Win. Explorer not working after Virus

Discussion in 'Security and Privacy' started by hawk22, 2004/05/01.

Thread Status:
Not open for further replies.
  1. 2004/05/01
    hawk22

    hawk22 Geek Member Thread Starter

    Joined:
    2002/01/31
    Messages:
    1,991
    Likes Received:
    26
    G'day,
    I have no idea how I managed to get My Doom onto my 98 SE system; luckily I have dual boot and my XP is OK. I have AV running on 98 but My Doom has put both of my AVs on 98 out of action. I had EZ AV running on my XP and it was scanning C drive on 98 when it found the 2 files with My Doom. I then changed to 98 to run the AV there but it refused to scan any drives.
    I then renamed the files from within XP (I have both SE & XP on FAT32), and Win Explorer and stuff worked except the AV program, so I decided to go back into XP and delete the infected files, and this did the damage then. The AV program worked in Safe Mode, everything works in Safe Mode, SFC can not find any missing or damaged system files, but as soon as I go back into Windows 98 things start to go bad. Windows Explorer is the main culprit. I wanted to reload the AV program but Explorer hangs when trying to open the CD.
    I just wonder if overinstalling 98SE would do any good. Is it possible to get Safe Mode to read the CD-ROM drive?
    My BIOS is set to read from CD first.
    Some time back when I uninstalled Acronis Drive Image on 98 I had very similar problems and by reinstalling the program everything went back to normal, I was lucky then I had the program backed up on my E:\ drive and re-installed it in safe mode.
    Any good suggestions here?
    thanks
    hawk22
     
  2. 2004/05/02
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    May I suggest that you go into the security forum and search the archives for Doom removal. You have to properly and thoroughly clean this virus out and that includes the registry keys and values this leaves behind.

    As I recall this also has a few special steps that need to be adhered to for a clean removal.

    A reinstall of windows will not clean the registry dregs this virus includes. The fact that you can get into windows in safemode indicates that your registry, when attempting a Normal bootup, is involved in your current bootup problem.

    There are or is a special tool or removal utility that can be downloaded and put on a floppy that may help. Links and references to this or these can also be found in the archives.

    A google.com search will also include instructions for manually removing this bugger.
    doom googled

    If you have any problems doing any of the above suggestions just give me a shout and I'll see what I can do about finding the time to make this a more beginner/intermediate user friendly post.

    Note*
    Hang in there. With a little elbow grease, some reading glasses (if needed), a beverage of choice at your side and a few deep breaths, you should be able to clean this up and recover from the problem.

    And for a heads-up... Not familiar with your particular AV program, but if it has a feature which fixes files detected as infected, you must remember, the fixed file, although not infected, also may not function as it did or should.

    If you got a log of the cleanup and the files involved and if any of these are replaceable with clean new ones, I tried renaming older ones and extracting new uninfected, unrepaired, fresh spanking new ones.

    Additionally....Yes it is possible to have cdrom support even in safemode:

    Alternatives to entering safemode other than using the Ctrl or F8 key:

    >From within win98 try a restart in dosmode
    >type cd\ and hit enter to clear the dosprompt
    >type WIN /D:M and hit enter
    ^this is the safemode switch for win.com

    OR

    >From windows 98 and on the startbutton run line>type msconfig
    >click on the [general tab]
    >select the Advanced button
    >put a tick in the option: "enable startup menu"
    >Reboot and you should find yourself at the startup menu that will allow a safemode option.

    OR

    I think tweakui has an option on one of the tabs that will change startup to go/show the bootmenu options. I just don't remember which tab. I'm on xp at the moment and tweakui is different version/animal.

    #1 option of mine does have the advantage of safemode CD-ROM support if autoexec.bat and config are properly set up. Just a little F.Y.I. in case an occasion should arise where this would come in handy.

    Safe mode with cdrom support:
    http://support.microsoft.com/defaul...b;EN-US;q194846

    How to Use Real-Mode CD-ROM Drivers from Windows 98 Startup Disk: http://support.microsoft.com/defaul...b;en-us;Q190303
    __________________
     
    Last edited: 2004/05/02

  4. 2004/05/03
    hawk22

    hawk22 Geek Member Thread Starter

    Joined:
    2002/01/31
    Messages:
    1,991
    Likes Received:
    26
    Hi Ann, looks like you're my Goodez and I love you for ever;
    A special thanks for your offer to help me through this trouble. I am doing research at the moment, and the Google link looks very promising, with Trend Micro offering instructions for manual removal or automatic removal. The manual includes, as you say, diving into the registry, one thing I have never done :mad:
    I paste you the Log Files from the AV maybe it tells you something.

    Number of files scanned: 64352.
    Number of files that could not be scanned: 1
    Number of infections: 2
    Number of infected files not cleaned/deleted/renamed: 2
    C:\BOOTWIZ\VK000003\WINDOWS\TEMP\V2102Ea59217 (ZIP.Mydoom.A worm)
    C:\BOOTWIZ\VK000003\PROGRA~1\IncrediMail\Data\Identities\{81691F20-6854-11D6-B6E0-444553540000}\Message Store\Attachments\update_naked2.Vcom (Win32.Netsky.C worm)

    Finished scanning: 9:21:51 PM, 1/05/2004
    Number of files scanned: 64356.
    Number of files that could not be scanned: 1
    Number of infections: 2
    Number of infected files deleted: 2

    Trend Micro offer a scan of the PC and I will do that now.

    Again Ann I thank you so much.

    regards
    hawk22
     
  5. 2004/05/03
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Hi again Hawk22,

    I found a site with stand alone cleaning tools for both your virus's (?viri):

    http://www3.ca.com/threatinfo/collateral.aspx?CID=40387

    Or specifically (links copied from the above):

    MyDoom:
    http://www3.ca.com/Files/VirusInformationAndPrevention/clnmydoom.zip

    win32.netskyC.worm:
    http://www3.ca.com/Files/VirusInformationAndPrevention/clnnetsky.zip

    These state they will clean the registry and restore proper key values.

    Sounds like just the ticket...
    Much better than having to search and do this manually.
    Files contain readmes with the instructions for removal.
    Give them a shot and let me know how it goes.

    -----
    By the way, I would think it is the Netsky infection, if given the chance to infect, that has caused the bootup constipation. It deletes needed run keys. See description:
    http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38406

    -----
    Also, in case this hasn't occurred to you yet, once cleaned and confirmed clean, I would overwrite any of scanreg's current registry backups by running scanreg from the run line. I'd have to do this 5 times, in my case, 'cause I am using the default number of backups. You'd have to adjust yours accordingly.

    You wouldn't want to find scanreg restoring an older botched registry at some later date, if needed.

    For XP, I'm pretty sure System Restore is going to have to be turned off which deletes all current restore points. This takes care of the risk of a bad registry restore ala' XP.
     
    Last edited: 2004/05/03
  6. 2004/05/03
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Right on the button, Anne :D

    Hawk22 - sound advice, otherwise the risk of restoring the virus.
     
  7. 2004/05/04
    hawk22

    hawk22 Geek Member Thread Starter

    Joined:
    2002/01/31
    Messages:
    1,991
    Likes Received:
    26
    Hi there Ann, & Pete;
    Well, thank you both again. I actually have EZ or E Trust from Comp Assoc. running on my XP, courtesy of MS, the free update CD.
    Arie does recommend it highly so I am happy about that.
    Things have changed here very much, and I can only guess at what was going on. I am back in 98SE as if nothing had ever been wrong.
    My guess is: Ez E Trust AV that detected MyDoom on my C drive was actually recognizing the 2 infected files. Going back 2 months I had received 2 e-mails with attachments containing the My Doom virus (I did not open them); at the time I was running NOD32, which could not clean the virus, so I had taken the option to quarantine the files, and the same with the NetSky. Is it possible that the AV that I was running from within XP scanning files on 98SE did not recognize them as quarantine files?
    My being unable to work in 98SE could have been a coincidence, because I had just finished downloading the latest AV updates from Norton and I have read in this forum of members having had trouble after downloading and installing updates from Norton. Could this be the case??
    I have run Registry Mechanic (I like it, I find that I can trust it) and it could not find any problems in the registry.
    One thing that I would like to ask is, should I install on the 98SE OS the updates from the MS CD? I installed them on the XP setup. I can not remember which updates I have installed; all I know is it's not many.
    Somehow after a scare you become more conscious about your security.
    I will, just the same, just to be sure, run an AV scan from the link that you have given me.
    How my 98 SE found its way back to behaving normally I don't know, as with everything I tried it just froze; not even Ctrl-Alt-Delete would move it.
    I will let you know about the AV scan and if there is still any trace left.
    For now thank you again so much.
    Regards
    Hawk22
     
  8. 2004/05/04
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    I would recommend that you do - these will update you to Oct 2003 and you should then run Windows Update (think it still works for 98 - I'll check. Edit - No can do, forgot that there is no Internet connection on that m/c).
     