Recovering from a Chernobyl attack


joea64
03-29-2002, 05:11 AM
My system got zapped by Chernobyl this week, although I didn't realize it until last night. Well, it got PARTIALLY zapped. Right now, even though I can't boot to Win98 in Normal mode anymore, I can still boot in Safe mode and the BIOS, MBR and partition tables all appear to be intact. The problem is that Chernobyl has gummed up a number of the critical system files and other program executables on C:

Actually, I'm not even sure exactly how Chernobyl got onto my system, because I have Norton Antivirus active, updated just last week, and it ran an automatic system scan only a couple of days before the virus hit. I first noticed that something was wrong when I hit ctrl-alt-del last evening to shut down a balky process and saw a process on the list that I didn't recognize and that had a suspicious name (one, moreover, that kept changing - always a sure sign of trouble). When I tried to start Norton Antivirus, the system informed me that NAVW32.EXE had been changed, and that raised the red flag.

So I rebooted. Not a good idea. The system was very slow to shut down, and when I tried to restart, it froze at the password screen, so I had to go back to Safe Mode. I was able to restart to Normal Mode from there a couple of times after that, but then boot to Normal Mode just broke down. I ran an emergency scan on the system from the CD and found that a number of system files had been infected with W95_CIH, and that the CD (which was a relatively old one - it's the Systemworks 2001 CD) couldn't fix the problem. (I now actually think that the virus detonated when I shut down the system the first time - remember, the shutdown process was much slower than could have been accounted for by normal memory leakage.)

Fortunately, I have an alternate computer, so I started it up, got online, and got the CIH removal tool from Symantec. I also have a clean boot disk, so I put the CIH (NAVC10.EXE) onto the infected machine, booted from floppy, unzipped NAVC10 and then ran it. Three files were found to have been infected with W95.CIH.1075 and were repaired.

However, the majority of the infected files still haven't been cleaned/repaired because NAVC10 apparently only works with one variant of Chernobyl. I don't believe any further damage has been done to the system, but now, when I try to do a Normal boot, the system crashes with a BSOD error at the password prompt (which, of course, is an artifact of the mucked system files). Safe Mode boot continues to work and Safe Mode is, as far as I can tell, completely operational. My secondary hard drive does not appear to have been damaged, which is a Good Thing because I have a lot of non-executable (and irreplaceable) files that I will need to copy/move over there if worst comes to worst.

I also have the KILL_CIH.EXE tool from Symantec, but all that does is disable the virus in memory until Norton Antivirus can come in to take care of it - but as I told you, Norton Antivirus is hosed on the hard drive and the emergency version on the CD isn't the latest version which might be able to repair the infected files. I have also downloaded the FIX_CIH tool from Gibson Research but it doesn't appear to meet my needs because, as I mentioned, the MBR and FAT partition tables are intact and so is the BIOS (Award version 6.00PG on an ECS K7VZA motherboard, built in July 2001).

What do I do next? I am planning to ask the IT people at work today if they have any up-to-date antivirus tools I can borrow, but I have to be ready for the possibility that I may have to reinstall Win98, and possibly most if not all of the applications on C:. I have the OEM CD, and I'm getting conflicting information as to whether I can reinstall Win98 from there without wiping the C: partition clean, not to mention the problem that Chernobyl is still lurking in memory unless I run the KILL_CIH.EXE tool and I'm afraid of having it infect the new install. So I need to try to disinfect C: first. Suggestions?

-Joe-

------------------
Alternate email: joea64@yahoo.com
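
The "NAVW32.EXE had been changed" warning Joe describes is a file-integrity check: a stored hash of the executable no longer matches the file on disk. The following Python is an added example, not code from this thread or from any of the antivirus tools named in it. It hashes every executable-type file under a directory into a baseline, then diffs a later scan against it and singles out files whose hash changed while their size stayed the same, which is the footprint of an infector that writes into unused space inside a file instead of appending to it (CIH kept the files it infected the same size). The directory tree, the file names and the tampering in `demo()` are all constructed sample data.

```python
import hashlib
import json
import os
import tempfile

# File types worth tracking; CIH-style infectors target Windows executables.
TRACKED_SUFFIXES = (".exe", ".dll", ".com", ".scr", ".sys")


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Record hash and size of every tracked file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(TRACKED_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_of(full), "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    """Persist the baseline; in practice keep this copy on write-protected or offline media."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare_baselines(old: dict, new: dict) -> dict:
    """Classify the differences between an earlier and a later baseline."""
    changed = sorted(p for p in old if p in new and old[p]["sha256"] != new[p]["sha256"])
    return {
        "changed": changed,
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        # Hash changed but size did not: the pattern left by an infector that
        # overwrites unused space inside the file rather than appending to it.
        "same_size_changed": sorted(p for p in changed if old[p]["size"] == new[p]["size"]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, tamper with it, diff the result."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed placeholder files, not real binaries.
        samples = {
            "WINDOWS/NOTEPAD.EXE": b"MZ" + b"\0" * 1022,
            "Program Files/Scanner/SCANW32.EXE": b"MZ" + b"\0" * 2046,
            "WINDOWS/README.TXT": b"plain text, not tracked",
        }
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        before = build_baseline(root)
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(before, baseline_file)

        # Overwrite 64 bytes in the middle of one executable without changing its
        # length, and drop a new executable into the tree.
        target = os.path.join(root, "Program Files", "Scanner", "SCANW32.EXE")
        with open(target, "r+b") as fh:
            fh.seek(512)
            fh.write(b"X" * 64)
        with open(os.path.join(root, "WINDOWS", "NEWTOOL.EXE"), "wb") as fh:
            fh.write(b"MZ")

        after = build_baseline(root)
        return compare_baselines(load_baseline(baseline_file), after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline only has value if it was taken from a known-clean system and stored somewhere the machine cannot rewrite, which is also why scanning from a write-protected boot floppy matters in the thread: a scanner whose own executable has been modified cannot be trusted to report on anything else.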

mjc
03-29-2002, 11:21 AM
Probably your best bet at this stage is not to worry about trying to disinfect the install, but to wipe everything on the drive (if it is more than one partition, those too); not just a reformat, but a "wipe" utility that will overwrite the drive with all zeros. The reason I say this is that you cannot get any of the disinfection tools to complete the job, so you may have a new variant that isn't covered by the current crop of tools (it might also be a good idea to get in touch with Norton).

Get in touch with Norton...I think you have a new variant that goes off on the TMI (Three Mile Island) date!!!!

That could explain why the disinfection tools didn't get it all!!

Don't use the infected system and don't use any floppies that were used in it anywhere else (unless they were write protected)!

------------------
mjc
Links list:Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)

Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.

bwlautt
03-29-2002, 12:07 PM
GRC has a CIH program to get your files back again. Go to www.grc.com (http://www.grc.com)

bwlautt
03-29-2002, 12:11 PM
You could go to GRC to get the CIH removal tool--www.grc.com Also if you reformatted your drive you could get rid of it by installing a fresh MBR. The command to do this is format c: /mbr

mjc
03-29-2002, 12:17 PM
bwlautt,

I have also downloaded the FIX_CIH tool from Gibson Research but it doesn't appear to meet my needs...


And the way to fix the MBR is:

fdisk_/mbr (with a space instead of the underscore)

------------------
mjc
Links list:Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)

Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.

joea64
03-29-2002, 04:20 PM
Originally posted by bwlautt:
You could go to GRC to get the CIH removal tool--www.grc.com Also if you reformatted your drive you could get rid of it by installing a fresh MBR. The command to do this is format c: /mbr

Well, I don't have anything left to lose, so I'm going to go ahead and try FIX_CIH after all, once Norton Antivirus 2002's CD gets through scanning. NAV 2002 _did_ find and fix some more files (NPS-something.EXE, TWUNK_32.EXE, and another one I don't remember - I wish I had a log) but there are a lot of infected files that it couldn't fix. Therefore, I'm going to try FIX_CIH. If that doesn't work....

...well, I'm not altogether out of options. I still have the old HD (IBM, 3.2 GB) that I swapped out for the 20 GB one that's now infected back at the beginning of December. All the data is present on that drive, so I _should_ be able to get going again once I swap them out. Nonexecutable files don't appear to have been infected, so I will save them to the secondary HD on the system (which I will also run FIX_CIH on) - I'm especially interested in rescuing website files, my Netscape bookmarks, my homemade wallpapers and image collections and my documents - and I think there's enough room left on the secondary HD to store them on. Once that's done, I can take the infected HD to the IT people at work to have them wipe it clean so that I can reuse it.

-Joe-


------------------
Alternate email: joea64@yahoo.com

joea64
03-29-2002, 06:08 PM
Originally posted by bwlautt:
You could go to GRC to get the CIH removal tool--www.grc.com Also if you reformatted your drive you could get rid of it by installing a fresh MBR. The command to do this is format c: /mbr

No joy with FIX-CIH, I'm afraid. The utility reports that the MBRs on both hard drives are _good_, and that neither HD has suffered CIH damage (this is after a scan with the CD of NAV 2002 which reported numerous executable files infected with CIH, but was able to fix only about 52 files with .vir and .vi* extensions).

At this point, what I'm going to do is to move as much data (non-executable) as I can from the infected C: drive to the secondary HD. I am considering swapping out the hard drives, as well, and replacing the infected primary with the old primary HD.

-Joe-



------------------
Alternate email: joea64@yahoo.com
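
FIX_CIH's report that both MBRs are "good" is a check you can reproduce yourself on a copy of the first sector. The following Python is an added example, not code from this thread or from Gibson Research's tool: it parses a 512-byte MBR image, verifies the 0x55AA boot signature, decodes the four 16-byte partition entries, and flags entries that are impossible (zero length, starting on top of the MBR, more than one bootable) or that overlap each other. The three images it checks are constructed inline; obtaining a real one means reading the first 512 bytes of the raw device (such as `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, both needing administrator privileges), which is left to the caller.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # boot code occupies bytes 0..445
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry (CHS fields are kept opaque)."""
    status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "status": status,          # 0x80 = bootable, 0x00 = inactive
        "type": ptype,             # 0x00 = empty slot
        "lba_start": lba_start,
        "sectors": sectors,
        "lba_end": lba_start + sectors - 1 if sectors else lba_start,
    }


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        entries.append(parse_partition_entry(sector[off:off + ENTRY_SIZE]))
    return {
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "partitions": entries,
        "signature": sector[SECTOR_SIZE - 2:],
    }


def check_mbr(sector: bytes) -> list:
    """Return human-readable findings; an empty list means the sector looks sane."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if not any(mbr["boot_code"]):
        findings.append("boot code area is all zeros (no bootstrap loader present)")
    used, bootable = [], 0
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["status"] == 0x80:
            bootable += 1
        if p["type"] == 0:
            continue  # empty slot
        if p["sectors"] == 0:
            findings.append(f"entry {i}: type 0x{p['type']:02x} but zero length")
            continue
        if p["lba_start"] == 0:
            findings.append(f"entry {i}: starts at LBA 0, on top of the MBR itself")
        used.append((i, p))
    if bootable > 1:
        findings.append(f"{bootable} partitions flagged bootable; expected at most one")
    for a in range(len(used)):
        for b in range(a + 1, len(used)):
            ia, pa = used[a]
            ib, pb = used[b]
            if pa["lba_start"] <= pb["lba_end"] and pb["lba_start"] <= pa["lba_end"]:
                findings.append(f"entries {ia} and {ib} overlap")
    return findings


def make_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build a 16-byte entry with zeroed CHS fields (LBA-only, as modern tools write)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr(entries, signature=BOOT_SIGNATURE, boot_code=None) -> bytes:
    """Assemble a constructed 512-byte MBR image for testing; not taken from any real disk."""
    if boot_code is None:
        # Placeholder stub: cli; xor ax,ax; then NOP padding. Not a working loader.
        boot_code = b"\xfa\x33\xc0" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    table = b"".join(entries) + b"\0" * (ENTRY_SIZE * (4 - len(entries)))
    return boot_code + table + signature


# Constructed samples: a healthy single-FAT32 layout, the same with a wiped
# signature, and one where a second partition overlaps the first.
GOOD_MBR = build_sample_mbr([make_entry(0x80, 0x0C, 63, 40_000_000)])
WIPED_SIG_MBR = build_sample_mbr([make_entry(0x80, 0x0C, 63, 40_000_000)], signature=b"\0\0")
OVERLAP_MBR = build_sample_mbr([
    make_entry(0x80, 0x0C, 63, 40_000_000),
    make_entry(0x00, 0x0C, 20_000_000, 10_000_000),
])

if __name__ == "__main__":
    for name, image in (("good", GOOD_MBR), ("wiped-sig", WIPED_SIG_MBR), ("overlap", OVERLAP_MBR)):
        print(name, check_mbr(image) or "OK")
```

A structurally valid table is necessary but not sufficient: the check says nothing about whether the 446 bytes of boot code are the ones the OS installer wrote, which is why comparing them against a known-good copy, or rewriting them with `fdisk /mbr` as mjc suggests, is the stronger step.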

mjc
03-29-2002, 07:47 PM
Joea64,

A good thing to do would be to take all your website files, bookmarks and wallpapers, zip them up and temporarily transfer them to a folder on your website, that way you can scan them when you dl them back to your drive....besides making the local backup.

But I still think you may have a new variant.....


------------------
mjc
Links list:Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)

Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.

joea64
03-29-2002, 08:20 PM
Originally posted by mjc:
Joea64,

A good thing to do would be to take all your website files, bookmarks and wallpapers, zip them up and temporarily transfer them to a folder on your website, that way you can scan them when you dl them back to your drive....besides making the local backup.

But I still think you may have a new variant.....



Well, I could do that, but it's several hundred megabytes of data, and I'm not sure whether dialup access works in safe mode. If it does, then I'll consider it.

In the meantime, though, I'm getting increasingly confused. I found another CIH scanning/cleaning utility, CleanCIH from Proland Software. I ran this from floppy boot and it found two more virus files and cleaned them (reporting the virus as version 1.2 of CIH; Symantec's NAVC10 reported cleaning three instances of W95.CIH.1075, raising the ugly possibility that I might have been hit by _more_ than one variant of CIH). However, CleanCIH tells me, even after I scanned C: for a second time, that NONE of the files that Norton AV reported as having been messed with by CIH are infected. ???

-Joe-



------------------
Alternate email: joea64@yahoo.com

joea64
03-30-2002, 08:25 AM
Originally posted by mjc:
bwlautt,
And the way to fix the MBR is:

fdisk_/mbr (with a space instead of the underscore)



I have as of now backed up all the non-executable files that I could find that I wanted to keep (including my Pegasus Mail mailbox files; I'll need to figure out how to rebuild that when I get to it), and have downloaded a new Win98SE boot disk image from bootdisk.com and write-protected the floppy. Next step is to go to fdisk, then run fdisk /mbr, then format c:, then reinstall Win98 and then run NAV 2002 again.

-Joe-


------------------
Alternate email: joea64@yahoo.com

bassman
03-30-2002, 10:45 AM
Hey Joe,

Well, it sounds like I'm a little late on this but, I hope this backup process did not include putting any data from the 20G to the 3.2G.
It is painfully obvious that you have been hit by an extra special version here, it may also be a version that infects other types of files that your AV is not indicating. You have already found out that no one AV is finding all of it.

In my honest opinion, you are messing with another virus that you are unaware of. Norton Anything 2002. This program attaches itself to any file or program opened, reduces system performance, takes up unnecessary space, and will not play well with others.
When you realize it is giving you problems and go to remove it, it destroys your registry. BINGO, a malicious virus!!!

Take the Norton disk out back and see how far you can throw it (if you own a shotgun, have a little fun with it), then go to AVG (http://www.grisoft.com) and download their free antivirus.

I do not normally criticize software manufacturers, but this program is a wolf in sheep's clothing. I absolutely love Norton because it is easy money for me.

Good luck

------------------
A real Christian is one who can give his pet parrot to the town gossip.
Frank's Place (http://dreamwater.net/tech/frankscomp/)

joea64
03-30-2002, 11:12 AM
Originally posted by bassman:
Hey Joe,

Well, It sounds like I'm a little late on this but, I hope this backup process did not include putting any data from the 20G to the 3.2G.

- As it turned out, I did _not_ use the 3.2G at all. See my previous post; I moved every nonexecutable I could to the secondary HD (a 13GB), then uninstalled every program that was residing on the secondary HD, then took a clean boot disk and did fdisk /mbr, then formatted C: _twice_. After that, I reinstalled Win98, the device drivers and am getting started on installing the programs - but you may be certain that I am NOT installing Outlook this time. I never used Outlook, but it was one of the executables infected, and besides, it's a gaping security hole on ANY computer, IMO.

I reran kill_cih.exe just now, and the system memory is _clean_; I bet repairing the MBR is what did it. (That, or double-formatting C:.) I'm running a scan with NAV 2002 now (I started that before I saw your post; so far, so good, nothing infected...), but I'll try this AVG next; I hope it's small enough to put on a floppy because I haven't restored the Internet connection on my primary machine yet. I'll probably do it this afternoon; I'm going to take a break for lunch now, I've been working on this problem most of the morning. :P

-Joe-

-----

It is painfully obvious that you have been hit by an extra special version here, it may also be a version that infects other types of files that your AV is not indicating. You have already found out that no one AV is finding all of it.

In my honest opinion, you are messing with another virus that you are unaware of. Norton Anything 2002.

*giggle* One could deduce that you have issues with Symantec's offerings. :P

This program attaches itself to any file or program opened, reduces system performance, takes up unnecessary space, and will not play well with others.
When you realize it is giving you problems and go to remove it, it destroys your registry. BINGO, a malicious virus!!!

Take the Norton disk out back and see how far you can throw it (if you own a shotgun, have a little fun with it),

- I do, but it needs cleaning and probably new ammunition; it hasn't been out of the gun cabinet in years.

then go to AVG (http://www.grisoft.com) and download their free antivirus.

I do not normally criticize software manufacturers, but this program is a wolf in sheep's clothing. I absolutely love Norton because it is easy money for me.

Good luck




------------------
Alternate email: joea64@yahoo.com

bassman
03-30-2002, 11:38 AM
This is as good a reason as any to take a mid day run to Walmart, buy a box of shells and a good cleaning kit.
No weapon deserves to sit in a cabinet that long, especially when you have such a good use for it.

Once you have done an Fdisk of the MBR and the rest of the drive, you are pretty safe. I would recommend getting your internet connection set up and getting AVG. It won't fit on floppy.

As for my problem with Norton, They have made a decent, usable product for some time. Their latest batch of so-called "system tools" is a pack of c@*p.
I won't make this long with my whole opinion of this.
Good luck

------------------
A real Christian is one who can give his pet parrot to the town gossip.
Frank's Place (http://dreamwater.net/tech/frankscomp/)

joea64
03-30-2002, 03:32 PM
Originally posted by bassman:
This is as good a reason as any to take a mid day run to Walmart, buy a box of shells and a good cleaning kit.
No weapon deserves to sit in a cabinet that long, especially when you have such a good use for it.

- But a katana is so much more artistic! (if I had one, that is)

Once you have done an Fdisk of the MBR and the rest of the drive, you are pretty safe. I would recommend getting your internet connection set up and getting AVG. It won't fit on floppy.

- Will do. I'm now optimizing performance on the system (setting up a fixed-size swap file, enabling ConservativeSwapFileUsage so that the system will _use_ all that 512MB of physical RAM before going to the swap file, setting up a fixed-size file cache so that Windows doesn't try to grab all the RAM for cache, setting the role of the computer as "network server", defragmenting the C: drive, etc.) and I've also just set up the dialup connection. Next thing I have to do is to recover my Netscape bookmarks; fortunately, Netscape 6 was included as an extra on the CD-ROM containing my video drivers so I don't have to download that. I also need to get ahold of WinZip, Pegasus Mail, Free Agent and WS-FTP LE. Once I've done that, I should be all ready to get back on the net from my primary system.

As for my problem with Norton, They have made a decent, usable product for some time. Their latest batch of so-called "system tools" is a pack of c@*p.
I won't make this long with my whole opinion of this.
Good luck


- Well, I don't know; the only ones of Norton Utilities that I really use regularly are Speed Disk and System Doctor.

-Joe-


------------------
Alternate email: joea64@yahoo.com

joea64
03-30-2002, 05:11 PM
Well, I'm back in business on the primary machine. Still have to download some stuff, but my Internet dialup connection is active, and Netscape is running, so I'm ready to go. I still wish I knew where the heck that W95.CIH came from in the first place....

-Joe-


------------------
Alternate email: joea64@yahoo.com