Here is a complete fix for the MSBLAST virus

[ashenfang]

Upon rebooting, Windows comes up, forces a reboot, but the customer has a minute before the reboot takes effect
During that minute, the customer needs to hit Start/Run and type cmd
In the DOS window type in services.msc and press <enter>
This opens a control panel with a list of services
Double click the listing for Remote Procedure Call (RPC) item which opens a Dialogue Box (if there are two, select the one that does NOT say Locator next to it)
In this box are four tabs, choose the Recovery tab
The Recovery tabs lists three line items, change each line item to Take No Action and hit Apply
This will stop the reboots
Find the file msblast.exe and delete it if present
Then advise the customer to visit the Microsoft site for the security patch for their OS: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

 

[engjohn]

Shorten that by a few steps by pressing & hold "Windows Key" then "R" to open the run dialog box. In the run box type services.msc and that will open the same window. It will save you a few keystrokes...

 

[Kendan]

Bump

 

[schismspeak]

bump, for good reason.

 

[Ebola]

this thing got me and my dad's computer. its evil.

bump.

 

[Bigdogbmx]

Last night i got the msblast thing and spent about 2hours cleaning every trace off the system (registry etc.) then I left a download on overnight and guess what. I check task manager and its running away happily
Kendan gave me this link before when i posted about it and you should check taht if you have it. It says which registry key to delete.
P.S. EVERYONE should check their task managers for msblast.exe because not all antivirus programs find it. If you get it early it wont do any damage I dont think so do it.

 

[Bigdogbmx]

You might want the link as well so here it is.
http://forum.oc-forums.com/vb/showthread.php?s=&threadid=223261

 

[Kendan]

Also to be protected from getting it a hardware firewall like a router running NAT will stop you from getting it

 

[SupaNgr]

Stupid question, but if I have all updates from windows update, I'm safe from this right? I mean, MS doesn't release fixes and not put them on windows update, correct? So what's the issue, why aren't these people running windows update..

 

[Bigdogbmx]

I am running it but on 56k if i just let it update itself I would have no bandwidth for a week.

 

[DarkNight]

Most people don't do any updates, even when things like this popup. When you ask the ordinary home user when was the last time they updated windows, their usual reply is : " what, I just bought it last year, don't tell me I need a new one!"

 

[OC Detective]

The information here is pretty definitive. I had the virus on both my home and work computer causing svchost.exe to crash!

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

 

[BaD CrC]

I don't remember having seen a virus spreading so fast and causing so much havoc on the net.
Can't wait for August 16th when it'll launch DOS attack on Windowsupdate.com. This is gonna be real hell for those guys, unless they simply unplug the servers?

 

[David]

Yikes, I just checked my task manager and there it was, msblast.exe....

How does it infect me?

Ran the Symantec tool just now - its fixed and Im patched.

 

[HeXenViRii]

i cant find the patch for win2000 .... at least one that works

the one on the frontpage is for XP also

 

[Bigdogbmx]

The link in the first post of teis thread was the one I used and it had the win2k patch on there. Im all sorted now after the patch and using the advice from the symantec link. Whats all this DOS attack stuff though Bad CrC?

 

[UnseenMenace]

Its made the front page now
http://www.overclockers.com/tips00445/

 

[Kendan]

i cant find the patch for win2000 .... at least one that works

the one on the frontpage is for XP also

Here is the link that was linked in the first post of thiis thread. It includes a link to the one you need.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp


David,

It infects you over port 135 all it needs is an open port. Then it downloads the virus from port 4444 on the infected machine that just spread it. There are even some reports that it can still infect patched computers although I am not sure about that. The only way to Stop it for sure is to use a firewall to block port 135. There is a chance that varients will pop up using different ports

 

[seren]

Try this link the link for the tool is about half way down the first page, it gets rid of the virus and corrects the registy it's from Symantec.

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

 

[IceMan3928]

Whats all this DOS attack stuff though Bad CrC?

All the computers infected with the virus are supposed to start a syn flood against windowsupdate on the 16th.