almost like WIN32.BLASTER.WORM

Discussion in 'malware problems & news' started by Heath, Sep 24, 2003.

Thread Status:
Not open for further replies.
  1. Heath

    Heath Registered Member

    Joined:
    Aug 14, 2003
    Posts:
    60
    Location:
    Paris, Texas
    ok, i have a computer that has the same symptoms as WIN32.BLASTER.WORM but i ran the scan from sympathec and it says nothing is working, i turned off the system restore thing, liike i have read from somewhere, but it still dosnt work, so what can be done about this?

    thanx
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Heath,

    If you could give us more information it would better help us to help you.

    What program (anti-virus) alerted you to the possibility you have this worm? If it wasn't an anti-virus that flagged an infection, then what particular symptoms are you experiencing that has given you the idea you have been infected with the Blaster Worm?

    What scan did you run? If you are meaning the Blaster Worm Removal Utility that Symantec offers, then you will have to download the Microsoft Patch first before the utility will work.

    From the Symantec site:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Important Notes:

    W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before continuing with the removal instructions. If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.


    snap

    (fixed my typos)
     
  3. Heath

    Heath Registered Member

    Joined:
    Aug 14, 2003
    Posts:
    60
    Location:
    Paris, Texas
    ok, the symptoms were first the computer goes really slow, then it just shuts down...

    i went to the Symantec site and downloaded thee first one, and ran it, i couldnt find anything about the patch..

    so, if you konw like the regstry files that i could remove or some other process, that would be greatly appriciated
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Heath,

    Can you please download and run HijackThis from

    http://www.tomcoyote.org/hjt/hijackthis.zip

    and scan the system but do *not* try to fix anything yet as many of the items listed are necessary, instead press the "save log" button and copy and paste the log here for someone to review and advise on.

    Thanks
     
  5. Heath

    Heath Registered Member

    Joined:
    Aug 14, 2003
    Posts:
    60
    Location:
    Paris, Texas
    here you go...

    Logfile of HijackThis v1.97.2
    Scan saved at 4:53:21 PM, on 9/25/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\wins\DLLHOST.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Documents and Settings\Charles Nichols\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://service.bfast.com/bfast/click?bfmid=253985&bfsiteid=30397089&bfpage=homelink3
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.academicplanet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.academicplanet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AcademicPlanet
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe"
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: WebMail (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.academicplanet.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.5636111111



    Disabled bfast link
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Heath,

    Your HijackThis log looks pretty clean except that the running process list shows that you have a probably Welchia Worm component running.

    http://www.trusecure.com/knowledge/hypeorhot/2003/welchia.shtml

    I do not know why your AV has not noticed it but you might want to look at downloading a dedicated Welchia removal tool. One from Symantec (with detailed usage instructions) can be obtained here

    http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

    Please give this a shot and let us know how things stand afterwards.

    [ Many thanks to snap for independently confirming my suspicion of dllhost.exe; you got a cookie for that :D ]

    Snapdragin Gobbling Cookies -> [​IMG]
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Heath,

    After taking care of the urgent matter (the worm) have HijackThis fix:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://service.bfast.com/bfast/click?bfmid=253985&bfsiteid=30397089&bfpage=homelink3
    Make sure to have all IE windows closed when you click Fix checked and reboot after doing so.

    Info: http://www.pestpatrol.com/PestInfo/db/b/bfast_com.asp

    Regards,

    Pieter
     
  8. Heath

    Heath Registered Member

    Joined:
    Aug 14, 2003
    Posts:
    60
    Location:
    Paris, Texas
    done that, thank you, dont know if any problems still persist


    any other suggestions would be greatly appriciated
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Heath,

    If you could do another scan with HijackThis and post the log again, then Pieter and Dan can re-check it to make sure nothing has re-surfaced.

    Also, ensure you have all Microsoft Critical Updates. You can go to the Microsoft Update Site through Internet Explorer using the menu bar at the top of the browser. Click on the Tools, then choose Windows Update. Make sure you have ActiveX enabled as Microsoft Update Site requires this. There you can do a scan and it will list all the Critical Updates needed for your computer.

    Make sure you have download and installed the Critical Update No. 823980, which will protect you from the Blaster Worm.

    A firewall will also protect you from this. If you do not have a firewall, you can either enabled XP's internal firewall, or look through the "Other Firewalls" forum here at wilders to see the different views members have.

    i would also suggest an on-line anti-virus scan....you can choose one from here:
    http://www.wilders.org/free_services.htm

    For spyware "protection", i would recommend Javacool's SpywareBlaster, which is free. His forum is here at wilders too. :)

    For spyware "removal" i would recommend either of these two excellent programs (or even both as one may detect something the other doesn't)

    Spybot Search & Destroy (which is also free) http://www.safer-networking.org/

    Ad-Aware (there is a free version for Ad-Aware) http://www.lavasoftusa.com/

    HTH,

    snap
     
  10. Heath

    Heath Registered Member

    Joined:
    Aug 14, 2003
    Posts:
    60
    Location:
    Paris, Texas
    Logfile of HijackThis v1.97.2
    Scan saved at 1:00:35 PM, on 9/27/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Documents and Settings\Charles Nichols\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.academicplanet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.academicplanet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AcademicPlanet
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe"
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: WebMail (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.academicplanet.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.5636111111









    That Is The Log, After i deleted thoes two things, and i browsed the internet for like 20 minutes, so if anything would have time to pop up, it would, so... anything different?
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Heath,

    Looking good there. :)

    Following snapdragin's tips will help in keeping it that way.

    Regards and cookies,

    Pieter
     
  12. nadekimtech

    nadekimtech Guest

    heath this is Mike hey just ask me anytime it wont take you so long then the next time!
    Later,
    Mike
     
Loading...
Thread Status:
Not open for further replies.