Solved

WinCIH

Posted on 2000-04-26
Last Modified: 2013-12-28
Hi,
My computer was affected by WinCIH. I don't mind recovering any data. I don't know much about these topics, but it seems to have damaged the master boot record, because when I boot with a system disc, I can't get to the C drive.
When I type C:, what I get is a C:, but it is an MS Ramdrive.
As I said, recovering data is not important for me; the only thing is to get to my real hard drive C:, clean the virus and install Win98 again.
Your step by step help on that problem will be appreciated.
Question by:Domandro
LVL 3

Expert Comment

by:IconMan7
ID: 2750609
First of all, I'm not a virus expert. This is just what I've heard or read :

In the best of cases, WinCIH only messes with the data on your hard disk. In the worst-case scenario, it also corrupts your BIOS, making it impossible to boot your computer again. You might need a new motherboard to solve this one.

Author Comment

by:Domandro
ID: 2750633
I forgot to say that there seems to be no problem with my BIOS. I entered BIOS setup and made adjustments like changing the boot sequence. I've read many articles and previously asked questions.
As much as I've understood, most of them were able to get their C drive and applied one of the solution methods, using different solutions to clean the virus (e.g. cleancih, kill_cih).
LVL 5

Accepted Solution

by:
bobinmad earned 75 total points
ID: 2750770
run fdisk from the bootdisk

choose option to view disk information  

hopefully you will be able to delete all partitions and then create a single partition

also, you may have to type "format c: /mbr" to recreate the boot sector

this assumes you have all data backed up and want to completely erase your drive and reinstall

if not, try the mbr method and see if you can get at the "c:" drive

hth

bobinmad
LVL 10

Expert Comment

by:tonnybrandt
ID: 2750775
You need to be sure that your bootdisk is ok and that you can access your CDROM, when you boot on it.
If this is ok, then you should do this:
Boot on the floppy
run fdisk and delete any partitions on your hd
reboot on floppy
run fdisk and create a primary dos partition and make it active
reboot on floppy
format the partition, you've just created.
start installation of Windows from the CDROM.

Partitioning and formatting the hd will remove any trace of the virus.
Hope this helps
Tonny

Author Comment

by:Domandro
ID: 2750796
bobinmad and tonnybrandt;
thanks for your answers. I'm at work now and I'll try your suggestions when I get back home and will inform you tomorrow. Thanks again!
LVL 6

Expert Comment

by:bartsmit
ID: 2750872
The correct syntax is FDISK /MBR to re-create a master boot record.
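Before rewriting or deleting anything with fdisk, it helps to know what actually survives in the first sector. As an added example (not code from this thread or any of the tools mentioned in it), this Python parses a 512-byte MBR image and reports whether the boot signature, boot code and partition table are still there; the function names are mine, and the healthy sector and the zero-filled sector are constructed samples standing in for a real disk image.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # x86 boot code occupies bytes 0..445
ENTRY_LEN = 16               # four 16-byte partition entries follow at 446..509
SIGNATURE = b"\x55\xAA"      # bytes 510..511 must hold this for the BIOS to boot

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into signature check, boot-code check and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_LEN])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_blank": not any(sector[:BOOT_CODE_LEN]),
        "partitions": partitions,
    }

def diagnose(sector: bytes) -> str:
    """One-line verdict a technician can act on before touching fdisk."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "no 55AA signature: sector zeroed or overwritten, BIOS will not boot from it"
    if not info["partitions"]:
        return "signature present but partition table empty: nothing for DOS to mount as C:"
    if not any(p["bootable"] for p in info["partitions"]):
        return "partition table present but no active partition"
    return "MBR looks intact"

def build_sample_mbr(active: bool = True) -> bytes:
    """Constructed healthy MBR: dummy boot code, one FAT32 (type 0x0B) partition, valid signature."""
    boot_code = b"\xEB\x3C\x90" + b"\x00" * (BOOT_CODE_LEN - 3)
    entry = struct.pack("<B3sB3sII", 0x80 if active else 0x00,
                        b"\x01\x01\x00", 0x0B, b"\xFE\xFF\xFF", 63, 4192902)
    return boot_code + entry + b"\x00" * (ENTRY_LEN * 3) + SIGNATURE

WIPED_MBR = bytes(MBR_SIZE)  # constructed: a first sector that has been zero-filled

if __name__ == "__main__":
    for name, sec in (("healthy", build_sample_mbr()), ("wiped", WIPED_MBR)):
        print(f"{name}: {diagnose(sec)}")
```

On a real machine the 512 bytes would come from a raw read of sector 0 taken from a clean boot floppy, never from the suspect system while it is running.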
LVL 1

Expert Comment

by:avtronics
ID: 2751516
Well, I hate to be the bearer of bad news, but here's information from the AVP Encyclopedia.

You could very well have damaged hardware thanks to CIH. If fdisking does not work, try flashing the BIOS and see if that helps out at all.



Win95.CIH
This virus is also known as: Chernobyl, PE_CIH, W32.Spacefiller, WIN95/CIH, CIH, and W32.CIH.

This is a Windows95-specific parasitic PE (Portable Executable) file infector about 1 Kbyte in length. This virus was found "in-the-wild" in Taiwan in June 1998 - it was posted by the virus author to a local Internet conference as some utility. Within a week the virus was found in Austria, Australia, Israel and the United Kingdom, and was also reported from several other countries (Switzerland, Sweden, USA, Russia, Chile, and the list keeps growing).

The virus installs itself into the Windows memory, hooks file access calls and infects EXE files that are opened. Depending on the system date (see below) the virus runs its trigger routine. The virus has bugs and in some cases halts the computer when an infected application is run.

The virus' trigger routine operates with Flash BIOS ports and tries to overwrite Flash memory with "garbage". This is possible only if the motherboard and chipset allow writing to Flash memory. Usually writing to Flash memory can be disabled by a DIP switch; however, this depends on the motherboard design. Unfortunately, there are modern motherboards that cannot be protected by a DIP switch - also, some of them do not pay attention to the switch position, and this protection has no effect at all. Some other motherboard designs provide write protection that can be disabled/overridden by software.

During tests in our lab the virus did not overwrite the Flash BIOS and just halted the computer. We do however have reports from other sources telling that the virus really is able to mess it up.

The trigger routine then overwrites data on all installed hard drives. The virus uses direct disk write calls to achieve this and bypasses standard BIOS virus protection while overwriting the MBR and boot sectors.


Expert Comment

by:umitde
ID: 2751646
If you want to recover the data on your hard disk, you can use mrecover.exe; you can find it at this URL: ftp://ftp.akkobank.ru/pub/win95/aids/mrecover.zip

If you just want to recover your hard drive, you can boot your system with a clean system diskette. Then run fdisk from diskette A:

From the menu, select 3 to delete partitions from C:. When all partitions are deleted, you can create a new partition by selecting 1 from the menu.

After all that, restart your computer with your system diskette and format your drive.
LVL 2

Expert Comment

by:bantams
ID: 2751773
If you get back to the C drive after trying the above suggestions, run the kil_cih program again to ensure nothing is in memory to cause possible reinfection before reinstalling Windows etc.

According to the write-ups, kil_cih is only good until you reboot the PC.
LVL 5

Expert Comment

by:nfroio
ID: 2751888
Domandro:

If you submitted this question on the PC you think is infested with CIH, then you are OK. If the PC in question is at home, the best thing that you can do is ignore it today. ALL DAY.

If the former, for the simple fact that you were able to submit this question, it is doubtful that you still have CIH infecting your PC, because today, 4-26, is the detonation date for most versions of the Chernobyl WinCIH virus, the anniversary of the wee disaster over there. Especially any of the virus that originated from Taiwan.

So, if you are using the same PC that you think may be infected, you are probably not. If you were, as soon as you turned on your PC this morning it would have died, as CIH infects when any *.exe is used, or any data is written to the system BIOS, i.e. turning it on, opening any app, or even something as simple as your clock running will kill the system.

If the former, and your infected PC is your home PC, I hope that you have not turned it on yet. If not, DO NOT; it will die, hardware and software. CIH _WILL_ kill your hard drive to a point where you need a new one; it happened to two friends last year. It may also ruin your mainboard and memory chips. Best bet: leave any PC alone today that may be infected, then tomorrow go get a good CIH cleaner.

Symantec has a good one
Sophos has a good one

Good luck,

nfroio
LVL 17

Expert Comment

by:rayt333
ID: 2753225
Win95.CIH virus cleaning program
http://www.pspl.com/download/cleancih.htm
LVL 5

Expert Comment

by:bobinmad
ID: 2753849
Thanks bartsmit on the syntax -- I was sleepy when I typed that!

bobinmad
LVL 24

Expert Comment

by:SunBow
ID: 2757273
nfroio,
I really fear it is too late to stop Domandro.
For the remaining audience, sometimes it is 'good' to go slow, pause & reflect before acting. While you are here in EE and not in a 'panic' mode, think on this:

"I can't wait to turn my PC on to see if it has the same virus _____!"

RU.Sure ??

(collection of local informational links from hes follows:)

hes
Look at these q's

http://www.experts-exchange.com/jsp/qShow.jsp?ta=hardgen&qid=10334325  
http://www1.experts-exchange.com/Computers/Operating_Systems/Windows/Win98/Q_10334439.html
http://www1.experts-exchange.com/Computers/Operating_Systems/Windows/Win98/Q_10334113.html

Author Comment

by:Domandro
ID: 2772239
Sorry for being too late to evaluate this question. I was busy till now. Bobinmad and tonnybrandt were to show me the correct way. You both commented at the same time. Will it be fair to share the points between you? And please inform me how to do that. (Will I have to post another question specially for one of you?)
I was lucky, as the virus didn't infect the BIOS. Then I followed the steps as you told me. One of my friends suggested I use Tiramisu, a program that can recover data even if the MBR is damaged. It is said to be a very effective program. But luckily I didn't have any important data on my hdd.
Again, thanks for all...
LVL 10

Expert Comment

by:tonnybrandt
ID: 2775135
Hi Domandro
Glad that you got your 'puter fixed.

About points:
You can't lower the points for a question.
To split points, you need to submit a 0 point question in
http://www1.experts-exchange.com/Customer_Service/Experts_Exchange/
Where you provide a link to this question and ask them to split points between Bobinmad and tonnybrandt, if that's what you want to do.
It's your choice.

Cheers
Tonny

Expert Comment

by:stubbs
ID: 2777937
-If your PC is able to boot at all, your BIOS has definitely NOT been modified

-If you want to recover your data, do not make any changes with fdisk or format. If your drive was FAT32 and you haven't made any modifications to the disk since the virus struck, the FIX-CIH utility from http://www.grc.com should be able to recover all the data.

-The CIH cleaners like CLEANCIH and KILL_CIH won't do any good until after the partition(s) have been restored

-CIH does not physically kill hard drives


I have a page with some myths about CIH at http://stubbs.cjb.net/cih.html
LVL 5

Expert Comment

by:nfroio
ID: 2777980
>>-CIH does not physically kill hard drives

Tell that to my friends' hard drives after last year's round of CIH. Two of my friends' drives were completely killed; you can find them at the bottom of a bin somewhere at Dell.....
LVL 3

Expert Comment

by:darinw
ID: 2779132
Community Support has reduced points from 150 to 75
LVL 3

Expert Comment

by:darinw
ID: 2779133
Hello everyone,

I am reducing the points on this question to 75 for a split.

Domandro: you can now accept one of bobinmad or tonnybrandt's comments as an answer to award the first half of the points. For the second Expert, create a new question in this topic area. The title should be 'For ExpertName -- 10334113' and it should be for 75 points.

Remember, the Accept Comment as Answer button is in the header of the comment.

darinw
Customer Service

Expert Comment

by:stubbs
ID: 2780303
nfroio:

I'll bet Dell just repartitioned them and reformatted them and sold them to someone else.
LVL 5

Expert Comment

by:nfroio
ID: 2781296
>>I'll bet Dell just repartitioned them and reformatted them and sold them to someone else.

Unless they have a "super-duper" low-level format utility, I doubt it. I tried for many hours to get both disks back up, repartitioning, formatting, and low-level formatting, and nothing worked. I think that they are currently ballast on a Hong Kong junk.

But, as happens from time to time, me could be wrong, either way, I am just glad that Dell stands, in my eyes, 100% behind their products, and not some 'fine print'.

nfroio
LVL 24

Expert Comment

by:SunBow
ID: 2782710
ok, thumbs up dell.

Expert Comment

by:stubbs
ID: 2783796
Nfroio:
Hard drives erased by CIH are still not physically damaged; for instance, see all the people who successfully recovered their drives at http://grc.com/cih-letters.htm

My guess would be that you set the drive parameters wrong in the CMOS or you forgot to set one of the partitions active, but I suppose that it's also possible the hard drive could have coincidentally died at around the same time.

Author Comment

by:Domandro
ID: 2787175
thanks...
LVL 24

Expert Comment

by:SunBow
ID: 2822452
I remain curious on drives dying (capability?)

Let us remember, there are also different types of drives, perhaps such a damage capability is limited to a certain kind of a drive or bios etc.

I tinkered with viruses one night, reading their hex.  I must've been brain dead, for I rebooted with the floppy ready to load. As I heard the spin up, I 'knew'. In a flash I got the diskette to pop out. Too late.  This was one with a trigger date, and the clock had just moved past midnight, for that trigger.

Imagine how I felt!

The thing is, the virus had been around a while. BIOS changed. Drive geometry changed. I 'lucked out' and found it was too primitive to wipe the sectors it had planned to.

I am not saying play with viruses or don't. I am saying that disk access methods change over time, and so, concerning issues like this thread, I am curious about any differences that have been distinguished between some of the disk types, of BIOS, or other disk access method.

The subsequent Love_Bug hit my inbox. I thought it would not run. So I tried it as a 'proof'. I was right this time; my system is/was too primitive for it to work. That is my curiosity, on the distinctions that there may be for the behavior.

If a family is fortunate where husband has pc with scsi drive, and mother has pc with IDE, can they be made aware that one unit is more or less vulnerable to a virus_of_the_week? Any way they can get information to make more informed decisions as to which one gets to connect to internet next?