waffendennis 0 Posted August 12, 2003
Got the same here.... But I'm not infected but I never get infected with it.
Supah 0 Posted August 12, 2003
I'm behind a router so I don't really have to worry about hackers that much, but we still keep Norton up and running all the time in case I open an infected email or something like that.

Hacking through a router is no harder than without one for a serious hacker.

As for the most recent trojan, it spreads itself through email. It, once again, runs on preview in IE (which you can't really turn off; even if you close the window it still makes a preview. It just doesn't show it to you).

Programs to use aside from those denoir said: Spybot and Ad-aware. If that doesn't rid you of this little bugger then nothing will.

If all fails just format your HDD under MS-DOS if you don't have XP or in command prompt under XP.

THIS VIRUS DOES NOT CAUSE THE Remote Procedure Call Error, which a lot of ppl are getting under XP.

What it looks like

That would appear to be a faulty patch which was recently released. Update Windows to rid yourself of that; get the patch here.

Also, if you have a firewall and are getting hits on port 6667 while not using IRC this may be a trojan too. These things contain a mini IRC client and connect to certain large networks or private servers to get their orders for flooding or doing damage. As an IRCop we are constantly hunting these networks down. We manage to get about 20.000 plus a month.

If you don't use IRC (or don't even know what it is) block port 6667; that way you still have a trojan but in a lot of cases it will be utterly harmless as it won't be getting orders.
SpecOp9 0 Posted August 12, 2003
OHH MY GOD! That's EXACTLY the bloody message I've been getting! Thank you so much man, FINALLY I can get rid of this annoying thing
Mahooney 0 Posted August 12, 2003
There is a new virus running: http://securityresponse.symantec.com/avcente....ol.html
Click the above link to scan your system with a free tool
denoir 0 Posted August 12, 2003
> OHH MY GOD! That's EXACTLY the bloody message I've been getting! Thank you so much man, FINALLY I can get rid of this annoying thing

Ditto. I had my firewall down for a few days and then this started appearing. Furthermore I found a mIRC trojan lurking in my windows system32 directory posing as "svchost32.exe"

NAV did not find it and neither did PestPatrol nor TDS-3. So I had to do it the hard way: looking for suspicious files and registry entries. Turns out that it's a cunning little piece of software. It masks itself as a program one has already installed on the system. And when I deleted it, after reboot there would be another instance of it posing as a different program.

I think I've got rid of it now, but I'm keeping my firewall in a paranoid mode.

There's one thing that still worries me though. I ran a port scanner on my computer and I found a number of ports in use that I know nothing about. Does anybody know if there's a way to list which programs use which ports under XP?

My ports in use (my firewall has been stopping calls to most of them though):
21 <-- my ftp server
80 <-- my web server
135
139
445
777
1025
1051
5679
13165
43958
benu 1 Posted August 12, 2003
The RPC bug in Windows has been known for more than a week and the Blaster worm is just the most recent program exploiting it, but there have been others, earlier. As I am not infected I can't test for the various files/processes myself. So my question is: if your computer gets restarted by nt authority/system does this mean you have the blaster/lovsan worm? Or is it something else exploiting the RPC security hole?
Supah 0 Posted August 12, 2003
> 21 <-- my ftp server
> 80 <-- my web server
> 135 139 445 777 1025 1051 5679 13165 43958

More often than not a quick Google will turn up some results. Also blocking these ports and seeing what happens is a favorite of mine.

> Ditto. I had my firewall down for a few days and then this started appearing. Furthermore I found a mIRC trojan lurking in my windows system32 directory posing as "svchost32.exe"

That one has been popping up more recently. We (irc.efnet.nl opers) successfully infiltrated one drone network running this and took it down. There may be others around though.

> The RPC bug in Windows has been known for more than a week and the Blaster worm is just the most recent program exploiting it, but there have been others, earlier. As I am not infected I can't test for the various files/processes myself. So my question is: if your computer gets restarted by nt authority/system does this mean you have the blaster/lovsan worm? Or is it something else exploiting the RPC security hole?

No, the virus uses it but of course tries to stay hidden so it wouldn't be causing this. I think the ppl using this are just using some netrestart msg like thing. Run the patch, even if you are not getting the RPC error. Better safe than sorry in this case.
denoir 0 Posted August 12, 2003
> More often than not a quick Google will turn up some results. Also blocking these ports and seeing what happens is a favorite of mine.

I have them blocked. The problem is that from what I've seen it masks itself as an existing program. So when I'm thinking that I'm giving my web server permissions to access the net, I might be giving the trojan access.
Supah 0 Posted August 12, 2003
> I have them blocked. The problem is that from what I've seen it masks itself as an existing program. So when I'm thinking that I'm giving my web server permissions to access the net, I might be giving the trojan access.

Humzzz from what I know about this one it only masks the process name. If it changes ports to the ones the real program uses that's pretty darn cunning of it. I will try to find the link on how to completely remove it once I get home from work and PM it to you
denoir 0 Posted August 12, 2003
Gwargh. I think I located another one. The bastard installed itself as the Outlook Express executable (which I've removed a long time ago as I use the full version). In a moment where I forgot about it, I apparently gave it net access.

The only thing that I have to go on is creation dates, and that's getting a bit fuzzy as the trojan very successfully replicates itself. I think I have it contained though, since I've not seen new executables being created after I did my first cleanup. Now it is just a matter to get rid of all the residues.
Supah 0 Posted August 12, 2003
> Gwargh. I think I located another one. The bastard installed itself as Outlook Express (which I've removed a long time ago as I use the full version). In a moment where I forgot about it, I gave it net access.
> The only thing that I have to go on is creation dates, and that's getting a bit fuzzy as the trojan very successfully replicates itself.

Try to do a netstat -a in an MS-DOS command prompt. It should show all connections to and from your PC. If there is anything with suspicious ports running you should find out soon enough.
denoir 0 Posted August 12, 2003
Thanks that was exactly what I was looking for. I seem to have some NetBIOS ports open. Goddamnit I thought that I disabled those.

netstat -a -o gives a list of process IDs associated with the ports. I'll have to go through it all now..
Supah 0 Posted August 12, 2003
> Thanks that was exactly what I was looking for. I seem to have some NetBIOS ports open. Goddamnit I thought that I disabled those.
> netstat -a -o gives a list of process IDs associated with the ports. I'll have to go through it all now..

Hey my pleasure if we can help each other like this as a community ..... I'd suggest doing that netstat thing every now and then when you have no internet associated programs (like IE and stuff) running
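The netstat review discussed in the posts above, as an added example that is not part of any poster's message: it parses output in the `netstat -a -n -o` layout, groups listening ports nobody expects by owning PID, and lists established connections to port 6667. The sample output, the PIDs and the choice of ports 21 and 80 as the only expected listeners are constructed assumptions.

```python
# Constructed sample in the layout printed by `netstat -a -n -o`; not from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1340
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1412
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:777            0.0.0.0:0              LISTENING       2096
  TCP    192.168.0.5:1051       203.0.113.7:6667       ESTABLISHED     2096
  UDP    0.0.0.0:445            *:*                                    4
"""

EXPECTED_LISTENERS = {21, 80}  # assumption: only the FTP and web servers are intended
IRC_PORT = 6667


def port_of(addr):
    """Return the numeric port of 'host:port', or None for '*:*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    """Turn netstat rows into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            (proto, local, remote, pid), state = parts, ""
        else:
            continue  # banner, header or blank line
        rows.append({"proto": proto, "lport": port_of(local), "remote": remote,
                     "rport": port_of(remote), "state": state, "pid": int(pid)})
    return rows


def review(rows, expected=EXPECTED_LISTENERS):
    """Group unexpected listening ports by PID and list connections to IRC."""
    unexpected, irc = {}, []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] not in expected:
            unexpected.setdefault(r["pid"], []).append(r["lport"])
        if r["state"] == "ESTABLISHED" and r["rport"] == IRC_PORT:
            irc.append((r["pid"], r["remote"]))
    return unexpected, irc


if __name__ == "__main__":
    print(review(parse_netstat(SAMPLE)))
```

In the sample, PID 2096 both listens on an unexplained port and holds a connection to port 6667, which is the combination worth chasing first; the PID can then be matched to an image name with a process lister such as `tasklist` where it is available.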
lonesoldier 0 Posted August 12, 2003
I turned my PC on this morning and it kept rebooting every 60 seconds.

Found out I had a virus called "msblast". It's going around, and shitloads of people all over the world have it.

If you have a firewall it will not restart your PC, but if you do not have a firewall then it will reboot your PC every 60 seconds.

I advise that EVERYONE does a search in the WINDOWS folder for "msblast".
Supah 0 Posted August 12, 2003
> I turned my PC on this morning and it kept rebooting every 60 seconds.
> Found out I had a virus called "msblast". It's going around, and shitloads of people all over the world have it.
> If you have a firewall it will not restart your PC, but if you do not have a firewall then it will reboot your PC every 60 seconds.
> I advise that EVERYONE does a search in the WINDOWS folder for "msblast".

Pbb exploiting the Windows vulnerability I posted the patch to on the previous page. Once again, install the patch. Keeping your firewall up works but it's better to cure the disease than fix the symptoms
denoir 0 Posted August 12, 2003
> Found out I had a virus called "msblast". It's going around, and shitloads of people all over the world have it.

Yepp, that's the one. However, that's just a phase of it, it changes names and locations. These are some files that I've found:
space.exe
speedtest.exe
speedtest.zip
svchost16.exe
svchost32.exe
sysdrivers.dll
serv-u.exe
etc..

But perhaps the easiest approach is to wait a couple of days for Norton to make a remover
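A check for the kind of look-alike names listed in the post above ("svchost16.exe", "svchost32.exe"), as an added example that is not part of any poster's message. The short allowlist of genuine Windows image names with their home directories and the sample paths are constructed assumptions, and a name it reports as "unknown" is simply not a look-alike of anything on the allowlist.

```python
import ntpath

# Assumption: a small allowlist of genuine image names and the directory each lives in.
HOME = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Levenshtein distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Label one file path: ok, wrong directory, look-alike, or unknown."""
    directory, name = ntpath.split(path.lower())
    if name in HOME:
        return "ok" if directory == HOME[name] else "known name, wrong directory"
    stem, ext = ntpath.splitext(name)
    for good in sorted(HOME):
        good_stem, good_ext = ntpath.splitext(good)
        if ext != good_ext:
            continue
        if stem.rstrip("0123456789") == good_stem:
            return f"look-alike of {good} (digits appended)"
        if edit_distance(stem, good_stem) == 1:
            return f"look-alike of {good} (one character off)"
    return "unknown"


def flag(paths):
    """Return only the paths that imitate an allowlisted name."""
    return {p: c for p in paths if (c := classify(p)) not in ("ok", "unknown")}


if __name__ == "__main__":
    # Constructed paths using names from the post plus two variations.
    for p in [r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\svchost32.exe",
              r"C:\WINDOWS\svchost.exe", r"C:\WINDOWS\system32\space.exe"]:
        print(p, "->", classify(p))
```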
Tamme 0 Posted August 12, 2003
I've got viruses at least once a week. Trojans and Worms. Norton can't do much to them so I have to remove them manually. Also it seems to be the time to format my computer soon. Errors all the time and such.
SpecOp9 0 Posted August 12, 2003
Well I got the BLAST virus out of my system thank god also. Gone ;)
Supah 0 Posted August 12, 2003
Is that tool freeware? If so, got a link?
*Edit :DOH found it myself at Symantec's site here
the editing man 0 Posted August 12, 2003
I have searched the Windows folder and found nothing thank god. But what do you expect with an up-to-date firewall. Just downloaded a newer update of Norton AntiVirus, did a major scan on my hard disk and nothing found. Searched manually, found nothing.

It's a virus that will activate someday on all computers and millions of people will update their computer at Microsoft at the same time. You guess what will happen. Well the server from Microsoft can't handle so many visitors and it will crash.

I recommend start your firewall immediately and protect your computer
SpecOp9 0 Posted August 12, 2003
> Is that tool freeware? If so, got a link?

Yes it is, I have uploaded it on Sci Fi server for download. BLAST FIXER

Simply run the program and it will scan and delete the virus no problem.

> Well the server from Microsoft can't handle so many visitors and it will crash

Very true, I have already noticed a significant slowdown in the past half hour or so.
tankieboy 0 Posted August 12, 2003
This is the bugger I get. Can someone explain to me what it is and how do I get rid of it in layman's terms please.
Supah 0 Posted August 12, 2003
> This is the bugger I get. Can someone explain to me what it is and how do I get rid of it in layman's terms please.

Read the previous pages, I posted a link to a patch that fixes this.

Breaking news: Apparently the Blaster virus is a trojan that DDoSes (floods) the MS update page, making it harder to get the patch for the very bug it exploits.

This is beginning to look pretty shitty. Oh well at least it won't be a boring day at work
tankieboy 0 Posted August 12, 2003
So I need to get Zone Alarm firewall (freeware?) and the patch then. Anything else?
VXR 9 Posted August 12, 2003
Run this program to get rid of the virus: BitDefender

I also had the virus. Also, after the security update from Microsoft I still had the virus in my computer, but this program solved the problem.

I had a hint from someone: when you have a firewall, block 135