1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Seems like MSBLAST, but...

Discussion in 'Virus & Other Malware Removal' started by e_buddha, Apr 27, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. e_buddha

    e_buddha Thread Starter

    Joined:
    Apr 27, 2004
    Messages:
    15
    We have 1 workstation(Windows 2000 PRO with all patches) that I see on our Firewall sending outbound traffic on port 135. I have searched the registry for any MSBLAST keys and found none. I have run Symantec's MSBLAST removal tool, and it has found none. We run CA Anti-Virus, and it is up to date, and a full system scan also reveals nothing. I even ran AdAware and "quarantined" everything it found, rebooted, but yet the problem exists.

    My Firewall logs point to it being MSBLAST as the address it tries to connect to is a variant of our internal IP scheme. Any ideas?

    Thanks!
     
  2. dr_cool_j

    dr_cool_j

    Joined:
    Feb 14, 2004
    Messages:
    127
    have u installed the

    Blaster Worm Removal Tool for Windows XP and Windows 2000 (KB833330)

    http://www.microsoft.com/downloads/...8b-fe98-493f-ad76-bf673a38b4cf&DisplayLang=en

    it could be the welcha virus

    run the mcafee stinger tool
    get it here
    http://download.nai.com/products/mcafee-avert/stinger.exe
    for help
    http://vil.nai.com/vil/stinger/

    also download the nod32 from my site

    run the nod32 & stinger in safe more
    here's how
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam
     
  3. e_buddha

    e_buddha Thread Starter

    Joined:
    Apr 27, 2004
    Messages:
    15
    PC will boot into safe mode, but ctrl-alt-delete doesn't work. I think we may just write this thing off.
     
  4. e_buddha

    e_buddha Thread Starter

    Joined:
    Apr 27, 2004
    Messages:
    15
    OK, I wrote off the Win2000 Machine, however we have an XP machine in another location that has the same problem. Before anyone rushes to judgement, the answer is NO this is not spreading. The same machines have had this now for about 2 months. We run a SUS server and all our workstations are fully patched and verified, including the 2 showing what appears to be some sort of MSBLAST leftover.

    Steps taken so far:

    1.) Verified the RPC patch and all other security updates were run in.
    2.) Turned off system restore
    3.) Ran Symantecs MSBLAST + Welchia removal tools, both came back fine
    4.) Manually checked the registry for any errant keys
    5.) Booted into safe mode, ran NOD32, and it came back clean.

    I enable logging on my firewall and still see a TON of outbound access attempte on port 135 from this workstation. The IP it is trying to reach is a variant of our internal scheme and matches the pattern for the MSBLAST worm. I am out of ideas and I hope someone can help.

    Here is the HiJackThis Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:24:29 AM, on 4/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\diagent.exe
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    \spring-nas1\programs\Spyware Removal\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    O1 - Hosts: 198.2.110.250 APTNOSS1
    O1 - Hosts: 198.2.110.40 APTNOSS
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Diagnostic Agent] diagent.exe
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\RunServices: [Diagnostic Agent] diagent.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
     
  5. e_buddha

    e_buddha Thread Starter

    Joined:
    Apr 27, 2004
    Messages:
    15
    Looks like it may be this...W32/Agobot-CW, but I would still appreciate any other throughts while I follow this lead.
     
  6. dr_cool_j

    dr_cool_j

    Joined:
    Feb 14, 2004
    Messages:
    127
  7. dr_cool_j

    dr_cool_j

    Joined:
    Feb 14, 2004
    Messages:
    127
  8. e_buddha

    e_buddha Thread Starter

    Joined:
    Apr 27, 2004
    Messages:
    15
  9. dr_cool_j

    dr_cool_j

    Joined:
    Feb 14, 2004
    Messages:
    127
    nice catch
    i saw that file diagent.exe

    and should have trusted my gut and looked into it
    sorry for that
     
  10. e_buddha

    e_buddha Thread Starter

    Joined:
    Apr 27, 2004
    Messages:
    15
    No appologies necessary, thanks for your help!
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/224392

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice