Virus
Caiman
Join Date: 2003-06-01 Member: 16900
mcblast.exe
I have no idea where else to post this; as I cannot post in other forums, the virus prevents me from registering.
My computer was infected with the worm, and so I downloaded the patch, and updated my virus killer (McAfee)
When the virus was found, the virus scanner could not "clean" it, or delete it, because the file was moved or renamed. Because of a previous post, I have a screenshot of the processes on my Task manager.
You will notice that I now have three svchost.exe, instead of two. I cannot end any of them, and the virus still wreaks havoc.
When I ran my virus scanner again (remember that it's fully updated), it did not detect any viruses, even though it is CLEARLY still there.
And furthermore, I cannot download anything. What I don't understand is why it originally let me download the patch.
Here are my system specs:
Intel Pentium III
128mb RAM
Windows 2000 Professional
DirectX 9.0b
ATI RAGE MOBILITY M1
Yamaha DS-XG
No idea why you would need them, but rules are rules.
This discussion has been closed.
Comments
Here is a link to the previous screenshot: http://www.unknownworlds.com/forums/index.php?act=ST&f=18&t=38586&st=0&hl=performance
Edit: I cannot use Microsoft photoeditor and paint is just too big. Also, I have no file compressor. Take my word for it, there are 3 svchost.exe and as an afterthought, 2 upd.exe.
Edit: I cannot open halflife, via the shortcut, or through the application itself. Just another symptom of this virus (types many swears but then deletes them).
Also - my dialup connection has different "property" settings than the ones that microsoft gave instructions to edit. I cannot disable so and so and change so and so - the settings simply do not exist. Instead of saying "TCP/IP" etc etc, it just says "IP," and I cannot click properties there, because there is no "properties" button to click!!
edit: Ok thanx monse, I knew it was a system process but people seem to be paranoid about it, so I just wanted to make sure
After I gave myself administrative rights "heh heh", I ran the program.
It generated errors and shut itself down.
Now I am running it again, see what happens
edit: same thing, error. I cannot download Day of Defeat, so the virus is still there.
monsieur - I am here and refreshing my screen constantly, so I will see your posts and reply minutes after you post them
There is a fixblast text thing on my desktop too, it says I need administrative rights, but that is old news and already taken care of.
QUOTE: edit: Ok thanx monse, I knew it was a system process but people seem to be paranoid about it, so I just wanted to make sure
there is a s<b>c</b>vhost process that is a trojan.
What do you mean by root of C drive? I checked C drive, there is no blaster.log
edit: just ran a search of the whole computer, there is definitely no "blaster.log"
here is what fixblast said: "You do not have Administrator rights to run the tool.
Please contact your Network Administrator for more information."
You're in luck though, I figured out how to fix this crash this very afternoon. Open a command ('DOS') prompt, and type:
chkdsk /R
then hit enter. It will ask you to hit Y/N to run this command at next startup. Hit 'Y' to schedule it, then restart your system. Your PC will come back up in check disk mode, and will run through your whole drive and look for errors and fix them. THIS CAN TAKE AWHILE, depending on your hardware and amount of data - while it runs DO NOT TOUCH YOUR PC AT ALL. When done, log back in, and attempt to run the fixblast.
I'll be here...
EDIT: ahh wait, you are not an administrator? You need to be a local admin to run this - preferably, run it as the 'administrator' account.
Don't hold your breath though, my computer is slow..
what do you mean by "log back in"
k um about the admin thing, I went to control panel, users and passwords, and gave myself administrative rights. Right now I am an "administrator". The way I did this was to log in as the administrator himself, and then have him (i.e. me) give me administrative rights
The DOS prompt didn't mind that I wasn't the original admin, it said that the next time I restart, it will run something or other (can't remember)
That's good enough for admin rights. run chkdsk /R now and go read the newspaper. ;)
Will do. New York Times it is ! :D
edit: nope: it still crashed. I managed to get a "prntScrn" in, so I can read off the last thing that it checked if you want.
ok I did a search, found the file that it crashed on, turns out it was in "temporary internet files" deleted that, and am redoing the search.
edit: It didn't work that way either
I can't delete this file, it is still there, and when I right click, properties, it says "the properties of this file are not available" Also, I cannot delete, rename, move, or copy this file either.
the file itself is called, without the quotes "TR_Popunder;kw=Age+of+Kings+strategy;pos=1;sz=720x300;tile=1;!category=gaming;!category=tobacco;!category=adult;!category=sexualovertones;ord=21915360623438[1]
Save this file, execute it, click big green 'scan now' button. Wait about 10-30 minutes, depending on hardware...
QUOTE: edit: Ok thanx monse, I knew it was a system process but people seem to be paranoid about it, so I just wanted to make sure
QUOTE: there is a s<b>c</b>vhost process that is a trojan.
Maybe there is one
but it is s<u>cc</u>host.exe is another one
Try booting into safe mode, and going into that admin account, you probably won't have the virus running, try em all in safe mode
edit: that was a bump. Feel free to delete this post.
ok - open your task manager - can you tell me if the msblast.exe really is running?
Close all running programs..
Start> Run> MSConfig
Goto the Startup tab
Look for anything that says msblast if you find any uncheck its box
Go back to the General Tab and click Normal Startup
How about this:
Do you know you have access to an UNINFECTED computer?
If so, download the programs from that computer to either CD-R (Not cd-rw, let's be paranoid) or a floppy disk, which you then LOCK! run the programs from the disk.. this way they cannot be infected
No I do not have access to an uninfected computer and no MSTask does not work.
edit: I meant MSConfig, sorry
It says: "cannot find the file... make sure the path and filename... available." so basically it doesn't exist
also, msblast.exe is not running either :D :D
Not mcblast - looking for mSblast - is there any way you can post up a screenshot of your task manager window? Alternately, you could use:
start | run | 'winmsd' | software environment | startup programs
and post what you see in there.
Edit: and it really sounds like you have multiple virus infections to me - not just msblast. Your symptoms are not matching the blaster worm.
Ran that, got a bunch of things, nothing like msblast though
I edited my post, reread it :)
Do you know your way around the registry editor?
If you don't you can try this but CHANGE NOTHING! if you change something you may break your computer..
<b> There is no "UNDO" in regedit</b>
If so, go here:
Hkey_local_machine\software\Microsoft\Windows\CurrentVersion\Run
Look for this: "windows auto update" = msblast.exe
It should be there, you may have one with a changed filename..
look for "windows auto update" its value should be the name of the virus file, (this value doesn't appear on uninfected computers)
That's the filename, find that file and toast it.
QUOTE: (msconfig is not a standard app, for example - it comes with MSOffice)
Are you sure? I don't have office installed, I use Openoffice.org, a freeware replacement... as far as I know, MSOffice was never installed.. wordperfect was installed by default
It comes with a lot of different MS apps, office being the most common deliverer. But no, it is not always present for a variety of reasons. Winmsd is almost guaranteed to be there though in Win 2000 and XP.
I really do not think we are dealing with msblast here based on how his PC is behaving. Caiman, I have one last checker for you to run:
http://www.trendmicro.com/ftp/products/tsc/sysclean.com < download this file
http://www.trendmicro.com/ftp/products/pattern/lpt610.zip < download this file and place it in the same directory as where you placed the sysclean.com file.
Run the sysclean.com file and let us know what's up.
And zerogreat, quit interrupting us with your nonsense or I will remove your posting rights in here. I've already had to delete your posts twice. Third time you are gone.
Anyway, everything WAS working just fine before I connected to the internet one unlucky morning.
Now NS runs, but I still cannot download DoD.
In Startup Programs, how do I change which ones start up? Because some of them have long since been uninstalled.
Before you start this, be warned that a stray press on the delete key could mess things up big time.
I recommend that you remove any animals, small children, or anything else that could tap delete on the keyboard.
To start regedit, goto start> run> and type regedit.
[user posted image: http://pages.cthome.net/useless/virus/1.jpg]
This is what regedit will look like, to open a folder, click the + next to it
Next, expand HKEY_LOCAL_MACHINE
It will then look like this
[user posted image: http://pages.cthome.net/useless/virus/2.jpg]
Have you figured out how to expand stuff pretty good yet?
It's not hard..
Next, expand SOFTWARE
Then Microsoft
Then Windows
Then Currentversion
Then, click Run
Looks like this:
[user posted image: http://pages.cthome.net/useless/virus/3.jpg]
Your view will look different.
Now, look on the right side for something that says "windows auto update", then under the Data section, look and see what it says,
edit: ok - way too many people offering advice at once. This is a bad way to work a problem, so I am going to bow out and let devicenull talk to you. You're going to break something otherwise. I'll check back in a few hours.
I keep forgetting that just because I would do it the hard way first, doesn't mean that everyone else will
Have you tried swearing at the computer yet? That usually scares it into working
Do you know anyone who knows a lot about computers + fixing them? I assume you don't because you are posting here..
Are you sure this isn't your OS being weird?
You use internet explorer, don't you? Is there another browser on your computer you could use? It might let you download files better
OK um no I don't know anyone, the thing Monsieur said is STILL downloading, and before blaster worm came out I could download DoD just fine, except since it took 16 hours I thought I would wait for another day.
I noticed a lot of crap piled up in regedit, mostly things that I have deleted. Is there any "safe" way of getting rid of all this, other than combing through regedit and praying that "DaiktanaDemo.exe" doesn't make the computer start up?
I am running what monse said right now... it just finished... hope it works..
Did you try the tools monse posted above my post with pictures?
If you look in regedit, at the top of the right side you will see column headings, that's what I meant by data.. but if you didn't see "windows auto update" don't worry about it
If you use internet explorer the virus may be infecting every file from inside IE..
Try the tools monse posted though
Try this too: http://housecall.trendmicro.com/
Worry about the other junk later.. there are plenty of guides online about what you can toast and what you can save
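The two manual checks discussed in this thread (the "windows auto update" = msblast.exe value under the Run key, and process names that imitate svchost.exe such as scvhost and scchost) can be scripted over a regedit text export and a list of Task Manager image names. This is an added example, not something posted in the thread; the function names, the edit-distance threshold of 2 and the sample entries ("Updater", "Synchronization Manager") are assumptions made for illustration.

```python
import re

BLASTER_VALUE = "windows auto update"  # Run-key value name given in the thread
BLASTER_FILE = "msblast.exe"           # worm file name given in the thread
LEGIT = "svchost.exe"                  # real system process; several instances are normal

def edit_distance(a, b):  # plain Levenshtein distance
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(exe, max_dist=2):  # near svchost.exe but not equal (threshold assumed)
    return exe.lower() != LEGIT and edit_distance(exe.lower(), LEGIT) <= max_dist

def parse_run_values(reg_text):
    """Yield (value name, unescaped data) from the text of a regedit export."""
    pat = r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$'
    for m in re.finditer(pat, reg_text, re.M):
        yield m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))

def exe_of(data):  # lower-cased file name of the first .exe in a command line
    m = re.search(r'([^\\/"]+\.exe)', data, re.I)
    return m.group(1).lower() if m else data.lower()

def audit(reg_text, processes):
    findings = []
    for name, data in parse_run_values(reg_text):
        exe = exe_of(data)
        if name.lower() == BLASTER_VALUE or exe == BLASTER_FILE:
            findings.append(("run", name, "Blaster autorun entry"))
        elif is_lookalike(exe):
            findings.append(("run", name, "svchost.exe lookalike: " + exe))
    for proc in sorted(set(processes)):
        if proc.lower() == BLASTER_FILE or is_lookalike(proc):
            findings.append(("process", proc, "suspicious process name"))
    return findings

# Constructed sample input (not taken from the poster's machine).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows auto update"="msblast.exe"
"Updater"="C:\\WINNT\\system32\\scvhost.exe"
'''
SAMPLE_PROCS = ["System", "svchost.exe", "svchost.exe", "svchost.exe", "scchost.exe"]
print(*audit(SAMPLE_REG, SAMPLE_PROCS), sep="\n")
```

A regedit export in the "Windows Registry Editor Version 5.00" format is saved as UTF-16, so decode the file before passing its text to `audit`.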