Possible virus

Trotterwatch

New member
Just experienced what I would consider viral activity first of all:

MSblast.exe
ATIsgag.exe
and
CMD.exe
along with a few other weird names load in at startup. Google along with several other search engines is inaccessible. The system also keeps restarting with RPC shutdown errors, the patch to fix that exploit is installed btw.

I have run F-Prot for Windows on a full scan with no problems found (fully updated). I have also run Spybot Search and Destroy, as well as trying a full system restore.

Any help guys?
 

Knuckles

Active member
Moderator
Trotterwatch said:
Just experienced what I would consider viral activity first of all:

MSblast.exe
ATIsgag.exe
and
CMD.exe
along with a few other weird names load in at startup. Google along with several other search engines is inaccessible. The system also keeps restarting with RPC shutdown errors, the patch to fix that exploit is installed btw.

I have run F-Prot for Windows on a full scan with no problems found (fully updated). I have also run Spybot Search and Destroy, as well as trying a full system restore.

Any help guys?
I got one too, hidden in the system32 directory: msconfig35.exe, loaded with Windows. It automatically closes the Task Manager and the msconfig dialog as soon as they are open. After a lot of retries, I finished by closing it with a fast CTRL+ALT+DEL, "MS", DEL, ENTER; then I got into msconfig to find the file name/stop the service and removed it from my system32 folder.

But I also got this shut down thing only once, because since I deleted this file I never got it anymore.... :)
 

Trotterwatch

New member
Just managed to stop it running, and then I updated F-Prot once more, and what do you know, it's now found a virus.

It seems like the ATIs2gag file may have been stopping F-Prot from doing its work.
 

Knuckles

Active member
Moderator
This virus is circulating via MSN and ICQ, one of my friends just got it.

Damn virus, what's the fun of making a virus to infect other computers, it can infect the computer of the one who made it...
 

Stezo2k

S-2K
Mate, if you don't have auto-protect on, you're asking for trouble. I thought I was safe from viruses when I 1st had my new PC; last month it had a bad virus (though I had Norton 2k3 preinstalled). I couldn't get rid of it no matter what, it just infected all the exe files, even getting rid of it in safe mode didn't help, it just came back.

If you never had auto-protect on mate, I'm sorry but it looks like you may have to format.
 

Trotterwatch

New member
I can't seem to access that page. Indeed most pages are currently not working :( Could you post the info here Stezo? Thanks matey.

Could someone search Google for MadB, Virus, and post the results here.
 

vampireuk

Mr. Super Clever
TO CANCEL THE SHUTDOWN GO TO START -> RUN -> TYPE CMD TO ACCESS THE CMD PROMPT AND TYPE (SHUTDOWN -A) TO CANCEL IT.

DO CTRL+ALT+DELETE AND KILL MSBLAST.EXE FROM THE PROCESSES LIST

GO TO C:\WINDOWS\SYSTEM32 AND FIND MSBLAST.EXE AND RENAME IT TO BLASTMS.BAK (DON'T DELETE IT SINCE I DON'T KNOW IF IT IS AN IMPORTANT FILE. IF IT'S A VIRUS IT WILL NOT BE ABLE TO START IF U RENAME IT, RENDERING IT USELESS.)

NOW GO TO C:\WINDOWS\PREFETCH AND DELETE THE FILE THAT HAS MSBLAST.EXE IN ITS NAME.
(IT STARTS WITH MSBLAST.EXE IN ITS FILENAME)

THE VIRUS ADDS A REGISTRY VALUE TO AUTO LOAD WHEN WINDOWS STARTS UP, YOU MUST DELETE THE REGISTRY KEY.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit

3. Then click OK. (The Registry Editor opens.)

4. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

5. In the right pane, delete the value:

"windows auto update"="msblast.exe"

6. Exit the Registry Editor.

INSTALL THE PATCH FOR YOUR SYSTEM FROM THE LINKS BELOW

NON SP1 USERS =
http://microsoft.com/downloads/deta...6C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

SP1 USERS = http://securityresponse.symantec.com/avcenter/security/Content/8205.html


BY
MIKE WILSON
thx to fAlCoNNiAn from WINBETA :)
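Checking a machine for the autostart value and the prefetch trace that the steps above remove, as an added Python example that is not part of this thread or of any vendor tool: it parses a constructed `reg export` of the Run key (the sample text is invented for this example) and flags values whose executable name is on a list of the file names reported in the thread, and does the same for a list of prefetch file names. `parse_reg_export`, `find_suspicious_run_entries`, `suspicious_prefetch_files` and `KNOWN_BAD` are this example's own names and assumptions, not names from the thread.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: roughly what `reg export` of the Run key would produce
# on an infected machine. Invented data for this example, not a real capture.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"windows auto update"="msblast.exe"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Executable names reported in the thread (assumed indicator list, not exhaustive).
KNOWN_BAD = {"msblast.exe", "atisgag.exe", "msconfig35.exe"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] headers followed by
    "name"="string value" lines. Returns {key: {value_name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys[current] = {}
            continue
        entry = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if entry and current is not None:
            keys[current][entry.group(1)] = entry.group(2)
    return keys


def _exe_basename(command: str) -> str:
    """Best-effort: first token of the command (honouring a leading quoted
    path), reduced to its lowercased file name."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        first = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        first = parts[0] if parts else ""
    return re.split(r"[\\/]", first)[-1].lower()


def find_suspicious_run_entries(text: str, bad_names: Iterable[str] = KNOWN_BAD) -> List[Tuple[str, str]]:
    """Return (value_name, command) pairs under the Run key whose executable
    name is on the indicator list."""
    bad = {n.lower() for n in bad_names}
    run_values = parse_reg_export(text).get(RUN_KEY, {})
    return [(name, cmd) for name, cmd in run_values.items() if _exe_basename(cmd) in bad]


def suspicious_prefetch_files(filenames: Iterable[str], bad_names: Iterable[str] = KNOWN_BAD) -> List[str]:
    """Prefetch entries are named PROGRAM.EXE-XXXXXXXX.pf; flag those whose
    program part is on the indicator list."""
    bad = {n.lower() for n in bad_names}
    hits = []
    for f in filenames:
        if f.lower().endswith(".pf") and f.split("-")[0].lower() in bad:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for name, cmd in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f'Run value "{name}" starts {cmd}')
    # Constructed prefetch listing for the demo.
    for f in suspicious_prefetch_files(["MSBLAST.EXE-2A3B4C5D.pf", "NOTEPAD.EXE-11223344.pf"]):
        print(f"prefetch trace: {f}")
```

On a real box you would feed the function the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and the listing of `C:\WINDOWS\Prefetch`; the point of the prefetch check is that a `.pf` file proves the program ran, which is worth knowing before deciding the registry value was harmless.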
 

Trotterwatch

New member
I've done all that bar the last part (which I can't download!) and I didn't know about the shutdown -a part.

Trying to fix the Internet problems now. IE barely works, and Mozilla won't load anything.
 

LazerTag

Leap of Faith
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_faqid=506

MSBLAST.EXE

Question
What is Worm/Lovsan.A?

Answer
Don't wait to be a victim of a computer virus attack, get Vexira Antivirus today.

Manually removing an infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you back up all of your data prior to attempting to remove an infection or repair any damage caused by an infection.


Details:
--------
Name: Worm/Lovsan.A
Alias: W32/Lovsan.A
Type: Internet Worm
Discovered: August 11, 2003
Platform: Windows NT/2000/XP
Size: 6.176KB


Description:
------------
Worm/Lovsan.A is an Internet worm that exploits a known security vulnerability in Microsoft's Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. This security breach allows someone with malicious intent to run code of their choice. TCP ports directly affected by this exploit include: 135.

If executed, Worm/Lovsan.A will download and run the file msblast.exe using TFTP.

The following are components of Worm/Lovsan.A:

- msblast.exe (the main component)

So that it gets run each time a user restarts their computer, the following registry key gets added:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"

Microsoft has issued a patch to protect against the exploit used by Worm/Lovsan.A. This patch is available here.

Worm/Lovsan.A spreads by randomly scanning a given range of IP addresses on TCP port 135 for other vulnerable systems.
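The spreading behaviour in the description above (random scanning of TCP port 135, then the newly hit host fetching msblast.exe over TFTP, which runs on UDP port 69) is visible in a firewall log. The following added Python example, which is not part of the Central Command page or of this thread, runs a simple detector over constructed log lines in an invented "date time action proto src dst sport dport" layout: it reports sources that probe many distinct hosts on TCP/135 within a short window, and any probed host that then sends TFTP back to the prober, which is the host to isolate and clean first. `parse_log`, `find_rpc_scanners`, `tftp_followups` and the sample addresses are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (invented layout and addresses for this example).
# 198.51.100.7 sweeps six hosts on TCP/135; 192.0.2.13 answers with TFTP.
SAMPLE_LOG = """\
2003-08-12 10:01:03 DROP TCP 198.51.100.7 192.0.2.10 1037 135
2003-08-12 10:01:03 DROP TCP 198.51.100.7 192.0.2.11 1038 135
2003-08-12 10:01:04 DROP TCP 198.51.100.7 192.0.2.12 1039 135
2003-08-12 10:01:04 ALLOW TCP 198.51.100.7 192.0.2.13 1040 135
2003-08-12 10:01:05 DROP TCP 198.51.100.7 192.0.2.14 1041 135
2003-08-12 10:01:05 DROP TCP 198.51.100.7 192.0.2.15 1042 135
2003-08-12 10:01:09 ALLOW UDP 192.0.2.13 198.51.100.7 1043 69
2003-08-12 10:02:00 ALLOW TCP 192.0.2.50 203.0.113.5 1100 80
2003-08-12 10:02:30 ALLOW TCP 192.0.2.51 192.0.2.10 1101 135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<sport>\d+) (?P<dport>\d+)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn log lines into event dicts; lines in an unexpected layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "action": d["action"], "proto": d["proto"],
            "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]), "dport": int(d["dport"]),
        })
    return events


def find_rpc_scanners(events: List[dict], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Sources that reach >= threshold distinct destinations on TCP/135 within
    `window`. Returns {src: most distinct destinations seen in one window}.
    Drops count as much as allows: a scan is visible even when it is blocked."""
    per_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 135:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):  # sliding window starting at each hit
            dsts = {d for t, d in hits[i:] if t - t0 <= window}
            best = max(best, len(dsts))
        if best >= threshold:
            scanners[src] = best
    return scanners


def tftp_followups(events: List[dict], scanners: Dict[str, int]) -> List[Tuple[str, str]]:
    """(victim, scanner) pairs: a host probed on 135 by a detected scanner that
    afterwards sends UDP/69 (TFTP) to that scanner, i.e. the second stage of
    the infection described above."""
    probed = defaultdict(set)   # scanner -> hosts it touched on 135
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 135 and e["src"] in scanners:
            probed[e["src"]].add(e["dst"])
    return [(e["src"], e["dst"]) for e in events
            if e["proto"] == "UDP" and e["dport"] == 69
            and e["dst"] in scanners and e["src"] in probed[e["dst"]]]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = find_rpc_scanners(evts)
    for src, n in found.items():
        print(f"{src} probed {n} hosts on TCP/135")
    for victim, scanner in tftp_followups(evts, found):
        print(f"{victim} fetched a file by TFTP from {scanner}: likely infected")
```

The threshold and window are deliberately parameters: one host legitimately talking RPC to a domain controller on 135 (the last sample line) never trips the detector, while a sweep across many addresses in seconds does, whatever the firewall's verdict on each packet.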
 

Knuckles

Active member
Moderator
I searched for this file, but I couldn't find it (even if hidden/system files). But instead, I found another virus in another file :\
hhvolafzhy.exe

And I have auto-protect on and I did a scan the friday.

EDIT: :( Virus time, after a little scan of all *.exe files, I got that:

-The file C:\System Volume Information\_restore{E58AF48A-8234-4894-91E0-008E6572CDF8}\RP6\A0000263.exe is infected with the W32.Spybot.Worm virus
-The file C:\System Volume Information\_restore{E58AF48A-8234-4894-91E0-008E6572CDF8}\RP11\A0006085.exe is infected with the W32.Spybot.Worm virus.
-The file C:\System Volume Information\_restore{E58AF48A-8234-4894-91E0-008E6572CDF8}\RP25\A0009674.exe is infected with the W32.Spybot.Worm virus.
-The file C:\WINDOWS\system32\cuddgzehcx.exe is infected with the W32.Spybot.Worm virus.
with the other one:
-The file C:\WINDOWS\system32\hhvolafzhy.exe is infected with the W32.Spybot.Worm virus.


some are system restore files! crap!
 

aprentice

Moderator
I've had this worm, it's easy to get rid of. Just delete it from the reg, system32, and prefetch folder. Then install the updates from Windows Update and you're good to go again :p Worked for me at least.

edit: it could've been worse, instead of the worm attacking windowsupdate on the 16th, I could be reformatting everyone's PC.
 

dukenukem

lord freiza
All that stuff Knuckles posted there I found once before and it caused my system to reformat and I lost tons of MP3s and good MUGEN characters, have never been infected by any other virus since.
 
