
msblast - with vengeance !

Status
Not open for further replies.

Coxy01

Technical User
Jun 12, 2003
NZ
Hi,
My friend's machine has the MSBLAST.exe virus. I have removed the virus from machines before (stopping msblast.exe in services, apply the removal tool and patch, Windows Update - sorted!). The issue is that when the machine boots, msblast starts running and no matter how quickly I stop it, it still screws the machine. There is no access to anything (e.g. hard drive, floppy, CD-ROM), the processor usage is 100% constantly, and stopping the processes using the most processing power drops the usage, but then it goes back up again straight away. If you try to access My Computer or Explorer - "explorer has generated errors and will be closed". The machine will not boot in safe mode, it just sits on "windows is starting up". Click on "start" and it just hangs. Task Manager is accessible throughout the "attack". Can't run new task a: it hangs!

How can I remove the virus and keep Windows intact?

Many thanks.

Pete Cox
 
Try starting in safe mode (by pressing F8 on startup).
If this does not work, try safe mode, command shell only.

If that does not work either, start from a clean boot disk (have one of your friends create one on his machine).

MakeItSo

Andreas Galambos
EDP / Technical Support Specialist
Bowne Global Solutions Wuppertal, Germany
(andreas.galambos@bowneglobal.de)
HP:
 
Safe mode will not boot: "windows is starting up", that's as far as it gets. Is there more likelihood of command shell only booting? I presume this means less unnecessary stuff starting up? Will I be able to use Windows to apply the patch?

If I boot from floppy (or CD?), will I be able to apply the patch from a DOS command line?

Cheers mate
 
It could be the Nachi virus, which works in the same way as the Blaster; download the Nachi fix from Sophos or something.

Hope that helps.
 
The issue is not access to any patch/fix; it is not being able to access any drive or the internet to apply the patch, as described above. msblast.exe runs as a service and msblast error messages are seen. I think that's sufficient evidence to suggest that it's msblast, not Nachi.

Thanks for the input
 
OK, well in that case you have to stop the service in Task Manager, then search for blast.exe on the C: and also in the registry and delete from both places.

Cheers
 
The issue is that the whole machine is locked up! After ending the service, the CPU is still at 100% (please read above for full info). If it were as simple as ending the task and then removing it, then I would have done that. I can't do anything on the machine. I wish to keep Windows intact. I don't know why I can't boot in safe mode when I can boot to Win2k! Whatever I do, the whole machine stops responding; I only have access to Task Manager!

Cheers for the input
 
OK: Check if one of your mates has updated anti-virus software with a removal for that virus.
Let him create a bootable clean disk.
Make sure floppy seek on boot is enabled and boot from that disk.
Good anti-virus software should be able to create bootable disinfect disks. And then hope...
If that does not work:
There is a full OS on CD, which enables you to handle your data without starting Windows. This should also enable you to download and run a patch: it's called Knoppix.
You might try to have one of your mates download it from here: and burn it on CD.
Then boot from this CD and do what you need to do... ;-)
MakeItSo

Andreas Galambos
EDP / Technical Support Specialist
Bowne Global Solutions Wuppertal, Germany
(andreas.galambos@bowneglobal.de)
HP:
 
Thanks for your help but...

The link takes me to a site, and whichever link I choose, none of them appear to be a download link. Most of the stuff appears to be in German, and it's for Linux from what I understand (which isn't much considering I have just looked at it). Sounds like a good idea in principle; any chance of a bit of further info? That would be much appreciated.

Thanks
Pete Cox
 
Another option (a lot of work though) would be to remove the HD from the computer and install it as a secondary drive in another computer. From there you should be able to access the data and delete the files or try a scan.

Note: Make sure the second machine has the latest virus software installed.
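
For the offline approaches suggested in the thread (booting a Linux live CD such as Knoppix, or attaching the disk to another machine), here is an added example that is not from any poster: a shell function that finds msblast.exe on the mounted Windows volume regardless of letter case and moves it into a quarantine folder instead of deleting it. The mount point and quarantine directory are assumptions you supply.

```shell
#!/bin/sh
# Added example (not from the thread): quarantine msblast.exe on a Windows
# volume mounted under Linux. Mount point and quarantine dir are assumptions.
# Needs a find that supports -ipath and -maxdepth (GNU or BSD find).

# Usage: quarantine_msblast MOUNT_POINT QUARANTINE_DIR
# Returns 0 if a file was quarantined, 1 if nothing matched, 2 on error.
quarantine_msblast() {
    mount_point=$1
    quarantine=$2
    if [ ! -d "$mount_point" ] || [ -z "$quarantine" ]; then
        echo "usage: quarantine_msblast MOUNT_POINT QUARANTINE_DIR" >&2
        return 2
    fi

    # Windows names are case-insensitive, so WINNT/System32/MSBLAST.EXE and
    # winnt/system32/msblast.exe must both match. Depth 3 covers
    # <windir>/system32/<file> directly under the mount point.
    hits=$(find "$mount_point" -maxdepth 3 -type f \
               -ipath '*/system32/msblast.exe') || return 2
    [ -n "$hits" ] || return 1

    mkdir -p "$quarantine" || return 2
    rc=0
    n=0
    while IFS= read -r f; do
        n=$((n + 1))
        # Record a hash first so the sample can be identified later.
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f"
        fi
        # Rename on move so the copy is not launched by accident.
        dest="$quarantine/$(basename "$f").$n.quarantined"
        if mv -- "$f" "$dest"; then
            echo "moved: $f -> $dest"
        else
            # Typical cause: the volume is mounted read-only.
            echo "could not move $f (read-only mount?)" >&2
            rc=2
        fi
    done <<EOF
$hits
EOF
    return $rc
}
```

This only takes the executable out of the way; the removal tool and patch steps described in the thread still apply once Windows boots.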
 
One thing I would suggest. Boot from the 2000 CD, select Recovery Console.

From the recovery console type ListSVC to see what services are currently running - see if msblast.exe is running. If it is, type disable msblast.exe or whatever the msblast service calls itself. Then navigate to the \winNT\system32 directory using the cd command (as you would in DOS). When you are in \winNT\system32, type del msblast.exe to delete it.

Then reboot your machine.

Hopefully this will prevent it from loading next time Windows boots. Once you are in to Windows, run the blaster worm removal tool from Symantec and then apply the patch. Don't connect to the net before you have applied the patch!
If you don't have the patch and removal tool, download them from a friend's computer and put them on CD, then run them on your machine from the CD.

Once you have applied the patch, go online and download the AVERT Stinger from McAfee and run it to make sure you haven't got any other of the recent worm viruses.

Make sure you download all the recent patches from October and November as well, there are quite a few. You can do this through Windows Update (might take a while) or go to Microsoft's technet website and download them manually.

Hope this helps.

Mark Holmes
MCP A+
 