Wilders Security Forums  

#1
September 24th, 2003, 11:21 PM
Heath
Regular Poster
Join Date: Aug 2003
Location: Paris, Texas
Posts: 60
almost like WIN32.BLASTER.WORM

ok, I have a computer that has the same symptoms as WIN32.BLASTER.WORM but I ran the scan from Symantec and it says nothing is working. I turned off the system restore thing, like I have read from somewhere, but it still doesn't work, so what can be done about this?

thanks
__________________
This Was A Message From Heath, Please Enjoy It...

Thank You
#2
September 24th, 2003, 11:48 PM
snapdragin
Administrator
Join Date: Feb 2002
Location: Southern Ont., Canada
Posts: 8,415
Re:almost like WIN32.BLASTER.WORM

Hi Heath,

If you could give us more information it would better help us to help you.

Quote (Heath):
ok, I have a computer that has the same symptoms as WIN32.BLASTER.WORM

What program (anti-virus) alerted you to the possibility you have this worm? If it wasn't an anti-virus that flagged an infection, then what particular symptoms are you experiencing that have given you the idea you have been infected with the Blaster Worm?

Quote (Heath):
but I ran the scan from Symantec and it says nothing is working. I turned off the system restore thing, like I have read from somewhere, but it still doesn't work, so what can be done about this?

What scan did you run? If you are meaning the Blaster Worm Removal Utility that Symantec offers, then you will have to download the Microsoft Patch first before the utility will work.

From the Symantec site:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Important Notes:

W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before continuing with the removal instructions. If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.


snap

(fixed my typos)
__________________
@-`-,--
#3
September 25th, 2003, 05:30 PM
Heath
Regular Poster
Join Date: Aug 2003
Location: Paris, Texas
Posts: 60
Re:almost like WIN32.BLASTER.WORM

ok, the symptoms were first the computer goes really slow, then it just shuts down...

I went to the Symantec site and downloaded the first one, and ran it; I couldn't find anything about the patch..

so, if you know like the registry files that I could remove or some other process, that would be greatly appreciated
__________________
This Was A Message From Heath, Please Enjoy It...

Thank You
#4
September 25th, 2003, 05:39 PM
Dan Perez
Global Moderator
Join Date: May 2003
Location: Sunny San Diego
Posts: 1,495
Re:almost like WIN32.BLASTER.WORM

Hi Heath,

Can you please download and run HijackThis from

http://www.tomcoyote.org/hjt/hijackthis.zip

and scan the system but do *not* try to fix anything yet as many of the items listed are necessary, instead press the "save log" button and copy and paste the log here for someone to review and advise on.

Thanks
__________________
"Whan alle tresors arn tried, Treuthe is the beste." Piers Plowman (William Langland)
#5
September 25th, 2003, 07:54 PM
Heath
Regular Poster
Join Date: Aug 2003
Location: Paris, Texas
Posts: 60
Re:almost like WIN32.BLASTER.WORM

here you go...

Logfile of HijackThis v1.97.2
Scan saved at 4:53:21 PM, on 9/25/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\wins\DLLHOST.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Charles Nichols\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://service.bfast.com/bfast/click?bfmid=253985&bfsiteid=30397089&bfpage=homelink3
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.academicplanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.academicplanet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AcademicPlanet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe"
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: WebMail (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.academicplanet.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.5636111111

Disabled bfast link
__________________
This Was A Message From Heath, Please Enjoy It...

Thank You
#6
September 25th, 2003, 10:56 PM
Dan Perez
Global Moderator
Join Date: May 2003
Location: Sunny San Diego
Posts: 1,495
Re:almost like WIN32.BLASTER.WORM

Hi Heath,

Your HijackThis log looks pretty clean except that the running process list shows that you have a probable Welchia Worm component running.

http://www.trusecure.com/knowledge/h.../welchia.shtml

I do not know why your AV has not noticed it but you might want to look at downloading a dedicated Welchia removal tool. One from Symantec (with detailed usage instructions) can be obtained here

http://securityresponse.symantec.com...oval.tool.html

Please give this a shot and let us know how things stand afterwards.

[ Many thanks to snap for independently confirming my suspicion of dllhost.exe; you got a cookie for that ]

Snapdragin Gobbling Cookies ->
__________________
"Whan alle tresors arn tried, Treuthe is the beste." Piers Plowman (William Langland)
#7
September 26th, 2003, 02:32 AM
Pieter_Arntz
Spyware Veteran
Join Date: Apr 2002
Location: Netherlands
Posts: 12,718
Re:almost like WIN32.BLASTER.WORM

Hi Heath,

After taking care of the urgent matter (the worm) have HijackThis fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://service.bfast.com/bfast/click?bfmid=253985&bfsiteid=30397089&bfpage=homelink3
Make sure to have all IE windows closed when you click Fix checked and reboot after doing so.

Info: http://www.pestpatrol.com/PestInfo/db/b/bfast_com.asp

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
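The two findings the moderators pulled out of Heath's log (Dan in #6: a DLLHOST.EXE running from System32\wins rather than System32 itself, the location Welchia used; Pieter in #7: the R1 Search Bar entry pointing at service.bfast.com) are the kind of thing a small log checker can flag automatically. The script below is an added example written for this thread; it is not part of the original posts and not HijackThis code. The sample log is a trimmed copy of the log from post #5, the `SYSTEM_BINARIES` list (core Windows binaries expected only directly under System32) and the `HIJACK_HOSTS` table are this example's own assumptions, and the process check generalises the thread's single dllhost.exe case to any listed system binary found outside System32.

```python
"""Scan a HijackThis-style log for the two indicators raised in this thread.

Added example for this thread; not part of the original posts and not
HijackThis code. SAMPLE_LOG is constructed from the log in post #5.
"""
import ntpath
import re

# Constructed sample: a trimmed copy of the post #5 log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
Scan saved at 4:53:21 PM, on 9/25/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wins\DLLHOST.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://service.bfast.com/bfast/click?bfmid=253985&bfsiteid=30397089&bfpage=homelink3
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.academicplanet.com/
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""

# Core Windows binaries that legitimately run only from the System32 folder
# itself. A copy anywhere else deserves a look: in this thread the Welchia
# component was a DLLHOST.EXE under System32\wins (Dan Perez, post #6).
# This list is an assumption of the example, not something HijackThis ships.
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}

# Hosts in IE R0/R1 entries that the thread identifies as a hijack
# (Pieter, post #7). Assumed table; extend it with your own bad-host list.
HIJACK_HOSTS = {"service.bfast.com": "bfast.com search-bar hijack"}

# Extracts the host of an http(s) URL. Forum posts defang "http" as "hxxp",
# so both spellings are accepted.
_URL_RE = re.compile(r"\bh[tx]{2}ps?://([^/\s]+)", re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into (running process paths, R/F/N/O entries)."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process section
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif re.match(r"^[RFNO]\d+ - ", line):
            entries.append(line)
    return processes, entries


def scan(text):
    """Return [(log line, verdict)] for every indicator hit in the log."""
    findings = []
    processes, entries = parse_log(text)
    for path in processes:
        folder, name = ntpath.split(path.lower())
        if name in SYSTEM_BINARIES and not folder.endswith("\\system32"):
            findings.append((path, f"{name} running outside System32 "
                                   "(possible worm component)"))
    for entry in entries:
        match = _URL_RE.search(entry)
        if match and match.group(1).lower() in HIJACK_HOSTS:
            findings.append((entry, HIJACK_HOSTS[match.group(1).lower()]))
    return findings


if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_LOG):
        print(f"{verdict}\n    {line}")
```

Run against the sample it reports exactly the two lines the moderators asked Heath to deal with; the clean second log in post #10 (dllhost.exe gone, R1 entry removed) produces no findings. The path check is deliberately on the folder rather than the file name alone, because dllhost.exe and svchost.exe are legitimate processes when they run from System32 itself.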
#8
September 26th, 2003, 05:52 PM
Heath
Regular Poster
Join Date: Aug 2003
Location: Paris, Texas
Posts: 60
Re:almost like WIN32.BLASTER.WORM

done that, thank you, don't know if any problems still persist

any other suggestions would be greatly appreciated
__________________
This Was A Message From Heath, Please Enjoy It...

Thank You
#9
September 27th, 2003, 10:54 AM
snapdragin
Administrator
Join Date: Feb 2002
Location: Southern Ont., Canada
Posts: 8,415
Re:almost like WIN32.BLASTER.WORM

Hi Heath,

If you could do another scan with HijackThis and post the log again, then Pieter and Dan can re-check it to make sure nothing has re-surfaced.

Also, ensure you have all Microsoft Critical Updates. You can go to the Microsoft Update Site through Internet Explorer using the menu bar at the top of the browser. Click on Tools, then choose Windows Update. Make sure you have ActiveX enabled as the Microsoft Update Site requires this. There you can do a scan and it will list all the Critical Updates needed for your computer.

Make sure you have downloaded and installed the Critical Update No. 823980, which will protect you from the Blaster Worm.

A firewall will also protect you from this. If you do not have a firewall, you can either enable XP's internal firewall, or look through the "Other Firewalls" forum here at Wilders to see the different views members have.

I would also suggest an on-line anti-virus scan....you can choose one from here:
http://www.wilders.org/free_services.htm

For spyware "protection", I would recommend Javacool's SpywareBlaster, which is free. His forum is here at Wilders too.

For spyware "removal" I would recommend either of these two excellent programs (or even both, as one may detect something the other doesn't)

Spybot Search & Destroy (which is also free) http://www.safer-networking.org/

Ad-Aware (there is a free version for Ad-Aware) http://www.lavasoftusa.com/

HTH,

snap
__________________
@-`-,--
#10
September 27th, 2003, 04:04 PM
Heath
Regular Poster
Join Date: Aug 2003
Location: Paris, Texas
Posts: 60
Re:almost like WIN32.BLASTER.WORM

Logfile of HijackThis v1.97.2
Scan saved at 1:00:35 PM, on 9/27/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Charles Nichols\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.academicplanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.academicplanet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AcademicPlanet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe"
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: WebMail (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.academicplanet.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.5636111111

That is the log, after I deleted those two things, and I browsed the internet for like 20 minutes, so if anything would have time to pop up, it would, so... anything different?
__________________
This Was A Message From Heath, Please Enjoy It...

Thank You
#11
September 27th, 2003, 04:22 PM
Pieter_Arntz
Spyware Veteran
Join Date: Apr 2002
Location: Netherlands
Posts: 12,718
Re:almost like WIN32.BLASTER.WORM

Hi Heath,

Looking good there.

Following snapdragin's tips will help in keeping it that way.

Regards and cookies,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
#12
October 1st, 2003, 12:24 AM
nadekimtech
Posts: n/a
Re:almost like WIN32.BLASTER.WORM

Heath, this is Mike. Hey, just ask me anytime; it won't take you so long then the next time!
Later,
Mike