Blaster worm in Win98 computer

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

jazekeet

Thread Starter
Joined
Apr 28, 1999
Messages
76
Hi guys,
I have Checkpoint Firewall and I have set rules to block the ports used by the Blaster virus to get into Win2000/WinXP. I just discovered that my Win98 PCs now have the Blaster virus in them! After checking my firewall log file I realised that most of my Win98 PCs were infected and have been trying to send nasty packets out of my gateway.
I have tried using Trend Micro Blaster Removal, Symantec Blaster Removal and McAfee Blaster Removal with no success. These removal tools show "No virus exist" on any of the computers shown to be "infected" by my firewall log files.
I need to remove this nasty urgently because the virus has been creating lots of traffic at my firewall.
Has anyone had this experience before? Why Win98?

Gracias
Keet
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
Go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip, and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

IMM

Joined
Feb 1, 2002
Messages
3,257
Are you sure this isn't normal NetBIOS traffic?
You could try setting the EnableDCOM string to N in the following key for a while, to see:
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE

(you may have to add the entry)
 

jazekeet

Thread Starter
Joined
Apr 28, 1999
Messages
76
Thanks for reading this thread guys, here is the log from my Win2K server:

Logfile of HijackThis v1.97.3
Scan saved at 11:26:23 AM, on 10/16/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
D:\PROGRA~1\sav\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
d:\Program Files\NAVMSE\NAVESRV.EXE
D:\PROGRA~1\sav\Rtvscan.exe
C:\WINNT\Explorer.EXE
d:\Program Files\NAVMSE\NAVECTRL.EXE
d:\Program Files\NAVMSE\navesp.exe
d:\Program Files\NAVMSE\navesp.exe
d:\Program Files\NAVMSE\NAVELOG.EXE
D:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
D:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
D:\PROGRA~1\sav\vptray.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
D:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
C:\WINNT\system32\MsgSys.EXE
d:\Program Files\Pwrchute\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\dns.exe
D:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
d:\exchsrvr\bin\mad.exe
d:\exchsrvr\bin\events.exe
d:\Program Files\NAVMSE\NAVEAP.EXE
D:\EXCHSRVR\connect\msexcimc\bin\msexcimc.exe
C:\WINNT\System32\svchost.exe
d:\Program Files\NAVMSE\navesp.exe
D:\exchsrvr\bin\ADMIN.EXE
C:\WINNT\System32\cmd.exe
C:\WINNT\system32\ntvdm.exe
A:\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\sav\vptray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = leehishammuddin.com.my
O17 - HKLM\System\CCS\Services\Tcpip\..\{92A127CD-BA17-4842-B882-0EF293244BAA}: NameServer = 192.168.1.1,192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = leehishammuddin.com.my
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = leehishammuddin.com.my

And here is the log from my Win98 workstation:

Logfile of HijackThis v1.97.3
Scan saved at 11:09:13 AM, on 10/16/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v4.72 SP1 (4.72.3110.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
L:\NLRUN\LOCUS.EXE
L:\NLRUN\LOCSRVR.EXE
L:\NLRUN\MENU.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\EXCEL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
L:\NLRUN\TIMD.EXE
A:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O11 - Options group: [TB] Toolbar
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
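
Added example (not part of any post in this thread, and not HijackThis code): a small Python parser for the log layout pasted above. It lists running processes and O4 autostart entries, then flags image names on a caller-supplied watchlist and processes running from outside expected directories. The sample log is a constructed excerpt, the watchlist and expected roots are placeholders to fill from your antivirus vendor's write-up, and autostart commands are matched on their first token only, so paths containing spaces need extra handling.

```python
import re

# Constructed excerpt in the HijackThis v1.97.3 layout quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.3

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
L:\NLRUN\LOCUS.EXE
A:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")            # e.g. "O4 - ..."
AUTORUN = re.compile(r"^(\S+): \[([^\]]*)\] (.+)$")   # key: [value name] command

def parse_hijackthis(text):
    """Return (running process paths, [(entry code, entry body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        entry = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif not line or entry:
            in_procs = False          # a blank line or first entry ends the list
            if entry:
                entries.append(entry.groups())
        elif in_procs:
            processes.append(line)
    return processes, entries

def autoruns(entries):
    """Registry autostart (O4) entries as (key, value name, command)."""
    matches = (AUTORUN.match(body) for code, body in entries if code == "O4")
    return [m.groups() for m in matches if m]

def triage(text, watchlist, expected_roots):
    """Return (watchlist hits, processes running from outside expected_roots)."""
    processes, entries = parse_hijackthis(text)
    names = {name.lower() for name in watchlist}
    roots = tuple(root.upper() for root in expected_roots)
    base = lambda path: path.rsplit("\\", 1)[-1].lower()
    hits = [p for p in processes if base(p) in names]
    hits += [cmd for _, _, cmd in autoruns(entries) if base(cmd.split()[0]) in names]
    unexpected = [p for p in processes if not p.upper().startswith(roots)]
    return hits, unexpected
```

A process listed as unexpected is only a prompt to look closer; network drives and removable media, as in the Win98 log above, show up there too.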
 