
Blaster worm in Win98 computer

Discussion in 'Virus & Other Malware Removal' started by jazekeet, Oct 13, 2003.

Thread Status:
Not open for further replies.
  1. jazekeet

    jazekeet Thread Starter

    Joined:
    Apr 28, 1999
    Messages:
    76
    Hi guys,
    I have a Checkpoint firewall and I have set rules to block the ports used by the Blaster virus to get into Win2000/WinXP. I just discovered that now my Win98 PCs have the Blaster virus in them! After checking my firewall log file I realised that most of my Win98 PCs were infected and have been trying to send nasty packets out of my gateway.
    I have tried using Trendmicro Blaster Removal, Symantec Blaster Removal and McAfee Blaster Removal with no success. These removal tools show "No virus exist" in any of the computers shown to be "infected" by my firewall log files.
    I need to remove this nasty urgently coz the virus has been creating lots of traffic at my firewall.
    Anyone had this experience before? Why Win98?

    Gracias
    Keet
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,149
    First Name:
    Derek
    go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    Are you sure this isn't normal NetBIOS traffic?
    You could try setting the EnableDCOM string to N for a while to see; it is in the following key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\OLE

    (you may have to add the entry)
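
One way to test the NetBIOS question against the firewall log, as an added example that is not part of the original thread: group blocked packets by source host and separate hosts that only emit NetBIOS traffic (137/udp, 138/udp, 139/tcp) from hosts that probe many distinct addresses on 135/tcp, the RPC/DCOM port Blaster targets. The log layout, the sample records, the function names and the `scan_threshold` value are all constructed assumptions, not Check Point's export format.

```python
from collections import defaultdict

# Constructed sample (not Check Point's export format): time action proto src dst dport
SAMPLE_LOG = """\
11:02:01 drop udp 192.168.1.21 192.168.1.255 137
11:02:09 drop tcp 192.168.1.21 192.168.1.2 139
11:03:10 drop tcp 192.168.1.34 203.0.113.1 135
11:03:10 drop tcp 192.168.1.34 203.0.113.2 135
11:03:10 drop tcp 192.168.1.34 203.0.113.3 135
11:03:11 drop tcp 192.168.1.34 203.0.113.4 135
11:03:11 drop tcp 192.168.1.34 203.0.113.5 135
11:04:00 drop tcp 192.168.1.40 198.51.100.7 135
truncated line
"""

NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}  # name, datagram, session
RPC = ("tcp", 135)  # RPC endpoint mapper / DCOM

def parse(log_text):
    """Yield (proto, src, dst, port) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue
        yield parts[2].lower(), parts[3], parts[4], int(parts[5])

def triage(log_text, scan_threshold=5):
    """Label each source host by what its blocked traffic looks like."""
    stats = defaultdict(lambda: {"rpc": set(), "netbios": 0})
    for proto, src, dst, port in parse(log_text):
        host = stats[src]
        if (proto, port) == RPC:
            host["rpc"].add(dst)          # distinct hosts probed on 135/tcp
        elif (proto, port) in NETBIOS:
            host["netbios"] += 1
    verdict = {}
    for src, host in stats.items():
        if len(host["rpc"]) >= scan_threshold:
            verdict[src] = "rpc-sweep"     # many distinct 135/tcp targets
        elif host["rpc"]:
            verdict[src] = "rpc-review"    # some 135/tcp, below threshold
        elif host["netbios"]:
            verdict[src] = "netbios-only"  # ordinary Windows name/session traffic
        else:
            verdict[src] = "other"
    return verdict

if __name__ == "__main__":
    print(sorted(triage(SAMPLE_LOG).items()))
```

A host labelled `netbios-only` matches the benign explanation raised above; `rpc-sweep` hosts are the ones worth pulling off the network for a closer look.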
     
  4. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
  5. jazekeet

    jazekeet Thread Starter

    Joined:
    Apr 28, 1999
    Messages:
    76
    Thanks for reading this thread guys, here is the log from my Win2K server:

    Logfile of HijackThis v1.97.3
    Scan saved at 11:26:23 AM, on 10/16/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    D:\PROGRA~1\sav\DefWatch.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\cba\pds.exe
    C:\WINNT\System32\ismserv.exe
    C:\WINNT\System32\llssrv.exe
    d:\Program Files\NAVMSE\NAVESRV.EXE
    D:\PROGRA~1\sav\Rtvscan.exe
    C:\WINNT\Explorer.EXE
    d:\Program Files\NAVMSE\NAVECTRL.EXE
    d:\Program Files\NAVMSE\navesp.exe
    d:\Program Files\NAVMSE\navesp.exe
    d:\Program Files\NAVMSE\NAVELOG.EXE
    D:\Program Files\SSC\NSCTOP.EXE
    C:\WINNT\system32\ntfrs.exe
    D:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
    D:\PROGRA~1\sav\vptray.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    D:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
    C:\WINNT\system32\MsgSys.EXE
    d:\Program Files\Pwrchute\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wins.exe
    C:\WINNT\System32\dns.exe
    D:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\system32\ams_ii\hndlrsvc.exe
    C:\WINNT\system32\ams_ii\iao.exe
    C:\WINNT\system32\cba\xfr.exe
    d:\exchsrvr\bin\mad.exe
    d:\exchsrvr\bin\events.exe
    d:\Program Files\NAVMSE\NAVEAP.EXE
    D:\EXCHSRVR\connect\msexcimc\bin\msexcimc.exe
    C:\WINNT\System32\svchost.exe
    d:\Program Files\NAVMSE\navesp.exe
    D:\exchsrvr\bin\ADMIN.EXE
    C:\WINNT\System32\cmd.exe
    C:\WINNT\system32\ntvdm.exe
    A:\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\sav\vptray.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = leehishammuddin.com.my
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92A127CD-BA17-4842-B882-0EF293244BAA}: NameServer = 192.168.1.1,192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = leehishammuddin.com.my
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = leehishammuddin.com.my

    And here is the log from my Win98 workstation:

    Logfile of HijackThis v1.97.3
    Scan saved at 11:09:13 AM, on 10/16/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v4.72 SP1 (4.72.3110.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    L:\NLRUN\LOCUS.EXE
    L:\NLRUN\LOCSRVR.EXE
    L:\NLRUN\MENU.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\EXCEL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
    L:\NLRUN\TIMD.EXE
    A:\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O11 - Options group: [TB] Toolbar
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
     
Short URL to this thread: https://techguy.org/171591
