Dee

Help I Have Major Problems Here :(


That's good.

 

When you have installed and set it up then click on PORT 135 Scanner in my sig below.

 

Port 135 is the main way in for Blaster, but not the only way in, so it would be best to do the Full Port scan test.

 

It will tell you which ports, if any, are open. What you want to see is Stealthed, that way you are safe even without the patch.

 

But keep trying for the patch just the same.


I am about 50% there on that firewall download and I am also just after downloading the stinger and it is running as we speak. I will try what you said when I get firewall downloaded.

 

 

:)


I have just completed installing the firewall.....I clicked on your link to port 135....I am sorry I don't see the full port scan test????....is it called leaktest???...what do I click on

 

Sorry I must seem like a right pain, apologies

 

De


:)

 

The stinger test is done and it has deleted

 

rcfg.ini

msrpc.bat

web.swf

secure.bat

v32driver.bat

rconnect.exe

rconnect.conf

STDE9.exe

 

 

Also something has come up on my screen when I restarted the computer and I am not sure should I go with it.....the reason being it is an unlicenced copy???

 

It's an mIRC V5.91......is this the correction to my problem of being able to log on properly. My original message on that error for logging on was ...."unable to resolve IRC"

 

:blink:


Hi Dee,,Inprofile went to bed,,so if ya need anything myself or someone else will help ya out.

 

Run the port scan and online virus scans below to make sure you're free of the worm,,and that all the right ports are closed. :) v

 

 

 

http://scan.sygate.com/

 

http://www.ravantivirus.com/scan/

 

 

Thanks Volt

 

I really appreciate all the help ...this site is just wonderful :)

 

I will run those scans now

 

De


I'm a little out of the loop here,, :mrgreen: do you have an IRC client installed?? ;) v


Volt

 

This is the result I got on the

 

Sygate security scan

=============

 

 

Operating System = Windows 2000

Browser = Microsoft Internet Explorer 6.0

 

Trying to find out your computer name...

 

Unable to determine your computer name! :huh:

 

 

Trying to find out what services you are running...

 

Unable to detect any running services! :huh:

 

 

 

 

 

:blank:


Do you or anyone else using your computer "chat" using mIRC?

edit: looks like you're "stealth" on the 135 port :tup:

Edited by Jacee


And here is what it told me,,go run that virus scan up there,,I need to run off for about 20-30 minutes,,will be right back tho. :) v

 

 

 

Trying to gather information from your web browser...

 

Operating System = Windows 2000

Browser = Microsoft Internet Explorer 5.01

 

Trying to find out your computer name...

 

Unable to determine your computer name!

 

 

Trying to find out what services you are running...

 

Unable to detect any running services!

 

 

 


I'm a little out of the loop here,, :mrgreen: do you have an IRC client installed?? ;) v

 

 

 

Darn it anyways, still will not allow me to apply the patch... :erm: ...I will keep trying

 

Volt I have two problems (1) the worm plus whatever other problems it creates

(2) logging onto my computer to get on line

 

 

(2) Logging on

 

The computer will not start up as normal and run to desktop options....I have to go into administration mode

do control/alt/delete and then into task manager and enter program files. That gets me to desktop with icons to allow me connect to the internet. "It is saying unable to resolve IRC". Since I have been working on clearing this worm thing - the following has popped up on my screen and I am unsure what to do with me....do I accept it and is that the way of rectifying the problem with IRC

 

It says it is mIRC V5.91

but underneath it is saying unlicenced copy

written by Khaled Mardam-Bey

 

 

We have cleared some of the infected files but after running the RAV Anti Virus scan just there now, here is a list of what is still infected :blink::huh: ..........I am beginning to think my computer is a natural disaster.

 

 

It is showing me 22 files still infected :( ....it's not allowing me copy and paste them to here.....mixture of all I said before Pitchfork, Backdoor, Svchost, explore, Trojan etc

 

 

It's now 3am in the morning here and I am nearly wasted..... :snooze: ..

 

De


Do you or anyone else using your computer "chat" using mIRC?

edit: looks like you're "stealth" on the 135 port :tup:

Jacee

 

Yes MSN Messenger was on our system until yesterday. We deleted it as we thought it might be the cause of the problem but I see it's much more than that now.

 

Thanks

 

De :(


Go ahead and hit the sack Dee,,we need to go a little further here,,and we are out of time for now. :) v

 

http://www.mirc.com/khaled/about.html

 

 

Okey Dokey,

 

I can see things are not as cut and dry with this, I do appreciate all your help and PATIENCE ;)

 

I will get back online to-morrow

 

Take care and Keep safe

 

De :snooze:


Inprofile gets up before me,,he will love this one. :) take care Dee!!


Hope you get it sorted Dee, it's quiet round here now. ;)


Morning Dee.

 

Seems like you have more than Blaster on your pc.

 

The mIRC programme, you did install it knowingly at one point?

 

Read this - IMPACT:

 

http://www.uuuppz.com/research/adv-001-mirc.htm

 

This is an example of what we are dealing with:

 

http://www.trendmicro.com/vinfo/virusencyc...BAT_IRCFLOOD.CD


Good Morning :)

 

 

Oh Holy Moley :help:

 

Looks like I am being really hammered lol

 

 

De


Read this:

 

http://www.nohack.net/gtbots.htm

 

Then d/l, install, update and run this free Trojan scanner:

 

http://www.swatit.org/

 

It may take a while to scan.

 

 

OK I have done that download etc and I had to use the zip version as the other one kept showing me errors. I have completed the scan and it is coming up 0% infected

 

:woot: that must be a good sign for starters :)


Update:

======

 

(1) Did a McAfee online scan and it showed 17 files still infected

 

(2) Then again I used the Symantec Removal Tool again and it said 2 files removed and 2 registry entries fixed

 

(3) I ran the Trend Cleaner and it showed as if all was clean

 

(4) I ran Stinger and all seemed to be clean

 

(5) continued to try downloading patch will not apply for me

 

(6) I have identified that port 113 is open and all other ports are "closed"....how can I make sure all these are "Blocked" completely. It indicated that 113 is open with possible trojan "Kazimas"

 

Also it indicates that ICMP 8 is open too.

 

(7) after all that I decided to run the McAfee Online scan and right now I just want to bang my head off the nearest wall......it has just returned showing me that there is still 17 infected files. :angry: ...still showing that

the following are still present in different forms.

 

mblast

Deloder

IRCFlood

Pitchfork

Backdoor

Svchost

SlimFPT

 

 

I just seem to be looping.....what am I not doing???

 

I need some time out from this, so I will be back later this evening.

 

See ya then

 

:(

 

 

PS on the Swat It Scan I did earlier, this is what is in the process area......what do I do with them????

 

 

C:\Program Files\Swat It v2.1\SwatIt.exe

C:\WINNT\system32\notepad.exe

C:\WINNT\system32\msblast.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\CFGSAFE\AUTOCHK.EXE

C:\winnt\system32\msiexec16.exe

C:\WINNT\System32\api32.exe

C:\WINNT\System32\msapp.exe

C:\WINNT\loadqm.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\WINNT\System32\RunDll32.exe

C:\WINNT\System32\Atiptaxx.exe

C:\WINNT\System32\tp4serv.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\Explorer.exe

C:\WINNT\system32\Explorer.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

c:\winnt\svchost.exe

c:\winnt\srvany.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\crypserv.exe

C:\WINNT\System32\ati2evxx.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\winlogon.exe

csrss.exe

C:\WINNT\System32\smss.exe

System

System Idle Process


if you don't have a firewall as of yet get- sygate-should block all your open ports

Edited by BOB C


Dee, did we ever ask (or tell you), that if you have XP or ME to turn off system restore before scanning for viruses? You can turn it back on when they're cleaned up.


From what the port scan said it's a 2000 machine.

 

Seems from some of the running processes to be an ibm thinkpad??

 

But I thought they had run the blaster removal tool??

 

It's showing C:\WINNT\system32\msblast.exe in that swat it list up there??


I don't know what's going on here, some of those like Deloder, Pitchfork, etc.. should have been removed after all the scanning that has been done.

 

Can you post a test of your machine so that we see what you have installed:

 

Howto.

 

EDIT.

 

I have checked the Swat-It list posted above and some of that stuff should simply not be there:

 

CSRSS.EXE is WORM_LADEX.A

 

MSAPP.EXE is BKDR_RSBOT.A and BKDR_RSBOT.B

 

There are others, that's just an example and they should have been removed by Trend!

 

The crap seems to be reloaded when you start up Windows and what is causing that is the mIRC programme you have installed!

Edited by Inprofile
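
Added example, not part of the thread or written by any poster: one way to triage a process list like the Swat-It one above is to check whether core Windows system file names are running from the folder they normally live in. The expected-folder table below is an assumption based on a standard Windows 2000 layout with C:\WINNT as the system root; a mismatch marks an entry for a closer look and is not a verdict.

```python
import ntpath

# Assumption: Windows 2000 layout, system root C:\WINNT (as in the posted list).
SYSTEM32 = r"c:\winnt\system32"
EXPECTED_DIR = {
    "svchost.exe": SYSTEM32,
    "csrss.exe": SYSTEM32,
    "smss.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32,
    "explorer.exe": r"c:\winnt",
}

# Subset of the entries from the process list posted in the thread.
PROCESS_LIST = r"""
C:\WINNT\system32\msblast.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\Explorer.exe
c:\winnt\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\lsass.exe
csrss.exe
C:\WINNT\System32\smss.exe
"""

def classify(entry):
    """Return 'ok', 'wrong-location', 'no-path' or 'unlisted' for one entry."""
    directory, name = ntpath.split(entry.strip().lower())
    expected = EXPECTED_DIR.get(name)
    if expected is None:
        return "unlisted"      # not a core system name; location says nothing
    if not directory:
        return "no-path"       # the tool gave no path; location cannot be checked
    return "ok" if directory == expected else "wrong-location"

def review(listing):
    """Map each non-empty line of a process listing to its classification."""
    return [(line.strip(), classify(line))
            for line in listing.splitlines() if line.strip()]

if __name__ == "__main__":
    for entry, verdict in review(PROCESS_LIST):
        if verdict in ("wrong-location", "no-path"):
            print(f"{verdict:15} {entry}")
```

The location check only covers look-alike system names; an entry such as msblast.exe comes back as "unlisted" and still has to be identified by a scanner or by name.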
