Solved

computer infected!! (probably by worm)

Posted on 2004-08-18
6
294 Views
Last Modified: 2013-12-29
Hi. I think my computer (Win 98) is infected by a worm.
The win.ini has had this line added: run=c:\windows\puta!!.com,c:\windows\natal.scr
but sometimes the c:\..\natal!.pif

The computer always hangs (I think low on resources).

Can anyone help me identify the infection and tell me what to do?

Thanks.
0
Question by:HLLau
6 Comments
 
LVL 32

Expert Comment

by:_
ID: 11838046
First thing to try is download Spybot, Adaware, and CWShredder (with current updates) and see if they will kill it. If you don't have anti-virus, get one of those also. AVG is free and pretty good.
Links and more info here:

http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html
0
 
LVL 6

Accepted Solution

by:
caza13 earned 50 total points
ID: 11838510
W32.Opaserv.AE.Worm


When W32.Opaserv.AE.Worm runs on Windows 95/98/Me-based computers, it does the following:

Attempts to create a mutex named 4wsDosFDPS! and exits if the mutex already exists. This ensures that only one instance of the worm is running on the computer.

Registers itself as a service process.

Lowers its priority so that it runs only when the system is otherwise idle.

Copies itself as %Windir%\Natal.scr.

Checks for the value:

Natal!Old

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If the value exists, the worm deletes the file to which the Natal!Old value points.


If the Natal!Old value does not exist, then the worm will determine whether the value:

Natal

exists in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If the value does not exist, the worm will add the value:

"Natal"="%Windir%\Natal.scr"

to that registry key.


Creates the file named C:\lammer!, which contains the text:

run=c:\windows\natal.scr

Attempts to contact a predetermined Web site, probably to update itself. The Web site was inactive at the time of this writing.

Uses a security vulnerability in Microsoft Windows 95/98/Me to spread to other computers. The worm sends single-character passwords to network shares, attempting to get access to other Windows 95/98/Me file shares without knowing the entire password. The affected systems include:

Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me

Attempts to copy itself as Natal.scr to vulnerable network shares.

Modifies the [windows] section of the %Windir%\Win.ini file by adding one of the following lines:

run= c:\windows\natal.scr
run= c:\lammer!

so that Windows 95/98/Me-based computers will run the worm each time you start Windows.

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.ae.worm.html
0
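The Win.ini persistence described in the accepted answer can be checked offline on a copy of the file. This is an added example, not part of the original thread or of the quoted write-up; the function name `scan_win_ini`, the sample text and the `c:\tools\clock.exe` entry are made up for illustration, and the suspect file names are the ones mentioned in this thread.

```python
import ntpath

# File names reported in this thread (question and quoted write-up).
SUSPECT_NAMES = {"natal.scr", "natal!.pif", "puta!!.com", "lammer!"}
AUTORUN_KEYS = ("run", "load")


def _is_suspect(path):
    """True if the file-name part of a Windows path is one of SUSPECT_NAMES."""
    return ntpath.basename(path.strip()).lower() in SUSPECT_NAMES


def scan_win_ini(ini_text):
    """Return (flagged, cleaned_text) for run=/load= lines in the [windows] section."""
    flagged, out, section = [], [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        name, sep, value = line.partition("=")
        key = name.strip().lower()
        if section == "windows" and sep and key in AUTORUN_KEYS:
            # The line in the question lists several programs separated by commas.
            items = [p.strip() for p in value.split(",") if p.strip()]
            flagged += [(key, p) for p in items if _is_suspect(p)]
            kept = [p for p in items if not _is_suspect(p)]
            # Rewrite the line with only the entries that were not flagged.
            raw = name.strip() + "=" + ",".join(kept)
        out.append(raw)
    return flagged, "\n".join(out)


# Constructed sample: a win.ini fragment built from the lines quoted in the
# thread plus one made-up legitimate entry (c:\tools\clock.exe).
SAMPLE = "\n".join([
    "[windows]",
    "load=",
    r"run=c:\windows\puta!!.com,c:\tools\clock.exe,c:\windows\natal.scr",
    "NullPort=None",
    "[Desktop]",
    r"run= c:\lammer!",  # outside [windows], so it is not treated as an autorun line
])

if __name__ == "__main__":
    hits, cleaned = scan_win_ini(SAMPLE)
    for key, path in hits:
        print("suspect %s= entry: %s" % (key, path))
    print(cleaned)
```

The cleaned text only rewrites the startup lines; the files themselves and the `Natal` value under the `Run` registry key still have to be dealt with separately.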
 
LVL 92

Expert Comment

by:nobus
ID: 11838887
download stinger, adaware and spybot and run them first

Spybot :       http://www.download.com/3000-8022-10122137.html
adaware :  http://www.lavasoftusa.com/
STINGER   http://www.chip.de/downloads/c_downloads_11105456.html

nobus
0
 
LVL 38

Expert Comment

by:BillDL
ID: 11841927
HLLau.

Some of the good advice above relies on a knowledge of using Regedit to make changes to your Registry.  Is this something you are familiar with, or would you need further advice on what to do?  If so, please ask for it, because it's not difficult to do but can cause more problems than you have if you do something wrong.

Not sure if you know this, but a good Windows utility for selectively disabling entries in your text-based system files and also items that start up automatically is MSCONFIG.

Start Menu > RUN option > and type MSCONFIG > click "OK".

Unchecking items in the autoexec.bat and the .ini files will "remark them out" so that they are not read.  You can later open the files (Start > Run > and type SYSEDIT > click "OK") and delete them permanently.

This is just extra information that might help if you are still left with problems after running Stinger, Adaware, and SpyBot.
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 11843930

Hi. I think my computer (Win 98) is infected by a worm.
The win.ini has had this line added: run=c:\windows\puta!!.com,c:\windows\natal.scr
but sometimes the c:\..\natal!.pif

The computer always hangs (I think low on resources).

Boot into DOS, and delete the following files (del filename):

c:\windows\puta!!.com
c:\windows\natal.scr
c:\..\natal!.pif                         (if you can find it!)
c:\lammer!

Once you have done that, you will be able to boot into windows, although you will probably receive a whole load of errors about being unable to find files (which you can ignore). You can run any of the aforementioned utilities.

Then after reflecting on how lucky you are not to have lost all your data, you need to go out and get an up to date anti virus solution, and update the virus signatures regularly!

Next use the update tool in Internet Explorer to ensure that all your security updates have been carried out:
Menu: Tools->Windows update.

If you've never done this before, it'll take some time, and a number of reboots, but it does ensure that your system is better protected than it has been before!

HTH:)

Remember that the files may try and hide themselves from DOS, but the attrib *.* will always reveal them!


0
 

Author Comment

by:HLLau
ID: 11848773
Thanks, you guys, for your comments. I have checked the registry and there isn't anything wrong with it.

Anyway, thanks again!!
0


Question has a verified solution.
