W95/CIH.1003a Virus

I have scanned my system with a McAfee virus scanner and found that I have this virus in my DDHELP.EXE, RNAAPP.EXE, SPOOL32.EXE, TAPISRV.EXE, WMIEXE.EXE, mcaeng.exe, INETSW95.EXE, SYSTRAY.EXE, TASKMON.EXE. McAfee says to delete the files and reinstall, but how do I delete the files and reinstall them because most of them Windows uses to operate?

dbrunton Commented:
You have the Windows boot disk or Windows start up disk.  These will probably start the computer up in place of the dos boot disk.  Make sure the write protect has been enabled on the Windows boot disk and see if the computer will start up on it.

If the computer starts correctly then you should see something like the following.

A:\ >

If this occurs you have your dos boot disk.  


Reboot your computer without the boot disk and go onto the net.  You need to obtain a dos based anti-virus utility.  There are two that will do the job.  These are

AVP lite available from




which you will have to do a search for on the net.

Obtain either of these and install them and place them into a folder on your C:    I suggest you use the folder virus.

Because these are DOS based utilities the virus will not infect them.


Now reboot the computer from the floppy disk

After the A:\ > shows type the following in.

C:                     press the Enter key
cd \virus           press the Enter key

The screen should show C:\virus >

To use f-prot type

f-prot                 and press the Enter key and follow the instructions

To use avplite type

avplite :*           and press the Enter key.
You might want to read about a utility that might help at
A quick and dirty workaround to this would be to boot from a safe floppy, then simply overwrite the infected versions with the originals from the CD.
Since you're booting from a write-protected uninfected floppy, you don't give the virus a chance to load and then do the copying.  At your next reboot all should be well.

B112874 (Author) Commented:
Moresca, give more info on how to do what you're talking about.
1st step, boot from a bootable floppy, i.e. DOS boot disk, Windows Rescue Disk, etc.  Make sure it is write-protected (looking from back of diskette, little tab should be pressed down so you can see through the hole).
After you bootup using the diskette, just copy the original files from whatever source you used to initially install over the infected files in their respective locations.
What version of Windows are you running?
B112874 (Author) Commented:
Win 98SE 4.10.2222A. How do you make DOS boot disk or Windows rescue disk? I have a Windows boot disk and a Windows start up disk.
If you have problems with the above look at this site.  It will clean your system.


B112874 (Author) Commented:
dbrunton I downloaded the avplite and rebooted with my boot disk and after the A: typed C: and so on. I then typed avplite:* and it came up with the options list, but how do I get it to run? Every command I typed it kept saying bad command or file name.
There is meant to be a space between the avplite and the :*

avplite      :*

This checks all hard disks.
B112874 (Author) Commented:
Ok, dbrunton I did that and all it scanned was 1 file, 1 archive, 1 directory for a total of 1867 kilobytes. It said no viruses found. What now?
Hmmm.  I think their documentation is incorrect.  Try this.

avplite           c:\*.*

I tried this on my machine and it works.  Note that it is c:\*.* and that there is a . between the two *
NOTE: If you do not solve this issue by 4/20/00, I would highly suggest that you DO NOT, repeat, DO NOT, turn on your pc on Thursday.

Chernobyl, CIH, is usually time-bomb triggered to detonate on 4/20 of every year. It happened to 2 friends last year; thankfully, they both had new Dells, under warranty, and Dell was kind enough to replace their hdd's.

B112874 (Author) Commented:
dbrunton Ok that worked and it found 173 EXE programs that were infected, now what do you type in to clean (fix) them?
B112874 (Author) Commented:
nfroio, don't turn on the computer just on 04-20-00? Can I turn on the computer after that?
From all that I have read, CIH (Taiwan origin version) will only detonate when your system BIOS shows a 4/20 date. It can be fooled, however, by changing the date of your system before 4/20 to a date after 4/20, and all should be well.

Although ridding your system of CIH would be the best possible alternative, I just got a call from a friend whose system was blasted last year, and I told him to change his system date to 5/17, then to change it back after 4/21, just to be safe.

Even if you think that you have rid your system of the Chernobyl virus, I would still suggest that you either
a. just leave it alone from 12:00 midnight 4/20 until 12:01am 4/21.
b. change the date today or tomorrow to a date way past 4/20.

4/20 is the trigger date, and the name of the virus to *celebrate* the meltdown of Chernobyl Nuclear Plant in USSR.

Ooooops, wrong date: APRIL 26 is trigger. Follow above if worried, but replace 4/20 w/ 4/26. :-)

Too many things happened on previous April 20 (Columbine, Waco, Hitler, etc.)

From Sophos.com website:

10th March 1999

Network nuke set to blow 26 April 1999

Virus will trigger on thirteenth anniversary of Chernobyl disaster

CIH (Chernobyl) detected?

Sophos is warning computer users to be on their guard against CIH, a hardware-attacking computer virus. The best-known and most widespread variant of the virus is set to go off on 26 April, the thirteenth anniversary of the Chernobyl meltdown.

The virus, which was first identified in mid-1998 and has since dominated the Top Ten Virus table, is able to wipe out the user's hard disk and to overwrite the computer BIOS chip, making the computer unusable.

In response to anxieties about CIH, Sophos has produced a CIH disinfection utility. This Utility requires SWEEP for DOS which can be downloaded free from our evaluation page.

Sophos has also compiled a list of Frequently Asked Questions (FAQ) and is urging individuals and businesses to double-check anti-virus policies.

'The hardware-attacking warhead of CIH certainly puts it at the top of the "nastiness league"', said Paul Ducklin, Head of Research at Sophos. 'Hopefully, this will focus the attention of users and administrators on the fact that the best form of defence against viruses is not to get infected in the first place. Anyone without preventative measures in place should act at once.'

Below is the Inside Track on CIH, a Sophos FAQ.

The inside track on CIH

Sophos FAQ

What is CIH?
CIH is a family of computer viruses which infect Windows 95/98 programs. If you run an infected program on your computer, the virus will become active and begin to copy itself into other programs (EXE files) on your system. The virus usually replicates very quickly, so you will probably soon have hundreds of infected files on your computer.

How is CIH spread?
Any program you receive from outside your computer could potentially be infected. Once you are infected, the virus will soon spread throughout your computer, and so the chance of your passing an infected file to someone else is high.

How common is it?
Even though the first reports of CIH appeared only around the middle of 1998, the virus reached the Number Two spot on the Sophos Virus Top Ten for the whole of 1998. It was third in January 1999, and fourth in February 1999. This means it is very common indeed.

Why is it so widespread?
Programs infected with CIH have been seen on a number of cover CDs from reputable magazines, and on a number of reputable websites. This has certainly helped the virus achieve wide distribution.

What does CIH do?
Normally, CIH simply spreads itself. But on certain trigger dates, it detonates its warhead. The warhead wipes out your hard disk, and then tries to overwrite the computer's BIOS chip. Once the BIOS is overwritten, you will be unable to use your computer at all. Repair involves physically removing the BIOS chip and replacing it with a fresh one. On some computers, the BIOS chip is not removable, so it can only be replaced by swapping the entire motherboard.

What are the trigger dates?
There are several variants of CIH, with different trigger conditions. The best known, and most widespread, variant will detonate on 26 April. Other variants detonate on 26 June, or even on the 26th of any month.

Which operating systems are vulnerable?
CIH spreads under Windows 95 and Windows 98. DOS and Windows 3.x cannot spread CIH because they cannot run Windows 95/98 programs. Windows NT cannot spread CIH because the virus uses programming tricks that do not work under NT. The virus can infect Windows NT programs, but such programs will no longer run, and will therefore not be infectious themselves.

How can I prevent it?
Use reputable anti-virus software which can accurately identify CIH. Use the preventative component of your anti-virus software, not just the component that can detect viruses. Your goal is not just to avoid having your computer damaged by CIH on 26 April, but to avoid being infected at all - by CIH or any other virus.

Where can I get anti-virus software?
Go to the Download section of this website. You can download Sophos Anti-Virus free of charge. But don't just get it, use it!

Hope that helps, now, gotta call friend, and advise of **REAL** detonation date...

B112874 (Author) Commented:
Thanks, for the info. You wouldn't by chance have any ideas on how to get rid of it on your system would you?
avplite    /-        c:\*.*

Note the  /-

Other than commercial virus sweepers (Norton, McAfee), the ones that have been suggested here should work, albeit the directions given are vague at best.

You could also check your Motherboard docs for a jumper that will disable writing to the system BIOS, a major cause of CIH infestation, and just remove that jumper until after the detonate date. See the URL's below for more specific info, including downloads to rid yer sys of CIH.:

----> This is the best one in my humble opinion.




Good Luck.


I talked w/ a couple of other folks last night who had the CIH virus, and they used the antivirus software that dbrunton has suggested and is giving you directions for, and they said that it worked great.

They did state, however, that the directions were less than satisfactory, but I think that dbrunton's explanation is right on from what I have read, although I would still suggest to you, just in case, to avoid the use of the possibly affected pc on the detonation date - 4/26.

Good Luck,

>>albeit the directions given are vague at best.

I meant the software's directions folks, not the ones here.

just in case, not trying to offend, just help. :-)
B112874 (Author) Commented:
OK, It's finally gone. I have scanned my system with three different virus scanners and nothing was found. The AVPLITE was nice, but it was very slow in DOS. At least it got rid of my problem. I appreciate all the time that you spent with me on this problem dbrunton especially on the commands you have to type to get the damn thing to do what you want it to do. I don't know what I would have done without Experts-Exchange and your input.
B112874 (Author) Commented:
Sorry, I didn't mean to post it twice. I guess I was just excited that the virus is gone.
B112874 (Author) Commented:
Thanks, nfroio for the info
Thanks for the points.

Try and get f-prot as well.  It is free for personal use and a little easier to use than avplite.

It is best to have two different virus scanners in case one does not detect as well as it should do.

I have found that the McAfee's Windows product does not tend to find all viruses when scanning but finds them when you try to open or run an infected file.