Tim O'Leary Anti Virus Page
 
If you find this site useful, please send me a brief email to tell me or with suggestions to make it easier to use.


How to Handle a Virus Attack


What to do when you suspect a virus

  • Do not panic. Virtually any virus can be removed without reformatting a hard drive or diskette.
  • Obtain the latest version of at least two of the better anti-virus products which detect/remove viruses.

Currently, the following products seem to be amongst the better Scanner/Remover products - which can be used after the infection has occurred:

  • Also have on hand utility programs such as Norton Disk Doctor and Central Point's DiskEdit, if at all feasible.

  • On an uninfected computer, UNZIP each package onto a diskette and write-protect the diskette. A system-formatted (bootable) diskette is best, but is not necessary if the original DOS or OS/2 diskettes are available.
  • Turn the computer suspected of being infected off. Put the boot diskette into drive A. Turn on the computer. This is known as a cold boot and is required for certainty in removing viruses.
  • When the computer has booted up, replace the DOS or OS/2 boot disk with the Anti-Virus product disk, unless the A-V product diskette is also a boot disk. Then run the A-V product from Drive A as per its instructions.

    For F-PROT the command line recommended is:
    F-PROT /HARD /ALL /DISINF /REPORT=C:FPROT.RPT

    F-PROT will be used for the remainder of the example, but only as an example. Each of the other products uses its own command structure but can be used the same way.

  • If F-PROT reports that drive C is missing, a virus such as Monkey, which hides or encrypts the partition table, is probable. Repeat the scan without the /REPORT switch on the command line. Do not run FDISK /MBR if this happens.
  • If a virus is reported, one of three things will happen: you will be offered the choice of stripping the virus out of the infected programs; you will be told the infected program must be deleted (if the virus overwrites its host); or the file will be flagged only as a suspected virus, in which case the decision is yours, because the A-V product will not remove or delete anything unless it has an exact identification.

Decide according to your requirements. If a virus is exactly identified, it can be stripped out or the infected program deleted. Otherwise you must decide whether to delete the suspect file(s). You should have the original application diskettes on hand so that you can replace the damaged programs; that is always the best course of action. If you do not have them, then attempt to strip out the virus.

  • When the virus infected programs are removed/replaced, repeat steps 4-7 to be sure the computer is clean of viruses. Then check every diskette that has been near the computer - at least one is probably infected. This is always true if the virus is a boot sector virus - virus droppers for them are rare.

  • Install the A-V product's TSR program as early in CONFIG.SYS or AUTOEXEC.BAT as possible. Read the documentation for the TSR to determine its requirements. For F-PROT, the TSR is VIRSTOP, and the best choice is to load it as a device driver in CONFIG.SYS, similar to the following:

    devicehigh=c:\FPROT\VIRSTOP.EXE /WARM /BOOT /COPY
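An added CONFIG.SYS fragment, not from the original page or from F-PROT's own documentation, showing where the VIRSTOP line fits: DEVICEHIGH can only place a driver in upper memory once a memory manager has provided it, so under MS-DOS 5/6 the HIMEM.SYS, EMM386.EXE and DOS=HIGH,UMB lines must come before it, and the remaining drivers follow it. The drive and directory paths other than C:\FPROT\VIRSTOP.EXE are assumed, as is the set of other drivers shown.

```dos
REM Constructed example CONFIG.SYS (MS-DOS 6.x); all paths except VIRSTOP's are assumed.
REM 1. Memory management first: DEVICEHIGH needs upper memory blocks, which HIMEM + EMM386 provide.
DEVICE=C:\DOS\HIMEM.SYS
DEVICE=C:\DOS\EMM386.EXE NOEMS
DOS=HIGH,UMB
REM 2. The resident scanner, before any driver that might load infected code from disk or network.
DEVICEHIGH=C:\FPROT\VIRSTOP.EXE /WARM /BOOT /COPY
REM 3. Everything else loads after VIRSTOP is already resident and watching.
DEVICEHIGH=C:\DOS\SETVER.EXE
DEVICEHIGH=C:\DOS\ANSI.SYS
REM If no upper-memory provider is loaded (e.g. a 286 with no EMM386), MS-DOS loads a
REM DEVICEHIGH driver into conventional memory instead, so the line still works; DEVICE= is
REM equivalent in that case. Either way, keep it ahead of the other drivers.
FILES=30
BUFFERS=20
```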

  • There are other A-V products that function very well if installed before there is a virus infection and are used according to their instructions.

  • All the products named are updated regularly, and the current version must be used in all cases. In the worst cases the updates are quarterly. Most products update every month or every two months, just to keep up. There are at least 100 new viruses each month, these days.
  • Check every diskette and every download from a BBS, a friend or the net (and especially from IRC and ICQ) with the latest versions of two anti-virus products such as those named before you run it on your computer, and you are likely to avoid all but the newest viruses. Those new viruses can still get you, but the next version of the A-V product will probably find them if they are in the 'wild'.
  • If you find a virus that is not identified with certainty, save a copy and send it to the producer of the Anti-Virus product you used, so that detection for it can be added to their product. Instructions for how to do this are included with all of the better A-V products.
  • Never turn on your computer with a diskette in drive A, unless you are certain that the diskette does not have a boot sector virus.

    Good luck, and I hope you never need to use these instructions.

Adapted by Tim O'Leary Jan 1999, from information written by: R.S. (Bob) Heuman Willowdale, Ontario, Canada. Permission given by hhikers Internet Services (Webmaster)


Created by Tim O'Leary email: tmoleary@melbpc.org.au
9 Nov 1998 / updated 22/12/1998, 10/1/99, 29/3/99, 10/5/99
URL: http://www.alphalink.com.au/~oleary/Virus/advice2.htm