Go to NetZ Home

מפת האתר
תמיכה
    בסיס מידע
    התקנה יחידה
    התקנה ברשת
    ניהול רשת
    דווח תקלה
רישום
הורדות
מידע

  

הצטרף לרשימת תפוצה
הוסף לרשימת המועדפים
שלח לחבר

English

Content of this page:

Recover Your Files from ExploreZip / LoveBug / W97M.Suppl Damage

by Zvi Netiv, author of InVircible and the ResQ Utilities

Damage caused by ExploreZip / LoveBug / Suppl and their variants: When activated, either Trojan will scan all accessible drives, both local and network drives for MS Office files (Word and Excel). ExploreZip will also seek for PowerPoint, C, C++ and Assembler source files, while Suppl will look for text, database and archived files (TXT, DBF, ZIP, ARJ and RAR). When found, every file with the appropriate extension will be zeroed. The zeroing is done by opening the file with the CreateFile function and then closing it.  LoveBug replaces JPG image files with a copy of its own script.  The data that was contained in the damaged files may still exist on the drive but cannot be accessed nor 'undeleted' as all FAT reference to it was lost in the process. Unless it's recovered immediately after the incident, the data will be overwritten by new one and won't be recoverable anymore.

What data can be recovered after ExploreZip / LoveBug / Suppl ravage: Only files that were not fragmented at the time they were hit can be recovered by the procedure described below. Additional requirements for a successful recovery are: The partition is either FAT-16 or FAT-32, and no part of the data has been overwritten since zeroed or replaced.  Hence, it is strongly advised that usage of a drive that was hit by any of these Trojans is stopped as soon as the damage is discovered, to improve the rate of successful recovery.

Recommended hardware setup and software tools: The utility you'll need is RESQDATA, from the ResQ package, with ResQpro authorization.

ResQdata has a special mode that allows selective recovery of the files that were reduced to zero length by one of the above Trojans, as well as recover JPG files that were replaced by LoveBug.

All recovery work should be conducted from plain DOS. Working under an OS that supports FAT-32 is a must, if the lost data resides in a FAT-32 partition.

Before starting the actual recovery, please read the online help provided with ResQdata and practice, as suggested in the help text. To access the help, from the directory where the ResQ files reside, type from the command line: RESQDATA /? 

Good luck! 

Recovery of the Hard Drive after CIH / Chernobyl / Kriz Trashing

A step by step guide how to recover your hard drive after it was trashed by CIH, aka Chernobyl.
by Zvi Netiv, author of InVircible and the ResQ Utilities

Hotkeys: The ^ (caret) and @ (at) signs in the following text denote the Ctrl and Alt keys of the keyboard, respectively. For example, the combination @F4 mean "press the Alt and F4 function keys, simultaneously". 

You are advised to print this file with your online printer and save it as HTML, for later use.

Hardware setup and software tools

The drive to recover should be set as first drive.  No need to change anything if the recovery is conducted in the same machine in which the drive was ruined by the virus.  Work should be conducted from an external drive, like floppy, or super-drive, or from a second hard drive, if available.  During the recovery of a FAT-32 partition you'll need several megabytes of storage space for temporary files.  Instructions how to create a RAM drive in memory are given below.

The utilities you'll need are RESQDISK.EXE, with ResQpro authorization, and IVZ.EXE, both available from NetZ website.  ResQdisk is the hard disk recovery tool, from our RESQ package, and IVZ is the disinfector, and part of the InVircible package, for cleaning your program from CIH, after access to the drive and file system is restored.

Running the RESQ.EXE self extracting archive will open the files to a floppy or to a directory of your choice. If the 'Unzip' option is selected, then the extraction of the files will be followed by the running of the MakeResQ utility that will transfer the system files to the floppy and make it bootable, as well as copying the XMS and RAMDRIVE drivers to the floppy. MakeResQ will also create a:\config.sys that will load the two drivers when booting from the floppy. MakeResQ will only run under Windows 95, 98 or ME, but not under NT, Win2000. Note that you need to run the procedure under Windows 98 or ME in order to have FAT-32 supported. The floppy on which you prepare the RESQ should be formatted, and empty.

Finally, install your ResQpro personal license to the floppy. You'll also need IVZ.EXE on the floppy, from the InVircible antivirus package. You are now all set to start with actual disk recovery.

FAT-16 or FAT-32 partition?

The common and most widespread variant of the CIH virus triggers on April 26.  On that date, the virus payload routine will trash the first 2 K sectors of the first hard drive, ruining the partition data, the boot sector, and part, or all of the system area (FAT, root directory and system files).  The damage, and whether the drive can be recovered from CIH trashing, depends entirely on the type of the first partition.  If it was FAT-16, then the damage extends beyond all critical areas.  Full recovery of such partitions is impossible.  Yet files that were unfragmented at the time that CIH struck, can be recovered by the method described below.  FAT-32 partitions can be recovered fully, as the virus payload trashing normally extends as far as into part of the first copy of the FAT.  The second copy of the FAT, as well as the root directory, are left intact.

If you don't know whether the ruined partition was FAT-16 or 32 then here is how to check:

Start RESQDISK and press @P to toggle it into 'physical' mode.  Press @F to search text, and specify "MSDOS" as the search string.  This string is normally found in the root directory of both FAT-16 and 32.  If the partition was FAT-16, then the root would be overwritten and the string can only be found at random, in files, but not in a directory sector.  You are advised to experiment on a good and functioning drive so that you know what to expect.  Yet if the partition was FAT-32, then RESQDISK will find the 'msdos' string in a root directory sector.  With FAT-32, the first root directory sector will normally be found anywhere between logical sector 3,000 to 50,000, depending on the size of the partition.

Recovery of a FAT-16 Partition

With the @L keys combination, assure that RESQDISK is in Windows 9x mode, and in FAT-16 (toggle the FAT mode with @2).  Press @F4 to have ResQdisk search for all partitions on the drive and write the reconstructed MBR to disk, when prompted.  Reboot the computer from the RESQ floppy to let the reconstructed partition data to take effect.  If you had extended partitions then they should be accessible now, with all their directories and files intact.  Restart ResQdisk, press @F2 to rebuild a boot sector for the first partition, and write it to disk, when prompted.  Reboot once more, C: should now be visible, yet full of trash.  Issue the command FORMAT C: /Q to quick format the C: drive, and clear trash from the FAT and root directory, without affecting the data that still exists on disk.  Finally, run UNFORMAT C: to rebuild the directories tree.  When done, you should be able to access files in subdirectories.  Note that all directories in the root will receive generic names, in result of the unformat process, e.g. DIR001, DIR002 etc.  Only files and directories in lower directories will have their original name after running Unformat.

Note:  Only files that were unfragmented before CIH hit can be recovered from a C: partition of FAT-16 type.  After having recovered your important data, format the C: drive and reinstall Windows and all your applications.

Recovery of a FAT-32 Partition

With the @L keys combination, assure that RESQDISK is in Windows 9x mode, and in FAT-32 (toggle the FAT mode with @2).  Press @F4 to have ResQdisk search for all partitions on the drive and write the reconstructed MBR to disk, when prompted.  Reboot the computer from the RESQ floppy to let the reconstructed partition data to take effect.  If you had extended partitions then they should be accessible now, with all their directories and files intact.  

Finding the geometry of a FAT-32 partition: Success in recovering a FAT-32 partition depends on rebuilding the boot sector, with the correct data in it and restoring the FAT first copy from the second one.  RESQDISK will rebuild the boot sector for partitions with standard parameters, which can then be edited in case the actual configuration deviates from standard.  Here is how to find out and calculate the partition parameters.

With ResQdisk in 'physical' mode (@P), find the first sector of the root directory (search [@F] for the 'MSDOS' string), and note the number of the logical sector where the root begins (watch, as the sector with the string may not be the first sector of the root.  Search back to be sure that you got the correct one).  Subtract 95 from the root's first sector number, divide by 2, and add 95 to the result.  The number obtained is where you should see the beginning of the second FAT copy.  Go to the calculated sector and you should see the [°    ] pattern, without the brackets, in the upper left corner of the ResQdisk browse window.  If you see the pattern, then you are on the correct sector where the second FAT copy begins.  Note the number of this sector.  A crucial parameter in the reconstruction of FAT-32 is the number of sectors per FAT copy.  This number is simply:   sectors per FAT copy = number of first root sector - number of sector where FAT2 begins.

Example: Suppose that the first sector of the root was found at logical sector 9445.  The beginning of the FAT2 should be found at sector (9445 - 95) /2 + 95 = 4770.  The number of sectors per FAT copy then is 9445 - 4770 = 4675.

Nonstandard case: Normally, the root directory of a FAT-32 partition will start right after FAT2, in cluster 2.  Yet the extended spec of FAT-32 allows placing the root directory anywhere in the partition, just like any other file.  This condition will be recognized by not finding typical root entries, like IO.SYS, MSDOS.SYS, RECYCLED, etc. in the first cluster after FAT2.  If this condition exists on your drive, then you are advised to leave the recovery to experts.  Although RESQ is designed to accommodate for this condition, yet still, untrained users may cause here more damage than good and ruin all chances to recover anything at all!

Copying FAT2 over FAT1: The two copies of the FAT are always kept in exact synchronization during normal operation.  Since FAT2 reflects the status of the file system at the moment it was destroyed by the virus payload, then copying FAT2 over FAT1 will restore the correct file allocation table for the drive.  If you use the RESQ floppy prepared as instructed above, then you noticed that a virtual drive with the size of 24 megabytes was created in memory by the RAMDRIVE device, and a drive letter was assigned to it.  Before proceeding, take note of the letter assigned to the RAM drive, and verify with the DIR command that the drive is available, and has the correct size.  Let's assume, just for our example, that the RAM drive was assigned the letter D:.

Start ResQdisk, toggle into 'physical' mode, and place yourself on the first sector of FAT2 (logical sector 4770 in our example).  Press @S (save sequence of sectors to file) and then F1.  The label 'Marker 1 set' will come up.   Now move ResQdisk with the direction arrows to the first sector of the root, and step one sector back (logical sector 9444 in our example).  Press F2, and ResQdisk will prompt for a file name where to save the FAT2 image file.  Respond with a file name to be created on the RAM drive. D:\FAT2.IMG is a good name for our example.

After the file was successfully saved, place ResQdisk on sector 95 (0/1/33 in CHS notation).  Be very cautious on what you are doing now as recovery will fail if you misplace the FAT copy.  Press @R when still in physical mode, and the program will prompt for the file which contains the image to copy to disk.  Answer with the saved file name, D:\FAT2.IMG in our example.  ResQdisk will now prompt "Write xxxxxx sectors to disk, starting from sector 95 [Y/N]?".  Answer 'yes' and wait until writing to disk is completed.  If you did it properly, then pressing the up arrow key, once, and then the down key, will show the beginning of FAT2, with the familiar pattern in it.

Reconstruction of the boot sector: Before you continue, press F6 when in ResQdisk and take note of the total number of sectors in the first partition (the number shown under the 'Total Sectors' label, at right).  Also, note the head number under the 'Ending' label.  The value indicated there, plus 1 is the number of heads, i.e.. 254 means that the drive uses 255 heads.  With ^P go back to CHS mode, make sure FAT-32 is set (^2), then press ^F2. This will initiate the rebuilding of a standard boot sector and write it to the drive.

Finally, edit the boot sector as follows:  Navigate the ResQdisk window to the boot sector, at logical sector 63 (0/1/1 in CHS notation), then press @E and 'read'.  Now press @N to open the boot sector editor.  Here is the data that you should see:

Reserved secs:

32

Large part:

(1)

Per cluster:

8

Per FAT:

(2)

Per track:

63

Hidden sec:

63

Num of heads:

(3)

Drive number:

128
Root1st clust: 2 (*)

The parameters in the table are those of a standard FAT-32 boot sector, and the ones in parentheses change from disk to disk.  Check these parameters against the numbers obtained through your checks, and modify them if needed, as follows:

In (1) enter the total number of sectors in first partition, found as explained above.
In (2) enter the number of sectors per FAT copy, calculated as explained above, 4675 in our example.
In (3) enter the number of heads, found as explained above.

(*) Nonstandard case: The last parameter in the table is for the nonstandard case where the root directory is located elsewhere than in cluster 2.  The cluster number where the root begins should then be established by other methods, and entered here.

When done with the changes, 'save to clipboard' and the editor window will close.  Write the modified parameters to the boot sector on disk by placing ResQdisk on logical sector 63 (0/1/1 CHS), pressing @E, and then 'write'.

Reboot the computer now, still from the RESQ floppy.  Drive C: should be accessible now, with all its directories and files on it.  Don't try self booting the drive yet, as there are a couple of steps that still need be run.  With the boot floppy still in drive A:, change the current directory to the hard drive, to \WINDOWS\COMMAND, or to where the SYS.COM program can be found.  Issue the command SYS A: C:   This should make final adjustments to the extended FAT-32 boot sector.

You can now boot the hard drive from its own system files, but careful !!! as you still need cleaning infected files, before letting Windows to load.  You may now boot the hard drive, in command prompt mode only, by pressing F8 when restarting the computer and selecting "command prompt" mode from the multi-boot menu.  When at the C: prompt, insert the RESQ floppy in drive A: and type A:\IVZ  C:\  /ALL  /R, then Enter. Select 'clean all files' when prompted.

You may let Windows restart normally after having cleaned all the infected files.  If you followed these instructions by the letter then the recovery from CIH trashing will be complete, with no residual effect left.

Warning!  Attempts to process a CIH trashed hard drive with standard disk repair utilities, or even with dedicated utilities to fix CIH damage, may modify data structures on the drive and render the recovery impossible!

A Primer on Hard Disk Recovery - RESQDISK

by Zvi Netiv, author of InVircible and the ResQ Utilities

The most common use of the ResQ utilities, ResQdisk in particular, is the recovery of a hard drive, or partition, to which access has been lost.  The following describes how to use ResQdisk in handling hard drives.

Compatibility.  ResQdisk was designed with FAT-16 and FAT-32 partitions in mind.  Still, ResQdisk can be used to restore the boot chain (MBR and boot sector) in dual booting systems, such as Windows 9x/2000 and NT, or Windows and Linux.  ResQdisk can fix soft errors caused by improper drive setup, virus damage, the deletion of logical partitions, corruption of partition / boot data, and a long list of common and daily mishaps with hard drives.  The ResQ utilities won't help fixing 'hard failures' (hardware related), although ResQdisk can help in determining whether the problem is caused by the hardware or else.

Preparing a ResQ work floppy.  Here is how to prepare a ResQ work floppy from which disk recovery can be conducted. Insert a a newly formatted and empty floppy to drive A: then run the downloaded RESQ self extracting archive. Selecting 'Unzip' when prompted will extract all files to the write-enabled floppy in A:, followed by the automatic running of the MakeResQ utility, also contained in the package. The latter will transfer the system files to the floppy and make it bootable, as well as copy the XMS and RAMDRIVE drivers to the floppy. MakeResQ will then create a config.sys file on the floppy, which will take care of loading the two drivers when booting from it. RamDrive will create a RAM disk of 16 megabytes in extended memory, the space of which can be used for all sorts of purposes during virus or data recovery. MakeResQ will only run under Windows 95, 98 or ME, but not under NT, W2K. Windows 98/ME are the recommended platform on which to prepare the RESQ disk on, because they support both FAT-32 and FAT-16. If you purchased a ResQpro license then install now the registration to the floppy before write protecting it.

Hardware setup.   Hard disk recovery should normally be conducted in the same environment in which the drive is functioning normally, unless sure that the problem is in the drive itself.  More often than you would expect, disk access problems are caused by wrong CMOS settings or hardware conflicts.  Although ResQdisk can handle the first two installed hard drives, it's easier to deal with the faulty drive when connected as single, and boot drive.

Assessing the problem, basic tests.  Check first if the hardware detects the drive.  The simplest is to boot the computer from the ResQ floppy, from the A: prompt run RESQDISK, and watch the error messages, if any.  If no hard drive is found then check the BIOS settings (only for IDE, SCSI are detected by the hardware), cables and drive adapters.  If the drive does not respond, then try it in another machine.  If it doesn't respond there either then the drive hardware is in fault.

ResQdisk has a built in 'save to file' feature.  Pressing tilde (Shift~) will create a report file in the same directory where ResQdisk is placed, named RESQDISK.RPT.  A screen capture is saved to the report file every time Shift~ is pressed.  The report is a text file that can be reviewed and analyzed with a DOS text viewer (the report may contain hi-ASCII characters that cannot be displayed by Windows).  The report can also be e-mailed to NetZ support for consultation and advice.

Follows a list of ResQdisk hotkeys and the tests that they initiate.  The order in which they are listed here is also the order in which it is recommended to run the various tests, and record them in the report file.

  • F5 - Shows the CMOS settings for the drive, its IDE parameters, and the extended BIOS translation data, where available.
  • F6 - Displays the partition table data found in the MBR.
  • F7 - Displays the BPB data contained in the active partition boot sector, and tells whether it's FAT-16 or FAT-32.
  • ^F4 - Initiates a search for existing partitions, displays the resulting partition table, and rebuilds the MBR with that data.  Caution should be exerted to not write the new MBR to the drive unless absolutely sure that this is what you want!
  • ^F5 - Initiates a search for existing FAT copies and displays their location data and size (sectors per FAT copy).
  • ^F6 - Initiates a disk surface scan, looking for bad sectors.

The F5, F6 and F7 tests reveal problems with the IDE controller (F5), CMOS settings (F5), or mismatch between the BIOS, the MBR and the boot sector.  Parameters should be consistent between the three.  An inconsistency may hint that one of the three has been modified and does not match the true drive/partition geometry.

ResQdisk Procedures and Control Keys

Navigating with RESQDISK - CHS, physical and extended mode.  Navigation changes in ResQdisk according to the mode.  The mode can be changed manually, by pressing ^P, or automatically, depending on the control key pressed.  The current mode is indicated by a yellow label at top-right of the screen, announcing 'CHS', 'physical' or 'extended'.  In all modes, use the right-hand arrows keypad for navigating.  In CHS mode, only sectors 1 to 63 of cylinder 0, head 0, the active boot sector and the extended partition sector can be reached.  In 'physical' and 'extended' mode, all sectors in the BIOS range can be viewed.  The difference between the last two modes is that physical covers the older BIOS range of 8 gigabytes (1024 cylinders, by 255 heads, by 63 sectors).  'Extended' covers the new EIDE standard.  Sector addresses are shown in both CHS and logical (LBA) notation.

FAT-16 / FAT-32 / Win9x modes:  Various ResQdisk functions depend on the partition type, whether FAT-16 or 32, and Windows version.  Normally, both are detected automatically, and indicated at top-right of the screen (W9x), and the FAT status window.  The FAT mode can be toggled by pressing ^2 and the OS mode can be changed through the menu that opens on pressing ^L.

Functions in CHS mode:  CHS is the default mode for basic hard drive recovery and emergency procedures.  Follows a list of the main key sequences and their related function:

  • Home, F1, F4 - refresh the MBR loader.  Rewrites the MBR program portion, leaving the partition table data unchanged.  Useful to recover from viruses that overwrite the MBR loader, without affecting the partition table.  Pay attention to the FAT-16/32 mode as the MBR loader differs according to the boot partition type.
  • Left arrow key, F1, F4 - refresh the boot sector loader.  Same as previous, but for the boot sector.  Both the partition type and the OS should be set properly as the bootstrap loader style depends on both.
  • ^F1 - rebuild the MBR from existing boot sector.  For use when the partition table was overwritten, or corrupted, but the boot sector is intact.  Set the partition type and OS according to what's found in the boot sector and proceed.  This procedure restores a single partition for the drive.  In case there were more than a single partition on the drive then use the ^F4 instead.
  • ^F2 - rebuild the boot sector from existing partition data in MBR.  Same as previous procedure, the other way round.  
  • ^F4 - rebuild the partition table for entire drive.  Use this procedure when extended partition(s) existed on the drive, or when both the partition table and the boot sector were destroyed or corrupted.
  • ^0 (zero) - reset partition table to zero.  The partition table needs sometimes resetting to zero in order to let the BIOS detect the drive correctly, like when the MBR was corrupted by a virus, or accidental overwriting.  The BIOS may then autodetect the drive with incorrect parameters.  Always reboot and let the BIOS detect the drive, after having reset the table to zero.  Check with F5 that the drive is detected correctly before continuing with the recovery.

Functions in Physical/Extended mode:  The following functions are available only when in physical or extended mode:

  • ^B - find candidate boot or partition sector.  Can be used to find the backup image of a boot or partition sector on a ruined drive.
  • ^F - find text string.  See the use of this feature in the recovery from CIH/Chernobyl, above.
  • ^S - save bloc of sectors to file 0.  See the use of this feature in the recovery from CIH/Chernobyl, above.
  • ^R - restore sector bloc from file to disk.  This procedure is the inverse of the previous one (^S) and serves to pick a sequence of sectors stored in a file and write them to disk, starting from a selected location.  See the use of this feature in the recovery from CIH/Chernobyl, above.

Boot sector analyzer (^A).  Sectors having a boot 'signature', i.e. the bytes '55 AA' at their end, can be analyzed by pressing ^A.  The choice whether to analyze as boot or partition sector is left to the user.  ResQdisk will present the result as BPB or partition table, respectively.

Disk sector editor (^E).  ResQdisk provides sector 'copy and paste' capability, through the built in sector editor.  On pressing ^E, the user can choose to read the currently browsed sector to the clipboard, write it from clipboard to disk, read a sector from file, or write the clipboard content to file.  The clipboard being loaded is indicated by a yellow on red diamond at top right of the display.  The clipboard content can be brought to the display by pressing ^C, and unloaded by ^U.  The 'decrypt' option on the editor menu serves only in the recovery from the Monkey boot virus (see below).  The more advanced features of the editor are reserved to 'ResQpro' licensed users.

Partition (^M) and boot sector editor (^N).  ResQdisk provides for the editing of the partition table data contained in the MBR or in an extended partition sector, and the BPB (boot parameters bloc) in boot sectors.  The sector to edit must be first loaded to the clipboard, either from file, or from the disk, before the editor can be started with ^M or ^N.  The edited sector should then be saved to clipboard, from where it can be rewritten to disk, or file, with the sector editor (^E).  Full functionality of the boot/partition editor is reserved to 'ResQpro' licensed users.

Logical drive access (^B).  ResQdisk normally addresses the first two physical hard drives.  Yet, it may be necessary sometimes to access the boot sector of a logical drive.  Press ^B, when in CHS mode, to select the logical drive to access.

ResQdisk and NTFS.  ResQdisk has special features to handle and recover NTFS partitions.  Among them are the special modes of the boot sector analyzer and editor, the search functions to locate the MFT (master file table) and its mirror, as well as the other ResQdisk features.  A good knowledge of disk and FAT/NTFS partition structures is required to handle these partitions.

Screen snapshot recorder (Shift~).  Pressing shift + tilde will save a snapshot of the current screen to a file named RESQDISK.RPT in the directory where ResQdisk resides.  New snapshots are appended to an existing report file.  The report is a text file that can be attached or pasted into e-mail.  The ResQdisk report is especially useful to the less experienced users, for assistance from NetZ and other professionals.

Emergency disk functions.  ResQdisk is the key player in the NetZ emergency or rescue disk, making part of the InVircible antivirus package.  Yet ResQdisk can be used on its own as an 'all in one' rescue utility.  ResQdisk makes a backup image of the following data: the CMOS settings, the MBR, the boot sector of the active partition, and the entire track 0 (cylinder 0, head 0).  The track 0 functions (backup/restore) can be accessed by pressing ^Z.  The other backup/restore functions are described under 'rescue disk' in the InVircible documentation.

ResQdisk and boot viruses.  ResQdisk has special features for dealing with boot viruses.  ResQdisk uses heuristics to determine whether a boot sector contains virus code and issues a warning message when a virus is found.  ResQdisk also uses SeeThru, a NetZ unique technology, that enables seeing through stealth virus spoofing. SeeThru can be toggled in and out with the F9 key.  Last, the ResQdisk editor (^E) features a decryptor that enables to recover from the Monkey boot virus by decrypting the original partition table and restoring it to the MBR.

Using ResQdisk from command line.  Certain ResQdisk functions are available through command line.  Follows a list of the more useful command line arguments, to add after the RESQDISK command:

  • /B - Backup the MBR, boot sector and CMOS image.  
  • /2 - Suffix to use if the command relates to physical disk 2 rather than to disk 1 (default).  The /2 argument applies and can be added to all commands in this section.
  • /R - Restore the parameters that were saved with /B.
  • /Z - Relate all commands to track zero.  For example: /Z /B would be 'backup track 0 of disk 1'.  The same way, /Z /R /2 means 'restore track 0 of disk 2 from backup'.
  • /REBUILD - The same as ^F4, i.e. reconstruction of the MBR for the entire disk 1.
  • /NEWBOOT - The same as ^F2, i.e. the reconstruction of the active boot sector from scratch, based upon data obtained from the MBR and from the BIOS.  Unlike Format C:, the /NewBoot directive is non-destructive to existing data as it only rewrites the boot sector, without affecting the FAT content, or the root directory.
  • /KILL - The same as Alt+0, i.e. nulling the partition table data of disk 1 or 2 (if used with the /2 switch).
  • /FAT32 - Force ResQdisk into FAT-32 mode.  For use with the /REBUILD switch.
  • /NTFS - Force ResQdisk to run in NT mode, when in /Rebuild.  This feature is reserved to ResQpro licensed users only.
  • /COMPAQ - Compaq hard disks have a special configuration.  To not require editing after rebuilding the MBR, use this switch.  This function is available from command line only, and reserved to ResQpro licensed users.