Tried to install SAS, but it crashed… reported unable to register some DLL due to “old Windows version”… ??? But in the system requirements they claim that SAS is compatible with WIN98/SE (my father and I both have the same version 4.8.2222A)… ??? Well, at this point I feel forced to skip the SAS passage and go directly for Firefox… :-\
I’m afraid you are going to continually bump into things like this with win98 as less and less programs will support it and many of the tools to try and clean malware are going to be the same.
I thought that SAS was meant to be compatible with win98, seems not so in your case.
It is possible that this could be a form of malware blocking as is common in some malware, but I don’t know if that is the case here.
[PART 1]
In the hope not only to get some help, but to help others in the same situation, I’m trying to give an accurate report of what happened today.
After one last update of Avast’s virus data file, and one last scan which reported nothing, I installed (from CD) the latest version of Firefox compatible with Windows 98 (V2.0.0.20). I ran it just to get the last updates from Mozilla, and to verify whether the “Wikipedia thing” continued to happen: it was gone, Wikipedia opened perfectly.
[from now on I would use a “should-be” English translation of Firefox functions and buttons, since I have the Italian version of Firefox and I’m not 100% sure of the word they used in the English version]
I opened the Options menu in Firefox, set the Popup stop, but when I opened the list of “Exceptions” (allowed sites) for the popup blocker, I had two bad surprises: 1) the “Exceptions” list was absurdly slow in opening (about 20 seconds, on my PC it’s instantaneous), and 2) despite it being Firefox’s first run, the list of popup “Exceptions” was ALREADY FILLED IN with HUNDREDS of sites like XXX, porn, gambling etc… :o
I clicked the “Remove All” button, saved the changes, closed and restarted Firefox and… the “Exceptions” list was NOT totally empty. >:( There was ONE entry in the list, “hausaufgaben”. I deleted that only entry, saved the changes, reopened the Exceptions list (whether or not I restarted Firefox, it was just the same) and that “hausaufgaben” entry had been recreated… ???
Both Avast and Spybot gave a “nothing found” outcome…
At this point, I ran REGEDIT and exported the Registry, and I found something which, not my knowledge but my nose, definitely says should NOT be there: but I can’t say whether it’s related or not to the “hausaufgaben” entry being continuously recreated.
I cannot post the whole exported Registry as it’s huge. If it can be of any usefulness, I can ZIP and send it privately.
This is the BEGINNING of the first of the two sections of the Registry containing the AD/XXX entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"Trusted"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\www]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\install]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\www.install]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\the]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\www.the]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\008i.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\008k.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\008k.com\www]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\00hq.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\00hq.com\www]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\010402.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\032439.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\032439.com\www]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\032439.com\80gw6ry3i3x3qbrkwhxhw]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100888290cs.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100888290cs.com\www]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100888290cs.com\mir]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100888290cs.com\woool]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100sexlinks.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100sexlinks.com\www]
"*"=dword:00000004
.
.
.
.
…etc etc…
I would like to know what the first key value means: "Trusted"="1"
Does it imply that all the following sites are TRUSTED?..
[PART 2]
OK, scrolling down the HKEY_LOCAL_MACHINE part, we reach the “hausaufgaben” thing:
.
.
.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hardpornmpg.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hardwareseek.net]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\harukaigawa.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hastalavista.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hastalavista.com\www]
"*"=dword:00000004
[b][HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben.de]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben.de\www]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-referate.de]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-referate.de\www]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben–referate.de]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-server.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-server.com\www]
"*"=dword:00000004[/b]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\havy.biz]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hazzetta.it]
"*"=dword:00000004
.
.
.
…etc etc etc…
Then we come to the HKEY_USERS part of the Registry, where the tune repeats once again… this is the beginning:
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"Trusted"="1"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\05p.com]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com\www]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net\www]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com\www]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\scoobidoo.com]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\babe.the-killer.bz]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\babe.k-lined.com]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\did.i-used.cc]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com]
"*"=dword:00000004
.
.
.
…etc etc…
The names of the sites aren’t the same (or at least aren’t in the same order), but the values of the keys are identical, and the first line, again, says "Trusted"="1"… What does this mean?
Scrolling down, we get to the hausaufgaben thing:
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hardpornmpg.com]
"*"=dword:00000004
[b][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben.de]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben.de\www]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-referate.de]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-referate.de\www]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben–referate.de]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-server.com]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-server.com\www]
"*"=dword:00000004[/b]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\herocodec.com]
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\herocodec.com\www]
"*"=dword:00000004
What the hell is happening there?.. And, especially, what can I do at this point?..
Spybot put them there.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hardpornmpg.com]
"*"=dword:00000004
The 00000004 means they are in the Restricted Zone.
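To make the point above checkable on a real export rather than by eye, here is an added Python example (not code from this thread, from Spybot or from Avast) that parses a REGEDIT .reg dump, rebuilds the hostname from each `ZoneMap\Domains\<domain>\<subkey>` path and classifies it by the standard Internet Explorer zone id (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites). The sample text inside it is constructed to mirror the dump quoted earlier; the host `adware-example.test` is made up and included only to show what a trust-widening entry (zone 2) would look like next to the zone-4 immunization entries. The `"Trusted"="1"` string value under the Domains root is parsed past and not interpreted, since the thread does not establish its meaning.

```python
"""Classify IE ZoneMap entries from a REGEDIT export (added example, not from the thread)."""
import re
from collections import Counter

# Standard IE URL security zone ids used by the dword under ZoneMap\Domains\<host>
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

DOMAINS_MARKER = "\\Internet Settings\\ZoneMap\\Domains\\"
KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\path]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')  # "*"=dword:00000004

# Constructed sample shaped like the export in the thread; adware-example.test is made up.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"Trusted"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben.de\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adware-example.test]
"http"=dword:00000002

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben.de]
"*"=dword:00000004
"""


def parse_zonemap(reg_text):
    """Return a list of {hive, host, scheme, zone} dicts for every per-domain ZoneMap value."""
    entries = []
    current = None  # (hive, host) of the key we are currently inside, or None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.find(DOMAINS_MARKER)
            if idx == -1:
                current = None  # the Domains root itself, or an unrelated key
                continue
            hive = path.split("\\", 1)[0]
            labels = path[idx + len(DOMAINS_MARKER):].split("\\")
            # Domains\example.com\www  ->  www.example.com
            current = (hive, ".".join(reversed(labels)))
            continue
        val = DWORD_RE.match(line)
        if val and current:
            entries.append({"hive": current[0], "host": current[1],
                            "scheme": val.group(1), "zone": int(val.group(2), 16)})
    return entries


def summarize(entries):
    """Count entries per zone name; unknown zone ids are reported numerically."""
    return Counter(ZONE_NAMES.get(e["zone"], "zone %d" % e["zone"]) for e in entries)


def suspicious(entries):
    """Hosts whose entry widens trust (zones 0-2). Zone 4 narrows it, which is what
    Spybot's immunization writes, so those are expected and not flagged."""
    return sorted({e["host"] for e in entries if e["zone"] in (0, 1, 2)})


if __name__ == "__main__":
    found = parse_zonemap(SAMPLE_REG)
    for zone, n in sorted(summarize(found).items()):
        print("%5d  %s" % (n, zone))
    for host in suspicious(found):
        print("review:", host)
```

Run it against a real export by replacing `SAMPLE_REG` with the file contents (`open(path, encoding="utf-16")` for exports from newer Windows, plain text for REGEDIT4 files). Hundreds of zone-4 entries with no zone-2 hits is the immunization pattern described in the reply above; any host landing in the `review:` list is worth looking at, because it is being granted more trust than the Internet zone, not less.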
Okay but… there’s always that entry in Firefox’s popup exceptions list that is rebuilt every time I delete it… and there is the ABNORMAL TIME Firefox takes to open that simple list, about 20 seconds! That’s not normal. My feeling is that there is (obviously) something interfering with the normal operation of Firefox >:(
More info… this was a thread in the Mozilla support forum where, last year, a few users were dealing with the same issue:
http://support.mozilla.com/tiki-view_forum_thread.php?locale=it&comments_parentId=57357&forumId=1
Apparently no one got any helpful answer at the time.
Today, some kind soul in that forum told me:
Hunted down the cause of this and intentionally infected win98 in a virtual machine with it. There is no way to undo this infection. You are infected with a polymorphic file infector. This infection can and will infect all the machine’s executable files .exe, .scr, .rar, .zip, .htm, .html
Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.
But he didn’t give me any more detail about the threat, a name, some clue… It’s so strange that something that has been around 1yr+ can’t be better addressed (not to mention the fact that it escapes Avast and Spybot!).
If possible, could someone give me some more detail please?..
Thank you!
By using Search on Vundo you will find:
Removal of latest vundo-fake av scanner very difficult…
http://forum.avast.com/index.php?topic=44550.0
But, then, is Vundo the bug my father is dealing with?.. :o I started the thread assuming it was Vundo/Virtumonde, but I could have been wrong. The user who made the test (“…polymorphic file infector…”) did NOT state it was Vundo! ???
Polymorphic is, as the name suggests, ever changing, so very difficult to detect and much harder to repair the damage done.
It sounds more like Virut or Vitro given the files it is infecting.
This is some stuff from a while ago, so may not be up to date for current variants (but should give an idea of what it is):
– Virut - Virtob - http://www.hm2k.com/posts/win32-virtob-virut-removal and http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html#IDComment15344616
.
Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker - for example to download/run more malware on the compromised computer. Emails may be harvested as well. This latest variant may also search for htm, html, asp and php files on the drives and modifies them by inserting an iframe that points to a malicious website. So you can already imagine what may happen if the owner is a webdesigner and uploads the infected webpages.
Also see, http://www.microsoft.com/security/portal/Entry.aspx?Name=Virus%3AWin32%2FVirut.BM and http://support.microsoft.com/kb/222473.
Try this Virut Removal Tool, this Win32/Virut Remover 1.2.0.342 8th Aug 2008 version, though that link should take you to the latest version.
- General Virut advice (the bad news) and other links by essexboy, see http://forum.avast.com/index.php?topic=43272.msg406710#msg406710 infects (*.exe *.scr *.htm *.html *.xml *.zip *.rar *.doc *.jpg *.pdf).
…studying all the information you forwarded me, and still unsure about the nature of the malware…
One question: at this point, how in your opinion could I pinpoint a file (whatever extension in has) that is FOR SURE infected?.. I could then send the file to Kaspersky and have it characterized…
Make sure that when you wipe it out (as I literally got infected with Virtumonde a week ago) you’re running in safe mode, NO NETWORKING.
Else it just rebuilds itself, which results in it taking longer to wipe from your system… which isn’t really that fun in the first place.
It was purely for information only, as a result of your comment and question in Reply #26 and #28 of page 2 of this topic…
But he didn't give me any more detail about the threat, a name, some clue... [b]It's so strange that something that has been around 1yr+ can't be better addressed [/b](not to mention the fact that it escapes Avast and Spybot!).If possible, could someone give me some more detail please?…
and
But, then, [b]is Vundo the bug my father is dealing with?[/b]... :o I started the thread assuming it was Vundo/Virtumonde, but I could have been wrong. The user who made the test ("...polymorphic file infector...") [b]did NOT state it was Vundo[/b]! ???
Bold effect for clarity as to what I was responding to/about, you wanted information, presumably to try and identify what it is.
Virut and later Virtob infections infect the targeted files (*.exe *.scr *.htm *.html *.xml *.zip *.rar *.doc *.jpg *.pdf) when any of them are opened, so the more files you open the greater the number of infected files.
From the information I gave it doesn’t pinpoint for sure a file that is infected as that job falls to an AV detection, then and only then could you upload it to another scanner.
Okay… after some research, I concluded that 1) I don’t know what I’m dealing with, and 2) since the damn thing can elude two of the best antivirus around, there is no chance to get rid of it without characterizing it before… So, I must locate a file that is infected FOR SURE. There are a few companies out there (Kaspersky and others) to which a virus can be delivered for characterization. At that point, once the thing has a name, it could be easier to find the appropriate tool.
In your opinion, what kind of “bait” could I use, and how, in order to get hold of an infected file?..
There are no end of tools for analysis, but what do you send for analysis, if the prerequisite is that you must know ‘for sure’ that it is infected? It is normal to send files to said tools on suspicion that they are infected. That is, as I have said, a task for an AV scanner.
Surely on your father’s computer there is a file that was detected as infected by some scanner or other (that would be a sample, but I fear that wouldn’t return much)?
Have you not run any on-line scanners:
On-line Virus Scanners and other useful Links Security-Ops.eu.tt
I don’t know what scanners will work with win98 and this is essentially the problem here, finding something which will run on win98 and do a half decent scan.
May I say; Superantispyware will run on Windows 98SE
You may try this older version from http://www.filehippo.com/download_superantispyware/
the suggested exe is
http://www.filehippo.com/download_superantispyware/2579/
but a word of caution: do NOT update the program, just the definitions; I found the up-to-date program WILL clash with Windows 98SE
Also Stinger will run on it
http://vil.nai.com/vil/stinger/ (11/23/2009)
And Dr.Web CureIt is also a choice
http://www.freedrweb.com/cureit/?lng=en
The ESET on-line scanner might also help
http://www.eset.com/onlinescan/
I hope this information helps your helpers and you