. Press the key in the first column near
a  changed  item to get detailed information about the changes.  These
keys, however, are disabled when ADinf reports OKAY or NONE against an
item in the scan report.  The <Up>,  <Down>,  <PgUp>, <PgDn> keys move
the selection bar over the item list,  <Enter> opens the selected item
and <Esc> clears the table.

  ---- Drive C: Scan Report -------------------------------------------

      Current time is          0h  2m 12s    16 April  1997
      Tables were created at  23h 46m 22s    15 April  1997

               133 directories and 1278 files scanned

  ---- Changes in Diskinfo --------------------------------------------
        F2       Master Boot Sector : Okay
        F3              Boot Record : Okay
        F4          New Bad Cluster : None
        F5          New Directories :    1
        F6      Deleted Directories :    1
        F7            Changed Files : None
        F8                New Files :    9
        F9            Deleted Files :    7
        M               Moved Files : None
        R             Renamed Files :    2

  ---- Use: <Up>,<Dn>,<PgUp>,<PgDn>,<Enter>,<Esc> ---------------------

When ADinf judges that a change in any one of the vital parameters is
"suspicious", it alerts you by superimposing a warning on its scan
report:

    ---- Warning ! ----------------------------------------------------

                        Changes on your drive show
                         signs of  VIRUS ACTIVITY!

             Master boot record damaged
             Boot sector damaged
             No date and time alterations in changed files
             Strange time setting of changed files
             Strange date setting of changed files
             Changes in files marked STABLE
             Stealth-viruses in new or changed files

                              Press Esc...

    -------------------------------------------------------------------

The types of detected changes which ADinf judged suspicious are
highlighted and ticked off on the left of the line.
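
The following added example (not ADinf's own code) shows how comparing
a saved table with a fresh scan can yield the change categories of the
scan report and four of the warning lines above. The Entry layout,
CRC-32 as the checksum, and the tests for a "strange" time or date
(field values that are invalid in a packed FAT timestamp, or a year
later than the scan year) are assumptions; the manual does not define
them.

```python
from dataclasses import dataclass
from zlib import crc32

# Warning texts as they appear in the panel above.
NO_STAMP_CHANGE = "No date and time alterations in changed files"
STRANGE_TIME = "Strange time setting of changed files"
STRANGE_DATE = "Strange date setting of changed files"
STABLE_CHANGED = "Changes in files marked STABLE"

@dataclass(frozen=True)
class Entry:
    path: str            # hypothetical table row; the layout is an assumption
    length: int
    date: int            # packed FAT date: year-1980 (7 bits), month (4), day (5)
    time: int            # packed FAT time: hour (5 bits), minute (6), seconds/2 (5)
    checksum: int        # CRC-32 here, a stand-in for ADinf's own checksums
    stable: bool = False

def pack_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day

def pack_time(hour, minute, second):
    return (hour << 11) | (minute << 5) | (second // 2)

def strange_time(t):
    """True if the packed time holds a value no clock produces (e.g. 62 s)."""
    hour, minute, half_seconds = t >> 11, (t >> 5) & 0x3F, t & 0x1F
    return hour > 23 or minute > 59 or half_seconds > 29

def strange_date(d, scan_year):
    """True if month/day are out of range or the year lies after the scan."""
    year, month, day = 1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F
    return not (1 <= month <= 12 and 1 <= day <= 31) or year > scan_year

def compare(baseline, current, scan_year):
    """Return (report, warnings) for two lists of Entry rows."""
    old = {e.path: e for e in baseline}
    new = {e.path: e for e in current}
    report = {k: [] for k in ("new", "deleted", "changed", "renamed", "moved")}
    warnings = set()

    # Paths present in both tables: detect changes, then apply the heuristics.
    for path in sorted(old.keys() & new.keys()):
        was, now = old[path], new[path]
        content = (was.length, was.checksum) != (now.length, now.checksum)
        stamp = (was.date, was.time) != (now.date, now.time)
        if not (content or stamp):
            continue
        report["changed"].append(path)
        if content and not stamp:
            warnings.add(NO_STAMP_CHANGE)   # body altered, timestamp kept
        if content and was.stable:
            warnings.add(STABLE_CHANGED)
        if strange_time(now.time):
            warnings.add(STRANGE_TIME)
        if strange_date(now.date, scan_year):
            warnings.add(STRANGE_DATE)

    # A vanished and an appeared path with equal contents are one file:
    # renamed if the directory is the same, moved otherwise.
    vanished = {}
    for path in sorted(old.keys() - new.keys()):
        e = old[path]
        vanished.setdefault((e.length, e.checksum, e.date, e.time), []).append(path)
    for path in sorted(new.keys() - old.keys()):
        e = new[path]
        sources = vanished.get((e.length, e.checksum, e.date, e.time))
        if not sources:
            report["new"].append(path)
            continue
        src = sources.pop(0)
        same_dir = src.rpartition("\\")[0] == path.rpartition("\\")[0]
        report["renamed" if same_dir else "moved"].append((src, path))
    report["deleted"] = sorted(p for paths in vanished.values() for p in paths)
    return report, warnings

def entry(path, data, date, time, stable=False):
    return Entry(path, len(data), date, time, crc32(data), stable)

# Constructed sample tables (not real ADinf data).
D15, D16, T15 = pack_date(1997, 4, 15), pack_date(1997, 4, 16), pack_time(23, 11, 6)
BASELINE = [
    entry("C:\\COMMAND.COM", b"shell v1", D15, T15, stable=True),
    entry("C:\\PRG\\800.COM", b"tool 800", D15, T15),
    entry("C:\\DOC\\OLD.TXT", b"draft", D15, T15),
    entry("C:\\DOC\\NOTES.TXT", b"notes", D15, T15),
    entry("C:\\TMP\\SCRATCH.DAT", b"scratch", D15, T15),
]
CURRENT = [
    entry("C:\\COMMAND.COM", b"shell v1 plus appended bytes", D15, T15, stable=True),
    entry("C:\\PRG\\800.COM", b"tool 800 plus appended bytes", D16, pack_time(0, 2, 62)),
    entry("C:\\DOC\\NEW.TXT", b"draft", D15, T15),
    entry("C:\\WORK\\NOTES.TXT", b"notes", D15, T15),
    entry("C:\\README.TXT", b"readme", D16, pack_time(0, 15, 12)),
]

if __name__ == "__main__":
    report, warnings = compare(BASELINE, CURRENT, scan_year=1997)
    print(report, sorted(warnings), sep="\n")
```

In the sample, COMMAND.COM changes in content while keeping its
timestamp, and 800.COM carries a seconds value of 62, so three warning
lines are raised.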

When you get this warning and ADinf Cure Module is installed on your
machine, press <Esc> to call the panel:

  ---- Do you wish to update diskinfo table ? ----------------------

     Update     Don't update        Cure      Save log in file

  ------------------------------------------------------------------

On choosing  CURE,  all  other  drives will be checked and you will be
prompted to insert the bootable ADinf Cure Module diskette into  drive
A and finally to reboot the system.

If you do not have ADinf Cure Module, then on seeing this warning
immediately abort ADinf and run some virus scanner, say, Doctor Web
or any other.

Anti-virus utilities, despite their ability to detect and remove
viruses, are nevertheless limited in their efficacy: they safeguard
you only against the viruses they recognize and are helpless if some
new virus has infiltrated your machine. This is where ADinf comes to
your rescue. Closely study the "suspicious" changes it highlights in
its scan report. If you cannot diagnose the cause of these changes,
call a technical service agency.

Certain viruses, while infecting a file, corrupt its creation time and
date. Although ADinf does not report such changes as "suspicious", if
you find a large number of files with changes, particularly in system
files like COMMAND.COM or NC.EXE, you must be on the alert and remedy
the situation.

Now press <Esc> to clear the scan report, and ADinf will respond:

      ---- Do you wish to update diskinfo table ? ------------------

           Update       Don't update     Save log in file

      --------------------------------------------------------------

To save the scan report in a file,  choose SAVE LOG IN FILE and  press
<Enter>.  You  are  prompted  to type a name for the log file.  Either
accept the name proposed in the panel (report is saved in a  log  file
in the directory where ADinf is installed) or type a name,  indicating
the path, say,

     c:\adinf\adinf.log

and press <Enter>.  If  the  pathname  is  wrongly  specified  or  the
diskette is write-protected, you get a warning.

Fix up  the mistake and press <Enter>.  After saving the report in the
log file,  ADinf will reprint the above panel on  the  screen.  Choose
either UPDATE or DON'T UPDATE and press <Enter> to clear the panel.


4.2 Changes in memory size

At every start,  ADinf checks the memory allotted to DOS.  This memory
size may change due to mechanical faults in the  memory  chips  or  to
installation  of resident programs and drivers occupying higher memory
addresses.  Many viruses also  reside  in  higher  addresses,  thereby
reducing  the  memory  allotted to DOS.  When the memory size changes,
ADinf alerts you as follows:

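        ---- Attention! -------------------------------------------

               Memory size in your computer changed!

             Old size: 640K,  New size: 639K (Change 1K)

               Maybe, boot infector in your computer!

          Save new size in table           Continue

        -----------------------------------------------------------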

If you know for certain why the DOS memory area has been changed,  you
may choose SAVE NEW SIZE IN TABLE.  ADinf will then  resume  scanning.
The  new memory size saved in the table will be used in all subsequent
sessions. If you do not know the reason, choose CONTINUE. Be attentive
to every change ADinf reports.

Memory size  may  also  increase,  say,  when you remove some resident
driver which snatches memory from DOS.  In such cases you get a milder
message:

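        ---- Attention! -------------------------------------------

               Memory size in your computer changed!

             Old size: 639K,  New size: 640K (Change 1K)

          Save new size in table           Continue

        -----------------------------------------------------------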

If you  know why the DOS-resident memory area has been increased,  you
may choose SAVE NEW SIZE IN TABLE and press <Enter> to resume scanning.


4.3 Changes in master boot record or boot sector

On detecting  any  change  in  the  master  boot record containing the
partition table or a change in the boot sectors of your drives,  ADinf
alerts you by the warning:

         ---- Attention! --------------------------------------------

                       Boot record changed!

                   Maybe, virus in your computer!

           System areas may be modified not only by viruses,
           but also by certain legal actions, e.g., when the
           operating system is upgraded or replaced. You can
           either restore the previous status from ADinf disk
           info tables or continue to observe the modifica-
           tions. If in doubt as to whether the boot sector
           can be restored or not, stop work and call for
           technical help of an expert technician.

             Continue         Restore        More...

         -------------------------------------------------------------

Choosing MORE...,  you  can compare the contents of your system tables
before and after modifications.  If you are unable to  decipher  these
changes, switch off the computer and call for technical help.

If you are certain that the changes in your boot  sector  are  due  to
virus  activity  or  to  program  bugs,  you can restore your original
sector,  choosing RESTORE.  On pressing <Enter>, ADinf ascertains your
intention, and, after your confirmation, ADinf will repair your system
by copying the images of the original sectors saved  in  its  diskinfo
tables.

Prior to restoring the boot sector, ADinf will prompt you to type a
name for the file in which to save the infected boot sector for future
detailed analysis. If you don't want to save the infected boot sector,
simply press <Esc> to clear the query panel.

After repairing the boot sector, you are prompted to reboot your
system. Do reboot the system - otherwise the virus may still reside in
memory and infect your disk anew.


4.4 New bad clusters

New bad clusters may appear on your disk in two different ways. When
some disk manager like Norton Disk Doctor is run to test the disk
surface, unusable clusters are marked BAD by these diagnostic
programs. In such cases, the message on new bad clusters in the scan
report is unimportant and ADinf will not warn about new bad clusters
in subsequent sessions.

If you have not tested your disk with such a diagnostic program,
new bad clusters, if any, are evidently due to recent virus infection.
Continue  to  check your disk and pay special attention to all changes
reported by ADinf.  As a rule,  a virus hiding in a cluster,  which it
marks  BAD  to  dodge detection,  inevitably corrupts the boot sector,
partition table or files as the virus takes over control from them for
its malicious activity.


4.5 Changes in file system

Advanced Diskinfoscope is not just an anti-virus utility, but a
full-fledged diagnostic center - it detects any change that has
occurred in the diskinfo. For example, the sample scan report
reproduced above shows that one directory has been newly created since
the last check. On pressing <F5>, the directory tree of the drive
scanned is displayed, highlighting the name of the newly-created
directory (EXAMPLE) in a contrasting color (yellow):

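        ---- New directories -----------------------------------
         \
         EXAMPLE
          EXE
          WINDOWS
          DOC
            HELP
           INTERRPT
              A
              B
              C
            DOS.DOC
         BC
            LIB
            BIN
            INCLUDE
        --------------------------------------------------------
        Full Name:                  Cluster: 700 <2BCh>
        C:\EXAMPLE
        ---- Files:<Enter>; Exit:<ESC> -------------------------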

Using the <Up>, <Down>, <PgUp>, <PgDn> keys, move the selection bar to
some directory and press <Enter>.  A panel displays the files  in  the
directory that are under control. If there are no files under control,
you get a NO FILES UNDER CHECK message.  Press <Esc> (or  <Enter>)  to
clear the panel.

Likewise, if  you  open  a  deleted directory entry highlighted in the
scan report,  the panel displays a  list  of  files  that  were  under
control in the directory before deletion.

If the ADinf scan report shows any newly created, renamed, moved,
deleted or changed files, you can view detailed information about
these changes. The sample scan report shows that nine new files have
been created in drive C since the last check. Press <F7> to list the
newly created files.

        ---- New files --------------------------------------------

         C:\ADINF\ADINF.LOG
         C:\WORD\ADINFMAN.DOC
         C:\PCZ\PCXGRAB.EXE
         C:\README.TXT
         C:\NC\INREAD.TXT
         C:\WINWORD\HELP.DOC
         C:\WINDOWS\CONTROL.EXE
         C:\MASTER\MANUAL.LST

        -----------------------------------------------------------
        File information:
        Date:   16 April 1997
        Time:   0h 15m 12s
        Length: 1962              Cluster: 58899 (E613h)
        ---- View <F3>; Edit <F4>; Delete <Del>; Exit <Esc> -------

To view  and edit a file in the panel,  arrow to it and press <Alt+F3>
or <Alt+F4> to view or  edit  it.  If  a  viewer  and  an  editor  are
associated  with  the  extension  of a file,  it is opened on pressing
these keys.  The directories where ADinf searches for external viewers
and  editors  are  specified  in  a  list showing their full pathnames
separated by a semicolon.  You can edit this list, choosing OPTIONS =>
PATH  TO  VIEWERS  from  the main menu or  pressing  <Alt+P>.   If  no
viewer or editor is specified in the FILE EXTENSION  LIST  (see  under
REVISING  THE  FILE EXTENSION LIST),  you will be prompted to select a
MASTER viewer or an editor,  depending on the keys pressed.  Type  the
command line of the viewer or editor and press <Enter>. Or press <Esc>
to cancel the command.

If the viewer associated with  a  file  extension  is  unsatisfactory,
press  <Shift+F3>  and  <Shift+F4>  to  quickly change over to another
viewer and editor to experiment whether better display is possible. On
pressing  these  keys,  you  are prompted to select a MASTER VIEWER or
MASTER EDITOR.  Type the name of some other viewer or editor and press
<Enter>.  Then  you  can view or edit the file through newly specified
viewer or editor. Press <Esc> to cancel the panel.

Pressing <F3>,  you may use the simple built-in viewer  activated  via
BIOS.

To delete  a  file of changed information,  arrow to the file name and
press <Del>.  ADinf will delete the file only after ascertaining  your
intention.

NOTE. External  viewers and editors do not display many of the stealth
      viruses,  because they  access  disks  via  DOS,  whereas  ADinf
      detects  them  by  scanning  a  disk  via  BIOS.  Use the simple
      built-in viewer (pressing <F3>) in such cases.



                     5. RUNNING ADINF CURE MODULE

ADinf Cure Module runs in three different modes:

     1. Creating diskinfo tables for the files in your machine,
     2. Updating diskinfo tables, and
     3. Curing infected files.


5.1 Creating and Updating Diskinfo Tables

In table  creating  and  updating  modes,   ADinf   Cure   Module   is
automatically initiated upon the completion of an ADinf session.

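 ---- Creating ADinf Cure Module Tables ------------------------------

  ADinf Cure Module tables are being created for the first time. It
  is the only operation that takes some time to finish. Thereafter,
  tables are updated automatically almost instantly.

 ---------------------------------------------------------------------
  D:\BC45\BIN\PVIEW.EXE
  D:\BC45\BIN\RC.EXE
  D:\BC45\BIN\RC2MSG.DLL
  D:\BC45\BIN\RCDLL.DLL
 ---------------------------------------------------------------------
               ---- Completed 41% ---------------------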

Tables are created only once for a machine. This is the only operation
that  takes some time to complete.  If necessary,  diskinfo tables for
ADinf Cure Module are automatically updated at the  end  of  an  ADinf
session.

Diskinfo tables require some hard disk space,  e.g., about 500Kb for a
200Mb disk holding a large number of programs.  For updating  diskinfo
tables,  there must be free disk space slightly more than the original
table size.


5.2 File Curing Mode

For curing  an  infected  file,  the  computer  must be started from a
bootable curing diskette.  The curing diskette  must  be  prepared  in
advance  as described in the section INSTALLING ADINF CURE MODULE.  It
is quite  important  that  the  curing  diskette  is  write-protected,
otherwise the curing module will not be initiated.

Insert the  curing  diskette  into  drive A and reboot the computer by
pressing the RESET button on the computer system case.  Alternatively,
you  may also power down and then power on the computer.  The computer
will be booted from the curing diskette,  and the  screen  displays  a
menu of two commands:

1. Restore infected files
2. Test drive accessibility

Choose RESTORE INFECTED FILES.  An on-screen panel will prompt you  to
choose the type of diskinfo tables for curing:

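         ---- ? ---------------------------------------------------

                     Which tables to process ?

                    Common            Personal

         ----------------------------------------------------------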

Choose the type of ADinf diskinfo table (common or personal) that  was
used in the scanning session in which a request for curing was made.

If you  choose  COMMON,  the  screen  displays a LIST OF CHANGED FILES
showing the names of files that ADinf reported as changed in the  last
scanning session.

If you choose PERSONAL, prior to displaying the list of changed files,
you are prompted to specify the pathname of the  directory  containing
the personal tables:

         ---- PERSONAL Tables -------------------------------------

                  Type the path to PERSONAL tables
                         in the line below:

          C:\ADINF\
         ----------------------------------------------------------

By default, this is the directory in which ADinf is installed.

After typing  the pathname or if the pathname in the panel is correct,
press  <Enter>.  An  error  message  is  displayed  if  the  specified
directory  does not contain the personal tables,  and you are prompted
to type the correct pathname once again.

If the pathname of the directory containing  the  personal  tables  is
correctly specified, you get a list of changed files:

  ---- List of changed files ---------------------------------------
     D:\PRG\800.COM
     D:\PRG\900.COM
     D:\PRG\PKUNZIP.EXE
     D:\PRG\PKZIP.EXE
     D:\PRG\PKZIPFIX.EXE
     D:\PRG\RAR.EXE

  ---- Choose files for restoration and press <Enter> --------------
   File 1 from 6
   Filename: D:\PRG\800.COM
   File information is consistent with the current disk status.
   Restoration is possible.
   File not included in the list of files for restoration.
  ------------------------------------------------------------------

To select a file for curing from this list, highlight its filename and
press <Space>.  To cancel a selection,  press <Space> once again.  Any
number of files can be selected for curing.  A selection is  indicated
by a tick mark on the left of the filename. Full information about the
currently selected file is given at the bottom of the panel. To select
all files in the panel,  press <Gray+>. To cancel the selection of all
files, press <Gray->. Press <F1> to get help on the usage of keys.

  ---- List of changed files ---------------------------------------
    D:\PRG\800.COM
    D:\PRG\900.COM
    D:\PRG\PKUNZIP.EXE
    D:\PRG\PKZIP.EXE
    D:\PRG\PKZIPFIX.EXE
    D:\PRG\RAR.EXE

  ---- Choose files for restoration and press <Enter> --------------
   File 1 from 6
   Filename: D:\PRG\800.COM
   File information is consistent with the current disk status.
   Restoration is possible.
   File included in the list of files for restoration.
  ------------------------------------------------------------------

After completing the selection of files for curing,  press <Enter>.  A
query ascertains whether you wish to save a copy of the infected files
for subsequent analysis:

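    ---- ? --------------------------------------------------------

         Save infected files after successful restoration ?

        Infected files are saved under the original name but
        the last two letters in extension are changed to VR.

        Save the 1st file    Don't save    Save all files

    ---------------------------------------------------------------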

You may save all infected files or only one file (the first
successfully repaired file) for subsequent analysis. If you wish to
save only the first successfully repaired file, choose the SAVE THE
FIRST button. If you wish to save a copy of all infected files, choose
the SAVE ALL button. A copy of an infected file after curing is saved
under the original filename, but the last two characters of its
extension are replaced by VR; for example, EXE and COM files are
assigned the extension EVR and CVR, respectively.

If you choose DON'T SAVE, infected files are deleted after restoration
and no copies of infected files are saved.

Finally, restoration of chosen files is started and an on-screen panel
shows the progress of curing procedure:

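    ---- Wait please, restoring the files -------------------------

      D:\PRG\800.COM
      D:\PRG\900.COM
      D:\PRG\PKUNZIP.EXE
      D:\PRG\PKZIP.EXE
      D:\PRG\PKZIPFIX.EXE
      D:\PRG\RAR.EXE
    ---------------------------------------------------------------
               ---- Completed 83% ---------------------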

Certain files may require some time to be restored. In such cases, a
message panel will report the time needed for restoration:

            --------------------------------------------------
                         Restoring file:
                          D:\PRG\800.COM

              Restoration time may take 5 to 10 min.
               To abort restoration press <Esc>.
            --------------------------------------------------

Restoration procedure can be aborted at any time  by  pressing  <Esc>.
Upon the completion of the restoration procedure,  the screen displays
a restoration report:

    ---- RESTORATION REPORT ---------------------------------------

                      Out of 6 selected files

                      Restored       - 6
                      Not restored   - 0
                      No information - 0
    ---- Press any key --------------------------------------------

Press any key to close the report panel.  Then the screen  displays  a
panel showing the pathnames of files selected for restoration.

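  ---- RESTORATION REPORT ------------------------------------------
    D:\PRG\800.COM
    D:\PRG\900.COM
    D:\PRG\PKUNZIP.EXE
    D:\PRG\PKZIP.EXE
    D:\PRG\PKZIPFIX.EXE
    D:\PRG\RAR.EXE

  ---- Press <Enter> to close the panel ----------------------------
   Restored 6 out of 6. Not restored - 0.
   Filename: D:\PRG\800.COM
   File restored.
  ------------------------------------------------------------------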

The names of successfully repaired files are marked with a tick on the
left of the filenames. Highlighting a filename from this list, you can
view a full report on the restoration of the file in the lower panel.

If a file is marked as restored, ADinf Cure Module guarantees that the
restored  status  fully  agrees  with  the pre-infection status of the
file.  ADinf  Cure  Module  verifies  the  restored  status  by  three
different  (16-  and  32-bit) checksums independently computed for the
whole file.

After viewing the restoration  report,  press  <Enter>  to  close  the
panel. A query will ascertain your intention:

              ---- Close the panel ? ----------------------
                         Yes             No
              ---------------------------------------------

To close  the  restoration report panel,  choose YES.  Another message
panel reports in detail how successfully each file has been  restored.
In case of successful restoration of all files, the screen displays an
appropriate message:

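    ---- Attention! -----------------------------------------------

                  ALL FILES RESTORED SUCCESSFULLY!

                           Press <Enter>
    ---------------------------------------------------------------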

Now, press  <Enter>.  You will be prompted to remove the diskette from
the drive and to reboot the computer:

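    ---------------------------------------------------------------

                ADINF CURE SHELL MISSION COMPLETED.

                  Remove the diskette from drive A: and
                   press any key to reboot.
    ---------------------------------------------------------------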

For the files that did not yield to curing,  you will be  prompted  to
rename or delete them:

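    ---- ? --------------------------------------------------------

                   Delete the unrestored files ?

       Unrestored files are saved under the original name but
        the last two letters in extension are changed to VR.

       Don't delete  Except the 1st     Rename     Delete

    ---------------------------------------------------------------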

Choose DON'T DELETE to save the infected files.  Choosing RENAME,  you
can rename the unrepaired files.  While  renaming  an  infected  file,
ADinf  Cure Module replaces the last two characters in the filename by
VR.  For example, EXE and COM files are assigned the extension EVR and
CVR, respectively.

The files that did not yield to restoration can be simply deleted by
choosing DELETE. If you wish to delete all unrepaired files, except
for the first file in the order of occurrence in the changed file
list, choose EXCEPT THE FIRST.

If unrepaired files exist on the hard disk upon exiting ADinf Cure
Module, a warning is displayed:

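    ---- Attention! -----------------------------------------------

                  There are some unrestored files.

                           Press <Enter>
    ---------------------------------------------------------------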

On pressing <Enter>, a panel recommends the measures for fixing up the
situation:

    ---- ATTENTION! -----------------------------------------------

        ADinf Cure Module could not restore certain files.
        Run Dr.Web;  it may restore them, if the virus  in
        your computer is known to it.  If Dr.Web  fails to
        cure the files, try some other antivirus  utility.
        Eventually, even if this does not help, delete the
        infected files and reinstate a fresh copy of them
        from their master diskettes.
    ---------------------------------------------------------------

After reading these instructions,  press  <Esc>  to  quit  ADinf  Cure
Module.  A  message prompts you to remove the curing diskette from the
drive and to reboot the computer.


5.3 Unrepaired Files: Recommended Measures

If ADinf Cure Module fails to kill some virus, run Doctor Web, or some
other virus scanner/remover. If the virus in your computer is known to
these anti-virus programs,  they will kill it. Finally, run ADinf once
again  as  a confirmation test.  If the scanning report still contains
changed files, run ADinf Cure Module once again. Secondary curing will
clean   up   your  system  from  all  minor  modifications  inevitably
introduced in files by anti-virus utilities, though such modifications
have hardly any effect on the program performance. But it is better to
be confident that your files have  been  restored  in  toto  to  their
original   shape.  Finally,  run  ADinf  once  again,  paying  special
attention to the files that were reported as changed in  the  previous
runs.  Anyway,  check  up the performance of an application program by
actually running it.



                      6. INCOMPATIBILITY REPORT

The following is a list of equipment and programs which have been
found to be incompatible with ADinf. It also recommends ways to work
around such problems.


  ASPI2DOS.SYS DRIVER

SYMPTOM  ADinf versions earlier than 9.25 hang up on starting.

CAUSE    Due to a bug in the Int 13h handler in ASPI2DOS.SYS, on
         machines with one physical disk, an attempt to execute Int
         13h for the second disk makes the driver hang up instead of
         returning normally with the Carry Flag set.

REMEDY   Use ADinf version 9.25 or higher.


  SCSI-DISKS WITH LOADABLE DRIVERS

SYMPTOM  After scanning  the  disk,  ADinf  hangs up while writing the
         diskinfo tables and reports "10% written".

CAUSE    When the SCSI-hard disk is managed by  its  loadable  driver,
         ADinf cannot access the disk directly via BIOS.

REMEDY   In the ADinf menu, specify Int 13h as the ACCESS TYPE for all
         drives (though virus protection is less reliable) or  disable
         the SCSI-hard disk driver, if this is possible.


  SOME RARE TYPES OF BIOS

SYMPTOM  On certain  machines  with rare types of BIOS,  ADinf version
         9.12 or higher may hang up, printing "OPENING DRIVE C" in the
         message box at the screen bottom, or display false alarms.

CAUSE    Beginning from version 9.12,  ADinf uses a special  mechanism
         to trap the viruses hiding at the hard disk controller level.
         This mechanism may conflict with certain, particularly, older
         BIOS versions.

REMEDY   Run ADinf with the -76 command option. Please inform us of
         the version number of your BIOS (8 bytes at the address
         F000:FFF5) so that we can update the ADinf internal
         incompatibility table to avoid conflicts with such a BIOS.


  AMOUSE.COM MOUSE DRIVER

SYMPTOM  On starting  ADinf in a machine installed with the AMOUSE.COM
         mouse driver,  the screen  is  blacked  out  or  filled  with
         "garbage".

CAUSE    Incompatibility of  pseudographic cursor support library used
         in ADinf with the AMOUSE.COM mouse driver.

REMEDY   Disable the  pseudographic  mouse  cursor  by  including  the
         -nam command  option while running ADinf and use the standard
         cursor instead.


  CMD640X2.SYS DRIVER

SYMPTOM  ADinf hangs up, displaying the message "Opening the disk".

CAUSE    The CMD640x2.SYS driver supports 32-bit access to IDE disks
         under MS-DOS. This driver intercepts and handles Int 76h,
         which the IDE controller generates upon the completion of
         every disk operation. Certain stealth viruses use this
         interrupt for hiding their presence in the machine. To
         prevent these viruses from doing so, ADinf intercepts and
         handles Int 76h, thereby conflicting with this driver.

REMEDY   Run ADinf  with  the -76 command option to prevent ADinf from
         intercepting Int 76h (see also QUESTIONS AND ANSWERS).



                    7. ERROR AND WARNING MESSAGES

Advanced Diskinfoscope is intelligent and  user-friendly.  Whenever  a
situation  is  precarious,  it  warns  you;  whenever  your  action or
response is illegal or unwarranted,  it displays an error message. The
following  is an alphabetical list of error and warning messages ADinf
may display in a session.  The cause for each message,  followed by  a
brief description of actions you can take, are given.


     BEFORE DOS WAS LOADED INT 13H WAS POINTING TO RAM
     (NOT TO ROM BIOS)

This warning may appear when ADinf is started for the first  time.  At
the  first  start it determines the value of the Int 13h vector before
DOS was loaded and checks if the vector was pointing to BIOS  or  not.
If not, it warns you and determines its address by another method.


     CANNOT CREATE FILE FOR WRITING LOG

ADinf reports that it cannot create a file for writing the log if you
do not properly specify the pathname or if the diskette is
write-protected.


     CANNOT START PROGRAM <name>

When you called an external viewer or editor, ADinf could not start
it because of insufficient memory, an incorrect name, or because its
directory is not specified in the PATH TO VIEWER settings. You can
specify a path by pressing <ALT+P>.


     DISK x: ACCESS DENIED

By this message ADinf says it cannot read the boot sector of the drive
under  check,  for  example,  if the diskette is not inserted into the
drive or if you try to check a network drive.


     ERROR WHILE CHECKING DRIVE

ADinf was not able to read the sectors in the current  drive.  Restart
it once again and if the error persists,  test the hard disk with some
diagnostic tool.


     ERROR WHILE RESTORING

This message is displayed when ADinf encounters a writing error  while
restoring  the  master boot record or the boot sector.  Try to restore
your system by running ADinf once again.  If the error persists,  test
the hard disk with some diagnostic tool.


     ERROR WHILE WRITING LOG FILE

ADinf could not create a file for writing the log: the pathname is not
properly specified, the diskette is write-protected, or there is not
enough room for writing the log file.


     ERROR WHILE WRITING TABLE

This message is displayed when the diskette is write-protected or when
there isn't enough free room to write the tables.


     HARD DISK PARAMETER TABLE IN BIOS VARIABLES AREA FOR PHYSICAL
     DRIVE 80H CHANGED!

ADinf complains of such changes whenever you replace the hard drive in
your system. In such cases, choose SAVE NEW INFO from the warning
panel and press <Enter>. ADinf will do the rest for you. If, however,
you have not replaced the hard drive, this message may be a warning of
a virus attack on your computer. In such cases, choose MORE INFO from
the warning panel and press <Enter> to obtain detailed information
about your Hard Disk Parameter Table. Certain resident programs or
some BIOSes may modify the hard disk parameter table; if this
message is displayed frequently, disable this check by choosing the
TABLES NOT UNDER CHECK command through the path: OPTIONS > SETUP
PARAMETERS > INFO UNDER CHECK > HDP TABLES > TABLES NOT UNDER CHECK.
By default, this check is disabled.


     IN ADINF NON-COMMERCIAL VERSION YOU CANNOT WRITE LOG.
     PLEASE, BUY A FULL-FLEDGED ADINF VERSION.

The message is straightforward and needs no explanation.


     INSUFFICIENT MEMORY

This message tells you that ADinf failed to execute some operation due
to  lack  of  memory  space.  If  you  get  this  message,   terminate
unnecessary  resident  programs  and  drivers,  reboot your system and
start ADinf once again.


     INVALID KEY

ADinf displays this error message, if you have typed an invalid option
in  the  command  line.  Check  up  your  command line and restart the
program.


     INVALID OPTION IN COMMAND LINE

ADinf displays this message, if you have typed an invalid drive in the
command  line  or  forgotten  to  type  a hyphen or a slash before the
command options. Check up your command line and restart the program.


     LENGTH OF ADINF.EXE FILE CHANGED

This message is displayed when the ADinf executable file is infected.
If you get this message, continue scanning, carefully note the changes
reported by ADinf and take appropriate measures.


     MAY BE, ADINF.EXE FILE INFECTED.
     PAY SPECIAL ATTENTION TO CHANGES IN FILES

At every  start  ADinf  runs special self-infection tests.  If you get
this message,  continue scanning and carefully  note  the  changes  it
reports and take appropriate measures.


     NO DISKINFO TABLE FOR DRIVE x:

This message may appear under several circumstances:

     1. No diskinfo tables were ever created for the drive;
     2. Diskinfo tables were created with a different ADinf version;
     3. Diskinfo tables have been corrupted;
     4. TABLES item in OPTIONS menu is not properly set; e.g.,
        you might have created common tables, but you are testing
        the machine under personal tables or vice versa;
     5. Diskinfo tables were renamed;
     6. Path to personal tables in PERS. TABLES PATH  item in SETUP
        PARAMETERS changed.

The error that generated this warning is diagnosed in the message. You
will be prompted to create new tables to fix up the problem.


     NUMBER OF PHYSICAL HARD DRIVES CHANGED: OLD: x, NEW: y

This message is displayed whenever a disk is removed from or added to
the system. In such cases, the names and number of logical disks may
also change. Therefore, the diskinfo tables must be created anew. This
message in a computer in which no disk was added or removed is a clear
indication of virus attack.

This message may also be displayed in  a  computer  equipped  with  an
external disk BACK PACK Microsolution through a parallel port, because
the driver of such disks informs ADinf that the  disk  is  a  physical
non-removable disk.

To fix  up  this  problem,  specify  the  number  of disks permanently
connected to the computer with the help of the -hd command option. For
full information on the -hd option, refer to the section RUNNING ADINF
IN BATCH MODE.


     SORRY, ILLEGAL COPY, SIR!
     NEITHER SHALT THOU STEAL.
             -THE TEN COMMANDMENTS

ADinf is copy-protected.  When installed illegally on  a  computer  it
does not function and displays this message which may also appear even
when a legal program is copied from one computer to another.  In  such
cases, reinstall it from the original distribution diskette.


     THERE ARE MORE THAN xxx DIRECTORIES (FILES) ON THE DISK

From version 10.00, ADinf can control about 32000 files and
directories. This message may appear if ADinf failed when analyzing
the disk structure. Check your disk with CHKDSK, SCANDISK or Norton
Disk Doctor.


     WRONG PATH. PRESS ALT+P TO SPECIFY PATHS.
     MULTIPLE PATHS ARE ALLOWED;
     A SEMICOLON (;) MUST SEPARATE PATHS.

This message is displayed when ADinf doesn't find any external viewer
or editor. Directories where ADinf searches for external viewers and
editors must be specified in a panel showing their full pathnames
separated by a semicolon ";". You can edit the path by choosing
OPTIONS > PATH TO VIEWERS from the main menu or pressing <Alt+P>.


     THE HARD DISK PARTITION TABLE HAS AN ENTRY WHICH REQUIRES
     A BIOS  WITH  SUPPORT FOR  LOGICAL BLOCK ADDRESS  INT 13H
     EXTENSIONS.  TERMINATING THE ADINF MISSION,  BECAUSE YOUR
     BIOS DOES NOT SUPPORT EXTENDED INT 13H FUNCTIONS.

Windows 95  OSR2  supports  new types of partitions 0Ch (FAT32X),  0Eh
(FAT16X),  and 0Fh (EXT_DOSX),  which  are  created  with  FDISK  on a
computer  with a BIOS of 1997 standard.  If a disk formatted on such a
computer is transferred to a computer with an old BIOS  and  ADinf  is
run  to check the transferred disk,  ADinf displays this error message
and terminates its mission.


                       8. QUESTIONS AND ANSWERS
                 A Guide to Commonly Asked Questions

Here are the answers in detail to the questions which our users  quite
frequently ask about ADinf. All questions on a topic have been unified
and arranged topicwise.  The menu tree structure described  below  may
not fully agree with that of the ADinf earlier versions as the answers
specifically refer to version 8.xx and later.


     Can ADinf  check  a disk compacted with DoubleSpace,  DriveSpace,
     SpeedStor or Stacker?

Yes, it does check a compacted disk, scanning not through BIOS but via
Int 25h. For scanning a SuperStor-compacted disk, you must tell ADinf
not to check for new bad clusters (choosing INFO UNDER CHECK > BAD
CLUSTERS > DON'T CHECK).


     I, being  a  programmer,  naturally  change many files on my disk
     everyday.  How can I tell ADinf to skip these legal modifications
     in its report?

You can hide directories from ADinf checks. To do this, choose INFO
UNDER CHECK > SKIP TREE. Then, choosing a drive from the on-screen
panel, pop up its directory tree and mark the directories and
subdirectories where files are likely to be changed often. ADinf will
not report harmless changes in a file under a marked directory.
But if a change (in size or CRC) is suspicious, for example a file is
modified but its date stamp is unaltered, you are alerted.
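
The skip-tree rule described above, sketched as an added example (this is
not ADinf code): two snapshots of a directory tree are compared, ordinary
changes under a skipped directory are suppressed, and a change in size or
CRC with an unaltered date stamp is always reported. The file names, the
constructed tree and the choice to always report new and deleted files
are assumptions of the example.

```python
import os
import tempfile
import zlib
from typing import NamedTuple


class Entry(NamedTuple):
    size: int
    mtime: int  # date stamp, whole seconds
    crc: int


def snapshot(root):
    """Record size, date stamp and CRC32 for every file under root."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            with open(full, "rb") as fh:
                crc = zlib.crc32(fh.read())
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = Entry(st.st_size, int(st.st_mtime), crc)
    return table


def in_skip_tree(path, skip_dirs):
    """True if path lies under one of the directories marked to be skipped."""
    return any(path.startswith(d.rstrip("/") + "/") for d in skip_dirs)


def compare(old, new, skip_dirs=()):
    """Classify the differences between two snapshots.

    changed    - content differs and the date stamp moved (reported)
    suppressed - the same, but under a skipped directory (not reported)
    suspicious - size or CRC differs while the date stamp is unaltered;
                 reported even under a skipped directory
    """
    kinds = ("new", "deleted", "changed", "suppressed", "suspicious")
    report = {kind: [] for kind in kinds}
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path), new.get(path)
        if before is None:
            report["new"].append(path)       # assumption: always reported
        elif after is None:
            report["deleted"].append(path)   # assumption: always reported
        elif (before.size, before.crc) != (after.size, after.crc):
            if before.mtime == after.mtime:
                report["suspicious"].append(path)
            elif in_skip_tree(path, skip_dirs):
                report["suppressed"].append(path)
            else:
                report["changed"].append(path)
    return report


def demo():
    """Build a constructed tree, change three files, compare snapshots."""
    t0 = 959_644_800  # constructed date stamp
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data, mtime):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            os.utime(full, (mtime, mtime))

        put("SRC/BUILD.EXE", b"build v1", t0)
        put("SRC/TOOL.COM", b"tool", t0)
        put("DOS/FORMAT.COM", b"format", t0)
        old = snapshot(root)

        put("SRC/BUILD.EXE", b"build v2, recompiled", t0 + 3600)  # rebuild
        put("SRC/TOOL.COM", b"tool plus appended bytes", t0)  # stamp kept
        put("DOS/FORMAT.COM", b"format, patched", t0 + 3600)  # not skipped
        new = snapshot(root)
        return compare(old, new, skip_dirs=["SRC"])


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10} {paths}")
```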


     What is  ADinf  Cure  Module?  If this is a curing module,  is it
     better or worse than Virus Hunter and Doctor Web? Where can I buy
     it?

ADinf Cure  Module  is  a  curing   companion   which   enhances   the
capabilities  of  Advanced  Diskinfoscope.  It  radically differs from
scanners  Virus  Hunter  and  Doctor  Web.  It  kills   existing   and
as-yet-unknown viruses  with  equal  efficacy.  It  maintains  a small
database containing necessary information  about  all  files  in  your
disk.  When  ADinf  detects a virus,  the curing module can be used to
kill it.  Database is automatically updated  by  ADinf  when  diskinfo
changes in your system. The program was tested on a collection of 7000
various infectors unknown to the program and successfully  removed  97
percent of them.

Scanners and ADinf Cure Module cannot be compared: each takes a
different approach to the antivirus problem, and each ideally
supplements the other. First, ADinf Cure Module kills not all viruses
but about 97% of them, bearing in mind that it can clean a computer
of as-yet-unknown viruses. Second, it is helpless when you are
handling someone else's diskettes since it requires the database
containing diskinfo. Scanners, on the contrary, deploy the traditional
tactics: to every attack they design a counterattack and can therefore
kill only the viruses known to them, but are helpless against new
viruses. It is therefore a good idea to have both of them on your
machine.


     Why does ADinf compute several types of checksums?

The possibility of specifying different types of checksums for
verifying the integrity of files is useful in customizing ADinf for
fast and reliable scanning. For detailed information on the CRC types,
refer to the section CRC TYPES (OPTIONS -> SETUP PARAMETERS ->
EXTENSION LIST -> CRC TYPES).


     What is fast CRC that ADinf computes? When I modified a few bytes
     at the end of an executable file,  it ignored them under fast CRC
     mode. Why?

ADinf checks  in  one  of the modes:  NO CRC,  FAST CRC,  and full CRC
(CRC16, CRC32 or CRC48). FAST CRC is computed in close relation to the
internal  structure of an executable file.  So FAST CRC is best suited
for COM and EXE  files  as  it  guarantees  reliable  virus  detection
without  the  need  for computing the CRC of the whole file.  So,  any
change in certain file areas,  unless it is virus-induced,  is ignored
under FAST CRC check.


     Can I put network drives under ADinf control?

Unfortunately, you can't. ADinf checks a drive, reading it  sector  by
sector. Therefore it can check local drives only.


     Can ADinf run under MS Windows, Windows 95, and DESQview?

Yes, it does run under MS Windows,  Windows 95, and DESQview, scanning
the drives directly via BIOS.


     Can ADinf run under DR DOS, Novell DOS, Compaq DOS?

Yes, ADinf can run under DR DOS 5.00 or 6.00.  If ADinf hangs up under
Novell DOS later than 7.0,  run it with -r option. Use this option, if
your computer is running under Compaq DOS or any other OS not fully MS
DOS compatible.


     What is the purpose of personal tables?

ADinf supports two types of tables, common and personal, for storing
disk information. Structurally, they don't differ much. Common tables
are saved in the root directory of logical drives and personal tables
in the directory where ADinf is installed or in another directory.
Common tables are helpful in regularly checking a limited number of
program files of particular extensions, whereas personal tables are
better suited for in-depth checking. You may even choose all types of
files on your disk and specify CRC32 for CRC type. Such a check is
all-inclusive, though time-consuming.


     I feel my machine is infected,  but ADinf is silent.  Can a virus
     dodge ADinf?

This is a common question, and there is only one answer to it.
Unfortunately, there is no panacea against PC virus infection, nor can
there ever be one. ADinf seems to be the best virus detector today.
But bear in mind its capabilities and limitations. Let us examine the
situations where ADinf may keep quiet.

First, if you have installed ADinf on an already infected machine, it
will not notice any virus, because it detects viruses through the
changes in file information. In this case there are no changes in
file information and so it does not alert you. If the virus is hiding
its presence, i.e., you have a stealth virus in the machine, ADinf
will certainly detect it if you run it in the STEALTH SEARCH mode.
This is a very useful mode; run ADinf in it from time to time.

Second, ADinf may fail to notice the viruses tailored specifically to
infect a file only at the time of creation. If they are additionally
hiding themselves, you may trap them by running ADinf in STEALTH
SEARCH mode. If they are NOT hiding their presence, you can easily
detect them with the naked eye. For example, suppose you are copying a
file from drive A to drive C and you notice that the source file has a
different size than the target file. You can easily detect such
infectors by running ADinf as follows: write a batch file (call it
TRAP) which copies several executable files, say, to your RAM drive
and then copies them back from the RAM drive to the source drive. Run
the TRAP batch file before turning off your computer. When you start
the computer next time, ADinf will report such viruses, if any. For
greater reliability, you had better include the files to be copied in
the STABLE FILES list (its menu path is OPTIONS > SETUP PARAMETERS >
INFO UNDER CHECK > STABLE FILES).

Third, ADinf permits you to toggle off many checks. If you, for
example, have toggled off the check of the boot sector of drive C or
you have deleted EXE from the extension list for control, you may not
notice virus-induced changes.

Finally, because of its beneficent policy (aggressive strategy and
ingenious tactics), ADinf irritates virus designers. It cannot be
ruled out that one fine day you may find a new virus specially
tailored to dodge ADinf on your machine. Today there are several
viruses which try to delete files with a name beginning with "ADIN".
What will these evil-mongers do further, God alone knows.


     What is disk access via BIOS, Int 13h, and Int 25h?

In checking missions, ADinf automatically identifies the DOS file
structure by reading the disk sectors one after another. Three access
methods are available for reading the sectors in a drive:

       - through direct addressing to BIOS;
       - through the use of Interrupt 13h (Int 13h);
       - through the use of DOS Interrupt 25h (Int 25h).

The drive  access  type  is  specified  by  choosing  OPTIONS > SETUP
PARAMETERS >  DRIVE  ACCESS  TYPE.  When  and which drive access type
should be chosen?

For an IDE disk partitioned by the FDISK program, ADinf uses  BIOS  as
the access type.

Access via Int 13h must be used in the following situations. Modern
high-capacity disks are manufactured with more than 1024 cylinders
(the limiting value for the standard BIOS of the IBM AT). Present-day
BIOSes and hard disks support handling of such disks by reducing the
number of cylinders and increasing the number of sectors or heads
accordingly (LBA mode). However, if your BIOS does not provide this
facility, you may have to use special disk drivers to utilize the full
capacity of such disks, for example, Disk Manager for IDE disks. ADinf
identifies Disk Manager and automatically defaults to Int 13h as the
disk access type. Several drivers exist for SCSI disks. If you have a
high-capacity SCSI disk in your machine, manually choose Int 13h from
the DRIVE ACCESS TYPE box.

Second case.  In a machine running under QEMM  set  to  STEALTH  mode,
ADinf  defaults  to Int 13h as the DRIVE ACCESS TYPE because access to
disk via BIOS is denied to ADinf.

DRIVE ACCESS TYPE must be set to Int 25h for disks managed by  special
drivers,  for example,  disk compactors.  As a rule,  ADinf identifies
such situations and automatically defaults to  Int  25h.  But  if  the
drive  name letters in a compacted disk are changed,  the drive access
type must be set to Int 25h manually by the user.

There are also other situations where the user must specify the  drive
access  type manually,  for example,  if you have changed the standard
sequence of drive specifiers that DOS assigns to disk partitions.  DOS
allots  the  drive  name  letters  in  the following sequence (if some
partition is missing, the letters are shifted accordingly):

First hard disk:

       1st Primary  DOS Partition C: BIOS
       1st Extended DOS Partition E: BIOS
       2nd Extended DOS Partition F: BIOS
       3rd Extended DOS Partition G: BIOS
       2nd Primary  DOS Partition K: BIOS
       3rd Primary  DOS Partition L: BIOS

Second hard disk:

       1st Primary  DOS Partition D: BIOS
       1st Extended DOS Partition H: BIOS
       2nd Extended DOS Partition I: BIOS
       3rd Extended DOS Partition J: BIOS
       2nd Primary  DOS Partition M: BIOS
       3rd Primary  DOS Partition N: BIOS

ADinf strictly supports  this  standard  sequence  of  specifiers  for
assigning  names  to  drives.  But,  this  sequence may be violated in
several cases.  For the  logical  drives  of  name  letters  up  to  a
violation  in  the  standard  sequence,  ADinf  uses BIOS as the drive
access type and Int 25h for the other drives.  Below is an example  of
such  a situation.  Let us suppose that the second hard disk is an IDE
disk with more than 1024 cylinders (without  LBA)  formatted  by  Disk
Manager.  In  this case the partitions are allotted drive name letters
as follows:

First hard disk:

       1st Primary  DOS Partition C: BIOS
       1st Extended DOS Partition D: Int 25h
       2nd Extended DOS Partition E: Int 25h
       3rd Extended DOS Partition F: Int 25h
       2nd Primary  DOS Partition G: Int 25h
       3rd Primary  DOS Partition H: Int 25h

Second hard disk:

       Only one DM Partition I: Int 25h

The DRIVE ACCESS TYPE is listed in the right-most column.

One more example of nonconventional configuration.  Let us interchange
the hard disks in the above example.  Let the first  hard  disk  be  a
large  IDE disk partitioned by Disk Manager and the second an ordinary
IDE disk. In this case, the drive access type must be set as follows.

First hard disk:

       Only one DM partition C: Int 13h

Second hard disk:

       1st Primary  DOS Partition D: BIOS
       1st Extended DOS Partition E: BIOS
       2nd Extended DOS Partition F: BIOS
       3rd Extended DOS Partition G: BIOS
       2nd Primary  DOS Partition H: BIOS
       3rd Primary  DOS Partition I: BIOS


     Why can't BIOS be specified as the drive access type for a
     32-bit machine? Does this affect detection reliability?

Problems are encountered in enabling/disabling this mode in a  machine
running under Windows 3.11,  because the address of the entry point to
Int 13h handler in BIOS changes.  If 32-bit access is disabled,  ADinf
while running under Windows 3.11 gains access to drives via "hardware"
BIOS, whereas if 32-bit access is enabled, it gains access via virtual
BIOS.   For  ADinf  to  operate  reliably,  the  first  run  of  ADinf
immediately after enabling/disabling the 32-bit drive access  must  be
started  with the -force13 command option which forcibly redefines the
address of the entry point to the Int 13h handler.


     What is the purpose of the -76 command option,  which the  User's
     Guide does not explain?  On some computers ADinf hangs up, saying
     "Opening the disk". What is the cause for this?

Int 76h is an interrupt generated  by  the  IDE  controller  upon  the
completion of every disk operation. There are stealth viruses that use
this interrupt for hiding their presence  in  the  machine.  In  fact,
these  viruses  dodge  detection  at  the hardware level utilizing the
published potentialities of the IDE controller.  In  order  to  detect
such  viruses,  ADinf intercepts and handles this Int 76h itself.  But
such an independent handling may conflict with certain BIOS systems or
special  drivers of 32-bit access to IDE disks.  In such cases,  ADinf
hangs up, displaying the message "Opening the disk".

In order to prevent ADinf from intercepting Int 76h,  run  ADinf  with
the -76 option, as follows:

C:\ADINF\Adinf.exe -a -b -d -76 -@C:\ADINF\list  -lC:\ADINF\

If, with such a command line, your system no longer hangs up,
please send the version number of your BIOS (the eight bytes at the
address F000:FFF5) to DialogueScience, Inc., Moscow, Russia, so that
the ADinf internal BIOS incompatibility table can be modified
appropriately and you can run ADinf without the need for including
this option in the command line.


     I installed ADinf version 10.06 on my network server, but I could
     not install ADinf Cure Module version 3.03. What is the reason?

To install ADinf on a LAN along with the curing module, ADinf Cure
Module must be version 3.04 or higher.

Similarly, the -home command option  available  in  ADinf  10.06  also
requires  ADinf  Cure Module 3.04 or higher for the joint operation of
ADinf along with the Cure Module.


     What  is  the  objective  of  ADinf  Pro  version?  What  is  the
     difference between ADinf Pro and the standard ADinf?

ADinf Pro is a special modification for users who demand guaranteed
integrity and security of large volumes of valuable information, for
example, databases or document archives. Because of the new LAN64
algorithm used for computing the checksums of files, ADinf Pro is not
a simple integrity checker, but a powerful utility which keeps strict
control over data security.

LAN64 algorithm  computes  64-digit  checksums  by  the  hash function
developed by LAN Crypto Corporation for controlling  the  security  of
specially  valuable  information.  It guarantees reliable control over
data security and leaves no room for  modification  of  files  without
changing the value of the hash function.

With the CRC16 and CRC32 algorithms employed in standard ADinf
versions, a file can be modified slightly and the change compensated
algorithmically so that its checksum stays the same. In this sense,
CRC16 and CRC32 checksums are helpless against smart tricks. For both
these CRC types, there are algorithms which compute additional bytes
so that the checksum remains unchanged.

The LAN64 algorithm (hash function) is designed so that no one can
compute the necessary changes without altering the checksum. Trial
and error is the only way, and this cannot be accomplished in real
time. Here lies the superiority of the LAN 64-digit checksum.

A special mechanism is incorporated in ADinf Pro for  controlling  the
integrity  of  diskinfo  tables which are also now protected by 64-bit
checksums.
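
The CRC weakness described above, shown as an added example (not ADinf or
LAN Crypto code): it computes four additional bytes that give a modified
file the CRC32 of the original, and checks that a cryptographic hash
still reports the change. SHA-256 stands in for a cryptographic hash
function here, since LAN64 is not specified in this guide; the sample
contents and function names are constructed for the illustration.

```python
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib.crc32 uses


def _build_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _build_table()
# Every table entry has a distinct top byte, which is what makes each
# CRC step reversible.
BY_TOP_BYTE = {entry >> 24: index for index, entry in enumerate(TABLE)}


def compensating_bytes(data: bytes, wanted_crc: int) -> bytes:
    """Return 4 bytes such that crc32(data + those bytes) == wanted_crc."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF   # CRC register after `data`
    target = wanted_crc ^ 0xFFFFFFFF        # register value to end in
    # Run the register backwards over four zero bytes.
    for _ in range(4):
        index = BY_TOP_BYTE[target >> 24]
        target = (((target ^ TABLE[index]) << 8) | index) & 0xFFFFFFFF
    # Feeding bytes X from register S equals feeding zero bytes from
    # S ^ X, so X is the difference between the two register values.
    return (state ^ target).to_bytes(4, "little")


def integrity_verdicts(original: bytes, current: bytes) -> dict:
    """What a CRC32-based and a hash-based checker would each report."""
    same_crc = zlib.crc32(original) == zlib.crc32(current)
    same_hash = (hashlib.sha256(original).digest()
                 == hashlib.sha256(current).digest())
    return {
        "crc32": "unchanged" if same_crc else "changed",
        "sha256": "unchanged" if same_hash else "changed",
    }


# Constructed sample data standing in for a protected document.
ORIGINAL = b"PAY 100 TO ACCOUNT 1111\r\n"
TAMPERED = b"PAY 900 TO ACCOUNT 2222\r\n"


def demo():
    """Compare the original with the modified, compensated copy."""
    patch = compensating_bytes(TAMPERED, zlib.crc32(ORIGINAL))
    return integrity_verdicts(ORIGINAL, TAMPERED + patch)


if __name__ == "__main__":
    print(demo())
```

The compensated copy is four bytes longer than the original, so a size
comparison also flags this particular form of the change.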



                           REFERENCES

DialogueScience, DSAV, ADinf and Virus Hunter are registered trademarks
of DialogueScience Inc., Moscow, Russia.

Sheriff is a registered trademark of FomSoft, Moscow, Russia.

Other names are registered trademarks or trademarks of the
respective companies.

                              * * *

ADinf & Cure Module are available at

DialogueScience, Inc.,
Computing Center of the Russian Academy of Sciences,
Office No 103, House No 40, Vavilov street,
117786, Moscow, Russia.

Tel.:     (+7-095) 137-0150, 135-6253
Tel./Fax: (+7-095) 938-2970, 938-2855

BBS: (+7-095) 939-3705 (28800/V.34, 33600/V.34+) - subscribers only
     (+7-095) 938-2969 (28800/V.34, 33600/V.34+) - subscribers only
     (+7-095) 938-2867 (28800/V.34, 33600/V.34+) - subscribers only
     (+7-095) 938-2856 (28800/V.34)              - common access

FidoNet: 2:5020/69

FTP-server: ftp://ftp.ADinf.com
            ftp://ftp2.ADinf.com
            ftp://ftp3.ADinf.com

WWW:        http://www.adinf.com
            http://www.dials.ru

E-mail: Antivir@ADinf.com
