Armed with F-PROT 2.24 on a write-protected 3.5" floppy disk I tackled the infected machine.
First of all I wanted to be sure that the computer was infected. So I let it boot normally, then ran F-PROT from the floppy, which halted during the RAM test with this warning:
It's a pretty alarming message.
So I booted it off a DOS 3.2 floppy disk (write protected) and ran a second scan. This time the memory was clean but it obviously detected Junkie in the hard disk MBR, which could not be cleaned. That was expected. Unfortunately DOS on that floppy would not recognise the hard disk, so I could not issue the [FDISK /MBR] command.
What's the infected program?
Time for a... reinstall! This time I used the three 3.5" floppies with MS-DOS 5.0, booted off the first one and followed the guided procedure. We should note that since it detected a formatted HDD, there was no need to format the disk and wipe the content: it simply copied itself over C:\DOS. Unfortunately this probably left me with an infected MBR, and at the end of the install process it wanted to reboot. Hitting F-keys I managed to get a DOS prompt where I could run FDISK /MBR (maybe the setup wizard had already done that, but I preferred to avoid a second reinstall).
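Why FDISK /MBR is the right tool here, and why the freshly installed DOS survived it, comes down to the layout of sector 0. The following is an added example, not code from the original post: it models a 512-byte PC master boot record (446 bytes of bootstrap code, a 64-byte partition table of four 16-byte entries, and the 0x55 0xAA signature), simulates a boot-sector infector overwriting the bootstrap area, and then does what FDISK /MBR does, which is to rewrite only the bootstrap code and signature while leaving the partition table untouched. The bootstrap bytes, the "infection" filler and the partition entry are all constructed stand-ins; none of it is real MS-DOS boot code or Junkie's code.

```python
"""
Added example: model of a PC master boot record and of the FDISK /MBR repair.
All byte patterns below are constructed for illustration only.
"""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446                       # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446                      # bytes 446..509: 4 entries x 16 bytes
PART_ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"                    # bytes 510..511

# Constructed stand-in for clean bootstrap code (NOT real MS-DOS boot code).
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (BOOT_CODE_LEN - 5)

# Constructed partition table: one bootable FAT16 primary partition at LBA 63.
SAMPLE_PARTITIONS = [
    (0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x1F", 63, 65_536),
]


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and up to four partition entries."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("bootstrap code must be exactly 446 bytes")
    if len(partitions) > 4:
        raise ValueError("an MBR holds at most four primary partition entries")
    table = b"".join(PART_ENTRY.pack(*p) for p in partitions)
    table += b"\x00" * (4 * PART_ENTRY.size - len(table))   # unused entries are all zero
    return boot_code + table + BOOT_SIG


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into bootstrap code, in-use partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be one 512-byte sector")
    entries = [
        PART_ENTRY.unpack_from(sector, PART_TABLE_OFF + i * PART_ENTRY.size)
        for i in range(4)
    ]
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": [e for e in entries if e[2] != 0],   # partition type 0 = unused slot
        "signature_ok": sector[510:] == BOOT_SIG,
    }


def boot_code_matches(sector: bytes, reference: bytes) -> bool:
    """A scanner-style check: does the bootstrap area equal a known-good copy?"""
    return parse_mbr(sector)["boot_code"] == reference


def simulate_infection(sector: bytes) -> bytes:
    """Constructed: overwrite the bootstrap area with filler and leave the table alone,
    mimicking the observable effect of a boot-sector infector (not Junkie's real code)."""
    junk = bytes((i * 37 + 11) & 0xFF for i in range(BOOT_CODE_LEN))
    return junk + sector[BOOT_CODE_LEN:]


def fdisk_mbr(sector: bytes, clean_code: bytes) -> bytes:
    """What FDISK /MBR does: fresh bootstrap code and signature, partition table preserved."""
    table = sector[PART_TABLE_OFF:PART_TABLE_OFF + 4 * PART_ENTRY.size]
    return clean_code + table + BOOT_SIG


if __name__ == "__main__":
    clean = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
    infected = simulate_infection(clean)
    print("infected boot code matches clean:", boot_code_matches(infected, CLEAN_BOOT_CODE))
    print("partition table intact after infection:",
          parse_mbr(infected)["partitions"] == parse_mbr(clean)["partitions"])
    repaired = fdisk_mbr(infected, CLEAN_BOOT_CODE)
    print("repaired sector identical to clean:", repaired == clean)
```

The model shows the two properties the post relies on: the partition table, and therefore the file system with the fresh C:\DOS on it, is untouched by the infection and by the repair, and the repair is only meaningful once the virus is no longer resident, which is why the scan and the FDISK run were done after booting from a write-protected floppy rather than from the hard disk.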
1996 F-PROT in 2024 action!
Rebooted from HDD. Loaded F-PROT from the floppy and let it scan the disk. It located two infected .COM files that I remember having executed, which were cleaned. Now we're ready to go. No, there's the pile of 5.25" floppies I DIR'ed to check!

So I spent more than a few minutes scanning all 5.25" disks that were within hand's reach and found nothing. In order to prevent similar mistakes I have now write-protected these apparently clean disks.

Side note on F-PROT. The executable can be run with the /OLD option to bypass the "signatures expired" block. Apparently /OLD on 2.24 does not work, so I simply set the system date a month later than the signature timestamp.