Aces High Bulletin Board
Help and Support Forums => Technical Support => Topic started by: WhiteHawk on September 01, 2003, 01:50:39 PM
-
Had the lovsan worm, got rid of it, however, when I got rid of it I get a 'cannot find winlogin.exe' error at startup. So I did a system restore, and that fixed it. However, the virus is in my restore and now I got it again. Anybody help here?
The virus is in my c:\windows\system32\yuetyutr.dll file.
If I remove this file, I get the error. :confused:
-
http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?NAV=18&m=a&virus=&alt=&key=&payload=&type=Worm&day=&month=&year=&wkday=
start there ... the thing you need to do most is get it out of your system registry
MANUAL REMOVAL INSTRUCTIONS
Terminating the Malware Program
This procedure terminates the running malware process from memory.
Open Windows Task Manager: press CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the process:
MSBLAST.EXE
Select the malware process, then press the End Process button.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
"windows auto update" = MSBLAST.EXE
Close Registry Editor.
then scan your pc with a good AV program that has been updated for the different variants. also clean out all your temp files etc... the above link may lead to other tricks also. good luck
-
thnx roscoroo,
peculiar thing tho. the virus is laying dormant. My puter is functioning well, it just turns up on virus scans. And the AVG cannot remove it. Anytime I try to edit it or type it or move it, my puter shuts down and reboots. I can rename it, and delete it however, but then I pick up an error at startup. Then I do a system restore and the file with the virus is restored.
hmmm, I need a clean c:\windows\system32\yuetyutr.dll file.
-
oh i found this ...
http://vil.mcafee.com/dispVirus.asp?virus_k=100549
I don't think you are supposed to have that yuetyutr.dll file. after reading the above page ... it looks like it's part of a virus. it says it's spyware ....
one thing to note is that I believe the patch/repair for that worm may leave a spoof file on your machine to keep it from being reinfected.
you may have to reinstall the latest update/patch for xp also.
look for these baddies in your system registry also ..
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Runonce "winlogon" = winlogin.exe linuzguy unchained rage 1.1 MIRC CHAIN SCRIPT tateravo asdasd#$@#$#@ASFDASASFASFASASASDASASFASDFASDASSDA SOFTWARE\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "NDplDeamon" = winlogin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "winlogon" = winlogin.exe linuzguy unchained rage 1.1 MIRC CHAIN SCRIPT tateravo asdasd#$@#$#@ASFDASASFASFASASASDASASFASDFASDASSDA SOFTWARE\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon "Shell" = explorer.exe winlogin.exe
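As an added example that is not part of the thread, here is a small Python script for the two lists of autostart entries above (the Trend Micro Run-key entry for MSBLAST.EXE and the McAfee Run / RunOnce / Winlogon entries for winlogin.exe): it parses exported .reg text and flags values that reference the filenames named in the posts, that use a one-character lookalike of the real winlogon.exe, or that append anything to the Winlogon "Shell" value. The .reg sample is constructed to mirror those entries, and the ctfmon.exe and Userinit lines stand in for benign values.

```python
import re
LEGIT_LOGON = "winlogon.exe"  # real Windows logon process, started by the system
KNOWN_BAD = {"msblast.exe", "winlogin.exe", "yuetyutr.dll"}  # filenames named in the thread
AUTOSTART_SUFFIXES = ("\\run", "\\runonce", "\\winlogon")  # keys the posts walk through

# Constructed .reg-style export mirroring the entries listed above (not a real capture).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="MSBLAST.EXE"
"NDplDeamon"="winlogin.exe"
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe winlogin.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
'''
def lookalike(name, legit):
    """True if name differs from legit by exactly one substituted character."""
    return len(name) == len(legit) and sum(a != b for a, b in zip(name, legit)) == 1

def parse_reg(text):
    """Yield (key, value_name, data) for each quoted string value under a [key] header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            yield key, m.group(1), m.group(2)

def reasons(key, name, data):
    """Why an autostart value looks suspicious; empty list if it looks benign."""
    out = []
    # Each whitespace-separated token of the command line, reduced to its filename.
    programs = [t.split("\\")[-1].rstrip(",").lower() for t in data.split()]
    for p in programs:
        if p in KNOWN_BAD:
            out.append(f"references known worm file {p}")
        if lookalike(p, LEGIT_LOGON):
            out.append(f"{p} mimics {LEGIT_LOGON}")
    # Shell should be exactly explorer.exe; anything appended is launched at every logon.
    if key.lower().endswith("\\winlogon") and name.lower() == "shell" and programs != ["explorer.exe"]:
        out.append("extra program appended to Winlogon Shell")
    return out

def scan(text):
    """Return [(key, name, data, reasons)] for suspicious values under autostart keys only."""
    return [(k, n, d, r) for k, n, d in parse_reg(text)
            if k.lower().endswith(AUTOSTART_SUFFIXES) and (r := reasons(k, n, d))]
```

Run `scan(SAMPLE_REG)` or point it at the text of a `regedit /e` export; the value names in the output are what you would look for in the right panel of Regedit.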
-
Try this if you have had no success...
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
-
THNX GUYS. Will work with it and let ya know.
-
Well, after extensive virus cleansing attempts with the above mentioned tools, no luck. They do not recognize it as a virus, AVG is the only one that recognizes this as a virus. Now I cannot even delete it. It says it is in use by another application. :eek:
Oh well, if ya get any emails from me, you may want to just toss them out ;)
PS anybody know how to break into an unremovable file?
I use the DOS command prompt (C:\ del command). It says access denied. I have renamed it, just in case a program may be calling it by its virus name. (I renamed it 'virus.dll' to avoid any confusion)
-
http://www.trendmicro.com/en/products/desktop/pc-cillin/use/erd.htm
This page I posted is where you can get PC-cillin's emergency rescue disk set.
It's a 7 part floppy disc set that will scan your pc in DOS.
you have to boot your pc with the floppy drive. F8 during startup
I think usually...
To make this you need 7 formatted floppies .... and a CLEAN PC to use to build them.
One thing: if you do use these or any other DOS-type removal/scan tool you will need to rename the virus back to what it was originally so it can be caught.
now this works on xp if it's been set up in the 32bit format. for nt format I think you can email them or use a different program. AVG used to have DOS scanners also ... I'm not sure if they developed a good one for nt format
this thing might be hiding in your ram / or cmos ... bios along with the registry "the regedit". you've got to get its exe out of there so it stops running.
perhaps some of the other guys can help out here.
I beat on a neighbor's pc that had a bad virus that kept coming back and back and back, and finally got it clean enough to burn her keep stuff to cd ... (no .exe's) and had to fdisk the monster. I even used another hd to test it to be sure the darn thing didn't come back .... that's the worst case end scenario
-
Boot into safe mode and remove it that way.
ack-ack
-
boy, this is a tricky booger, removed it successfully, but it comes back after I reboot :mad:
guess that's not a successful removal eh?
can somebody w/ Win XP hit Ctrl-Shift-Esc and see if they have a 'winlogon.exe' running. This is the error I got when I was able to delete this thing.
-
Yup, 'winlogon.exe' is running. BTW you can also right-click the taskbar and select 'Task Manager'.
DJ229 - AIR MAFIA
-
ya.. I found that out when I tried to close it :confused:
But I successfully removed that summa*****. the safe boot, or bootable disk suggestion woulda worked, I think, but the ole F8 key ain't the safe boot anymore eh?
Oh well, while the puter was booting up, I jumped right into c:\
as quickly as possible and did the del yuetyutr.dll command and it seemed to work. I've done this before but it has come back.
the scan before I did this got me 6 more lovsans, I got rid of all of them with the AVG except that yuetyutr.dll thing.
After this, I scanned clean, so I am happy. I will scan after a reboot but I think we done it.
Thnx for the help, guys. It's a lot easier struggling with my first virus with the guys who shoot me down :D