
Thread: detecting hard disk

  1. #21
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Poppy~

    Can you get hold of a WIN98 boot disk? You need to boot into DOS.

    Then at the A:> prompt type in
    fix-cih /bootroot
    Please note the space before the /

    That is if it does not work normally with fix-cih.............that may give you a "fixed" message, but not have done it when you check.

    Please go very carefully.............you will have infected files on that drive.............need to fix that first

    If that doesn't work, I guess we have to try data recovery.................we can do that safely on the XP box, because CIH won't run on an NT based operating system..........

    Sorry for the "poor service"...........but that virus is 5 years old..............I have sort of forgotten

    Good luck

  2. #22
    It has shown me all figures of my drive accurately, and I am repairing through "fix-cih" utility.

  3. #23
    nihil, I am doing as you say. It has shown me all figures of my drive accurately, and I am repairing through the "fix-cih" utility now; it is "other boot sectors" this time.

  4. #24
    Senior Member nihil's Avatar
    Hi Poppy~

    It is Sunday here and I have to go out................other boot sectors huh?, yes that does sound familiar...............I will get back to you today, but later.

    Hey, I think that we are making some progress? but sorry, it must be a good three years since I had to do a CIH recovery, I have forgotten a lot



    Catch you later...

  5. #25
    Thanks nihil, I have retrieved all my data back. I am just scanning for viruses. Thanks for fix-cih and nihil again. Any online virus scanning?

  6. #26
    Senior Member nihil's Avatar
    Hi Poppy~

    Thank you for the update..............run Trend Micro "Housecall" it is a very good up to the minute online AV scanner.

    Once again, please accept my apologies for the amount of time this took..............I have not seen that virus for a long time

    Also, I think that you must be in a very different time zone from me

    Take care

    Johnno

  7. #27
    nihil I am scanning online from http://www.ravantivirus.com/scan this time, here is a log while it is scanning.

    Scan started at 5/24/2004 3:31:54 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    H:\quantum2\mscs\semester 6\java DOT\MSCS-263realproject.rar->real project\server\folder.htt->(SCRIPT0000) - VBS/ActiveXExploit* -> Infected
    H:\quantum2\mscs\semester 6\java DOT\MSCS-263realproject.rar->real project\server\folder.htt->(SCRIPT0001) - VBS/Redolf* -> Infected
    H:\quantum3\project 266-263.rar->project 266-263\folder.htt->(SCRIPT0000) - VBS/ActiveXExploit* -> Infected
    H:\quantum3\project 266-263.rar->project 266-263\folder.htt->(SCRIPT0001) - VBS/Redolf* -> Infected
    H:\quantum3\softwares\keylogger.zip->KeyLogger.exe->(ZipSfx)->UPIN Key Logger/keylog.exe - Win32/Nihilit.L@mm -> Infected
    H:\quantum3\softwares\password recovery utility cain25b45.exe - Backdoor:Win32/Cain.2_5 -> Infected
    H:\quantum3\softwares\Msn hacking\TELNET.exe - SpyTool:Win32/MSN_X3 -> Infected
    H:\quantum3\softwares\nmap\name.rar->name.txt->nmap.exe - Win95/CIH.1003 -> Infected
    H:\quantum3\softwares\nmap\name.txt->nmap.exe - Win95/CIH.1003 -> Infected
    H:\quantum3\softwares\nt crash\NTCRASH\ntcrash.rar->NTCRASH.EXE - Win95/CIH.1003 -> Infected
    H:\quantum3\softwares\nt crash\NTCRASH\web.rar->nt.txt->NTCRASH.EXE - Win95/CIH.1003 -> Infected

    This is data of the affected drive, I will scan my whole system so.

  8. #28
    Senior Member nihil's Avatar
    Hi Poppy~

    1. Are you running this on your WinXP computer, or on the original PC?
    2. Autoclean: Automatic clean the infected/suspicious files.
    Inside archives: Scan for malwares inside archives.
    Unpack executables: Unpack executables during the scanning process.

    Please select the above options and let the scan do the WHOLE PC

    3. Has anyone other than yourself had access to the infected machine? Because it looks as if you might have been "owned"

    You have a password cracker (Cain), a back door (allowing remote access), a spytool and a keylogger (Nihilit)...........hey they have named a nasty after me! fame at last!

    Unless these are part of your studies?

    You have some executables infected with the CIH virus

    I am starting to remember my CIH virus. Please DO NOT use this machine/drive on May 26th. The CIH virus has a payload trigger date of the 26th of the month. I believe that the first one only did it on the 26th April, but it looks like you have a later variant, which will trigger every 26th of the month. We need to be sure that you are "clean" before that date, or wait until afterwards to be perfectly certain.

    Cheers
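
An added example, not part of the thread and not the scanner's own tooling: a small Python parser for the scan log format posted in #27, which re-joins the wrapped lines and lists the outermost file behind each detection so the CIH-infected items can be picked out for cleaning. The function names are hypothetical; the sample lines are copied from that post, wrapped as they appear there.

```python
import re
from collections import defaultdict

# Lines copied from the scan log in post #27, wrapped as they appear there.
SAMPLE_LOG = r"""
Scanning files...
H:\quantum3\project 266-263.rar->project 266-263\folder.htt->(SCRIPT0001) - VBS/Redolf*

-> Infected
H:\quantum3\softwares\keylogger.zip->KeyLogger.exe->(ZipSfx)->UPIN Key

Logger/keylog.exe - Win32/Nihilit.L@mm -> Infected
H:\quantum3\softwares\nmap\name.rar->name.txt->nmap.exe - Win95/CIH.1003 -> Infected
H:\quantum3\softwares\nmap\name.txt->nmap.exe - Win95/CIH.1003 -> Infected
"""

RECORD_START = re.compile(r"^[A-Za-z]:\\")      # a record begins with a drive path
VERDICT = re.compile(r"\s*->\s*Infected$")      # and ends with the verdict

def parse_records(text):
    """Re-join wrapped lines, then split each record into (chain, detection)."""
    records, buf = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if RECORD_START.match(line):
            buf = line
        elif buf is not None:
            buf += " " + line                   # continuation of a wrapped record
        else:
            continue                            # banner lines such as "Scanning files..."
        if VERDICT.search(buf):
            body = VERDICT.sub("", buf)
            if " - " in body:                   # skip anything not shaped like a detection
                target, detection = body.rsplit(" - ", 1)
                records.append((target.split("->"), detection))
            buf = None
    return records

def outer_files_by_detection(records):
    """Map detection name -> sorted outermost files (archives included)."""
    grouped = defaultdict(set)
    for chain, detection in records:
        grouped[detection].add(chain[0])
    return {d: sorted(f) for d, f in grouped.items()}

if __name__ == "__main__":
    for name, files in outer_files_by_detection(parse_records(SAMPLE_LOG)).items():
        print(name, files)
```
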

  9. #29
    Yes nihil, I am running on my original machine. In fact I have two hard drives; after retrieving data from the affected drive, I copy all data into the other (not affected) drive's h: drive, and then scan only this drive.

    "hey they have named a nasty after me! fame at last"
    What do you mean?
    And last one, how can I completely whitewash this CIH virus from my system?

  10. #30
    Senior Member nihil's Avatar
    Hi Poppy~

    I am back!............I live in England, and think that I am some 5-6 hours behind you? you must live somewhere to the East?

    http://housecall.trendmicro.com/

    Please run the first option over both drives (it should do that anyway) let it scan everything and let it automatically repair anything.

    What do I mean by:

    "hey they have named a nasty after me! fame at last"
    That is my rather poor English sense of humour. The name of the bad guy was NIHILit?.......I had never even heard of it up until now...........do not worry, it has no influence on cleaning your machine

    Please remember that this virus will deliver its payload on the 26th. We MUST be certain we have killed it, or don't use the machine on that date.

    It infects executable files each time you boot up and open them, but it only runs the payload either once per month or once per year (April 26).


    Good luck, and please keep me informed
