Help for Anti-Virus
Copyright 1992 by Central Point Software Inc.

No Help

Sorry, help is not available for this topic. Please press ESC to exit this screen or press F4 to view a list of help topics for this program.

Using Help

Getting Help
You can get help from anywhere within a program by pressing F1. The help text displayed depends on what you were doing when you accessed help. If you were in a dialog box, help tells you about the available options.

Scrolling
If a help page contains more text than can fit in the window at once, use the PGUP and PGDN keys (or UP and DOWN arrow keys) to scroll the text in the window. If you have a mouse, you can use the scroll bar at the right. The end of the help text is indicated by a blue horizontal line.

Hyperlinks
From within most help windows, you can access other help windows by choosing hyperlinks. A hyperlink is a word or phrase that is connected (this connection is invisible to the user) to text that provides more information about the chosen hyperlink. To choose a hyperlink, use the TAB or cursor keys to move the highlighter among hyperlinks (END takes you to the last and HOME takes you to the first), then press ENTER. If you have a mouse, just point and click a hyperlink to choose it. Choosing a hyperlink displays the help window associated with that word or phrase on your screen.
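From there, you can choose another hyperlink, press F5 to return to the previously viewed window, or press F3 to exit the help system and return to the application.

Related hyperlinks located at the bottom left of some help topics windows take you to a related topic of the current help. For example, the related topic in this window is "Special Keys in Help". Choose this hyperlink to display a list of available function keys for this help system.

General hyperlinks located at the bottom right of some help topics windows take you to a more general topic of the current help.

Control Menu

The system Control Menu is displayed when you press Alt+SPACE or click the program window close box.

About... displays a window containing copyright information specific to the current program. To return to the program window, click OK, click the window close box or press ESC.

Close (Alt+F4) displays a dialog box which asks you to confirm that you want to exit the program. Double-click the program window close box to bypass the system Control Menu and exit the program.

Sample Hyperlink

This is a sample window that illustrates how hyperlinks can be used to move you quickly throughout a help system. Choosing a hyperlinked word or phrase transports you to another window that provides more information about the topic. To return to the help window you were just viewing, choose the hyperlinked word "return". In this case, you can also choose the general topic (located at the bottom right of this window), "Using Help", to return to the previously viewed help window.

Basic Skills

Choosing Commands
Using Dialog Boxes

Choosing Commands

You can choose commands using either pull-down menus or the Message Bar that appears at the bottom of the screen.

To choose a menu command using the keyboard:
1. Press F10 to activate the Horizontal Menu Bar.
2. Press ALT and the highlighted letter of the menu option.
or
Press the first letter of the command or use the arrow keys to highlight the command you want and press ENTER.
If the command displays a submenu, choose a command from it in the same way as noted above.

To choose a menu command using the mouse:
Point to the main menu (File, Options, etc.), then press and hold the left button, drag the pointer to the command you want on the displayed menu, and release the button. If you change your mind and don't want to make a menu selection, drag the pointer outside the menu and release.

To choose a command from the Message Bar:
Press the function key associated with the command (F1, F2, etc.)
or
Use the mouse to click the command.

Using Dialog Boxes

Dialog boxes allow you to enter information that the program needs before continuing. There are six types of dialog box options:

( ) Option Button
Lets you select one of several listed options by pressing the option's highlighted letter or clicking the option with the mouse. Selecting any one option turns off all other options in the same group.

[ ] Checkbox
Lets you toggle an independent option on or off by pressing the option's highlighted letter or clicking it with the mouse.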
[..] Text Box
Lets you enter text, such as a file name or text to search for. Type the text and press TAB to move to the next option or ENTER to proceed from the dialog box.

[-A-] [-B-] Scrolling List
Lets you select an item from a list by highlighting it and pressing ENTER or clicking it with the mouse.

OK Command Button
Carries out an action and closes the current dialog box. Press TAB or SHIFT-TAB to cycle through the command buttons, then press the highlighted letter of the button or press ENTER to choose the highlighted button. EXIT and CANCEL terminate the action while CONTINUE goes to the next step of the action.

Arrow Buttons
You can click the up or down arrow with the mouse to increase or decrease the adjacent value by one. For example, you might adjust an alarm time using the arrow buttons.

To leave a dialog box, choose a command button - usually OK, CONTINUE, or the name of the command.

To leave a dialog box and cancel the command, choose the EXIT or CANCEL button, press ESC, or use the mouse to click the close box in the top-left corner.

Function Keys

F1 Help: gives help on the selected command or dialog box.
F2 Drive: lets you change drives using the Drive Line.
F3 Exit: quits Microsoft Anti-Virus and returns to DOS.
F4 Detect: looks for viruses in the selected files.
F5 Clean: detects viruses and fixes the damage done to a virus-infected file.
F7 Delete: removes checklist files from the current drive.
F8 Options: displays program options.
F9 List: shows the viruses MSAV can detect.

Glossary

Boot Sector Virus
A virus that copies itself to the boot sector of a computer's hard or floppy disk. Boot sector viruses replace the disk's original boot sector with their own code so that the virus is always loaded into memory before anything else. Once in memory, the virus can spread to other disks.

Checklist File
If the Create New Checksums Option is on, Microsoft Anti-Virus creates a checklist file for each directory it scans. This file contains a database of records about each executable file in the directory, including information about each file's size, attributes, date, and time, called checksums. If a checklist file already exists for the directory, any files that have been added to the directory are added to the checklist file.

Checksum
A value derived from the executable file's size, attributes, date, and time.

File infectors
The most common type of virus, file infectors add their virus code to executable files (.COM, .EXE, .SYS, etc.).
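Once the virus is executed, it spreads to other executable files.

Immunize
Protect programs against virus infection by adding a small amount of code to them. Once immunized, a file has its own anti-virus capabilities allowing it to notify you of any changes that may occur. If a change is detected, the immunized file can clean itself, returning to its original state.

Trojan horse
A type of virus that is disguised as a legitimate program. Trojan horses are much more apt to destroy files or damage disks than other viruses.

Variant virus
A closely related form of another virus. Although the variant is similar, its code and signature are different enough from the original strain to need a unique cleaning routine.

Virus
A program designed to replicate and spread on its own.

VSafe
A memory-resident utility that monitors your system for suspicious activity. If it detects such activity, VSafe displays a warning message, giving you the opportunity to continue the operation, restart the system, or cancel the operation. VSafe options can be set by MSAV.EXE.

About Microsoft Anti-Virus

Microsoft Anti-Virus (MSAV.EXE) protects your system against software parasites in two ways. If your system has already become infected, you can use Microsoft Anti-Virus to detect and clean over 1000 different viruses. Microsoft Anti-Virus can also detect and remove a suspect file--an executable file that has changed in some way and which may be infected by an unknown virus.

Detect

This command scans the entire current work drive for viruses. A progress panel shows the percentage of directories and files that have been scanned. You can interrupt the scan at any time by pressing ESC, by pressing F3, or by clicking F3.

If a virus is detected, Microsoft Anti-Virus sounds an alarm and displays a message window with information about the virus found and a suggested solution.

When the entire drive has been scanned, the Viruses Detected and Cleaned window shows information about what was found.

Detect and Clean

This command scans the current work drive for viruses and removes any viruses it finds. A progress panel shows the percentage of directories and files that have been scanned. You can interrupt the scan at any time by pressing ESC.

If a virus is detected, Microsoft Anti-Virus cleans it and updates the Last Action Taken information.

When the entire drive has been scanned, the Viruses Detected and Cleaned window shows information about what was found and cleaned.

Select New Drive

This command allows you to change the drive that will be scanned. When you choose this command, the drive line is displayed.

To select a drive, highlight a drive icon with the arrow keys, then press ENTER, OR press the drive letter, OR click the drive icon. The information area at the bottom of the screen shows the current work drive.

Setting Options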
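Options allows you to configure MSAV's options:

Verify Integrity
Create New Checksums
Create Checksums on Floppy
Disable Alarm Sound
Create Backup
Create Report
Prompt While Detect
Anti-Stealth
Check All Files

Verify Integrity

This option alerts you to changes in executable files based on the checklist file created by the Create New Checksums option. This alert provides your best defense against new, unknown viruses.

When this option is selected along with the Anti-Stealth option, Microsoft Anti-Virus uses a special, low-level virus checking routine to enhance the detection of the Stealth family of viruses.

Create New Checksums

When this option is selected, a file called CHKLIST.MS is created for each directory as it is scanned. This file contains a database of information, called checksums, about each executable file on the directory including information about each file's size, attributes, date, and time.

If a checklist file already exists for the directory, Microsoft Anti-Virus adds information to the file for any files that have been added to the directory.

The default for this option is on.

Create Checksums on Floppy

When this option is selected along with Create New Checksums, a checklist file is created for each directory on a floppy disk as it is scanned. This option is useful for creating checksums (see glossary) of files on floppy disks before write-protecting the disk.

Once the checksums are created, write-protect the disk and turn this option off. Subsequent scans of the disk will compare files against their checksums but will not attempt to update the checksums. If this option is on when scanning a write-protected floppy, a message will be displayed indicating that Microsoft Anti-Virus cannot write to the disk.

Disable Alarm Sound

If you do not want a sound played when a warning message is displayed, select this option. The sound is useful for getting your attention, but not required when you're using Microsoft Anti-Virus.

Create Backup

When this option is selected, a backup is made of any file infected with a virus before the original file is cleaned. The backup file will be renamed with the extension .VIR.

Using this option can be dangerous, however, because it means a virus-infected file remains on your disk. You should only use this option if, for example, the infected file is your only copy of a program and you're so desperate that you'd rather use an infected program than not have it at all.

Create Report

When this option is selected, Microsoft Anti-Virus creates a report file after any action is taken in Microsoft Anti-Virus. This file, named MSAV.RPT, is an ASCII text file located in the root directory of the selected work drive. Here is a sample report:

    Microsoft Anti-Virus.
    Virus search report for date: mm/dd/yy, time hh:mm:ss.
    Total boot sector viruses FOUND:#
    Total boot sector viruses REMOVED:#
    Total files CHECKED:#
    Total file viruses FOUND:#
    Total file viruses REMOVED:#
    END OF REPORT.

Prompt While Detect

With this option selected, a dialog box is displayed whenever an infected file is found during detection. From there you can repair the file, continue the scan without repairing the file, or stop the scan.

With this option deselected, the detect or clean operation goes to the end without stopping to give you choices in a dialog box.

The default for this option is on.

Anti-Stealth

Microsoft Anti-Virus protects your system against unknown viruses by looking for any changes that occur to executable files.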
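Stealth viruses, however, can evade this protection method by using a special technique which allows them to infect files without outwardly changing them.

To detect file changes caused by unknown Stealth viruses, choose the Anti-Stealth option in addition to the Verify Integrity option. Microsoft Anti-Virus will then use a low-level verification technique that detects the changes to Stealth-infected files.

The default for this option is off because there is a small performance penalty during virus scans.

Check All Files

When this option is selected, all files will be checked for viruses. When turned off, only executable files will be checked. Executable files end with the extensions EXE, COM, OVL, OVR, SYS, BIN, APP, or CMD.

Exit

This command exits Microsoft Anti-Virus and returns to the DOS prompt or whatever program launched it.

When you are asked to confirm that you want to exit the program, select the Save Configuration option to save any changes made to the work drive or other Microsoft Anti-Virus options in this session.

Viruses Detected and Cleaned window

This window shows the results of the detect and clean scan. The table shows how many disks and files of various types were checked, how many were infected by viruses, and how many were cleaned of their viruses.

At the bottom of the table, scan time shows how long the checking and cleaning took. Click OK to close the dialog box and return to the program.

Exit dialog box

This dialog box asks you to confirm that you want to exit the Microsoft Anti-Virus program and if so, whether to save the current configuration settings. Choose Exit to leave the program or Cancel to remain in Microsoft Anti-Virus.

Check All Files dialog box

This dialog box appears after you choose the Check All Files command from the Options menu.

Delete Checklist Files dialog box

This dialog box asks you to confirm that you want to delete the checklist files (CHKLIST.MS). These files store information (see glossary) about each file.

If you delete the files to save disk space, make sure you also turn off the Create New Checksums and Verify Integrity options in the Options menu. If you don't, the files will be re-created. For maximum confidence, delete the files periodically.

Pause dialog box

You can interrupt Microsoft Anti-Virus while it is scanning files by pressing ESC. Choose Stop to end the operation or Continue to finish the scan.

Fatal Error dialog box

This dialog box appears when Microsoft Anti-Virus happens upon an error serious enough that the program cannot continue.

Reboot dialog box

This dialog box appears when exiting Microsoft Anti-Virus, if it found a virus during this session. Microsoft Anti-Virus removes the virus, but it's always a good idea to reboot your PC after finding and cleaning a virus, to make sure the virus is eradicated not just from the disk, but from memory.

Boot Sector Virus Found dialog box

This dialog box indicates that a boot sector virus (see glossary) has been found in your system. We strongly recommend you choose Clean to remove the virus and prevent further infection.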
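Choose Continue to ignore the virus and continue scanning the remaining files. Choose Stop to stop the scan and return to the Microsoft Anti-Virus program.

File Virus Found dialog box

This dialog box appears when Microsoft Anti-Virus detects a virus.

Choose Clean to remove the virus from the file and restore it to its original condition, so other files on your system won't be infected. Choose Continue to ignore the virus and continue scanning the remaining files. Choose Stop to stop the scan and return to the Microsoft Anti-Virus program. Choose Delete to delete the infected file.

Printer Ready dialog box

Microsoft Anti-Virus displays the Printer Ready dialog box to make sure the printer is ready before proceeding.

Drive Line

The drive line indicates the available drive icons in the system with the current drive icon highlighted. To select a drive, hold down CTRL while pressing the drive letter, or click the drive icon. The drive you select will be the one scanned and cleaned.

Virus Information Panel

The virus information panel indicates the last virus found during a detect or clean operation, if any. If you want to find more about a particular virus found on your system, you can open the virus list.

Last Action Panel

The Last Action panel tells you what action was most recently taken within Microsoft Anti-Virus (cleaned, deleted, renamed, updated, verified, immunized, or disimmunized), and the date that action occurred.

Activity Log window

After Microsoft Anti-Virus performs an action, a summary of that action is recorded in the activity log. The log holds a maximum of 200 entries. When this limit is reached, the oldest entry is deleted each time a new action is recorded.

Virus List window

The Virus List window displays a list of all the viruses recognized by Microsoft Anti-Virus. The original name for the virus is displayed in the first column while other names for the virus (if any) appear indented underneath it. The number of variants the virus has appears in the far right column.

For more detailed information on a particular virus, highlight it in the list and choose Info or press Return.

You can search the virus list for a particular virus by entering the virus name in the blank field. Microsoft Anti-Virus will highlight the virus that comes closest to matching your entry. You can then get detailed information on the highlighted virus by choosing Info or pressing Return.

You can also print the entire virus list if you wish.

Virus Characteristics window

The Virus Characteristics window provides the following information about the selected virus:

Size
Files it attacks
Memory resident?
Side Effects

Wrong DOS Version dialog box

The version of DOS you are using is not supported by Microsoft Anti-Virus. Microsoft Anti-Virus requires DOS 3.3 and later.

Printer Not Ready dialog box

Microsoft Anti-Virus cannot access your printer.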
Make sure your printer is turned on, loaded with paper, and connected to your computer.

No Memory dialog box

There is not enough memory to complete the action. Try removing TSR programs to create more memory.

Error Message dialog box

A disk-related error has occurred.

Unknown Virus Message dialog box

A virus has been detected but could not be removed from the file. Please contact Microsoft about getting an update to Microsoft Anti-Virus to clean the file.

Verify Error dialog box

This dialog box alerts you that the file's size or checksum has changed. Since program files generally don't change, this could indicate infection by an unknown virus.

Sample dialog contents (File: APPNAME.EXE has changed):

              From       To
    Attribute
    Time      23:09:14   09:07:18
    Date      03/27/90   02/27/91
    Size      139793     139743
    Checksum  FF4C       FDF2

Update marks the change in the database as permanent so messages are not displayed during subsequent scans. Choose this option if you know why the file was changed.

Delete removes the file. Unless you know why the file was changed, you should delete it and re-install from the original disks.

Continue resumes the scan without updating the database.

Stop cancels the scan without updating the database.

Verify Failed dialog box

This dialog box alerts you that the file's time or date has changed. Since program files generally don't change, this could indicate infection by an unknown virus.

Sample dialog contents (File: APPNAME.EXE has changed):

              From       To
    Attribute
    Time      23:09:14   09:07:18
    Date      03/27/90   02/27/91
    Size      139793     139743
    Checksum  FDF2       FDF2

Update marks the change in the database as permanent so messages are not displayed during subsequent scans. Choose this option if you know why the file was changed.

Repair resets the file's date and time to their original (From) values. Choose this option if you know why the file was changed.

Continue resumes the scan without updating the database.

Stop cancels the scan without updating the database.

No Memory For Exceptions dialog box

There is insufficient memory to add an exception to the list. Try freeing memory by removing TSR programs.

No Log File dialog box

The activity log cannot be displayed. Check your MSAV directory to see if the file was deleted.

No Memory For Log dialog box

There is insufficient memory to display the activity log. Try freeing memory by removing TSR programs.

Wrong Signature dialog box

The virus signature you have entered is incorrect. Verify that the data you have entered is correct. Contact Microsoft if the problem persists.

Delete System File dialog box

You are attempting to delete a system file.
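Deleting system files can cause serious problems including not being able to boot up.

Update Virus List

Choose the Update Virus List command if you have information about a new virus. The data describes the virus "signature"--the unique set of hexadecimal characters that distinguishes it from other programs or pieces of code.

Delete File dialog box

When this dialog box appears, a virus has done so much damage to your file that it cannot be recovered. Because vital information has been destroyed, Microsoft Anti-Virus is unable to restore the file to its original condition.

Choose Delete to delete the infected file from the system. When the scan is completed, restore the deleted file from your most recent backup, and run Microsoft Anti-Virus again to scan for viruses.

Signature Virus Message dialog box

This dialog box appears when you have entered a new virus signature in the virus list to allow Microsoft Anti-Virus to recognize a new virus. This doesn't enable Microsoft Anti-Virus to clean or remove the new virus, however.

Signature Updated dialog box

Microsoft Anti-Virus displays the Signature Updated dialog box to confirm that the new VIRSIGS file you put in your MSAV directory was found and the virus list was updated.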