will detect all infected files and prompt about disinfection. Let it do
that - the latest build disinfects the CIH virus with no virus traces
left in files.
If infected files are running at the same time AVP32 scans them, AVP32
will fail to disinfect them because Windows95 does not allow such files
to be opened for writing. In such cases AVP32 will create FILENAME.EXT.AVP
temporary copies and disinfect them. The list of these files is saved in
a special reference file that will be used by AVP32 on the next reboot.
When the scanning process is complete, AVP32 looks for files that were
not disinfected because of read-only mode. If there are such files,
AVP32 modifies the C:\AUTOEXEC.BAT file with a call for AVP32 DOS
helper. AVP32 then prompts about rebooting your system - do it. On
rebooting the modified AUTOEXEC.BAT executes the AVP32 DOS helper that
will restore all infected files with their disinfected images (long
names are preserved).
If you are using build 120 of AVP...:
Download AVP 3.0 for Windows95/98 (avp32120.zip) AND AVP 3.0 for DOS
(avpd120.zip). Have a DOS based Unzipping utility ready (e.g.
PKUNZIP 2.04g from PKware).
Reboot your PC - during the startup process, press "F8" and select
the Command-line prompt option to avoid loading win95/98.
At the command prompt, unzip the archive avpd120.zip into a
temporary directory and run the Installer from there, which will
copy all the necessary files to e.g. c:\avp30
Change to that directory and run either AVP.EXE or AVPLITE.EXE
e.g. avplite.exe c:. If your PC is infected you should see a lot of
the Windows Executable files marked as infected.
If you have run AVP 3.0 for Windows95/NT already and got numerous
infection messages, then you should directly go to the disinfection
instructions.
How can I disinfect my PC from Win95.CIH when using build 120?
If you already use build 122 of AVP 3.0 for Windows95/98/NT see the section
above on how it works now.
If you run AVP 3.0 for Windows95/NT build 120 and use it to disinfect
Win95.CIH, it might not be able to disinfect files which are currently in
use, and you risk AVP 3.0 for Windows95/NT itself getting infected too.
Aug-04-98: Kaspersky Lab has developed a special update-base which removes
any left-over CIH traces (only use it if you have done your cleaning with
build 120/119 or another anti-virus program). If you use build 122, there
will be no traces left.
The safe process to disinfect Win95.CIH is as follows:
Reboot your PC and enter Command line mode as shown above. Install AVP
3.0 for DOS as shown above and change into the AVP program directory.
(e.g. cd \avp30)
Run AVP.EXE or AVPLITE.EXE (avplite uses less memory, but is command
line only). In AVP, select the option to disinfect. In AVPLite (and AVP
too) you can get a list of possible commands by typing avplite /? . To
disinfect with AVPLite type e.g. avplite /- c: which will start
disinfection on drive c:
Once disinfection is completed you can reboot your PC and go into
win95/98 again.
Reinstall AVP 3.0 for win95/NT (to make sure that all its files are
intact) and scan your PC again (including any "archive" files).
Why do I have to go into command line mode for proper disinfection?
AVP 3.0 for win95/98 cannot disinfect files that are currently in use
because the operating system blocks deleting/writing to Windows executable
files that are currently in use. By using the DOS version of AVP and running
it in command-line mode (NOT a full-screen DOS session with win95/98
active), you make sure that there are no file-locks on Windows executables.
Build 122 of AVP 3.0 makes a copy of the infected file, disinfects that
copy, reboots the PC and then will auto-replace the infected file with the
previously disinfected copy!
After disinfection, I still find traces of CIH in some files (notably the
"CIH" string), but a scan shows the files as clean
CIH puts its code into multiple locations in a file, wherever it finds a
cave, which makes the cleaning task pretty difficult. AVP removes most of
the virus code, but may occasionally leave some traces behind in the file.
The Win95.CIH virus however is destroyed and cannot be activated again from
such files.
Note from the development team: we are going to release a special update
that will clean these traces that AVP and other antivirus programs leave
over... and, this special update is now available!:
Download the file upcih.zip, unzip into your AVP program directory and
follow these instructions:
If your computer was infected by Win95.CIH and then disinfected, there might
be "traces" of the virus found in disinfected files - blocks of virus code
and the "CIH TATUNG" or "CIH TTIT" text strings. These traces are absolutely
harmless and cannot spread the virus, corrupt data or interfere with other
software in any way.
If you do not like these virus traces and want to clean them, you should add
the reference for this update to your AVP.SET file and scan your disks;
otherwise see the new features of build 122. If executable files with
virus traces are found, AVP will inform you and ask whether to clean
these files. After cleaning the computer you should delete this
update and the reference in the AVP.SET - you do not need it anymore. If you
are unfortunate and get the CIH infection again, you should use the standard
AVP32 build 122 package, which removes the CIH viruses without leaving any
left-overs!
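A way to see where such leftover strings sit in a cleaned file, as an added example that is not part of the original FAQ or of AVP: the script searches a file image for the two text strings quoted above and reports whether each hit falls in unused padding of a PE file. Treating header padding and the bytes past a section's VirtualSize as the "caves" is an assumption of this example, and the sample image is constructed.

```python
import struct

MARKERS = (b"CIH TATUNG", b"CIH TTIT")  # trace strings quoted in the FAQ text

def pe_regions(data):
    """Map a PE image to [(start, end, label)]: header slack, section bodies, section slack."""
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return []
        nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
        hdr_end = struct.unpack_from("<I", data, pe + 24 + 60)[0]  # SizeOfHeaders
        table = pe + 24 + opt_size
        regions = [(table + 40 * nsec, hdr_end, "header slack")]
        for i in range(nsec):
            name, vsize, _, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
            used = min(vsize, rsize)  # bytes past VirtualSize are alignment padding
            label = name.rstrip(b"\0").decode("ascii", "replace")
            regions += [(rptr, rptr + used, label + " body"),
                        (rptr + used, rptr + rsize, label + " slack")]
        return regions
    except struct.error:  # truncated or malformed headers: treat as non-PE
        return []

def find_traces(data):
    """Return [(marker, file_offset, region)] for every marker occurrence."""
    regions = pe_regions(data)
    hits = []
    for marker in MARKERS:
        pos = data.find(marker)
        while pos != -1:
            region = next((l for s, e, l in regions if s <= pos < e), "outside PE regions")
            hits.append((marker.decode(), pos, region))
            pos = data.find(marker, pos + 1)
    return hits

def build_sample():
    """Constructed 1 KiB PE-like image with a marker planted in each kind of cave."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 1, 0xE0)   # machine, 1 section, opt size
    struct.pack_into("<I", img, 0x98 + 60, 0x200)            # SizeOfHeaders
    struct.pack_into("<8sIIII", img, 0x178, b".text", 0x100, 0x1000, 0x200, 0x200)
    img[0x1C0:0x1C8] = b"CIH TTIT"                           # header slack
    img[0x380:0x38A] = b"CIH TATUNG"                         # .text slack
    return bytes(img)

if __name__ == "__main__":
    for hit in find_traces(build_sample()):
        print(hit)
```

A hit is only a string match; whether the file is clean or still infected is decided by the scanner, not by this listing.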
Is Kaspersky Lab working on making it easier to remove this virus (without
having to go through e.g. command line mode) ?
Yes, of course. Build 122 now does the following:
Run AVP. It will carefully scan Windows memory, detect the virus copy,
and patch it so that the virus would not be able to infect other files.
AVP32 then scans itself and detects if the virus has infected it. AVP
cannot disinfect running applications, so it creates a copy of itself,
disinfects it, executes it and exits. The new copy locates its host
file, detects that it is a disinfected copy, copies itself back to the
original one, executes and exits. AVP then locates the disinfected copy
and deletes it. AVP is clean, memory is disinfected.
Scan your hard drive. Any infected file that can be opened for writing
will be disinfected with no virus traces. All read-only (running now)
files will be copied with .AVP extension (NOTEPAD.EXE.AVP) and disinfected.
A reference to these files is placed in a batch file that is executed on
next boot-up. AVP then modifies C:\AUTOEXEC.BAT to run this batch helper
automatically.
AVP will ask about rebooting your system. Do it. Wait. Your system is
clean!
Ouch - it's too late! Win95.CIH has left my machine in unbootable state.
What can I do?
Some earlier motherboards had an emergency boot-up routine that could be
activated by changing a jumper on the motherboard. This made it possible
to boot from a floppy and reflash the BIOS with new code. Newer
motherboards often have a jumper to disable BIOS "flashing". However, it
seems that on some motherboards this jumper has no effect at all. And yet
other motherboards don't offer such protection at all (for economic
reasons). Check your motherboard's manual and your motherboard
manufacturer's web-site for more information. You may have to return your
motherboard to the manufacturer or get it replaced entirely.
How can I prevent the possible damages Win95.CIH may cause?
To prevent Win95.CIH from being able to do its nasty business, you have a
couple of options:
If possible, try to make sure that the jumper to write to Flash Memory
is correctly set to disable "flashing" the BIOS (this might have no
effect, depending on your motherboard though).
Check your system with AVP 3.0 before a date on which Win95.CIH triggers
(and of course remove Win95.CIH!).
Avoid getting infected at all by checking all files before you
run them on your system.