
Msblast or Not Msblast??

Discussion in 'Security and Privacy' started by Pondlife, 2004/04/14.

Thread Status:
Not open for further replies.
  1. 2004/04/14
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Ok have a friend who has a Dell PIII 600, 128MB Ram running xp home after an upgrade from Win98. Using a US Robotics 56k external modem and BT dial up.

    As soon as he upgraded (so he says) he caught the Msblast worm.

    This then destroyed his modem (his words not mine) and was forced by a nice sales man at PCWorld to purchase another modem for £40. He also purchased McAfees anti virus.

    He installed the new modem, it worked for 1 evening then won't dial.

    I visited him this evening, removed the new modem, reinstalled his old one (it works fine now), ran Stinger and Blastgui to look for any traces of Blast or variants, found nothing. McAfee claimed to find w32/Lovsan.worm.a and deleted it. On reboot, McAfee found the same file and deleted it.

    Visited a website he was given by the salesman on how to remove the worm. Downloaded the MS patch, turned off system restore, installed the patch, rebooted, ran Symantec's Blaster removal tool, found nothing, rebooted, ran the Symantec tool again, still nothing. McAfee's not reported anything either.

    Checked MSCONFIG nothing unusual in the startup.ini.

    Now it gets odd.....

    Go online.....after approx 5 mins up pops the infamous NT AUTHORITY SHUT DOWN message associated with the MsBlast worm and counts down from 30 to 0 and reboots the pc.:(

    I could stop the shutdown with the run command shutdown -a but I then couldn't disconnect from the internet. I could open up the dial up properties but when selecting disconnect nothing happened? Only way was either turn off the modem or reboot pc.


    The only thing I didn't do was look in the registry, but I was quite fed up after 2 hours and the machine was so slow it was getting frustrating (not to mention he's on dial up and I'm used to DSL).

    Any ideas what I've missed or am missing apart from the possible registry entry? Thing is the Stinger or MSBlastgui should have fixed anything there. Also McAfee's (which was updated Saturday) is not reporting anything either now, but there is something there alright.

    Any help/advice much appreciated. Oh and formatting and reinstallation is not an option (well not yet any way ;) )
     
  2. 2004/04/14
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You need to enable the firewall before getting on the internet, and immediately go to Windows Update and get all the critical updates.
    As you found out, it only takes less than 10 seconds to get infected with MSblast without a firewall and an updated XP.
    Without the updates, MSblast bypasses AV programs.
    Here are three pages that tell you how to enable the firewall.
    http://www.d-a-l.com/viewtopic.php?t=371
    http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp
    http://www.techtv.com/callforhelp/howto/story/0,24330,3382166,00.html
    Try the Norton removal tool, it does the registry entries.
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
    NOTE: When the critical updates are done, get a better firewall than what XP has. It only blocks unsolicited incoming connections, does nothing about controlling outgoing connections.
     

  4. 2004/04/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    See this thread to identify and work-around until repaired. If still having problems, download HijackThis from the CWShredder link in my signature (it will fit on a floppy), place it in a permanent folder, open and scan. Then save the log. Once saved, it will open in notepad. Click edit, select all, copy and paste it here. Don't fix anything with it yet! Someone experienced with the logs will tell you what/how to fix.
     
  5. 2004/04/15
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    I can see that the setup will need all the latest MS patches as it was a brand new update. However does a dial up really benefit from a firewall? I've always been under the impression that a dial up didn't benefit from one??

    Also I have tried that Norton's tool and it said it found nothing. :( However I didn't do the stuff with the RPC so will revisit that and the 'manual removal' and see if that makes a difference.

    I'll also go for the HijackThis route. I already have a copy so will try and get the machine to my house (a bit less pressure from my friend then as he won't be breathing down my neck asking... "what's that?"). Then post the results. I'll also run Spybot and Ad-Aware (I have these too) as he was being redirected to Russian **** sites when entering www.rathergood.com (which wasn't **** when I tried it on my pc :confused: )

    Thanks so far, fingers crossed :)
     
  6. 2004/04/15
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Ok here is the Hijackthis log from this machine...

    Logfile of HijackThis v1.97.7
    Scan saved at 12:44:07, on 15/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\MSOffice\Office\Msoffice.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sureseeker.com/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/togetherinternet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sureseeker.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/togetherinternet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Together with 24/7 Internet
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O1 - Hosts: 198.65.160.24 auto.search.msn.com
    O2 - BHO: (no name) - {F8A53FBE-5846-11D2-A022-006097D2400E} - C:\PROGRAM FILES\MINDMAKER\COMMON FILES\WINDOWS\IELINK.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
    O9 - Extra button: Researcher (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O13 - DefaultPrefix: http://prolivation.com/cgi-bin/r.cgi?
    O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?
    O16 - DPF: Win32 Classes -
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38091.467650463
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    What needs fixing please?

    Oh and checked the registry and no trace of blast in there either.
     
  7. 2004/04/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan again, place a check next to these and fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sureseeker.com/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/togetherinternet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sureseeker.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/togetherinternet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Together with 24/7 Internet
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O13 - DefaultPrefix: http://prolivation.com/cgi-bin/r.cgi?
    O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?
    O16 - DPF: Win32 Classes -


    These are optional but not needed at startup.

    O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE

    I would also recommend fixing this;
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background...then locate msmsgs.exe on the processes tab of task manager, end task on it and paste this command in the run box to uninstall Windows Messenger.......RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove

    Reboot when done.

    If you have questions, feel free to ask. :)
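An added example, not from this thread and not part of HijackThis: a small Python script that parses HijackThis log lines into their section codes and flags the kinds of entries picked out above (R0/R1 browser settings pointing at a host outside an allowlist, O1 hosts-file overrides, O13 URL-prefix hijacks, and O16 ActiveX entries with no source). The allowlist of trusted domains and the sample log lines are constructed for the example (the lines are modelled on the log posted above), so the script's output is a triage aid, not a substitute for someone reading the log.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not part of HijackThis. It classifies each
line by its section code (R0, R1, O1, O13, O16, ...) and flags the entry
types that usually indicate a browser hijack. Lines it does not recognise
are ignored rather than reported, so it never replaces a manual review.
"""
import re
from dataclasses import dataclass

# "R1 - HKCU\...\Main,Search Page = http://..." -> section "R1", body after " - "
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Domains the machine's owner legitimately uses (assumption for this example;
# the ISP portal and vendor update sites from the posted log).
TRUSTED_DOMAINS = {"btopenworld.com", "microsoft.com", "msn.com"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def domain_of(text):
    """Return the host of the first http(s) URL in text, or None."""
    m = re.search(r"https?://([^/\s]+)", text)
    return m.group(1).lower() if m else None


def is_trusted(host):
    """True if host or any parent domain is on the allowlist."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in TRUSTED_DOMAINS for i in range(len(parts)))


def check_line(line):
    """Return a Finding for a suspicious log line, else None."""
    line = line.strip()
    m = HJT_LINE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1"):
        # Start/search page settings: flag anything pointing off the allowlist.
        host = domain_of(body)
        if host and not is_trusted(host):
            return Finding(section, f"browser setting points at untrusted host {host}", line)
    elif section == "O1":
        # A hosts-file entry pins a name to an address the resolver never chose.
        return Finding(section, "hosts-file override of a DNS name", line)
    elif section == "O13":
        # URL prefix: every bare hostname typed into IE is routed through this URL.
        return Finding(section, "IE URL prefix routed through a third-party URL", line)
    elif section == "O16" and body.endswith("-"):
        # Downloaded ActiveX class with no source URL left behind.
        return Finding(section, "ActiveX download entry with no source URL", line)
    return None


def scan(log_text):
    """Return the list of Findings for a whole log, in file order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


# Constructed sample, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sureseeker.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 198.65.160.24 auto.search.msn.com
O13 - DefaultPrefix: http://prolivation.com/cgi-bin/r.cgi?
O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?
O16 - DPF: Win32 Classes -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as-is to see the constructed sample triaged; to use it on a real log, pass the saved notepad text to scan(). The allowlist is the one judgement call in the script: an ISP start page is only "trusted" because you put its domain there, which is why the R0/R1 lines pointing at btopenworld.com are not flagged while the sureseeker.com ones are.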
     
  8. 2004/04/15
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Brilliant, I'll go remove that lot then :)

    About the 'extra bit' and Windows messenger. Do you mean MSN messenger? As my friends son uses messenger all the time and 'needs' it ;)
     
  9. 2004/04/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No, I meant Windows Messenger. There are three messengers.
    Messenger Service - which should be set to disabled in services.....type services.msc in the run box, locate, right click and stop, then right click and properties to disable.
    Windows Messenger - default instant messaging program with XP.....used more in network environment and exploited by spammers.....tends to run in background without your knowledge....should be removed (my opinion as well as many others)
    MSN Messenger - alternative instant messaging program that is similar to Windows Messenger but more controllable....totally independent from the other messengers previously mentioned.
     
  10. 2004/04/15
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Ah, thanks for clearing that up. I wasn't aware of that one. I have already disabled the Messenger service, so I'll do as you suggested for the Windows messenger.

    Won't be able to test anything until I get the computer home tonight, so fingers crossed :)

    Will post back later today. Thanks once again.
     
  11. 2004/04/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're welcome. :)
     
  12. 2004/04/15
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Ok have carried out all you suggested/recommended.

    1 thing I noticed when I ran that line to remove Windows Messenger was an error box "Error unregistering the OCX16422", then a deleting files box appeared and deleted some files??

    I got the pc home to my house, got it connected to the internet through my adsl connection (haven't got my router yet, arriving tomorrow) and got the pc online to the MS website and have downloaded all the critical, security and xp patches that are relevant for this pc.

    Can I assume that as its been online for over 30 minutes each time that the blast issue that was on this pc has now gone?

    1 other thing I went with your suggestion about the msoffice lines in the hijackthis log and removed the top 2 but left the tool bar one...and now on starting up once it gets to desktop the tool bar appears but there is a button in the taskbar saying tool bar and I have to double click it to get rid of it??

    Have also increased its memory too :)

    Decided to run an online virus checker I always use (trend micro house call -->http://housecall.trendmicro.com/) just to see...and it found the NACHI worm and killed it! And this was after I'd downloaded all the patches. Will double check I have the nachi fix one installed.
     
    Last edited: 2004/04/15
  13. 2004/04/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That is a normal message to get when uninstalling WM. I would say that 30 min. online is plenty of time for the blaster worm to shut down RPC, but it wasn't present in the log either. Curious why you left the toolbar shortcut but not the others. If you open HJT and click config then the backup tab, you can put the other Office entries back to see if it changes anything on reboot. I would also run at least one more online scan, preferably a different one. eTrust in my signature. RAV. Do you remember what location the nachi was in?
     
  14. 2004/04/15
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Silly me didnt make a backup before removing the office items so have removed that one too :)

    Am running that scanner now.

    Didn't see where the nachi was found, sorry.

    Odd thing too though, MSN Messenger had been removed (it would start up same time windows started) so repaired it from its listing under programmes. Seems to have lost all its settings tho :( Hope my friends son can remember them

    :eek:
     
  15. 2004/04/15
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Ran that suggested online checker you recommended, it found nothing. Ran the RAV one, it found 2 trojans.

    Also updated the installed McAfee's and it also found 2 trojans and removed them.

    Ran McAfee's again and it all seems (for now at least) ok :)

    Thanks once again for your help it was really much appreciated :)
     
  16. 2004/04/15
    shadowhawk

    shadowhawk Inactive

    Joined:
    2002/01/07
    Messages:
    985
    Likes Received:
    0
    I downloaded the Blaster patch before I installed XP and made sure that was the first thing I installed when I put XP on this machine. Then I put my antivirus and firewall on and downloaded all the other **** I'd need.
     
  17. 2004/04/16
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Any internet connection will benefit from a good firewall.
    There are two free ones in my signature. These will control outgoing. With a firewall, you would have known if those trojans were running and trying to connect out. They would have been denied until you allowed access.
     