Have Virus - Need Help

Guest

I'm running Windows XP SP2 and every time I log on I receive NT SYSTEM
AUTHORITY message and the machine reboots in one minute. In researching how
to fix it (still haven't been able to) I now know how to stop the shutdown or
fool it by changing the clock and have the timer run longer, but no tools
(whether from Microsoft or Kelley's Korner or wherever I got the tool
installed in AV-CLS or anywhere else I've found anything) detect a virus. I
did find a registry entry where
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows
auto update" = "msblast.exe". I removed that registry entry and one for
mslaugh.exe. I could not find files named msblast or mslaugh anywhere on the
PC. Anybody have any ideas?
 
Elendil

To remove any and all viruses use David Lipman's Multi_AV tool:

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in
Normal Mode. This way all the components can be downloaded from each AV
vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot
the PC.

You can choose to go to each menu item and just download the needed files or
you can download the files and perform a scan in Normal Mode. Once you have
downloaded the files needed for each scanner you want to use, you should
reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again
and choose which scanner you want to run in Safe Mode. It is suggested to run
the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://harrisonrj.home.comcast.net/step_by_step_pc_cleaning_process.htm#Step_3_%96_Getting_Help

I recommend you use the McAfee and Kaspersky modules.

To remove all other non-viral malware go to the Fast Malware Removal Section
on my website: www.stopmalware.tk and omit all steps that involve anti-virus
programs (David's tool should have caught all of those viruses). After these
steps have been performed your computer should be at least 99.9% clean of
all malware.

BTW (By The Way), what anti-virus program are you using?
 
Malke

Elendil said:
To remove any and all viruses use David Lipman's Multi_AV tool:

Please change the wording of this advice. As David would tell you, his
Multi_AV utility, while excellent, is a *first-run* antivirus tool. It
will not remove "any and all viruses" nor should it be viewed as a
substitute for a full-featured antivirus.

As you correctly point out, the OP has not told us what antivirus he has
installed. He should run Multi_AV or Sysclean and then proceed with
other non-viral scanning and updating his computer. Installing a
full-featured current version (not earlier than 2005) antivirus after
using the first-line av tool is imperative.

http://www.elephantboycomputers.com/page2.html#TrendMicros_Sysclean
http://www.ik-cs.com/multi-av.htm - how to use Dave Lipman's Multi-AV
http://www.ik-cs.com/programs/virtools/Multi_AV.exe - Multi-AV download
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Malke
 
David H. Lipman

From: "Michael Fischer" <[email protected]>

| I'm running Windows XP SP2 and every time I log on I receive NT SYSTEM
| AUTHORITY message and the machine reboots in one minute. In researching how
| to fix it (still haven't been able to) I now know how to stop the shutdown or
| fool it by changing the clock and have the timer run longer, but no tools
| (whether from Microsoft or Kelley's Korner or wherever I got the tool
| installed in AV-CLS or anywhere else I've found anything) detect a virus. I
| did find a registry entry where
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows
| auto update" = "msblast.exe". I removed that registry entry and one for
| mslaugh.exe. I could not find files named msblast or mslaugh anywhere on the
| PC. Anybody have any ideas?

They are certainly indications of the Lovsan/Blaster worm that uses TCP port 135 to infect
a PC through a vulnerability in RPC/RPCSS DCOM.

However if you are running WinXP SP2 you shouldn't be getting this via a TCP port 135
exploitation attempt.

The following is the pertinent patch -- KB828741
http://www.microsoft.com/downloads/...BB-DA77-448D-8FF0-0A649A0D8FC3&displaylang=en

If you get a NT SYSTEM AUTHORITY shutdown message and you are connected to the internet,
disconnect from the Internet. If you get the message and you are NOT connected to the
Internet then it is NOT a TCP port 135 exploitation attempt but something has gone awry
with the RPC/DCOM sub-system.
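The three things David's reply turns on (a Run-key value that launches msblast.exe or mslaugh.exe, TCP port 135 reachable from the network, and whether KB828741 is present) can all be checked offline from text captured with XP's stock tools: `reg export` of the Run key, `netstat -an`, and `wmic qfe get HotFixID`. The script below is an added example written for this page, not a tool from the thread, from David Lipman or from any vendor named here. Its sample inputs are constructed to look like that output (the McAfee Run entry, the listener list and the hotfix list are made up for the demonstration), and the only file names it treats as indicators are the two named in this thread.

```python
"""Offline triage for the Lovsan/Blaster indicators discussed in this thread.

Added example, not part of the original posts. Input is text captured on the
XP box with:
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
    netstat -an > netstat.txt
    wmic qfe get HotFixID > qfe.txt
The SAMPLE_* strings below are constructed to look like that output.
"""
import re

# Only the two autorun file names named in the thread are treated as indicators.
BLASTER_BINARIES = ("msblast.exe", "mslaugh.exe")

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a `reg export` (real files are UTF-16; decode first).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"windows auto update"="msblast.exe"
"Windows Update"="mslaugh.exe"
'''

# Constructed sample of `netstat -an` on XP.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:4444           *:*
"""

# Constructed sample of `wmic qfe get HotFixID`.
SAMPLE_QFE = """HotFixID
KB828741
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"\s*$')
_INDICATOR_RE = re.compile(
    r'(?:^|[\\/"\s])(' + "|".join(re.escape(b) for b in BLASTER_BINARIES) + r')(?=$|["\s])',
    re.IGNORECASE,
)


def parse_reg_values(reg_text, key):
    """Return {value_name: data} for the string values under one key of a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            # .reg escapes backslashes and quotes as \\ and \" ; undo that.
            values[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return values


def find_blaster_autoruns(reg_text):
    """(value name, matched binary) for Run entries naming a Blaster binary.

    Matches on the file name token, so a bare 'msblast.exe', a full path and a
    quoted path with arguments are all caught, case-insensitively.
    """
    hits = []
    for name, cmd in parse_reg_values(reg_text, RUN_KEY).items():
        m = _INDICATOR_RE.search(cmd)
        if m:
            hits.append((name, m.group(1).lower()))
    return hits


def exposed_tcp_listeners(netstat_text, ports=(135,)):
    """Ports from `ports` with a TCP listener bound to a non-loopback address.

    Blaster reaches RPC/DCOM over TCP 135; a listener on 0.0.0.0 is reachable
    from every interface, so only a host firewall or a router in front blocks it.
    """
    exposed = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        addr, _, port = parts[1].rpartition(":")
        if int(port) in ports and not addr.startswith("127."):
            exposed.add(int(port))
    return sorted(exposed)


def hotfix_installed(qfe_text, kb="KB828741"):
    """True if the `wmic qfe get HotFixID` listing contains the given KB."""
    return any(line.strip().upper() == kb.upper() for line in qfe_text.splitlines())


def triage(reg_text, netstat_text, qfe_text):
    """Summarise the three checks from this thread as one dict."""
    return {
        "blaster_autoruns": find_blaster_autoruns(reg_text),
        "tcp135_exposed": 135 in exposed_tcp_listeners(netstat_text),
        "kb828741_installed": hotfix_installed(qfe_text),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_QFE).items():
        print(f"{check}: {result}")
```

A real `reg export` file is UTF-16 with a byte-order mark, so open it with `encoding="utf-16"` before passing the text in. TCP 135 listening on 0.0.0.0 is normal on XP; the point of that check is that without the SP2 firewall or a router in front, that listener is what the worm talks to, which is exactly why David's disconnect test separates an exploitation attempt from a broken RPC/DCOM subsystem.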
 
Elendil

Whoops, I didn't realize I was implying that the Multi_AV was a substitute
for full-time anti-virus protection.
 
Guest

I do get the NT SYSTEM AUTHORITY message when disconnected from the Internet.
I do not get the message when starting in safe mode. The whole issue started
after installing VPN software from my employer which disabled my Kaspersky
anti-virus and installed McAfee. McAfee is installed and up to date. When I
run it, it does not find any virus, nor does the Microsoft Malicious Software
Removal tool. I'm really at a loss.
 
David H. Lipman

From: "Michael Fischer" <[email protected]>

| I do get the NT SYSTEM AUTHORITY message when disconnected from the Internet.
| I do not get the message when starting in safe mode. The whole issue started
| after installing VPN software from my employer which disabled my Kaspersky
| anti-virus and installed McAfee. McAfee is installed and up to date. When I
| run it, it does not find any virus, nor does the Microsoft Malicious Software
| Removal tool. I'm really at a loss.
|

It is NOT a virus issue (although you had Registry settings indicative of the Lovsan/Blaster
at one time) as indicated by the shutdown message being seen when NOT connected to the
Internet. This means it is not an attempt at a TCP port 135 exploitation but a problem with
the RPC/DCOM sub-system.

Remove the VPN software as it looks like it is the cause. Contact the MIS/IT support
personnel of your company and tell them the VPN is causing the problems thus described.
They will be *best* to support you with the VPN issue.
 
Guest

Malke, you (and everyone else interested) can have a look at NOD32 for DOS. I
have tried it recently and it works great and found all malware I loaded on
the test machine. It uses NOD32's definitions and its heuristics but
unfortunately the special advanced heuristics will not be supported in future.

:)
Panda_man
 
Guest

The recommendation from the IT folks was to do a Windows restore or a Windows
re-install. I'm a little naive here, so would a restore (which I don't even
know how to do, so I have to track that down) work in a case like this?
Everything I've read for viruses says no, but in this case, it sounds like it
may not actually be a virus.

And here's a total exposure of my naivete. If I do need to go the route of
re-installing Windows, do I need to worry about existing hardware and
software being reconfigured?
 
David H. Lipman

From: "Michael Fischer" <[email protected]>

| The recommendation from the IT folks was to do a Windows restore or a Windows
| re-install. I'm a little naive here, so would a restore (which I don't even
| know how to do, so I have to track that down) work in a case like this?
| Everything I've read for viruses says no, but in this case, it sounds like it
| may not actually be a virus.
|
| And here's a total exposure of my naivete. If I do need to go the route of
| re-installing Windows, do I need to worry about existing hardware and
| software being reconfigured?


It is NOT a virus based upon our discussions and a System Restore may do the trick -- or it
may not.

In your Accessories is the System Restore program, with which you can restore the system back to
the state of a time prior to installing the VPN.
 
helpi

Michael said:
The recommendation from the IT folks was to do a Windows restore or a Windows
re-install. I'm a little naive here, so would a restore (which I don't even
know how to do, so I have to track that down) work in a case like this?
Everything I've read for viruses says no, but in this case, it sounds like it
may not actually be a virus.

And here's a total exposure of my naivete. If I do need to go the route of
re-installing Windows, do I need to worry about existing hardware and
software being reconfigured?

David said:

From: "Michael Fischer" (e-mail address removed)

| I do get the NT SYSTEM AUTHORITY message when disconnected from the Internet.
| I do not get the message when starting in safe mode. The whole issue started
| after installing VPN software from my employer which disabled my Kaspersky
| anti-virus and installed McAfee. McAfee is installed and up to date. When I
| run it, it does not find any virus, nor does the Microsoft Malicious Software
| Removal tool. I'm really at a loss.
|

It is NOT a virus issue (although you had Registry settings indicative of the
Lovsan/Blaster at one time) as indicated by the shutdown message being seen when
NOT connected to the Internet. This means it is not an attempt at a TCP port 135
exploitation but a problem with the RPC/DCOM sub-system.

Remove the VPN software as it looks like it is the cause. Contact the MIS/IT
support personnel of your company and tell them the VPN is causing the problems
thus described. They will be *best* to support you with the VPN issue.

Hi, I need to know: what is msblaster?
How do I fix it?
And how do I prevent it?

It is really confusing trying to search for it on the net!!!
 
David H. Lipman

From: "helpi" <[email protected]>


| hi i need to know what msblaster is?
| how to fix it ?
| and how to prevent it ?
|
| it is really confusing trying to search for it on the net!!!-- helpi

Install WinXP SP2.

Use a FireWall and if you are on Broadband Internet, use a Cable/DSL Router such as the
Linksys BEFSR41.

Make sure that at the very least KB828741 is installed.
http://www.microsoft.com/downloads/...BB-DA77-448D-8FF0-0A649A0D8FC3&displaylang=en

Finally... Here is how to remove it.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Malke

David said:
From: "helpi" <[email protected]>

| hi i need to know what msblaster is?
| how to fix it ?
| and how to prevent it ?
|
| it is really confusing trying to search for it on the net!!!-- helpi

Install WinXP SP2.

Use a FireWall and if you are on Broadband Internet, use a Cable/DSL
Router such as the Linksys BEFSR41.

Make sure that at the very least KB828741 is installed.
http://www.microsoft.com/downloads/...BB-DA77-448D-8FF0-0A649A0D8FC3&displaylang=en

Finally... Here is how to remove it.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

With all due respect, the OP should not try to install SP2 on an
infected or questionable machine. Based on the OP's posts, he should
just take the machine to a professional computer repair shop.

Malke
 
David H. Lipman

From: "Malke" <[email protected]>


| With all due respect, the OP should not try to install SP2 on an
| infected or questionable machine. Based on the OP's posts, he should
| just take the machine to a professional computer repair shop.
|
| Malke

You are right, I should have stated: once the computer is deemed to be free of malware,
install SP2.

Thanx !
 
