Solved

computer infected!! (probably by worm)

Posted on 2004-08-18
Last Modified: 2013-12-29
hi. i think my computer (win 98) is infected by a worm.
this line was added to the win.ini: run=c:\windows\puta!!.com,c:\windows\natal.scr
but sometimes it is c:\..\natal!.pif

the computer always hangs (i think it is low on resources)

can anyone help me identify the infection and tell me what to do?

thanks..
Question by:HLLau
6 Comments
 
LVL 32

Expert Comment

by:_
ID: 11838046
First thing to try is to download Spybot, Adaware, and CWShredder (with current updates) and see if they will kill it. If you don't have anti-virus, get one of those also. AVG is free and pretty good.
Links and more info here:

http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html
0
 
LVL 6

Accepted Solution

by:
caza13 earned 50 total points
ID: 11838510
W32.Opaserv.AE.Worm


When W32.Opaserv.AE.Worm runs on Windows 95/98/Me-based computers, it does the following:

Attempts to create a mutex named 4wsDosFDPS! and exits if the mutex already exists. This ensures that only one instance of the worm is running on the computer.

Registers itself as a service process.

Lowers its priority so that it runs only when the system is otherwise idle.

Copies itself as %Windir%\Natal.scr.

Checks for the value:

Natal!Old

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If the value exists, the worm deletes the file to which the Natal!Old value points.


If the Natal!Old value does not exist, then the worm will determine whether the value:

Natal

exists in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If the value does not exist, the worm will add the value:

"Natal"="%Windir%\Natal.scr"

to that registry key.


Creates the file named C:\lammer!, which contains the text:

run=c:\windows\natal.scr

Attempts to contact a predetermined Web site, probably to update itself. The Web site was inactive at the time of this writing.

Uses a security vulnerability in Microsoft Windows 95/98/Me to spread to other computers. The worm sends single-character passwords to network shares, attempting to get access to other Windows 95/98/Me file shares without knowing the entire password. The affected systems include:

Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me

Attempts to copy itself as Natal.scr to vulnerable network shares.

Modifies the [windows] section of the %Windir%\Win.ini file by adding one of the following lines:

run= c:\windows\natal.scr
run= c:\lammer!

so that Windows 95/98/Me-based computers will run the worm each time you start Windows.

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.ae.worm.html
0
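A check for the Win.ini persistence described in the answer above, added here as an example; it is not part of the original thread or of the Symantec write-up. It parses a copy of Win.ini, reads the run= and load= entries of the [windows] section, and flags any whose file name matches one named in this thread. The function names and the sample file are constructed for illustration, and paths are assumed to contain no spaces.

```python
import ntpath

# File names mentioned in this thread (question and accepted answer).
THREAD_INDICATORS = {"natal.scr", "puta!!.com", "natal!.pif", "lammer!"}


def autorun_entries(win_ini_text):
    """Yield (key, path) for each run=/load= entry in the [windows] section."""
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue  # only the [windows] section autostarts programs
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ("run", "load"):
            continue
        # Several programs may be listed, separated by commas or spaces.
        for item in value.replace(",", " ").split():
            yield key, item


def suspicious_entries(win_ini_text, indicators=THREAD_INDICATORS):
    """Return autorun entries whose file name matches a known indicator."""
    return [(key, path) for key, path in autorun_entries(win_ini_text)
            if ntpath.basename(path).lower() in indicators]


# Constructed sample, modelled on the line the asker reported.
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\puta!!.com,c:\windows\natal.scr
NullPort=None

[Desktop]
Wallpaper=(None)
run=c:\windows\natal.scr
"""

if __name__ == "__main__":
    for key, path in suspicious_entries(SAMPLE_WIN_INI):
        print(f"{key}= entry matches a file name from this thread: {path}")
```

The run= line under [Desktop] in the sample is ignored on purpose, because only the [windows] section is processed at startup.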
 
LVL 92

Expert Comment

by:nobus
ID: 11838887
download stinger, adaware and spybot and run them first

Spybot :       http://www.download.com/3000-8022-10122137.html
adaware :  http://www.lavasoftusa.com/
STINGER   http://www.chip.de/downloads/c_downloads_11105456.html

nobus
0
 
LVL 38

Expert Comment

by:BillDL
ID: 11841927
HLLau.

Some of the good advice above relies on a knowledge of using Regedit to make changes to your Registry.  Is this something you are familiar with, or would you need further advice on what to do?  If so, please ask for it, because it's not difficult to do but can cause more problems than you have if you do something wrong.

Not sure if you know this, but a good Windows utility for selectively disabling entries in your text-based system files and also items that start up automatically is MSCONFIG.

Start Menu > RUN option > and type MSCONFIG > click "OK".

Unchecking items in the autoexec.bat and the .ini files will "remark them out" so that they are not read.  You can later open the files (Start > Run > and type SYSEDIT > click "OK") and delete them permanently.

This is just extra information that might help if you are still left with problems after running Stinger, Adaware, and SpyBot.
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 11843930

hi. i think my computer (win 98) is infected by worm.
the win.ini is added this line run=c:\windows\puta!!.com,c:\windows\natal.scr
but sometimes the c:\..\natal!.pif

the computer always hangs (i think low in resources)

Boot into DOS, and delete the following files (del filename):

c:\windows\puta!!.com
c:\windows\natal.scr
c:\..\natal!.pif                         (if you can find it!)
c:\lammer!

Once you have done that, you will be able to boot into windows, although you will probably receive a whole load of errors about being unable to find files (which you can ignore). You can run any of the aforementioned utilities.

Then after reflecting on how lucky you are not to have lost all your data, you need to go out and get an up to date anti virus solution, and update the virus signatures regularly!

Next use the update tool in internet explorer to ensure that all your security updates have been carried out:
Menu: Tools->Windows update.

If you've never done this before, it'll take some time, and a number of reboots, but it does ensure that your system is better protected than it has been before!

HTH:)




remember that the files may try and hide themselves from DOS, but the attrib *.* will always reveal them!


0
 

Author Comment

by:HLLau
ID: 11848773
thanks you guys for your comments. i have checked the registry and there isn't anything wrong with it.

anyway thanks again!!
0
