Removing the most dangerous windows 98 trojan
- loser
- n00b
- Posts:7
- Joined:Sun Sep 18, 2005 9:30 am
Tutorial: How to remove the most dangerous trojan from windows 98 (not detected by antivirus programs)
Disclaimer:
This tutorial is provided only for educational purposes. You should not follow its instructions in any way, and if you do, I take no responsibility for your actions. By reading this tutorial you agree to take all responsibility for your actions regarding this tutorial. I take no responsibility for any mental or physical damage caused by this tutorial. If you accept these legal terms, then you may continue reading this tutorial.
Well, I decided to write this tutorial because I think that this is important. This tutorial explains how to remove the most dangerous trojan available these days from your Windows 98 operating system. This trojan is a rootkit trojan that replaces some of the Windows 98 DLL files with modified versions. It is originally an NT trojan, but by replacing some 98 files with NT files it works in Windows 98, and the antivirus programs do not detect it.
Tools you are going to need to remove the trojan:
Windows 98
Regedit, comes with windows 98
Some registry fixing tool, registry mechanic or system mechanic will work just fine.
Optional tools:
Free spyware scanner, download it from this address: http://www.download.com/Free-Spyware-Sc ... ag=lst-0-1
Windows 98 original installation cd.
Before we start the actual removal process I suggest that you make a backup of your registry and important system files.
Now, when you are ready, we can start the removal process by launching the registry editor. You can do it by clicking the Start button, selecting the Run option, then typing regedit and pressing the OK button. Now locate the following registry key with the registry editor: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT]. Now there should be all kinds of shit under that registry key; this is the whole thing that it contains:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32]
"msacm.lhacm"="lhacm.acm"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.voxacm160"="vct3216.acm"
"vidc.wmv3"="wmv9vcm.dll"
"vidc.divx"="DivX.dll"
"VIDC.MPG4"="mpg4c32.dll"
"VIDC.MP42"="mpg4c32.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers.desc]
"lhacm.acm"="Lernout And Hauspie Codecs"
"msaud32.acm"="Windows Media Audio Codec"
"sl_anet.acm"="Sipro Lab Telecom Audio Codec"
"vct3216.acm"="Voxware Compression Toolkit"
"wmv9vcm.dll"="Microsoft Windows Media Video 9 VCM"
"DivX.dll"="DivX 5.1.1 Codec"
"mpg4c32.dll"="Microsoft MPEG-4 Video Codec"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DeleteRoamingCache"=dword:00000000
"AutoRestartShell"=dword:00000001
"Shell"="Explorer.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Fonts]
Now, what you have to do is delete the [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT] registry key from your registry by right-clicking the Windows NT key with the mouse and selecting Delete. NOTICE! YOU MUST DELETE ONLY THE WINDOWS NT KEY, NOT THE WHOLE HKEY_LOCAL_MACHINE KEY! IF YOU ARE NOT FAMILIAR WITH REGISTRY EDITING I SUGGEST THAT YOU READ SOME REGISTRY TUTORIALS BEFORE MESSING AROUND WITH THE REGISTRY! Optionally you can do this with the free spyware scanner that I mentioned earlier in this tutorial; it detects the key as suspicious entries and gives the option to remove it. The reason we must delete this Windows NT key is that it should not exist in the Windows 98 operating system. The trojan exploits the Windows registry by changing some file associations and paths of files and by replacing some Windows 98 DLL files and system files with NT files, and that way it is possible to run a Windows NT rootkit trojan on the Windows 98 operating system.
Next, we will restore one important system DLL file that is changed by this trojan. The file is called iphlpapi.dll; the trojan replaces the original Windows 98 DLL file with its own version, and it causes all kinds of problems, like some programs might not work. You can use the System File Checker that is shipped with Windows 98 to do that. Click the Start button, then select Run, type sfc.exe and press the OK button. Here is more information about the System File Checker tool and instructions on how to use it: http://help.expedient.net/general/sfc.shtml You will need your Windows 98 CD to extract the original file. The other file that is modified by this trojan is ntdll.dll, and you need to extract the original version of it too. If you don't have the Windows 98 CD, then you can find these files on the internet by searching for them on Google.
After you have done all this, you can use Registry Mechanic or some other registry fixing tool to fix the file associations and all that kinda shit. You might also want to examine your computer's boot sector; I am not sure, but I think that this trojan might use it to start every time you boot your computer. You can find some good tools to examine your boot sector on this site: http://www.ciac.org/ciac/ToolsDOSVirus.html#Bootcomp If you don't know what the boot sector is, then it is better that you leave it alone!
I understand that this tutorial is not perfect. I have not researched this trojan enough to give any better information. I don't know how my computer became infected by this trojan, but the antivirus programs don't detect it, and I found it on my system after I did much research into my system files and registry. I would be grateful if the antivirus developers could add this trojan to their definition files.
:D
Last edited by loser on Tue Oct 25, 2005 10:03 am, edited 3 times in total.
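As an added example (not code from the thread or from any of its posters), here is a small Python script that takes a REGEDIT4 export like the one quoted in the post and audits the values it contains instead of deleting the key: it flags a non-empty AppInit_DLLs, a Winlogon Shell value other than Explorer.exe, and any Drivers32 module with no matching drivers.desc description. The sample input is a shortened copy of the export in the post plus a constructed tampered variant; the expected values and the drivers.desc heuristic are assumptions, not something the thread states.

```python
"""Audit a REGEDIT4 export of HKLM\\Software\\Microsoft\\Windows NT.

Added example, not code from the thread: instead of deleting the key, parse
the text regedit exports and inspect the load-point values it contains.
The expected values and the drivers.desc heuristic are assumptions.
"""
import re

# Shortened copy of the export quoted in the first post (sample input).
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32]
"msacm.lhacm"="lhacm.acm"
"vidc.divx"="DivX.dll"
"VIDC.MPG4"="mpg4c32.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers.desc]
"lhacm.acm"="Lernout And Hauspie Codecs"
"DivX.dll"="DivX 5.1.1 Codec"
"mpg4c32.dll"="Microsoft MPEG-4 Video Codec"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"Shell"="Explorer.exe"
'''

# Constructed variant with tampered values, to show the checks firing.
TAMPERED_EXPORT = (
    SAMPLE_EXPORT
    .replace('"AppInit_DLLs"=""', r'"AppInit_DLLs"="C:\\WINDOWS\\hook.dll"')
    .replace('"Shell"="Explorer.exe"', '"Shell"="Explorer.exe loader.exe"')
    .replace('"vidc.divx"="DivX.dll"',
             '"vidc.divx"="DivX.dll"\n"vidc.xyzw"="hidden.dll"')
)

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
ROOT = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'


def unescape(s):
    """Undo the .reg escaping of backslash and double quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_data(data):
    """Decode value data: quoted string, dword, or anything else verbatim."""
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return unescape(data[1:-1])
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)
    return data


def parse_reg(text):
    """Return {key path (lower-cased): {value name: data}} for a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = parse_data(m.group(2))
    return keys


def audit(keys):
    """Return a list of findings; an empty list means nothing looked off."""
    def sub(name):
        return keys.get((ROOT + '\\' + name).lower(), {})

    findings = []
    appinit = sub('Windows').get('AppInit_DLLs', '')
    if isinstance(appinit, str) and appinit.strip():
        findings.append('AppInit_DLLs is not empty: %r' % appinit)
    shell = sub('Winlogon').get('Shell', 'Explorer.exe')
    if str(shell).strip().lower() != 'explorer.exe':
        findings.append('Winlogon Shell is not Explorer.exe: %r' % shell)
    desc = sub('drivers.desc')
    for name, module in sub('Drivers32').items():
        if module not in desc:  # assumption: every registered codec has a description
            findings.append('Drivers32 %s -> %s has no drivers.desc entry' % (name, module))
    return findings


if __name__ == '__main__':
    for label, text in (('quoted export', SAMPLE_EXPORT), ('tampered export', TAMPERED_EXPORT)):
        print(label + ':', audit(parse_reg(text)) or 'no findings')
```

Run against the export quoted in the post the audit returns no findings; run against the tampered copy it reports all three changes, which is the kind of evidence a "suspicious entries" verdict from a scanner should be backed by before anything is deleted.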
- UniX
- Veteran
- Posts:600
- Joined:Thu Jun 26, 2003 1:17 pm
- Location:input("Why are you looking here?")
/me wonders if anyone actually still uses win 98
"UNIX is an operating system, OS/2 is half an operating system, Windows is a shell, and DOS is a boot partition virus." — Peter H. Coffin .
http://cybergotham.net
- Tenchuu
- Reborn
- Posts:1160
- Joined:Tue Mar 16, 2004 3:27 pm
- Location:Society of Blazing Inferno
- Contact:
The whole tutorial is about: F*** up your Win98 install
The whole point in this tutorial is hiding the fact that you will delete this key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
Where else would the sense be in deleting a whole registry dir?
Could be that he found it funny that this antispyware tool sees the key as suspicious
Keep your friends close, keep your keyboard closer
- NoUse
- time traveller
- Posts:2624
- Joined:Thu Aug 28, 2003 10:46 pm
- Location:/pr0n/fat
- NETKOJI
- Sargeant at Arms
- Posts:275
- Joined:Thu Nov 11, 2004 6:10 pm
- Location:Poland/Sweden
- Contact:
- Rodrigo.Toste.Gomes
- Corporal
- Posts:111
- Joined:Sun Oct 09, 2005 2:50 pm
- Location:<?php echo $_SERVER['REMOTE_ADDR']; ?>
UniX wrote: /me wonders if anyone actually still uses win 98
NETKOJI wrote: Yeppers - me, for example. My computer is so old it can't possibly run WinXP nor Win2K nice and smooth.
There's always the possibility of using Damn Small linux (http://www.damnsmalllinux.org/)
-
- 31337 Martial Artist
- Posts:1898
- Joined:Sat Feb 21, 2004 8:38 am
- Location:/etc/login.defs
- Contact:
UniX wrote: /me wonders if anyone actually still uses win 98
NETKOJI wrote: Yeppers - me, for example. My computer is so old it can't possibly run WinXP nor Win2K nice and smooth.
Same for my desktop and laptop, that's one reason why they run on Slackware.
Just because you run an old PC doesn't mean you have to run an old OS.
- NETKOJI
- Sargeant at Arms
- Posts:275
- Joined:Thu Nov 11, 2004 6:10 pm
- Location:Poland/Sweden
- Contact:
Rodrigo.Toste.Gomes wrote: There's always the possibility of using Damn Small linux (http://www.damnsmalllinux.org/)
True, but this won't let me play some of my cool games (I hate wine when it comes to games), not to mention PRINT on my HP DeskJet (I just can't get that software PostScript support to work on Linux).
- loser
- n00b
- Posts:7
- Joined:Sun Sep 18, 2005 9:30 am
I edited the tutorial, because I noticed that it contained some errors. Now it should be more accurate. My first language is not English, so it causes some trouble sometimes. I think that because so many people are still using the Windows 98 operating system and are connected to the internet, it is very dangerous to be unconcerned about its security issues. Think about what kinda destruction a zombie network of a million computers with the Windows 98 operating system could cause. These are very serious matters! :D
- Techizzie
- Hacker in Training
- Posts:66
- Joined:Wed Jun 02, 2004 11:42 pm
- Location:Tornado Alley
- mrc0de
- Strike 1
- Posts:9
- Joined:Fri Aug 08, 2003 10:04 pm
- Location:Right Behind You...
- Contact:
- GhostHawk
- Ex-Mod
- Posts:1447
- Joined:Wed Jul 30, 2003 12:10 am
- Contact:
- NoUse
- time traveller
- Posts:2624
- Joined:Thu Aug 28, 2003 10:46 pm
- Location:/pr0n/fat
- mrc0de
- Strike 1
- Posts:9
- Joined:Fri Aug 08, 2003 10:04 pm
- Location:Right Behind You...
- Contact:
WHO THE F*** LOOKS AT DATES ON THIS THING BEFORE THEY REPLY??
STOP FOLLOWING ME AROUND GHOSTHAWK THE ONLY REPLIES MORE USELESS THAN MINE ARE YOURS.
AND BESIDES I HAVENT BEEN ON THIS BOARD IN LIKE 3 YEARS SO GUESS WHAT DIPSHIT THESE ARE ALL NEW POSTS TO ME!!!
I suppose I thought a forum was a place for a continual discussion on topics of interest. Silly me.
WAZZUUPP y0gi!!
MrC0de
I am The Devil, And I've Come To Do The Devil's Work.
- IceDane
- Because I Can
- Posts:2652
- Joined:Wed May 12, 2004 9:25 am
mrc0de wrote: WHO THE F*** LOOKS AT DATES ON THIS THING BEFORE THEY REPLY??
STOP FOLLOWING ME AROUND GHOSTHAWK THE ONLY REPLIES MORE USELESS THAN MINE ARE YOURS.
AND BESIDES I HAVENT BEEN ON THIS BOARD IN LIKE 3 YEARS SO GUESS WHAT DIPSHIT THESE ARE ALL NEW POSTS TO ME!!!
I suppose I thought a forum was a place for a continual discussion on topics of interest. Silly me.
WAZZUUPP y0gi!!
MrC0de
Well, well, well. Ain't good ol' mrc0de, AKA Billy the hillbilly.
Who looks at dates? I do. Just to be sure that I'm not flaming an old post of yours.
And yeah, it shows you haven't been here long. I think I can safely speak for all of us, when I say that you should go back to wherever you were, and not punish us with your presence. Your obvious ignorance to pretty much everything shines in all of your posts. Especially this one, where you call GhostHawk's posts useless.
You calling someone's posts useless is like a retarded person calling someone.. retarded ?
For those who don't know this guy; he's mrc0de. The guy whose maturity matches his intelligence. (Scary, ain't it ?)
- mrc0de
- Strike 1
- Posts:9
- Joined:Fri Aug 08, 2003 10:04 pm
- Location:Right Behind You...
- Contact:
you have no idea who you are talking to homeboy.
you are the new guy at this party.
Its like this everytime I come back from deployment....
Admins and Founders Welcome me back... and the latest flock of
noobs turn around and go "who the F*** are you"
Since you seem to enjoy analogies it's like Elvis coming back from the dead and Nsync flaming "that old guy who shakes his wiener"
Guess what buddy... I did come back to where I came from....
and its right here at htd.0rg
MrC0de
I am The Devil, And I've Come To Do The Devil's Work.
- IceDane
- Because I Can
- Posts:2652
- Joined:Wed May 12, 2004 9:25 am
It seems that I was mistaken. I was referring to another mrc0de. Although I can safely say that the analogies above still apply. Does the mrc0de nick come with downs syndrome ?
No, you are wrong here. YOU are the "new guy at this party". You may have registered way before me, but I have been active much longer.
Haha, I find it funny that you call a moderator "dipshit", and then go around calling people new.
Anyway, I don't know you well enough to judge you completely; but if you are come to stay, I advise you to read the rules about posting, and stop calling moderators dipshits, especially not ghosthawk, since he can get you banned in a blink of an eye.
- NoUse
- time traveller
- Posts:2624
- Joined:Thu Aug 28, 2003 10:46 pm
- Location:/pr0n/fat
myc0de, I'm not Yogi, as you can tell by my display name. Yogi was a plagiarizer and a pseudo-intellectual. You should still remember me, though.
And I will strike down upon thee with great vengeance and furious anger
those who would attempt to poison and destroy my brothers.
And you will know my name is the Lord
when I lay my vengeance upon thee.
- The Legato
- Hacker in Training
- Posts:96
- Joined:Fri Jun 17, 2005 6:03 pm
- Location:C:/Dev-Cpp
- Contact:
mrc0de wrote: WHO THE F*** LOOKS AT DATES ON THIS THING BEFORE THEY REPLY??
STOP FOLLOWING ME AROUND GHOSTHAWK THE ONLY REPLIES MORE USELESS THAN MINE ARE YOURS.
Well, at least you admitted your replies are useless.. as was mine..
http://cma.zdnet.com/book/c++/htm/ch01.htm <- Good C++ starter
http://www.linuxiso.org/ <- Need I say any more?
- loser
- n00b
- Posts:7
- Joined:Sun Sep 18, 2005 9:30 am