All times are UTC [ DST ]
PostPosted: Mon Aug 15, 2005 9:50 am  Post subject: Virus Problems, I think.
Author: The Devil, Probably
Looks like I've been a little lax lately with system scans and the like. Got a pop-up window like this the other day:

[Image: the pop-up window]

which indicates a Sasser worm infection (or variant). Did a full scan with up-to-date AVG and picked up a few problems, which it removed. Did a Trend Micro HouseCall online scan, which picked up another.

Tried to connect to Windows Update to get any critical patches, but hit problems. Same thing when trying to get to any of the major anti-virus sites (connection refused). Thought that might be a browser hijack, so ran HijackThis and CWShredder (Shredder found a couple of things, but they weren't affecting browsing).

Then ran Spybot, and found a whole load of shit (~80 items, mostly cookies).

So I've scanned and cleaned and updated and scanned and cleaned with everything I can think of, but the refused connections to prominent sites are still happening. Anyone else got any other ideas?

This is my report from StartupList:

Code:
StartupList report, 14/08/2005, 23:47:38
StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\Desktop\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\UGSPLM\I-DEAS11\sec\lmgrd.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe
C:\UGSPLM\I-DEAS11\sec\eds_id11.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe
C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Office Mouse\moffice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Office Mouse\MOUSE32A.DAT
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\system32\winpnp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
HPDJ Taskbar Utility = C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
(Default) =
ATICCC = "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
FLMOFFICE4DMOUSE = C:\Program Files\Office Mouse\moffice.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
SoundMan = SOUNDMAN.EXE
NeroFilterCheck = C:\WINNT\system32\NeroCheck.exe
SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
Windows PNP = winpnp.exe
WINDOWS SYSTEM = botzor.exe
csm Win Updates = csm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Windows PNP = winpnp.exe
WINDOWS SYSTEM = botzor.exe
csm Win Updates = csm.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe
Google Desktop Search = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
NBJ = "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
Windows PNP = winpnp.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

Windows PNP = winpnp.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[WUWebControl Class]
InProcServer32 = C:\WINNT\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124040838625

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38210.4716435185

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Protocol #2: C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Protocol #8: C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll



Spot anything untoward?


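As an added triage aid for the kind of listing posted above (this is example code written for this page; it is not the poster's output and not part of StartupList, HijackThis or any other tool mentioned here), the Python script below reads a report in that format and scores the registry autorun entries. The sample report embedded in it is a constructed excerpt that follows the layout of the listing above, and the four scoring rules are assumptions chosen for the example: a bare filename with no directory, an entry under a RunServices key (which only Windows 9x/ME process, so on a Windows 2000 host it is a tell that something wrote to every Run key it knew of), the same binary under several Run keys, and an OS-sounding display name for a binary that is not under the Windows directory.

```python
"""Triage a StartupList / HijackThis-style "Autorun entries from Registry" listing.

Scoring heuristics (assumptions of this example, not rules from the post): a bare
filename with no directory; an entry in a RunServices key, which only Windows
9x/ME process, so on an NT host like Windows 2000 it suggests something sprayed
every Run key it knew; the same binary in several Run keys; an OS-sounding name
for a binary outside the Windows directory. Two or more hits flags the entry.
"""
import re
from collections import defaultdict

# Constructed sample: an excerpt with the structure of the StartupList report
# in the post; legitimate entries are kept in as negatives for the scoring.
SAMPLE_REPORT = r"""Detected: Windows 2000 SP4 (WinNT 5.00.2195)
==================================================
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
SoundMan = SOUNDMAN.EXE
Windows PNP = winpnp.exe
WINDOWS SYSTEM = botzor.exe
csm Win Updates = csm.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Windows PNP = winpnp.exe
WINDOWS SYSTEM = botzor.exe
csm Win Updates = csm.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe
Windows PNP = winpnp.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

Windows PNP = winpnp.exe
"""

KEY_RE = re.compile(r"^(HKLM|HKCU)\\.*\\Run\w*$", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
OS_WORDS_RE = re.compile(r"\b(windows|win|system|microsoft|updates?)\b", re.IGNORECASE)
WINDIR_RE = re.compile(r"\\(WINNT|WINDOWS)\\", re.IGNORECASE)


def parse_autoruns(report):
    """Return [(registry_key, display_name, value)] for every autorun entry."""
    entries, key, in_section = [], None, False
    for line in (raw.strip() for raw in report.splitlines()):
        if line.startswith("Autorun entries from Registry"):
            in_section, key = True, None
        elif line.startswith("-----"):
            in_section, key = False, None
        elif in_section and line and key is None and KEY_RE.match(line):
            key = line                      # first line of a section is the key path
        elif in_section and line and key is not None:
            m = ENTRY_RE.match(line)
            if m and m.group("value"):      # skip empty "(Default) =" values
                entries.append((key, m.group("name").strip(), m.group("value")))
    return entries


def binary_of(value):
    """Extract the executable from a Run value: quoted path, else first token."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0]


def is_bare(binary):
    """True when the value names a file with no directory component at all."""
    return not any(c in binary for c in "\\/:")


def score_entries(entries, nt_based=True):
    """Score every entry; returns dicts sorted by score, highest first."""
    keys_of = defaultdict(set)              # binary -> set of Run keys it appears in
    for key, _, value in entries:
        keys_of[binary_of(value).lower()].add(key.upper())
    results = []
    for key, name, value in entries:
        binary, reasons = binary_of(value), []
        if is_bare(binary):
            reasons.append("bare filename, location not recorded")
        if nt_based and key.upper().endswith("RUNSERVICES"):
            reasons.append("RunServices is Win9x/ME-only, dead on NT")
        if len(keys_of[binary.lower()]) > 1:
            reasons.append("same binary in %d Run keys" % len(keys_of[binary.lower()]))
        if OS_WORDS_RE.search(name) and not WINDIR_RE.search(binary):
            reasons.append("OS-like display name, binary not in Windows dir")
        results.append({"key": key, "name": name, "binary": binary,
                        "score": len(reasons), "reasons": reasons})
    return sorted(results, key=lambda r: r["score"], reverse=True)


def flag_suspicious(report, threshold=2):
    """Sorted, de-duplicated binaries whose best-scoring entry meets the threshold."""
    nt_based = "WinNT" in report            # taken from StartupList's "Detected:" line
    scored = score_entries(parse_autoruns(report), nt_based=nt_based)
    return sorted({r["binary"].lower() for r in scored if r["score"] >= threshold})
```

Paste a full report into `SAMPLE_REPORT` (or read it from a file) and call `flag_suspicious`; `score_entries` gives the per-entry reasons. In the listing above it is the three bare entries sitting under both the Run and the RunServices keys that come out on top, while a bare but single-key entry such as SOUNDMAN.EXE scores one and is not flagged. A high score is a prompt to go and find the file, not a verdict: the running-process list in the same report shows where a bare name actually resolved (winpnp.exe under C:\WINNT\system32, for instance), and that file still has to be checked against a clean reference install.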
PostPosted: Mon Aug 15, 2005 10:17 am  Post subject:
Author: Request Territory
Ack, I've reformatted for less.


PostPosted: Mon Aug 15, 2005 11:07 am  Post subject:
Author: The Devil, Probably
I normally reformat about once a year, but I'm reluctant to do it as it takes so bloody long. :lol:


PostPosted: Mon Aug 15, 2005 11:18 am  Post subject:
Author: Request Territory
I once lost 20 gigs of MP3s because of a worm, so now I've built homemade recovery CDs where I can go from trashed HDD to ready to go in 2-3 hours.


PostPosted: Mon Aug 15, 2005 11:37 am  Post subject:
Author: Will Tear Your Soul Apart
The message you got looks exactly like the one I got when my PC was infected with the Blaster worm.

I advise you to have a look at these pages (if you can still do this):
http://securityresponse.symantec.com/av ... .tool.html
http://www.microsoft.com/security/incident/blast.mspx

The following is a link to the Microsoft® Windows® Malicious Software Removal Tool. This should help...
http://www.microsoft.com/downloads/deta ... laylang=en
In case you don't have access to the site, download the tool on another PC. That's what I had to do to get rid of the damn Blaster.

Good luck :beerchug:

_________________
"Wake up! Time to die!"


PostPosted: Mon Aug 15, 2005 11:50 am  Post subject:
Author: The Devil, Probably
Cheers avatar. :beerchug:

My laptop is still virus free, so I can grab the relevant stuff with that and then transfer it to the main PC. I'll give it a shot tonight.

That pop-up seems to have gone now, it's just the blocking of certain sites which is the main problem now.


PostPosted: Mon Aug 15, 2005 11:37 pm  Post subject:
Author: Site Admin
Erm, the Sasser worm was a remote thing... you don't actually have the virus, but someone else who had it then infects you by remotely closing your PC.

You need to a) disinfect, b) secure the PC, else you'll just keep getting it.

Your firewall should block port 113 remotely (or whatever the port is), else your net connection is really insecure.

I'm amazed that your router isn't blocking already! The only way it should get past your router is if your router sucks or you have DMZ, both of which mean your router is misconfigured.

_________________
Mouse nipple for the win! Trackpoint or death!


PostPosted: Tue Aug 16, 2005 12:23 am  Post subject:
Author: The Devil, Probably
spudthedestroyer wrote:
I'm amazed that your router isn't blocking already! The only way it should get past your router is if your router sucks or you have DMZ, both of which mean your router is misconfigured.


Or if my router is in its box ready to go back to SVP for a replacement. :lol:

I'm using my poxy SpeedTouch USB ATM. :(

Think I've finally got the system clean, except for the rdriv.sys worm, which is a fucking nightmare to remove.


PostPosted: Tue Aug 16, 2005 12:39 am  Post subject:
Author: Site Admin
lol, ah right, that's why you got the virus then, you douchebag! Are you seriously running Windows XP with no updates on it? Get your ass on SP2; this virus was fixed like 3 months after XP launched, wasn't it?

I'm almost positive this was fixed by Microsoft almost immediately after launch 2 or 3 years ago (or more, can't remember how long ago XP came out)... it's quite amazing really if you think about it.

You should grab an SP2 integrated install CD whilst you're on eMule, there's enough of them about. Just grab the one with "corporate" in the name. That way you don't have to deal with this shit every time you reinstall :lol:

_________________
Mouse nipple for the win! Trackpoint or death!


PostPosted: Tue Aug 16, 2005 8:59 am  Post subject:
Author: The Devil, Probably
spudthedestroyer wrote:
Are you seriously running windowsXP with no updates on it?


No, I'm running Windows 2000 SP4. :lol:

Maybe it's time for an upgrade......


PostPosted: Tue Aug 16, 2005 10:35 am  Post subject:
Author: Site Admin
you say that as if the only difference isn't the name :lol:

_________________
Mouse nipple for the win! Trackpoint or death!


PostPosted: Tue Aug 16, 2005 10:44 am  Post subject:
Author: The Devil, Probably
And cartoon buttons. :lol:

