I have the W95.CIH virus - help me pleas!

Tib

Banned
Dec 18, 2000
Someone sent me an exe with the w98.cih virus on it. What an ass...he sent it to me on purpose. The exe didn't do crap except put the virus all over all of the computers on my network.

I downloaded kill_cih.exe from Norton's website and ran it in win98, and it was supposed to stop the virus. Well then the virus infected my norton files, so I had to do a reinstall. I did a reinstall and it did not detect the virus in the scan.

So I was all happy and everything, then, when I try to run quake3.exe, norton tells me it is infected with the w95.cih virus.

What is going on? What do I do to stop this crap?

I have Windows 2000 Professional on my fileserver in my house. Do you think it can infect that too? It says it doesn't affect Windows NT systems - does Win2k count as Win NT or 95/98 as far as Norton is concerned?

I really need some help on this ASAP. It says that it will affect my computer on the 26th of the month, which is in 2 days. Well I don't want to have to buy new computers.

So someone please help, thanks :)

Tibor
 

MCS

Platinum Member
Feb 3, 2000
As far as I know Norton has two versions of all its Anti Virus software, one for NT/2000 and one for 9x. How many systems are we talking about here?

If I were you I would install Norton on every PC, update to the latest version (using auto update or downloading the patch) and run a scan. With any luck it should quarantine any infected files it's found.

Of course, you can't ALWAYS trust these things 100%, so if you're concerned (or the above doesn't work) you can always format all machines and reinstall Windows. The virus you have will NOT survive this, so it is a final and definite solution.

You certainly won't have to buy new computers! :)
 

Tib

Banned
Dec 18, 2000
I have 5 computers running win98 and 1 running win2000.

So there is no way to delete the virus? What a pain :(

Tibor
 

MCS

Platinum Member
Feb 3, 2000
<< when I try to run quake3.exe, norton tells me it is infected with the w95.cih virus >>

From the sounds of it you'll have NO idea where this thing is, so it doesn't look hopeful that you can just delete it.
 

Tib

Banned
Dec 18, 2000
I believe that it's in my bios. It didn't come up as detected in any of the files in my hard drive.

There has to be a way to delete this...I'm gonna bump this thread every 12 hours or so, and I'll contact norton. I'll let all of you guys know if I can find a way to delete it...this is one crappy virus :(

Tibor
 

BadThad

Lifer
Feb 22, 2000
The virus cannot reside in the BIOS, no virus can. But, it CAN destroy the BIOS. BTW - You have all the time in the world, just reset your system date to the 1st of the month.

Just some info for anyone trying to help, from Symantec:

CIH is a virus that infects 32-bit Windows 95/98/NT executable files but is only capable of functioning under Windows 95/98. When an infected program on a Windows 95/98 machine is run, the virus will become resident in the computer's memory. This means that an infected system must be rebooted from a clean system disk before scanning with NAV, or any anti-virus product. If this is not done, the virus will infect every file that the anti-virus product scans. Symantec AntiVirus Research Center has also provided a small utility called KILL_CIH to remove the virus from memory to avoid rebooting from a clean system disk.

Although NT system files can be infected, the virus cannot become resident or infect files on a Windows NT system. The virus also will not function under DOS, Windows 3.1 or on Macintosh computers. Once the virus is resident, CIH virus infects other files when they are accessed (e.g. when they are run or copied).

Files infected by CIH may have the same size as the original files because of CIH's unique mode of infection. The virus will search for empty, unused spaces in the file. Next it will break itself up into smaller pieces and insert them in these unused spaces. When NAV repairs a file infected by CIH, it looks for these small viral pieces and removes them from the file.

There are 3 known variants as of April 1999 that are all very similar. CIH Version 1.2 and Version 1.3 have a payload that will trigger on April 26th commemorating Chernobyl (the anniversary of the April 26, 1986 Soviet nuclear disaster). CIH Version 1.4 has a payload that will trigger on the 26th of any month. The payloads for all the versions of CIH are the same.

The first of two payloads has been designed to overwrite the hard disk with random data starting at the beginning of the disk (sector 0) using an infinite loop. The overwriting of the sectors will not stop until the system has crashed. As a result, your computer will not boot from the hard disk or floppy disk. Also the data that has been overwritten on your hard disk will be very difficult or impossible to recover. You will need to restore the data from backups.

The second payload will try to cause permanent damage to the computer. This payload attacks the Flash BIOS (a part of your computer that initializes and manages the relationships and data flow between the system devices, including the hard drive, serial and parallel ports and the keyboard) and will try to corrupt the data stored in the Flash BIOS. As a result, your computer may not display anything on the screen when you startup the system. Fixing this will require hardware repair on the computer.


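The Symantec text above describes the trick that keeps infected files the same size: CIH splits itself into the unused padding inside the executable. As an added illustration (not code from the thread, Symantec, or Norton), the Python below parses a PE file's section table and reports any section whose file-alignment padding (the bytes between VirtualSize and SizeOfRawData) is not all zeros, which is where that kind of cave-filling would show up. The sample PE bytes are constructed inline; the function and sample names are the example's own.

```python
import struct

def section_slack(data: bytes):
    """Per section: (name, slack bytes, non-zero bytes in that slack).
    Slack = the file-aligned tail of a section past its VirtualSize, the
    unused space a cave-filling infector can write into without growing
    the file. Compilers normally leave it zero-filled."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_off = pe_off + 24 + opt_size          # first IMAGE_SECTION_HEADER
    result = []
    for i in range(nsec):
        hdr = data[sec_off + 40 * i:sec_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        used = min(vsize, raw_size)
        slack = data[raw_ptr + used:raw_ptr + raw_size]
        result.append((name, len(slack), sum(1 for b in slack if b)))
    return result

def suspicious_sections(data: bytes):
    """Names of sections whose padding is not all zeros (worth a closer look)."""
    return [name for name, _n, nonzero in section_slack(data) if nonzero]

def build_sample_pe(sections):
    """Constructed minimal PE32 for the demo; sections = [(name, vsize, raw)]."""
    pe_off, opt_size = 0x40, 96
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, pe_off)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zero
    hdrs, body, va, raw_ptr = b"", b"", 0x1000, 0x200
    for name, vsize, raw in sections:
        hdrs += struct.pack("<8sIIII", name, vsize, va, len(raw), raw_ptr) + b"\0" * 16
        body, raw_ptr, va = body + raw, raw_ptr + len(raw), va + 0x1000
    head = bytes(dos) + b"PE\0\0" + coff + opt + hdrs
    return head.ljust(0x200, b"\0") + body

# Constructed samples: a clean section (zero padding) and one whose padding
# holds 20 bytes of code-like data, the way a filled cave would look.
CLEAN = (b".text", 10, b"\xC3" * 10 + b"\0" * 502)
TAMPERED = (b".data", 10, b"\xC3" * 10 + b"\x90" * 20 + b"\0" * 482)
SAMPLE = build_sample_pe([CLEAN, TAMPERED])
```

A non-zero gap is a reason to scan the file with up-to-date definitions, not proof of infection on its own: some linkers and packers also leave data there.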
 

Tib

Banned
Dec 18, 2000
Alright, so you're saying (norton says) that I have to put the kill_cih.exe file on a boot disk (clean boot disk) and boot it from that floppy? I hope that will fix it, and if it doesn't work, I'll just reboot the system date like you told me :)

Thanks for the tips and help.

Tibor

 

BadThad

Lifer
Feb 22, 2000
No, kill_cih just removes it from being resident in memory, that way it's not currently activated. You would boot into Windows as normal, then run kill_cih. At that point, it can't do anything, but kill_cih does NOT clean your system.

When you ran it the first time, then reinstalled NAV you probably rebooted per instructions, eh? Well, when you rebooted, you reactivated CIH. Read THIS!

Alright, you owe me a 10 rating in my profile for this one:

1) Boot up the PC.
2) Insert the kill_cih disk and run the program. (BTW- The kill_CIH.exe is immune to cih.)
3) Download the latest virus definition file from symantec and save on hard drive.
3) Install NAV and don't reboot when prompted.
4) Run the definitionfile.exe you downloaded, it will find and update NAV.
5) Run NAV and let it do whatever it has to to repair the system.
--Optional But Recommended--
6) Backup all your important data files and NO PROGRAMS NOR EXE FILES.
7) Run fdisk, delete the partitions/drives.
8) Run fdisk, make new partitions/drives.
9) Format the partitions and reinstall your OS.
10) Read how to NEVER get a virus again HERE.

Good Luck to You! :D

- BT
 

mastertech01

Moderator Emeritus Elite Member
Nov 13, 1999
I had this virus about a year and a half ago... kept reinstalling and all and it kept coming back... come to find out it was on my driver disks and boot disk as well... after cleaning everything it all went away... BE SURE TO CLEAN EVERYTHING! So get a virgin boot disk from a clean system and start from there and don't use any driver disks that aren't cleaned.
 

Tib

Banned
Dec 18, 2000
I found out how to remove it without formatting my hard disk.

Yes, BadThad, what you said will work, but I have 6 computers and I'm not about to spend a weekend or 2 reinstalling everything. Plus, 1 of my computers is a fileserver w/ 20 gigs of crap on it from like 30 CD-R backups!

Well I found a way to remove the virus without fdisking or formatting...

There is a file for download online (and I think on norton's site, too) called NAVC10.exe. You download that file and put it on your hard disk, like c:\temp. Run kill_cih.exe and restart your computer.

Boot up with a CLEAN floppy, and go to c:\temp, run navc10.exe. It will decompress a bunch of files.

Then, type NAVC /doallfiles /zips /repair

It will take a LONG time....like 2 or 3 hours if you have a large hard drive, maybe longer if it's 40 or 80 gigs, hehe. You might just have to leave it on overnight.

Your system will be cleaned, and you restart w/out the floppy and you'll have no further problems with the w95.cih virus. You can't delete it with a scan in Windows because it will get reinfected regardless of whether or not you ran the kill_cih tool.

Anyway, it worked for me. If you're on a network, just to be safe, pull the computers off the network (unplug them) if they might still be infected... clean all floppies, etc. And then it will work :)

I had to try like 5 different processes, this is the only one that would work for me without formatting and fdisking.

Tibor
 

anton

Banned
Sep 15, 2000
DON'T REFORMAT !!!

I had this virus on two of my computers, just download one little progge, it's called cleancih, I think (search on google), and run it in DOS, not DOS emulation, but DOS, so no files would be open, so it will be able to clean all files. Worked for me just fine, on both computers.
 

Tib

Banned
Dec 18, 2000
Will do step 10, thanks man :)

And I'll check out that cleancih on google too...thanks,

Tib
 

anazoal

Senior member
May 30, 2000
If you set up NAV to scan your emails when you're downloading them... Will this catch 100% of viruses?
 

Tib

Banned
Dec 18, 2000
i wouldn't trust it...they may say it will, but you never know for sure.

this one was in my yahoo mail, and i was dumb enough to d/load it w/out scanning.
stupid me, oh well. :(

Tib