

Domandro asked
Last Modified: 2013-12-28
My computer was affected by WinCIH. I don't mind recovering any data. I don't know much about these topics but it seems to have damaged master boot record, because when I boot with a system disc, I can't get to C drive.
When I type C: what I get is a C: but a MS Ramdrive.
As I said recovering data is not important for me, the only thing is to get to my real hd drive C: and clean the virus and install Win98 again.
Your step by step help on that problem will be appreciated.

First of all, I'm not a virus expert. This is just what I've heard or read :

In the best of cases, WinCIH only messes with the data on your hard disk.  In the worst-case scenario, it also corrupts your BIOS, making it impossible to boot your computer again.  You might need a new motherboard to solve this one.


I forgot to say that there seems no problem with my bios. I entered bios setup, and made adjustments like changing boot sequence. I've read many articles and previously asked questions.
As much as I've understood, most of them were able to get their C drive and applied one of the solution methods, using different solutions to clean the virus (e.g. cleancih, kill_cih).
You need to be sure that your bootdisk is ok and that you can access your CDROM, when you boot on it.
If this is ok, then you should do this:
Boot on the floppy
run fdisk and delete any partitions on your hd
reboot on floppy
run fdisk and create a primary dos partition and make it active
reboot on floppy
format the partition, you've just created.
start installation of windows from the CDROM.

Partitioning and formatting the hd will remove any trace of the virus.
Hope this helps


bobinmad and tonnybrandt;
thanks for your answers. I'm at work now and I'll try your suggestions when I get back home and will inform you tomorrow. Thanks again!

The correct syntax is FDISK /MBR to re-create a master boot record.
Well I hate to be the bearer of bad news but here's information from the AVP Encyclopedia.

You could very well have damaged hardware thanks to CIH. If fdisking does not work try flashing the bios and see if that helps out at all.

This virus is also known as: Chernobyl, PE_CIH, W32.Spacefiller, WIN95/CIH, CIH, and W32.CIH.

This is a Windows95 specific parasitic PE files (Portable Executable) infector about 1Kbyte of length. This virus was found "in-the-wild" in Taiwan in June 1998 - it was posted by the virus author to a local Internet conference as a some utility. Within a week the virus was found in Austria, Australia, Israel, United Kingdom, and was also reported from several other countries (Switzerland, Sweden, USA, Russia, Chile and the list keeps growing).

The virus installs itself into the Windows memory, hooks file access calls and infects EXE files that are opened. Depending on the system date (see below) the virus runs its trigger routine. The virus has bugs and in some cases halts the computer when an infected application is run.

The virus' trigger routine operates with Flash BIOS ports and tries to overwrite Flash memory with "garbage". This is possible only if motherboard and chipset allow to write to Flash memory. Usually writing to Flash memory can be disabled by a DIP switch, however this depends on the motherboard design. Unfortunately, there are modern motherboards that cannot be protected by a DIP switch - also, some of them do not pay attention for switch position and this protection has no effect at all. Some other motherboard designs provide write protection that can be disabled/overridden by software.

During tests in our lab the virus did not overwrite the Flash BIOS and just halted the computer. We do however have reports from other sources telling that the virus really is able to mess it up.

The trigger routine then overwrites data on all installed hard drives. The virus uses direct disk write calls to achieve this and bypasses standard BIOS virus protection while overwriting the MBR and boot sectors.

If you want to recover your data on your harddisk, you can use mrecover.exe and you can find it at this URL ftp://ftp.akkobank.ru/pub/win95/aids/mrecover.zip

If you just want to recover your hard drive you can boot your system with a clean system diskette. Then run fdisk from diskette a:

From the menu select 3 to delete partitions from c:. When all partitions are deleted you can create a new partition by selecting 1 from the menu.

After all, restart your computer with your system diskette and format your drive.

If you get back to the c drive after trying the above suggestions, run the kil_cih program again to ensure nothing is in memory to cause possible reinfection before reinstalling windows etc.

According to the write ups, kil_cih is only good until you reboot the pc.


If you submitted this question on the pc you think is infested w. CIH, then you are OK. If the pc in question is at home, the best thing that you can do is ignore it today. ALL DAY.

If the former, for the simple fact that you were able to submit this question, it is doubtful that you still have CIH infecting your pc, because today, 4-26 is the detonation date for most versions of the Chernobyl WinCIH virus, the anniversary of the wee disaster over there. Especially any of the virus that originated from Taiwan.

So, if you are using the same pc that you think may be infected, you are probably not, if you were, as soon as you turned on your pc this am, it would have died, as CIH infects when any *.exe is used, or any data is written to sys bios, ie. turning it on, or opening any app, or even something as simple as your clock running will kill the system.

If the former, and your infected pc is your home pc, I hope that you have not turned it on yet, if not, DO NOT, it will die, hardware, and software, CIH _WILL_ kill your hard drive to a point where you need a new one, it happened to two friends last year. It may also ruin your mainboard and  mem chips, best bet, leave any pc alone today that may be infected, then tomorrow, go get a good CIH cleaner.

Symantec has a good one
Sophos has a good one

Good luck,


Win95.CIH virus cleaning program

thanks bartsmit on the syntax - - I was sweepy when I typed that!


I really fear too late to stop Domandro.
For remaining audience, sometimes it is 'good' to go slow, pause & reflect before act. While you are here in EE and not in a 'panic' mode, think on this:

"I can't wait to turn my PC on to see if it has the same virus _____!"

RU.Sure ??

(collection of local informational links from hes follows:)

Look at these q's



Sorry for being too late to evaluate this question. I was busy till now. Bobinmad and tonnybrandt were to show me the correct way. You both commented at the same time. Will it be fair to share the points for you? And please inform me how to do that. (Will I have to post another question specially for one of you?)
I was lucky as the virus didn't infect Bios. Then I followed the steps as you told me. One of my friends suggested me to use Tiramisu, a software that can recover data even if the mbr is damaged. It is said to be a very effective program. But luckily I didn't have any important data on my hdd.
Again thanks for all...
Hi Domandro
Glad that you got your 'puter fixed.

About points:
You can't lower the points for a question.
To split points, you need to submit a 0 point question in
Where you provide a link to this question and ask them to split points between Bobinmad and tonnybrandt, if that's what you want to do.
It's your choice.


-If your PC is able to boot at all, your BIOS has definitely NOT been modified

-If you want to recover your data, do not make any changes with fdisk or format. If your drive was FAT32 and you haven't made any modifications to the disk since the virus struck, the FIX-CIH utility from http://www.grc.com should be able to recover all the data.

-The CIH cleaners like CLEANCIH and KILL_CIH won't do any good until after the partition(s) have been restored

-CIH does not physically kill hard drives

I have a page with some myths about CIH at http://stubbs.cjb.net/cih.html

>>-CIH does not physically kill hard drives

Tell that to my friends' hard drives after last year's round of CIH, two of my friends' drives were completely killed,  you can find them at the bottom of a bin somewhere at dell.....

Community Support has reduced points from 150 to 75

Hello everyone,

I am reducing the points on this question to 75 for a split.

Domandro: you can now accept one of bobinmad or tonnybrandt's comments as an answer to award the first half of the points. For the second Expert, create a new question in this topic area. The title should be 'For ExpertName -- 10334113' and it should be for 75 points.

Remember, the Accept Comment as Answer button is in the header of the comment.

Customer Service


I'll bet Dell just repartitioned them and reformatted them and sold them to someone else.

>>I'll bet Dell just repartitioned them and reformatted them and sold them to someone else.

Unless they have a "super-duper" low-level format utility, I doubt it, I tried for many hours to get both disks back up, repartitioning, formatting, and low-level formatting, and nothing worked. I think that they are currently ballast on a Hong Kong Junk.

But, as happens from time to time, me could be wrong, either way, I am just glad that Dell stands, in my eyes, 100% behind their products, and not some 'fine print'.


ok, thumbs up dell.

Hard drives erased by CIH are still not physically damaged, for instance see all the people that successfully recovered their drives at http://grc.com/cih-letters.htm

My guess would be that you set the drive parameters wrong in the CMOS or you forgot to set one of the partitions active, but I suppose that it's also possible the hard drive could have coincidentally died at around the same time.
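
An added example (not from any post in this thread): a read-only check of a saved copy of sector 0 for the conditions raised above, namely a missing boot signature, an empty partition table, or no partition marked active. The function names and the sample sectors are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Read-only triage of a saved copy of sector 0."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    report = {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
              "partitions": [], "problems": []}
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0x00:      # unused slot
            continue
        if status not in (0x00, 0x80):
            report["problems"].append(f"entry {i}: invalid status byte {status:#04x}")
        report["partitions"].append({"index": i, "active": status == 0x80,
                                     "type": ptype, "lba_start": lba_start,
                                     "sectors": count})
    if not report["signature_ok"]:
        report["problems"].append("missing 0x55AA boot signature")
    if not report["partitions"]:
        report["problems"].append("partition table is empty")
    else:
        active = sum(p["active"] for p in report["partitions"])
        if active != 1:
            report["problems"].append(f"{active} active partitions (expected exactly 1)")
    return report

def build_sample_mbr(active: bool = True) -> bytes:
    """Constructed sample: one FAT32 (type 0x0B) partition starting at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80 if active else 0x00, b"\x01\x01\x00",
        0x0B, b"\xfe\xff\xff", 63, 4_192_902)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    samples = {"healthy": build_sample_mbr(), "not active": build_sample_mbr(False),
               "overwritten": bytes(SECTOR_SIZE)}  # all-zero stand-in for a wiped sector
    for name, data in samples.items():
        print(name, parse_mbr(data)["problems"] or "no problems found")
```
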



I remain curious on drives dying (capability?)

Let us remember, there are also different types of drives, perhaps such a damage capability is limited to a certain kind of a drive or bios etc.

I tinkered with viruses one night, reading their hex.  I must've been brain dead, for I rebooted with the floppy ready to load. As I heard the spin up, I 'knew'. In a flash I got the diskette to pop out. Too late.  This was one with a trigger date, and the clock had just moved past midnight, for that trigger.

Imagine how I felt!

The thing is, the virus had been around a while. BIOS changed. Drive geometry changed. I 'lucked out' and found it was too primitive to wipe the sectors it had planned to.

I am not saying play with virus or don't.  I am saying that disk access methods change over time, and so concerning issues like this thread, I am curious about any differences that have been distinguished between some of the disk types, of bios, or other disk access method.

The subsequent Love_Bug hit my inbox. I thought it would not run. So I tried it as a 'proof'. I was right this time, my system is/was too primitive for it to work.  That is my curiosity, on the distinctions that there may be for the behavior.

If a family is fortunate where husband has pc with scsi drive, and mother has pc with IDE, can they be made aware that one unit is more or less vulnerable to a virus_of_the_week? Any way they can get information to make more informed decisions as to which one gets to connect to internet next?