Lovsan

unoito

Junior Member
Mar 16, 2000
16
0
0
The following occurred twice today:
DSL connection to internet.
#1. I am at my desk in front of the computer but the computer is not turned on. Monitor is switched on. A message flashes on the screen indicating that:

AVG (free version) residentshield found lovsan in:
C:|Systemvolumeinformation\_restore{2656719A-5050-4D61-B35A-6511d161FE8A}RP21}\A0001315.exe. Please run AVG right now.

So I do just that. Actually I run the program twice just for good measure. No evidence is shown during the scan that a virus has been found and erased. Not even in the log. I checked the location of the file as indicated and nothing...not even such a directory can be found.


#2. About 30 minutes later. This time I am working on the computer and the same message is flashed on the screen.

I respond in the same manner and get the same results.

What else can I try?

 

unoito

...tried Trend Micro HouseCall...three infected files found ... "Javabytverify.A" x2 and Javaneedy.A

...may or may not have any relation to lovsan...will see

 

Flatline

Golden Member
Jun 28, 2001
1,248
0
0
You could also try McAfee's Stinger standalone detection/removal tool.

Link

It'll find and remove any one of about 30 virii and it's only a 700kb download; see if it finds something new.
 

unoito

thanks...Stinger found Exploit-DcompRPC trojan.

Now it says it cannot repair C:\windows\system32\winsockdrv.dll...
How can I replace this file with a new version...is it possible from the XP install disk without a complete reinstall?
 

unoito

merry-go-round is now in effect...I run the Stinger...and the same files are found again ... I shut down and restart and they are all in place again.

Can somebody suggest a good commercially available virus checker that is capable of removing all this VERMIN from my drive?
 

EeyoreX

Platinum Member
Oct 27, 2002
2,864
0
0
Go to the Windows update site, follow the directions right on the front page on how to protect yourself from MSBlaster. Blaster and LovSan are the same virus. Then, run your AV software again, see if that fixes the problem.

\Dan
 

unoito

Thanks Dan, I have had the patches "ms03-026" and "823980" in place since August 16 and suffer no ill effects other than the knowledge that the remnants of the virus remain in place.

No matter how many times I scan and delete and reboot...the following remains in place for another day.

C:\WINDOWS\System32\win32sockdrv.dll
Found the Exploit-DcomRpc trojan !!!
C:\WINDOWS\System32\win32sockdrv.dll could not be repaired.
C:\Documents and Settings\Neville\Local Settings\Temp\.txt\.txt\00003460.EXE
Found the Exploit-DcomRpc trojan !!!
C:\Documents and Settings\Neville\Local Settings\Temp\.txt\.txt\00003460.EXE has been deleted.
C:\WINDOWS\system32\nstask32.exe\nstask32.exe\00003460.EXE
Found the Exploit-DcomRpc trojan !!!
C:\WINDOWS\system32\nstask32.exe\nstask32.exe\00003460.EXE has been deleted.
C:\WINDOWS\system32\win32sockdrv.dll
Found the Exploit-DcomRpc trojan !!!
C:\WINDOWS\system32\win32sockdrv.dll could not be repaired.
Number of clean files: 76412
Number of Trojans: 4
Number of files deleted: 2

a merry-go-round which can be activated every time from somewhere
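
The scan output in the post above can be tallied per file to separate what the scanner removed from what it keeps reporting on every pass. This is an added example, not part of any post in the thread; the log text is copied from the post, and the function names `summarize` and `unresolved` are illustrative.

```python
import re
from collections import defaultdict

# Scanner output as quoted in the post above.
SCAN_LOG = r"""
C:\WINDOWS\System32\win32sockdrv.dll
Found the Exploit-DcomRpc trojan !!!
C:\WINDOWS\System32\win32sockdrv.dll could not be repaired.
C:\Documents and Settings\Neville\Local Settings\Temp\.txt\.txt\00003460.EXE
Found the Exploit-DcomRpc trojan !!!
C:\Documents and Settings\Neville\Local Settings\Temp\.txt\.txt\00003460.EXE has been deleted.
C:\WINDOWS\system32\nstask32.exe\nstask32.exe\00003460.EXE
Found the Exploit-DcomRpc trojan !!!
C:\WINDOWS\system32\nstask32.exe\nstask32.exe\00003460.EXE has been deleted.
C:\WINDOWS\system32\win32sockdrv.dll
Found the Exploit-DcomRpc trojan !!!
C:\WINDOWS\system32\win32sockdrv.dll could not be repaired.
Number of clean files: 76412
"""

OUTCOME = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<result>has been deleted|could not be repaired)\.$")
DETECTION = re.compile(r"^Found the (?P<name>.+?) trojan")
PATH_ONLY = re.compile(r"^[A-Za-z]:\\")

def summarize(log):
    """Group detections and outcomes per file (Windows paths are case-insensitive)."""
    files = defaultdict(lambda: {"hits": 0, "names": set(), "results": []})
    current = None
    for line in (raw.strip() for raw in log.splitlines()):
        outcome = OUTCOME.match(line)
        detection = DETECTION.match(line)
        if outcome:
            files[outcome["path"].lower()]["results"].append(outcome["result"])
        elif detection and current:
            files[current]["hits"] += 1
            files[current]["names"].add(detection["name"])
        elif PATH_ONLY.match(line):
            current = line.lower()   # a bare path line opens a new record
    return files

def unresolved(files):
    """Files that were detected but never reported as deleted."""
    return sorted(p for p, f in files.items() if "has been deleted" not in f["results"])

if __name__ == "__main__":
    report = summarize(SCAN_LOG)
    print(len(report), "unique files,", sum(f["hits"] for f in report.values()), "detections")
    for path in unresolved(report):
        print("still present:", path, report[path]["results"])
```

The four reported Trojans collapse to three distinct paths once case is normalized, and only one of them is never removed.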

 

EeyoreX

Hmmmm... Maybe try Symantec's online scanner? I don't know if they remove viruses (there would be little incentive for this I guess, why buy if an online scan does this for free?). This is what I found at the Symantec site. Not sure if it will help though.

\Dan
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Screw the scanners. They are obviously not helping you and you're probably just screwing the OS up more than the virus did by installing and trying out all this stuff.

Do it manually. The scanner itself said that it was only able to delete 2 out of 4 of the infected files; when you reboot, the infected files that are in the commonly used executable and the .dll library file used by a large percentage of your OS are just reinstalling them. The virus writer is just exploiting a weakness in the design of your scanner. The patches to protect yourself from the worm are useless because you've already been hacked by the worm; they are not going to affect it now that it has installed itself on the system.


Now keep in mind that I haven't used Windows for several years now, but I thought it was common knowledge that you can extract the system files from your i386 folder/install cd with since windows is so easy to use and all. :p

Here is the link to the Microsoft tech site where it explains to you in painful detail how to go about getting new files. This is for XP Pro, but W2K and above use about the same scheme since they are basically all the same OS with different "window" dressing. (forgive the pun)

Now what I would do would be to let the virus scanner delete the 2 files and see if you can find the locations of the backups of the 2 system files that have been corrupted. Then extract/copy them into place and then reboot. I'd probably do this in safe mode and cross my fingers and hope this doesn't crash it. It shouldn't, but since this is Windows and you're not allowed to understand how anything works it's hard to tell and a disclaimer is in order.


Good Luck,

Oh and if you did manage to get rid of it before you read this, be sure to bookmark that link (or the version related to your OS), it's good to know.

 

Flatline

Since you're using XP, you should turn system restore off before cleaning virii out of your system; same goes for WinME users (poor bastards).
 

unoito

Many thanks y'all (Flatline, drag, Dan) for the very helpful advice and the links...

the Mstech site helped tremendously