Author Topic: Anybody Help w this??  (Read 430 times)

Offline WhiteHawk

Anybody Help w this??
« on: September 01, 2003, 01:50:39 PM »
Had the lovsan worm, got rid of it; however, when I got rid of it I get a 'cannot find winlogin.exe' error at startup. So I did a system restore, and that fixed it. However, the virus is in my restore and now I got it again. Anybody help here.

the virus is in my c:\windows\system32\yuetyutr.dll  file.

If I remove this file, I get the error. :confused:

Offline Roscoroo

Anybody Help w this??
« Reply #1 on: September 01, 2003, 02:23:43 PM »
http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?NAV=18&m=a&virus=&alt=&key=&payload=&type=Worm&day=&month=&year=&wkday=

start there ... the thing you need to do most is get it out of your system registry

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

1. Open Windows Task Manager: press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs, locate the process: MSBLAST.EXE
3. Select the malware process, then press the End Process button.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: "windows auto update" = MSBLAST.EXE
4. Close Registry Editor.
 

then scan your pc with a good AV program that has been updated for the different variants. also clean out all your temp files etc... the above link may lead to other tricks also. good luck
Roscoroo ,
"Of course at Uncle Teds restaurant , you have the option to shoot them yourself"  Ted Nugent
(=Ghosts=Scenariroo's  Patch donation

Offline WhiteHawk

Anybody Help w this??
« Reply #2 on: September 01, 2003, 02:54:49 PM »
thnx roscoroo,
  peculiar thing tho. the virus is lying dormant. My puter is functioning well, it just turns up on virus scans. And the AVG cannot remove it. Anytime I try to edit it or type it or move it, my puter shuts down and reboots. I can rename it, and delete it however, but then I pick up an error at startup. Then I do a system restore and the file with the virus is restored.
hmmm, I need a clean c:\windows\system32\yuetyutr.dll file.

Offline Roscoroo

Anybody Help w this??
« Reply #3 on: September 01, 2003, 03:38:56 PM »
oh i found this ...
http://vil.mcafee.com/dispVirus.asp?virus_k=100549

I don't think you are supposed to have that yuetyutr.dll file. after reading the above page ... it looks like it's part of a virus. it says it's spyware ....

one thing to note is that I believe the patch/repair for that worm may leave a spoof file on your machine to keep it from being reinfected.
you may have to reinstall the latest update/patch for xp also.

look for these baddies in your sysregistry also ..

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Runonce "winlogon" = winlogin.exe linuzguy unchained rage 1.1 MIRC CHAIN SCRIPT tateravo asdasd#$@#$#@ASFDASASFASFASASASDASASFASDFASDASSDA SOFTWARE\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "NDplDeamon" = winlogin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "winlogon" = winlogin.exe linuzguy unchained rage 1.1 MIRC CHAIN SCRIPT tateravo asdasd#$@#$#@ASFDASASFASFASASASDASASFASDFASDASSDA SOFTWARE\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon "Shell" = explorer.exe winlogin.exe
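An added example, not code from any poster here: a short Python script that parses a regedit .reg export of the autostart keys quoted in this thread and flags entries naming msblast.exe, the look-alike winlogin.exe, or yuetyutr.dll, so the check can be run against an export instead of hunting through Regedit by eye. The sample export is constructed; the VendorUpdater and Userinit values are made-up benign entries.

```python
# Added example, not code from this thread. Autostart keys and filenames are
# the ones the replies above quote; the .reg export below is constructed.
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)}
# msblast.exe is Blaster/Lovsan; winlogin.exe is the look-alike in the McAfee
# entries (the real Windows process is winlogon.exe and should be running);
# yuetyutr.dll is the file the original poster found.
SUSPECT_FILES = ("msblast.exe", "winlogin.exe", "yuetyutr.dll")

def parse_reg_export(text):
    """Parse a regedit .reg export into {key: {name: value}}; string values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line and line.startswith(('"', "@")):
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys

def find_suspect_autostarts(text):
    """Return (key, name, value) for autostart entries that name a suspect file."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() in AUTOSTART_KEYS:
            for name, value in values.items():
                if any(f in value.lower() for f in SUSPECT_FILES):
                    hits.append((key, name, value))
    return hits

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"NDplDeamon"="winlogin.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe winlogin.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''
```

Run `find_suspect_autostarts(SAMPLE_EXPORT)` to get the three flagged entries; a Winlogon Shell value of plain `explorer.exe` is not flagged.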

Offline oblitt

Anybody Help w this??
« Reply #4 on: September 01, 2003, 10:33:52 PM »

Offline WhiteHawk

Anybody Help w this??
« Reply #5 on: September 02, 2003, 05:01:16 PM »
THNX GUYS. Will work with it and let ya know.

Offline WhiteHawk

Anybody Help w this??
« Reply #6 on: September 02, 2003, 06:42:33 PM »
Well, after extensive virus cleansing attempts with the above mentioned tools, no luck. They do not recognize it as a virus; AVG is the only one that recognizes this as a virus. Now I cannot even delete it. It says it is in use by another application :eek:
  Oh well, if ya get any emails from me, you may want to just toss them out ;)

PS anybody know how to break into an unremovable file?
I use the dos command prompt (C:\ del command). It says access denied. I have renamed it, just in case a program may be calling it by its virus name. (I renamed it 'virus.dll' to avoid any confusion)

Offline Roscoroo

Anybody Help w this??
« Reply #7 on: September 02, 2003, 07:37:26 PM »
http://www.trendmicro.com/en/products/desktop/pc-cillin/use/erd.htm

This page I posted is where you can get PC-cillin's emergency rescue disk set.

It's a 7 part floppy disk set that will scan your pc in DOS.
you have to boot your pc with the floppy drive. F8 during startup
I think usually...

To make this you need 7 formatted floppies .... and a CLEAN PC to use to build them.

One thing: if you do use these or any other DOS type removal/scan tool you will need to rename the virus back to what it was originally so it can be caught.

now this works on xp if it's been set up in the 32bit format. for nt format I think you can email them or use a different program. AVG used to have DOS scanners also ... I'm not sure if they developed a good one for nt format

this thing might be hiding in your ram/or cmos ... bios along with the registry "the regedit". you've got to get its exe out of there so it stops running.

perhaps some of the other guys can help out here.


I beat on a neighbor's pc that had a bad virus that kept coming back and back and back. and finally got it clean enough to burn her to keep stuff to cd ... (no .exe's) and had to fdisk the monster. I even used another hd to test it to be sure the darn thing didn't come back .... that's the worst case end scenario

Offline Ack-Ack

Anybody Help w this??
« Reply #8 on: September 02, 2003, 10:49:53 PM »
Boot into safe mode and remove it that way.



ack-ack
"If Jesus came back as an airplane, he would be a P-38." - WW2 P-38 pilot
Elite Top Aces +1 Mexican Official Squadron Song

Offline WhiteHawk

Anybody Help w this??
« Reply #9 on: September 03, 2003, 05:16:50 PM »
boy, this is a tricky booger, removed it successfully, but it comes back after I reboot :mad:

guess that's not a successful removal eh?

can somebody w win xp, Ctrl-Shift-Esc, and see if they have a 'winlogon.exe' running. This is the error I got when I was able to delete this thing.

Offline DAVENRINO

Anybody Help w this??
« Reply #10 on: September 03, 2003, 05:53:46 PM »
Yup, 'winlogon.exe' is running.  BTW you can also right-click taskbar and select 'Task Manager".
DJ229 - AIR MAFIA
DAVE aka DJ229-AIR MAFIA
CH USB HOTAS/ONKYO 705 7.2 SURROUND SOUND/ 60" SONY A3000 SXRD  TV

Offline WhiteHawk

Anybody Help w this??
« Reply #11 on: September 03, 2003, 06:50:27 PM »
ya.. I found that out when I tried to close it :confused:

But I successfully removed that summa*****. the safe boot, or bootable disk suggestion woulda worked, I think, but the ole F8 key ain't the safe boot anymore eh?

Oh well, while the puter was booting up, I jumped right into c:\
as quickly as possible and did the del yuetyutr.dll command and it seemed to work. I've done this before but it has come back.

the scan before I did this got me 6 more lovsans, I got rid of all of them with the AVG except that yuetyutr.dll thing.


After this, I scanned clean, so I am happy. I will scan after a reboot but I think we done it.

Thnx for the help guys. It's a lot easier struggling with my first virus with the guys who shoot me down :D