
PE_CIH virus

Discussion in 'Virus & Other Malware Removal' started by cubbycuddly, Jan 20, 2003.

  1. cubbycuddly

    cubbycuddly Thread Starter

    Joined:
    Dec 1, 2001
    Messages:
    230
    Hi,

    My virus software found the PE_CIH. It cleaned most of the affected files except about six, which are in quarantine. The Trend Micro website says that to clean these files you need to start in DOS mode.

    I am not sure how to do that and once you are in DOS, do you just run the antivirus software and clean the files, like when you boot the computer in normal mode?


    cubbycuddly.
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Each antivirus program has its own special instructions for cleaning under those conditions -- when their program is installed. Usually special DOS bootable disks must already be created. I'm not really familiar with Trends, if it's the online scan there is nothing you can do with that.

    I'd recommend creating F-Prot's two-disk DOS-based scanner and using it to scan and clean the files; it's not an easy task, but once you have the floppies created, it's a good virus rescue program to have on hand.

    http://forums.techguy.org/showthread.php?postid=406115#post406115

    What are the six that are in Quarantine? You may not need them at all if Windows is running without problem, and you may be able to just delete them and restore them at your leisure if you really need them for anything.
     
  3. cubbycuddly

    cubbycuddly Thread Starter

    Joined:
    Dec 1, 2001
    Messages:
    230
    Hi,


    The files are:

    csss.exe

    extensionMgr.exe

    FS95.CAB (ZIP FILE)

    FS219.CAB ( ANOTHER ZIP FILE)

    Surethinhg cd labeler.exe


    Does this help?

    cubbycuddly
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    None of them are "Windows" files, and the first two are actually backdoor trojans.

    I'd just delete them all.
     
  5. cubbycuddly

    cubbycuddly Thread Starter

    Joined:
    Dec 1, 2001
    Messages:
    230
    Hi,

    I have deleted those files but then on doing a subsequent scan it revealed more files that have become infected. Those ones never showed up before despite doing a complete scan. These ones are

    WINDOWS\SYSTEM\STIMON.EXE

    WINDOWS\SYSTEM\DPLAYSVR\EXE.


    I'm anxious to get rid of this virus. I have read on the internet that this one can do lots of serious trouble if it's not eradicated.

    Does anyone have some more ideas I can do to see the back of this virus?

    Thanks.

    cubbycuddly
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Although stimon.exe is not a file required for the operation of Windows, it is needed for scanner usage. A new copy can be extracted from cab files using msconfig > extract one file.

    http://support.microsoft.com/servicedesks/fileversion/moreinfo.asp?Id=192133

    \DPLAYSVR is a Compaq Monitor driver. I'm not sure it is required or how to replace it. If it is quarantined, then you probably don't really need it if your monitor and video are working properly.

    Are these new files being identified as CIH infected as well?

    About all I can suggest is you try to create and run the F-Prot virus disks above. I'm afraid most people who get infected with CIH end up reformatting; hopefully you can escape that fate.
     
  7. cubbycuddly

    cubbycuddly Thread Starter

    Joined:
    Dec 1, 2001
    Messages:
    230
    Hi,

    I'm still working on the f-prot but I keep encountering problems. I often get a bad command message back or when the first disk works right and I need to insert the second one and then unfortunately I have problems getting that one to work.

    In the meanwhile I have used an alternative antivirus (Panda) which has disinfected files that pc cillin couldn't. The files it couldn't were because they are in compressed files/folders.

    These were

    C:\WINDOWS\EXPLORER.EXE

    c:\_RESTORE\TEMP\A0072012

    " " " " " " " 13 etc etc

    Would it be possible to uncompress these, so that Panda might then be able to clean them? Or is this creating more problems?

    Panda virus called it W95/CIH. Is this different from PE_CIH1003?

    cubbycuddly
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    C:\WINDOWS\EXPLORER.EXE should not be a compressed file. If it is infected you will need to restore it.

    http://support.microsoft.com/default.aspx?scid=KB;en-us;q265371

    The other file is in your WinME restore archive; it's all right to ignore it as long as you don't try a System Restore. Otherwise it's best just to disable System Restore, then reboot and re-enable it.

    http://service1.symantec.com/SUPPOR...5766df37140aed3b8825696500726d13?OpenDocument

    ps.. I'm running f-prot on my Win98 system right now; the three disk solution seems to work for me... no error messages so far..
     