1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Fix for "Remote Procedure Call Terminated Unexpectedly"! MSBlast Worm

Discussion in 'All other topics' started by Dela, Aug 11, 2003.

  1. Dela

    Dela Administrator Staff Member

    Joined:
    Aug 25, 2002
    Messages:
    8,949
    Likes Received:
    2
    Trophy Points:
    118
    Hi guys, I'm sure a lot of you were hit by this worm like i was! There is a patch to stop the shutdown but MSBlast is in fact a worm. It has pretty much a stupid purpose, to launch a DoS attack on Microsoft Windows Update! So firstly, lets get the patch to stop the annoying dialogue that pops up and then we'll gte rid of the actual file itself.

    Get the patch from http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

    Then on your computer hit CTRL, ALT and DELETE and find MSBlast.exe in the running processes (under processes tab in Windows XP). End the process then go to your windows folder and to system32. If system32 is not seen, then it must be hidden so just type c:\windows\system32 in the address bar. Delete the msblast.exe file. Now the actual file itself is gone but, it was set to boot with your computer so next time you boot your computer, you would get a message saying that it cant find the file. But you can remove it from startup easily by clicking start - run and type msconfig. Click the startup tab and uncheck it. Now it wont be set to boot with the computer but it wont disappear from the list on its own so if you're like me and dont even like having it in the list, do the following instead!

    Click start - run and type regedit. Now navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and remove the string with the value msblast.exe. It should be called Windows Update or something similar!

    Now hit the f5 key to refresh your registry. Close it and I recommend a reboot! Then when you reboot, go to http://www.windowsupdate.com and download any security updates for your OS. The reason for that is because if you (or I) had been getting the updates in the first place, we wouldnt have been effected by this worm at all! The worm itself is exploiting a Windows RPC Vulnerability discovered in most Micrsoft OS's.

    So I hope you enjoy getting rid of that annoyance :)_X_X_X_X_X_[small]http://www.BillLonero.com - Check out a true artists music!

    aD channel on IRC: rod.liquidirc.com #ad_buddies[/small]
     
    Last edited: Aug 11, 2003
  2. j|mmyR|X

    j|mmyR|X Guest

    VIRUS ALERT!!!
    Posted by 2eX Jubei @ 21:43 GMT, 11 Aug 2003 - iMsg*, Reply (Major News: HW)

    --------------------------------------------------------------------------------

    There was a worm set loose on the internet early yesterday evening called w32.blaster.worm. This basically causes ur computer to restart after 50 seconds with the following message:

    'Windows must now restart because the remote procedure call (RPC) service terminated unexpectedly'

    Some more information on the virus can be found here:

    http://www.microsoft.com/security/security_bulletins/ms03-026.asp

    http://securityresponse.symantec.com/avc...32.blaster.worm.html

    Take the following steps to get rid of this menace:

    U can stop the computer restarting so that can deal with the problem by doing the following:

    Click on start > run > type ‘services.msc’ > scroll down to the top remote procedure call (rpc) > right click on this and select properties > click on the recovery tab > change all 3 failure boxes to take no action instead of restart > click on apply and then ok > close services.msc.

    Now that u can stay online, take urself off to:

    http://windowsupdate.microsoft.com

    Grab the security updates from microsoft to close off the ports that the worm uses on ur system.

    Tool for removing the virus has been released by symantec here:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Job done =]


    *TAKEN FROM ESREALITY.COM*
    :)
     
    Last edited by a moderator: Aug 13, 2003
  3. j|mmyR|X

    j|mmyR|X Guest

    The guide above was taken from news *WWW.ESREALITY.COM*

    Dela.. , how about yours.? got infected..?


    My comp was infected by the virus ... luckily got it cleaned..!!!

    Pll's comp that was infected may be won't even have a chance to read this forum.. so plsss inform your friends...!!!
    This virus will make the comp to restart after some time ( about few minutes i think!! ) connecting to the net... ;O
     
  4. Dela

    Dela Administrator Staff Member

    Joined:
    Aug 25, 2002
    Messages:
    8,949
    Likes Received:
    2
    Trophy Points:
    118
    I killed it with the method i said in the first post and that is what all my friends did aswell!
     
  5. j|mmyR|X

    j|mmyR|X Guest

    Luckily ..its not a very bad one..!! ^.^' really lotsa comp got infected....
     
  6. Dela

    Dela Administrator Staff Member

    Joined:
    Aug 25, 2002
    Messages:
    8,949
    Likes Received:
    2
    Trophy Points:
    118
    I know that!! Lucky for me i found a fix very fast anyways! then i heard loadsa ppl had the same problem so i spread the fix around a bit
     
  7. j|mmyR|X

    j|mmyR|X Guest

    Ahh... thank god.. ;D
     
  8. j|mmyR|X

    j|mmyR|X Guest

    I found out this that morning when i saw wtf was msblast.exe running...!!! kindda weird.. , then got to know about the RPC thing... hahah ^.^'
     
  9. Dela

    Dela Administrator Staff Member

    Joined:
    Aug 25, 2002
    Messages:
    8,949
    Likes Received:
    2
    Trophy Points:
    118
    lol
     
  10. xbennyboy

    xbennyboy Guest

    I got this new variety of the worm. I can't find the process running. The freakin' microsoft website can't work cause it keeps using RPC. However, I prevented it from shutting down my comp using the services program.
     
  11. FIXIT

    FIXIT Regular member

    Joined:
    Mar 4, 2002
    Messages:
    201
    Likes Received:
    0
    Trophy Points:
    26
  12. Dela

    Dela Administrator Staff Member

    Joined:
    Aug 25, 2002
    Messages:
    8,949
    Likes Received:
    2
    Trophy Points:
    118
    That had no effect waht so ever! lol wheras msblast itself had the potential to cause the most severe chaos!! too bad its programmer was a bit culmbsy ;-)
     
  13. xbennyboy

    xbennyboy Guest

    Huh, finally I can access the Microsoft Website. I used Symantec Desktop Firewall to close the ports the virus uses. Good thing I said "Blocked" to the dialog box that said "Allow DLLHOST.exe to access the internet?" God how many varieties does this thing have?_X_X_X_X_X_[small]Windows XP Professional
    Pentium II 450 MHz with 256 MB of SD-RAM
    GeForce4 MX-440 SE with 64 MB of DDR from eVGA.com[/small]
     
    Last edited by a moderator: Aug 19, 2003
  14. Dela

    Dela Administrator Staff Member

    Joined:
    Aug 25, 2002
    Messages:
    8,949
    Likes Received:
    2
    Trophy Points:
    118
    Just a few but its dieing now :)
     

Share This Page