  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 296

Computer infected!! (probably by a worm)

Hi. I think my computer (Win 98) is infected by a worm.
This line was added to win.ini: run=c:\windows\puta!!.com,c:\windows\natal.scr
but sometimes it is c:\..\natal!.pif

The computer always hangs (I think it is low on resources).

Can anyone help me identify the infection and tell me what to do?

Thanks.
0
HLLau
Asked:
HLLau
1 Solution
 
_Commented:
First thing to try is download Spybot, Adaware, and CWShredder (with current updates) and see if they will kill it. If you don't have anti-virus, get one of those also. AVG is free and pretty good.
Links and more info here:

http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html
0
 
caza13Commented:
W32.Opaserv.AE.Worm


When W32.Opaserv.AE.Worm runs on Windows 95/98/Me-based computers, it does the following:

Attempts to create a mutex named 4wsDosFDPS! and exits if the mutex already exists. This ensures that only one instance of the worm is running on the computer.

Registers itself as a service process.

Lowers its priority so that it runs only when the system is otherwise idle.

Copies itself as %Windir%\Natal.scr.

Checks for the value:

Natal!Old

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If the value exists, the worm deletes the file to which the Natal!Old value points.


If the Natal!Old value does not exist, then the worm will determine whether the value:

Natal

exists in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If the value does not exist, the worm will add the value:

"Natal"="%Windir%\Natal.scr"

to that registry key.


Creates the file named C:\lammer!, which contains the text:

run=c:\windows\natal.scr

Attempts to contact a predetermined Web site, probably to update itself. The Web site was inactive at the time of this writing.

Uses a security vulnerability in Microsoft Windows 95/98/Me to spread to other computers. The worm sends single-character passwords to network shares, attempting to get access to other Windows 95/98/Me file shares without knowing the entire password. The affected systems include:

Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me

Attempts to copy itself as Natal.scr to vulnerable network shares.

Modifies the [windows] section of the %Windir%\Win.ini file by adding one of the following lines:

run= c:\windows\natal.scr
run= c:\lammer!

so that Windows 95/98/Me-based computers will run the worm each time you start Windows.

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.ae.worm.html
0
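The win.ini persistence described in the write-up above can be checked with a short script that reads the [windows] section and triages every run=/load= target. This is an added example, not part of the original thread; the sample file and its clock.exe entry are constructed, and the "unusual-extension" rule is an assumption.

```python
import re

# File names reported in this thread (the question and the quoted write-up).
THREAD_INDICATORS = {"natal.scr", "natal!.pif", "puta!!.com", "lammer!"}
# Assumption: screen savers, PIFs and .com files are unusual autostart targets.
UNUSUAL_EXTS = (".scr", ".pif", ".com")

# Constructed sample, modelled on the run= line quoted in the question.
SAMPLE_WIN_INI = r"""
[windows]
load=c:\tools\clock.exe
run=c:\windows\puta!!.com,c:\windows\natal.scr
NullPort=None

[Desktop]
run=c:\ignored\outside_windows_section.scr
"""

def autostart_entries(ini_text):
    """Return (key, path) pairs from run=/load= lines in the [windows] section."""
    entries, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if section != "windows" or not sep or key not in ("run", "load"):
            continue
        # One line can start several programs, separated by commas or spaces.
        entries += [(key, p) for p in re.split(r"[,\s]+", value.strip()) if p]
    return entries

def triage(ini_text):
    """Label each autostart entry: known-indicator, unusual-extension or review."""
    report = []
    for key, path in autostart_entries(ini_text):
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in THREAD_INDICATORS:
            verdict = "known-indicator"
        elif name.endswith(UNUSUAL_EXTS):
            verdict = "unusual-extension"
        else:
            verdict = "review"
        report.append((key, path, verdict))
    return report

if __name__ == "__main__":
    for key, path, verdict in triage(SAMPLE_WIN_INI):
        print(f"{verdict:18} {key}={path}")
```

Run it against a copy of win.ini taken from the affected machine; entries labelled "review" are not necessarily malicious, only autostarted.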
 
nobusCommented:
Download Stinger, Adaware and Spybot and run them first.

Spybot: http://www.download.com/3000-8022-10122137.html
Adaware: http://www.lavasoftusa.com/
Stinger: http://www.chip.de/downloads/c_downloads_11105456.html

nobus
0
 
BillDLCommented:
HLLau.

Some of the good advice above relies on a knowledge of using Regedit to make changes to your Registry.  Is this something you are familiar with, or would you need further advice on what to do?  If so, please ask for it, because it's not difficult to do but can cause more problems than you have if you do something wrong.

Not sure if you know this, but a good Windows utility for selectively disabling entries in your text-based system files and also items that start up automatically is MSCONFIG.

Start Menu > RUN option > and type MSCONFIG > click "OK".

Unchecking items in the autoexec.bat and the .ini files will "remark them out" so that they are not read.  You can later open the files (Start > Run > and type SYSEDIT > click "OK") and delete them permanently.

This is just extra information that might help if you are still left with problems after running Stinger, Adaware, and SpyBot.
0
 
pjedmondCommented:

Hi. I think my computer (Win 98) is infected by a worm.
This line was added to win.ini: run=c:\windows\puta!!.com,c:\windows\natal.scr
but sometimes it is c:\..\natal!.pif

The computer always hangs (I think it is low on resources).

Boot into DOS, and delete the following files (del filename):

c:\windows\puta!!.com
c:\windows\natal.scr
c:\..\natal!.pif                         (if you can find it!)
c:\lammer!

Once you have done that, you will be able to boot into windows, although you will probably receive a whole load of errors about being unable to find files (which you can ignore). You can run any of the aforementioned utilities.

Then after reflecting on how lucky you are not to have lost all your data, you need to go out and get an up to date anti virus solution, and update the virus signatures regularly!

Next, use the update tool in Internet Explorer to ensure that all your security updates have been carried out:
Menu: Tools->Windows update.

If you've never done this before, it'll take some time, and a number of reboots, but it does ensure that your system is better protected than it has been before!

HTH:)




Remember that the files may try and hide themselves from DOS, but the attrib *.* will always reveal them!


0
 
HLLauAuthor Commented:
Thank you guys for your comments. I have checked the registry and there is nothing wrong with it.

anyway thanks again!!
0
