This virus keeps coming back after it is removed


Pete
01-08-2004, 12:24 PM
This virus keeps coming back after it is removed with AVG and the Symantec removal tool.
I also attempted to use regedit but did not understand what to do after I got to "windows auto update".
The machine is running XP. I need to do Windows Update but this virus blocks me every time. I attempted to change the system time back by several hours. This does not work; the download stops and I cannot get it started again.
Any suggestions? Pete


Attention: Are you looking for info about the cause of the "Remote Procedure Call (RPC)" error message, initiated by NT Authority\System, that shuts down Windows (you might also see an svchost.exe error occasionally)?
It is a virus that started spreading very quickly on August 11, 2003. It works by exploiting unpatched Windows 2000/XP computers. It has been named Lovesan (LovSan, LuvSan) or Blaster.
Use McAfee VirusScan Online to scan your PC for viruses now <http://click.linksynergy.com/fs-bin/click?id=4PJwnEXKiY8&offerid=50252.6&type=3&subid=3> and prevent such future problems.
Here is additional info about the virus from McAfee: ** MEDIUM VIRUS ALERT - 'LovSan' Worm** <http://click.linksynergy.com/fs-bin/click?id=4PJwnEXKiY8&offerid=50252.10000017&type=3&subid=3>
Here <http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe> is Microsoft's security patch for Windows XP that fixes this dangerous vulnerability allowing anyone to execute any program on your computer across the Internet. Here <http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe> it is for Windows 2000. If you have a slower connection, you may not be able to download it before your computer shuts down. In this case, look at other options below or use another computer to download it and then copy it over and run it on your computer. Here <http://support.microsoft.com/?kbid=823980> is more info from Microsoft. You should also regularly use Windows Update.
There are several options to avoid the system shutdown:
Go to Start->Control Panel->Administrative Tools->Services->Remote Procedure Call (RPC)->Recovery tab and choose "Take No Action" for all three choices.
Go to Start->Run, type in shutdown /a, and press Enter.
Change the system time back by several hours.
Disconnect from the Internet.
Symantec has made available a virus removal tool <http://securityresponse.symantec.com/avcenter/FixBlast.exe> (more info here <http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html>).
Another removal option for more advanced users is:
1. Delete msblast.exe (usually found at c:\windows\system32\msblast.exe).
2. Delete the Windows Registry key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update" containing "msblast.exe". This is what causes the virus to start on reboot. To edit the Registry, go to Start->Run and put in "regedit".

Ronan
01-08-2004, 12:32 PM
You could try this.

Shut off System Restore, and run the Symantec cleaner again.
Then when it's clear, turn restore back on.

Pete
01-08-2004, 12:40 PM
Thanks Ronan, already did this.
Shut off System Restore, and run the Symantec cleaner again.
Then when it's clear, turn restore back on. Pete

Ronan
01-08-2004, 02:08 PM
If you look at the screenshot I have attached, the windows auto update isn't found in the Run section as directed by your instructions.

It's here:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate"

When you get to that point in the tree, see if msblast.exe is in the right-hand pane.

If it is, delete that key, and ONLY that one.

Be sure to reboot after you've made the change.


Edit: if it's not there, close regedit and post back

brett
01-08-2004, 02:38 PM
Click Start - Run and type:

SERVICES.MSC

Scroll and right-click on Remote Procedure Call (RPC). Choose Properties - Recovery - First Failure - Restart the Service. Click OK.

Download, unzip and run the attached (courtesy of Kelly Theriot).
Visit Windows Updates and install a firewall!!!

HTH.

Pete
01-09-2004, 05:54 PM
First, thanks to Ronan & Brett. I tried everything you suggested and more BUT
I have worked for hours with this VIRUS, attempting to download Windows updates and the Msblast tool. I discovered that if I watched really closely and set the time back several hours, the download would sometimes continue; other times it would stop and I would start over.
I still have several Windows Updates to download and install.

Now I have this computer so screwed up that when I am trying to do something on the Internet, or just idle with the desktop showing, a window pops up and tells me:
Virus identified Worm/Lovsan.A. Run AVG. I run AVG, no virus found.
I run the Msblast tool, no virus.
Pete

sixpac
01-09-2004, 06:12 PM
Disable System Restore

Close port 135/tcp (and if possible 135-139, 445 and 593)

SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET

this causes a remote shell on port 4444 at the TARGET

the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444

the target will now connect to the tftp server at the SOURCE

or

You can give this a try:

entering the command

"shutdown /a" (no quotes)

in the Start menu's Run dialog should stop the countdown. With the countdown halted, you can try the free removal tool from Symantec (http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html)
or do the job by hand.

To clean out Blaster yourself, start by physically disconnecting the computer from the network and Internet.

Then kill off the MSBLAST.EXE process.

Press Ctrl+Alt+Del to bring up the Task Manager (in Windows 2000 you'll also need to click the Task Manager button). Click the Processes tab, highlight MSBLAST.EXE in the list, and click the End Process button.

The MSBLAST.EXE program is launched at startup from a Registry entry.

Launch REGEDIT from the Start menu's Run dialog and navigate to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.


In the right-hand pane you should see a value whose name is

"windows auto update"

and whose data is

MSBLAST.EXE.

Delete this value.

If for some reason you couldn't kill off the MSBLAST.EXE process in the preceding step, restart the computer at this point.


Use Search from the Start menu to locate all instances of files named MSBLAST.EXE and delete them. Next, disable DCOM temporarily.

Launch DCOMCNFG.EXE from the Start menu's Run dialog.

Those running Windows XP or Windows Server 2003 will now need to navigate to

Start\Control Panel\Administrative Tools\Component Services\Computers\My Computer, then right-click My Computer and choose Properties. Click the Default Properties tab, un-check "Enable Distributed COM on this computer", and click OK.

Now you can reconnect the computer to the network; even if Blaster were to attack your system again, it can't function with DCOM disabled.

The first thing you must do is download and install a personal firewall; you can get a free one from ZoneLabs (http://www.zonelabs.com/store/content/home.jsp)
or Sygate (http://www.sygate.com/). Once the personal firewall is up and running, go back and re-enable DCOM. Finally, install the Microsoft patch (http://www.microsoft.com/security/security_bulletins/ms03-026.asp)
that blocks the vulnerability exploited by Blaster.

brett
01-09-2004, 06:24 PM
Enable ICF (http://www.microsoft.com/security/incident/icf.asp), download and run Stinger (http://vil.nai.com/vil/stinger/) and, if the problems persist, run the attached file and copy and post the contents of the automatically generated log file.

Pete
01-10-2004, 12:00 AM
Have Sygate running now and all but one of the critical updates; things are looking much better now.
Had all of this computer I can take for one day. Thanks Brett.
Hope this is what you asked for.
Ran Stinger, no problem.

StartupList report, 1/9/2004, 10:51:52 PM
StartupList version: 1.52
Started from : E:\Documents and Settings\pete\Local Settings\Temp\Temporary Directory 1 for startuplist152[1].zip\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVG6\avgserv.exe
E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
E:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WNCLIENT\PROGRAMS\WNCSMS~1.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Outlook Express\msimn.exe
E:\Documents and Settings\pete\Local Settings\Temp\Temporary Directory 1 for startuplist152[1].zip\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[E:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Microsoft Office Shortcut Bar.lnk = E:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG_CC = E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
SmcService = E:\PROGRA~1\Sygate\SPF\smc.exe -startgui

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "E:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - E:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = E:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37993.3444907407

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
CDBurn: E:\WINDOWS\system32\SHELL32.dll
WebCheck: E:\WINDOWS\System32\webcheck.dll
SysTray: E:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,226 bytes
Report generated in 0.461 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
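
The thread keeps pointing at one persistence indicator: a value named "windows auto update" whose data is msblast.exe under a CurrentVersion\Run key. As an added example (not code from the thread or from StartupList), here is a small parser that reads the "Autorun entries from Registry" sections of a StartupList 1.52 report like the one Pete posted and flags entries matching that indicator. The sample report is constructed; its msblast.exe line is invented for illustration and was not in Pete's actual (clean) report.

```python
import re

# Constructed sample in the StartupList 1.52 layout posted in this thread. The
# "windows auto update = msblast.exe" line is added for illustration; it is NOT
# in Pete's report, which was already clean.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG_CC = E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
windows auto update = msblast.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "E:\Program Files\Messenger\msmsgs.exe" /background
"""

# Indicators named in the thread: Blaster's persistence value name and binary.
SUSPECT_NAMES = {"windows auto update"}
SUSPECT_BINARIES = {"msblast.exe"}


def target_basename(data):
    """Executable file name from a Run value's data (handles quoted paths, args)."""
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        path = data.split(None, 1)[0] if data else ""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_run_entries(report):
    """Return (registry_key, value_name, data) from each 'Autorun entries' section."""
    entries, current_key, lines = [], None, report.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Autorun entries from Registry:"):
            # StartupList prints the key path on the line right after the header.
            current_key = lines[i + 1].strip() if i + 1 < len(lines) else None
        elif line.startswith("-----"):
            current_key = None                   # separator ends the section
        elif current_key and " = " in line:
            name, data = line.split(" = ", 1)
            entries.append((current_key, name.strip(), data.strip()))
    return entries


def find_blaster_persistence(report):
    """Flag Run-key values whose name or target matches the indicators above."""
    return [(k, n, d) for k, n, d in parse_run_entries(report)
            if n.lower() in SUSPECT_NAMES or target_basename(d) in SUSPECT_BINARIES]
```

Run against the constructed sample, only the invented "windows auto update" entry under HKLM is returned; the legitimate AVG and Messenger entries are not.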

brett
01-10-2004, 04:26 AM
Lookin' good! I take it the reboots have now stopped? If so, disable and then re-enable system restore. This'll flush all existing restore points so there'll be no risk of you unintentionally restoring this beast at some later date.

Pete
01-10-2004, 11:31 AM
A special thanks to all that helped me on this problem.
The computer has been up and running for several hours now
and looks like things are OK. Pete