Reloader, April 22, 2005

I got a virus that my antivirus can't clean... Antivirus log:

eTrust EZ Antivirus Version 6.1.9.7
Started scanning: 11:12:55 PM, 4/21/2005
Dat file v9089
Scanning boot sectors...
C:\ Master Boot Record is OK: standard Win2000 (1).
C:\ Partition Boot Record is OK: standard Win2000 (2).
Scanning file(s)...
C:\WINDOWS\system32\Wauclt~1.exe - Win32.Clspring!generic trojan.
Finished scanning: 11:13:01 PM, 4/21/2005
Number of files scanned: 1.
Number of infections: 1
Number of infected files not cleaned/deleted/renamed: 1
C:\WINDOWS\system32\Wauclt~1.exe (Win32.Clspring!generic trojan)

Can't find the file manually to delete it... anyone here have a clue?
PAbowhunter4life, April 22, 2005
Re: Anyone good with cleaning computers?

I am about to use my 835 to "clean" my Dell. I hate computers. They're like cars, a necessary evil.
Shaun_300, April 22, 2005

[QUOTE]I am about to use my 835 to "clean" my Dell. I hate computers. They're like cars, a necessary evil[/QUOTE]

Yeah, I have been having problems with my Dell too.
Griz, April 22, 2005

COMPUTERS! Sorry, but I'm like that monkey when it comes to these things...
LifeNRA, April 22, 2005

I searched the entire Symantec website, and nothing like that comes up! Where did you pick it up at? You should get Norton Anti-virus; it stops everything I ever came across!
Orion_70, April 22, 2005

Boot into safe mode first. To do this, restart, then keep hitting F8 until you get into safe mode. Run the virus scan then. If it doesn't clean the file, go to System32, sort it by modified date, find the file and delete it. Then open msconfig and check the startup programs for anything fishy.
ILSNIPER1, April 22, 2005

Reloader,

First, get rid of eTrust EZ Antivirus Version 6.1.9.7. My aunt went out & got that & it SUCKS! She installed it & it found 3-5 viruses, but that's all it would do!? I had her install AVG Free Edition & that was the end of that mess! It's the best free antivirus you can get... plus, it's ten X's better than eTrust EZ Antivirus IMO.

Or, if you have an extra $69.00, you should get the full version (good for 12 months) or download the 15-day trial of Symantec's Norton Internet Security 2005. This is what I'm using & it has everything you need to stay safe on the net. I installed it & updated everything & ran a full scan & it found some key logging BS, but it made quick work of it & now it's GONE! lol & YES... I changed all my passwords.

Good Luck,
Phil B.
VermontHunter, April 22, 2005

Hhmmmm, this one must be very, very new. I've done all kinds of searches for this Trojan and find nothing.... And what's really confusing is that (wauclt.exe) is a necessary operating system file; it stands for (Windows Automated Update Client). Until something runs awry I would choose to ignore this file until Symantec or another reputable antivirus company puts out a release on this Trojan, if that's what it really is... Or better yet, I would send the file name to Symantec for further investigation on their part...
Orion_70, April 22, 2005

Follow the instructions below. It's another variant of the W32.Gaobot: http://www.hkcert.org/valert/vinfo/lsass_worm.html

W32.Gaobot and variants (attack LSASS Vulnerability)

Description
Several new variants of W32.Gaobot worms exploit a known Microsoft Windows Local Security Authority Subsystem Service (LSASS) vulnerability, which is described in Microsoft Security Bulletin MS04-011, to propagate across the Internet.

Affected Systems (Microsoft Windows LSASS Vulnerability MS04-011)
- Microsoft Windows NT4
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003

W32.Gaobot and variants (attack LSASS Vulnerability) discovered by antivirus vendor:
- W32.Gaobot.AFC
- W32.Gaobot.AFJ
- W32.Gaobot.AFW
- W32.Gaobot.AJD (Updated on 12 May 2004)
- W32.Gaobot.AJE (Updated on 12 May 2004)
- W32.Gaobot.AJJ (Updated on 14 May 2004)
- W32.Gaobot.AIS (Updated on 18 May 2004)
- W32.Gaobot.ALO (Updated on 20 May 2004)
- W32.Gaobot.ALU (Updated on 21 May 2004)
- W32.Gaobot.ALW (Updated on 28 May 2004)
- W32.Gaobot.AOL (Updated on 5 June 2004)
- W32.Gaobot.AQS (Updated on 10 June 2004)

Once the computer is attacked by the worm, it shows a System Shutdown dialog box.

The worm has the ability to act as a backdoor server program and attack other systems. The worm attempts to kill the processes of many anti-virus and security applications. It also adds a list of common antivirus and security software websites to the system HOSTS file, mapping them to a local IP address, so that it prevents the user from accessing those websites. It also steals the Windows Product ID and the CD keys of certain game applications.

Additionally, it also sends HTTP POST messages containing large amounts of data (250 KB per POST message) to the following hosts:
www.ryan1918.net, www.ryan1918.org, www.ryan1918.com, yahoo.co.jp, www.nifty.com, www.d1asia.com, www.st.lib.keio.ac.jp, www.lib.nthu.edu.tw, www.above.net, www.level3.com, nitro.ucsc.edu, www.burst.net, www.cogentco.com, www.rit.edu, www.nocster.com, www.verio.com, www.stanford.edu, www.xo.net, de.yahoo.com, www.belwue.de, www.switch.ch, www.1und1.de, verio.fr, www.utwente.nl, www.schlund.net

The worm variants also exhibit slight differences. For the specific characteristics of each variant, please refer to the Appendix.

Payload
- Modifies the HOSTS file
- Terminates many antivirus and security software processes
- Steals the Windows Product ID and the CD keys of certain game applications
- Sends HTTP POST messages containing large amounts of data (250 KB per POST message) to the list of websites
- Opens a randomly selected TCP port and sends a copy of itself to any process connecting to that port
- Connects to a remote IRC server and awaits commands from the remote attacker

Solution

For infected computers:
1. If you keep getting the "Shutdown in 60 seconds" dialog, click Start -> Run, and execute the command 'shutdown -a' to get rid of the shutdown temporarily.
2. Check the system HOSTS file, which is located at %System%\drivers\etc. Note: %System% is a variable: C:\Winnt\System32\drivers\etc (Windows NT/2000/2003) or C:\Windows\System32\drivers\etc (Windows XP).
3. Right-click the HOSTS file, and then click "Open With." Scroll through the list of programs, select the "Notepad" application to open the file and then click "OK".
4. When the file is opened, by default it has only one 127.0.0.1 record, as below:
   127.0.0.1 localhost
   Please delete all the entries except the above default entry and self-defined entries, then save the HOSTS file and close the Notepad application.

Common steps for all unpatched computers:

Download and install the Microsoft Windows LSASS vulnerability patch. Note: It is advised to use a Win98 / WinME PC or a patched PC to download the patch software and transfer it via floppy diskette or CD-R to the infected system. This is safer. Please choose ONLY ONE correct Windows platform and language to download:
- Windows NT Workstation 4.0 (Eng): http://www.microsoft.com/downloads/detai...;displaylang=en
- Windows NT Workstation 4.0 (Traditional Chi): http://www.microsoft.com/downloads/detai...25-3CF72C1A0A3E
- Windows NT Server 4.0 (Eng): http://www.microsoft.com/downloads/detai...;displaylang=en
- Windows NT Server 4.0 (Traditional Chi): http://www.microsoft.com/downloads/detai...7E-3B8DC44F9D79
- Windows NT 4.0 Terminal Server (Eng): http://www.microsoft.com/downloads/detai...;displaylang=en
- Windows 2000 (Eng): http://www.microsoft.com/downloads/detai...;displaylang=en
- Windows 2000 (Traditional Chi): http://www.microsoft.com/downloads/detai...EB-D2342FBB6C00
- Windows XP Home and Windows Professional Edition (Eng): http://www.microsoft.com/downloads/detai...;displaylang=en
- Windows XP Home and Windows Professional Edition (Traditional Chi): http://www.microsoft.com/downloads/detai...F1-AF243B6168F3
- Windows Server 2003 (Eng): http://www.microsoft.com/downloads/detai...;displaylang=en
- Windows Server 2003 (Traditional Chi): http://www.microsoft.com/downloads/detai...F1-AF243B6168F3
- Other Windows platforms: http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

When the "File Download" dialog box is prompted, please select "Open" file. After the download is completed, the installation starts. You can click the "Next" button until "Finish". After finishing, please reboot the computer.

Scanning and cleaning the worm

Update the new virus definitions or signatures from your anti-virus vendor.

WinXP machines need to turn off "System Restore" according to the following steps before running the antivirus program (skip for Win2000 and WinNT):
1. Click Start > Programs > Accessories > Windows Explorer.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
5. Click Apply and then click Yes.
6. Click OK.

Running the antivirus program in Safe Mode guarantees that no file will be locked by the system and that it can be removed without problem.
1. Reboot the computer.
2. Press "F8" many times during machine reboot until the bootup selection menu is shown.
3. Choose "Safe Mode".
4. After entering Safe Mode, run the antivirus program to start scanning your computer.
5. Let the scan run until completion.
6. Restart the computer to "Normal Mode".

Resume WinXP configuration to normal (skip for Win2000 and WinNT):
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
5. Click Apply, and then click OK.
6. Restart the computer.

At this point, the infected computer should have been recovered. Since the patch has also closed the Windows LSASS security hole, the computer is immune to any new attacking worm variants. However, the following optional recommendations can further improve your protection.

Optional Recommended Steps to tackle the worm attack

Configure Firewall to filter network traffic
If the company has installed a firewall or firewall-capable broadband router, you can configure it to block the incoming LSARPC traffic from the Internet to safeguard all PCs in the internal network. This is very effective in mitigating the risk.

The services that need to be blocked include:
- TCP/UDP 139
- TCP/UDP 445

Furthermore, the following port may be used by the worm and should be blocked as well:
- TCP 1025 (Please verify the existing service is not in use before blocking this port)

If access cannot be blocked for all external hosts, we recommend limiting access to only those hosts that require it for normal operation. As a general rule, we recommend filtering all types of network traffic that are not required for normal operation.

Home or personal computers can install a firewall-capable broadband router (hardware) or personal firewall (software) to achieve the same purpose. For WinXP, you can turn on the built-in personal firewall software called the "Internet Connection Firewall". Detailed steps can be found at the following URL: http://www.microsoft.com/WindowsXP/home/using/howto/homenet/icf.asp

Related Link(s)
For more information, please refer to the following websites. Information from Symantec: W32.Gaobot.AFC, W32.Gaobot.AFJ, W32.Gaobot.AFW, W32.Gaobot.AJD, W32.Gaobot.AJE, W32.Gaobot.AJJ, W32.Gaobot.AIS, W32.Gaobot.ALO, W32.Gaobot.ALU, W32.Gaobot.ALW, W32.Gaobot.AOL, W32.Gaobot.AQS

Appendix

W32.Gaobot.AFC
It copies itself as wmiprvsw.exe and adds the value "System Updater Service = wmiprvsw.exe" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.AFC runs when you start Windows.

W32.Gaobot.AFJ
It copies itself as one of the following: msiwin84.exe, Microsoft.exe, WinMsrv32.exe, soundcontrl.exe, msawindows.exe, and adds one of the following values:
"Microsoft Update = msiwin84.exe"
"Microsoft Update = Microsoft.exe"
"WinMsrv32 = WinMsrv32.exe"
"soundcontrl = soundcontrl.exe"
"Microsoft Update = msawindows.exe"
to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.AFJ runs when you start Windows.

W32.Gaobot.AFW
It copies itself as hkey.exe and adds the value "windows = hkey.exe" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.AFW runs when you start Windows.

W32.Gaobot.AJD
It copies itself as wauclt.exe and adds the value "Automated Windows Updates = wauclt.exe" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.AJD runs when you start Windows.

W32.Gaobot.AJE
It copies itself as norton.exe and adds the value "System Service Manager = norton.exe" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.AJE runs when you start Windows.

W32.Gaobot.AJJ
It copies itself as LSMAS.exe and adds the value "LSMAS.exe" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.AJJ runs when you start Windows.

W32.Gaobot.AIS
It copies itself as netsvacs.exe and adds the value "Network Services = netsvacs.exe" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.AIS runs when you start Windows.

W32.Gaobot.ALO
It copies itself as sysconf.exe and adds the value "Video Process = sysconf.exe" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.ALO runs when you start Windows.

W32.Gaobot.ALU
It copies itself as svhost.exe and adds the value "Windows Security Manager = svhost.exe" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.ALU runs when you start Windows.

W32.Gaobot.ALW
It copies itself as norton.exe and adds the value "System Service Manager = norton.exe" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.ALW runs when you start Windows.

W32.Gaobot.AOL
It copies itself as lrbz32.exe and adds the value "MS Config v13 = lrbz32.exe" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.AOL runs when you start Windows.

W32.Gaobot.AQS
It copies itself as wuamgrd16.exe and adds the value "Microsoft Update = wuamgrd16.exe" to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Gaobot.AQS runs when you start Windows.
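The advisory quoted in the post above leaves a defender two durable artifacts to check: the autostart values under the HKLM Run and RunServices keys (its Appendix) and loopback entries added to the HOSTS file (its Solution section). The Python below is an added example written for this thread, not code from HKCERT, Symantec or any vendor; it audits both artifacts offline. It parses a constructed dump shaped like `reg export` output for the two keys and a constructed HOSTS file, flags image names the Appendix attributes to the Gaobot variants, and also flags near-misses of genuine Windows binaries, since `wauclt.exe` and `svhost.exe` are each one letter away from the real `wuauclt.exe` (the Windows Update client) and `svchost.exe`. The `ConstructedLegitApp` entry, the `.example` hostnames and the short `LEGIT_IMAGES` list are my own constructed inputs, not taken from the advisory.

```python
"""Offline audit of the two Gaobot persistence artifacts the quoted HKCERT advisory
names: HKLM Run/RunServices autostart values and HOSTS-file redirects.  Added
example for this thread (not HKCERT or vendor code); all sample data is constructed."""
import re
from typing import Dict, List, Tuple

# Image names the advisory appendix attributes to the Gaobot variants.
ADVISORY_IMAGES = {
    "wmiprvsw.exe", "msiwin84.exe", "microsoft.exe", "winmsrv32.exe", "soundcontrl.exe",
    "msawindows.exe", "hkey.exe", "wauclt.exe", "norton.exe", "lsmas.exe", "netsvacs.exe",
    "sysconf.exe", "svhost.exe", "lrbz32.exe", "wuamgrd16.exe",
}
# Genuine Windows binaries several of those names imitate (my own short list, not
# from the advisory): Windows Update client, service host, LSA, WMI provider host.
LEGIT_IMAGES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "wmiprvse.exe"}
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")

# Constructed sample shaped like `reg export` output from an infected XP box;
# "ConstructedLegitApp" stands in for a benign autostart entry with a full path.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Automated Windows Updates"="wauclt.exe"
"Windows Security Manager"="svhost.exe"
"ConstructedLegitApp"="C:\\Example\\app.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Automated Windows Updates"="wauclt.exe"
'''
# Constructed sample HOSTS file: the default entry, two worm-style loopback
# redirects of (made-up) vendor names, and a user-defined LAN entry to keep.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1       updates.antivirus-vendor.example
127.0.0.1       www.security-vendor.example
192.168.1.10    fileserver.example.lan
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter lookalikes of real system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: [key] headers and "name"="string" lines (Run entries are
    REG_SZ); dword:/hex: values and the file header are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"(.*?)"="(.*)"$', line)
        if current is None or not m:
            continue
        # .reg exports escape backslashes and double quotes inside string values.
        keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys


def image_name(command: str) -> str:
    """Lower-cased basename of the executable in an autostart command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()


def audit_run_keys(export: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (subkey, value name, image, reasons) for suspicious autostart entries."""
    findings = []
    for key in RUN_KEYS:
        for name, command in export.get(key, {}).items():
            image, reasons = image_name(command), []
            if image in ADVISORY_IMAGES:
                reasons.append("named in advisory appendix")
            if image not in LEGIT_IMAGES:
                close = sorted(l for l in LEGIT_IMAGES if edit_distance(image, l) <= 2)
                if close:
                    reasons.append("lookalike of " + "/".join(close))
            if "\\" not in command:
                # The variants register a bare file name, which Windows resolves via
                # the search path; benign autostart entries normally carry a full path.
                reasons.append("bare image name, no path")
            if reasons:
                findings.append((key.rsplit("\\", 1)[-1], name, image, "; ".join(reasons)))
    return findings


def hosts_redirects(hosts_text: str) -> List[Tuple[str, str]]:
    """(ip, host) pairs sending a real name to loopback or the null route: everything
    beyond the default '127.0.0.1 localhost' that the advisory says to delete."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and (fields[0].startswith("127.") or fields[0] == "0.0.0.0"):
            hits.extend((fields[0], h) for h in fields[1:] if h.lower() != "localhost")
    return hits


if __name__ == "__main__":
    print(*audit_run_keys(parse_reg_export(SAMPLE_REG_EXPORT)), sep="\n")
    print(*hosts_redirects(SAMPLE_HOSTS), sep="\n")
```

On a real machine the inputs would come from `reg export` of the two keys and from `%SystemRoot%\System32\drivers\etc\hosts`; each finding is a lead to verify by path, signature and creation date, not a verdict. Note also that the `~1` in the original scan log's `Wauclt~1.exe` is an auto-generated 8.3 short name, which means the file's long name does not fit the 8.3 form (a trailing space or extra dot, for instance); `dir /x` in System32 lists both names side by side, which is why searching by the expected long name finds nothing.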
archerjg, April 22, 2005

Try Norton Antivirus 2005, or go to www.trendmicro.com; they have an online checker that you can download and it is similar to Norton.

Archerjg