| | | | | | | | |
| | | | | | | | |
|
So you have been hit by CIH - tough luck - let's see if we can help you out of there. First of all, boot your PC with a system disk. If the PC was using FAT-32 ( it i always the case if you have partitions bigger than 2 GB on Win 95 or Win 98), you must boot from a Win 95 OSR 2 or Win 98 installation disk. Norton Utilities' recovery disks are ideally suited to the task. We'll assume you have them, or if you choose to use another disk editor, I'll assume that you know what you do. The damage inflicted by CIH is simple : the first 2048 sectors of the drive is overwritten with garbage. If the drive has 63 sectors per track, the corruption will begin on track 0 and end in the middle of track 31 |
|||||||||||||||||
| FAT-16 and one single C: partition | FAT-16 and several partitions | ||||||||||||||||
| Really bad news here - if 2048 sectors have been erased, your first track (often 64 sectors nowadays), the boot sector, both FAT (each a maximum of 256 sectors), the root directory and some data have been wiped.- Tiramisu from Ontrack and Lost&Found by Powerquest may allow you to recover unfragmented files. Note that each and every file smaller than your cluster size ( usually 16 kilobytes or 32 kilobytes nowadays ) is recoverable. | Same as above as far as the first partition is concerned. However, the other partitions are intact. Search for them with disk editor (tools - find object) and, once you have located them, read the partition recovery guide | ||||||||||||||||
| FAT-32, initial partition smaller than 1 GB | |||||||||||||||||
| This is not as bad as a single partition under FAT-16 since only part of the second FAT as been corrupted. It may very well be possible to recover many of your files. The recovery should proceed along the lines of the next case, except that less data will be recovered. Read on. | |||||||||||||||||
| FAT-32 and the initial partition was bigger than 1 GB | |||||||||||||||||
|
Your drive is fully recoverable ! The process is not going to be easy, but it is possible. Don't format or repartition your drive. The process is straightforward 1) rebuild your
partition table You also have to understand the boot sector structure of FAT-32. It has been greatly expanded. |
Knowing the default cluster size will help you
|
||||||||||||||||
| And here is the infamous extended BPB structure | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| If you are willing to make a few assumptions, fixing a FAT-32 drive is quite easy. Govind Rammurthy of MicroWorld has developed a CIH recovery program that assumes some values to be constant (while they theoretically could be variable, it seems they are fairly constant in current implementations). You might want to give this program a try. Get it here. Save it on a Windows 98 Boot Floppy, boot the trashed machine, run and follow the instructions if any. |
|
The quickest way to recover from CIH trashed drive - and teh way we use in house - is as follow 1) Install the disk
in a booting windows 98 machine When Windows 98 detects that the first fat is corrupted, it automagically uses the second FAT. Presto... |