Worm Blaster?

mxh

A friend of mine is having trouble with his system and (over the phone) it
sounds like the worm blaster virus. His system will only stay up for about
30 seconds and then reboots. Evidently, it does this in safe mode and
command prompt as well. I've tried to find info on removing this without
accessing windows (as he can't), but the only info I can find is how to
prevent it (patches and firewall) or how to remove it from windows.
Has anyone removed this virus under these circumstances (unable to keep
system running longer than 30 seconds)?

Thanks for any ideas,

mxh
 
Bob Knowlden

See here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

The downloadable utility is only 133 kB in size, so you could download it
onto a floppy and run it from there. (I'd suggest a boot floppy, but I doubt
that it'd be of much use if your friend's system uses NTFS for the XP
partition.)

I can't vouch for its safety and effectiveness, as I haven't needed it so
far (touch wood).

Good luck.

Bob Knowlden

Spam dodger may be in use. Replace nkbob with bobkn.
 
T.C.

The Blaster worm is VERY specific. It brings up a dialog box and ticks down
60 seconds, and then the system reboots. If it's just 30 seconds without
a dialog box and a system reboot, most likely it isn't Blaster. But if
it is Blaster and you can't keep the system up long enough to download the
Blaster Removal tool at:

http://www.symantec.com/avcenter/

Then boot into Safe Mode, click Start/Run and type: regedit. When the
Registry Editor opens, navigate to the Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane you'll see a string:

"windows auto update"="msblast.exe"

Right click that string in the right pane, and left click Delete. That will
at least stop the rebooting. Then reboot into Normal Mode, and download and
use the Removal Tool as described at the Symantec site above (it's located
halfway down the page, and the right side, under the heading: Removal Tools).
After Blaster is removed, go to the Windows Update site, and download the
Security Update dealing with correcting the system flaw that allows
worms like Blaster access to your system. Getting a decent firewall would
make your system even less accessible to outside attacks.
 
Ken Blake

mxh said:
A friend of mine is having trouble with his system and (over the
phone) it sounds like the worm blaster virus. His system will only
stay up for about 30 seconds and then reboots. Evidently, it does
this in safe mode and command prompt as well. I've tried to find info
on removing this without accessing windows (as he can't), but the
only info I can find is how to prevent it (patches and firewall) or
how to remove it from windows.
Has anyone removed this virus under these circumstances (unable to
keep system running longer than 30 seconds)?


To remove it, do the following:

The instructions are in three parts

1. Stop it from running

2. Remove it from your system

3. Make sure it doesn't come back



Before beginning, if you have an always-on internet connection,
it's a good idea to disconnect it.

1. Stop it from running

Press Ctrl-Alt-Delete to bring up the Task Manager, then on the
Processes tab, click msblast.exe and then "End process." Reply
"Yes" to the warning message that comes up.

This stops the worm from running, so your system will not shut
down. However, it doesn't remove it, and if that's all you do, it
will start up again the next time you boot.

2. Remove it from your system

a. Start the registry editor program, regedit, by going to Start
| Run, and typing REGEDIT
Navigate to HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
by clicking the plus signs next to each of the folders in the
left hand pane. When you get to the last of them, Run, click the
word Run itself.

Find an entry called "Windows Auto Update" on the right side.
Right-click it and delete it.

b. Do a Windows search for msblast, and delete all files found.

The worm is now gone, and won't start again the next time you
boot. But if that's all you do, you can get reinfected just as
you did the first time.

3. Make sure it doesn't come back

a. If you've disconnected your internet connection, reconnect it.
Download and install the Microsoft patch at
http://download.microsoft.com/downl...e-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

That will remove the vulnerability that the worm exploits.

b. Make sure you're running a firewall that prevents worms like
this from getting in. You can enable the built-in Windows XP
firewall, or download and install another one such as the free
version of ZoneAlarm. To enable the built-in firewall, go to
Control Panel, double-click Networking and Internet Connections,
then click Network Connections. Right-click your connection, then
click Properties, and on the Advanced tab, click the option
"Protect my computer and network..."

c. Be sure you are running an anti-virus program, and that you
regularly download the latest updated virus definitions.
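
Both T.C.'s and Ken Blake's instructions hinge on one autostart value under the Run key. As an added example (not part of any post in this thread), the Python code below checks a text export of that key for the value name and file name the posts give; flagging the file name under a different value name goes slightly beyond what the posts describe. The sample export, function names and the "ExampleFirewall" entry are constructed for illustration.

```python
import ntpath
import re

# Indicators from the posts above: the Run value name and the worm's file name.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_NAME = "windows auto update"
FILE_NAME = "msblast.exe"

# Matches "name"="data" string values; \\ and \" are escapes inside the quotes.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleFirewall"="\"C:\\Program Files\\Example\\fw.exe\" -tray"
"windows auto update"="msblast.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="cleanup.exe"
'''


def executable_name(command):
    """File name of the program a Run command line starts, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(None, 1)[0] if command else ""
    return ntpath.basename(path).lower()


def find_blaster_autorun(reg_text):
    """Return (key, value_name, data) for Run entries matching the indicators."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: remember the current key
            continue
        m = STRING_VALUE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue  # not a string value, or not under ...\CurrentVersion\Run
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if name.lower() == VALUE_NAME or executable_name(data) == FILE_NAME:
            hits.append((key, name, data))
    return hits
```

Calling `find_blaster_autorun(SAMPLE_EXPORT)` returns the single matching entry; an export saved as UTF-16 needs decoding to text before it is passed in.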
 
mxh

T.C. said:
The Blaster worm is VERY specific. It brings up a dialog box and ticks down
60 seconds, and then the system reboots. If it's just 30 seconds without
a dialog box and a system reboot, most likely it isn't Blaster. But if
it is Blaster and you can't keep the system up long enough to download the
Blaster Removal tool at:

According to those symptoms, it must not be Blaster. Also, I had him boot
from the XP CD into the Recovery Console and search the system32 dir for
msblaster.exe and it isn't there.
New information:
He boots the system, gets an error message stating that Autochk.exe could
not be found, skipping autocheck. At this point, the system reboots in an
endless loop into the same error message only to reboot again. His
windows\system32 dir does have autochk.exe, but we copied a new copy from
the I386 dir on the CD anyway (again from the recovery console). This didn't
seem to help, as it continues to do the same thing.

Any ideas?

Thanks,
mxh



 
Bruce Chambers

Greetings --

Sorry, but this doesn't sound at all like the effects of
W32.Blaster.Worm, which acts only when the PC connects to a network,
and then gives a 60 second countdown. If the PC is shutting down in
both Safe Mode and the Recovery Console, there's no way the worm could
possibly be involved. It sounds more like a severe hardware failure.
Prime suspects would include the power supply and/or thermally-damaged
motherboard or CPU.

Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
