Removing the most dangerous windows 98 trojan

loser
n00b
Posts: 7
Joined: Sun Sep 18, 2005 9:30 am


Post by loser » Mon Oct 24, 2005 10:00 am

Tutorial: How to remove the most dangerous trojan from Windows 98 (not detected by antivirus programs)

Disclaimer:
This tutorial is provided only for educational purposes. You should not follow its instructions in any way, and if you do, I take no responsibility for your actions. By reading this tutorial you agree to take all responsibility for your actions regarding this tutorial. I take no responsibility for any mental or physical damage caused by this tutorial. If you accept these legal terms, then you shall continue reading this tutorial.

Well, I decided to write this tutorial because I think that this is important. This tutorial explains how to remove the most dangerous trojan available these days from your Windows 98 operating system. This trojan is a rootkit trojan that replaces some of the Windows 98 DLL files with modified versions. It is originally an NT trojan, but by replacing some 98 files with NT files, it works in Windows 98 and antivirus programs do not detect it.

Tools you are going to need to remove the trojan:
Windows 98
Regedit, which comes with Windows 98
Some registry-fixing tool; Registry Mechanic or System Mechanic will work just fine.
Optional tools:
Free spyware scanner, download it from this address: http://www.download.com/Free-Spyware-Sc ... ag=lst-0-1
Windows 98 original installation CD.

Before we start the actual removal process, I suggest that you make a backup of your registry and important system files.
Now, when you are ready, we can start the removal process by launching the registry editor. You can do it by clicking the Start button, selecting the Run option, typing regedit and pressing the OK button. Now locate the following registry key with the registry editor: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT]. There should be all kinds of shit under that registry key; this is the whole thing that it contains:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32]
"msacm.lhacm"="lhacm.acm"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.voxacm160"="vct3216.acm"
"vidc.wmv3"="wmv9vcm.dll"
"vidc.divx"="DivX.dll"
"VIDC.MPG4"="mpg4c32.dll"
"VIDC.MP42"="mpg4c32.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers.desc]
"lhacm.acm"="Lernout And Hauspie Codecs"
"msaud32.acm"="Windows Media Audio Codec"
"sl_anet.acm"="Sipro Lab Telecom Audio Codec"
"vct3216.acm"="Voxware Compression Toolkit"
"wmv9vcm.dll"="Microsoft Windows Media Video 9 VCM"
"DivX.dll"="DivX 5.1.1 Codec"
"mpg4c32.dll"="Microsoft MPEG-4 Video Codec"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DeleteRoamingCache"=dword:00000000
"AutoRestartShell"=dword:00000001
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Fonts]

Now, what you have to do is delete the [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT] registry key from your registry by right-clicking the Windows NT key with the mouse and selecting Delete. NOTICE! YOU MUST DELETE ONLY THE WINDOWS NT KEY, NOT THE WHOLE HKEY_LOCAL_MACHINE KEY! IF YOU ARE NOT FAMILIAR WITH REGISTRY EDITING I SUGGEST THAT YOU READ SOME REGISTRY TUTORIALS BEFORE MESSING AROUND WITH THE REGISTRY! Optionally you can do this with the free spyware scanner that I mentioned earlier in this tutorial; it detects the key as a suspicious entry and gives the option to remove it. The reason we must delete this Windows NT key is that it should not exist in the Windows 98 operating system. The trojan exploits the Windows registry by changing some file associations and paths of files and by replacing some Windows 98 DLL files and system files with NT files, and that way it is possible to run a Windows NT rootkit trojan on the Windows 98 operating system.

Next, we will restore one important system DLL file that is changed by this trojan. The file is called iphlpapi.dll; the trojan replaces the original Windows 98 DLL file with its own version, and it causes all kinds of problems, like some programs might not work. You can use the System File Checker that is shipped with Windows 98 to do that. Click the Start button, then select Run, type sfc.exe and press the OK button. Here is more information about the System File Checker tool and instructions on how to use it: http://help.expedient.net/general/sfc.shtml You will need your Windows 98 CD to extract the original file. The other file that is modified by this trojan is ntdll.dll, and you need to extract the original version of it too. If you don't have the Windows 98 CD, then you can find these files on the internet by searching for them on Google.

After you have done all this, you can use Registry Mechanic or some registry-fixing tool to fix the file associations and all that kinda shit. You might also want to examine your computer's boot sector; I am not sure, but I think that this trojan might use it to start every time you boot your computer. You can find some good tools to examine your boot sector on this site: http://www.ciac.org/ciac/ToolsDOSVirus.html#Bootcomp If you don't know what the boot sector is, then it is better that you leave it alone!

I understand that this tutorial is not perfect. I have not researched this trojan so much that I could give any better information. I don't know how my computer became infected by this trojan, but the antivirus programs don't detect it, and I found it on my system after I did much research of my system files and registry. I would be grateful if the antivirus developers could add this trojan to their definition files.

:D
Last edited by loser on Tue Oct 25, 2005 10:03 am, edited 3 times in total.
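The check a defender would want before deleting anything is a comparison of the exported key against a known-good export of the same key, rather than a hunch about whether it "should exist". As an added example that is not code from the original post, here is a small Python parser for the REGEDIT4 export format quoted above (the format regedit /e writes on Windows 98), plus a diff of a baseline export against a later one. Both exports are constructed sample data: the baseline is a trimmed copy of the key listing in the post, and the "later" export has one value changed (AppInit_DLLs, a load point the post's listing shows empty), one made-up value added under Winlogon, and the Fonts key removed. The path C:\EXAMPLE\hook.dll is a placeholder, not a real indicator.

```python
"""Parse REGEDIT4 exports (the format quoted in the post above) and diff two of
them. Added example, not code from the original post; the two exports below are
constructed sample data."""
import re

# Constructed baseline: a trimmed copy of the key listing quoted in the post.
BASELINE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32]
"msacm.lhacm"="lhacm.acm"
"vidc.divx"="DivX.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Fonts]
"""

# Constructed "later" export: AppInit_DLLs now points at a placeholder DLL,
# a made-up value was added under Winlogon, and the Fonts key is gone.
CURRENT_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32]
"msacm.lhacm"="lhacm.acm"
"vidc.divx"="DivX.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\EXAMPLE\\hook.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"Shell"="Explorer.exe"
"ExampleValue"=hex:01,02,ff
"""

# A value line is either "name"=data or @=data (the key's default value).
_VALUE_LINE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def decode_value(raw):
    """Turn the right-hand side of a REGEDIT4 value line into a Python value."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])     # unescape \" and \\
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex'):                          # hex:, hex(2):, hex(7): ...
        body = raw.split(':', 1)[1]
        return bytes(int(b, 16) for b in body.split(',') if b.strip())
    return raw                                         # unknown type: keep literal


def parse_reg(text):
    """Return {key_path: {value_name: value}} for one REGEDIT4 export."""
    keys, current, pending = {}, None, ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if not line or line == 'REGEDIT4' or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})               # keep empty keys too
            continue
        if line.endswith('\\'):                        # hex data continued on next line
            pending = line[:-1]
            continue
        if current is None:
            raise ValueError('value line before any key: %r' % line)
        m = _VALUE_LINE.match(line)
        if not m:
            raise ValueError('unparseable line: %r' % line)
        name = '' if m.group(1) == '@' else m.group(1)[1:-1]
        keys[current][name] = decode_value(m.group(2))
    return keys


def diff_reg(baseline, current):
    """List (change, key_path, value_name) tuples; value_name is None for whole keys."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            changes.append(('key removed', key, None))
        elif key not in baseline:
            changes.append(('key added', key, None))
        else:
            old, new = baseline[key], current[key]
            for name in sorted(set(old) | set(new)):
                if name not in new:
                    changes.append(('value removed', key, name))
                elif name not in old:
                    changes.append(('value added', key, name))
                elif old[name] != new[name]:
                    changes.append(('value changed', key, name))
    return changes


def report():
    """Diff the two constructed exports; returns the change list."""
    return diff_reg(parse_reg(BASELINE_REG), parse_reg(CURRENT_REG))


if __name__ == '__main__':
    for change, key, name in report():
        print('%-14s %s%s' % (change, key, ('\\' + name) if name else ''))
```

On a real machine the two inputs would be a .reg file exported before the suspected change (or from a clean install) and one exported now; the diff then points at the specific values that differ, which is a far smaller and safer thing to act on than a whole key tree.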

UniX
Veteran
Posts: 600
Joined: Thu Jun 26, 2003 1:17 pm
Location: input("Why are you looking here?")

Post by UniX » Mon Oct 24, 2005 11:36 am

/me wonders if anyone actually still uses win 98
"UNIX is an operating system, OS/2 is half an operating system, Windows is a shell, and DOS is a boot partition virus." — Peter H. Coffin.

http://cybergotham.net

Tenchuu
Reborn
Posts: 1160
Joined: Tue Mar 16, 2004 3:27 pm
Location: Society of Blazing Inferno

Post by Tenchuu » Mon Oct 24, 2005 11:50 am

The whole tutorial is about: F*** up your Win98 install.
The whole point of this tutorial is hiding the fact that you will delete this key


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT

Where else would there be sense in deleting a whole registry dir?

Could be that he found it funny that this antispyware tool sees the key as suspicious
Keep your friends close, keep your keyboard closer

NoUse
time traveller
Posts: 2624
Joined: Thu Aug 28, 2003 10:46 pm
Location: /pr0n/fat

Post by NoUse » Mon Oct 24, 2005 12:27 pm

Why would you write a tutorial about a trojan that affects an obsolete OS?
And I will strike down upon thee with great vengeance and furious anger
those who would attempt to poison and destroy my brothers.
And you will know my name is the Lord
when I lay my vengeance upon thee.

NETKOJI
Sargeant at Arms
Posts: 275
Joined: Thu Nov 11, 2004 6:10 pm
Location: Poland/Sweden

Post by NETKOJI » Mon Oct 24, 2005 1:10 pm

UniX wrote:/me wonders if anyone actually still uses win 98
Yeppers - me, for example. My computer is so old it can't possibly run WinXP nor Win2K nice and smooth.

Rodrigo.Toste.Gomes
Corporal
Posts: 111
Joined: Sun Oct 09, 2005 2:50 pm
Location: <?php echo $_SERVER['REMOTE_ADDR']; ?>

Post by Rodrigo.Toste.Gomes » Mon Oct 24, 2005 1:23 pm

NETKOJI wrote:
UniX wrote:/me wonders if anyone actually still uses win 98
Yeppers - me, for example. My computer is so old it can't possibly run WinXP nor Win2K nice and smooth.
There's always the possibility of using Damn Small Linux (http://www.damnsmalllinux.org/)

telcontar
31337 Martial Artist
Posts: 1898
Joined: Sat Feb 21, 2004 8:38 am
Location: /etc/login.defs

Post by telcontar » Mon Oct 24, 2005 4:51 pm

NETKOJI wrote:
UniX wrote:/me wonders if anyone actually still uses win 98
Yeppers - me, for example. My computer is so old it can't possibly run WinXP nor Win2K nice and smooth.
Same for my desktop and laptop, that's one reason why they run on Slackware.

Just because you run an old PC doesn't mean you have to run an old OS.

NETKOJI
Sargeant at Arms
Posts: 275
Joined: Thu Nov 11, 2004 6:10 pm
Location: Poland/Sweden

Post by NETKOJI » Tue Oct 25, 2005 3:29 am

Rodrigo.Toste.Gomes wrote: There's always the possibility of using Damn Small linux (http://www.damnsmalllinux.org/)
True, but this won't let me play some of my cool games (I hate Wine when it comes to games), not to mention PRINT on my HP DeskJet (I just can't get that software PostScript support to work on Linux).

loser
n00b
Posts: 7
Joined: Sun Sep 18, 2005 9:30 am

Post by loser » Tue Oct 25, 2005 10:14 am

I edited the tutorial, because I noticed that it contained some errors. Now it should be more accurate. My first language is not English, so it causes some trouble sometimes. I think that because so many people are still using the Windows 98 operating system and are connected to the internet, it is very dangerous to be unconcerned about its security issues. Think about what kinda destruction a zombie network of a million computers with the Windows 98 operating system could cause. These are very serious matters! :D

Techizzie
Hacker in Training
Posts: 66
Joined: Wed Jun 02, 2004 11:42 pm
Location: Tornado Alley

Post by Techizzie » Tue Oct 25, 2005 4:23 pm

Work in an ISP's tech support department. You'll find people still hanging onto their Windows 95 machines with 133 MHz processors and 64 megs of RAM.

mrc0de
Strike 1
Posts: 9
Joined: Fri Aug 08, 2003 10:04 pm
Location: Right Behind You...

Post by mrc0de » Fri Jan 06, 2006 12:31 am

lol... if you use win98... you're just sad.

MrC0de :twisted:
I am The Devil, And I've Come To Do The Devil's Work.

GhostHawk
Ex-Mod
Posts: 1447
Joined: Wed Jul 30, 2003 12:10 am

Post by GhostHawk » Fri Jan 06, 2006 8:57 am

If you post stupid comments on old threads, you're just dumb.
Opinions are like ass holes, everyone has one. It is also my opinion, that I am an ass hole.

NoUse
time traveller
Posts: 2624
Joined: Thu Aug 28, 2003 10:46 pm
Location: /pr0n/fat

Post by NoUse » Fri Jan 06, 2006 5:56 pm

Long time no see mrc0de.

mrc0de
Strike 1
Posts: 9
Joined: Fri Aug 08, 2003 10:04 pm
Location: Right Behind You...

Post by mrc0de » Sat Jan 07, 2006 3:42 am

WHO THE F*** LOOKS AT DATES ON THIS THING BEFORE THEY REPLY??

STOP FOLLOWING ME AROUND GHOSTHAWK THE ONLY REPLIES MORE USELESS THAN MINE ARE YOURS.

AND BESIDES I HAVEN'T BEEN ON THIS BOARD IN LIKE 3 YEARS SO GUESS WHAT DIPSHIT THESE ARE ALL NEW POSTS TO ME!!!

I suppose I thought a forum was a place for a continual discussion on topics of interest. Silly me.

WAZZUUPP y0gi!!



IceDane
Because I Can
Posts: 2652
Joined: Wed May 12, 2004 9:25 am

Post by IceDane » Sat Jan 07, 2006 3:56 am

mrc0de wrote:WHO THE F*** LOOKS AT DATES ON THIS THING BEFORE THEY REPLY??

STOP FOLLOWING ME AROUND GHOSTHAWK THE ONLY REPLIES MORE USELESS THAN MINE ARE YOURS.

AND BESIDES I HAVEN'T BEEN ON THIS BOARD IN LIKE 3 YEARS SO GUESS WHAT DIPSHIT THESE ARE ALL NEW POSTS TO ME!!!

I suppose I thought a forum was a place for a continual discussion on topics of interest. Silly me.

WAZZUUPP y0gi!!


MrC0de :twisted:
Well, well, well. Ain't good ol' mrc0de, AKA Billy the hillbilly.

Who looks at dates ? I do. Just to be sure that I'm not flaming an old post of yours.

And yeah, it shows you haven't been here long. I think I can safely speak for all of us when I say that you should go back to wherever you were, and not punish us with your presence. Your obvious ignorance of pretty much everything shines in all of your posts. Especially this one, where you call GhostHawk's posts useless.
You calling someone's posts useless is like a retarded person calling someone.. retarded ?

For those who don't know this guy; he's mrc0de. The guy whose maturity matches his intelligence. (Scary, ain't it ?)

mrc0de
Strike 1
Posts: 9
Joined: Fri Aug 08, 2003 10:04 pm
Location: Right Behind You...

Post by mrc0de » Sat Jan 07, 2006 4:10 am

you have no idea who you are talking to homeboy.

you are the new guy at this party.

It's like this every time I come back from deployment....

Admins and Founders Welcome me back... and the latest flock of
noobs turn around and go "who the F*** are you"

Since you seem to enjoy analogies it's like Elvis coming back from the dead and Nsync flaming "that old guy who shakes his wiener"

Guess what buddy... I did come back to where I came from....
and it's right here at htd.0rg


IceDane
Because I Can
Posts: 2652
Joined: Wed May 12, 2004 9:25 am

Post by IceDane » Sat Jan 07, 2006 1:38 pm

It seems that I was mistaken. I was referring to another mrc0de. Although I can safely say that the analogies above still apply. Does the mrc0de nick come with Down syndrome?

No, you are wrong here. YOU are the "new guy at this party". You may have registered way before me, but I have been active much longer.

Haha, I find it funny that you call a moderator "dipshit", and then go around calling people new.

Anyway, I don't know you well enough to judge you completely; but if you have come to stay, I advise you to read the rules about posting, and stop calling moderators dipshits, especially not GhostHawk, since he can get you banned in the blink of an eye.

NoUse
time traveller
Posts: 2624
Joined: Thu Aug 28, 2003 10:46 pm
Location: /pr0n/fat

Post by NoUse » Sun Jan 08, 2006 4:33 pm

myc0de, I'm not Yogi, as you can tell by my display name. Yogi was a plagiarizer and a pseudo-intellectual. You should still remember me, though.

The Legato
Hacker in Training
Posts: 96
Joined: Fri Jun 17, 2005 6:03 pm
Location: C:/Dev-Cpp

Post by The Legato » Mon Jan 09, 2006 12:08 am

mrc0de wrote:WHO THE F*** LOOKS AT DATES ON THIS THING BEFORE THEY REPLY??

STOP FOLLOWING ME AROUND GHOSTHAWK THE ONLY REPLIES MORE USELESS THAN MINE ARE YOURS.
Well, at least you admitted your replies are useless..

as was mine..
http://cma.zdnet.com/book/c++/htm/ch01.htm <- Good C++ starter
http://www.linuxiso.org/ <- Need I say any more?

loser
n00b
Posts: 7
Joined: Sun Sep 18, 2005 9:30 am

Post by loser » Mon Jul 17, 2006 5:31 am

mrc0de wrote:lol... if you use win98... you're just sad.

MrC0de :twisted:
Yeah, I think I must be sad, that is so true! I just don't know anymore man, I really don't know...
