Virus/Trojan question

Clayton Sutton

I am working on a friend's PC (Windows 2k Pro. w/sp 1) and I believe he has
a virus or trojan. Can anyone help me identify the culprit? Here are the
symptoms:



1. I can not see ANY files or folders in C:\Winnt or below (although the
task bar says that there are 142 objects in C:\Winnt).



2. I get the following error msg.: "Svchost.exe has generated errors and
will be closed by Windows. You will need to restart the program".



3. The Remote Procedure Call (RPC) service then stops.



4. Norton Antivirus is installed, up to date and running.



Anyone know of a virus or trojan that has these characteristics? I
remember once someone was able to drop a single file into my ftproot folder
and I was no longer able to see any of my files remotely. However, once I
removed that one file everything was okay again.



Thanks for any and all help.





Clayton
 
Clayton Sutton

Hey Dave,

Thanks for the feedback. I think that is the virus that he has. I
remember seeing the same reg. key that is in the url. I downloaded the fix
but will not get to try it until tomorrow night (Tue. California time). I
will repost here just to let you know, however, I am sure that this is it.
Thanks again for your help.


Clayton
 
Clayton Sutton

Hey Fred,

First go to this link and download the Windows patch and run it.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Then go to http://vil.nai.com/vil/stinger/ and download the fix called
"Stinger" and run it on each system AFTER you apply the Windows patch. That
will take care of it.

Once you apply the Windows patch, the system can't be infected by that
virus again. It's only a matter of cleaning the infected system.

Hope that helps.


Clayton
 
Clayton Sutton

Thanks Dave, that worked!!


Clayton



Clayton Sutton said:
Hey Dave,

Thanks for the feedback. I think that is the virus that he has. I
remember seeing the same reg. key that is in the url. I downloaded the fix
but will not get to try it until tomorrow night (Tue. California time). I
will repost here just to let you know, however, I am sure that this is it.
Thanks again for your help.


Clayton
 
FromTheRafters

Clayton Sutton said:
Once you apply the Windows patch, the system can't be infected by that
virus again. It's only a matter of cleaning the infected system.

Right!

Sort of...

That worm can't use that exploit to run itself on your system
if that vulnerability is patched. There are other ways that that
worm (or any other malware) can access a system however.

The patch will stop the exploit, not the worm. You still would
need to have AV help with the other vectors (trojan.downloader,
and usenet or e-mail distribution methods)
 
