Help! How do I get rid of this virus?

 
Ranch Hand
Posts: 3143
I turned on my laptop at home last night, dialled in to my ISP and almost as soon as I connected my Anti-Virus Software (McAfee Virus Scan) alerted me to files that it believed contained This Virus. Naturally I tried to use the anti-virus software to delete/clean/quarantine the files but it couldn't do it (access rights). Eventually I deleted the offending files myself using Explorer and emptied the recycle bin. Just as I was about to restart, a window popped up telling me that the machine would shut down in 1 minute because of an interruption to the RPC or something like that! My machine then shut down and rebooted by itself.
I ran a full virus check (I had only updated my definitions the previous day so I knew they were up to date) and nothing came up. So I connected to the internet again, and within a minute, that little window popped up again and the machine rebooted, and the virus was back when I checked again!
I can't seem to get rid of it?
Any ideas?
 
Ranch Hand
Posts: 1936


Backdoor.IRC.Cirebot
Discovered on: August 02, 2003
Last Updated on: August 12, 2003 12:16:18 PM
The capabilities of this backdoor component include:
Using ICQ to send a notification message when the backdoor is started
Downloading and executing files
Ending running processes
Dynamically updating the installed Trojan
Performing Denial of Service (DoS) attacks
Stealing CD keys
"Securing" the machine by removing network shares
Logging keystrokes
Attacking other systems using various exploits


Hmm, mighty!! I am no expert, but it's possible that it's a variant of the above said virus. Maybe booting and running anti-virus from a fresh disk (anti-virus rescue boot disk, if you have one) might help!
And Symantec said something about WinXP restore there!
Best of Luck to you!
 
Angela Poynton
Ranch Hand
Posts: 3143
Ahh on further investigation it would appear to actually be the MSBlaster worm currently going around.
 
Ranch Hand
Posts: 1340
According to the link you need to turn off System Restore (on XP) then do a virus def update, then do the scan/delete. This applies to msblaster too.
Might help doing it all in safe mode if you're not on XP
There's a registry change to make too.
[ August 12, 2003: Message edited by: Richard Hawkes ]
 
Sheriff
Posts: 3341
For Blaster, make sure you do the RPC update described by M$
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Norton has a neat tool which will remove the virus easily.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Yes, the definitions to detect and block this just came out yesterday!
 
Author
Posts: 6055
This bug was actually discovered back in July. MS put out a patch shortly after it was discovered. The virus didn't actually pop its head up until a day or so ago.
Moral of the story: although MS sucks in terms of providing security, they are pretty good about providing service (that is the "providing" is good). I check the Windows Update site (http://v4.windowsupdate.microsoft.com/en/default.asp) once a week to keep my computer up to date against attacks like this.
--Mark
 
Angela Poynton
Ranch Hand
Posts: 3143
Well the trick was keeping the machine ON long enough to download the MS patch since it was too big to put on a floppy and I can't write to CD on my work machine!
It took me 4 hours of sheer frustration but I *THINK* I've got rid of it.
Thanks All
 
Ranch Hand
Posts: 2166
My home PC was infected, too. First time I was targeted by a major virus attack. Problem seems cleared now. Used the tips from this thread.
Here is some more useful information, especially the link after SANS Internet Storm Center:
http://fishbowl.pastiche.org/archives/001451.html
The problem was that the hackers visiting my system or some program they installed is stopping the RemoteProcedureCall Service. When that service is stopped, by default Windows starts rebooting the system. So one might not have the time to download the anti-virus patches before being rebooted.
You can change the rebooting behaviour on the third tab of the service in the service settings windows.
 
Angela Poynton
Ranch Hand
Posts: 3143

Originally posted by Axel Janssen:

You can change the rebooting behaviour on the third tab of the service in the service settings windows.



Don't you HATE it when you learn something that could have made things much easier AFTER the fact!
 
Axel Janssen
Ranch Hand
Posts: 2166
Angela, this must have really been the most wonderful 4 hours of your life.
 