

Virus/malware Infected On Window 98 Se


7 replies to this topic

#1 mmax

Members, 9 posts

Posted 27 June 2007 - 12:36 PM

I am pretty sure my friend's PC got infected with various malware and viruses. He is currently using Windows 98 SE, and it has been verified that it is infected with CoolWebSearch, the Wareout rootkit and some trojans. Not sure how he got infected, but he said something popped up and he just clicked it, and those malware/viruses have stayed on his computer for half a year.
Can any Windows 98 SE expert fix this problem? I do not know how to fix his system; if possible, I really hope someone can clear that malware.

Thank you


Logfile of HijackThis v1.99.1
Scan saved at 7:27:07 PM, on 6/24/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\INTRENAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE
C:\PROGRAM FILES\WINPOET BROADBAND CONNECTION\WINPPPOVERETHERNET.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = --欢迎访问 http://www.zscn.com--
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: CShowKuroBar Class - {59062B7A-61BD-4A26-A7A6-6A213F2601F7} - C:\PROGRA~1\KUROM7\CALLTO~1.DLL
O2 - BHO: Name - {033448A0-8999-11D9-9E4B-004005372A5D} - C:\WINDOWS\SYSTEM\MSBUD.DLL
O2 - BHO: (no name) - {17EDC3C1-8999-11D9-9E4B-00408DFD87FD} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL
O3 - Toolbar: KuroBar - {37DE7A73-1E01-47d6-BB9B-99BEDB7A22E2} - C:\PROGRA~1\KUROM7\KUROBAR.DLL
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\DOCNTROP.DLL
O3 - Toolbar: ___(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Intrenat] C:\WINDOWS\intrenat.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\RunServices: [Intrenat] C:\WINDOWS\intrenat.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [IEXPLORE.EXE] IEXPLORE.EXE http://www.zscn.com
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Kuro搜索mp3 - res://C:\PROGRA~1\KUROM7\KUROBAR.DLL/MENUSEARCH.HTM
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PowerWord - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: Joyo - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .scr: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.37
O18 - Filter: text/html - {17EDC3C0-8999-11D9-9E4B-0040E2B12266} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL
O18 - Filter: text/plain - {17EDC3C0-8999-11D9-9E4B-0040E2B12266} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL

Edited by mmax, 28 June 2007 - 12:36 AM.



#2 Yourhighness

The BSG Malware Fighter
Malware Response Team, 7,943 posts, Hamburg

Posted 07 July 2007 - 02:23 AM

Hello mmax and welcome to BleepingComputer!

My name is Johannes and I will be dealing with your log today.
Please note that comments are made in green, links are in red and important things are outlined by using the blue color.

Please also take note of the following:
  • I will start working on your malware issues; this may, or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 mmax (Topic Starter)

Members, 9 posts

Posted 07 July 2007 - 06:09 AM

You are most welcome :thumbsup: . Next week I'll be going to my friend's house, so take your time; he is not in a hurry.
Thank you

#4 Yourhighness

The BSG Malware Fighter
Malware Response Team, 7,943 posts, Hamburg

Posted 07 July 2007 - 07:34 AM

Hi mmax,

Step #1

Please download FxAgentB.exe
  • Please run FxAgentB.exe
  • Let it fix anything it finds and reboot your system afterwards.
  • Let the tool run a second time and reboot your system again.
Step #2

Run HijackThis, press Scan, and put a check mark next to all these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = --欢迎访问 http://www.zscn.com--
O2 - BHO: Name - {033448A0-8999-11D9-9E4B-004005372A5D} - C:\WINDOWS\SYSTEM\MSBUD.DLL
O2 - BHO: (no name) - {17EDC3C1-8999-11D9-9E4B-00408DFD87FD} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\DOCNTROP.DLL
O4 - HKLM\..\Run: [Intrenat] C:\WINDOWS\intrenat.exe
O4 - HKLM\..\RunServices: [Intrenat] C:\WINDOWS\intrenat.exe
O4 - HKCU\..\Run: [IEXPLORE.EXE] IEXPLORE.EXE http://www.zscn.com
O8 - Extra context menu item: Kuro搜索mp3 - res://C:\PROGRA~1\KUROM7\KUROBAR.DLL/MENUSEARCH.HTM
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.37
O18 - Filter: text/html - {17EDC3C0-8999-11D9-9E4B-0040E2B12266} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL
O18 - Filter: text/plain - {17EDC3C0-8999-11D9-9E4B-0040E2B12266} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL


Close all other windows and browsers, and press the Fix Checked button.

Step #3

Please now delete the following files and folders (NB: if you cannot find a file or folder that is just fine):

C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL
C:\WINDOWS\SYSTEM\MSBUD.DLL
C:\WINDOWS\SYSTEM\DOCNTROP.DLL
C:\WINDOWS\intrenat.exe


Step #4

* Clean your Cache and Cookies in InternetExplorer:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Download TrojanHunter 30-Day Trial and save to your desktop. With the trial version of TrojanHunter you need to manually update the rule files before you can start scanning. Download the latest rule files (Update.zip) from here.
  • Important! Before installing, go offline, and boot into "SAFE MODE" by pressing F8 at startup to get the Windows Configuration screen. Use the arrow keys to select Safe mode, then press Enter.
  • Double-click TrojanHunterSetup.exe to install and exit the program when done. Once the program is installed it automatically configures to protect the system and All files. You should not need to change anything.
  • Extract (unzip) the Update.zip file to C:\Program Files\TrojanHunter\RuleFiles <- this folder.
    (Click here for information on how to do this if not sure. Win 9x/2000 users click here. A ZIP file requires an unzipping utility. If you need one, download 7zip (it's free).)
  • Restart TrojanHunter and do a full scan. Be sure the boxes are checked (green) beside your main hard drive folders, then click on Full Scan.
  • Please now navigate to C:\Program Files\TrojanHunter 4.6\Scan Reports and look for a file called year-month-day_24hrtime.rtf. Now please copy the contents of that file in your next reply.
Please post back with a fresh HijackThis log, the Trojan Hunter log (year-month-day_24hrtime.rtf), and the log from FxAgentB.exe.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
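The log in post #1 and the entries Johannes singles out for "Fix Checked" in Step #2 are read with the same handful of rules: a start or search page pointing into a DLL resource (res://), a DLL hooked from several sections at once, a MIME filter, changed nameservers, and an autorun that opens the browser on a fixed URL. The Python below is an added example, not code from this thread, from BleepingComputer or from the HijackThis project: it parses HJT entry lines and applies those rules. SYSTEM_DIRS, GENERIC_BHO_NAMES, the trusted_nameservers parameter and SAMPLE_LOG (assembled from lines quoted in this thread) are assumptions of the example. It recovers most of the Step #2 list; the about:blank pages and intrenat.exe need knowledge of the specific infection rather than a pattern, which is why a helper still reads the log by hand.

```python
"""Triage of HijackThis (HJT) log entries.

Added example: not code from BleepingComputer, from Johannes, or from the
HijackThis project. SYSTEM_DIRS, GENERIC_BHO_NAMES, trusted_nameservers and
SAMPLE_LOG are constructed assumptions for the demo.
"""
import re
from dataclasses import dataclass

# Legitimate BHOs install under Program Files; one loading straight out of the
# Windows system directory with no descriptive name is suspect. (assumption)
SYSTEM_DIRS = ("c:\\windows\\system\\", "c:\\windows\\system32\\")
GENERIC_BHO_NAMES = {"(no name)", "name"}  # display names carrying no information

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
MODULE_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|ocx|exe)\b", re.IGNORECASE)
BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse(log_text):
    """Yield (section, body, full_line) for each HJT entry; skip headers and process lists."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def module_cross_reference(log_text):
    """Map each module path (lower-cased) to the set of sections it is hooked from.
    One DLL wired into the search page (R1), a BHO (O2) and a MIME filter (O18)
    at the same time is the most useful pivot when reading a log."""
    seen = {}
    for sec, body, _ in parse(log_text):
        for path in MODULE_RE.findall(body):
            seen.setdefault(path.lower(), set()).add(sec)
    return seen


def triage(log_text, trusted_nameservers=()):
    """Return the entries a helper would mark for 'Fix checked', each with its reason."""
    findings = []
    for sec, body, line in parse(log_text):
        low = body.lower()
        if sec in ("R0", "R1"):
            # res:// targets are the CoolWebSearch hallmark; "(obfuscated)" is HJT's
            # own note that the registry value was encoded to hide the target.
            if "res://" in low or "(obfuscated)" in low:
                findings.append(Finding(sec, "IE search/start page redirected into a DLL resource", line))
            elif BARE_IP_URL_RE.search(low):
                findings.append(Finding(sec, "IE search URL points at a bare IP address", line))
            elif "window title" in low:
                findings.append(Finding(sec, "IE window title overwritten", line))
        elif sec == "O2":
            name = body.split(" - ")[0]
            if name.startswith("BHO: "):
                name = name[len("BHO: "):]
            if name.strip().lower() in GENERIC_BHO_NAMES and any(d in low for d in SYSTEM_DIRS):
                findings.append(Finding(sec, "unnamed BHO loading from the Windows system directory", line))
        elif sec == "O4":
            # An autorun that launches the browser on a URL re-hijacks the homepage every boot.
            if re.search(r"iexplore\.exe\s+https?://", low):
                findings.append(Finding(sec, "autorun entry opens IE on a fixed URL", line))
        elif sec == "O17":
            m = re.search(r"nameserver\s*=\s*([\d.,]+)", low)
            if m:
                servers = [s for s in m.group(1).split(",") if s]
                rogue = [s for s in servers if s not in trusted_nameservers]
                if rogue:
                    findings.append(Finding(sec, "DNS resolvers not on the trusted list: " + ", ".join(rogue), line))
        elif sec == "O18":
            # A text/html or text/plain MIME filter lets the DLL rewrite every page IE renders.
            if low.startswith("filter: text/") and ".dll" in low:
                findings.append(Finding(sec, "MIME filter hands every text/* response to a DLL", line))
    for path, secs in module_cross_reference(log_text).items():
        if len(secs) >= 2:
            findings.append(Finding("xref", f"module hooked from {len(secs)} sections ({', '.join(sorted(secs))})", path))
    return findings


# Constructed sample: a subset of the entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = --欢迎访问 http://www.zscn.com--
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Name - {033448A0-8999-11D9-9E4B-004005372A5D} - C:\WINDOWS\SYSTEM\MSBUD.DLL
O2 - BHO: (no name) - {17EDC3C1-8999-11D9-9E4B-00408DFD87FD} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [IEXPLORE.EXE] IEXPLORE.EXE http://www.zscn.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.37
O18 - Filter: text/html - {17EDC3C0-8999-11D9-9E4B-0040E2B12266} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL
O18 - Filter: text/plain - {17EDC3C0-8999-11D9-9E4B-0040E2B12266} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Running the file prints ten findings for the sample: the three hijacked R1 values, the two system-directory BHOs, the autorun that opens IE on www.zscn.com, the two rogue nameservers, both MIME filters, and a cross-reference note that DSKRFUOUI.DLL is hooked from R1, O2 and O18 at once. Pass the ISP's resolvers as trusted_nameservers to silence the O17 rule on a machine where those addresses are expected.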


#5 mmax (Topic Starter)

Members, 9 posts

Posted 07 July 2007 - 08:24 AM

I haven't done any steps yet, but I'd like to ask a few questions about things I didn't understand before starting.

Please run FxAgentB.exe
Let it fix anything it finds and reboot your system afterwards.
Let the tool run a second time and reboot your system again (Do you mean run the program and fix again for second time ?)

Restart TrojanHunter and do a full scan. Be sure the boxes are checked (green) beside your main hard drive folders, then click on Full Scan. ( Is it doing all the scan at safe mode ? )

After doing steps 1 to 4, can he go online? He did not install any antivirus/antimalware or firewall. Is it fine to install a firewall such as 'LooknStop 2.06'? (Suggest a better free firewall if LooknStop is not suitable.) (If LooknStop is suitable, what configuration do I need?)
He needs to go online to access his webmail and reply to his customers.

Thanks again. :thumbsup:

#6 Yourhighness

The BSG Malware Fighter
Malware Response Team, 7,943 posts, Hamburg

Posted 07 July 2007 - 10:34 AM

Hi mmax,

...(Do you mean run the program and fix again for second time ?)...

Yes

( Is it doing all the scan at safe mode ? )

Yes. Doing this gives better chances of detection and cleaning of malware installed.

After doing step 1 to step 4 , can he go online ?

Yes, but he should install a firewall and antivirus beforehand if possible (downloading setup files via another pc and use usb stick or such to transfer the installers).

Is it fine to install a firewall such as 'LooknStop 2.06'

I (personally) have not heard of this one, but that does not mean it's not fine to use. I use Kerio 2.15 as firewall and Avira Antivir. Suggested progs are the following:

If you want to have a look at the user manuals for the above suggested programs, have a look at the following:

Hope this helps.

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#7 mmax (Topic Starter)

Members, 9 posts

Posted 07 July 2007 - 12:23 PM

Hi mmax,

...(Do you mean run the program and fix again for second time ?)...

Yes

( Is it doing all the scan at safe mode ? )

Yes. Doing this gives better chances of detection and cleaning of malware installed.

After doing step 1 to step 4 , can he go online ?

Yes, but he should install a firewall and antivirus beforehand if possible (downloading setup files via another pc and use usb stick or such to transfer the installers).

Is it fine to install a firewall such as 'LooknStop 2.06'

I (personally) have not heard of this one, but that does not mean it's not fine to use. I use Kerio 2.15 as firewall and Avira Antivir. Suggested progs are the following:

If you want to have a look at the user manuals for the above suggested programs, have a look at the following:

Hope this helps.

Johannes


Thanks a lot for the information. Isn't Kerio 2.15 an old version of that firewall that was discontinued 2 years ago? I saw that when I did some googling. Is it able to block most intrusions? (Sorry for my limited knowledge of security.)
From the above, which antivirus program has the lowest resource requirements? My friend is using an old computer with Windows 98 SE that is 6 years old. (Not sure of his PC specification; will check next week.)

Thank you :thumbsup:

#8 Yourhighness

The BSG Malware Fighter
Malware Response Team, 7,943 posts, Hamburg

Posted 07 July 2007 - 06:09 PM

Hi mmax,

Yes, 2.15 is an old version. Version 4 of Sunbelt Kerio is just as fine. They are two different approaches: 2.15 is very "simplistic" and has you make rules for it; version 4 is more graphical-user-interface based and further developed. As I said, the firewall you suggested is supposed to also be a good one, so you may use that one. As for ease of use, ZoneAlarm is fairly good at that. As for the resources and compatibility, you will need to check on their sites, as I don't know it off the top of my head.

Sorry, very tired. Gotta get some sleep.

Regards,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -




