msblast.exe WTF?!?!?!?!?!

OK, so about 40 minutes ago, my connection was really slow. I stupidly shut down Zone Alarm :smack: and about 3 minutes later, my whole system shut down. I’m running XP Pro, and my system only shut down like that once before, when I was closing running processes and I closed a critical process. I wasn’t doing that this time though. I was here, reading the boards. Anyway…after I rebooted, a ZA popup came on asking if I wanted to give “msblast.exe” internet rights. I clicked no, and went to Google to check it out. Well, nothing came up, on the web OR Usenet. I updated Norton, and ran a scan on the file, and it came up clean. The file was created about the same time I shut down ZA. Does anyone know what this is?

It’s not the RIAA, is it? Please don’t tell me it’s the RIAA. *grabs tinfoil hat* It’s the government, isn’t it…they know I used to draw anarchy symbols on my Chuck Taylors in the 80s, don’t they. *puts down tinfoil hat*

In all seriousness, what should I do?

Jon

In which folder does msblast.exe reside on your hard drive? Are you sure you got the name exactly right? (e.g. msb1ast.exe…) If this is some kind of adware/scumware/virus, it’s strange that no one else mentions it in Google or newsgroups.

Good idea, so I cut and pasted the name of the file into Google, and, nope, nothing. It’s in the system32 folder.

Jon

It’s a Trojan, brand new today! You’ve been hacked.

Reformat and reinstall is the only way to be sure you’re clean.

FUCKING A. I had ZA off for all of three minutes. Man, I just got everything configured the way I like it. Can I just re-install XP? Or do I have to wipe my whole drive clean. What if I uninstall XP, go back to ME, re-install ME and upgrade back up to XP? Thanks in advance to you brad and anyone else who has any advice. When I couldn’t find anything on google, I knew the best place to come was here!

Jon

You have been hit by the RPC-DCOM exploit. This allows a remote user to gain administrator access to your computer, thus allowing them to install programs of their choice, access your files, or use your computer to attack remote users. You will know you’re infected when you see a message about an “NT AUTHORITY” error saying that the system will shut down in 60 seconds.

First, install the patch from Microsoft. You can download the patch and read more information at Microsoft Technet.

After this is installed, go to Start, Run, and type in msconfig. Go to the Startup tab and UNCHECK “msblaster.exe”. Restart the computer, enter Safe Mode by pressing the F8 key before Windows loads and choosing Safe Mode from the menu that appears, and delete msblaster.exe.

WARNING: It is entirely possible that other viruses or trojans could have been installed. Furthermore, there may still be keyloggers or file servers running. Keyloggers will send your passwords or any credit card data you type in to a remote user. A file server could be hosting child pornography, pirated software, or other illegal content. I strongly suggest that you format, then install the patch on a clean system BEFORE you connect it to the internet.

I would advise you to do a clean install of XP in a new folder - this is one of the options during the XP installation process. That way, if there’s anything you need from the old install you have it, but you should be safe from anything related to the old install. You will need to reinstall your apps and of course you should do a full virus scan anyway.

For future reference, ZoneAlarm has an option to go to their website and get more information about the program requesting access in that little window that pops up asking for permission.

It might not have told you much in this case since it sounds like this is a new trojan, but it might be helpful in the future.

would this effect my computer running ME?

Wow. What a cleverly wicked worm. According to this article, posted just an hour ago, the worm is scheduled to use the affected systems to launch a SYN flood on windowsupdate.com on August 16th. In other words, if you’re affected by this, you’d better download the patches NOW, because the Windows Update service may not be there in five days.

Oh, and while browsing some other tech support forums on an unrelated matter, I was quite surprised by the number of people with this very same problem. Batten down the hatches, fellow IT folks, 'cause it looks like this one might hit hard.

Aceospades, no, this exploit affects NT/2K/XP. Some would argue that Windows Me is a virus itself, but that’s beyond the scope of this thread. :slight_smile:

>> It’s a Trojan, brand new today! You’ve been hacked.

How can someone install a Trojan without me doing anything? I do not understand this. I need to understand this mechanism.

>> would this effect my computer running ME?

affect.

While this particular Trojan may be new today, the vulnerability it exploits was, apparently, patched back on July 21. So, if you’ve been keeping up with your Windows updates, you should already be protected against it.

You can blame it on the numerous security holes in various Microsoft products. When Microsoft becomes aware of the exploit they usually supply a “Critical Security Update” through their website and Windows Update. One of the problems with this is that when they come out with a security update, they practically advertise the fact that there’s a vulnerability to all the hackers out there. Then the hackers focus their efforts on using the vulnerability on all the systems out there that haven’t been patched yet.

That’s why it’s important to have three things always up-to-date:

  1. ALL “Critical Updates” from Microsoft (set your system to auto-update and let you know when it does)

  2. A good virus scanner, (again, preferably with auto-update)

  3. A good firewall where you only grant permission to known programs.

You could get a trojan from practically anywhere if you don’t have all of the protection above. Websites, emails, someone randomly scanning open ports over the internet, etc.

Systems are infected by exploiting a vulnerability in the operating system, sailor. According to Microsoft:

The lesson here? Patch your system frequently. This fix was released on July 21st, but the exploit wasn’t discovered in the wild until today.

Ok, I see. I had already applied the patch but I still do not understand something: if I am running a firewall, wouldn’t this prevent access from the outside?

Users of decent firewalls shouldn’t be affected, sailor. Note that the OP was only infected when he shut down ZoneAlarm while still connected to the Internet.

Oh, and, as I mentioned in the other thread on this subject, I’m getting one-to-three requests on port 135 today, according to my firewall logs. That’s the exploit port. So if I didn’t have the patch already installed, and I shut down Outpost (my firewall program) for just a couple of minutes, I could be infected that quickly. That’s why it’s a good idea to get the patch even if you do have a software firewall program. You may need to shut it down for something or, hell, it might even crash.

Ok, so having my patches up to date and the firewall running I am reasonably safe. That’s what I wanted to know. Thanks.

Whoops. That doesn’t make any sense at all, does it? I meant to say I’m getting a port 135 request every one-to-three minutes.
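To make the firewall-log observation above concrete, here is an added example (not code from anyone in this thread): it parses constructed firewall log lines, counts blocked inbound TCP attempts to port 135, and works out how often they arrive and from how many distinct sources. The log format and the sample entries are assumptions, not the poster's real Outpost logs.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log, in an assumed "ts action proto src:port -> dst:port" format.
SAMPLE_LOG = """\
2003-08-11 14:02:10 BLOCK TCP 10.0.0.5:3021 -> 192.168.1.10:135
2003-08-11 14:03:44 BLOCK TCP 10.0.0.17:4112 -> 192.168.1.10:135
2003-08-11 14:04:01 BLOCK TCP 10.0.0.5:3022 -> 192.168.1.10:80
2003-08-11 14:05:30 BLOCK TCP 172.16.2.9:1451 -> 192.168.1.10:135
2003-08-11 14:07:02 BLOCK TCP 10.0.0.23:1033 -> 192.168.1.10:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": d["proto"],
            "src": d["src"],
            "dport": int(d["dport"]),
        })
    return events

def port135_summary(events, sweep_interval_s=180):
    """Summarise inbound TCP/135 attempts: count, distinct sources, mean gap.

    The RPC-DCOM worm in this thread probes port 135; a steady stream of
    attempts from many different sources every few minutes (the poster saw one
    every one to three minutes) looks like a worm sweep rather than one curious host.
    """
    hits = sorted((e for e in events if e["proto"] == "TCP" and e["dport"] == 135),
                  key=lambda e: e["ts"])
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
    avg_gap = sum(gaps) / len(gaps) if gaps else None
    sources = Counter(e["src"] for e in hits)
    return {
        "attempts": len(hits),
        "distinct_sources": len(sources),
        "avg_interval_s": avg_gap,
        "looks_like_sweep": avg_gap is not None and avg_gap <= sweep_interval_s
                            and len(sources) > 1,
    }
```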