grc | cih virus recovery
cih virus
free data recovery!
the day after . . .
on april 26th, many pc hard drives were damaged by the cih virus.
in the news
cih virus finds a few victims -- cih impact was minimal; but don't say that to boston college students who lost term papers.
chernobyl virus wreaks havoc in parts of asia
the cih virus attempts to erase the writable flash bios of infected pc's, and also overwrites the first 2,048 sectors (1,048,576 bytes) of all of the system's available non-removable writable disk drives! while this behavior places the cih virus among the nastiest of all viruses, the damage is more recoverable than at first appears:
flash bios recovery: we have been told by knowledgeable experts that most pc motherboards do not provide any means for recovering from the loss of their flash bios eerom. (those that do are not vulnerable to cih's erasure in the first place.) you should contact your pc motherboard manufacturer to determine whether your system can have its eerom repaired. (many thanks to nick fitzgerald for sharing his accurate information.)
(please note that gibson research corporation has no special expertise in flash bios recovery, so we cannot help you there. if your system's flash bios was erased, you must either move your hard drive to a system with a working motherboard or repair your bios before proceeding to consider the recovery of your system's hard drive.)
hard drive recovery:
the cih virus erases the first 2,048 sectors (1 megabyte) of each of the system's non-removable and writable disk drives. while this is certainly troublesome, the damage is very often 100% reversible and recoverable! (this is especially true if the drive contained multiple partitions, since only the first partition was truly damaged. see below.)
(note that our standard spinrite product was never designed to recover from deliberate and malicious damage done to drives by virus activity. spinrite does not recover from the damage done by the cih virus. steve has researched the problem and now offers a completely free solution for everyone.)
how is it possible to recover the loss of the first 1 million bytes of a hard disk drive? the "front" of a dos/windows hard disk drive contains the following crucial information:
"microsoft" dos/windows drive layout
the partition table -- also known as the "master boot record" or mbr. this single sector describes the major subdivisions (partitions) of the drive. in typical, simple systems it specifies a single large partition that encompasses the entire drive.
the first partition's boot sector(s) -- also known as the "boot sector". one or six sectors which specify the layout of the balance of the partition, including the exact location of the following items:
the file allocation table(s) -- also known as the "fat". a permanent, contiguous block of sectors used by the operating system to manage the sub-allocation of space within the partition. this information is so critical and non-recoverable that two complete, identical fat tables are maintained.
the root directory -- also known as the "root". a block (or chain) of sectors which contains the information used to manage the root directory files and sub-directories.
recovering from the loss of the first megabyte: of all the data outlined above, only the fat and root directory contain vital information which cannot be "reverse engineered" from the existing system. since the fdisk and format programs created the partition table and boot sectors respectively out of nothing, it stands to reason that they could be similarly re-created from nothing.
the restoration of the drive's partition table (which is the first thing steve's new freeware program does) will immediately restore the drive's partitions to existence. although the cih virus does extensive damage to the first partition, subsequent partitions are left completely intact!
recovering the drive's first partition:
after the drive's partition table has been restored and any partitions beyond the first have been brought back into existence, we are still left with the extensive damage done to the first partition.
with the advent of 32-bit file allocation tables (fat32) the fat tables became quite large ... and this is the second part of the secret behind completely recovering from the loss of the first megabyte of the hard drive.
for example, a one gigabyte drive (or partition) formatted with a 32-bit fat will consist of approximately 262,144 clusters of 4,096 (4k) bytes each. since each fat table entry requires 32-bits, or four bytes, a single copy of the fat for a one gigabyte drive will require exactly one megabyte of sectors!
so, since just the first copy of a 32-bit fat for a one gigabyte drive requires one megabyte of storage, and since the cih virus only erases the first one megabyte of the drive, the large size of this first fat table pushes the entire second copy of the fat and the root directory fully out of harm's way!
this means that by first reconstructing the partition table and the boot sectors and then copying the second (preserved) copy of the fat down into the space where the first copy belongs ... the first partition of the drive (if it's at least one gigabyte and fat32 format) can be completely reconstructed and recovered!
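The geometry argument above, and the FAT16 caveat that follows it, can be checked numerically. This is an added example, not code from fix-cih or GRC: the partition start at sector 63, the reserved-sector counts, the 32-sector FAT16 root directory and the 32K FAT16 cluster size are assumed typical values, and the cluster count is simplified to partition size divided by cluster size, as the page does.

```python
SECTOR = 512
WIPED = 2048  # CIH overwrites sectors 0..2047 of each fixed disk (from the page)

def fat_layout(part_bytes, cluster_bytes, entry_bytes, part_start=63,
               reserved=32, root_sectors=0, fats=2):
    """Return {region: (first_lba, last_lba)} for the first partition.

    part_start, reserved and root_sectors are assumed typical values,
    not figures taken from the page.
    """
    clusters = part_bytes // cluster_bytes
    fat_sectors = -(-(clusters * entry_bytes) // SECTOR)  # ceiling division
    layout, lba = {}, part_start
    layout["boot/reserved"] = (lba, lba + reserved - 1)
    lba += reserved
    for n in range(1, fats + 1):
        layout[f"fat{n}"] = (lba, lba + fat_sectors - 1)
        lba += fat_sectors
    if root_sectors:  # FAT16: fixed-size root directory right after the FATs
        layout["root"] = (lba, lba + root_sectors - 1)
        lba += root_sectors
    layout["data"] = (lba, part_start + part_bytes // SECTOR - 1)
    return layout

def damage(layout):
    """Classify each region as 'wiped', 'partial' or 'intact'."""
    report = {}
    for name, (first, last) in layout.items():
        if last < WIPED:
            report[name] = "wiped"
        elif first >= WIPED:
            report[name] = "intact"
        else:
            report[name] = "partial"
    return report

def recoverable(report):
    """Rebuildable if one whole FAT copy and the root directory survive.

    On FAT32 the root directory lives at the start of the data area.
    """
    fat_ok = any(v == "intact" for k, v in report.items() if k.startswith("fat"))
    return fat_ok and report.get("root", report["data"]) == "intact"

GIB = 1 << 30
fat32 = damage(fat_layout(GIB, 4096, 4))                                # 1 GB FAT32
fat16 = damage(fat_layout(GIB, 32768, 2, reserved=1, root_sectors=32))  # 1 GB FAT16
```

Under these assumptions a 512 MB FAT32 partition comes out unrecoverable, because its second FAT copy starts inside the wiped region.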
what about drives with more than one partition?
as we said above, for drives with more than one partition of any format, the partitions beyond the first can always be completely recovered by the reconstruction of the drive's partition table. (which is one of the things that steve's new freeware program does.)
so, even if your c: partition was fat16 format (and thus not completely recoverable from a cih attack) your d:, e:, and other partitions can be completely recovered automatically!
did someone say 'free data recovery?' . . .
yes!! steve has written a freeware program, fix-cih, to completely recover from cih attack!
since this pesky cih virus has just damaged hundreds of thousands of hard disk drives, steve gibson created a new freeware program to recover from this problem . . . even after the virus has wiped out a drive! this program quickly recovers fat32 formatted drives from the damage done by the cih virus. (note: unfortunately, it will not be able to help non-fat32 formatted drives.)
so, if your system has just been zapped by the cih virus, if you have your flash bios working again (or if it wasn't zapped) but after booting dos from the a: (diskette) drive your hard drive is gone, unrecognized, or missing ... the program steve has written will repair your drive and recover all of your data!
the fix-cih research and development diary page has information about the development of the program.
the fix-cih download and version history page contains a link to download the fix-cih program and information about its various versions.
last edit: jun 25, 2004 at 21:05
gibson research corporation is owned and operated by steve gibson. the contents of this page are copyright (c) 2007 gibson research corporation. spinrite, shieldsup, nanoprobe, and any other indicated trademarks are registered trademarks of gibson research corporation, laguna hills, ca, usa. grc's web and customer privacy policy.