Still can’t stop msblast!!! 2

Status
Not open for further replies.

Nohjekim

Technical User
Apr 8, 2001


I have to paste this in fast before it shuts down again!

My firewall is activated.

I have updated my virus definitions. Took about 6 connections.

I have found and removed the reference to msblast.exe from the registry.

I have found and removed the file C:\windows\system32\msblast.exe

I have confirmed that msblast.exe does not appear in task manager after boot up.

I have run a complete system scan with my Norton Antivirus program.

I have run a full system search for any reference to “msblast”, it came up negative.

The only thing I have not done is to install the patch; I will not have access to an uninfected computer until tomorrow and I can’t stay online long enough to download it.
Also I do not know how to block access to…

TCP 4444,

TCP Port 135, DCOM RPC

or UDP Port 69, TFTP.

I looked at the Windows XP firewall options but don’t see how I do this.

Anyway after doing all this when I connect to the Internet I can stay on for a couple of minutes and then I get the same shutting down message.

I also get a message from my antivirus software saying that msblast has been detected so I am sure that my software has really been updated.

If someone can tell me how to block these ports I would be forever grateful.

Also is all this useless until I get the patch installed? I was hoping to get things working so I could download the patch myself.

Thanks for the help.
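As an added example (not from the thread), the inbound blocks the poster asks for, written for the Windows Firewall cmdlets that exist on Windows 8 / Server 2012 and later rather than the XP Internet Connection Firewall the poster had; the rule display names are my own:

```powershell
# Added example: block inbound traffic on the three ports named in the thread.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated prompt.
# Rule names are constructed for this example.
$ports = @(
    @{ Name = 'Block inbound TCP 135 (DCOM RPC)'; Protocol = 'TCP'; Port = 135  },
    @{ Name = 'Block inbound TCP 4444';           Protocol = 'TCP'; Port = 4444 },
    @{ Name = 'Block inbound UDP 69 (TFTP)';      Protocol = 'UDP'; Port = 69   }
)

foreach ($p in $ports) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $p.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $($p.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $p.Name `
                        -Direction Inbound `
                        -Action Block `
                        -Protocol $p.Protocol `
                        -LocalPort $p.Port `
                        -Profile Any | Out-Null
    Write-Host "Added: $($p.Name)"
}

# Verify: list the block rules and the ports they cover.
Get-NetFirewallRule -DisplayName 'Block inbound *' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        '{0,-32} {1,-4} {2}' -f $_.DisplayName, $pf.Protocol, $pf.LocalPort
    }
```

Blocking the inbound ports keeps the RPC exploit traffic off the machine while it is still unpatched, but, as the later replies say, the patch is still required.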



 
Yes, download the patch (don't run it from its location) and then run the patch. I had to do the same exact thing earlier last night, was a painfully slow process with all the random restarts. But once you patch your system it should run fine with no more shutdowns.

-----
It takes 43 muscles to frown and 17 to smile, but it doesn't take any to sit there with a dumb look on your face.
I have fun. Usually at my own expense, but I have fun regardless
 
If you can't stay on long enough to download the patch, here's what you do.

Start - run, type services.msc

Find Remote Procedure Call, right click it and choose properties. Click on the recovery tab, and where it says "first failure" change that from "reboot system" to "Restart the service."

That should buy you enough time to download the patch.
 
Or set it to do nothing, but just remember when you are all done to put it back.

Jon

There is much pleasure to be gained from useless knowledge. (Bertrand Russell)
 
Hi ,

My laptop got infected by the MSblast worm but I didn't know about it. When I got an RPC service abruptly terminated error, I disabled the RPC service. This was before I came to know about the worm, remember. However on rebooting the machine the next day I found that my taskbar had disappeared, I could not connect to the internet or copy-paste any files. I have removed the MSblast.exe file and cleaned up the registry. But I still can't see the taskbar. Unfortunately I don't have a working CDROM drive so I can't reinstall Windows XP either.

Although I can access the network (LAN) I can't go to the internet to download the patch again. Also I can't copy-paste or run many programs from the network.

When I try to start the RPC service again it gives an error saying that the dependencies cannot be met.

Could someone give me some urgent help on this please. I am really bugged by this. Any help will be highly appreciated.

Regards
 
Thanks everyone I finally got the patch and installed it and everything seems to work fine now.

Mike
 
Physically disconnect the system from the internet -
* Turn the system off
* While the system is off, disconnect any network (local network, cable modem, DSL, broadband, etc.) from the back of the system
* Turn the system on
* If using a dial-up (i.e., modem) connection, do NOT connect to the internet
* You will continue to get the NT authority error messages, just close them and get to the desktop

Manually disable DCOM -
* Click Start- Run
* In the Open box type dcomcnfg
* Click OK
* Under Console Root, click Component Services
* Open the Computers subfolder
* Right-click My Computer, and then click Properties
* Click the Default Properties tab
* Uncheck Enable Distributed COM on this Computer
* Click OK to apply the changes
* Close all boxes.

Remove the Virus/Worm from the system -
* Go here:
* Click Open
* Click Scan Now
* When finished close all boxes

-or-

* Go here:
* Click Open
* Click Start
* Click OK when finished
* Click No to open the URL
* When finished close all boxes

Run the Windows Updates -
* Click Start- Windows Updates
* Click Scan for Updates
* Load all Critical Updates
* When finished close all boxes
 
to clean manually if still needed.

Apply ALL patches! That should already have been done anyway.
Update ALL antivirus, or at least install them if not present. That too should already have been done!

Sorry to say so, but you (or whoever is in charge) were asking for it!

Marc
[sub]If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
[/sub]
 
I solved the NT AUTHORITY/SYSTEM VIRUS BY DOING THE FOLLOWING:
GO TO CONTROL PANEL
FIND THE ADMINISTRATIVE TOOLS
CLICK ON COMPONENT SERVICES
LOCATE THE REMOTE PROCEDURE CALL (RPC) AND DOUBLE CLICK ON IT. REMEMBER THAT THERE ARE TWO REMOTE PROCEDURE ITEMS BUT WE DON'T CARE ABOUT THE SECOND OR LOCATOR.
CLICK ON THE RECOVERY TAB AND CHANGE THE CHOICE ON THE FIRST, SECOND AND THIRD FAILURE TO EITHER RESTART THE SERVICE OR TAKE NO ACTION.
NOW YOU STOPPED THE MACHINE FROM RESTARTING. GO BACK TO THE INTERNET AND SELECT WINDOWS UPDATE FROM THE TOOLS SECTION OF INTERNET EXPLORER. SCAN FOR UPDATES. DOWNLOAD CRITICAL UPDATES AS SOON AS POSSIBLE ALONG WITH SERVICE PACK 1 AND THAT TOOK CARE OF THE VIRUS. PIECE OF CAKE.

JAIRO GALVIS, MIAMI, FLORIDA
 

Make sure to clear your pc of bcastner.exe [tongue]

OMG, illegal haxxor!!

LOL, sorry, I couldn't resist that one being his anniversary on tek-tips and all...

Cheers!

 
Uhh...Jairo, that's not going to get rid of the virus. That will stop your system from rebooting when the RPC service fails, and it will install the patch that closes the security hole that was used to originally infect your PC, but if you are already infected you will still be infected until you follow the steps at:

 
edemiere,

Thanks,

Now you know why the mutex of msblast was "Bill"
 
I've been reading all kinds of recommendations to eliminate msblast.

Is there anybody that has personally eliminated it several times in a successful way?

If this person exists, could you give clear instructions?

Thank you very much,

Horacio, Buenos Aires, Argentina

 
Yes, and may be this can help.

Download any of these fixes, they will easily fit on a floppy in most cases, and they would certainly fit on a CD in all cases:

Symantec, Trend Micro, F-Secure, Computer Associates, Panda Software, Gladiator AV
Then:

1. Start the machine and log on. Do not access the internet. Ctrl-Alt-Del to bring up Task Manager. Look for a process msblast.exe. If found, highlight it and then use the "End Task" button on the lower right to stop the process.

2. Run your downloaded fix.

3. Enable the native XP firewall: Network Connection, Properties, Advanced, check to enable ICF.

4. Reboot.

Done.

While you are at each workstation, provide the newest possible set of anti-virus definitions. Do a thorough antivirus scan of the boot volume.
 
Instructions (manual, when there is no internet) were already posted:

Terminate the process msblast.exe
Delete the msblast.exe file from your WINDOWS SYSTEM32 directory (typically c:\windows\system32 or c:\winnt\system32)

Edit the registry
Delete the "windows auto update" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Also see:


Apply ALL MS patches!

Marc
[sub]If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
[/sub]
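The three manual checks the posts above list (process, dropped file, Run-key value), as an added PowerShell example that is not from the thread; the function name `Test-Msblast` and the `-Remove` switch are my own, and the script assumes an elevated prompt on a Windows host:

```powershell
# Added example (not from the thread): report the three msblast indicators the posts above
# list and, with -Remove, perform the same cleanup steps. Run elevated. Function name is my own.
function Test-Msblast {
    [CmdletBinding()]
    param([switch]$Remove)

    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = 'windows auto update'             # value name the worm adds (from the thread)
    $dropped  = Join-Path $env:SystemRoot 'system32\msblast.exe'
    $findings = @()

    # 1. Running process: stop it first, otherwise the file below cannot be deleted.
    $procs = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
    if ($procs) {
        $findings += "process msblast.exe running (PID $($procs.Id -join ', '))"
        if ($Remove) { $procs | Stop-Process -Force }
    }

    # 2. Dropped executable in system32
    if (Test-Path -LiteralPath $dropped) {
        $findings += "file present: $dropped"
        if ($Remove) { Remove-Item -LiteralPath $dropped -Force }
    }

    # 3. Persistence via the Run key
    $val = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    if ($val) {
        $findings += "Run value '$runValue' = $($val.$runValue)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
    }

    if ($findings.Count -eq 0) { Write-Output 'No msblast indicators found.' }
    else { $findings | ForEach-Object { Write-Output $_ } }
}

Test-Msblast            # report only
# Test-Msblast -Remove  # report and clean up
```

Clearing the indicators does not close the hole: as the thread says, the RPC patch still has to be applied or the worm comes straight back.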
 