Discussion in 'Bits & Bytes' started by mrRT, Nov 22, 2002.

  1. mrRT

    mrRT Tech Mod

    OK folks, I need some help here. I have a client that has a virus on her machine. It looks like it is W95.CIH. How do I get rid of this thing? No matter what she does it seems to keep re-propagating itself. I had her run NAV and it just disinfects the file, but as soon as she restarts the machine it's back again. Now for the difficult part... she is 2000 miles away and the instructions I give her are all over the phone. Her computer skill set is not that great, but she is a good friend and I really need to help her out.
    Any advice on how to walk her through it would be appreciated.
  2. tke711

    tke711 Oink Oink Staff Member

  3. mrRT

    mrRT Tech Mod

    Thanks... She does have internet access. I have used Trend before but forgot/maybe didn't know that they had that online tool.

    This virus is really a PITA...it just won't go away.

    Will let ya's know how I make out.

    thanks again

    Just read the Symantec warning about this thing:

    If you attempt to scan with any antivirus product without first running this tool, you run the risk of causing the infection to spread.

    I think that's what she is doing wrong... scanning without killing it first, and then it re-propagates itself.

  4. Sunriser13

    Sunriser13 Knee Deep in Paradise

    Also, depending on the OS she's using, the infection could, I believe, be contained within restore files or system backups. In XP, for example, all restore points would have to be deleted...

    Any unlocked floppy, any files copied to CD, any networked computers (if she has a network), and any temp files would also be suspect. This can be an ugly one to eradicate, but it can be done.
  5. -Ken

    -Ken Guest

    While I don't know everything, here are the steps I would take.

    1) Regedit - and off you go through by clicking on plus signs down
    this path...

    Look for the Run folder and open it.

    At this point Google can be your friend. Most of what you see here
    are MS Task Scheduler and other things which "autoload" most of
    which display in the system tray. Most software modems, virus
    software and other assorted things will have statements there.

    This is the location where some of these things launch from.
    Most of what you see there is ok but some of the nastier ones
    can launch from there.

    After you feel comfortable you've taken care of everything there,
    check the runonce folder and all other "run" folders in that specific

    Ok, close regedit.

    Next we go Start - Run - MSConfig
    Check what is under the startup tab for nasties launching there
    and also check the Win.ini Tab under the very top folder click
    the plus (+) sign to expose the load= and Run= and see what's

    Still going strong? Cool. Close MSconfig (after applying) and the
    system will reboot. As a sidenote, I have probably spent a year
    of my life cumulatively watching Windows reboot.

    When Windows reboots, it will have a little box to confuse your
    friend which says something like "Windows is now using Selective
    Startup" or some such nonsense. Have your friend check the box to
    never have the box appear again and then OK on the box and
    all will be well with that error.

    Next, we need to check the startup folder. This can be done by
    going to Start - Settings - Taskbar and Start Menu - Advanced -
    Advanced, Click the Plus sign and then click the plus next to the
    Startup folder to see what's there. While you're there, feel free to
    remove any garbage you find.

    With luck, this should kill it.

    I'm sorry, this is not everything you need to know but it will
    address most of the problems.

    At this point, a limit must be drawn as to how much anyone can
    do over the telephone. There comes a time when it's easier, cheaper
    and faster to box it, ship it, save the important data files and FDISK
    the hard drive. Better yet, upgrade the hard drive and reload Windows
    and the rest of her programs from scratch.

    That is a line you have to determine.

    Hope this helps.
  6. mrRT

    mrRT Tech Mod

    Sunriser you are sooooo right on that call. This has to be one of the nastier virii I have seen. I did get the thing killed.. Used a kil_chi program from Symantec that found it. So I had her rerun the NAV and it came back clean... SO she says that thing screwed up my Illustrator and I need to reload it. So I tell her to re-boot (yep again) and when the machine reboots it hangs.. turns out it must have also corrupted the win.ini file (thanks KEN). I got it to boot in safe mode and edited the ini... I found 3 different lines of code (at the end of sections) that looked like a long string of ASCII characters. Deleted the strings and reboot (AGAIN>>UGGGGGGG) and the machine came right up. So she loads Illustrator and the machine barfs... found CIH again.....
    Apparently she burned a copy of Illustrator the other day that had been infected with CIH...

    soooooooo we cleaned the machine again...

    now it is running and the Illustrator CD is a Coffee Coaster....

    that was one nasty mother....thank god it is dead
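A small audit script, added here and not part of the thread, that applies Ken's MSConfig Win.ini check and mrRT's finding about opaque strings at the ends of sections: it lists the load= and run= autostart entries from [windows] and flags lines that do not look like key=value settings. The win.ini text below is constructed; on a real machine you would read C:\WINDOWS\WIN.INI into it instead.

```python
import re

# Constructed win.ini excerpt: one legitimate load= line, one run= entry
# worth questioning, and an opaque string appended to the end of the
# [windows] section, the pattern mrRT deleted in safe mode.
WIN_INI_SAMPLE = """[windows]
load=C:\\PROGRA~1\\MODEM\\MDMTRAY.EXE
run=C:\\WINDOWS\\TEMP\\UNKNOWN.EXE
NullPort=None
@#$%^&*()_+ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567
[Desktop]
Wallpaper=(None)
"""

def parse_sections(text):
    """Map each [section] name (lowercased) to its non-blank, non-comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def autostart_entries(text):
    """(key, program) pairs for load= and run= in [windows]; empty values are normal."""
    entries = []
    for line in parse_sections(text).get("windows", []):
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("load", "run") and value.strip():
            entries.append((key.strip().lower(), value.strip()))
    return entries

def looks_like_junk(line, min_len=40):
    """True for a long line with no '=' or a key made of non-ini characters."""
    key, sep, _ = line.partition("=")
    if not sep:
        return len(line) >= min_len
    return re.fullmatch(r"[\w .\-]+", key.strip()) is None

def junk_lines(text):
    """(section, line) for every line that fails the key=value shape test."""
    return [(section, line) for section, lines in parse_sections(text).items()
            for line in lines if looks_like_junk(line)]
```

Anything reported by autostart_entries is what MSConfig's Win.ini tab shows under load= and run=; anything from junk_lines is a candidate for the kind of manual safe-mode cleanup described above, to be confirmed against a known-good copy before deleting.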

