

Backdoor.optix virus


Name: Mark
Date: August 31, 2002 at 18:41:34 Pacific
Comment:

Hi all,
I have Win98 and the Backdoor.Optix virus. I have reinstalled Win98 and got most functions back running. All anti-virus and security programs will not work, and even email and secure websites are shut down by this virus. I have run anti-virus (with the latest protection) in safe mode and it doesn't pick up the virus... please help me remove it.

Thanks
Mark




Response Number 1
Name: Tank863
Date: August 31, 2002 at 19:15:04 Pacific
Reply:

Mark,

1. Start Windows Explorer.
2. Browse to the folder where Windows is installed. By default this is C:\Windows or C:\Winnt.
3. Locate and delete the Winstart.bat file.

Delete the Winstart.bat file
This is necessary only if Backdoor.Optix was detected on your computer.

Most variants of Backdoor.Optix will create a batch file named Winstart.bat in the %Windows% folder. Winstart.bat is a standard Windows file that can be created and used by programs when you install software. If the Winstart.bat file exists, it will run when you start Windows, and any commands in it will be executed.

NOTE: %Windows% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

Backdoor.Optix keeps a second copy of itself on the hard drive. It also may add commands to the Winstart.bat, so that if you delete the Trojan from its original location, when Winstart.bat is run, it will recreate the Trojan file.

Additional information:

If a backdoor Trojan was successfully installed on the computer, it is possible that your system has been accessed remotely by an unauthorized user. For this reason it is impossible to guarantee the integrity of a system that has had such an infection. The remote user could have made changes to the system, including but not limited to the following:

* Stealing or changing passwords or password files
* Installing remote-connectivity host software, also known as backdoors
* Installing keystroke logging software
* Configuring firewall rules
* Stealing credit card numbers, banking information, personal data, and so on
* Deleting or modifying files
* Sending inappropriate or even incriminating material from a customer's email account
* Modifying access rights on user accounts or files
* Deleting information from log files to hide such activities


To be certain that your organization is secure, you must reinstall the operating system, restore files from a backup that was made before the infection took place, and change all passwords that may have been on the infected computers or that were accessible from it. This is the only way to ensure that your systems are safe. For more information regarding security in your organization, contact your system administrator.

There are several variants to this virus/trojan that require different steps to remove...

Follow the above advice, then my personal advice outlined below...

1) Update your antivirus software and run a full scan of your system.
If you do not have an antivirus program... go to http://www.grisoft.com/html/us_index.htm and download this very good free anti-virus program.

100% detection rate of AVG Anti-Virus System is continuously certified by independent ICSA laboratories

2) Use a software firewall... if you don't have one... download the free version of ZoneAlarm from:
http://www.zonelabs.com/

The award-winning personal firewall automatically blocks dangerous Internet threats - known and unknown - guarding your PC from hackers and data thieves. ZoneAlarm provides the basic protection individuals need to secure their PC and keep their valuable information private.

this will prevent anyone from accessing your computer.

3) Go to http://www.majorgeek.com/index2.html or http://www.lsfileserv.com/ and download their free program called Ad-aware 5.81.
This will remove any spyware that is on your system.

Ad-aware is a free multi spyware removal utility that scans your memory, registry and hard drives for known spyware and scumware components and lets you remove them safely. It is updated frequently.


4) Go to: http://www.finjan.com/
and download SurfinGuard® Pro 5.7 - Beta.
SurfinGuard® Pro protects PC users from new, unknown Internet threats by monitoring and containing the behavior of downloaded programs and active content. SurfinGuard Pro runs active content (e.g., executables, ActiveX, scripts, Windows scripting files and Java) in a protected "sandbox" called the Safe Zone that automatically blocks potentially hostile actions.

5) Go to http://lockdowncorp.com/bots/downloadswatit.html
and download a program called Swat-It. It will remove trojans and bots.

Swat It is a Completely FREE program that scans your files for Trojans, Worms, Bots and other Hacker programs. Swat It can detect and remove over 3000 different Trojan programs plus variants.

6) Go to: http://www.diamondcs.com.au/ and download TDS Ver 3.21. It is a trial for a Trojan finder and removal tool.

The world's most comprehensive anti-trojan system just got even better!
There are several anti-trojan systems in existence, but none can even be compared to TDS.

This will help... I know it is a lot... but you will be safe...

Tank863



Response Number 2
Name: Jaz
Date: August 31, 2002 at 21:45:30 Pacific
Reply:

Mark, find Winstart.bat and delete it. That file recreated the optix trojan. Then run a virus scan here:

http://housecall.antivirus.com/

If that scan doesn't find anything download Startlog.com from here and run it. Then copy and paste the results of just Startlog (not the stubpaths file) to your reply here.

http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html




Response Number 3
Name: Mark
Date: September 1, 2002 at 15:50:22 Pacific
Reply:

Thanks guys,

It infected wmmiexe.exe and this was cleaned, but it still must be in there somewhere because all the anti-virus and security problems are still there. I have looked for winstart.bat and it's not there, and I also looked in the registry, but it has to be there; it's driving me nuts. I don't know if you can help, but anything would be appreciated. Could it be attached to the anti-virus programs? In files or the registry?

Thanks for the help.

Mark



Response Number 4
Name: Mark
Date: September 1, 2002 at 16:02:05 Pacific
Reply:

Thanks Jaz, is this what you needed?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SAITEKAUTOCONFIGURE"="C:\\Program Files\\Saitek\\Saitek Gaming Extensions\\saicnfig.exe /autorun"
"iamapp"="C:\\Program Files\\Norton Internet Security\\IAMAPP.exe"
"NvInitialize"="RUNDLL32.EXE NVQTWK.DLL,NvXTInit"
"EnsoniqMixer"="starter.exe"
"Trickler"="\"c:\\windows\\system\\fsg_3202.exe\""
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~1.DLL,NewDotNetStartup"
"KazaaLoader"="c:\\windows\\win32loader.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\NAVAPW32.exe"
"NPROTECT"="C:\\Program Files\\Norton SystemWorks\\Norton Utilities\\NPROTECT.exe"

Mark



Response Number 5
Name: Jaz
Date: September 1, 2002 at 22:55:28 Pacific
Reply:

Well that's not the whole Startlog. Can you paste all of it here?

You mentioned that your anti-virus and security programs won't work. Did you try uninstalling then reinstalling them?

This entry is spyware:

"Trickler"="\"c:\\windows\\system\\fsg_3202.exe\""

Click start--run--type msconfig--ok. Open the startup tab and uncheck it.

This is garbage you don't need:

"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~1.DLL,NewDotNetStartup"

Uncheck it in msconfig also.

This entry is suspicious to me:

"KazaaLoader"="c:\\windows\\win32loader.exe"

I did a quick web search and found no info on either KazaaLoader or win32loader.exe. Do you have Kazaa installed? Do you know for sure if that's part of Kazaa? I wonder if it could be the optix trojan disguised as a kazaa file? As a test uncheck it in msconfig also then ok out and restart. Then see if your antivirus and firewall work then and if everything is back to normal. Let us know.


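A small triage helper for a pasted Run-key export like the one Mark posted, written here as an added example (it is not code from this thread or from any of the tools mentioned in it): it undoes the REG_SZ escaping, works out which file each entry really loads (including the DLL behind a rundll32 entry), and flags non-baseline binaries sitting in the Windows directory, which is what the three entries Jaz picked out have in common. The baseline set of Windows 98 startup components is an assumption, and the sample export is constructed from the entries discussed above.

```python
import re

# Constructed sample in the export format pasted in this thread (REG_SZ escaping: \\ and \").
SAMPLE_RUN_EXPORT = r'''
"Trickler"="\"c:\\windows\\system\\fsg_3202.exe\""
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~1.DLL,NewDotNetStartup"
"KazaaLoader"="c:\\windows\\win32loader.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\NAVAPW32.exe"
'''
# Assumed (not authoritative) baseline of Windows 98 startup components named in the thread.
BASELINE = {"scanregw.exe", "taskmon.exe", "systray.exe", "powrprof.dll"}
WINDIR_RE = re.compile(r"^[a-z]:\\win(dows|nt)(\\system(32)?)?$")
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s: str) -> str:
    # Undo REG_SZ escaping: a backslash-escaped backslash or quote becomes the bare character.
    return re.sub(r"\\(.)", r"\1", s)

def launched_module(command: str) -> str:
    """Return the file a Run command really loads: the quoted/first token, or the DLL for rundll32."""
    command = command.strip()
    if command.startswith('"'):
        program, _, rest = command[1:].partition('"')
    else:
        program, _, rest = command.partition(" ")
    if program.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        return rest.strip().split(",", 1)[0].strip()  # rundll32 <dll>,<entrypoint>
    return program

def triage(module: str) -> str:
    directory, _, base = module.lower().rpartition("\\")
    if base in BASELINE:
        return "baseline"
    if not directory:
        return "review: bare filename, resolved through the search path"
    if WINDIR_RE.match(directory):
        return "review: non-baseline binary in the Windows directory"
    return "third-party path, confirm the vendor"

def triage_run_export(text: str) -> list:
    # Return (value name, loaded module, verdict) for every entry in a pasted Run key export.
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # skip key headers and blank lines
            module = launched_module(unescape(m.group(2)))
            findings.append((unescape(m.group(1)), module, triage(module)))
    return findings
```

A "review" verdict is a prompt to look the file up, not a malware verdict; unknown third-party loaders in the Windows directory are exactly the kind of entry worth unchecking in msconfig as a test, as Jaz suggests.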




Response Number 6
Name: josh kraft
Date: September 5, 2002 at 18:24:21 Pacific
Reply:

I just restored the registry from DOS...

scanreg /restore



Response Number 7
Name: Wayne
Date: September 9, 2002 at 16:41:44 Pacific
Reply:

I got the virus also. I have got rid of the wmmiexe.exe file, but do not have a Winstart.bat file on my system. I did a virus scan using my Norton rescue disks and it did not find any more viruses. I have reloaded Win98 and Norton SystemWorks. All Norton programs will not run and shutdown takes forever!



Response Number 8
Name: Wayne
Date: September 9, 2002 at 19:09:28 Pacific
Reply:

OK, by using EXE SPY, I found that spooll32.exe was executing every 40 seconds. This is about the same time my Norton splash screen would stay open before closing itself. I went to msconfig and disabled vscanner, which uses spooll32.exe, and restarted. Norton works fine now. I ran LiveUpdate and scanned the system. No virus found.
EXE SPY reported the following info about the spooll32.exe (before I disabled it):
Function Called: Reg Create Key
Caller: FC70D249 Spooll32
Parameters: 80000002,SYSTEM\Current Control Set\Hardware Profiles\Current\Software\Microsoft\windows\Current Version

I can't find this in the registry.... Anyone got any idea how to find and stop it???


