--
David Walter
davidw...@hotmail.com
~~~~~
There are three types of people:
1. Those who can count.
2. Those who can't.
Using a clean PC, ie not the one that's infected, go to
http://www.complex.is and download F-Prot for DOS,
then download the latest definitions files fp-def.zip & macrdef2.zip.
Unzip all the files starting with
f-prot to the same folder, preferably c:\f-prot\, then fp-def.zip &
finally macrdef2.zip.
Create a boot disk, unless you still have the one that came with your
PC? On a second floppy, copy
f-prot.exe, english.tx0, sign.def, sign2.def and nomacro.def. Rename
nomacro.def to macro.def, then
write protect both floppies.
Boot from the boot floppy and then pop in the second floppy, at the dos
prompt type "f-prot /hard /disinf"
w/o the quotes.
If you want you can go to http://members.xoom.com/avdisk/ to automate
the creation & update for F-Prot &
AVP boot disks. This will also lead you to http://www.pkzip.com for
one additional download.
HTH
Ian
> Do any viruses survive after c: has been formatted?
yes, all bootsector viruses survive a format...
> Does the CIH virus?
the virus itself does not, no, however formatting will not correct the
damage done by a cih payload, and if the payload hasn't activated yet
formatting is overkill...
actually, formatting to remove any virus is overkill, and sometimes it
will remove everything except the virus...
> Could somebody please provide me with information on the CIH virus? I'm
> afraid I've got it...
if you think you have a virus then scan your computer with a good up to
date anti-virus product like f-prot (http://www.complex.is) or avp
(http://www.avp.ru)...
if you think you have a virus which your anti-virus can't detect then try
a different anti-virus or try sending a file you suspect to be infected
to the anti-virus developer...
if you do have cih, an up to date scanner will definitely find it and
should be able to remove it so long as none of the infected programs are
in use by windows... if you boot into dos (a dos box is not
sufficient) and use a dos scanner (f-prot for dos will work for this) then
no programs will be in use by windows (as windows won't be active) and
you should be able to remove the virus from all the infected programs...
--
"i raise my hand, i got another question
if i start a riot, will i get protection
'cause i'm a kid who's got a lot of problems
if i throw a brick maybe the brick will go and solve them"
A format will create a new boot sector with a new (2) copies of FAT
kurt wismer <g9k...@cdf.toronto.edu> wrote in message
news:Pine.SOL.4.21.000820...@eddie.cdf...
> Are you sure about that
>
> A format will create a new boot sector with a new (2) copies of FAT
But the virus will most likely (when active) reinfect the bootsector as soon as
the next disk access occurs.
You'd need to boot from floppy in order to get rid of it (and this will only
count for DBS, not MBR viruses!) and then the step to using an AV program isn't
very far away anymore...
btw.: Please put the quote above your text...
> kurt wismer <g9k...@cdf.toronto.edu> wrote in message
> news:Pine.SOL.4.21.000820...@eddie.cdf...
> > On Fri, 18 Aug 2000, David Walter wrote:
> >
> > > Do any viruses survive after c: has been formatted?
> >
> > yes, all bootsector viruses survive a format...
[snip]
--
Regards, Deniz Oezmen
eMail: <Quantensprung [at] GMX [dot] net>
> kurt wismer <g9k...@cdf.toronto.edu> wrote in message
> > On Fri, 18 Aug 2000, David Walter wrote:
> >
> > > Do any viruses survive after c: has been formatted?
> >
> > yes, all bootsector viruses survive a format...
> Are you sure about that
>
> A format will create a new boot sector with a new (2) copies of FAT
format *can* write a new bootsector, but it doesn't necessarily do so, it
depends on the condition of the existing bootsector (if none exists it'll
make a new one) and the command line arguments passed to format (i think
you may need the /u switch to force a dbs rewrite)...
aside from that, most bootsector infectors actually go after the mbr on
hard disks, and there's no way to make format touch the mbr at all...
And what if the computer in question is using a drive overlay like
Ontrack's Disk Manager or is infected with Monkey which encrypts the
partition table or with OneHalf that encrypts cylinders on the HDD?
How exactly do you plan to A) regain access to the hard drive you've just
rendered inaccessible and B) recover the data you've just lost access
to?
FDISK is not an anti-virus or data recovery tool and shouldn't be used
as one unless you know exactly what you're dealing with and the
potential problems that can arise from using it improperly.
I would suggest taking a look at
<http://www.datasecurity.co.uk/av.htm> for information on when and how
to use FDISK to remove a boot sector virus.
--
Cheers-
Jeff Setaro
jase...@sprynet.com
http://home.sprynet.com/~jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99
kurt wismer <g9k...@cdf.toronto.edu> wrote in message
news:Pine.SOL.4.21.000825...@eddie.cdf...
> On Thu, 24 Aug 2000, Alan wrote:
> > kurt wismer <g9k...@cdf.toronto.edu> wrote in message
> > > On Fri, 18 Aug 2000, David Walter wrote:
> > > > Do any viruses survive after c: has been formatted?
> > > yes, all bootsector viruses survive a format...
> > Are you sure about that
> > A format will create a new boot sector with a new (2) copies of FAT
> format *can* write a new bootsector, but it doesn't necessarily do so, it
> depends on the condition of the existing bootsector (if none exists it'll
> make a new one) and the command line arguments passed to format (i think
> you may need the /u switch to force a dbs rewrite)...
You'll need the /S switch to refresh the boot sector. /U is for an
unconditional format, it will overwrite all sectors in the data area.
Zvi
--------------------------------------------------------------------
NetZ Computing Ltd. ISRAEL Tel. +972 3 9386868 Fax +972 3 9386869
InVircible AntiVirus Software, ResQ Disk and Data Recovery Utilities
Homepage: http://www.invircible.com E-mail: Sup...@invircible.com
--------------------------------------------------------------------
> In article <LVFp5.126894$A%3.16...@news1.rdc2.pa.home.com>,
> dkcroni...@1st.net says...
> > You could always use fdisk mbr to erase the boot record.
> And what if the computer in question is using a drive overlay like
> Ontrack's Disk Manager or is infected with Monkey which encrypts the
> partition table or with OneHalf that encrypts cylinders on the HDD?
It's time that you know that FDISK /MBR is perfectly alright with Disk
Manager (DM uses a standard loader program, the data required to start
the overlay is IN THE PARTITION TABLE -- virtual boot sector at 0/0/2,
partition type 84). You can stop scaring people with this false info.
> How exactly do you plan to A) regain access to the hard drive you've just
> rendered inaccessible and B) recover the data you've just lost access
> to?
Regaining access after Monkey and FDISK /MBR is straightforward: Run
XMONKEY from http://invircible.com/Netzutil.html XMONKEY will also
remove Monkey from all installed drives, or you could use my boot
virus remover, available from the same URL. ;-)
> FDISK is not an anti-virus or data recovery tool and shouldn't be used
> as one unless you know exactly what you're dealing with and the
> potential problems that can arise from using it improperly.
FDISK is a far better boot virus remover than most of the advice given
in this newsgroup.
Regards, Zvi
> On Thu, 24 Aug 2000, Alan wrote:
>
> > kurt wismer <g9k...@cdf.toronto.edu> wrote in message
> > > On Fri, 18 Aug 2000, David Walter wrote:
> > >
> > > > Do any viruses survive after c: has been formatted?
> > >
> > > yes, all bootsector viruses survive a format...
>
> > Are you sure about that
> >
> > A format will create a new boot sector with a new (2) copies of FAT
>
> format *can* write a new bootsector, but it doesn't necessarily do so, it
> depends on the condition of the existing bootsector (if none exists it'll
> make a new one) and the command line arguments passed to format (i think
> you may need the /u switch to force a dbs rewrite)...
>
> aside from that, most bootsector infectors actually go after the mbr on
> hard disks, and there's no way to make format touch the mbr at all...
Would this be one of those few instances that you would actually recommend a
fdisk/mbr...in conjunction with the format?
~~Bart~~
> You could always use fdisk mbr to erase the boot record.
yes you could, but only with the caveats that a) you may lose access to
all your data, depending on the state of the mbr, b) you may lose any
security or multi-boot software that was installed in your mbr, and c) you
may lose that ability to use large hard disks if you had ezdrive or
similar software installed in your mbr...
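The caveats above, as an added example that is not part of the thread: a Python model of the 512-byte MBR showing what an FDISK /MBR-style rewrite touches (the loader code) and what it keeps (the partition table and signature), plus a sanity check on the table that fails when an infector has left it encrypted in place. The loader bytes, the partition entry and the XOR "encryption" are constructed stand-ins, not the real Monkey scheme.

```python
import struct

MBR_SIZE, CODE_END, TABLE_END = 512, 446, 510  # loader code | 4 x 16-byte table | 0x55AA

def parse_partition_table(mbr: bytes):
    """Return the four entries as (boot_flag, type, start_lba, sector_count)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    # entry layout: boot flag, 3 CHS bytes, type, 3 CHS bytes, LBA start, LBA size
    return [struct.unpack_from("<B3xB3xII", mbr, off)
            for off in range(CODE_END, TABLE_END, 16)]

def table_looks_sane(mbr: bytes) -> bool:
    """Pre-check before any MBR code rewrite: signature present, boot flags
    valid, every used entry has a nonzero start and size. A table an infector
    keeps encrypted in place fails this; that is the case where replacing the
    viral loader (which did the decrypting) loses access to the data."""
    if mbr[TABLE_END:] != b"\x55\xaa":
        return False
    used = [e for e in parse_partition_table(mbr) if e[1] != 0]
    return bool(used) and all(boot in (0x00, 0x80) and start > 0 and size > 0
                              for boot, _, start, size in used)

def rewrite_boot_code(mbr: bytes, new_code: bytes) -> bytes:
    """Model of FDISK /MBR: replace the loader code, keep table and signature."""
    return new_code[:CODE_END].ljust(CODE_END, b"\x00") + mbr[CODE_END:]

def build_mbr(code: bytes, entries) -> bytes:
    """Constructed sample MBR from loader bytes and up to four table entries."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return (code[:CODE_END].ljust(CODE_END, b"\x00")
            + table.ljust(TABLE_END - CODE_END, b"\x00") + b"\x55\xaa")

def xor_table(mbr: bytes, key: int) -> bytes:
    """Constructed stand-in for an infector that stores the table encrypted and
    decrypts it in its own loader (the Monkey case in the thread). This XOR is
    not the real virus's scheme; being symmetric, the same call decrypts."""
    table = bytes(b ^ key for b in mbr[CODE_END:TABLE_END])
    return mbr[:CODE_END] + table + mbr[TABLE_END:]

# Constructed sample: one bootable FAT16 partition (type 0x06) at LBA 63.
CLEAN_MBR = build_mbr(b"STOCK LOADER", [(0x80, 0x06, 63, 2_000_000)])
INFECTED_MBR = xor_table(CLEAN_MBR, 0x5A)  # as if a viral loader were present

if __name__ == "__main__":
    print("clean table sane:", table_looks_sane(CLEAN_MBR))        # True
    print("infected table sane:", table_looks_sane(INFECTED_MBR))  # False
    # FDISK /MBR-style rewrite: loader gone, table still unreadable.
    print("after rewrite:", table_looks_sane(rewrite_boot_code(INFECTED_MBR, b"STOCK LOADER")))  # False
```

Running the check against a raw first-sector image before any rewrite is the point; a table that fails it needs the loader's own decryption (or a dedicated remover such as the one mentioned later in the thread), not a fresh loader.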
> kurt wismer <g9k...@cdf.toronto.edu> wrote:
[snip]
> > make a new one) and the command line arguments passed to format (i think
> > you may need the /u switch to force a dbs rewrite)...
>
> You'll need the /S switch to refresh the boot sector. /U is for an
> unconditional format, it will overwrite all sectors in the data area.
i stand corrected, then... thank you...
> kurt wismer wrote:
>
> > On Thu, 24 Aug 2000, Alan wrote:
> >
> > > kurt wismer <g9k...@cdf.toronto.edu> wrote in message
> > > > On Fri, 18 Aug 2000, David Walter wrote:
> > > >
> > > > > Do any viruses survive after c: has been formatted?
> > > >
> > > > yes, all bootsector viruses survive a format...
> >
> > > Are you sure about that
> > >
> > > A format will create a new boot sector with a new (2) copies of FAT
> >
> > format *can* write a new bootsector, but it doesn't necessarily do so, it
> > depends on the condition of the existing bootsector (if none exists it'll
> > make a new one) and the command line arguments passed to format (i think
> > you may need the /u switch to force a dbs rewrite)...
> >
> > aside from that, most bootsector infectors actually go after the mbr on
> > hard disks, and there's no way to make format touch the mbr at all...
>
> Would this be one of those few instances that you would actually recommend a
> fdisk/mbr...in conjunction with the format?
??? no specific circumstances have been identified, so my answer would
have to be no...
i tend to stay away from recommending fdisk /mbr under any circumstances,
though i may occasionally mention rebuilding from scratch (which
includes fdisk /mbr) if there's no irreplaceable data on the drive and
critical data structures on the drive are sufficiently hosed to make
rebuilding from scratch more expedient than finding and implementing
necessary data recovery solutions...
I sometimes wonder if it wouldn't be better to keep your mouth shut, and
let the user learn this for themselves, the hard way.... Seems to me,
when people learn this by losing all of their data first, they are less
likely to recommend it to others...
My 2 cents anyhow...