PE_CIH virus

Hi,

My virus software found the PE_CIH, it cleaned most of the affected files accept about six which are in quaratine. trend micro website say that to clean these files you need to start in DOS mode.

I am not sure how to do that and once you are in DOS, do you just run the antivirus software and clean the files, like when you boot the computer in normal mode?


cubbycuddly.

 

Each antivirus program has its own special instructions for cleaning under those conditions -- when their program is installed. Usually special DOS bootable disks must already be created. I'm not really familiar with Trends, if it's the online scan there is nothing you can do with that.

I'd recommend creating F-prots two disk DOS based scanner and using it to scan and clean the files; it's not an easy task, but once you have the floppies created, it's a good virus rescue program to have on hand.

http://forums.techguy.org/showthread.php?postid=406115#post406115

What are the six that are in Quarantine? You may not need them at all if Windows is running without problem, and you may be able to just delete them and restore them at your leisure if you really need them for anything.

 

Hi,


the files are:

csss.exe

extensionMgr.exe

FS95.CAB (ZIP FILE)

FS219.CAB ( ANOTHER ZIP FILE)

Surethinhg cd labeler.exe


Does this help?

cubbycuddly

 

None of them are "Windows" files, and the first two are actually backdoor trojans.

I'd just delete them all.

 

Hi,

I have deleted those files but then on doing a subsequent scan it revealed more files that have become infected. Those ones never showed up before despite doing a complete scan. These ones are

WINDOWS\SYSTEM\STIMON.EXE

WINDOWS\SYSTEM\DPLAYSVR\EXE.


I'm anxious to get rid of this virus. I have read on the internet that this one can do lots of serious trouble if its not eradicated.

Does anyone have some more ideas I can do to see the back of this virus?

Thanks.

cubbycuddly

 

Although stimon.exe is not a file required for the operation of Windows, it is needed for scanner usuage. A new copy can be extracted from cab files using msconfig > extract one file.

http://support.microsoft.com/servicedesks/fileversion/moreinfo.asp?Id=192133

\DPLAYSVR is a Compaq Monitor driver. I'm not sure it is required or how to replace it. If it is quarantined, then you probably don't really need it if your monitor and video are working properly.

Are these new files being identified as CIH infected as well?

About all I can suggest is you try to create and run the F-Prot virus disks above. I'm afraid most people who get infected with CIH end up reformatting; hopefully you can escape that fate.

 

Hi,

I'm still working on the f-prot but I keep encountering problems. I often get a bad command message back or when the first disk works right and I need to insert the second one and then unfortunately I have problems getting that one to work.

In the meanwhile I have used an alternative antivirus (Panda) which has disinfected files that pc cillin couldn't. The files it couldn't were because they are in compressed files/folders.

these were

C:\WINDOWS\EXPLORER.EXE

c:\_RESTORE\TEMP\A0072012

" " " " " " " 13 etc etc

Would it be possible to uncompress these, that then Panda might be able to clean them? Or is this creating more problems?

Panda virus called it W95/CIH is this different from PE_CIH1003

cubbycuddly

 

C:\WINDOWS\EXPLORER.EXE should not be a compressed file. If it is infected you will need to restore it.

http://support.microsoft.com/default.aspx?scid=KB;en-us;q265371

The other file is in your WinME restore archive; it's allright to ignore it as long as you don't try a System Restore. Otherwise it's best just to disable System Restore, then reboot and re-enable it.

http://service1.symantec.com/SUPPOR...5766df37140aed3b8825696500726d13?OpenDocument

ps.. I'm running f-prot on my Win98 system right now; the three disk solution seems to work for me... no error messages so far..