

How can I get my PC to boot after a sleeper virus?
November 10, 2005 4:16 AM

I got virused (a wininit.exe problem) on my computer about ten days ago, and after I thought I had cleaned it, it seems to have zapped me with a sleeper program and now I can't boot to windows, even in Safe Mode. Help!

The virus was originally a Tspy_ALEMOD.A that came with a bunch of search toolbars. I ran HijackThis, Spybot, AdAware, and then online checked with Panda scan and with Symantec's Trend Micro, which found and deleted 6 viruses, but could not delete the Tspy-ALEMOD_A found in Windows/System/WININET.DLL.

I use Windows 98 SE, and I have had problems with using Firewalls, because I am connected as a slave machine to a computer (Windows 2000 XP) that has a strong firewall and Norton, and was not affected at all.

Much googling later, I thought I had been able to replace the infected wininet.dll by using the "restore" function in my Control Panel add/remove programs box. I was suspicious though, because there seemed to be some bugginess when I was running certain programs.

This morning when I try to turn on the PC, it gets through running the initial boot sequence, and then, instead of going to the windows startup wallpaper prior to starting it simply says C:/WINDOWS/WININET.EXE then C:/ and then a line with a bunch of random (?) letters. Within five seconds it tells me it is now safe to turn my computer off. Can't get it to start Safe mode, either. Was able to run Command prompt with a floppy and a CD, though.

I was able to run scandisk using my Floppy startup disk, and I have the original Windows 98 CD in the drive. Any way I can get this old warhorse running? I suspect I would have to replace a corrupted wininit.dll via dos or something, any advice?
posted by zaelic to computers & internet (23 comments total)
Hmmm... seems spellcheck could be on strike today... sorry. I actually do speak English...
posted by zaelic at 4:17 AM on November 10, 2005


My memory of 98 is not so good. If you boot from the CD, are you given an option to repair/reinstall windows?
posted by Optamystic at 4:25 AM on November 10, 2005


Post the contents of AUTOEXEC.BAT here.
posted by flabdablet at 4:50 AM on November 10, 2005


Win98 is completely DOS-based, so you should be able to boot to a command prompt. Try pressing F8 the second you hear the "beep" after the initial memory check (basically, right after you boot up your computer). You'll be presented with a list of boot options. Boot into command prompt and see if you can navigate around (you remember your DOS commands, right?) Find the file WININET.EXE and WININET.DLL from your Win98 CD. They might be compressed, so they'll be called WININET.EX_ and WININET.DL_ -- there is a program called EXPAND that decompresses the files. Copy them over the old versions.

You'll probably have to replace more than just these two files, however. I'd suggest backing up everything that matters to you and doing a fresh installation after formatting the HD. (aka, "Nuke the drive from orbit... it's the only way to be sure.")
posted by Civil_Disobedient at 4:59 AM on November 10, 2005


Post the contents of AUTOEXEC.BAT here

Would love to. How do I do that? Can I access this using a command prompt? I can't boot to windows. I am using my girlfriend's computer to write this.

you remember your DOS commands, right?

No. I've been in DOS at times when I had instructions from off of said girlfriend's computer, which is one meter away from mine...

there is a program called EXPAND that decompresses the files. Copy them over the old versions.

Hopefully I will be able to find this program when I am in DOS, yes? I'm not touching anything just yet. Still googling for more answers, so that I can maybe describe the problem better, thanks!
posted by zaelic at 5:12 AM on November 10, 2005


Did you attempt to reboot and press F8 as mentioned previously? That should dump you to the command prompt.
posted by Civil_Disobedient at 6:54 AM on November 10, 2005


I have managed to get as far as command prompt.
posted by zaelic at 7:45 AM on November 10, 2005


To get the contents of the autoexec at the command prompt, type "type c:\autoexec.bat", without the quotation marks. To copy it to a disk: "copy c:\autoexec.bat a:".
posted by prentiz at 8:06 AM on November 10, 2005


Hmmm.. did that, no results. copy c:\autoexe.bat then tells me file cannot be copied onto itself. I put a floppy into the A drive... am I missing some prompt?

When I typed in "type c:\autoexec.bat" the screen shows info about Java settings...
posted by zaelic at 8:26 AM on November 10, 2005


The command should be "copy c:\autoexec.bat a:"
(without the quotes, but everything between the quotes)

I'm pretty sure WININET.EXE is not a legitimate file.

There's an account of what is likely to have happened here. See if it makes sense.
posted by grahamwell at 8:36 AM on November 10, 2005


I saw that page on the Wotron worm. The problem is, I can't get into my registry to clean and check anything via DOS, and I can't even get as far as Safe Mode in windows before the worm turns my computer off. I can get into prompt command, though.

I was able to copy the autoexec.bat file, now I am struggling with my girlfriend's A drive, which is being a bastid... not recognizing any disc... hang on...
posted by zaelic at 8:40 AM on November 10, 2005


Would you do one other thing? Just check and see if the file c:\windows\wininet.exe actually exists.

"c:"
"cd\windows"
"dir wininet.exe"

Will either print out the size date etc, or tell you "file not found"
posted by grahamwell at 8:46 AM on November 10, 2005


I believe the file is put in the /system directory, grahamwell.

Ok, do this:

C:>cd\windows
C:\WINDOWS>ren wininet.exe wininet.old
C:\WINDOWS>cd system
C:\WINDOWS\SYSTEM>ren wininet.exe wininet.old

Now reboot.
posted by Civil_Disobedient at 8:53 AM on November 10, 2005


grahamwell: the PC says: Volume in drive C has no label
Volume Serial number is 144A-16F5
Directory of C:\windows

Civil: The answer to both commands was "File not found"

When I did the original virus scans the infected file, which could not be cleaned, was C:\WINDOWS/system/wininet.dll

Should I attack the original .dll file?
posted by zaelic at 9:01 AM on November 10, 2005


grahamwell: The info on the dir wininet.dll check was:
DLL 585,728 11-04-05 1:17 p
1 file 585,728 bytes

Which is the date and time of the attack.
posted by zaelic at 9:04 AM on November 10, 2005


Oh, yeah. Forgot about the .dll. Do the above steps, only substitute .DLL for .EXE.
posted by Civil_Disobedient at 9:15 AM on November 10, 2005


It looks as though wininet.dll could use replacing. I'm puzzled by the error message you get when starting though, did you get it right in saying it was "c:\windows\wininet.exe ...."?

There may be a problem here. This file may exist and be hidden, or being requested in such a way that a failure causes the machine to crash.

What would be requesting it? Possibly the autoexec.bat, config.sys, (in c:\) the win.ini and system.ini files (in c:\windows) or the registry on startup. That's about it. The best thing to do would be to check all of these files. A nasty shortcut would be to try and copy a known file, for example notepad.exe to wininet.exe - firstly to see if you can (if there is a hidden file there then you won't be able to) and then to see what happens ;-).

I'd like a second opinion here though, perhaps from the much more attentive Civil (seriously) - follow his advice first.
posted by grahamwell at 9:18 AM on November 10, 2005
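The check suggested in the post above, as an added example that is not part of the original thread: it scans the four startup files named there for entries that launch a given program. The key names (load=, run=, shell=, device=, install=) are standard Windows 9x settings not spelled out in the thread, the function names are hypothetical, and the file contents are constructed samples.

```python
# Keys that start programs in the files named in the post above.
INI_KEYS = {
    "win.ini": {"windows": ("load", "run")},
    "system.ini": {"boot": ("shell",)},
}
CONFIG_SYS_KEYS = ("device", "devicehigh", "install", "shell")

def launch_entries(name, text):
    """Yield (location, command) for each line of a startup file that runs something."""
    name, section = name.lower(), None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] == ";":
            continue                      # blank line or INI comment
        if name == "autoexec.bat":
            if not line.lower().startswith(("rem ", "::")):
                yield "command", line     # every non-comment batch line executes
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            key = key.lower()
            if name == "config.sys":
                if key in CONFIG_SYS_KEYS and value:
                    yield key + "=", value
            elif key in INI_KEYS.get(name, {}).get(section, ()) and value:
                yield "[%s] %s=" % (section, key), value

def find_references(files, target):
    """Return (file, location, command) for launch entries that mention target."""
    target = target.lower()
    return [(name.lower(), where, cmd)
            for name, text in files.items()
            for where, cmd in launch_entries(name, text)
            if target in cmd.lower()]

# Constructed sample contents, as copied off the machine to a floppy.
SAMPLE = {
    "AUTOEXEC.BAT": "@ECHO OFF\nREM wininet.exe was mentioned here\n"
                    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n",
    "CONFIG.SYS": "DEVICE=C:\\WINDOWS\\HIMEM.SYS\n",
    "WIN.INI": "[windows]\nload=\nrun=C:\\WINDOWS\\WININET.EXE\n"
               "[Desktop]\nWallpaper=wininet.exe.bmp\n",
    "SYSTEM.INI": "[boot]\nshell=Explorer.exe\n",
}

if __name__ == "__main__":
    for hit in find_references(SAMPLE, "wininet.exe"):
        print(hit)
```

Mentions of the file name in comments or in keys that do not launch anything, such as the wallpaper entry in the sample, are ignored.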


Tried Civil's advice, but on reboot the same problem occurs... WININIT.EXE. Because I can't get to windows or safe mode I can't really copy anything.

Further surfing suggested renaming the wininit.exe or dll in my system 32 cache, but now it doesn't find that either. Asking dir wininet.exe still locates the same info however.
posted by zaelic at 9:25 AM on November 10, 2005


Here is the best explanation of the original virus.
posted by zaelic at 9:34 AM on November 10, 2005


I've put my copy of the wininit.dll in the mail to your hotmail address. Try extracting from the CDs first, but it is tricky, so this may help (of course if yours is Hungarian windows, service pack 2004345/x then it may make matters worse ;-)

Forgive this comment but are you absolutely sure you can't get into safe mode? It's an absolute bitch, even when everything is working properly. I find it takes about four goes before I get the timing just precisely right.

If you can copy the files c:\autoexec.bat, c:\config.sys, c:\windows\system.ini and c:\windows\win.ini, then either post them up here or return my mail.

Best of luck.
posted by grahamwell at 9:36 AM on November 10, 2005


Thanks grahamwell. I have been trying to get into safe mode all day. I may stop off at a friend's place tonite and email the autoexec.bat info later - the PC I am working on can't deal with floppies...

Thanks again.
posted by zaelic at 9:43 AM on November 10, 2005


I copied those files in DOS to a floppy, and will send them tonite or tomorrow, Grahamwell.
posted by zaelic at 10:13 AM on November 10, 2005


Hi Zaelic,

As mentioned on the Symantec page linked earlier in this thread, you have a hosed registry value. That very critical value is the reason that you can't boot into Windows.

I've created a .reg file that will correct the value for you:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

Simply copy the FOUR lines above, including the blank line after "REGEDIT4", and then paste them into a file called (for example) FIXIT.REG.

Copy fixit.reg to a floppy. Boot your sick machine into DOS and then run the fixit file from an A:\ prompt with this command.

c:\windows\regedit fixit.reg

Once you've done that, you should be able to boot into Windows again.

Replacing your corrupted wininet.dll file is a different story... Pulling up properties on URLMON.DLL will give you a clue as to which version of wininet.dll is required. Typically, but not always, these two files are synced up by version number.
posted by shinybeast at 4:49 PM on November 10, 2005
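A way to verify the value discussed in the answer above, as an added example that is not part of the original thread: it parses a REGEDIT4 export and reports any executable open handler that differs from the default the fix file restores. Checking comfile and batfile goes beyond the thread (they normally hold the same default), the function names are hypothetical, and the hijacked export is a constructed sample.

```python
import re

# Default handler that the FIXIT.REG above restores for exefile. comfile and
# batfile normally hold the same default; checking them is a generalization.
EXPECTED = '"%1" %*'
BASE = "hkey_local_machine\\software\\classes\\"
WATCHED = {BASE + c + "\\shell\\open\\command" for c in ("exefile", "comfile", "batfile")}

def unescape(raw):
    """Undo .reg string escaping: backslash-quote and doubled backslash."""
    return re.sub(r'\\(["\\])', r"\1", raw)

def parse_defaults(reg_text):
    """Return {lowercased key path: default (@) string} from a REGEDIT4 export."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            defaults[key] = unescape(line[3:-1])
    return defaults

def hijacked_handlers(reg_text):
    """List (key, value) for watched handlers that are not the expected default."""
    found = parse_defaults(reg_text)
    return sorted((k, v) for k, v in found.items() if k in WATCHED and v != EXPECTED)

# The thread's fix file, then a constructed export showing a hijacked handler.
FIXIT_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''
HIJACKED_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\WININET.EXE \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, value in hijacked_handlers(HIJACKED_REG):
        print("unexpected handler:", key, "->", value)
```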

