I downloaded it but cannot get it to work in IE or Mozilla, none of my bookmarks work, nor my homepage will load up. I will try it later, trying to read this book and have to work in about half an hour.
OK, I got hit by this on my home computer. And I am not a tech person, so not one single word of what any of you has said makes any sense to me at all.
How do I fix this? In easy-to-understand words that wouldn’t confuse a five-year-old?
Okay, let me try to dumb down Anthracite’s instructions a bit:
1. If you’re using a dialup modem, disconnect. If you’re using cable or DSL, yank the network cable out of the back of the computer (or disable the connection, but I’ll just tell you to yank the cable because it’s easier).
2. Press Ctrl-Alt-Delete. Click the Task Manager button. When the Task Manager opens, make the Processes tab visible. In the list of processes, find msblast, select it, and click End Task.
3. Open up Windows Explorer (right click on Start Menu and choose Explore from the menu). Click “C:” Click “Windows.” Click “System32.” In this folder, find the file called msblast.exe and delete it.
4. Similar to step #3, except after you click “Windows,” click “Prefetch” instead of “System32.” Find a file in that folder with msblast in the name. I’m not sure of the exact name of the file, as I don’t have an XP machine handy and I’m not sure how it names prefetch files. If you can’t find it yourself, hopefully someone else will come along with the exact name.
If you don’t know how to do this, maybe it’s time to go back to the 'ol IBM Selectric.
Before you reconnect your modem or plug your network cable back in, do the following:
- Go to the Control Panel (Start->Settings->Control Panel) and double-click Networking and Internet Connections, then click Network Connections.
- Find your connection and right-click on it and choose Properties.
- Click the Advanced tab, then put a check in the box next to the sentence that says “Protect my computer and network by limiting or preventing access to this computer from the Internet.”
Now, connect to the Internet and download and run the security patch.
Good luck, Eve. Hope this helps. By the way, this assumes you’re running XP. If you’re running Windows 2000 or Windows NT, the instructions will be slightly different. Replace all references to the “Windows” folder with the “WINNT” folder, ignore the prefetch step, and use a third party firewall program to block access to your computer. If you are running one of these other operating systems and need me to break that down further for you, just let me know.
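A scripted version of the file checks in the steps above, added here as an example and not part of any poster's message: it looks for msblast.exe in System32 and for its prefetch entry, under either the Windows or the WINNT folder. The sample tree and the prefetch hash are constructed, and the function names are hypothetical.

```python
import os
import tempfile

WORM_EXE = "msblast.exe"  # file name given in the thread


def _subdir(parent, name):
    """Find a child folder ignoring case (Windows does; the host OS may not)."""
    for entry in os.scandir(parent):
        if entry.is_dir() and entry.name.lower() == name.lower():
            return entry.path
    return None


def find_leftovers(system_drive):
    """Return sorted paths of msblast files in the folders the thread names."""
    hits = []
    for root_name in ("Windows", "WINNT"):  # XP vs. Windows 2000/NT
        root = _subdir(system_drive, root_name)
        if root is None:
            continue
        sys32 = _subdir(root, "System32")
        if sys32:
            hits += [e.path for e in os.scandir(sys32)
                     if e.is_file() and e.name.lower() == WORM_EXE]
        prefetch = _subdir(root, "Prefetch")  # XP only; absent on 2000/NT
        if prefetch:
            # XP names prefetch entries <EXE NAME>-<8 hex digits>.pf
            hits += [e.path for e in os.scandir(prefetch)
                     if e.is_file()
                     and e.name.lower().startswith(WORM_EXE + "-")
                     and e.name.lower().endswith(".pf")]
    return sorted(hits)


def build_sample_drive(base):
    """Constructed sample tree standing in for C:\\ (empty placeholder files)."""
    for rel in ("Windows/System32/msblast.exe",
                "Windows/System32/svchost.exe",
                "Windows/Prefetch/MSBLAST.EXE-0A1B2C3D.pf",  # hash is made up
                "Windows/Prefetch/NOTEPAD.EXE-11223344.pf"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        for path in find_leftovers(build_sample_drive(drive)):
            print("leftover:", path)
```

Pointed at a real system drive, an empty list means neither folder holds the file; the script does not look at running processes or the registry.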
Neutron Star,
What I was asking was, now that I’ve deleted msblast.exe from my system (my computer was infected) is there a way for me to know whether the virus copied itself over to any of my other files or anything like that?
I am not showing any of the weird symptoms others have described, such as not being able to open new frames and things like that…
I scanned for viruses using an online scanner and it came up with nothing, but I am not sure this is one that can be found by such scanners.
-DaHa
The only place msblast.exe will put itself is in the location already mentioned. If it’s not there and you have the patch installed, you have absolutely nothing to worry about. If it did infect other files, believe me, we’d know about it, since this virus has affected so many people that something like that couldn’t slip under the radar.
From what I’ve read the only payload the worm carries is to connect to the internet to spread itself via port 135, and to launch the DOS attack on August 16. It has no code to insinuate itself into other programs or processes.
Don’t know if this has been posted yet, but Symantec Security Response has developed a removal tool to clean the W32.Blaster.Worm infections that:
- Terminates the W32.Blaster.Worm viral processes.
- Deletes the W32.Blaster.Worm files.
- Deletes the dropped files.
- Deletes the registry values that the worm added.
Coupled with a virus scanner with the right signatures that should remove any trace of the worm.
BTW, people, it’s not necessary to block port 135 completely, as SVCHOST.exe, being the system file that controls dll files listens on that port anyway. Just install a firewall (I got a good free one from Kerio Technologies) and pay attention to the messages it says to you.
Okay, I’ve got a question. I was struck by this worm yesterday. I downloaded the patch, disabled System Restore, ran BOTH Stinger and Fixblast, double-checked my registry and task manager to make sure it was gone, and restarted my computer.
Both Stinger and Fixblast say it’s gone and didn’t see it in either the registry or on task manager, but when I put ‘msblast’ into the search function it still comes up!
Is my computer clean or is it still on there?
Arrggh. Stoopid virus.
Greywolf, if when you search your computer you find msblast.exe, then the file still exists on your hard drive. But since you found it by searching, it should be a pretty simple matter to delete the file…
-FrL-
I got hit while my computer was on the DMZ for some much needed gaming :(. I foolishly decided to just reinstall XP, but I’m glad now. My comp was a bit sluggish and needed the redo. Anyway, anyone know how to tell if someone is calling port 135 on a D-Link router? I can’t find anything in the router configuration, and I’m curious.
In my estimation, this is most likely a function of the level of System Packs that you’ve thus far installed. Depending on the degree of OS Windows Updates you’ve done, the Master Blaster worm impregnates itself to a lesser or greater degree of total success. On my various webservers yesterday, the different levels of Windows Updates and System Packs allowed varying degrees of success by the worm.
As I mentioned earlier, if your RPC software keeps dying after a reboot, use the Computer Management / Services interface to temporarily disable and stop your IIS, FTP, and WWW services and reboot your machine once again. By shutting down your webserver functions, the incoming worm URL hit doesn’t get anywhere.
Most D-Link models don’t have that feature. I think the only one that does is their SOHO VPN router. That one allows the router to email you intrusion detection logs. Exactly how to do it is detailed in the manual.
Thank you ANTH and ABSOUL and NEUTRON STAR for your great help and patient advice.
OK, my momma’s new computer got hit by this. I followed the directions on the Dell website (disconnect, disable the RPC-thingie, install the patch, and run Stinger to get rid of the worm thingie); is there anything else I need to do now?
Once the worm and related infestations are deleted and the security patch installed, your system is as safe as you can hope for now.
My company was hit with this thing yesterday, and I ended up spending most of my entire day fixing the damn thing. Apparently my Windows 2000 machine was horrendously out of date and required a service pack update in order to be compatible with the security patch. The 40-megabyte download from Microsoft’s horribly stressed (and possibly under attack) Windows Update servers, which took a couple hours and several retries, but it’s all over now.
D
Blah, there’s a comma and a “which” I should have removed before posting that.
I might add that the symptom that stuck out the most was IE losing the ability to spawn new windows, which is required by most of the software I use.
D
So when they track the author down and arrest him, is he going to get the usual 3 mos probation? or what?
I kinda hope he gets his fingers chopped off, then shov…ahem. Sorry.
I suppose I had some variant of the worm, I had all the symptoms, but nothing could find it. Had to resort to reformatting. I’ve heard of a few other cases where it couldn’t be found either.