Blaster virus

Thank you for being so helpful

How do I get rid of the Blaster virus? My PC was formatted, with Windows re-installed. I was only online for an hour. Can the virus live on a hard drive when it's formatted?

Thanks

Jules
 
If and when you get the shutdown message...

Go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/ or the Microsoft Lovsan/Blaster and Nachi/Welchia
Removal Tool
http://www.microsoft.com/downloads/...8B-FE98-493F-AD76-BF673A38B4CF&displaylang=en
and install the following patch for the RPC/RPCSS Buffer Overflow Vulnerability that is
addressed by Microsoft Security Bulletin MS03-39 http://support.microsoft.com/?kbid=824146

Please read: http://www.microsoft.com/security/incident/blast.asp

You also need a FireWall. If you don't patch the PC and don't use a FireWall then you will
just be re-infected.

I also suggest the installation of *ALL* MS Critical Updates ASAP.

Dave




| Thank you for being so helpful
|
| How do i get rid of the Blaster virus, my pc was formatted, with windows re-installed, i
| was only on line for an hour, can the virus live on an hard drive when it's formatted.
|
| Thanks
|
| Jules
 
No it cannot. You probably went back online without having a firewall
turned on, and without having the proper critical updates applied. See
David H Lipman's post for removal info.


jULES said:
Thank you for being so helpful

How do i get rid of the Blaster virus, my pc was formatted, with windows
re-installed, i was only on line for an hour, can the virus live on an hard
drive when it's formatted.
 
You can be online for ONE MINUTE and get the Blaster virus if you do
not have a firewall installed and activated

Remove Blaster with a tool from Symantec
http://securityresponse.symantec.com/avcenter/tools.list.html
Then install the Sygate firewall
http://smb.sygate.com/products/spf/spf_ov.htm


John Thomas Smith
http://www.direct2usales.com
http://www.pacifier.com/~jtsmith
 
jULES said:
Thank you for being so helpful

How do i get rid of the Blaster virus, my pc was formatted, with
windows re-installed, i was only on line for an hour, can the virus
live on an hard drive when it's formatted.



The following instructions are in three parts

1. Stop it from running

2. Remove it from your system

3. Make sure it doesn't come back



Before beginning, if you have an always-on internet connection,
it's a good idea to disconnect it.



1. Stop it from running

Press Ctrl-Alt-Delete to bring up the Task Manager, then on the
Processes tab, click msblast.exe and then "End process." Reply
"Yes" to the warning message that comes up.

This stops the worm from running, so your system will not shut
down. However, it doesn't remove it, and if that's all you do, it
will start up again the next time you boot.


***

2. Remove it from your system

a. Start the registry editor program, regedit, by going to Start
| Run, and typing REGEDIT
Navigate to
HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
by clicking the plus signs next to each of the folders in the left
hand pane. When you get to the last of them, Run, click the word
Run itself.

Find an entry called "Windows Auto Update" on the right side.
Right-click it and delete it.

b. Do a Windows search for msblast, and delete all files found.

The worm is now gone, and won't start again the next time you
boot. But if that's all you do, you can get reinfected just as
you did the first time.

***


3. Make sure it doesn't come back

a. Make sure you're running a firewall that prevents worms like
this from getting in. You can enable the built-in Windows XP
firewall, or download and install another one such as the free
version of ZoneAlarm. To enable the built-in firewall, go to
Control Panel, double-click Networking and Internet Connections,
then click Network Connections. Right-click your connection, then
click Properties, and on the Advanced tab, click the option
"Protect my computer and network..."


b. If you've disconnected your internet connection, reconnect it.
Download and install the Microsoft patch at
http://www.microsoft.com/downloads/...8b-fe98-493f-ad76-bf673a38b4cf&displaylang=en

That will remove the vulnerability that the worm exploits.


c. Be sure you are running an anti-virus program, and that you
regularly download the latest updated virus definitions.
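
An added example, not part of the original post: a short Python triage script that checks saved `tasklist`, `reg query` and hotfix-listing output against the indicators named in this thread (msblast.exe, the "Windows Auto Update" Run value, KB824146) and lists which of the steps above are still outstanding. The sample captures, the `ExampleTray` entry and the assumed output layouts are constructed for illustration.

```python
import re

WORM_IMAGE = "msblast.exe"          # process and file name (steps 1 and 2b)
RUN_VALUE = "windows auto update"   # Run-key value name (step 2a)
PATCH_KB = "KB824146"               # MS03-039 patch named later in the thread

def worm_running(tasklist_text):
    """True if msblast.exe is the image name on any `tasklist` line."""
    for line in tasklist_text.splitlines():
        fields = line.split()
        if fields and fields[0].lower() == WORM_IMAGE:
            return True
    return False

def run_key_hits(reg_text):
    """(name, data) pairs in `reg query ...\\Run` output that match the worm."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+(REG_\w+)\s*(.*)$", line)
        if m is None:
            continue  # key header or blank line
        name, data = m.group(1), m.group(3).strip()
        if name.lower() == RUN_VALUE or WORM_IMAGE in data.lower():
            hits.append((name, data))
    return hits

def patch_present(hotfix_text):
    """True if KB824146 appears in a hotfix listing (assumed: one id per line)."""
    return re.search(r"\b%s\b" % PATCH_KB, hotfix_text, re.I) is not None

def remaining_steps(tasklist_text, reg_text, hotfix_text):
    """List the steps from the post that still need doing, in its order."""
    todo = []
    if worm_running(tasklist_text):
        todo.append("1: end the msblast.exe process")
    for name, data in run_key_hits(reg_text):
        todo.append("2a: delete Run value %r (%s)" % (name, data))
    if not patch_present(hotfix_text):
        todo.append("3b: install " + PATCH_KB)
    return todo

# Constructed sample captures (not from a real machine).
TASKLIST = "Image Name   PID\nsvchost.exe  812\nmsblast.exe  1480\n"
REG = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
       "    windows auto update\tREG_SZ\tmsblast.exe\n"
       "    ExampleTray\tREG_SZ\tC:\\Example\\tray.exe\n")
HOTFIXES = "[01]: KB823980 - Update\n"

print("\n".join(remaining_steps(TASKLIST, REG, HOTFIXES)))
```

The value-name comparison is case-insensitive, so it matches whether the entry is stored as "Windows Auto Update" or in lower case.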
 
Mistakes Ken !

The information I extracted from your post is incorrect !

What you have provided is NOT a patch. It is the Lovsan/Blaster & nachi/Wechia removal
tool. It will not correct the RPC/RPCSS Buffer Overflow Vulnerability that is addressed by
Microsoft Security Bulletin MS03-39 http://support.microsoft.com/?kbid=824146 That is the
"patch" to prevent the internet worms.

A *better* tool (non Microsoft) is McAfee's Stinger: http://vil.nai.com/vil/stinger/


Dave


| b. If you've disconnected your internet connection, reconnect it.
| Download and install the Microsoft patch at
| http://www.microsoft.com/downloads/...8b-fe98-493f-ad76-bf673a38b4cf&displaylang=en
|
| That will remove the vulnerability that the worm exploits.
 
David said:
Mistakes Ken !

The information I extracted from your post is incorrect !

What you have provided is NOT a patch. It is the Lovsan/Blaster &
nachi/Wechia removal
tool. It will not correct the RPC/RPCSS Buffer Overflow Vulnerability
that is addressed by
Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146 That is the "patch" to
prevent the internet worms.

A *better* tool (non Microsoft) is McAfee's Stinger:
http://vil.nai.com/vil/stinger/

Actually, Dave, Stinger will not patch the operating system either. And
Ken did address the necessity of patching the system in Item 3.b.
(quoted below).

Cheers,

Malke
 
I called Stinger a TOOL not a PATCH. It removes the infector it does not patch the
RPC/RPCSS Buffer Overflow Vulnerability.

The URL;
http://www.microsoft.com/downloads/...8B-FE98-493F-AD76-BF673A38B4CF&displaylang=en
Is also a removal tool
I quote...
"This tool will help remove the Blaster worm from Windows XP and Windows 2000 machines
infected with Blaster and patched with MS03-26 [KB823980] or MS03-039 [KB824146]."

Ken did NOT provide the patch in 3b.

The PATCH for the RPC/RPCSS Buffer Overflow Vulnerability is addressed by Microsoft
Security Bulletin MS03-39 http://support.microsoft.com/?kbid=824146 and is KB824146.

Please correct your information as well.

Dave



| David H. Lipman wrote:
|
| > Mistakes Ken !
| >
| > The information I extracted from your post is incorrect !
| >
| > What you have provided is NOT a patch. It is the Lovsan/Blaster &
| > nachi/Wechia removal
| > tool. It will not correct the RPC/RPCSS Buffer Overflow Vulnerability
| > that is addressed by
| > Microsoft Security Bulletin MS03-39
| > http://support.microsoft.com/?kbid=824146 That is the "patch" to
| > prevent the internet worms.
| >
| > A *better* tool (non Microsoft) is McAfee's Stinger:
| > http://vil.nai.com/vil/stinger/
| >
|
| Actually, Dave, Stinger will not patch the operating system either. And
| Ken did address the necessity of patching the system in Item 3.b.
| (quoted below).
|
| Cheers,
|
| Malke
|
| > | > | b. If you've disconnected your internet connection, reconnect it.
| > | Download and install the Microsoft patch at
| > |
| > http://www.microsoft.com/downloads
| details.aspx?FamilyID=e70a0d8b-fe98-493f-ad76-bf673a38b4cf&displaylang=en
| > |
| > | That will remove the vulnerability that the worm exploits.
|
| --
| MS MVP - Windows Shell/User
| Elephant Boy Computers
| www.elephantboycomputers.com
| "Don't Panic!"
 
