
Remote Procedure Call?

Oh, it's not about the shutdown thing...that stopped...but now I can't boot up properly....it won't load Windows unless I go to safe mode with networking then reboot then load normally...that usually lets me into normal mode...sometimes it freezes and sometimes it BSODs and reboots....I'll try and dc the network cable and see if it loads right...
 
Steps I took (through a phoneline talking to someone who didn't know he had a "delete" key on his keyboard :D)

1) Disconnect from the Internet
2) boot pc
3) use Task Manager to stop msblast.exe
4) used windows "search" to find and delete msblast.exe; empty Recycle Bin.
5) Turn OFF System Restore (important step- if you are running System Restore you have archived the virus!)
6) deleted registry value from the appropriate key (see this link to Symantec for which key)
7) enabled Windows XP firewall
8) connected lan cable
9) download/install patch from Microsoft
10) apparently virus-free

Note that there is a further step: update and run your anti-virus software!!!! The virus may still be hiding inside a file on your pc.

(I hope I didn't miss anything we did.....it was over 3 hours on the phone.....:D)
 
Yea I just got this exact same fag problem and I think it's gone I just wanna know what it is and how did it spread. Yea I checked msconfig.exe and all of a sudden msblast was running or some **** so I unchecked that and unplugged everything and now it works. But yea, how did it spread to people and start screwing stuff.
 
I'm curious how it gets in too, I think I read it's an email attachment but, after my new install/format I hadn't received any when I noticed it.

I guess my windows version would have been full of the unpatched security issues at that time though.

C
 
It fixed my comp...I'm so happy I didn't have to reformat...thx for the help guys...my antivirus didn't detect it (Norton 2002) :(
 
Geez, sounds like some people out there don't use their firewalls :rolleyes: Or does this worm bypass the firewall?

One thing about 56K... We're not affected nearly as much as broadband users when new worms hit :D
JigPu
 
My Norton just updated itself, and removed the virus. It must be a new patch as I checked earlier today right before my first post.

C
 
Hit me today. Very annoying. Spent the last 3 hrs researching and compiling info on how to fix it when I get home from work. It's getting national attention and I have read that the major antivirus companies have now released a definition for it.
 
Yeah but how does it get around. It's not email because I haven't read any emails and it just started to fling.
 
CISAvril said:
Yeah but how does it get around. It's not email because I haven't read any emails and it just started to fling.


Port 135. If you had a firewall stealthing or blocking that port you would not get it.
 
Bwhahahaa this was fantastic, I haven't had this much fun with computers since the day of my 486's.

It was a race against time I tell ya, trying to install the MS patch under 60 seconds... before the PC reboots. Had to try it 4 times, before I pulled it off..


And they say computers are getting boring :D
 
Lol I accidentally downloaded the 64-bit version. I had to race back here to the post, get the link bookmark it *restart* then download it *restart* then install *restart* whew!
 
I've had about enough of this worm already. My work got hit by it yesterday afternoon and I got the pleasure of going in at 10 P.M. to patch every computer in the plant and use Stinger to remove the worm from the systems already infected. I'd say I patched about 150 computers last night out of about 250 that we have. I just got home :(.
 
btw guys, you still know that even after the patch, you still have to manually remove the worm from the system?

Go Ctrl+Alt+Del, if "MSBLAST.EXE" is running in processes, you gotta terminate it, and remove it from the registry.
 
T20 said:
btw guys, you still know that even after the patch, you still have to manually remove the worm from the system?

Go Ctrl+Alt+Del, if "MSBLAST.EXE" is running in processes, you gotta terminate it, and remove it from the registry.

Can you navigate me to where it is in the registry?
 
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

1) Open Windows Task Manager: press CTRL+SHIFT+ESC, and click the Processes tab.
2) In the list of running programs*, locate the process: MSBLAST.EXE
3) Select the malware process, then press the End Process button.
4) To check if the malware process has been terminated, close Task Manager, and then open it again.
5) Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1) Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2) In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3) In the right panel, locate and delete the entry: "windows auto update" = MSBLAST.EXE
4) Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
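
The two manual checks above (running process, then the Run-key autostart value) can be scripted. This is an added example, not part of the original post or of Trend Micro's instructions; it assumes a machine where PowerShell is available (it did not ship with Windows XP), and the `-Remove` switch and variable names are made up for this sketch.

```powershell
# Added example: audit (default) or clean up the two MSBLAST.EXE artifacts
# named in the removal steps. Nothing is changed unless -Remove is given.
param([switch]$Remove)

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'windows auto update'   # autostart entry named in the steps
$procName  = 'msblast'               # Get-Process takes the name without .exe
$findings  = @()

# 1. Running process (the Task Manager step).
$procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $findings += "process: PID $($p.Id), image path: $($p.Path)"
    if ($Remove) {
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
    }
}

# 2. Autostart value (the Registry Editor step).
$entry = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($entry) {
    $findings += "autostart: '$valueName' = $($entry.$valueName)"
    if ($Remove) {
        # Deleting from HKLM needs an elevated (administrator) session.
        Remove-ItemProperty -Path $runKey -Name $valueName
    }
}

# 3. Re-check, as the steps do by reopening Task Manager.
if ($Remove) {
    Start-Sleep -Seconds 2
    $left = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)
    if ($left.Count -gt 0) {
        # Mirrors the NOTE: if the process cannot be ended, restart.
        $findings += 'process still running: restart the system, then re-run'
    }
    if (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue) {
        $findings += 'autostart value still present: re-run from an elevated session'
    }
}

if ($findings.Count -eq 0) {
    'No MSBLAST.EXE process or "windows auto update" autostart value found.'
} else {
    $findings
}
```

Run it once without arguments to see what is present before changing anything. It does not delete the executable itself or apply the Microsoft patch, so those steps from earlier in the thread still apply.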
 