Hi guys, I'm sure a lot of you were hit by this worm like i was! There is a patch to stop the shutdown but MSBlast is in fact a worm. It has pretty much a stupid purpose, to launch a DoS attack on Microsoft Windows Update! So firstly, lets get the patch to stop the annoying dialogue that pops up and then we'll gte rid of the actual file itself. Get the patch from http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp Then on your computer hit CTRL, ALT and DELETE and find MSBlast.exe in the running processes (under processes tab in Windows XP). End the process then go to your windows folder and to system32. If system32 is not seen, then it must be hidden so just type c:\windows\system32 in the address bar. Delete the msblast.exe file. Now the actual file itself is gone but, it was set to boot with your computer so next time you boot your computer, you would get a message saying that it cant find the file. But you can remove it from startup easily by clicking start - run and type msconfig. Click the startup tab and uncheck it. Now it wont be set to boot with the computer but it wont disappear from the list on its own so if you're like me and dont even like having it in the list, do the following instead! Click start - run and type regedit. Now navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and remove the string with the value msblast.exe. It should be called Windows Update or something similar! Now hit the f5 key to refresh your registry. Close it and I recommend a reboot! Then when you reboot, go to http://www.windowsupdate.com and download any security updates for your OS. The reason for that is because if you (or I) had been getting the updates in the first place, we wouldnt have been effected by this worm at all! The worm itself is exploiting a Windows RPC Vulnerability discovered in most Micrsoft OS's. So I hope you enjoy getting rid of that annoyance _X_X_X_X_X_[small]http://www.BillLonero.com - Check out a true artists music! aD channel on IRC: rod.liquidirc.com #ad_buddies[/small]
VIRUS ALERT!!! Posted by 2eX Jubei @ 21:43 GMT, 11 Aug 2003 - iMsg*, Reply (Major News: HW) -------------------------------------------------------------------------------- There was a worm set loose on the internet early yesterday evening called w32.blaster.worm. This basically causes ur computer to restart after 50 seconds with the following message: 'Windows must now restart because the remote procedure call (RPC) service terminated unexpectedly' Some more information on the virus can be found here: http://www.microsoft.com/security/security_bulletins/ms03-026.asp http://securityresponse.symantec.com/avc...32.blaster.worm.html Take the following steps to get rid of this menace: U can stop the computer restarting so that can deal with the problem by doing the following: Click on start > run > type ‘services.msc’ > scroll down to the top remote procedure call (rpc) > right click on this and select properties > click on the recovery tab > change all 3 failure boxes to take no action instead of restart > click on apply and then ok > close services.msc. Now that u can stay online, take urself off to: http://windowsupdate.microsoft.com Grab the security updates from microsoft to close off the ports that the worm uses on ur system. Tool for removing the virus has been released by symantec here: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html Job done =] *TAKEN FROM ESREALITY.COM*
The guide above was taken from news *WWW.ESREALITY.COM* Dela.. , how about yours.? got infected..? My comp was infected by the virus ... luckily got it cleaned..!!! Pll's comp that was infected may be won't even have a chance to read this forum.. so plsss inform your friends...!!! This virus will make the comp to restart after some time ( about few minutes i think!! ) connecting to the net... ;O
I know that!! Lucky for me i found a fix very fast anyways! then i heard loadsa ppl had the same problem so i spread the fix around a bit
I found out this that morning when i saw wtf was msblast.exe running...!!! kindda weird.. , then got to know about the RPC thing... hahah ^.^'
I got this new variety of the worm. I can't find the process running. The freakin' microsoft website can't work cause it keeps using RPC. However, I prevented it from shutting down my comp using the services program.
Sounds like the MSblast.d variant which has a different method for removal the instructions can be found here http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D I was lucky i had the update installed allready but i had to remove it from no less than 14 other machines for other people
That had no effect waht so ever! lol wheras msblast itself had the potential to cause the most severe chaos!! too bad its programmer was a bit culmbsy ;-)
Huh, finally I can access the Microsoft Website. I used Symantec Desktop Firewall to close the ports the virus uses. Good thing I said "Blocked" to the dialog box that said "Allow DLLHOST.exe to access the internet?" God how many varieties does this thing have?_X_X_X_X_X_[small]Windows XP Professional Pentium II 450 MHz with 256 MB of SD-RAM GeForce4 MX-440 SE with 64 MB of DDR from eVGA.com[/small]
