Blaster Dilemma
Hello fellow XP users,
My name is Owen Brown, I am 23 from Sydney
I asked how I could back up several gigabytes of data for a reformat of an XP Pro system which is displaying signs of a worm infection. Several people have been quick to try and help so I won’t give up on removing the problems just yet.
I’ll explain the problem from the start…
At about 12:00 pm yesterday I received an RPC call restart message and immediately cursed turning off the firewall that is on the network I have at home here. I restarted windows and tried to run Norton AV only to find that a) My subscription had ended and b) the “virus” wouldn’t allow a Norton scan to run.
I used the Symantec online scanner and found that my computer had NO viruses.
I wasn’t convinced because Norton Anti Virus still wouldn’t run and AVG (grisoft) anti virus wouldn’t install. Like a confident Neo entering the Matrix I looked at my System32 folder and found two newly modified files scvhost.exe and winhlpp32.exe, both 57kb and both looking VERY shifty. Scvhost.exe could NOT be deleted because it could not be removed from the processes list, winhlpp32.exe could be deleted.
I did a forum search and they all recommended downloading and running a Microsoft security patch. I could only do this in safe mode (it wouldn’t work normally) and when I did it didn’t appear to do much except leave two strange-looking blue folders in my WINDOWS folder. Then they recommended removing msblast.exe from my processes list, but this process wasn’t there; it isn’t on my system at all.
I headed over to Symantec and found that the virus most resembling the one I seemed to have was this:
http://www.symantec.com/avcenter/ven...gaobot.ao.html
I tried to use this to solve my problem, however, Symantec, after acknowledging that the virus disables AV software, recommend a full system scan, which is annoying. The help page said that scvhost.exe and winhlpp32.exe were the screwy files so I knew I was on the right track. However, I opened up the registry in safe mode (because it wouldn’t work in normal mode thanks to the bug) and found that of the values suggested by the help page to be removed from the registry locations;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Those being:
• "Registry Loader"="regloadr.exe"
• "Configuration Loader" = "dosrun32.exe"
• "Windows Explorer" = "lsas.exe"
• "Registry Loader"="winhlpp32.exe"
• "Config Loader" = "scvhost.exe"
NONE were there, as far as I could tell, my registry was totally clean…
Symantec also recommends removing Regloadr.exe, Dosrun32.exe, or Lsas.exe from the processes list, they’re not there, and it’s just not my virus!
I downloaded the blast fix program from Symantec and a few other programs offered by AV sites and they all came up with the same answer: No blaster worm was on my system. So why the hell were none of my programs working and why the hell couldn’t I get rid of this damn scvhost.exe process?
What about system restore? I ran it to no avail…
In a fit of rage like Neo against Agent Smith I dived into my processes list and decided to delete scvhost.exe for all it was worth…
Silly me, I deleted four SVCHOST.exe processes… I think I may have even deleted it from the system folder. The SCVHOST.exe file remains and cannot be removed from the system32 folder or the processes list.
So what happened? Well, Networking is screwed, the sound card has vanished, so has the modem and the saviour of all saviours, the beloved reformat is not possible because the one program, Neo, I mean Nero, won’t work. Something about a COM/OLE error. I can’t save any of my beloved gigabytes of stuff to CD so I can’t reformat. I am SCREWED!
OK, I checked out http://www.sophos.com/support/disinf.../blastera.html and discovered this:
--<<<8. Why am I getting errors associated with SVCHOST.EXE even if my computer is not infected with W32/Blaster-A?
If a vulnerable computer is probed by W32/Blaster-A, even if infection is not successful, the svchost service will fail. This will cause a variety of problems with other software.
To recover from these problems install the patch at
http://www.microsoft.com/security/se...s/ms03-026.asp and restart the svchost service. >>>---
Now this seems to be what I am experiencing. No virus but all the rubbish that it comes with. It’s possible svchost.exe was just fine and I ruined it by tinkering.
I can’t download a Windows update because I cannot connect to the internet. I took the svchost.exe file from the computer I am using now and attempted to copy it to my computer’s system32 folder (which involved opening it in Notepad and saving it because the bug won’t allow moving or pasting) and set my services to their default configurations, but still nothing seems to work (the bug is greatly efficient at stopping applications from running).
It seems that in my determination to remove the “virus” I have removed a hugely critical file (svchost.exe) and now I can’t get it back. I get the feeling that if I hadn’t removed the svchost.exe services Nero would have at least run and I could have fixed this problem forever.
So there you go, a virus that can’t even be detected has caused me to completely destroy my system with about 10 gigabytes of valuable stuff…
I ask four questions:
1) How can I get a new copy of sVChost.exe running that will restore all my services back to their original settings? Should I delete the one I stole from my sister’s PC? Remember, I cannot cut and paste.
2) If I manage to do this, how can I rid myself of this evil and undeletable sCVhost.exe once and for all and get my system back to a point where it likes running AV software? (Please do answer this because this computer may be affected.)
3) If neither of the above two requests is fixable, can you think of any possible way to save my data elsewhere so that I can safely run a reformat and not lose all my stuff?
4) Lastly, will my XP Pro CD allow me to reformat my system, removing all the silly bugs and programs, WITHOUT touching the stuff in my “My Documents” Folder? I would see for myself, but you guys know already what happens when I experiment!
I really appreciate your time in reading this. I hope I have explained the problem comprehensibly enough for you to want to help me. I cannot describe how thankful I am. I will keep checking the forum but could you please also CC your response (if you think it would help) to
obliky@hotmail.com or add me to ICQ: 48666738.
Here are the Hijack scan details for further help:
Deepest thanks,
Owen.
Logfile of HijackThis v1.97.3
Scan saved at 11:44:08 AM, on 3/11/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\scvhost.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\Owen Brown\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.theunsentletter.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.web-entrance.com/main.cgi?ID=215"); (C:\Program Files\Netscape\Users\ohbrown\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/u...lorer1_8us.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
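A defender-side check for the indicators discussed in the post, added here as an example that is not from the post or from Symantec: it parses the running-process and O4 Run entries of a HijackThis log (a constructed excerpt modelled on the one posted), flags the file names Symantec's write-up lists, and also flags any name that is one edit or one adjacent-letter swap away from a genuine system binary, which is exactly how scvhost.exe differs from svchost.exe and lsas.exe from lsass.exe. The LEGIT_SYSTEM set and the edit-distance rule are my assumptions, not anything the post states.

```python
# Filenames the Symantec Gaobot write-up quoted in the post lists as Run/RunServices values.
GAOBOT_NAMES = {"regloadr.exe", "dosrun32.exe", "lsas.exe", "winhlpp32.exe", "scvhost.exe"}
# Assumed set of genuine XP binaries those names imitate (scvhost~svchost, lsas~lsass, winhlpp32~winhlp32).
LEGIT_SYSTEM = {"svchost.exe", "lsass.exe", "winhlp32.exe", "services.exe", "smss.exe", "winlogon.exe"}

def osa_distance(a, b):
    """Optimal string alignment distance: one edit or one adjacent swap counts as one step."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def classify(filename):
    """Return why the name is suspicious, or None for known-good or unremarkable names."""
    name = filename.lower()
    if name in GAOBOT_NAMES:
        return "named in the Gaobot write-up"
    if name not in LEGIT_SYSTEM:
        for legit in sorted(LEGIT_SYSTEM):
            if osa_distance(name, legit) == 1:
                return "lookalike of " + legit
    return None

def scan_hijackthis(log):
    """Return [(log line, reason)] for running processes and O4 Run entries with suspicious names."""
    hits, in_procs = [], False
    for line in (l.strip() for l in log.splitlines()):
        if len(line) > 1 and line[0].isalpha() and line[1].isdigit():
            in_procs = False                      # an R0/N1/O4/O16 section line ends the process list
        if in_procs:
            name = line.rsplit("\\", 1)[-1]       # last path component of the process
        elif line.startswith("O4 - ") and "] " in line:
            name = line.split("] ", 1)[1].split()[0].rsplit("\\", 1)[-1]  # executable of the Run value
        else:
            in_procs = in_procs or line == "Running processes:"
            continue
        reason = classify(name)
        if reason:
            hits.append((line, reason))
    return hits

SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\scvhost.exe
O4 - HKLM\..\Run: [Registry Loader] winhlpp32.exe
"""  # constructed excerpt in HijackThis v1.97 layout, modelled on the posted log
```

Running `scan_hijackthis(SAMPLE_LOG)` reports the scvhost.exe process and the winhlpp32.exe Run value and leaves lsass.exe alone.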