Help! Blaster removal Tools did not remove virus. Now what?

Nate Goulet

Help! Blaster removal Tools did not remove virus. Now what?

I'm trying to fix a machine for someone who is infected by the Blaster
virus. Their Windows XP machine brings up the NT Administrator
Windows and shuts the computer down after they've made a connection to
the Internet.

I've tried removing it in SafeMode too.

I used the Tool from Symantec. After it removes the virus, it asks if
I want to go directly to the Microsoft site & download the Windows
patch. As soon as the site comes up, the NT Administrator message
comes up and shuts the computer down again.

I've tried it a few times, powered the computer off completely,
clicked No to going to the Microsoft site (there isn't an option to
just close the window). Each time the Administrator message comes
up.

I saw nothing in the removal instructions that mentioned it would even
prompt to go to Microsoft's site. I'm guessing the virus may be
generating that window, since as soon as I select an option the virus
seems to trigger.

Please e-mail me you've responded to this message if you have any
suggestions: (e-mail address removed)

Thanks
 
brushes

First, disconnect the system from the broadband supply and kill the running
process.

Run the removal tool, apply the patch. Enable the XP firewall (ICF) on the network
connection.

Restart and reconnect to broadband.

If, for any reason, it was not removed: Start - Run and type shutdown -a

This will prevent the shutdown so you can download anything else you need.

B
 
David H. Lipman

When you get the shutdown message...

Go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/ or the Microsoft Lovsan/Blaster and Nachi/Welchia
Removal Tool
http://www.microsoft.com/downloads/...8B-FE98-493F-AD76-BF673A38B4CF&displaylang=en
and install the following patch for the RPC/RPCSS and DCOM Vulnerabilities that are
addressed by Microsoft Security Bulletin MS04-012 - KB828741
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741 and finally
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

Please read: http://www.microsoft.com/security/incident/blast.asp

You also need a FireWall. If you don't patch the PC and don't use a FireWall then you will
just be re-infected.

I also suggest the installation of *ALL* MS Critical Updates ASAP.

Dave





 
Miles Fromier

Nate Goulet said:
> Help! Blaster removal Tools did not remove virus. Now what?

Maybe you didn't really have the virus.

> I'm trying to fix a machine for someone who is infected by the Blaster
> virus. Their Windows XP machine brings up the NT Administrator
> Windows and shuts the computer down after they've made a connection to
> the Internet.

Not really an indication that the machine has the virus. If an RPC worm comes a knockin' wearing the wrong exploit it causes
the shutdown. Applying the firewall should prevent this until you get patched against this (and other) exploit(s). Either
patch (recommended) or hide the vulnerabilities from the network (the ostrich method - not recommended).

> I've tried removing it in SafeMode too.

You could try doing it while standing on a chair and quoting Shakespeare - but that won't help either if the symptoms are
of attempted attacks that failed. :)
 
Wannabe A+

> I also suggest the installation of *ALL* MS Critical Updates ASAP.

If the XP machine is on SP1 update it to SP2.

Windows Update does not always give you everything you need to stay
current. Download the Microsoft Baseline Security Analyzer at
http://www.microsoft.com/technet/security/tools/mbsahome.mspx and run it to
get a list of missing patches. A word of caution--on my SP2 PC the MBSA
program identified a patch as missing when indeed it was installed. Verify
the list of missing patches with your PC before downloading any patches.
Another M$ confuser is that the site lists MBSA 1.2.1 when in reality it
downloads 1.2.4.

Good luck
 
