Trojan problem. There must be a way to get rid of it
Trojan problem. There must be a way to get rid of it
Thursday, July 14, 2005 at 6:25 am
Posted by Shannon33 (2 messages posted)

I used Trend Micro online scan, and it found a trojan called SAGIC15. It gives directions on how to remove it. The only problem is, this trojan has taken over as Administrator of my PC. I cannot access anything in the Control Panel, and I can't access the list of running tasks, even in safe mode. I can still run my Ad-Aware and Spybot Search and Destroy, however they come up clean (again, even in safe mode). I have Windows ME, and am wondering if there is anything else I can try in order to rid my machine of this problem. When I turn on my PC, I get a log-in prompt with my name already in the box, and I just X it and Windows will go ahead and start. When I removed my name and typed in Administrator, Windows still started up, but I don't think I was actually logged on as Administrator, because I never set a password, and so I first tried it w/o a password, and then with a password (just a random string of letters), and Windows still came up. Does anyone have a suggestion? Thanks for your time, and sorry for the long post!!


re: Trojan problem. There must be a way to get rid of it
Thursday, July 14, 2005 at 2:35 pm
Posted by Jack Gulley (5917 messages posted)

Sounds like you and a very few others who run Windows ME have had a lot of problems getting rid of this thing. There is almost no information on it, so it must be something new.

First step is you need to boot the system from a Windows ME boot diskette (or an image of one on a bootable CD). You can make one on any Windows ME system in Control Panel, Add/Remove Programs, Startup Disk tab. If you do not have one and cannot get to Add/Remove Programs, you will have to have someone make one for you on a Windows ME system. If necessary, you could use a Windows 98 boot diskette if that is all you have or can get. But the first step requires deleting some files with DOS.

Boot with the Windows ME startup diskette and at the DOS prompt delete the hidden System Restore folder and files. Use:

DELTREE  C:\_RESTORE

This should remove all of the System Restore files.

Then delete all of the TEMP files with:

DELTREE  C:\WINDOWS\TEMP\*.*

It will prompt you for all of the folders in your Windows\Temp folder. Delete them.

With the basic clean up done, remove the boot diskette and reboot the system. The next step is to try to find the module causing the problem. The TrendMicro virus scan should give you the exact location and module name of the module(s) causing the problem. Write the whole path and name down so that you can later boot with the Windows ME boot diskette and use DOS to rename or remove the modules.

I would also recommend running the OnLine scan from CA eTrust 'Scan for Virus' (click on the "Scan for Virus" link on their web page), as they are currently doing a better job of finding and removing new threats of this type.

If you can locate module names (most likely random names) of the DLL files of the Trojan, and the AV scans do not delete them all, you can use the Windows ME startup diskette and DOS to rename or delete these modules. It might be best to post what path/names you find first. Also keep in mind that this type of Trojan often has more than one copy of itself on your system, makes new copies each time you reboot and prevents you from deleting the active copy while Windows is running, even in Safe Mode.


re: Trojan problem. There must be a way to get rid of it
Friday, July 15, 2005 at 8:18 am
Posted by Shannon33 (2 messages posted)

Thanks for responding, Jack. You have given me the best, most comprehensive advice. I am now running the online scan from the link you gave me. And I will get a friend to make me a boot diskette this weekend. I am considering changing to Windows XP in the near future. Do you think it is better security-wise than ME? I don't know how I got this trojan problem, because I am very careful and don't open attachments, or go to any crazy sites, and ALWAYS keep my AV stuff up to date. Again, thanks for the great info!!! And have a nice weekend!!


On Thursday, July 14, 2005 at 2:35 pm, Jack Gulley wrote:
>Sounds like you and a very few others who run Windows ME have had a lot of problems
>getting rid of this thing. There is almost no information on it, so it must be something
>new.
>
>First step is you need to boot the system from a Windows ME boot diskette
>(or an image of one on a bootable CD). You can make one on any Windows ME system
>in Control Panel, Add/Remove Programs, Startup Disk tab. If you do not have one and
>cannot get to Add/Remove Programs, you will have to have someone make one for you
>on a Windows ME system. If necessary, you could use a Windows 98 boot diskette if that
>is all you have or can get. But the first step requires deleting some files with
>DOS.
>
>Boot with the Windows ME startup diskette and at the DOS prompt delete the hidden
>System Restore folder and files. Use:
>
>DELTREE C:\_RESTORE
>
>This should remove all of the System Restore files.
>
>Then delete all of the TEMP files with:
>
>DELTREE C:\WINDOWS\TEMP\*.*
>
>It will prompt you for all of the folders in your Windows\Temp folder. Delete
>them.
>
>With the basic clean up done, remove the boot diskette and reboot the system.
>The next step is to try to find the module causing the problem. The TrendMicro virus
>scan should give you the exact location and module name of the module(s) causing
>the problem. Write the whole path and name down so that you can later boot with the
>Windows ME boot diskette and use DOS to rename or remove the modules.
>
>I would also recommend running the OnLine scan from CA eTrust 'Scan for Virus'
>(click on the "Scan for Virus" link
>on their web page), as they are currently doing a better job of finding and removing
>new threats of this type.
>
>If you can locate module names (most likely random names) of the DLL files of
>the Trojan, and the AV scans do not delete them all, you can use the Windows ME startup
>diskette and DOS to rename or delete these modules. It might be best to post what
>path/names you find first. Also keep in mind that this type of Trojan often has more
>than one copy of itself on your system, makes new copies each time you reboot and
>prevents you from deleting the active copy while Windows is running, even in Safe
>Mode.
