
                               Moscow 1995

                          (c) Dmitry Mostovoy




                   Advanced Diskinfoscope  (ADinf)

                          Anti-virus Center

                       (c) Dr. Dmitry Mostovoy
                              1991-1995

                           Moscow, Russia
        



                      Version 9.32 of February 1995

           Size 100 000 bytes (noncommercial version - 96306)




                ----------------------------------------

                              USER's GUIDE

                ----------------------------------------




                          DialogueScience, Inc.
                             Moscow, Russia
                                 1994



                                CONTENTS


BEFORE YOU BEGIN
     What is Advanced Diskinfoscope ADinf?
     Copy protection!
     What do you need to run ADinf

GETTING STARTED
     Installing Advanced Diskinfoscope ADinf
     Using ADinf jointly with Sheriff
        Installing ADinf on a Sheriff-protected computer
        Installing Sheriff on an ADinf-protected computer
     Starting ADinf from AUTOEXEC.BAT file
     Starting ADinf from DOS prompt
     Starting ADinf in batch mode
     Command options
     Starting ADinf in interactive mode

ADinf MAIN MENU
     Scanning the drives
     Creating diskinfo tables
     Checking floppy diskettes
     Stealth search mode
     Customizing the ADinf operation

USEFUL TIPS
     It is always safe
     Holding viruses in leash
     Speedkeys

ADinf STRATEGY
     How does ADinf inspect a disk?

IF THINGS GO WRONG, ANYWAY
     Responding to ADinf report messages
          Changes in memory size
          Changes in MASTER BOOT sector or BOOT sector
          New bad clusters
          Changes in directory system
          Changes in file system
          Viewing & editing files of changed information


ERROR AND WARNING MESSAGES

ACKNOWLEDGMENTS

REFERENCES

DISTRIBUTOR IN RUSSIA





                            BEFORE YOU BEGIN


The ADinf program  is  supplied  "AS  IS"  without  any  warranty,  either
expressed or implied,  of workmanship,  merchantability, and fitness for a
particular purpose.  In no event  will  JV DIALOGUESCIENCE, INC.,  or  its
authorized  dealers  or  the  designer  of  the  program  be liable to the
purchaser for any consequential problems arising out of  the  use  or  the
inability to use the program.

WHAT IS ADVANCED DISKINFOSCOPE ADinf?


                                              Timely detection of
                                              infection guarantees
                                              successful curing !


Advanced Diskinfoscope ADinf is a disk information inspector, more
precisely, a disk infection meter: how it works is described later. It
surpasses most other anti-virus programs as it scans a disk by reading its
sectors one by one through BIOS, without the assistance of DOS, to pinpoint
even such formidable infectors as STEALTH viruses known to intercept more
than twenty DOS functions, infectors in disk drivers, as well as viruses
yet unrecognized. Hardly any other anti-virus utility has such
reconnaissance power.

Additionally, ADinf reads a disk by addressing BIOS directly to spot and
kill boot sector infectors even if they have taken control of the interrupt
INT 13h.

Advanced Diskinfoscope ADinf is an anti-virus utility which, if properly
used by booting your system from a hard disk (instead of from a
write-protected bootable diskette as required by other anti-virus
utilities), will alert you to nearly every virus in your computer - known,
unknown or potential. Thus, ADinf countermines the spiteful projects of
virus designers.

This is not the end of its mission - it leaps seven leagues ahead. Besides
detecting infectors,  ADinf can  scrupulously x-ray  your system  for full
data integrity, security and any other slight modifications of data.  This
is particularly desirable in a multiuser environment. You will  appreciate
its instant disk checks.

ADinf Cure Module (ADinfExt.exe) - a separate program which can be ordered
with ADinf - maintains a small database describing the files on your hard
disk. When ADinf reports virus infection, you may instantly use it to
clean your machine. It kills up to ninety-seven percent of the existing
viruses as well as, most importantly, presently unknown viruses.

Disk inspector Dinf - the forerunner of ADinf - was awarded a prize at the
2nd All-Union Anti-Virus Programs Contest in 1990, Kiev (Ukraine).

The designer will  be glad to  receive from users  remarks and suggestions
for improving ADinf - the Advanced Diskinfoscope.


COPY PROTECTION!

ADinf is copy-protected against unauthorized duplication. At the first
start, ADinf retrieves information about your system and will refuse to
function if it is illegally copied to some other computer. Copy
protection, however, does not restrict owners' rights to install the
program on any number of computers but safeguards against software piracy.

The  noncommercial  version  of  the  ADinf  program  and its accompanying
documentation  are  supplied  without  any  restriction  whatsoever in the
event  of  its  use  or  distribution for  noncommercial and nonprofitable
purposes.  The noncommercial version does not essentially differ from  the
full-fledged  version  of   the  ADinf  program:    it  demonstrates   the
capabilities  of  the  ADinf  program  on  your  system. The noncommercial
version

     (1) does not support PERSONAL tables,

     (2) cannot repair files through ADinf Cure Module,

     (3) cannot exclude directories (subdirectories) from checks,

     (4) cannot save the check results in a log file.



WHAT DO YOU NEED TO RUN ADinf

ADinf runs on IBM PC/XT/AT, PS/2 or compatibles with one or two hard disks
and one or two floppy disks under MS or PC-DOS ver. 3.20 or higher,
DR-DOS 5.00 and 6.00, Novell DOS 7.00 and Compaq DOS 3.31. It needs
about 100 KB free to run from a hard disk. ADinf accesses video memory
directly, bypassing BIOS, and supports CGA, EGA, VGA and Hercules
video adapters. ADinf can scan drives directly through BIOS under MS
Windows and the DESQview multitasking environment. ADinf can work together
with HyperDisk cache versions older than 4.50.


                             GETTING STARTED

INSTALLING ADVANCED DISKINFOSCOPE ADinf

To install ADinf, insert the diskette containing the ADinf program into
drive A (or B, whichever is appropriate to your system), log on to the
ADINF directory with the commands

> a: (or b:) and press Enter

> cd \adinf and press Enter

and type

> install

and press Enter.  Answer all the questions of the setup program.  The
setup program behaves differently, depending on whether you are installing
ADinf for the first time or upgrading an older version in your machine.


IF THIS IS THE FIRST TIME YOU ARE INSTALLING ADinf IN YOUR MACHINE,
the setup program, after copying the files from the original diskette,
will prompt you to add ADinf to your AUTOEXEC.BAT file. Using the UP
and DOWN keys, you can choose the place where the ADinf line is inserted
in your AUTOEXEC.BAT file and then press <Enter> to confirm your choice.
If you press <ESC> at this moment, the AUTOEXEC.BAT file will not be
modified. The old status of your AUTOEXEC.BAT file will be saved in the
file AUTOEXEC.ADI. If you do not want to add ADinf to your AUTOEXEC.BAT
file, choose DON'T ADD from the query. Thereafter the setup program
prompts you to create ADinf diskinfo tables containing the status of the
drives in your machine.


IF YOU ARE UPGRADING AN OLDER VERSION ALREADY INSTALLED IN YOUR MACHINE,

the setup program will ask your permission to overwrite the old ADinf
version but will not prompt you to add ADinf to your AUTOEXEC.BAT file,
nor will it create diskinfo tables afresh, as ADinf will continue to
utilize the tables created by the previous version.



                    USING ADinf JOINTLY WITH SHERIFF

INSTALLING ADinf ON A SHERIFF-PROTECTED COMPUTER

    To install Advanced DiskinfoScope, if your computer is already
protected by the Sheriff protection firmware:

    1. switch off the Sheriff protection firmware,
    2. install ADinf as described above,
    3. start ADinf in interactive mode,
    4. select OPTIONS from the main menu,
    5. select SETUP PARAMETERS from the submenu,
    6. choose SHERIFF SERIAL NO in the submenu.  In the box displayed on
       the screen, type the first five figures in the serial number of
       your Sheriff firmware and press Enter,
    7. quit ADinf and
    8. switch on the Sheriff protection firmware.


INSTALLING SHERIFF ON AN ADinf-PROTECTED COMPUTER

    To install the Sheriff protection firmware, if Advanced DiskinfoScope
is already installed in your computer:

    1. start ADinf in interactive mode,
    2. select OPTIONS from the main menu,
    3. select SETUP PARAMETERS from the submenu,
    4. choose SHERIFF SERIAL NO in the submenu.  In the box displayed on
       the screen, type the first five figures in the serial number of
       your Sheriff firmware and press Enter,
    5. install Sheriff as described in its user's manual.



Advanced Diskinfoscope ADinf can be started either automatically from  the
AUTOEXEC.BAT  file  or  manually  by  typing  its  command line at the DOS
prompt.

                  STARTING ADinf FROM AUTOEXEC.BAT FILE

To run ADinf automatically in batch mode, modify your AUTOEXEC.BAT file
by adding a line as follows (at the time of installation you can tell the
setup program to do this automatically):

 C:\ADINF\ADinf -d -a -b -lc:\TMP  C: D:

    C:\ADINF\     Directory where ADinf is installed
    -d            Check only once a day
    -a            No dialog pauses
    -b            Black screen background
    -lc:\TMP      Save report in C:\TMP directory
    C: D:         Drives to be scanned


The options which the ADinf  command line accepts are described  in detail
under the section COMMAND OPTIONS.



                     STARTING ADinf FROM DOS PROMPT

Advanced Diskinfoscope ADinf  can be run  in batch mode  or in interactive
mode  by  typing  its  command  line  at  the DOS prompt and then pressing
<Enter>.


STARTING ADinf IN BATCH MODE

In the batch mode ADinf checks the drives one after another, executing the
options specified in its command line. To run ADinf in batch mode, at  the
DOS prompt type:


 C:\ADINF\ADinf [<Options>] C: D:

    C:\ADINF\     Directory where ADinf is installed
    C: D:         Drives to be scanned


and press <Enter>. Advanced Diskinfoscope accepts in its command line  the
options described below.


COMMAND OPTIONS

In the command line  the options must be  preceded with a hyphen  '-' or a
slash "/" and separated with a blank  space and may be typed in upper-  or
lower-case.  Asterisked  items  are  used  only  in batch mode and have no
effect in interactive mode.

  OPTION          ITS FUNCTION
 
 *1) -a           To suppress certain minor dialog pauses,
                  for example, when running from
                  AUTOEXEC.BAT file.
 
 *2) -b           To blacken the screen background for
                  better view when ADinf is run from
                  AUTOEXEC.BAT file.
 
  3) -co[lor]     To set color display on a monitor.
                  ADinf automatically recognizes whether a
                  computer is fitted with a color or
                  monochrome monitor. Use this switch if
                  something goes wrong.
 
 *4) -d           To run ADinf "ONLY ONCE A DAY" and not to
                  initiate at repeated bootings on the same
                  day, even if specified in AUTOEXEC.BAT file.
 
  5) -cl[<path>]  To write the scan report to a file in the path
                  specified after -cl, e.g., -clC:\ADINF\.
                  If the switch -cl is specified without any
                  path, the report is saved in the current
                  directory. If a log file already exists, the
                  report is appended to it. You may also
                  specify a file for writing the report by
                  choosing the SAVE LOG IN FILE item from the
                  DO YOU WISH TO UPDATE DISKINFO TABLES? panel
                  displayed on pressing ESC from the SCAN REPORT
                  window. This panel is displayed only if
                  FAST SCAN and INFO MODE in the PROGRAM MODES
                  submenu are set to OFF.
 
  6) -e           To undo the attribute HIDDEN assigned to
                  diskinfo files.
 
  7) -f           To run in fast scan mode without verifying
                  the CRC of files.  Diskinfo tables are not
                  updated.  Same as FAST SCAN in OPTIONS menu.
 
  8) -g           To switch off the Hard Disk Parameter Tables
                  checks in RAM BIOS variables area.
 
  9) -i           To toggle INFO MODE.  Diskinfo tables are
                  not updated after the completion of check
                  ups.  This switch must NOT be used jointly
                  with -d switch.  Same as INFO MODE item in
                  OPTIONS menu.
 
 10) -l[<path>]   To write the scan report to a file in the path
                  specified after the switch -l, e.g.,
                  -lc:\adinf\. If the switch -l is specified
                  without any path, the report is saved in the
                  current directory. Differs from the -cl switch
                  in that the log file is overwritten with the
                  new report if the file already exists.
 
 11) -m           To disable the mouse.
 
 12) -mo[no]      To set monochrome display on a monitor.
                  ADinf automatically recognizes whether a
                  computer is fitted with a color or
                  monochrome monitor. Use this switch when
                  you want black-and-white display on
                  your color monitor, particularly on laptops
                  and notebooks with LCD VGA display.
 
 13) -n           To hide the title screen even where it ought
                  to be displayed.  By default, it is displayed
                  only in interactive mode.
 
 14)  -nam        To disable the mouse arrow pointer and to use
                  the standard mouse cursor.
 
 15)  -nr         Do not wait for retraces on CGA-monitor.
 
 16)  -os         To start ADinf with the old-style interface of
                  ADinf prior to version 9.00 if you prefer it.
                  This switch disables the ADinf's internal font
                  table from being loaded into EGA/VGA adapters,
                  so it is useful when ADinf conflicts with any
                  resident programs, say, programs that load
                  national fonts into the display adapter.
 
 17) -p           To construct "PERSONAL" diskinfo tables
                  particularly useful in a multiuser PC.
                  For greater detail, see the section
                  CUSTOMIZING THE ADinf OPERATION.
 
 18) -r           To run under DR-DOS.  ADinf detects its
                  environment by the version number. If, when
                  queried for the system version, DOS returns
                  3.31 (which is what DR DOS 5.00 does), ADinf
                  does not use the unreleased MS or PC-DOS
                  capabilities.  In future DR-DOS may return
                  some other number.  If ADinf hangs under
                  DR-DOS later than 5.0, run it with -r option.
                  Also use this option if you are running your
                  computer under Compaq-DOS or any other
                  operating system not fully compatible with
                  MS-DOS.
 
  19) -s          To toggle beeps ON and OFF.  Same as
                  SOUND item in OPTIONS menu.
 
  20) -Setup:     To specify the directory or full pathname of
                  the file for writing the ADinf status
                  information.  By default, the file
                  A-Dinf-. is saved in the directory where
                  ADinf.exe is installed.  You have to
                  define a different directory for this file,
                  if ADinf is installed on a write-protected
                  area in the disk.  For this, in the ADinf
                  setup command line, specify the directory
                  pathname, say, as follows:
                        ADinf C: D: -Setup:D:\READWR\
                  to save the ADinf configuration status
                  information in file D:\READWR\A-Dinf-..
                  You can also specify several filenames for
                  saving the ADinf configuration status
                  information in different files containing
                  different lists of filename extensions, names
                  of tables, disk access methods, etc.  For
                  this, specify the names of files for saving
                  various ADinf configuration information in
                  the setup command line, say, as:
                        ADinf C: D: -Setup:My_Setup.
                  A file My_Setup. will be created in the
                  directory where ADinf.exe is installed.  If
                  you type
                        ADinf C: D: -Setup:D:\SET\My_Setup,
                  a file My_Setup. will be created in the
                  directory D:\SET.
                
                  NOTE. If you type the path or the filename
                        wrongly, you will not get any warning
                        message.
 
  *21) -w         To create new diskinfo tables in batch
                  mode.  Same as CREATE TABLES in MODE menu.
 
   22) -13        To disable the check that verifies whether or
                  not the interrupt vector is pointing to BIOS.
                  If your computer has SHADOW BIOS installed,
                  which permits writing in memory address areas,
                  disable SHADOW BIOS when you start ADinf for
                  the first time on your computer so that ADinf
                  may retrieve and save the address of the
                  Int 13h handler. Thereafter you may switch
                  on SHADOW BIOS and use the -13 switch.
 
   23) -76        To disable ADinf internal Int 76h handler.
 


STARTING ADinf IN INTERACTIVE MODE

If no drives are specified in the command line, e.g.,

C:\ADINF>ADinf,

on pressing  <Enter>, ADinf  starts in  interactive mode  and displays its
main menu in the top line across the screen.



                             ADinf MAIN MENU

When you  start ADinf  in interactive  mode, the  screen top line displays
the  main  menu  containing  five  titles:  ADinf, DRIVES, MODE, OPTIONS &
QUIT.   The  SCAN  DRIVES  command  from  the MODE title  is automatically
selected, so you may just press  <Enter> to start scanning the drives  for
which diskinfo tables have already been created.

You move across the menu bar with <Right> and <Left> arrow keys. Arrow  to
any item and  press <Enter> to  pull down its  local menu.   Using <Up> or
<Down> arrow key,  you move to  an option in  these local menus  and press
<Enter>  to  select  it.  If  the  option  is  a command, press <Enter> to
execute it or <Esc> to cancel it.

Alternatively, to  select an  item from  the main  menu you  may press the
highlighted letter  in the  menu title  or click  the left  button of your
mouse on the menu title.  To  close a menu panel that is presently  pulled
down, press <Esc> or  click the right button  of your mouse anywhere  free
on the screen.

The bottom line of the screen displays the name of the drive being
scanned, the addressing route (through BIOS, INT 13h or INT 25h), brief
messages and prompts, the type of diskinfo tables (C for common and P for
personal) and the size of the memory space presently free on your system.


  MENU ITEM     ITS PURPOSE
 
  ADinf         To view ADinf ver. No and other relevant info.
 
  DRIVES        To specify the drives to be scanned.
 
  MODE          To choose SCAN DRIVES, SCAN SELECTED,
                CREATE TABLES or STEALTH SEARCH mode.
 
  OPTIONS       To customize ADinf operation parameters.
                (For more information see CUSTOMIZING THE
                ADinf OPERATION below).
 
  QUIT          To end an ADinf session.
 

In the interactive mode, you can:

     (1) scan hard drives in your computer,

     (2) check floppy diskettes for infection,

     (3) create ADinf diskinfo tables for your drives,

     (4) scan for active Stealth-viruses in your computer,

     (5) customize certain ADinf parameters to suit your preferences,

     (6) scan all files in your drives or only those files whose
         extensions are specified in the file  extension list,

     (7) revise the list of extensions of files to be taken under control
         by ADinf, associate viewers and editors with extensions for
         viewing and editing files of particular extensions and specify
         the type of file CRC for scanning.


(1) SCANNING THE DRIVES

When you start ADinf in interactive mode, the SCAN DRIVES command from the
MODE  title  is  automatically  selected,  therefore just press <Enter> to
start scanning the drives for which  diskinfo  tables  have  already  been
created.

To scan only selected  drives in your computer:  first, move to DRIVES  in
the main  menu with  <Right> or  <Left> arrow,  and press  <Enter> to pull
down the DRIVES local menu. Then  move the selection bar to the  drive you
want to scan and press <Enter>.  A plus sign (+) on the left of the  drive
name indicates the drive is selected.   A drive is deselected by  pressing
<Enter> again - the plus sign changes to minus sign, signifying it is  not
selected for  scanning. You  may select  as many  drives as  you like  for
scanning in  one run.   Then, arrow  to MODE  in the  main menu  and press
<Enter>. A local  menu drops down  containing SCAN DRIVES,  SCAN SELECTED,
CREATE TABLES  and STEALTH  SEARCH commands.   Arrow to  SCAN SELECTED and
press <Enter>  to start  ADinf for  scanning the  drives specified  in the
DRIVES panel.

You can abort scanning of any disk at any time by pressing <Esc> or
clicking both mouse buttons together.  ADinf will respond with a query:

          Stop scanning ?

              No         this drive          all drives

If you choose NO or click the right mouse button, scanning is resumed; if
you choose THIS DRIVE, ADinf will proceed to scan all other disks; and if
you choose ALL DRIVES, ADinf abandons its mission and returns to the main
menu.

If you press <Enter> to start scanning without having selected any drives,
you get the following error message:

           Warning !

                          No drives selected!
                              Press ESC
                     Select some from "DRIVES" menu.


In  such  cases,  on  pressing  <Esc>,  ADinf automatically returns you to
DRIVES menu. Select drive(s) and run ADinf again in scan mode.


(2) CREATING DISKINFO TABLES

The procedure is the same as described above, the only difference being
that you now choose the CREATE TABLES command from the MODE menu.


(3) CHECKING FLOPPY DISKETTES

Most of  the viruses  migrate from  computer to  computer via diskettes. A
clean  diskette  gets  easily  infected:  insert  it  into  a contaminated
computer and just open its directory  for viewing - it may become  a virus
carrier.  But  inserting  an  infected  diskette  into  a  computer is not
sufficient  to  inject  a  virus  into  your  computer: either an infected
program on the diskette has to be started or the computer has to be booted
from an infected diskette.

In order  to be  certain that  the diskettes  in your  possession, or  the
diskettes you pass  on to or  obtain from others  are clean, always  check
them with ADinf. When a diskette is checked with ADinf for the first time,
a diskinfo table containing vital information about the diskette is  saved
on it.  Therefore, prior to passing  a diskette  to  others, always  check
it with  ADinf and  save the  diskinfo tables  on it.  If the receiver has
Advanced  Diskinfoscope  installed  in  his  computer,  he  can  check the
integrity of the data on the diskette. Likewise, you can check up  whether
a diskette obtained from others is virus-infected or clean.

The  diskinfo  tables  written  by  ADinf  on  a  diskette  contain   full
information essential for scanning (the  list of files under check,  types
of  CRC  of  files,  names  of  viewers  and  editors for the files on the
diskette). Therefore the diskinfo tables created on a diskette by ADinf in
one computer may not tally with the configuration of ADinf diskinfo tables
on a different computer.


(4) STEALTH SEARCH MODE

Stealth viruses, as their name implies, are capable of stealthily hiding
themselves in an infected machine. The early specimens of infectors did
not possess this property and so could be detected visually when an
infected file was opened for viewing. Even simple antivirus utilities could
suppress their multiplication, and thus these viruses failed to become an
epidemic hazard. Advances in antivirus techniques catalyzed new trends in
virus design, and the appearance of invisible infectors was the natural
step in the evolution of virus technology. Viruses designed around hiding
algorithms cannot be viewed with the operating system tools. For example,
when an infected file is viewed by pressing F3, Norton Commander does not
show anything unusual because the virus removes its body when the file is
opened for reading, and infects it back on closing. This is one of the
hiding methods and there are several other masking techniques. Boot
infectors also hide themselves when an infected sector is opened for
reading.

In the early development stages, the design of stealth viruses was ahead
of the capabilities of the antivirus utilities of the time. And thus the
viruses V-4096, XPEH and some other specimens proliferated far and wide.
The present ADINF version easily detects newly designed Stealth viruses.
For instance, most of the antivirus utilities were ineffective against the
epidemic outbreak in the summer and autumn of 1991 caused by the DIR virus,
written with a then unknown detection-dodging algorithm. But on those
computers protected by ADINF, this virus was easily trapped and prevented
from doing harm.

The hiding algorithm is the weakest link in the design of stealth viruses.
This algorithm is the key to successful detection of such a virus on an
infected machine. A discrepancy between the file size or CRC given by DOS
and the actual size or CRC is a definite symptom of virus infection. The
hiding capability of the stealth virus betrays its presence in an infected
file! Such a comparison algorithm is incorporated in ADINF code.

To detect STEALTH viruses in your machine

1) arrow to DRIVES in the main menu,

2) mark the drives you want to scan for stealth virus by pressing  <ENTER>
on the drive  name A, B,  C, ... A  drive selected for  scanning is tagged
with plus  sign "+"  on the  left of  the drive  name letter. If you press
<ENTER> on a marked drive letter name, the drive is unselected.

3) After selecting drives for scanning,  press the right  <arrow>  key  to
move  to  MODE  in  the  main menu and select STEALTH SEARCH from the MODE
submenu.  Finally press <ENTER> to start scanning of the  selected  drives
for stealth viruses.

You may  stop  scanning  any drive at any time as described under SCANNING
THE DRIVES.

While scanning for stealth viruses,  ADINF checks the MASTER-BOOT  sector,
BOOT  sectors  of  logical  drives  and then compares the sizes and CRC of
files given by DOS with the actual values which it determines  by directly
reading  the sectors,  accessing them via BIOS.  As soon as it detects any
discrepancy in these values,  ADINF stops scanning the drives in order not
to spread infection to other clean directories and displays the message:

   Attention!

                                For file
                              C:\AAAA.COM
            size reported by DOS differs from its real length!

         DOS reports: 5883, real: 9889 bytes, difference: 4016.

          There may be an active STEALTH-VIRUS in the memory!

       CONTINUE           STOP           VIEWER          REBOOT

       Further scanning may inject infection into clean files being
      checked by ADINF! Recommend you to stop scanning, insert into
      drive A a write-protected system diskette, & choosing REBOOT,
      reboot your computer with a clean operating system. Disinfect
      the infected files, prior to starting the computer from your
      hard disk!



Choosing VIEWER  from this panel,  you can view the suspect file.  ADINF's
built-in viewer will print the file contents on the screen by  reading  it
directly through BIOS.

Choosing REBOOT from this panel, you can clean your computer memory of
stealth and other viruses. For this, insert in drive A (or the drive
appropriate to your system) a write-protected bootable diskette containing
a clean operating system and an antivirus utility capable of killing
stealth viruses, say, V-Hunter. Then choose REBOOT from this panel to
reboot your machine and run the antivirus program on the diskette. If the
virus residing in your machine is already known, V-Hunter will kill it. If
not, the virus is definitely a hitherto unknown stealth infector and you
should call for help from some Antivirus Service available nearest to you
or restore your information from a backup copy.
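
The comparison that STEALTH SEARCH mode is described as making above (size
and CRC as reported by DOS against the values found by reading the sectors
directly), sketched as an added example; it is not ADinf code. The two
reader functions, the sample files and the use of CRC-32 are assumptions
made for the illustration, and it covers the same-size/different-CRC case
as well as the size case shown in the dialog.

```python
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str       # "size" or "crc"
    reported: int   # value seen through the operating system's file API
    actual: int     # value seen by the direct (sector-level) read


def fingerprint(data):
    """Return (length, CRC-32). CRC-32 is a stand-in: the guide does not
    say which CRC ADinf computes."""
    return len(data), zlib.crc32(data) & 0xFFFFFFFF


def stealth_search(paths, read_via_os, read_raw, stop_on_first=True):
    """Compare the OS view of each file with the direct view.

    stop_on_first=True mirrors the behaviour described in the guide: the
    scan halts at the first discrepancy so that no further files are
    opened through a possibly compromised operating system.
    """
    findings = []
    for path in paths:
        reported_size, reported_crc = fingerprint(read_via_os(path))
        actual_size, actual_crc = fingerprint(read_raw(path))
        if reported_size != actual_size:
            findings.append(Finding(path, "size", reported_size, actual_size))
        elif reported_crc != actual_crc:
            findings.append(Finding(path, "crc", reported_crc, actual_crc))
        else:
            continue
        if stop_on_first:
            break
    return findings


# Constructed sample data (not taken from a real disk). RAW is what a direct
# read returns; OS_VIEW is what the file API returns on a machine where
# something is filtering reads.
RAW = {
    r"C:\COMMAND.COM": b"\x90" * 300,
    r"C:\AAAA.COM": b"\x90" * 500 + b"\xCC" * 120,
    r"C:\TOOLS\EDIT.EXE": b"MZ" + b"\x01" * 398,
    r"C:\TOOLS\SORT.EXE": b"MZ" + b"\x00" * 198,
}
OS_VIEW = dict(RAW)
# The file API reports only the first 500 bytes of this file.
OS_VIEW[r"C:\AAAA.COM"] = RAW[r"C:\AAAA.COM"][:500]
# Same length through both views, but one byte differs.
OS_VIEW[r"C:\TOOLS\EDIT.EXE"] = RAW[r"C:\TOOLS\EDIT.EXE"][:-1] + b"\x00"

OPENED_VIA_OS = []  # records which files the scan opened through the OS


def read_via_os(path):
    OPENED_VIA_OS.append(path)
    return OS_VIEW[path]


def read_raw(path):
    return RAW[path]


def demo():
    """Run the default (halting) scan, then a full scan for comparison."""
    OPENED_VIA_OS.clear()
    first = stealth_search(list(RAW), read_via_os, read_raw)
    touched = list(OPENED_VIA_OS)
    full = stealth_search(list(RAW), read_via_os, read_raw,
                          stop_on_first=False)
    return first, touched, full


if __name__ == "__main__":
    first, touched, full = demo()
    for f in first:
        print(f"{f.path}: {f.kind} reported {f.reported}, real {f.actual}")
    print("files opened through the OS before halting:", touched)
    print("discrepancies in a full scan:", [(f.path, f.kind) for f in full])
```
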


ADinf automatically  checks for  Stealth viruses  in newly  created files,
because certain Stealth viruses infect  files only when they are  created,
for example, while copying from a diskette or exploding from a  compressed
file.  By default, this mode is ON.  Since this check consumes a  certain
amount  of  time,  you  may  switch  it  OFF,  choosing  the  menu  route:
OPTIONS->SETUP PARAMETERS->INFO UNDER CHECK->SS NEW FILES.



(5) CUSTOMIZING THE ADinf OPERATION

Using the  OPTIONS title  from the  main menu,  you can  customize certain
ADinf parameters to suit your convenience and preferences.  The menu  tree
structure of the OPTIONS title is schematically represented below:

    OPTIONS
     |
     +-- TABLES
     +-- PROGRAM MODES
     |     +-- SOUND
     |     +-- FAST SCAN
     |     +-- INFO MODE
     +-- SETUP PARAMETERS
           +-- EXTENSION LIST
           |     +-- EXTENSIONS
           |     +-- CRC TYPES
           +-- INFO UNDER CHECK
           |     +-- EXTENSIONS
           |     +-- STABLE FILES
           |     +-- BOOT-SECTORS
           |     +-- BAD CLUSTERS
           |     +-- DIRECTORIES
           |     +-- SKIP TREES
           |     +-- HDP TABLES
           |     +-- SS NEW FILES
           +-- TABLE FILE NAME
           +-- PERS. TABLE PATH
           +-- DRIVE ACCESS TYPE
           +-- TREEINFO.NCD FILE
           +-- PATH TO VIEWERS
           +-- FILE LIST SORTING
           |     +-- BY EXTENSION
           |     +-- BY DIRECTORY
           |     +-- KEEP UNSORTED
           +-- SHERIFF SERIAL NO
           +-- CURE FILE SUPPORT
                 +-- ADINFEXT NAME
                 +-- FOR COMMON TABLES
                 +-- FOR PERSONAL TABLES
                 +-- CURE MODULE SETUP (***)

(***) - available only for ADinf Cure Module versions later than 3.30




The second  level menu  of OPTIONS  title contains  three items:   TABLES,
PROGRAM MODES and SETUP PARAMETERS.

---  TABLES has two commands: COMMON to construct tables for a machine  as
a whole  regardless of  the number  of users  operating the  computer, and
PERSONAL - only for you. These two choices are toggled with <Enter>.

Ordinarily, ADinf creates diskinfo tables in the root directory of the
drive being checked. In "PERSONAL" mode these tables are created in the
directory containing ADinf. You can copy ADinf into your directory or onto
a separate floppy and thus conduct a personal check to detect the changes
that occurred in your absence. This check from a floppy should be used
with great caution. If you run ADinf from a floppy containing the
diskinfo tables of some other computer, the consequences would be
disastrous, especially if you restore the MASTER BOOT or BOOT sector of
your system. You can also specify a directory for saving the personal
diskinfo tables. To do so, choose PERS. TABLES PATH from the PROGRAM
MODES item in the OPTIONS title of the main menu, type the full
pathname in the on-screen panel displayed and press <Enter>.


--- The PROGRAM MODES menu contains three toggling commands:  SOUND,  FAST
SCAN and INFO MODE.

SOUND beeps are toggled ON and OFF with <Enter>.

FAST SCAN is toggled ON and OFF with <Enter>. When FAST SCAN is set to ON,
file CRCs are not calculated and diskinfo tables  and  TREEINFO.NCD  files
are not updated.

INFO  MODE,  when  set  to  ON,  will  not  update  diskinfo  tables   and
TREEINFO.NCD files every time ADinf is  run, even if the diskinfo of  your
system has changed since the last check.

--- The SETUP PARAMETERS menu  contains ten items for customizing  certain
ADinf operation parameters to suit your preference and convenience.

On choosing EXTENSION LIST from the SETUP PARAMETERS  menu,  and  pressing
<Enter>,  a  local  menu  containing two options,  EXTENSIONS and CRC TYPE
drops down.  On choosing EXTENSIONS and  pressing  <Enter>,  you  get  two
panels,  viz.,  a  FILE  EXTENSION LIST containing the extensions of files
under control,  their viewers and editors and  a  SELECT  EXTENSION  panel
showing editing keys.

  +- Files: - Viewer ------ Editor ----+
  |  .COM     wpview.exe    nu.exe     |
  |  .EXE     wpview.exe    nu.exe     |<--+
  |  .SYS     wpview.exe    edit.com   |   |
  |  .BAT     wpview.exe    edit.com   |   |
  |  .LIB     wpview.exe    edit.com   |   |
  |  .OVL     wpview.exe    nu.exe     |   |
  |  .OVY     wpview.exe    nu.exe     |   |  +------ Select extension ------+
  |  .DRV     wpview.exe    nu.exe     |   |  |                              |
  |  .BAK     wpview.exe    nu.exe     |   |  |          Use keys:           |
  |  .ZIP     arcview.exe              |   |  |                              |
  |  .ARJ     arcview.exe              |   +--+   <Enter>    - Edit;         |
  |  .PAK     arcview.exe              |      |   <Up>,<Dn>  - Select;       |
  +------------------------------------+      |   Gray <+>   - Add;          |
                                              |   Gray <->   - Delete;       |
                                              |   <Esc>      - Quit.         |
                                              +------------------------------+

You may edit the file extension list for adding the extensions of files to
be  taken  under  control  by  Advanced  Diskinfoscope or for deleting the
extensions of files you no longer need to control.


ADDING AND DELETING FILE EXTENSIONS

To delete a file extension, select  the extension you want to delete  with
<Up> or <Dn> key, and then press gray <->.  Press <Esc> to quit the panel.

To add a file extension, press gray <+>.  At once the selection bar  jumps
to an  empty row  created at  the table  bottom. Type  the file extension.
After you are done,  press <Esc> to finish  or <Enter> to edit  the viewer
and editor columns.


EDITING THE VIEWER AND EDITOR COLUMNS

By editing the VIEWER and EDITOR fields, you may associate with each  file
extension a separate viewer and editor capable of displaying and reading a
file  with  a  particular  extension.   After  adding  or  deleting   file
extensions, while you are still  in the extension panel, press  <Enter> to
invoke EDIT MODE: immediately the  SELECT EXTENSION panel changes to  EDIT
MODE panel.

  +- Files: - Viewer ------ Editor ----+
  |  .COM     wpview.exe    nu.exe     |
  |  .EXE     wpview.exe    nu.exe     |<--+
  |  .SYS     wpview.exe    edit.com   |   |
  |  .BAT     wpview.exe    edit.com   |   |
  |  .LIB     wpview.exe    edit.com   |   |
  |  .OVL     wpview.exe    nu.exe     |   |
  |  .OVY     wpview.exe    nu.exe     |   |  +---------- Edit mode ---------+
  |  .DRV     wpview.exe    nu.exe     |   |  |                              |
  |  .BAK     wpview.exe    nu.exe     |   |  |          Use keys:           |
  |  .ZIP     arcview.exe              |   |  |                              |
  |  .ARJ     arcview.exe              |   +--+   <Enter>    - Done;         |
  |  .PAK     arcview.exe              |      |   <ESC>      - Cancel;       |
  +------------------------------------+      |   <Ins>      - Ins/Ovt;      |
                                              |   <Tab>      - field.        |
                                              |                              |
                                              +------------------------------+

To edit an item in the viewer or editor column of the file extension list,
press <Tab> to jump to an appropriate  column.  After  you  have  finished
editing  the  viewer and editor columns,  press <Enter> to save the edits.
You may edit the text  in  INSERT  or  OVERTYPE  mode,  by  toggling  your
preference  with  the  <Ins> key.  After you are done with editing,  press
<Enter> to finish. Press <Esc> to cancel the edit command.


SELECTING THE CRC TYPE

First arrow to the EXTENSION LIST from the SETUP PARAMETERS menu and press
<Enter> to drop down the local menu containing two items:  EXTENSIONS  and
CRC TYPE.  On choosing CRC TYPE and pressing <Enter>,  the screen displays
two panels as follows:

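  +- Files: - CRC type --+
  |  .COM     Fast       |
  |  .EXE     Fast       |<--+  +------------- CRC types selection ------------+
  |  .SYS     Full       |   |  |                                              |
  |  .BAT     Full       |   |  |   FAST CRCs provide virus protection  and    |
  |  .LIB     No CRC     |   |  |  high scan speed.  For full disk checks      |
  |  .OVL     No CRC     |   |  |  select FULL CRC.  But scan rate will be     |
  |  .OVY     No CRC     |   |  |  slower.  Use NO CRC for fast disk checks.   |
  |  .DRV     No CRC     |   +--+  for fast disk scanning                      |
  +----------------------+      |                                              |
                                |                  Use keys:                   |
                                |                                              |
                                |      <Up>,<Dn>,                              |
                                |      <Home>,<End> - select files,            |
                                |      <Space>      - select CRC type.         |
                                |                                              |
                                |      <Esc>,<Enter> - end selection           |
                                +----------------------------------------------+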

You can specify for each file  extension the type of CRC to  be calculated
while scanning.  The CRC  TYPES available  are FAST,  FULL and  NO CRC and
their functions are as follows:

  CRC TYPE           Function
 
  NO CRC           CRC for the file is not calculated.
 
  FAST CRC         provides safe virus protection at
                   sufficiently fast scanning rate for COM
                   and EXE files only.
  
  FULL CRC         guarantees complete control over data
                   security but at a slower scanning rate.
 

To specify the type of CRC for a file extension, choose CRC TYPE from  the
FILES  LIST  submenu  and  press  <Enter>.  Move  the selection bar to the
desired file extension with <Up> or <Dn> key and repeatedly press  <Space>
to set the CRC type you want. Finally, press <Enter> or <Esc> to finish.

The INFO UNDER CHECK menu contains seven items for setting the  parameters
so that ADinf may check the drives the way you want it to do.

Advanced  Diskinfoscope  can  check  all  the  files on your disks or only
those files whose  extensions you specify  in the file  extension list. If
you want to keep a strict  control over your disks, choose ALL  FILES from
the EXTENSIONS submenu  in INFO UNDER  CHECK submenu. But  if you want  to
save time,  you may  limit the  extensions of  files to  be checked.   The
previous section describes how to edit the file extension list.  The  list
of files  to be  scanned can  be specified  separately for  the COMMON and
PERSONAL  commands  in  the  OPTIONS  menu.  For COMMON tables the default
setting is BY LIST  to scan COM, EXE,  SYS, BAT, BIN, LIB,  OVL, OVY, DRV,
PIF and PGM files only.  This list is quite adequate to safeguard  against
virus infection.   For PERSONAL  tables the  default setting  is ALL FILES
and the list includes COM, EXE, SYS, BAT, BIN, LIB, OVL, OVY, DRV, BAK, ZIP,
ARJ, PAK, PIF  and PGM files.   You may however  edit the default  list of
file  extensions  and  thus  define  any  group  of files to put under the
stringent control of Advanced Diskinfoscope.

Using the STABLE FILES panel, you can specify a list of files which
should always remain intact. ADinf checks these files by their full CRC
and reports even the slightest modification it detects as suspicious. To
edit a file in this list, move the selection bar to its filename and
press <Enter>. A cursor appears. Now you can edit the filename as with
any text editor. Once you are done with editing, press <Enter>. Use <Del>
or <Bksp> to delete a filename from the list.

Using the BOOT-SECTORS panel, you can tell ADinf to check or not to  check
the boot-sector of a  drive. For this, move  to the drive name  letter and
repeatedly  pressing  <Enter>,  toggle  CHECK  or DON'T CHECK whichever is
appropriate.  You may have to switch off BOOT-SECTORS, particularly,  when
a drive is compacted with STACKER  because it modifies the boot sector  of
the drive it compresses.

Using the BAD CLUSTERS panel, you can tell ADinf to check or not to  check
for bad clusters newly created in a  drive.  You handle this panel in  the
same way as described in the previous paragraph.

Using the DIRECTORIES panel, you can  tell ADinf to check or not  to check
for changes (newly created and deleted directories) in the directory  tree
structure of a drive.

SKIP TREES. You can tell ADinf to skip its checks for those directories
that are frequently accessed or the directories containing frequently
edited files. To do this, ADinf must first have created its tables for the
drives in your machine (it creates these tables automatically when you run
it for the first time, and you can create them afresh any time you like by
choosing CREATE TABLES from the MODE title of the main menu). Then:

    1) select OPTIONS from the main menu,
    2) choose SETUP PARAMETERS from the OPTIONS submenu,
    3) choose INFO UNDER CHECK,
    4) choose SKIP TREES from the INFO UNDER CHECK submenu,
    5) arrow to the desired drive name letter in the list column at the
       left-edge of the panel,
    6) press TAB or ENTER to open an on-screen panel displaying the tree
       structure of the selected drive,
    7) arrow to the desired directory or subdirectory which you want to
       exclude from the ADinf checks and press Enter (you may also use
       your mouse).

The selected directory is then displayed in a contrasting color, while all
other directories are shown in black. In a checking session, Advanced
DiskinfoScope also scans those directories and subdirectories that you have
marked for exclusion from checks, only it does not produce a status report
for these directories and subdirectories, unless it judges them suspicious
(see SUSPICIOUS CHANGES below).

Using the HDP TABLES  panel, you can tell  ADinf to check or  not to check
the Hard Disk Parameters (HDP) tables  in the memory in BIOS area.   Press
<Enter> to  toggle between  TABLES ARE  UNDER CHECK  and TABLES  NOT UNDER
CHECK. A check mark near the  item indicates that it is currently  active.
By default, ADinf does not check the Hard Disk Parameter tables.


Using the  SS NEW  FILES panel,  you can  switch the  automatic search for
Stealth viruses in new  files ON and OFF.   For full information, see  the
Section SEARCHING FOR STEALTH VIRUSES.

TABLE FILE NAME.   By default, Advanced  DiskinfoScope saves its  diskinfo
table for each hard disk separately in a file in the same drive and  names
it  ADinfxͲ  (where  x  is   the  drive  name  letter).  The   viruses
specifically designed to dodge detection  by ADinf may alter the  contents
of the ADinf  diskinfo tables. To  fool such viruses,  you may rename  the
ADinf diskinfo table file as follows:

    1. select OPTIONS from the main menu,
    2. choose SETUP PARAMETERS from the OPTIONS submenu,
    3. choose TABLE FILE NAME.

In the on-screen  box  displaying  ADinfxͲ, type a new  name and press
Enter. If you make a typing mistake or want to change the file name,  back
up all the way to the first character and retype a new name.

On choosing PERS. TABLES  PATH from the SETUP  PARAMETERS menu, you get  a
pane for specifying the  full path of the  directory where you want  ADinf
to  save  the  diskinfo  tables.   If  no  path is specified, the personal
tables are saved in the directory where ADinf.exe is installed.

DRIVE ACCESS TYPE.  Using the DRIVE ACCESS TYPE command from the SETUP
PARAMETERS submenu of the OPTIONS menu, you can tell ADinf how it should
access a disk for checking infection -- through BIOS, INT 13h or
INT 25h/26h.  ADinf scans the disks partitioned by the DOS FDISK utility,
directly accessing them through BIOS. If necessary, you may tell ADinf to
access drives through INT 13h or INT 25h/26h. To do this,

    1. select OPTIONS from the main menu,
    2. choose SETUP PARAMETERS from the OPTIONS submenu,
    3. choose DRIVE ACCESS TYPE.

A panel will pop up on the screen displaying drive names and their  access
paths (BIOS by default). To change the access path of a drive:
    1. arrow to the drive name letter,
    2. specify your choice by  repeatedly  pressing the <Space> or <Enter>
       or clicking  the  left  button of your mouse to toggle from BIOS to
       INT 13h and then to INT 25h/26h,
    3. press <Esc> or click the mouse right button to finish.

TREEINFO.NCD FILE.  When this mode is selected, ADinf automatically
updates the drive TREEINFO.NCD file created by Norton Commander and the
Norton Change Directory utility. There is then no need to tell Norton
Commander to scan your drives to update these files, as ADinf compiles the
full tree structure of your drives and can write it to the TREEINFO.NCD
files. By default this mode is unselected.

On choosing  PATH TO  VIEWERS from  the SETUP  PARAMETERS menu,  you get a
pane  for  specifying  the  full  path  of the directories where ADinf may
search for external viewers and  editors.  You may specify  several paths,
separating them with an intervening semicolon [;].

Using the FILE  LIST SORTING command,  you can tell  ADinf to display  the
new,  changed,  deleted,  moved  and  renamed  files  in  its report after
sorting them either by the filename extensions or by directories.

SHERIFF SERIAL  NO.   Choosing this  command from  the submenu  of OPTIONS
title in the main menu, you may  type the first five digits of the  serial
number of  the Sheriff  protection firmware,  if it  is installed  in your
computer (refer to USING ADinf JOINTLY WITH SHERIFF).

Using the CURE FILE  SUPPORT item, you can  activate or disable the  ADinf
Cure Module  - the  separate program  ADinfExt.exe -  for curing either by
the personal or  by common diskinfo  tables.  For  this, select CURE  FILE
SUPPORT from the INFO UNDER CHECK menu and press <Enter>.  You get a  pane
displaying three items: ADINFEXT NAME, FOR COMMON TABLES and FOR  PERSONAL
TABLES.  Arrow to  your option and press  <Enter> to pull down  a pane for
setting SUPPORT or  DON'T SUPPORT.   For each drive  set your option  with
<Enter> to clean  or not to  clean the files  controlled by the  common or
personal diskinfo tables.

In the course of installation,  the setup program of the ADinf Cure Module
prompts you to rename the ADinfext.exe file in order to dodge the  viruses
that  damage  executable  files  whose  names begin with the letters ADIN.
ADinf automatically recognizes the renamed  ADinfext  program.  Using  the
ADINFEXT NAME option, you can change the name of this file.

At every start-up ADinf runs in interactive mode, executing the
parameters set in the previous session.  If the -i, -f, -s or -p options
are specified in the command line, ADinf additionally implements them.



                        USEFUL TIPS
IT IS ALWAYS SAFE:

     (1) to  run  some  anti-virus  utility,  say  the  very
         popular and effective V-Hunter (or SCAN), to  check
         your system for infection of known viruses prior to
         installing ADinf in your computer,

     (2) to run ADinf a few times a day, especially if  you
         swap floppies quite often,

     (3) to  prevent  accidental  damage,  loss  and  virus
         infection, make a copy  of the original ADinf  and
         never run the program from the original diskette.

IMPORTANT!!!  Whenever ADinf displays a warning or an error
              message,  REFER TO WARNING AND ERROR MESSAGES
              IN ADinf USER'S GUIDE FOR HELP AND REMEDY.


ADinf reads a disk by addressing BIOS directly. These calls cannot be
intercepted by computer infectors or by any other memory-resident
program.  Therefore disk read-write cache utilities may create certain
problems.  ADinf is friendly to disk-read caches but conflicts with a
write-cache utility, as both compete to address BIOS concurrently and
this is illegal. Such conflicts can be avoided in two ways:

1) Disable the write-cache program prior to starting ADinf; after ADinf
completes its checks, you may switch the cache back on again.
For instance, to hide your drives C and D from write-caching by
SmartDrv.exe, use the command:  SmartDrv C D and to switch it back again
use the command:  SmartDrv C+ D+.

2) The other way of avoiding this conflict is to tell ADinf to access  all
your drives, except drive  C, via Int 13.   For this, choose OPTIONS  from
the main menu, then choose  SETUP PARAMETERS from the submenu  and finally
choose DRIVE ACCESS  TYPE from the  local menu.   Arrow to the  drive name
letters in  your machine  one after  another and  repeatedly pressing  the
<Space> key, set "Int  13" as the drive  access path for all  drives.  For
the drive C, leave  the default setting as  it is.  After  this ADinf will
not conflict with  your write-cache utility,  but virus detection  becomes
somewhat less reliable.

NOTE:  Beginning from version 9.00 onward,  ADinf is fully compatible with
HyperDisk write-cache version 4.50 or later.  No problems arise with  this
cache utility.



HOLDING VIRUSES IN LEASH

     (1)  Never  leave  the  changes  reported  by  Advanced Diskinfoscope
          unattended. If you do not know the cause for such changes,  take
          immediate action to remedy the situation.

     (2)  If you are not able to understand the ADinf messages, call in
          expert service personnel to get help.

These two  simple measures,  if taken in time,  will help you to keep your
computer away from infectors which otherwise may  infiltrate  your  system
unnoticed.


SPEEDKEYS

You may use the following keyboard  shortcuts to speed up your work  in an
ADinf session:

  ESC              to abort ADinf scanning mission,
  Alt+D            temporary exit to DOS,
  Alt+V            to call any DOS command,
  Alt+S            to toggle sound ON or OFF
  Alt+P            to edit internal paths for viewers,
  F1               to get on-line help on key usage,
  F10              to end an ADinf session.



                             ADinf STRATEGY

HOW DOES ADinf INSPECT A DISK

When ADinf is started for the first time, it first reads vital information
about such parameters of  your system as the  memory size, the address  of
INT 13 handler  in BIOS, Hard  Disk Parameter Tables,  the MASTER-BOOT and
BOOT sectors, a list of  bad clusters, directory tree, information  on all
files under control, then creates a DISKINFO TABLE for every drive scanned
and saves  in it  the retrieved  information for  collation in  subsequent
checks. ADinf  also checks  whether INT  13h was  pointing to  BIOS or not
before DOS was loaded.

In all these check-ups ADinf, as already noted, scans your disk, sector by
sector, directly addressing  BIOS without the  use of INT  21h and 13h  in
order to detect memory-resident viruses that have intercepted these  vital
interrupts.

At every subsequent start, ADinf first reads the parameters listed above
and compares them with those saved in the diskinfo tables. In the course
of inspection it notes even the slightest modification in the size of
the memory allotted to DOS, the Hard Disk Parameter Tables, the MASTER
BOOT sector and the BOOT sectors of every logical drive, as well as new
bad clusters, directories and files newly created or deleted since the
last check, and changed files. After checking every drive under its
control, if ADinf judges a change in diskinfo to be "suspicious", it
immediately issues an on-screen WARNING to alert you to possible virus
infection.  If the changes are "harmless" (say, changes in file creation
date and time), it produces a SCAN REPORT. You can view the report in
interactive mode or save it in a log file.

ADinf regards a change as "suspicious" if a file is modified:

     a) without any change in date and time (most well-designed
        viruses do not change date and time);

     b) with an invalid date setting (greater than 31, 12,
        and the current number for day, month and year,
        respectively). Some viruses label infected files
        by setting such strange dates;

     c) with an invalid time setting (greater than 58, 59
        and 23 for second, minute and hour, respectively).

     d) For a file included in the STABLE FILES list, a change, however
        slight it may be, is reported as suspicious.

Good clusters may be marked  BAD by certain viruses for  hiding themselves
in them. ADinf also alerts about such situations.
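
The four criteria (a)-(d) above can be written as a small classifier over
two snapshots of a file's directory record. This is an added example in
Python, not ADinf's own code. It assumes the standard packed FAT date and
time words (the seconds field is stored halved, which is why 58 is the
largest valid value); the record layout, the function names and the sample
entries are constructed for the illustration.

```python
"""Added illustration of the "suspicious change" rules; not ADinf's own code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Entry:
    """One file record as an integrity table might keep it (layout assumed)."""
    name: str
    size: int
    crc: int        # checksum of the file contents
    fat_date: int   # FAT date word: (year - 1980) << 9 | month << 5 | day
    fat_time: int   # FAT time word: hour << 11 | minute << 5 | seconds // 2


def pack_date(year: int, month: int, day: int) -> int:
    return ((year - 1980) << 9) | (month << 5) | day


def pack_time(hour: int, minute: int, second: int) -> int:
    return (hour << 11) | (minute << 5) | (second // 2)


def unpack_date(word: int) -> Tuple[int, int, int]:
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def unpack_time(word: int) -> Tuple[int, int, int]:
    # Seconds are stored halved, so 58 is the largest valid decoded value;
    # raw field values 30 and 31 decode to 60 and 62.
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2


def date_is_invalid(word: int, current_year: int) -> bool:
    year, month, day = unpack_date(word)
    # A 5-bit day field cannot exceed 31, so in practice this rule fires on
    # a month of 13..15 or a year later than the current one.
    return day > 31 or month > 12 or year > current_year


def time_is_invalid(word: int) -> bool:
    hour, minute, second = unpack_time(word)
    return second > 58 or minute > 59 or hour > 23


def classify(old: Entry, new: Entry, stable: FrozenSet[str],
             current_year: int) -> List[str]:
    """Reasons a change is suspicious; [] means unchanged or harmless."""
    if old == new:
        return []
    reasons = []
    content_changed = (old.size, old.crc) != (new.size, new.crc)
    stamp_changed = (old.fat_date, old.fat_time) != (new.fat_date, new.fat_time)
    if content_changed:
        if not stamp_changed:
            reasons.append("modified without date/time change")   # rule a
        if date_is_invalid(new.fat_date, current_year):
            reasons.append("invalid date")                        # rule b
        if time_is_invalid(new.fat_time):
            reasons.append("invalid time")                        # rule c
    if new.name.upper() in stable:
        reasons.append("stable file changed")                     # rule d
    return reasons


def scan(baseline: Dict[str, Entry], current: Dict[str, Entry],
         stable: FrozenSet[str], current_year: int) -> Dict[str, List[str]]:
    """Map every changed file present in both snapshots to its reasons."""
    return {name: classify(baseline[name], entry, stable, current_year)
            for name, entry in current.items()
            if name in baseline and baseline[name] != entry}


# Constructed sample data: the saved table and the state found at the next check.
D, T = pack_date(1994, 5, 31), pack_time(6, 22, 0)
NEW_D, NEW_T = pack_date(1995, 2, 10), pack_time(14, 30, 12)
STABLE = frozenset({"COMMAND.COM"})
BASELINE = {n: Entry(n, 5883, 0x1A2B, D, T) for n in (
    "PROG.EXE", "TOOL.COM", "UTIL.EXE", "EDITED.BAT", "TOUCHED.SYS", "COMMAND.COM")}
CURRENT = {
    "PROG.EXE": Entry("PROG.EXE", 9889, 0x9F00, D, T),              # same stamp
    "TOOL.COM": Entry("TOOL.COM", 9889, 0x9F00, D, T | 31),         # 62 seconds
    "UTIL.EXE": Entry("UTIL.EXE", 9889, 0x9F00, pack_date(1994, 13, 1), NEW_T),
    "EDITED.BAT": Entry("EDITED.BAT", 6000, 0x7777, NEW_D, NEW_T),  # ordinary edit
    "TOUCHED.SYS": Entry("TOUCHED.SYS", 5883, 0x1A2B, NEW_D, NEW_T),  # stamp only
    "COMMAND.COM": Entry("COMMAND.COM", 6000, 0x7777, NEW_D, NEW_T),
}

if __name__ == "__main__":
    for name, reasons in scan(BASELINE, CURRENT, STABLE, 1995).items():
        print(f"{name:12} {'SUSPICIOUS: ' + ', '.join(reasons) if reasons else 'harmless'}")
```

Treating any difference at all as suspicious for a STABLE FILES entry is this
example's reading of rule (d).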



                      IF THINGS GO WRONG, ANYWAY...

RESPONDING TO ADINF SCAN REPORT MESSAGES

Regardless  of  the  operation  mode  -  batch  mode  or interactive mode,
Advanced  Diskinfoscope,  after  checking  a  drive,  always prints a SCAN
REPORT  on  the  screen,  whether  or  not  the  disk information has been
changed since the last check.

If there are no changes in disk information and the -a switch is not
included in the command line, you get the panel shown below:

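    +----------------------- Drive C: Scan Report -----------------------+
    |                                                                    |
    |    Current time is         23h 45m 13s    31 December 1991         |
    |    Tables were created at  23h 11m  6s    31 December 1991         |
    |                                                                    |
    |               133 directories and 1276 files scanned               |
    |                                                                    |
    |                         No changes found.                          |
    +- Press any key ... ------------------------------------------------+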

After  waiting  for  two  minutes  (counted  down in the highlighted bar),
unless you press a key  earlier, ADinf will automatically proceed  to scan
the next drive (if any) or return to the main menu.

When ADinf  detects changes  in any  one of  the vital  parameters of your
system, it highlights the changes of disk information in the scan report:

    +----------------------- Drive C: Scan Report -----------------------+
    |                                                                    |
    |    Current time is          0h  2m 12s     1 January  1992         |
    |    Tables were created at  23h 46m 22s    31 December 1991         |
    |                                                                    |
    |               133 directories and 1278 files scanned               |
    |                                                                    |
    +- Changes in Diskinfo ----------------------------------------------+
    |                                                                    |
    |       F2       Master boot sector : Okay.                          |
    |       F3              Boot Record : Okay.                          |
    |       F4          New Bad Cluster : None                           |
    |       F5          New Directories :    1                           |
    |       F6      Deleted Directories :    1                           |
    |       F7            Changed Files : None                           |
    |       F8                New Files :    9                           |
    |       F9            Deleted Files :    7                           |
    |       M               Moved Files : None                           |
    |       R             Renamed Files :    2                           |
    |                                                                    |
    +- Use: <Up>,<Dn>,<PgUp>,<PgDn>,<Enter>,<Esc> -----------------------+

The  report  is  quite  self-explanatory  and  therefore  we only describe
briefly how to handle it. Press the key in the first column near a changed
item to get detailed information about the changes. These keys,  however,
are inoperative, if ADinf  types "OKAY" or "NONE"  against an item in  the
scan report. The  <Up>, <Dn>, <PgUp>,  <PgDn> keys move  the selection bar
over the item list,  <Enter> opens the selected  item and <Esc> quits  the
table.

If ADinf judges that a change in any one of the items in the report is
"suspicious", it superimposes a warning panel on the scan report:

                +------------- ATTENTION!!! -------------+
                |     CHANGES IN YOUR COMPUTER SHOW      |
                |        SIGNS OF VIRUS ACTIVITY         |
                +----------------------------------------+


When you come across this warning message and the ADinf Cure Module
(ADinfExt.exe) is installed in your machine, pressing <ESC> brings up
the panel shown below:

      +------------ Do you wish to update diskinfo table ? ------------+
      |                                                                |
      |    UPDATE         DON'T UPDATE     CURE    SAVE LOG IN FILE    |
      +----------------------------------------------------------------+

If you select CURE, ADinf will continue its checks on the other drives.
After all the work is done, it will ask you to put a bootable floppy disk
with the ADinf Cure Module in drive A, and then it will reboot your system.

If ADinf  Cure Module  is not  available on  your machine,  then on seeing
this warning  message, immediately  abort the  ADinf program  and run some
antivirus utility, say V-Hunter or SCAN or any other program available  in
your system.   For this  purpose, first  press <Alt+V>  to invoke  the DOS
prompt  (see  the  section  SPEEDKEYS)  and  then  type  the command line:
V-Hunter * or SCAN C:  D: E:  F:.

Anti-virus utilities, despite their ability to detect and clean a large
number of viruses, are nevertheless limited in their efficacy: they
safeguard your computer only against the viruses they recognize and are
helpless if some new virus has infiltrated your machine. It is here that
Advanced Diskinfoscope comes to your rescue. Closely study the
"suspicious" changes it highlights in red in its scan report. If you
cannot diagnose the cause of these changes, call for knowledgeable
service personnel.

Certain viruses, while infecting a file, corrupt its creation time and
date. Although ADinf does not highlight such changes as "suspicious", if
you find rather a large number of files with changes or modifications in
system files like COMMAND.COM or NC.EXE, you must be on the alert and
remedy the situation.


CHANGES IN MEMORY SIZE

At every start ADinf checks the  amount of memory allotted to DOS.  It may
change  due  to  mechanical  faults  developed  in  the memory chips or to
installation of memory-resident programs  and drivers which occupy  higher
memory addresses. Many  viruses also reside  in higher addresses,  thereby
reducing the amount  of memory allotted  to DOS. When  the memory size  is
reduced, ADinf alerts you as follows

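          +---------------------- Attention! ----------------------+
          |         Memory size in your computer changed!          |
          |                                                        |
          |      Old size: 640k,  New size: 639k (Change 1k)       |
          |                                                        |
          |        May be, boot infector in your computer!         |
          |                                                        |
          |       SAVE NEW SIZE IN TABLE            CONTINUE       |
          +--------------------------------------------------------+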

If you know for certain why the DOS memory area has been changed, you  may
choose SAVE NEW SIZE  IN TABLE and press  <Enter>. ADinf will then  resume
scanning. The  new memory  size saved  in the  table will  be used  in all
subsequent  checking  sessions.  If  you  do  not  know the reason for the
changes  in  the  memory  size,  choose  CONTINUE  and  press  <Enter>. Be
attentive to every modification ADinf reports.

Memory size may also increase,  say, when you remove some  memory-resident
driver which  snatches memory  from DOS.  In such  cases ADinf  displays a
milder message:

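          +---------------------- Attention! ----------------------+
          |         Memory size in your computer changed!          |
          |                                                        |
          |      Old size: 639k,  New size: 640k (Change 1k)       |
          |                                                        |
          |       SAVE NEW SIZE IN TABLE            CONTINUE       |
          +--------------------------------------------------------+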

If  you  know  for  certain  why  the  DOS-resident  memory  area has been
increased, you  may choose  SAVE NEW  SIZE IN  TABLE and  press <Enter> to
resume scanning.


CHANGES IN MASTER BOOT SECTOR OR BOOT SECTOR

On detecting any change in the master boot sector containing the partition
table, or in the boot sectors of your drives, Advanced Diskinfoscope
alerts you with the warning message:

           Attention!

                        Boot record changed!

                   May be, virus in your computer!

              CONTINUE          RESTORE         MORE...

Choosing MORE..., you can compare the contents of your system tables
before and after modifications. If you are unable to decipher these
changes, stop work on your computer and call for qualified service
personnel.

If you are certain that the changes in your partition table or boot sector
are due to virus activity or to program bugs, you can easily restore the
previous sector by choosing RESTORE. When you press <Enter>, ADinf will
confirm your intention by displaying a query:

               ARE YOU QUITE SURE ?

                     YES                  NO

If you answer YES, ADinf will repair your system by copying the images  of
the original sectors saved in its diskinfo tables.

Before proceeding to restore the sector,  ADinf will prompt you to type  a
name for the  file to save  the infected boot  sector for future  detailed
analysis. If you don't want to save the infected boot sector, simply press
<Esc> to clear the query panel.

After repairing the partition table or the boot sector, ADinf will
recommend that you reboot your system. Please do reboot the system -
otherwise the virus may remain in the memory and reinfect your disk.
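
The before-and-after comparison offered by MORE... can be pictured with the
added example below, which is not ADinf's code: it compares a saved image of
the master boot sector with the current one and reports whether the boot
code, a partition table entry or the 55AAh signature changed. The standard
MBR layout is assumed; the function names and both sector images are
constructed for the illustration.

```c
/* Added example: which region of a master boot sector changed? */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE   512
#define PART_TABLE    0x1BE   /* four 16-byte partition entries start here */
#define PART_ENTRY    16
#define SIGNATURE_OFF 0x1FE   /* 0x55 0xAA boot signature */

/* Flags naming the regions in which the two images differ. */
enum {
    CHG_BOOT_CODE = 1 << 0,   /* bytes 0x000..0x1BD */
    CHG_PART0     = 1 << 1,   /* partition entries 0..3 occupy bits 1..4 */
    CHG_SIGNATURE = 1 << 5
};

/* Compare saved and current images; return the region mask and store the
   number of differing bytes in *nbytes. */
unsigned diff_mbr(const uint8_t *saved, const uint8_t *current, int *nbytes)
{
    unsigned mask = 0;
    int count = 0;
    for (int i = 0; i < SECTOR_SIZE; i++) {
        if (saved[i] == current[i])
            continue;
        count++;
        if (i < PART_TABLE)
            mask |= CHG_BOOT_CODE;
        else if (i < SIGNATURE_OFF)
            mask |= (unsigned)CHG_PART0 << ((i - PART_TABLE) / PART_ENTRY);
        else
            mask |= CHG_SIGNATURE;
    }
    *nbytes = count;
    return mask;
}

/* Constructed baseline: one active FAT16 partition, valid signature. */
void make_saved(uint8_t *s)
{
    memset(s, 0, SECTOR_SIZE);
    s[0] = 0xFA;                    /* first boot-code byte */
    s[PART_TABLE] = 0x80;           /* entry 0: active flag */
    s[PART_TABLE + 4] = 0x06;       /* entry 0: partition type 06h */
    s[SIGNATURE_OFF] = 0x55;
    s[SIGNATURE_OFF + 1] = 0xAA;
}

int main(void)
{
    uint8_t saved[SECTOR_SIZE], now[SECTOR_SIZE];
    int n;
    make_saved(saved); make_saved(now);
    now[0] = 0xEB; now[1] = 0x3C;   /* constructed change inside boot code */
    now[PART_TABLE + 16] = 0x80;    /* constructed change in entry 1 */
    unsigned m = diff_mbr(saved, now, &n);
    printf("%d bytes differ\n", n);
    printf("boot code: %s\n", (m & CHG_BOOT_CODE) ? "CHANGED" : "same");
    for (int e = 0; e < 4; e++)
        printf("partition entry %d: %s\n", e,
               (m & ((unsigned)CHG_PART0 << e)) ? "CHANGED" : "same");
    printf("signature: %s\n", (m & CHG_SIGNATURE) ? "CHANGED" : "same");
}
```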


NEW BAD CLUSTERS

New bad clusters may appear on your disk in two different ways. When a
disk manager like Norton Disk Doctor is run to test the disk surface,
unusable clusters are marked BAD by these diagnostic programs. In such
cases the message on new bad clusters in the scan report is unimportant
and ADinf will not warn about new bad clusters in subsequent sessions.

If you have not tested your disk with such a diagnostic program, new
bad clusters, if any, are evidently due to recent virus infection.
Continue to check your disk and pay special attention to all changes
reported by ADinf. As a rule, a virus hiding in a cluster which it marks
BAD to dodge detection inevitably corrupts the boot sector, partition
table or files, as the virus obtains control from them for its malicious
activity.
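
How such a check can work, as an added example (not ADinf's code): it
compares a baseline copy of the file allocation table with the current one
and lists the clusters that have become BAD, together with what each entry
held before. FAT16 is assumed, and the function names and both sample tables
are constructed for the illustration.

```c
/* Added example: clusters marked BAD since the baseline (FAT16 assumed). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FAT16_BAD          0xFFF7u  /* FAT16 value for an unusable cluster */
#define FIRST_DATA_CLUSTER 2u       /* entries 0 and 1 are reserved */

struct new_bad {
    unsigned cluster;     /* cluster number now marked BAD */
    uint16_t old_value;   /* its FAT entry in the baseline copy */
};

/* FAT16 entries are 16-bit little-endian, one per cluster. */
static uint16_t fat16_entry(const uint8_t *fat, unsigned cluster)
{
    return (uint16_t)(fat[2 * cluster] | (fat[2 * cluster + 1] << 8));
}

/* Report clusters that are BAD in new_fat but were not BAD in old_fat.
   Returns the total found; at most max results are stored in out. */
size_t find_new_bad(const uint8_t *old_fat, const uint8_t *new_fat,
                    unsigned entries, struct new_bad *out, size_t max)
{
    size_t n = 0;
    for (unsigned c = FIRST_DATA_CLUSTER; c < entries; c++) {
        uint16_t before = fat16_entry(old_fat, c);
        if (fat16_entry(new_fat, c) != FAT16_BAD || before == FAT16_BAD)
            continue;
        if (n < max) {
            out[n].cluster = c;
            out[n].old_value = before;
        }
        n++;
    }
    return n;
}

/* Constructed sample FATs, 8 entries each. Cluster 5 was already BAD in the
   baseline; cluster 6 (free before) and cluster 7 (in use before) are new. */
const uint8_t OLD_FAT[16] = { 0xF8,0xFF, 0xFF,0xFF, 0x03,0x00, 0xFF,0xFF,
                              0x00,0x00, 0xF7,0xFF, 0x00,0x00, 0xFF,0xFF };
const uint8_t NEW_FAT[16] = { 0xF8,0xFF, 0xFF,0xFF, 0x03,0x00, 0xFF,0xFF,
                              0x00,0x00, 0xF7,0xFF, 0xF7,0xFF, 0xF7,0xFF };

int main(void)
{
    struct new_bad hits[8];
    size_t n = find_new_bad(OLD_FAT, NEW_FAT, 8, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("cluster %u newly BAD (was %s, old entry %04X)\n",
               hits[i].cluster,
               hits[i].old_value == 0 ? "free" : "in use",
               (unsigned)hits[i].old_value);
    if (n == 0)
        puts("no new bad clusters");
}
```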


CHANGES IN DIRECTORY SYSTEM

Advanced Diskinfoscope, as already noted in the overview, is not just an
anti-virus utility. It is a full-fledged diagnostic center - it detects
any change that has occurred in the diskinfo. For example, the sample scan
report reproduced above shows that one directory has been newly created
since the last check. On pressing F4, the directory tree of the drive
scanned is displayed, highlighting the name of the newly-created directory
(EXAMPLE) in a contrasting color (yellow):

                New directories

                 \
                   EXAMPLE
                   EXE
                   WINDOWS
                   DOC
                     HELP!
                     INTERRPT
                       A
                       B
                       C
                     DOS.DOC
                   BC
                     LIB
                     BIN
                     INCLUDE

                Full Name:
                C:\EXAMPLE
                Files:<Enter>; Exit:<ESC>

Move the selection bar with  <Up>,<Dn>,<PgUp>,<PgDn> keys over any one  of
the  directories  and  press  <Enter>.  A  panel displays the files in the
directory that are under control. If there are no files under control, you
get a NO FILES UNDER CHECK message. Press <Esc> [or <Enter>] to clear  the
panel. Now on pressing  <Esc> to clear the  scan report panel, ADinf  will
respond:

      Do you wish to update diskinfo table ?

            UPDATE            DON'T UPDATE       SAVE LOG IN FILE

To save the SCAN REPORT in a file, choose SAVE LOG IN FILE and press
<Enter>. You are prompted to type a name for the log file. Either accept
the name proposed in the panel (the report is saved in a log file in the
directory where ADinf is installed) or type a name, indicating the path,
say, C:\ADINF\ADINF.log\<filename>, and press <Enter>. If you have not
specified the pathname properly or if the diskette is write-protected,
ADinf will respond:

        Warning!

                 Cannot create file for writing log file.

                                Press ESC

Fix up the mistake and press  <Enter>. After saving the report in  the log
file, ADinf  will reprint  the above  panel on  the screen.  Choose either
UPDATE or DON'T UPDATE and press <Enter> to clear the panel.

Likewise, if you open a deleted directory entry highlighted  in  the  scan
report,  the  panel  displays  a  list of files that were in the directory
before deletion.


CHANGES IN FILE SYSTEM

If the ADinf scan report shows any newly created, renamed, moved, deleted
or changed files, you can get detailed information about these changes.
The sample scan report shows that nine new files have been created in
drive C since the last check. Press the F8 key and you get a panel listing
the names of all newly created files.

                New files

                C:\ADINF\ADINF.LOG
                C:\WORD\ADINFMAN.DOC
                C:\PCX\PCXGRAB.EXE
                C:\PCX\README.TXT
                C:\NC\INREAD.TXT
                C:\WINWORD\HELP.DOC
                C:\WINDOWS\CONTROL.EXE
                C:\WINDOWS\CONTROL.HLP
                C:\MASTER\MANUAL.LST

                File information:
                Date :  1 January 1992
                Time :  0h  15m 12s
                Length: 1962
                View<F3>;Edit<F4>;Delete<Del>;Exit:<Esc>




VIEWING AND EDITING FILES OF CHANGED INFORMATION

To  view  and  edit  one  of  these  files  in  the  panel, first move the
selection bar onto the desired file  with <Up> or <Dn> key and  then press
<Alt+F3> or <Alt+F4>  to view or  edit it. If  a viewer and  an editor are
associated with the  extension of the  file under consideration,  then the
file is at  once opened on  pressing these keys  for viewing and  editing.
The directories where ADinf searches for external viewers and editors  are
specified  in  a  list  showing  their  full  pathnames  separated  by   a
semicolon.   You can  edit this  list, choosing  OPTIONS->PATH TO  VIEWERS
from the main menu or pressing  the key combination <Alt+P>. If no  viewer
or  editor  is  specified  in  the  FILE  EXTENSION  LIST (see the section
REVISING  THE  FILE  EXTENSION  LIST),  you  will  be prompted to select a
MASTER viewer  or an  editor, depending  on the  keys pressed.   Type  the
command line of the viewer or editor and press <Enter>.  Or you may  press
<Esc> to  cancel the  command. Pressing  <F3>, you  may also  use a simple
built-in viewer activated via BIOS.

If the viewer associated with a file extension is unsatisfactory, you can
use the MASTER VIEWER and MASTER EDITOR toggle keys <Shift+F3> and
<Shift+F4>, respectively, to quickly change over to another viewer or
editor and see whether a better display is possible. On pressing these
keys, you are prompted to select a MASTER VIEWER or MASTER EDITOR program.
Type the name of some other viewer or editor and press <Enter>. Thereafter
you can view or edit the file with the help of the newly appointed viewer
or editor. Press <Esc> to cancel the SELECT MASTER VIEWER or MASTER EDITOR
panel.

To delete a file of changed  information, first move the selection to  the
name of  the file  and then  press <Del>.  ADinf will  then ascertain your
intention by an on-screen  query and will delete  the file only after  you
confirm your decision.

NOTE. External viewers and editors do not display many of the Stealth
viruses because the disk is read through DOS, though ADinf detects them by
scanning the disk with the help of BIOS. Use the simple built-in viewer
(pressing the F3 key) in such cases.



                       ERROR AND WARNING MESSAGES

Advanced Diskinfoscope is an intelligent and user-friendly system.
Whenever it considers a situation precarious, it alerts you by displaying
a warning message, and whenever it finds your action or response illegal
or unwarranted, it displays an error message. The following is an
alphabetical list of error and warning messages that may be displayed on
the screen while you are running ADinf on your computer. The cause of
each message, followed by a brief description of the actions you can take,
is also given under each item.


BEFORE DOS WAS LOADED INT 13H WAS ADDRESSED TO RAM (NOT TO ROM BIOS).

This warning  may appear  when ADinf  is started  on your  machine for the
first time. At the first start  ADinf determines the value of the  INT 13h
vector before DOS was loaded  and checks whether the vector  was addressed
to BIOS or not. If not, ADinf displays this warning message and determines
the address of INT 13h by another method.
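
The memory-size check described earlier and the INT 13h check behind this
message can be combined. The added example below (not ADinf's code) reads
both values from a constructed snapshot of the first 500h bytes of memory,
assumed to be taken before DOS loads, and goes one step beyond the manual by
flagging a handler that lies inside the memory that disappeared. The vector
table and 0040:0013 offsets are standard PC BIOS locations; the C0000h ROM
boundary and all function names are assumptions of the example.

```c
/* Added example: two boot-time checks on a constructed low-memory snapshot. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SNAP_SIZE  0x500         /* interrupt vector table + BIOS data area */
#define IVT_INT13  (0x13 * 4)    /* vector entry: offset word, segment word */
#define BDA_MEM_KB 0x413         /* 0040:0013, base memory size in KB */
#define ROM_START  0xC0000ul     /* assumed start of adapter ROM / ROM BIOS */

enum verdict { V_OK, V_MEM_CHANGED, V_INT13_IN_RAM, V_INT13_IN_LOST_MEM };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

uint16_t base_mem_kb(const uint8_t *low) { return rd16(low + BDA_MEM_KB); }

/* Real-mode segment:offset of the INT 13h handler as a linear address. */
uint32_t int13_linear(const uint8_t *low)
{
    return ((uint32_t)rd16(low + IVT_INT13 + 2) << 4) + rd16(low + IVT_INT13);
}

/* saved_kb is the memory size recorded at the last trusted check. */
enum verdict assess(const uint8_t *low, uint16_t saved_kb)
{
    uint32_t top_now = (uint32_t)base_mem_kb(low) * 1024;
    uint32_t top_old = (uint32_t)saved_kb * 1024;
    uint32_t handler = int13_linear(low);

    /* Strongest signal: the disk handler sits in the memory that vanished. */
    if (top_now < top_old && handler >= top_now && handler < top_old)
        return V_INT13_IN_LOST_MEM;
    if (handler < ROM_START)
        return V_INT13_IN_RAM;
    return top_now != top_old ? V_MEM_CHANGED : V_OK;
}

/* Build a constructed snapshot with the given vector and memory size. */
void make_snapshot(uint8_t *low, uint16_t seg, uint16_t off, uint16_t kb)
{
    memset(low, 0, SNAP_SIZE);
    low[IVT_INT13]      = (uint8_t)(off & 0xFF);
    low[IVT_INT13 + 1]  = (uint8_t)(off >> 8);
    low[IVT_INT13 + 2]  = (uint8_t)(seg & 0xFF);
    low[IVT_INT13 + 3]  = (uint8_t)(seg >> 8);
    low[BDA_MEM_KB]     = (uint8_t)(kb & 0xFF);
    low[BDA_MEM_KB + 1] = (uint8_t)(kb >> 8);
}

int main(void)
{
    static const char *names[] = { "ok", "memory size changed",
        "INT 13h points to RAM", "INT 13h points into the lost memory" };
    uint8_t low[SNAP_SIZE];
    make_snapshot(low, 0xF000, 0xEC59, 640);   /* vector in ROM, 640k */
    printf("%s\n", names[assess(low, 640)]);
    make_snapshot(low, 0x9FC0, 0x0000, 639);   /* vector in the missing 1k */
    printf("%s\n", names[assess(low, 640)]);
}
```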


CANNOT CREATE FILE FOR WRITING LOG

ADinf reports that it cannot create a file for writing the log if you do
not properly specify the pathname or if the diskette is write-protected.


CANNOT START PROGRAM

When you called some external viewer or editor, ADinf failed to start the
program due to lack of memory space or because the directory containing
the program is not specified in the PATH= settings.


DISK x: ACCESS DENIED.

With this message ADinf reports that it cannot read the BOOT sector of
the drive under check, for example, if the diskette is not inserted into
the drive.


ERROR WHILE CHECKING DRIVE

ADinf was not able to read the sectors in the drive being scanned. Restart
ADinf once again and if the error message is repeated, test your hard disk
with some diagnostic tool.


ERROR WHILE RESTORING

This message  is displayed  when ADinf  encounters a  writing error  while
restoring the MASTER-BOOT or the  BOOT-sector. Try to restore your  system
by running ADinf once again. And if the error is repeated, test your  hard
disk with some diagnostic tool.


ERROR WHILE WRITING LOG FILE

ADinf reports that it cannot create a file for writing the log if you do
not properly specify the pathname, if the diskette is write-protected or
when there is not enough room for writing the log file.


LOG IS NOT SUPPORTED IN NONCOMMERCIAL VERSION!
PLEASE, BUY A FULL-FLEDGED ADINF VERSION.

The message is straightforward and needs no explanation.


ERROR WHILE WRITING TABLE

This message is displayed when the diskette is write-protected or when
there isn't enough room to write the tables.


INSUFFICIENT MEMORY.

This message tells you that ADinf failed to execute some operation due  to
lack of memory space. If you get this message, remove unnecessary  memory-
resident programs  and drivers,  reboot your  system and  start ADinf once
again.


INVALID KEY

ADinf displays this error message if you have typed an invalid drive in
the command line or you have forgotten to type a hyphen or a slash before
the command options. Check your command line and restart the program.


INVALID OPTION IN COMMAND LINE

ADinf displays this error message if you type an invalid option in the
command line. Check your command line and restart the program.


LENGTH OF ADINF.EXE FILE CHANGED

This message is displayed when ADinf is infected. If you get this message,
continue scanning  and carefully  note the  changes reported  by ADinf and
take appropriate measures.


MAY BE, ADINF.EXE FILE INFECTED
PAY SPECIAL ATTENTION TO CHANGES IN FILES

At every start the full-scale Advanced Diskinfoscope version runs  special
tests to detect self-infection. If you get this message, continue scanning
and carefully  note the  changes reported  by ADinf  and take  appropriate
measures.


NO DISKINFO TABLE FOR DRIVE X:

This message may appear under several circumstances:

     1. No diskinfo tables were ever created for the drive;
     2. Diskinfo tables were created with a different
        version of Advanced Diskinfoscope;
     3. Diskinfo tables have been corrupted;
     4. The TABLES item in OPTIONS menu is not properly set;
        for example, you might have created them using the
        COMMON tables option, but you are now testing the
        machine under the PERSONAL tables option or vice
        versa;
     5. You have changed the path to personal tables in PERS. TABLES PATH
        item in SETUP PARAMETERS.

The cause for the  error that generated this  warning is diagnosed in  the
message bar at the  bottom line of the  screen.  ADinf will  prompt you to
create new tables to fix up the problem.


SORRY, ILLEGAL ADINF COPY, SIR!
              NEITHER SHALT THOU STEAL.
                       THE TEN COMMANDMENTS

ADinf is copy-protected. If you  install an illegal copy on  your computer
it will refuse to function and display the above message. This message may
also appear when you try to copy even a legally purchased program from one
computer  to  another.  In  such  cases,  reinstall  the  program from the
original diskette.


THERE ARE MORE THAN xxx DIRECTORIES

To check a disk at a fast scan rate, ADinf creates diskinfo tables in the
memory. The maximum number of tables which ADinf can construct is defined
in its source code. You get this message if your disk contains more
directories than the threshold value (rather a rare situation in
practice). The designer, however, will be glad to correct the threshold
specifically for you, so please contact him.


THERE ARE MORE THAN xxx FILES ON THE DISK.

The cause of this message is the same as in the case of the message  THERE
ARE MORE THAN xxx DIRECTORIES. First,  try the BY LIST option in  the LIST
menu - if it does not work, then from the FILE EXTENSION LIST delete a few
extensions of files that do not need strict inspection for viruses.


THE NUMBER OF PHYSICAL HARD DRIVES HAS CHANGED:
OLD: 0, NEW 0

This message is displayed whenever you add or remove a physical disk from
your computer. In such cases, use CREATE TABLES from the MODE title of the
main menu to create tables for your reconfigured system afresh. If you get
this message when no changes have been made to the configuration of your
system, there is probably some virus in your computer.


HARD DISK PARAMETER TABLE IN BIOS VARIABLES AREA
FOR PHYSICAL DRIVE 80H CHANGED!

ADinf complains of such changes whenever you replace the hard drive in
your system. In such cases, choose SAVE NEW INFO from the on-screen
warning message panel and press <Enter>. ADinf will do the rest for you.
If, however, you have not replaced the hard drive, this message may
warn of a virus attack on your computer. In such cases, choose MORE INFO
from the on-screen warning message panel and press <Enter> to obtain
detailed information about your Hard Disk Parameter Table. Certain
memory-resident programs or some BIOSes may modify the HARD DISK PARAMETER
TABLE, and if you frequently get this message, you may disable the check
by choosing the TABLES NOT UNDER CHECK command. Its menu path is as
follows: OPTIONS -> SETUP PARAMETERS -> INFO UNDER CHECK -> HDP TABLES
-> TABLES NOT UNDER CHECK. By default, this check is disabled.


WRONG PATH.
PRESS ALT+P TO SPECIFY PATHS. MULTIPLE PATHS ARE ALLOWED;
A SEMICOLON (;) MUST SEPARATE PATHS.

You  get  this  message  when  ADinf  doesn't  find any external viewer or
editor.   Directories  where  ADinf  searches  for  external  viewers  and
editors  must  be  specified  in  a  pane  showing  their  full  pathnames
separated by a semicolon ';'.  You can edit this list, choosing OPTIONS ->
PATH TO VIEWERS from the main menu or pressing <Alt+P>.


                             ACKNOWLEDGMENTS

The idea  of writing  Advanced Diskinfoscope  crystallized in  a series of
discussions and disputes. The program was initially compiled in 1989 as  a
simple  Disk  Inspector  (Dinf)  which  today  has  grown  into a powerful
diagnostic tool to keep  in line with the  suggestions and remarks of  its
numerous users and well-wishers. I express my sincere gratitude to  Vitaly
Ladygin  for  donating  countless  hours  in  developing  the   underlying
principles of  the program  and for  writing two  subroutines of ADinf, to
Prof. Nikolai Bezrukov for advice and encouragement, to Aleksandr V.
Lapinsky for valuable suggestions on MS Windows support, to Yuri V.
Kravatsky for designing the pseudographic mouse cursor support library, to
Aleksandr S. Samotokhin for extending his helping hand with his
unfathomable knowledge of videoadapters whenever I needed it and finally to
Dr. Naidu Psv for taking upon himself the tedious task of thoroughly
revising and translating the Russian manuscript of the USER'S GUIDE.


                               REFERENCES

     ADinf    is a registered trademark of DialogueScience Inc., Moscow,
              Russia.

     MS-DOS and WINDOWS are registered trademarks of Microsoft
              Corporation, USA.

     DR-DOS   is a registered trademark of Digital Research Corporation,
              USA.

     IBM PC XT/AT PS2 and PC DOS are registered trademarks of
              International Business Machines Corporation, USA.

     SCAN     is a registered trademark of McAfee Associates, USA.

     NORTON UTILITIES is a registered trademark of Symantec Corporation,
              USA.

     V-Hunter is a registered trademark of DialogueScience Inc., Moscow,
              Russia.

     SHERIFF  is a trademark of DialogueScience Inc., Moscow, Russia.

     STACKER  is a trademark of Stac Electronics, USA.

     HERCULES is a registered trademark of Hercules Computer Technology
              Inc., USA.

    Other names  are  the  registered  trademarks or the trademarks of the
    respective companies.


DialogueScience, Inc.,
Ul. Vavilov 40, Room No.103-a,
Moscow 117967 GSP-1, Russia.

Tel/Fax: (+7-095) 938-2970, 137-0150
BBS:     (+7-095) 938-2856 (14400/V.32bis, 19200/ZyXEL) - general line
         (+7-095) 938-2969 (14400/V.32bis, 19200/ZyXEL) - subscribers only
FidoNet: 2:5020/69 , 2:5020/69.4
E-mail : lyu@dials.msk.su   - Sales and Support Department
         root@dials.msk.su  - Modem link service
         dmost@dials.msk.su - ADinf author
