May/2001 Tech Notes

This Month:

1. Tip of the Month! There are occasions when a partition on a hard drive becomes inaccessible. If a drive has lost a partition, or has been repartitioned and formatted in error, or if the boot record has become corrupt, the system may be unbootable or FDISK may report there are no partitions or a newly-formatted partition may show zero files present. Depending on the specifics of the problem, you may want to try FDISK /MBR to reinitialize the master boot record. But if FDISK /MBR doesn't fix the problem, you are headed down the road to either data recovery or data abandonment.

The high-quality data recovery programs that are available all come with a price, but there is one free utility that is very simple to use and can retrieve lost data in certain circumstances. FP.SYS by Svend Olaf Mikkelsen is a DOS device driver that adds read-only drive letters for lost FAT partitions. To use it, you simply copy it to a DOS boot disk, and add the line:
device=fp.sys
to your config.sys file.

If the drive you wish to access is not drive 1, add the drive number to the line, as in:
device=fp.sys 2
to access drive 2.

Boot from that disk, and the device driver will look for lost FAT partitions. If it finds any, it will mount them as read-only drive letters. You can then copy off any intact files to another drive. If the lost partition is (or may be) FAT32, make sure your DOS disk is Windows 95B or newer. This driver does not recognize NTFS partitions.

Important: If you have a newly-formatted partition C: on drive 1, and you want to recover files from a lost partition also on drive 1, DON'T copy the files to C:\! Use a network drive, second hard drive, floppy drive, Jaz drive, Zip drive, or other drive to recover your files to. Because the read-only access to the "phantom" partition is accessing sectors on the same physical medium as your C: partition, it is very possible to overwrite the very file(s) you are trying to recover!

You can download this utility from Svend's Utilities web page. There is also a copy in the programs folder at the shop ftp site.

A text file in the zipped archive has more detailed information regarding the driver. This utility is not a comprehensive data recovery solution, but it is a quick and easy first step, and the price is right.


2. A few weeks ago, I had occasion to look at a workstation which had an odd problem. Most of the desktop was covered by a hypnotic, whirling, spiral vortex of black and white which could not be stopped or sent to the background. By booting into DOS mode, I was able to determine that the application in question was being launched by the run= line in WIN.INI. The line looked something like this:

run=KAIKUKOE.EXE

I removed the reference from WIN.INI, rebooted the machine, and everything appeared to be back to normal. I thought someone had perhaps played a trick on this user. I e-mailed myself the executable, so that I could check the Internet for further information about this prank. When I got back to my workstation, I was welcomed by a message from my anti-virus software informing me that I had been e-mailed a file called KAIKUKOE.EXE which contained the virus W32/Hybris.gen@MM.

I looked up this virus, and discovered that this executable and the reference to it in WIN.INI are only the tip of the iceberg. This virus originated in South America in October 2000. McAfee Anti-Virus DAT files have detected and cleaned it since October 25, 2000. The virus contains multiple components: it infects WSOCK32.DLL using a battery of different methods, e-mails itself to other computers, downloads plugins from the Internet, posts plugins to a newsgroup every full moon, and the executable which runs via WIN.INI is given a random eight-character name. It is never the same twice. The plugins are signed using public-key cryptography, and only the virus author has the private key to approve which plugins will be accepted by the virus. The spiral graphic is only one of numerous plugins which may be run on the infected machine.
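As an added illustration of the autostart mechanism described above (example code written for this note, not part of the original Tech Note or of any vendor's tool): a small Python checker that parses a WIN.INI, pulls out the run= and load= entries in the [windows] section, and flags any program that is not on a site allowlist, with an extra note when the name is a bare eight-letter executable like the one above. The sample WIN.INI text and the allowlist are constructed; the eight-letter pattern is a heuristic taken from the single example on this page, not a signature for the virus.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample WIN.INI content, modelled on the run= line in the note above.
SAMPLE_WIN_INI = """[windows]
load=
run=KAIKUKOE.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Hypothetical site allowlist of autostart programs a tech expects to see.
KNOWN_GOOD = {"msgsrv32.exe"}

# Heuristic only: a bare eight-letter .EXE name, as in the example on this page.
EIGHT_LETTER_EXE = re.compile(r"^[A-Z]{8}\.EXE$", re.IGNORECASE)


def parse_ini(text):
    """Return {section: {key: value}} for a simple INI file; sections and keys are lower-cased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autostart_entries(sections):
    """run= and load= in [windows] may list several programs separated by commas or spaces."""
    windows = sections.get("windows", {})
    entries = []
    for key in ("run", "load"):
        for item in re.split(r"[,\s]+", windows.get(key, "")):
            if item:
                entries.append((key, item))
    return entries


def find_suspicious(text, known_good=KNOWN_GOOD):
    """Return autostart entries that are not on the allowlist, with a reason string."""
    findings = []
    for key, program in autostart_entries(parse_ini(text)):
        name = PureWindowsPath(program).name
        if name.lower() in known_good:
            continue
        reason = "not in allowlist"
        if EIGHT_LETTER_EXE.match(name):
            reason += "; bare eight-letter executable name"
        findings.append({"key": key, "program": program, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_WIN_INI):
        print(f"{finding['key']}={finding['program']}: {finding['reason']}")
```

Run it against a copy of C:\WINDOWS\WIN.INI taken from the workstation; anything it reports still needs to be confirmed with an up-to-date scanner, since the note above makes clear the WIN.INI entry is only one component of the infection.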

In order to fully clean this virus from a system using McAfee's software, you must boot into single-mode DOS, or from a floppy, and use the command-line scanner with the latest DAT files to run SCANPM.EXE C: /CLEAN /ALL. And after that, you still have to restore the original WSOCK32.DLL file.

However, the point of this tech note is not to alert techs to this particular virus. If you are interested in more information about W32/Hybris.gen@MM please see this web site.

The message I would like to get out to all Division techs is that the viruses of today are vastly more sophisticated than the viruses of old. W32/Hybris.gen@MM is just one of literally thousands of viruses we may encounter. Every virus has its unique characteristics and poses a different threat. Although workstations should have their DAT files updated weekly, even this precaution is not sufficient protection. If a computer was infected before the DAT files were updated, there is no guarantee that the later DAT update will fully clean, or in some cases even detect, the existing virus! Depending on the virus and how the anti-virus software is configured, the tech may have to take comprehensive individual action, such as in the example above.

Because our standard anti-virus configuration no longer uses ScreenScan (see September/1999 Tech Note #2 and the WSD1 Windows 9x Anti-Virus FAQ), there is no regular virus scan of all files on the workstations. Only "incoming" files are checked.

The viruses of today can not only infect boot sectors and executables, and format hard drives, they can infiltrate the system, flash the BIOS, propagate and update themselves, and if there's some other sort of damage that you can imagine they might do, there's either a virus out there that will do it, or someone's writing that virus right now.


3. Division NT Servers typically have the time service installed so that servers automatically synchronize their clock with an Internet time source (NTP server), and workstations can then update their clocks using the NET TIME command in the login script. Unfortunately, our time service connection started failing in January 2001. Arnel J advises that the server setting we had been using is no longer valid. You can confirm this by examining the Application Log on any NT Server running the time service. There will likely be daily time service error entries dating back to early January 2001.

This problem is easily rectified:


You're done! To confirm that the problem is fixed, stop and start the timeserv service and check the Application Log in Event Viewer.


4. Michael C shared this valuable web site. You'll want to read this article if you've been looking at upgrading a lab's worth of workstations to the latest version of Internet Explorer, and are asking the question: "How can I get the installation files without having Active Setup download them for every workstation I install on?"

The answer is less than obvious:


If the download was successful you now have a full set of IE setup files saved to your hard drive. Copy the folder to a convenient location on your server. You can now install Internet Explorer from this folder as many times as you require, to update your lab.


5. While we're on the subject of annoying download/installation issues, a similar problem exists for QuickTime downloads. Updating a lab of workstations to the latest version of QuickTime would appear to require a separate download for each computer. Keith B pointed me to this website, which indicates you can go directly to the QuickTime support page and download the stand-alone installer from there. The process for this download is much more straightforward than the Internet Explorer download detailed in the previous Tech Note. Just follow the instructions online, and you should have no trouble.


6. Windows 98 has a system utility of some merit, for techs who would like to do some proactive service. The System File Checker is a utility which can check Windows system files and restore any missing or corrupted ones. However, in order for it to be useful on a system which has had a variety of applications and updates installed on it, it must be used to create an updated baseline before there are problems!

Assuming your Windows 98 workstation has been stable and trouble-free for a reasonable amount of time since the last installation or update, you should update the baseline:


Keeping the baseline updated gives you the capability of easily repairing corrupted, deleted, and/or improperly updated system files in the future.
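The idea behind an updated baseline, that you record what good system files look like while the machine is healthy and compare against that record later, is general enough to show in a few lines. The following Python script is an added example written for this note; it is not the System File Checker and not Microsoft's code. It hashes the files under a directory into a baseline, saves the baseline as JSON, and then reports files that were modified, deleted, or newly added relative to it. The demo() function builds a constructed directory with made-up file contents (including a stand-in WSOCK32.DLL, the file the Hybris note in item 2 says gets infected), so it runs offline; the tracked file extensions are an assumption for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed set of extensions worth tracking; adjust for the system being baselined.
TRACKED_SUFFIXES = (".dll", ".exe", ".vxd", ".sys", ".drv")


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, suffixes=TRACKED_SUFFIXES):
    """Map each tracked file (path relative to root) to its digest and size."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return baseline


def save_baseline(baseline, out_path):
    Path(out_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def verify(root, baseline):
    """Compare the current state of root against a saved baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p]["sha256"] != baseline[p]["sha256"])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: take a baseline, then corrupt one file, delete another, add a third."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "SYSTEM").mkdir()
        (root / "SYSTEM" / "WSOCK32.DLL").write_bytes(b"original wsock32 bytes (constructed)")
        (root / "SYSTEM" / "KERNEL32.DLL").write_bytes(b"kernel32 bytes (constructed)")
        (root / "README.TXT").write_text("not tracked: wrong extension")

        baseline_path = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)  # the "good" snapshot

        # Simulate the kinds of damage the note says the baseline lets you repair.
        (root / "SYSTEM" / "WSOCK32.DLL").write_bytes(b"altered wsock32 bytes (constructed)")
        (root / "SYSTEM" / "KERNEL32.DLL").unlink()
        (root / "SYSTEM" / "NEWFILE.EXE").write_bytes(b"new file (constructed)")

        return verify(root, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))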

For more information regarding the System File Checker, see Microsoft Technical Articles Q188186 and Q264865, as well as this helpful website.



DISCLAIMER: This document is intended for the reference of computer support personnel within Winnipeg School Division No. 1. There is no warranty or liability if procedures recommended here have an adverse effect on any systems. Use them at your own risk. Any trademarks mentioned are the property of their owners, none of whom have certified any information provided here. Opinions expressed here are personal only and do not represent the policy of Winnipeg School Division No. 1 or any other organization anywhere.


This page was updated 2001 June 9.

