
Windows 98


  • This topic is locked
27 replies to this topic

#1 elomont

  • Members

Posted 08 February 2009 - 01:07 PM

I was told by a BC Moderator to let whoever ends up looking at this know that I am using W98 and it's [to clarify: it's referring to HijackThis ~ OB] all I can get to work.

Referred here from: http://www.bleepingcomputer.com/forums/t/200802/windows-98/ ~ OB

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:44 PM, on 2/6/2009
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v4.72 SP1 (4.72.3110.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\TAPISRU.EXE
C:\WINDOWS\SYSTEM\MSWHEEK.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\LOGAGENS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bleepingcomputer.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~2\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~2\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SULFNBJ] C:\WINDOWS\COMMAND\SULFNBJ.EXE
O4 - HKLM\..\Run: [SYSOCMGQ] C:\WINDOWS\OPTIONS\CABS\PWS\SYSOCMGQ.EXE
O4 - HKLM\..\Run: [MKCOMPAS] C:\WINDOWS\SYSTEM\MKCOMPAS.EXE
O4 - HKLM\..\Run: [MSCONFIF] C:\WINDOWS\SYSTEM\MSCONFIF.EXE
O4 - HKLM\..\Run: [TAPISRU] C:\WINDOWS\SYSTEM\TAPISRU.EXE
O4 - HKLM\..\Run: [SCANREGV] C:\WINDOWS\SCANREGV.EXE
O4 - HKLM\..\Run: [mswheek] C:\WINDOWS\SYSTEM\mswheek.exe
O4 - HKLM\..\Run: [nsplayeq] C:\My Documents\Microsoft NetShow\Player\nsplayeq.exe
O4 - HKLM\..\Run: [CHLINSS] C:\Program Files\Internet Explorer\CHLINSS.EXE
O4 - HKLM\..\Run: [MSO7FTPR] C:\Program Files\Microsoft Office\Office\MSO7FTPR.EXE
O4 - HKLM\..\Run: [setuo] C:\WINDOWS\TEMP\RarSFX0\setuo.exe
O4 - HKLM\..\Run: [winzip81] C:\winzip81.exe
O4 - HKLM\..\Run: [uninss] C:\Program Files\CCleaner\uninss.exe
O4 - HKLM\..\Run: [logagens] C:\Program Files\Windows Media Player\logagens.exe
O4 - HKLM\..\Run: [RunScanneq] C:\Runscanner\RunScanneq.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O11 - Options group: [TB] Toolbar
O16 - DPF: Yahoo! Chat 1.0 - http://cs1.chat.yahoo.com/c109/chat.cab

--
End of file - 2678 bytes

Edited by Orange Blossom, 08 February 2009 - 10:59 PM.



#2 PropagandaPanda

  • Malware Response Team

Posted 14 February 2009 - 08:07 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

When was the last time I saw a 98? Let's see what we can do.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 elomont

  • Topic Starter

Posted 15 February 2009 - 09:06 PM

Since I feel a bit silly referring to you as "PP", Panda it is!

I will not be back in front of that computer until tomorrow night (Monday night) or early Tuesday morning, so I will post back then.

However, as you can see in the referred link, I was not able to run a DDS initially and that is why I had to post the log file using the Trend Micro HijackThis v2.0.2 format.

Regarding your question as to what has changed: The only thing I did was disable some startup items after reading the "Startup List" tutorial. I will post a new log using the Trend Micro HijackThis v2.0.2 format. I will also see if I can use the DDS format that you mentioned, but no promises.

Until then........

#4 PropagandaPanda


Posted 16 February 2009 - 01:45 PM

Hello.

In that case, we'll stick with HijackThis. Just post a new HijackThis log then.

See you,
The Panda

#5 elomont


Posted 16 February 2009 - 10:58 PM

Here is the new Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:57 PM, on 2/16/2009
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v4.72 SP1 (4.72.3110.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\TAPISRU.EXE
C:\WINDOWS\SYSTEM\MSWHEEK.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\LOGAGENS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bleepingcomputer.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SYSOCMGQ] C:\WINDOWS\OPTIONS\CABS\PWS\SYSOCMGQ.EXE
O4 - HKLM\..\Run: [MKCOMPAS] C:\WINDOWS\SYSTEM\MKCOMPAS.EXE
O4 - HKLM\..\Run: [MSCONFIF] C:\WINDOWS\SYSTEM\MSCONFIF.EXE
O4 - HKLM\..\Run: [TAPISRU] C:\WINDOWS\SYSTEM\TAPISRU.EXE
O4 - HKLM\..\Run: [mswheek] C:\WINDOWS\SYSTEM\mswheek.exe
O4 - HKLM\..\Run: [nsplayeq] C:\My Documents\Microsoft NetShow\Player\nsplayeq.exe
O4 - HKLM\..\Run: [CHLINSS] C:\Program Files\Internet Explorer\CHLINSS.EXE
O4 - HKLM\..\Run: [MSO7FTPR] C:\Program Files\Microsoft Office\Office\MSO7FTPR.EXE
O4 - HKLM\..\Run: [setuo] C:\WINDOWS\TEMP\RarSFX0\setuo.exe
O4 - HKLM\..\Run: [uninss] C:\Program Files\CCleaner\uninss.exe
O4 - HKLM\..\Run: [logagens] C:\Program Files\Windows Media Player\logagens.exe
O4 - HKLM\..\Run: [RunScanneq] C:\Runscanner\RunScanneq.exe
O11 - Options group: [TB] Toolbar
O16 - DPF: Yahoo! Chat 1.0 - http://cs1.chat.yahoo.com/c109/chat.cab

--
End of file - 1954 bytes

I only changed the startup list with files that I could find in the Startup tutorial and were not needed at startup. The others I could not find when entered in the search field.

Enjoy.

#6 elomont


Posted 16 February 2009 - 11:02 PM

Also, no luck on any of those 3 links for downloading the DDS.

#7 PropagandaPanda


Posted 17 February 2009 - 08:27 AM

Hello.

DDS will require the cmd.exe, which 98 doesn't have. HijackThis will do fine.

Please give me a run down of the current problems you are having.

With Regards,
The Panda

#8 elomont


Posted 17 February 2009 - 02:38 PM

Here's a list.

Various pop ups once the OS loads, which include:

1. Windows Setup Error: Invalid program arguments were specified. /i:<master_oc_inf>, Specifies the name of the master inf (required). /n Forces the specified master inf to be treated as new. /s:<source_path>, Specifies the source path for installation (required). /u:<unattend_spec>, Specifies unattended operation parameters.

2. A "make compatible" pop up with 5 choices and boxes to check/uncheck. Choices include Don't spool to enhanced meta files, Give application more stack space, Lie about printer device mode size, Lie about Windows version number and Win 3.1 style controls.

3. Error, unable to create Active X control.

4. NSIS error. Installer integrity check has failed. Common causes include incomplete download and damaged media.

5. SETUO Error. Cannot load engine. (Related to Dr. Web scanner)

Those are all on startup.

Once I start IE: (By the way, I'm trying to get away from using IE completely, but I can't access the Mozilla website)

1. Internet Explorer Script errors.

2. Redirects from the Windows Update Website, Mozilla Firefox website. In other words, it doesn't let me access those sites directly or at all.

I think that about covers my "issues". At least related to the computer!

#9 PropagandaPanda


Posted 17 February 2009 - 06:38 PM

Hello.

Let's try disabling some items relating to the errors.

Fix HijackThis Entries
  • Double click the HijackThis icon on your desktop.
  • Close all other open windows.
  • Select Do a System Scan Only.
  • To the left of each entry you will see a box. Put a checkmark next to the following entries:


    O4 - HKLM\..\Run: [SYSOCMGQ] C:\WINDOWS\OPTIONS\CABS\PWS\SYSOCMGQ.EXE
    O4 - HKLM\..\Run: [setuo] C:\WINDOWS\TEMP\RarSFX0\setuo.exe
    O4 - HKLM\..\Run: [uninss] C:\Program Files\CCleaner\uninss.exe
    O4 - HKLM\..\Run: [RunScanneq] C:\Runscanner\RunScanneq.exe

  • Close all open windows except HijackThis.
  • Click Posted Image and OK at the prompt.
  • Close HijackThis.
Which errors still occur?

With Regards,
The Panda

#10 elomont


Posted 18 February 2009 - 03:50 AM

Panda,

After restart I still get # 2 and 3 in my previous post.

When using IE, both problems still exist.

#11 PropagandaPanda


Posted 18 February 2009 - 06:43 PM

Hello.

Remove the following lines using HijackThis:
O16 - DPF: Yahoo! Chat 1.0 - http://cs1.chat.yahoo.com/c109/chat.cab

For "error 2", is there a program file name given?

With Regards,
The Panda

#12 elomont


Posted 18 February 2009 - 11:03 PM

OK. Done.

I restarted to see if anything changed and nothing has regarding the pop ups.

The error box that you are referring to does not contain a program file name. It's just a generic error box, no references. It does have the yellow and black exclamation point, if that helps any.

Honestly, I could live with those two pop ups if all else fails. I'm more concerned with the website redirection, but I know you need to go through certain steps so this is where I'll shut up and press add reply.

#13 elomont


Posted 19 February 2009 - 03:34 AM

Some updates:

I've discovered that when I clicked on the Start tab and then scrolled up to Windows Update it would always redirect me to another site or web page. However, if I used Google to search "Windows Update" one of the first choices led me to the correct update page. Also, I've been trying to update my IE web browser from 4 to IE 6 Service Pack 1 and finally found a link that would work. Most of the time, if I tried to update through the Microsoft website, the page for IE6 would not load correctly and I couldn't even read the print in some areas. Those areas were almost always the areas I needed too. I would use my laptop and compare what it was supposed to look like on the machine running 98, but to no avail.

So to sum it up I've downloaded ALL Windows security updates AND have been able to "upgrade" to IE 6, which in turn led me to download Mozilla FF and some free antivirus from Avast along with Spybot, Adaware and Spywareblaster.

I still receive those pop ups at startup though, but at least with this hurdle cleared and your help earlier in this thread I'm a few steps closer to getting where I want to be.

Just some FYI.

Edited by elomont, 19 February 2009 - 03:40 AM.


#14 PropagandaPanda


Posted 19 February 2009 - 05:50 PM

Hello.

I have a troubleshooting method in mind, if you can call it that. I'm just asking around to make sure it is safe first.

With Regards,
The Panda

Edited by PropagandaPanda, 19 February 2009 - 05:51 PM.


#15 PropagandaPanda


Posted 19 February 2009 - 07:07 PM

Hello.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Fix these items with HijackThis:
O4 - HKLM\..\Run: [SYSOCMGQ] C:\WINDOWS\OPTIONS\CABS\PWS\SYSOCMGQ.EXE
O4 - HKLM\..\Run: [MKCOMPAS] C:\WINDOWS\SYSTEM\MKCOMPAS.EXE
O4 - HKLM\..\Run: [MSCONFIF] C:\WINDOWS\SYSTEM\MSCONFIF.EXE
O4 - HKLM\..\Run: [TAPISRU] C:\WINDOWS\SYSTEM\TAPISRU.EXE
O4 - HKLM\..\Run: [mswheek] C:\WINDOWS\SYSTEM\mswheek.exe
O4 - HKLM\..\Run: [nsplayeq] C:\My Documents\Microsoft NetShow\Player\nsplayeq.exe
O4 - HKLM\..\Run: [CHLINSS] C:\Program Files\Internet Explorer\CHLINSS.EXE
O4 - HKLM\..\Run: [MSO7FTPR] C:\Program Files\Microsoft Office\Office\MSO7FTPR.EXE
O4 - HKLM\..\Run: [setuo] C:\WINDOWS\TEMP\RarSFX0\setuo.exe
O4 - HKLM\..\Run: [uninss] C:\Program Files\CCleaner\uninss.exe
O4 - HKLM\..\Run: [logagens] C:\Program Files\Windows Media Player\logagens.exe
O4 - HKLM\..\Run: [RunScanneq] C:\Runscanner\RunScanneq.exe

Reboot.

(These steps may differ slightly due to your OS being W98)
  • Double click the My Computer icon.
  • In the explorer window that pops-up, select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Remove the checkmark from the checkbox labeled Display the Contents of System Folders.
  • Put a checkmark in the checkbox labeled Hide File Extensions for Known File Types, if it is not already unchecked.
  • Put a checkmark in the checkbox labeled Hide Protected Operating System Files, if it is not already unchecked.
  • Click the Apply button and then the OK button.
  • Close all the windows.
Submit File Sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/201720/windows-98/
  • Under Browse to the file you want to submit, input:
    C:\WINDOWS\SYSTEM\mswheek.exe
    C:\My Documents\Microsoft NetShow\Player\nsplayeq.exe
    C:\Program Files\Internet Explorer\CHLINSS.EXE
    C:\Program Files\Windows Media Player\logagens.exe
    (Please repeat for each file. It is possible that some do not exist.)
  • Under the comments section, say that Panda asked for the submission.
Please tell me which errors are still present.

With Regards,
The Panda

Edited by PropagandaPanda, 20 February 2009 - 08:19 AM.
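
An added example, not part of the original thread: a Python sketch of the log comparison this exchange relies on, parsing a HijackThis log to list which O4 autorun entries have a program in the running-process list and which fix-list entries a follow-up log still shows. The sample is a shortened excerpt of the 16 February log above; the function names are this example's own.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

# Shortened excerpt of the 16 February log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\TAPISRU.EXE
C:\WINDOWS\SYSTEM\MSWHEEK.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\LOGAGENS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bleepingcomputer.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TAPISRU] C:\WINDOWS\SYSTEM\TAPISRU.EXE
O4 - HKLM\..\Run: [mswheek] C:\WINDOWS\SYSTEM\mswheek.exe
O4 - HKLM\..\Run: [logagens] C:\Program Files\Windows Media Player\logagens.exe
O4 - HKLM\..\Run: [setuo] C:\WINDOWS\TEMP\RarSFX0\setuo.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|pif|bat))(?:\s|$)", re.IGNORECASE)

def parse_log(text):
    """Split a HijackThis log into running-process paths and O4 autoruns."""
    procs, autoruns, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif (m := O4_RE.match(line)):
            autoruns.append(m.groupdict())
    return procs, autoruns

def exe_name(cmd):
    """Upper-cased file name of the program in an O4 command line."""
    m = EXE_RE.match(cmd)   # handles spaces in the path and trailing arguments
    return basename(m.group(1) if m else cmd.split()[0]).upper()

def running_autoruns(text):
    """O4 value names whose program appears in the running-process list."""
    procs, autoruns = parse_log(text)
    live = {basename(p).upper() for p in procs}
    return [a["name"] for a in autoruns if exe_name(a["cmd"]) in live]

def still_present(text, fix_names):
    """Names from a helper's fix list that a follow-up log still shows."""
    _, autoruns = parse_log(text)
    seen = {a["name"].lower() for a in autoruns}
    return [n for n in fix_names if n.lower() in seen]
```

A match from `running_autoruns` only shows that the entry loaded at startup; deciding whether it is malicious remains the helper's judgement, as in post #15.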




