oren100
Cadet
Joined: Apr 04, 2004
Posts: 3
Location: USA
Posted: Sun Apr 04, 2004 7:30 pm Post subject: a new virus? need your assistance
Hello guys. Great forum!
Here is my problem: I think I have a virus that I cannot remove:
Every few hours, Norton is disabled and gone from the shortcut bar. When manually opening it, the email protection is disabled and the email scanning shows an error.
I cannot surf to certain websites, such as Norton, McAfee etc.
When running HijackThis.exe the program shuts itself down after a few seconds.
When trying to solve the problem, I noticed a few things:
New registry entries are created in "RUN" and "RUN SERVICES" named "Video Device Loader", and two files, named "testfile" and "MSDTC32.EXE", appear on the D root. When deleting the services and the file the problem ends, but happens again after a few hours.
Any suggestions?
Marianna
1st Responder
Premium Member
Joined: Nov 05, 2003
Posts: 1071
Location: Canada
Posted: Wed Apr 07, 2004 7:01 pm Post subject:
Hi,
Yep, I just found it:
A variant of the Gaobot worm appeared at Yale over the weekend. This worm strongly resembles the W32.Gaobot.UM strain, but there are differences in the filenames. It spreads through administrative shares with weak passwords, and can affect W2000 and Windows XP machines that are fully patched and have up-to-date NAV definitions.
Infections have included servers throughout the Academic and Administrative departments, in addition to the original outbreak at CLS.
Characteristics of the Worm
1. The worm copies and executes itself as %Systemroot%\msdtc32.exe.
2. It installs a value called "Video Device Loader" to the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
3. The worm ends any antivirus or firewall software and attempts to kill processes associated with other worms. It will interfere with the Task Manager.
http://216.239.53.104/search?q=cache:TQ...n&ie=UTF-8
Scroll down - there you will see instructions to remove.
oren100
Cadet
Joined: Apr 04, 2004
Posts: 3
Location: USA
Posted: Fri Apr 09, 2004 1:01 am Post subject:
Dear Marianna, Thanks a lot.
Marianna
1st Responder
Premium Member
Joined: Nov 05, 2003
Posts: 1071
Location: Canada
Posted: Fri Apr 09, 2004 11:31 am Post subject:
Hi oren100
You're Welcome
Happy Safe Computing!
Acheton
Forums Admin
Premium Member
Joined: Sep 04, 2003
Posts: 2555
Location: Uk
Posted: Fri Apr 23, 2004 1:10 pm Post subject:
I've locked this thread since the issue is resolved. Please pm a mod if you want it reopened for any reason.
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops