Solved

Won't boot in safe mode; I know it has a trojan virus, can't get to it

Posted on 2003-03-26
572 Views
Last Modified: 2010-04-11
Hi, my sister recently downloaded a screen saver program and infected one of our computers with a trojan virus. My problem is that I seem to be unable to enter safe mode, which was working fine a few weeks ago. After I choose "safe mode" from the Windows 98 menu at startup, instead of running in safe mode, it reads:

windows bypassing startup files....

HIMEM is testing extended memory...done.

And then a Windows prompt appears.

When I attempt to run the CPU without safe mode, it freezes every single time at the Windows 98 colored screen... If I press ESC here, it scans the computer very quickly, revealing an OBS.Trojan... Perhaps there is an easy solution to this; any help would be GREATLY appreciated.

Thanks so much.
Question by:joekmama3
22 Comments
 

Expert Comment

by:strats2
ID: 8213686
What is the exact name of the virus/trojan?
 

Author Comment

by:joekmama3
ID: 8213815
This is what comes up
Scanning C://

Pass1
Pass2
C://Command.exe        Found APStrojan.ob Trojan!!!
Pass 3
Pass 4
Pass 5
Pass 6
Pass 7.

Thank you.
 

Expert Comment

by:slaxs
ID: 8213931
Hello,
   Create an emergency disk from McAfee (or any other antivirus software you prefer):
http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp
Download the Emergency v4 .DAT files
-OR- (if the above doesn't work)
F-Prot for DOS:
http://www.f-prot.com/download/index.html
 
LVL 2

Expert Comment

by:MCSE-2002
ID: 8213961
You are booting into safe mode with command prompt.

This virus is a password stealer trojan. Normally it wouldn't kill your system, just steal your password. Maybe the programmer used to work at M$?

Try booting into "safe mode", not safe mode with command prompt.

Click Start --> Run --> regedit.

Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Look for "WinProfile"="C:\Command.exe" and delete it.

When you are done, reboot into DOS mode (safe mode with command prompt), and type in these commands:

ATTRIB -H C:\AMERIC~1.0\BUDDYL~1.EXE
DEL C:\AMERIC~1.0\BUDDYL~1.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\NORTON~1\REGIST~1.EXE
DEL C:\WINDOWS\SYSTEM\NORTON~1\REGIST~1.EXE

ATTRIB -H C:\COMMAND.EXE
DEL C:\COMMAND.EXE

ATTRIB -H C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\AIMREM~1.EXE
DEL C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\AIMREM~1.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\WINSAVER.EXE
DEL C:\WINDOWS\SYSTEM\WINSAVER.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\VCLCNTL.DLL
DEL C:\WINDOWS\SYSTEM\VCLCNTL.DLL


This should fix it.

Happy trails,

Paul
 
LVL 2

Expert Comment

by:MCSE-2002
ID: 8214035
If safe mode doesn't work:

Windows creates a copy of your registry every time you boot and successfully start Windows.

If all you can get is the DOS prompt, try this:

SCANREG /RESTORE

Choose the oldest copy. Once you are done, type these commands (EXACTLY) from DOS:

ATTRIB -H C:\AMERIC~1.0\BUDDYL~1.EXE
DEL C:\AMERIC~1.0\BUDDYL~1.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\NORTON~1\REGIST~1.EXE
DEL C:\WINDOWS\SYSTEM\NORTON~1\REGIST~1.EXE

ATTRIB -H C:\COMMAND.EXE
DEL C:\COMMAND.EXE

ATTRIB -H C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\AIMREM~1.EXE
DEL C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\AIMREM~1.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\WINSAVER.EXE
DEL C:\WINDOWS\SYSTEM\WINSAVER.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\VCLCNTL.DLL
DEL C:\WINDOWS\SYSTEM\VCLCNTL.DLL

This should be easier. You will get some errors on bootup... it is now looking for files that don't exist.

Look in WIN.INI for
load= C:\Americ~1.0\BuddyList.exe
run=c:\windows\system\NortonAntiVir\RegistryReminder.exe

Look in SYSTEM.INI for
SCRNSAVE.EXE=c:\windows\system\WinSaver.exe


and delete these entries; they are created by the worm.


Good Luck! :)
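The persistence points MCSE-2002 lists (the WinProfile value under the Run key, the WIN.INI load=/run= lines, the SYSTEM.INI SCRNSAVE.EXE line) are exactly what a responder would audit on a drive pulled from the machine. The script below is an added example, not code from this thread or from any antivirus vendor. It parses constructed copies of those three files, flags any entry that launches a file from the indicator list in the comments above, and shows how the flagged INI keys would be emptied. The file names and the registry path come from the thread; the sample file contents are made up, and the .reg text assumes the REGEDIT4 format that `REGEDIT /E` writes on Windows 9x.

```python
r"""Audit the Windows 9x persistence points named in the thread.

Added example, not the thread's or any vendor's code. Inputs are text copied
off the infected drive: WIN.INI, SYSTEM.INI and a REGEDIT4 export of the Run
key (assumed made with REGEDIT /E RUN.REG HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run).
"""
import re

# Constructed samples shaped like MCSE-2002's entries; not from the asker's machine.
WIN_INI = """[windows]
load=C:\\Americ~1.0\\BuddyList.exe
run=c:\\windows\\system\\NortonAntiVir\\RegistryReminder.exe
NullPort=None
"""

SYSTEM_INI = """[boot]
shell=Explorer.exe
SCRNSAVE.EXE=c:\\windows\\system\\WinSaver.exe
"""

RUN_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"
"WinProfile"="C:\\\\Command.exe"
"""

# File names from MCSE-2002's list; AIMREM~1.EXE is only given in 8.3 form there.
BAD_NAMES = {"buddylist.exe", "registryreminder.exe", "command.exe",
             "winsaver.exe", "vclcntl.dll", "aimrem~1.exe"}

REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data

# REGEDIT4 escaping: a doubled backslash is one backslash, \" is a quote.
def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, sections and keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def parse_reg(text):
    """Parse a REGEDIT4 export into (key_path, value_name, data) for string values."""
    out, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line) if key else None
        if m and m.group(2).startswith('"') and m.group(2).endswith('"'):
            out.append((key, _unescape(m.group(1)), _unescape(m.group(2)[1:-1])))
    return out

def basename(command):
    """Lower-cased file name the entry launches. Assumes 8.3-style paths
    without spaces, so the first token is the program and the rest arguments."""
    command = command.strip().strip('"')
    if not command:
        return ""
    return command.split()[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()

def audit(win_ini, system_ini, run_reg):
    """(location, entry, value) for each entry launching a BAD_NAMES file."""
    hits = []
    windows = parse_ini(win_ini).get("windows", {})
    for entry in ("load", "run"):  # may list several programs, comma- or space-separated
        for item in re.split(r"[,\s]+", windows.get(entry, "")):
            if basename(item) in BAD_NAMES:
                hits.append(("WIN.INI [windows]", entry, item))
    saver = parse_ini(system_ini).get("boot", {}).get("scrnsave.exe", "")
    if basename(saver) in BAD_NAMES:
        hits.append(("SYSTEM.INI [boot]", "SCRNSAVE.EXE", saver))
    for key, name, data in parse_reg(run_reg):   # ScanRegistry is left alone
        if basename(data) in BAD_NAMES:
            hits.append((key, name, data))
    return hits

def blank_keys(text, section, keys):
    """INI text with the named keys in `section` emptied (e.g. 'load='), every
    other line untouched: a stock Win9x WIN.INI keeps empty load=/run= lines."""
    out, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            key = line.partition("=")[0].strip()
            if key.lower() in keys:
                out.append(key + "=")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"
```

Matching only on the launched file name is deliberate: it keeps the legitimate ScanRegistry value out of the hit list, but it also means a renamed dropper would be missed, so on a real drive the full contents of load=, run=, SCRNSAVE.EXE and the Run key should be compared against a known-good WIN98 baseline rather than against this short list. The registry side of the cleanup (deleting WinProfile) is still done in regedit as MCSE-2002 describes; blank_keys only covers the two INI files.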
 

Expert Comment

by:JacksonGalloway
ID: 8214162
So,
I have run into this once with a different trojan. What you can do is boot into DOS by holding down the F8 key during boot-up (before the Windows 9x screen), and then choose 5 for command prompt.
From there, type:
cd c:\progra~1
then you want to find the name of your virus scanning software; try:
dir /p
That will let you see everything in the directory, and you can then find the program folder for your virus scanner; typically it is Network Associates or Symantec.
Go to that directory via:
cd networ~1
The above is for Network Associates, i.e. McAfee.
You need to find the .exe that is your virus scanning program, so do again:
dir /p
and find the virus scanner; it should be virus-something (I forget the name of the program).
Then just run the executable via:
(name of the file).exe
On my computer it is viruss~1.exe.
Let it scan; it will take a while.
If you want some options, type:
(name of the file) /?
and it will tell you the file's command line options and how you can specify what to scan.
That "should" work; again, it has been years since I did a Win 9x command line scan, and my only Win 98 computer at work is about dead, and I don't have virus scan on it since it is so slow.
Good luck,
Jackson
 

Expert Comment

by:JacksonGalloway
ID: 8214179
Also,
the help I just posted assumes that you have somewhat recent virus definitions, since your computer is able to detect the virus. If you can't clean it that way, download the newest ones and do what I specified.
Once more, good luck,
Jackson
 

Author Comment

by:joekmama3
ID: 8214397
Ok, thanks a lot guys... it seems that it passes all of the tests now... my only problem now is that after it says...

Pass 1, 2, 3, 4, 5, 6, 7, 8, 9... I am prompted again, and am not sure how to get the CPU to load the rest of the way. Thanks again.
 

Expert Comment

by:JacksonGalloway
ID: 8214444
Try holding F8 down during boot, and then type 1 at the prompt. That should work.
Good luck,
Jackson
 

Author Comment

by:joekmama3
ID: 8214466
Jackson, just tried that... pressed 1 at the menu screen and I was prompted again.
 

Expert Comment

by:JacksonGalloway
ID: 8214525
Ah, ok.
1. Check your msdos.sys file via the command prompt again: go to the C: directory (I think) and type edit msdos.sys, then check to see if bootgui = 0; if it does, change it to 1.
2. Try typing win at the command prompt.
3. If bootgui is set to 1, check to see if winboot.ini is present; if it is, then rename it to something else via move (name of file) (new name of file).
The third suggestion is ONLY if msdos.sys has bootgui = 1 and you don't get the Windows interface.
That should get you on your Windows way.
Later,
Jackson
 

Author Comment

by:joekmama3
ID: 8214966
OK, Windows started fine the first time when it prompted and I typed WIN... the second time when I typed WIN, it said that the HIMEM.SYS file is missing...? I need to access Windows in order to download a Norton update, because my virus software is outdated as I never use this computer... and you can't connect to the internet in safe mode. Thanks again.
 

 
LVL 3

Expert Comment

by:cduke250
ID: 8215112
Isn't there a program somewhere with a safe-mode boot with network support?

I'm sure Norton's got a dos auto-updater.
 

 

Expert Comment

by:JacksonGalloway
ID: 8215162
I don't think safe mode will allow you to load any drivers, except for the necessary junk to run Windows, i.e. mouse, keyboard. I would honestly go to work tomorrow... make a Windows 98 boot disk... download the Norton updates to your work computer... burn them to a CD... and then boot the dying Win 98 computer you have with the Win 98 boot disk. You will have access to boot with CD-ROM drivers, and then you can unzip the files and install them, unless they don't do that in DOS, which would be what would occur... so see if Norton has a cleaning utility for it.
On another note, did the fixes work? Did you just give up? Because if Norton is discovering the trojan, it should be able to fix it.
Sorry this ain't an elegant fix, but hopefully it will work,
Jackson
 

Author Comment

by:joekmama3
ID: 8215175
Yeah, you are right about that. The thing is that when I do a virus scan in safe mode, nothing is detected, for some reason...
 

Author Comment

by:joekmama3
ID: 8215208
The strange thing is... at the screen it says:

Checking system memory for viruses... OK

Then it says checking...

Pass 1, 2, and then at 3 the virus message appears again... and it just freezes at the bootup screen. Very strange.
 

Accepted Solution

by:
JacksonGalloway earned 200 total points
ID: 8217915
Alrighty then!
How about this: http://securityresponse.symantec.com/avcenter/venc/data/aol.pwsteal.32512.html
This is the Symantec (Norton Anti-Virus) website, and it gives a step-by-step explanation of how to kill off this trojan horse. It is similar to MCSE-2002's answer, but it has a program called fixbuddy.exe that should take care of all of the gory details of cleaning off this trojan horse. Just follow the steps and it should be good.
Once again, be persistent, and good luck,
Jackson
 

Author Comment

by:joekmama3
ID: 8220498
FIXED FIXED FIXED!!!!!!! thanks Jackson and all others who have helped me with this, you guys are life savers!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 

Author Comment

by:joekmama3
ID: 8220505
Wow, what great knowledge and patience this guy has. Thanks.
 

Expert Comment

by:JacksonGalloway
ID: 8220990
No problem, glad to help.
jackson
