Cameron
Bipolar (III) Inmate
From: Brisbane Insane since: Jan 2003
|
posted 04-22-2004 00:07
I've recently picked up a new hard drive and upon a nice clean win XP install, I managed to pick up the Blaster Worm within 20 mins of first connecting to the internet -- That has to be some kind of record. I'm fairly certain I've removed it, all patched, no more shutdowns (and the removal tools from various well known anti-virus companies are saying it's clean), but something is still amiss.
Whenever I start up XP, I get a message asking me if I want to connect to the internet, something is trying to access kuruptsucksat.servecounterstrike.com ??? I'd never been to this page before, hell I don't even play counterstrike although I'm slightly more disturbed about the "kurupt - sucks - at" subdomain.
I went there and it's a page about MS's Internet Information Server or something, looks like a placeholder page for IIS itself. My connection details are reporting unusually high upstream traffic, much more than what's required to request web pages and the like. I'm thinking the two might be related. I've scanned for viruses and have a fresh install of ZoneAlarm but it's still happening.
Any ideas?
|
InI
Paranoid (IV) Mad Scientist
From: Somewhere over the rainbow Insane since: Mar 2001
|
posted 04-22-2004 00:12
The poster has demanded we remove all his contributions, lest he take legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.
|
Cameron
Bipolar (III) Inmate
From: Brisbane Insane since: Jan 2003
|
posted 04-22-2004 00:38
Well, it was 20 mins before my computer shut down, so I was probably infected before that. It's odd, I never caught it last time around. In fact, it's one of the first noticeable viruses I've had since the old "stoned" virus my 286 picked up back in the early 90's.
Thanks for the links though, hopefully they'll get things sorted.
|
synax
Maniac (V) Inmate
From: Cell 666 Insane since: Mar 2002
|
posted 04-22-2004 01:32
I've been there. Instant infection upon fresh OS install. I rectified the problem by unplugging my connection, installing the OS, throwing up every possible firewall, and then plugging back in and downloading/installing the Windows security updates and such.
Major pain in the ass, but joo gotta do what joo gotta do. :/
"Nothin' like a pro-stabbin' from a pro." -Weadah
|
eyezaer
Lunatic (VI) Mad Scientist
From: the Psychiatric Ward Insane since: Sep 2000
|
posted 04-22-2004 02:16
joo.... joo.... joo.... joooooo.... (sounds like a train)
[antique sigs are us]
|
Xpirex
Paranoid (IV) Inmate
From: Dammed if I know... Insane since: Mar 2003
|
posted 04-23-2004 08:36
Yes, I installed XP Pro on someone's machine last weekend.. everything went fine.. till we logged onto the internet with a brand new account... a moment later a form of the blaster worm was playing that "now you have a connection, now you don't" game with us. and the NT Authority\System Error Message: "This system is shutting down. Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly" etc.. Must have been less than a minute online..
QUOTATION: I have noted that persons with bad judgment are most insistent that we do what they think best. (Lionel Abel)
(Edited by Xpirex on 04-22-2004 23:37)
|
Cameron
Bipolar (III) Inmate
From: Brisbane Insane since: Jan 2003
|
posted 04-26-2004 07:23
Crap crap carp...
I've tried everything and still can't seem to get rid of this thing. It's not the Blaster Worm, I've removed that for sure now, but something is causing the winscv.exe to try and access kuruptsucksat.servecounterstrike.com.
I've tried to google information about it but have found nothing. Could this be some kind of new virus that I picked up because I went online with a raw (no service pack and no security patches) XP installation? I've updated everything but this still seems to linger for some reason.
I've got my firewall blocking it, but I'd prefer to get rid of it completely, here's the log text from my firewall:
BLOCKED
Reason: Undefined Rule
Application: WINSCV.EXE
Remote Host: kuruptsucksat.servecounterstrike.com
Remote Port: 27015
Direction: Outbound
Protocol: TCP
I've run Ad-Aware and it didn't pick up anything. I'm downloading Spybot now to see if that picks it up, but I'm doubtful.
Actually, a Google search for WINSCV.EXE turns up nothing... Lots of stuff for WINSVC but nothing for WINSCV, in fact, I can't even find that file on any of my hard disks, but it's shown as a running process in the task manager... ???
*scratches head*
Now I'm just confused...
|
shekky
Bipolar (III) Inmate
From: St Louis ,Mo. Insane since: Aug 2002
|
posted 04-26-2004 14:28
http://www.spywareinfo.com/~merijn/downloads.html
HiJackThis is another nice tool to show all processes running and where they originate from on your PC. It produces a very nice logfile for analyzing the source of your problem. If Spybot and Ad-Aware fail me, this usually gives me indication.
hope this helps
|
Rooster
Bipolar (III) Inmate
From: the uterus Insane since: Nov 2002
|
posted 04-26-2004 20:17
quote: in fact, I can't even find that file on any of my hard disks, but it's shown as a running process in the task manager... ???
Have you changed the windows setting that says, "do not show hidden system files and folders" on the new install yet?
[edit]...??[/edit]
(Edited by Rooster on 04-26-2004 11:19)
|
bodhi23
Paranoid (IV) Inmate
From: Greensboro, NC USA Insane since: Jun 2002
|
posted 04-27-2004 18:15
I had a weird thing like this recently, and ended up downloading and installing SpyBot Search & Destroy, Ad-Aware and one other that I can't remember the name (Clean something or other 8.0) of off the top of my head to get it all.
Sounds like you may have to try several apps before you get rid of the problem. SpyBot has been said to be one of the best though.
Good luck!
|
Cameron
Bipolar (III) Inmate
From: Brisbane Insane since: Jan 2003
|
posted 04-28-2004 04:32
Well, Spybot didn't help, and yes I couldn't see the file because I stupidly had that "Hide protected system files" option checked.
I decided to reboot in safe mode and delete that file as I couldn't find any information about it anywhere. All seems good now. Before I deleted it though, I noticed it was trying to get around my firewall by trying every single available port number in order, I figured that just wasn't normal for any trustworthy program so that coupled with the lack of information about it convinced me it just shouldn't have been there.
Since then, I haven't noticed anything out of order. Thanks for the help everyone.
|
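Added example, not part of the original thread: a small triage script that parses firewall entries in the layout Cameron posted and flags any application whose blocked outbound attempts walk through consecutive port numbers, the behaviour described in the post above. Only the port 27015 record comes from the thread; the other records, BROWSER.EXE, www.example.org and the `min_run` threshold are constructed for illustration.

```python
from collections import defaultdict

def _entry(app, host, port):
    # Build one record in the same "Key: Value" layout as the posted log.
    return ("BLOCKED\nReason: Undefined Rule\n"
            f"Application: {app}\nRemote Host: {host}\n"
            f"Remote Port: {port}\nDirection: Outbound\nProtocol: TCP\n")

# Constructed sample: the first record matches the thread, the rest are made up.
SAMPLE_LOG = "".join(
    [_entry("WINSCV.EXE", "kuruptsucksat.servecounterstrike.com", p)
     for p in range(27015, 27021)]
    + [_entry("BROWSER.EXE", "www.example.org", p) for p in (80, 443)])

def parse_records(text):
    """Split the log into one dict per BLOCKED entry."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "BLOCKED":
            current = {}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records

def longest_port_run(ports):
    """Length of the longest run of consecutive port numbers."""
    best, run, prev = 0, 0, None
    for p in sorted(set(ports)):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best, prev = max(best, run), p
    return best

def port_walkers(records, min_run=5):
    """Map (application, host) -> run length for apps stepping through ports."""
    ports = defaultdict(list)
    for r in records:
        if r.get("Direction") == "Outbound" and r.get("Remote Port", "").isdigit():
            key = (r.get("Application", "?"), r.get("Remote Host", "?"))
            ports[key].append(int(r["Remote Port"]))
    runs = {k: longest_port_run(v) for k, v in ports.items()}
    return {k: n for k, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    for (app, host), n in port_walkers(parse_records(SAMPLE_LOG)).items():
        print(f"{app} -> {host}: {n} consecutive ports blocked")
```
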
Mad Scientist
Nervous Wreck (II) Inmate
From: Charles River Insane since: Apr 2004
|
posted 04-28-2004 08:49
Try searching your registry for that name, or parts of it. If you find any key with it, delete it.
A backup before messing with the registry is a good idea.
|