Won't boot in safe mode, I know it has a trojan virus, can't get to it

Hi, my sister recently downloaded a screen saver program and infected one of our computers with a trojan virus. My problem is that I seem to be unable to enter safe mode, which was working fine a few weeks ago. After I choose "safe mode" from the Windows 98 menu at startup, instead of running in safe mode, it reads:

windows bypassing startup files....

HIMEM is testing extended memory...done.

And then a Windows prompt appears.

When I attempt to run the CPU without safe mode, it freezes every single time at the Windows 98 colored screen... If I press ESC here, it scans the computer very quickly, revealing an OBS.Trojan... Perhaps there is an easy solution to this; any help would be GREATLY appreciated.

Thanks so much.
0
Asked by: joekmama3
 
strats2 Commented:
What is the exact name of the virus/trojan?
0
 
joekmama3 (Author) Commented:
This is what comes up
Scanning C://

Pass1
Pass2
C://Command.exe        Found APStrojan.ob Trojan!!!
Pass 3
Pass 4
Pass 5
Pass 6
Pass 7.

Thank you.
0
 
slaxs Commented:
Hello
   Create an emergency disk from McAfee (or any other antivirus software you prefer)
http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp
Download Emergency v4 .DAT files
-OR- (if the above doesn't work)
F-Prot for DOS:
http://www.f-prot.com/download/index.html
0
 
MCSE-2002 Commented:
You are booting into safe mode with command prompt.

This virus is a password stealer trojan. Normally it wouldn't kill your system, just steal your password. Maybe the programmer used to work at M$?

Try booting into "safe mode", not safe mode with command prompt.

Click Start --> Run --> regedit.

Go to "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

Look for "WinProfile"="C:\Command.exe" and delete it.

When you are done, reboot into DOS mode (safe mode with command prompt), and type in these commands:

ATTRIB -H C:\AMERIC~1.0\BUDDYL~1.EXE
DEL C:\AMERIC~1.0\BUDDYL~1.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\NORTON~1\REGIST~1.EXE
DEL C:\WINDOWS\SYSTEM\NORTON~1\REGIST~1.EXE

ATTRIB -H C:\COMMAND.EXE
DEL C:\COMMAND.EXE

ATTRIB -H C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\AIMREM~1.EXE
DEL C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\AIMREM~1.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\WINSAVER.EXE
DEL C:\WINDOWS\SYSTEM\WINSAVER.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\VCLCNTL.DLL
DEL C:\WINDOWS\SYSTEM\VCLCNTL.DLL


This should fix it.

Happy trails,

Paul
0
 
MCSE-2002 Commented:
If safe mode doesn't work:

Windows creates a copy of your registry every time you boot and successfully start Windows.

If all you can get is the DOS prompt, try this:

SCANREG /RESTORE

Choose the oldest copy. Once you are done, type these commands (EXACTLY) from DOS:

ATTRIB -H C:\AMERIC~1.0\BUDDYL~1.EXE
DEL C:\AMERIC~1.0\BUDDYL~1.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\NORTON~1\REGIST~1.EXE
DEL C:\WINDOWS\SYSTEM\NORTON~1\REGIST~1.EXE

ATTRIB -H C:\COMMAND.EXE
DEL C:\COMMAND.EXE

ATTRIB -H C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\AIMREM~1.EXE
DEL C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\AIMREM~1.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\WINSAVER.EXE
DEL C:\WINDOWS\SYSTEM\WINSAVER.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\VCLCNTL.DLL
DEL C:\WINDOWS\SYSTEM\VCLCNTL.DLL

This should be easier. You will get some errors on bootup... It is now looking for files that don't exist.

Look in WIN.INI for
load= C:\Americ~1.0\BuddyList.exe
run=c:\windows\system\NortonAntiVir\RegistryReminder.exe

Look in SYSTEM.INI for
SCRNSAVE.EXE=c:\windows\system\WinSaver.exe


and delete these entries; they are created by the worm.


Good Luck! :)
0
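Added example, not part of any post in this thread: a read-only Python check that lists the auto-start entries in WIN.INI and SYSTEM.INI text and flags those pointing at the file names quoted in the post above. The sample INI contents are constructed, and the `[windows]`/`[boot]` section names and the `shell=` key are standard Windows 9x details that the thread itself does not state.

```python
import ntpath

# (section, key) pairs that Windows 9x reads to start programs.
# The section names and shell= are assumptions added here; the thread
# names only load=, run= and SCRNSAVE.EXE=.
AUTOSTART_KEYS = {
    ("windows", "load"), ("windows", "run"),       # WIN.INI
    ("boot", "shell"), ("boot", "scrnsave.exe"),   # SYSTEM.INI
}

# File names quoted in the thread's WIN.INI / SYSTEM.INI entries.
REPORTED = {"buddylist.exe", "registryreminder.exe", "winsaver.exe"}

def autostart_entries(ini_text):
    """Return (key, target) for each program named by an auto-start key."""
    section, found = "", []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and (section, key.strip().lower()) in AUTOSTART_KEYS:
            # load= and run= may list several programs.
            for target in value.replace(",", " ").split():
                found.append((key.strip().lower(), target))
    return found

def audit(ini_text):
    """Return (key, target, flagged); flagged means the name is in REPORTED."""
    return [(k, t, ntpath.basename(t).lower() in REPORTED)
            for k, t in autostart_entries(ini_text)]

# Constructed sample files for the demonstration.
SAMPLE_WIN_INI = r"""
[windows]
load= C:\Americ~1.0\BuddyList.exe
run=c:\windows\system\NortonAntiVir\RegistryReminder.exe
NullPort=None
"""
SAMPLE_SYSTEM_INI = r"""
[boot]
shell=Explorer.exe
SCRNSAVE.EXE=c:\windows\system\WinSaver.exe
"""

if __name__ == "__main__":
    for key, target, flagged in audit(SAMPLE_WIN_INI) + audit(SAMPLE_SYSTEM_INI):
        print(("REMOVE " if flagged else "ok     ") + key + "=" + target)
```

The check only reads text; the entries it flags are the ones the post says to delete by hand.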
 
JacksonGalloway Commented:
So,
I have run into this once with a different trojan. What you can do is boot into DOS by holding down the F8 key during boot up (before the Windows 9x screen), and then choose 5 for command prompt.
From there, type:
cd c:\progra~1
Then you want to find the name of your virus scanning software, try:
dir /p
That will let you see everything in the directory, and you can then find your program file for virus scan; typically it is Network Associates or Symantec.
Go to that directory via:
cd networ~1
The above is for Network Associates, i.e. McAfee.
You need to find the .exe that is your virus scanning program, so do again:
dir /p
and find the virus scanner; it should be virus something (I forget the name of the program).
Then just run the executable via:
(name of the file).exe
On my computer it is viruss~1.exe
and let it scan; it will take a while.
If you want some options, type:
(name of the file) /?
and it will tell you the file's command line options and what you can specify for how to scan.
That "should" work. Again, it has been years since I did a Win 9x command line scan, and my only Win 98 computer at work is about dead, and I don't have virus scan on it since it is so slow.
Good luck,
Jackson
0
 
JacksonGalloway Commented:
Also,
In that help I just posted, I assume that you have somewhat recent virus definitions, since yer computer is able to detect the virus. If you can't clean it that way, download the newest ones, and do what I specified.
Once more, good luck,
Jackson
0
 
joekmama3 (Author) Commented:
Ok, thanks a lot guys... seems that it passes all of the tests now... my only problem now is... that after it says...

Pass 1, 2, 3, 4, 5, 6, 7, 8, 9... I am prompted again... and am not sure how to get the CPU to load the rest of the way. Thanks again.
0
 
JacksonGalloway Commented:
Try holding F8 down during boot, and then type 1 at the prompt. That should work.
Good luck,
Jackson
0
 
joekmama3 (Author) Commented:
Jackson, just tried that...pressed 1 at the menu screen and I was prompted again
0
 
JacksonGalloway Commented:
Ah, ok,
1. Check your msdos.sys file: via the command prompt again, go to the directory c: (I think), and type edit msdos.sys, then check to see if bootgui = 0. If it does, change it to 1.
2. Try typing win at the command prompt.
3. If bootgui is set to one, check to see if winboot.ini is present. If it is, then rename it to something else via move (name of file) (new name of file)
The third suggestion is ONLY if msdos.sys has bootgui = 1, and you don't get the Windows interface.
That should get you on your Windows way.
Later,
Jackson
0
 
joekmama3 (Author) Commented:
OK, Windows started fine the first time when it prompted and I typed WIN...the second time when I typed WIN...it said that HIMEM.SYS file is missing...? I need to access windows in order to download a Norton update because my virus software is outdated as I never use this computer...and you can't connect to the internet in safe mode...thanks again.
0
 
cduke250 Commented:
Isn't there a program somewhere with a safe-mode boot with network support?

I'm sure Norton's got a DOS auto-updater.
0
 
JacksonGalloway Commented:
I don't think safe mode will allow you to load any drivers, except for necessary junk to run Windows, i.e. mouse, keyboard. I would honestly go to work tomorrow... make a Windows 98 boot disk... download the Norton updates to your work computer... burn them to a CD... and then boot the dying Win 98 computer you have with the Win 98 boot disk. You will have access to boot with CD-ROM drivers, and then you can unzip the files and install them, unless they don't do that in DOS. Which would be what would occur... so, see if Norton has a cleaning utility for it.
On another note, did the fixes work? Did you just give up? Because if Norton is discovering the trojan, it should be able to fix it.
Sorry this ain't an elegant fix, but hopefully it will work,
Jackson
0
 
joekmama3 (Author) Commented:
Yeah, you are right about that..The thing is that when I do a virus scan in Safe Mode nothing is detected for some reason...
0
 
joekmama3 (Author) Commented:
The strange thing is...at the screen it says.

Checking system memory for viruses...OK

Then it says checking ...

Pass 1, 2, and then at 3 the virus message appears again..and it just freezes at the bootup screen..very strange
0
 
JacksonGalloway Commented:
Alrighty then!
How about this: http://securityresponse.symantec.com/avcenter/venc/data/aol.pwsteal.32512.html
This is the Symantec (Norton AntiVirus) website, and it gives a step-by-step explanation of how to kill off this trojan horse. It is similar to MCSE-2002's answer, but it has a program called fixbuddy.exe that should take care of all of the gory details about cleaning off this trojan horse. Just follow the steps and it should be good.
Once again, be persistent, and good luck,
Jackson
0
 
joekmama3 (Author) Commented:
FIXED FIXED FIXED!!!!!!! thanks Jackson and all others who have helped me with this, you guys are life savers!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
0
 
joekmama3 (Author) Commented:
Wow, what a great knowledge and patience level this guy has. Thanks
0
 
JacksonGalloway Commented:
No problem, glad to help
Jackson
0
