
W32.Blaster.Worm

Discussion in 'Windows XP' started by BryenWorscht, Sep 15, 2003.

Thread Status:
Not open for further replies.
  1. BryenWorscht

    BryenWorscht Thread Starter

    Joined:
    Jun 6, 2002
    Messages:
    32
    I just got a new PC that came with Windows XP; this is the first time I have ever used Windows XP. About 2 1/2 minutes into my first connection with my new PC, I got the Blaster worm virus. Norton first tells me that I have the virus, then it tells me I can't get rid of it, then it tells me to download a Norton tool to remove the virus, THEN, when that tool scans my system, it tells me I DON'T have the virus. Then I look in my virus log reports and see about 1000 attempts to delete and/or access the virus within about 1 hour. I realize that there are probably 1000 solutions and threads for this problem, but I always just start my own new thread when I have a problem, even the most common ones. I try searching for threads containing the words "blaster worm" but I get a lot of stuff that has nothing to do with what I am trying to do. I just don't want my new PC to be infected anymore and was hoping someone here knows EXACTLY which simple steps I need to take to rid myself of this. Thank you.

    Norton says that

    We recommend that you block access to TCP port 4444 at the firewall level, and then block the following ports, if you do not use the following applications:


    TCP Port 135, "DCOM RPC"
    UDP Port 69, "TFTP"


    I probably should find out how to do this also, or what it even means anyhow... Does this mean I should download ZoneAlarm? Also, how much better is ZoneAlarm Pro than just the freeware version of it?
     
  2. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    Here are some steps that have worked before. They come from Sophos Security.

    msblast.exe Fix from Sophos....."how to list"

    To clean computers infected with MS Blast, users must delete the
    registry key and the executable.

    1. Using regedit.exe, locate the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    2. Delete the value listed below:

    "windows auto update"="msblast.exe"


    3. Delete the file:

    %Windir%\system32\msblast.exe

    4. Open Task Manager, and stop the msblast.exe process.

    Clean-up utilities:
    X-Force recommends the following clean-up tool, offered by Sophos:
    http://www.sophos.com/support/disinfection/blastera.html#2

    Additional Information:

    ISS X-Force Alert
    http://xforce.iss.net/xforce/alerts/id/147

    Microsoft Security Bulletin MS03-026
    http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

    BTW, how did you manage to get it in less than 3 minutes? If you do not have a firewall, I'd get one now. You can get a great free one at Zone Alarm

    The Pro version of ZoneAlarm adds several features. Comparison chart. But the free version is a great basic firewall.


    Hope this helps.
     
  3. KeithKman

    KeithKman

    Joined:
    Dec 28, 2002
    Messages:
    1,983
    Do this:

    Here is how to find out if you have the worm, and how to delete this worm.

    Subject: Checking for W32.blaster worm infecting the network and How to fix computers if the computers are infected
    How can you tell if your computer is infected with the virus:

    Please check your computer for possible infection! If your computer is
    infected with the worm then you should be able to locate a file called
    msblast.exe in the following location:

    C:\winnt\system32\msblast.exe
    C:\windows\system32\msblast.exe

    You will also find the following registry entry in your computer
    registry:


    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update="msblast.exe"

    * If you didn't find the worm, you shall make sure to update your
    Windows computers to fix the RPC vulnerabilities. See the following for
    the installation instructions:
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp Also, please make sure Symantec Antivirus is installed and updated.

    * If you find a computer with the worm, disconnect it from the
    network by removing the network cable. Please inform or e-mail Help
    Desk about the infection and make sure to have them install or update
    the antivirus software.

    To remove the worm, download the following tool from the Symantec web site
    and save it onto a CD or diskette, then follow the instructions below or
    contact Help Desk or the systems duty administrator to get the Microsoft RPC
    patch and worm fix:

    1. Download the FixBlast.exe file from: http://securityresponse.symantec.com/avcenter/FixBlast.exe

    2. Save the file to a convenient location, such as your downloads
    folder or the Windows Desktop (or removable media that is known to be
    uninfected, if possible). Store it on a diskette or CD.

    3. Close all the running programs before running the tool. If you are running Windows XP, then disable System Restore.
    Refer to the section, "System Restore option in Windows Me/XP," for
    additional details.

    CAUTION: If you are running Windows XP, we strongly recommend
    that you do not skip this step. The removal procedure may be
    unsuccessful if Windows XP System Restore is not disabled, because
    Windows prevents outside programs from modifying System Restore.

    4. Double-click the FixBlast.exe file to start the removal tool.
    5. Click Start to begin the process, and then allow the tool to
    run.

    NOTE: If, when running the tool, you see a message that the tool was not
    able to remove one or more files, run the tool in Safe mode. Shut down
    the computer, turn off the power, and wait 30 seconds. Restart the
    computer in Safe mode and run the tool again. All the Windows 32-bit
    operating systems, except Windows NT, can be restarted in Safe mode. For
    instructions, read the document "How to start the computer in Safe Mode":
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    6. Restart the computer and reconnect the network cable.
    7. Run the removal tool again to ensure that the system is clean.
    8. If you are running Windows XP, then re-enable System Restore.
    9. You must update your Windows computers to fix the RPC
    vulnerabilities. Follow the installation instructions:
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp Also, Contact Help Desk to install Symantec Anti-Virus Software and Run Update to make sure that you are using the most current virus definitions.
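
The two infection indicators named in the posts above (the "windows auto update" value under the HKLM Run key and a msblast.exe file in system32) can be checked offline against a regedit text export and a directory listing. This is an added example, not part of the original thread or of any vendor tool; the function names and the sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators named in the thread: the Run-key value name and the dropped file.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IOC_VALUE_NAME = "windows auto update"
IOC_FILE = "msblast.exe"
# One '"name"="data"' string value as written in a regedit text export.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg exports escape \ and " with a backslash

def run_key_values(reg_text):
    """Yield (name, data) for string values under the HKLM ...\\Run key only."""
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY  # key names are case-insensitive
        elif in_run and (m := VALUE_RE.match(line)):
            yield unescape(m.group(1)), unescape(m.group(2))

def blaster_findings(reg_text, system32_listing):
    """Return human-readable findings; an empty list means no indicator was seen."""
    findings = []
    for name, data in run_key_values(reg_text):
        exe = ntpath.basename(data.strip('"')).lower()  # data may be a full quoted path
        if name.lower() == IOC_VALUE_NAME or exe == IOC_FILE:
            findings.append(f"Run value {name!r} -> {data!r}")
    for fname in system32_listing:
        if fname.lower() == IOC_FILE:
            findings.append(f"file present in system32: {fname}")
    return findings

# Constructed sample input (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"windows auto update"="msblast.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"windows auto update"="msblast.exe"
'''
SAMPLE_LISTING = ["kernel32.dll", "MSBLAST.EXE", "notepad.exe"]

if __name__ == "__main__":
    print("\n".join(blaster_findings(SAMPLE_REG, SAMPLE_LISTING)))
```

The check is scoped to the Run key because that is the only key the posts name, so the RunOnce entry in the sample is deliberately not reported.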
     
  4. horrorofdeb

    horrorofdeb

    Joined:
    Oct 16, 2002
    Messages:
    567
    HOW DO I GET BLASTER WORM OFF MY COMPUTER??????
     
  5. BryenWorscht

    BryenWorscht Thread Starter

    Joined:
    Jun 6, 2002
    Messages:
    32
    The only way I know how is if you have Norton AntiVirus and you go to the Symantec site and there will be a link to a tool that you can download called FixBlast. I deleted it a while back, but it should still be there. I actually don't know for sure if you need to have a Norton subscription to download it...
     
  6. jnibori

    jnibori

    Joined:
    Jul 21, 2002
    Messages:
    1,226
    Have a look HERE
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Also get the M$ critical updates for your OS and IE to keep from getting reinfected.
     

Short URL to this thread: https://techguy.org/164989
