"MSBLAST" IN MY COMPUTER... ...HELP PLEASE

T O M M Y

Dear XP experts,

please help me with this worm:

On August 30 (today), after making sure I had my firewall on (just XP's),
I connected to the internet via my dial-up modem and directly ran my McAfee
to get the latest version of virus signatures. After downloading the
signatures and applying them, suddenly the "Generic Host Processor for
Win 32" encountered a problem and closed. Then the dirty Msblast caused my
computer to restart. The window that appeared was the same one that was
shown on the Microsoft web site, and it said:

" Windows is shutting down. Please save all your work in progress....
..........This shutdown was initiated by NT AUTHORITY\SYSTEM"

Oh God! After logging on after that restart, I directly turned System
Restore off on all drives, ran my ZoneAlarm (which was turned off at the
moment of disaster) and connected to the internet to make sure I
had the latest updates from McAfee. Well, it was up to date. Then I
disconnected and ran my antivirus... No worm was detected, nothing,
on any drive, nothing...

And now each time I connect to the internet this message appears from
ZoneAlarm:
"Generic Host Processor for Win 32 wants to connect to internet.
Do want to allow this program access the...." And I choose "No", of course.
Then after this the same message appears again! I again choose "No"... then
it does not do anything...

I have problems updating my Windows XP, and I am sure my McAfee is up to
date, but it can't detect anything.
Well, what can I do now? As I am writing this, no message from the
worm has appeared (about 45 minutes after the restart).
When will it appear again? And what can I do? How can I remove it from my
computer? Shall I install XP again and format all drives?


(PS: My XP is installed on D:. My dead 98 is installed on C:, but I cannot
format drive C: in XP now, because a message says: "Windows can't format
this drive.Be sure it is not in use or no window from it is open.."
Although no window is open and no program uses that drive... I have also
checked Task Manager, but no Msblast.exe process was there, although I saw
some new processes... Also, checking my XP firewall, it was off! I am
sure I didn't turn it off...)

Any Help is Much Regarded

PS.2: I have run my McAfee 6 times since that incident occurred, but nothing
yet...
 
Nicholas

Perform a "clean install" of Windows XP, get rid of ZoneAlarm and
install a good, comprehensive security program.

The Windows XP CD is bootable and contains all the tools necessary
to partition and format your drive. Follow this procedure and allow
Windows XP to partition and format your drive:

1. Open your BIOS and set your CD Drive as the first bootable device.
2. Insert your Windows XP CD in the CD Drive and reboot your computer.
3. You'll see a message to boot to the CD....follow the instructions.
4. The setup menu will appear and you should elect to delete the existing
Windows partitions, then create a new partition(s), then format the primary
partition (preferably NTFS) and proceed to install Windows XP.

5. Clean Install Windows XP
http://michaelstevenstech.com/cleanxpinstall.html

[Courtesy of Michael Stevens, MS-MVP]

6. After installing Windows XP, be sure and visit the support website
of the manufacturer of the computer to download and install any
available Windows XP compatible drivers, such as video adapter
and audio drivers.

7. It would be best to physically disconnect all your peripheral hardware
devices, except for your mouse and keyboard, before installing XP.
After XP is installed, visit the support website of the manufacturer
of each hardware device to obtain the latest drivers or software
designed to work with Windows XP.

Consider purchasing and installing a good,
comprehensive internet security package, such as:

Norton Internet Security 2003
http://www.symantec.com/sabu/nis/nis_pe/

Includes:
- Norton AntiVirus - protects your PC from viruses
- Norton Personal Firewall - defends against hackers
- Norton Privacy Control - keeps your personal information private
- Norton Intrusion Detection - detects and blocks online security breaches
- Norton Spam Alert - filters unwanted e-mail
- Norton Parental Control - keeps your children safe on the Internet from porn



--
Nicholas

 
DL

You might care to check www.symantec.com for info on what files may be
appended/altered. Precise removal info is also available. You could also
initiate an online scan at this site; ensure McAfee is not running when
doing so.
Presumably the McAfee site has similar facilities/info, but I don't use it
so....
ZoneAlarm should co-exist with XP firewall, so perhaps it should be
configured to start on logon?
Re: dead C, Format from DOS....?
Format/Reinstall is a last resort.
PS: some people get upset at cross-posting.
David
 
Joybell

Do it in this order: Activate the XP Firewall, PHYSICALLY
DISCONNECT from the internet, disable RPC notification,
reconnect and download the MS security patch again and
the virus removal (Norton or other) tool, PHYSICALLY
DISCONNECT from the internet again, DISABLE SYSTEM
RESTORE, and run the patch and the tool.

It is important to physically disconnect (unplug phone
line) and to disable System Restore because the worm can
restore itself. Turn on System Restore again when you are
done, and re-enable the RPC notification.
 
T O M M Y

Following my first message:

Dear XP experts:

I recently visited http://www.kellys-korner-xp.com/xp_qr.htm#rpc
Then I followed the instructions: set the new setting for "Remote
Procedure Call (RPC)/Recovery/First Failure/Restart the service". Then I
downloaded the script; it found no Msblast in the Windows registry. Then I
downloaded the patch; it did not open because of a trouble.

Can this be a new kind of Msblast? As I mentioned, my McAfee did not find
anything and there was no msblast.exe in Task Manager.

Please help....
 
John Shelton

The script does not try to detect the virus, it only changes the registry
that the virus changed. You are still required to update the RPC
protection. I have taken care of the problem on many PCs and especially
ones that have McAfee. McAfee is my biggest source of income because it
sucks big time. It has missed soooo many viruses.
Go to http://www.symantec.com/avcenter/ and look for the removal tools.
Follow the directions, especially the part about booting in safe mode to do
the scan. If you still can't stay online due to timing out, then Start>Run
and type "shutdown -a" without quotes.

John Shelton
 
Jupiter Jones [MVP]

Tommy;
Try these one at a time.
Please post back with the solution that resolved it for you.

1. Perform Disk Clean-up checking all boxes except "Compress old
files"
Start/All Programs/Accessories/System Tools/Disk Clean-up

2. Go to Internet Options in the Control Panel:
Delete Cookies
Delete Files (check box "Delete all offline content")
Clear History

3. Reboot, login to an Administrator account.
Double click My Computer.
Double click C drive.
Double click Windows file.
Double click System32 file.
Right click catroot2, click rename, type "catroot2old"
ENTER
Otherwise:
Start the Administrative Tools utility in Control Panel.
Double-click Services.
Right-click Cryptographic Services, and then click Properties.
Click Automatic for Startup type, and then click Start.

4. If Cryptographic Services is already set to Automatic, disable it,
reboot, then go back and set to Automatic.
Reboot

5. Start/Run
Type "msconfig" ENTER
Select "Normal Start-up"
Click OK, follow prompts and reboot

6. Start/Run
Type "cmd" ENTER

a.
Type "net stop cryptsvc" ENTER.
Type "net start cryptsvc" ENTER.
b.
Type "regsvr32 softpub.dll" ENTER.
Type "regsvr32 wintrust.dll" ENTER.
c.
Type "regsvr32 initpki.dll" ENTER.
Type "regsvr32 dssenh.dll" ENTER.
d.
Type "regsvr32 rsaenh.dll" ENTER.
Type "regsvr32 cryptdlg.dll" ENTER.

e.
Type "regsvr32 gpkcsp.dll" ENTER
Type "regsvr32 sccbase.dll" ENTER
Type "regsvr32 slbcsp.dll" ENTER

Close the box and install the patch.

7. Otherwise:
Check for missing/damaged System files:
Start/Run
Type "cmd" ENTER
Type "sfc /scannow" ENTER
Have Windows XP CD nearby.
Reboot when completed.

--
Jupiter Jones [MVP]
An easier way to read newsgroup messages:
http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp
http://dts-l.org/index.html
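
Steps 3 and 6 of the reply above, collected into one batch file. This is an added example, not part of Jupiter Jones's post; it assumes an Administrator command prompt on Windows XP and uses %SystemRoot% instead of a fixed C: path, since the original poster's XP is installed on D:.

```bat
@echo off
rem Added example: reset the catroot2 catalog database and re-register
rem the DLLs listed in step 6. Run from an Administrator command prompt.
setlocal
set "SYS32=%SystemRoot%\System32"

rem Do not clobber a backup left behind by an earlier attempt.
if exist "%SYS32%\catroot2old" (
    echo %SYS32%\catroot2old already exists. Rename or remove it first.
    exit /b 1
)

rem Cryptographic Services can hold files in catroot2 open,
rem so stop the service before renaming the folder.
net stop cryptsvc

if exist "%SYS32%\catroot2" (
    ren "%SYS32%\catroot2" catroot2old
    if errorlevel 1 (
        echo Rename failed. Restarting the service and stopping here.
        net start cryptsvc
        exit /b 1
    )
)

rem Set the service to Automatic and start it again. The service
rem recreates an empty catroot2 folder next to catroot2old.
sc config cryptsvc start= auto
net start cryptsvc

rem Re-register the DLLs from step 6. /s suppresses the dialog boxes.
for %%D in (softpub.dll wintrust.dll initpki.dll dssenh.dll rsaenh.dll cryptdlg.dll gpkcsp.dll sccbase.dll slbcsp.dll) do (
    regsvr32 /s "%SYS32%\%%D"
    if errorlevel 1 echo Could not register %%D
)

echo Done. Install the patch now.
endlocal
```

Seeing both catroot2 and catroot2old in System32 afterwards is the expected result: the old database is kept as a backup and the service builds a new one.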
 
Pat

This may sound too simple a suggestion, but have you
downloaded the removal tool from the McAfee site?
Have you gone to their site, temporarily turned off your
antivirus software and run a virus scan online at their
site?

If not then try it. You can also visit the Symantec site
and do the same things, all for free!!
 
T O M M Y

Dear Jupiter :

I did all you said and went through all the instructions, step by step. All
the command prompt DLLs were successful. But unfortunately the problem still
exists. Again the same message appears when running the service patch. I
checked all file systems and found no problem. The only thing is that I did
not rename the catroot2 folder; instead I performed the next step you
described about "Cryptographic Services".

Well, I do not know what I should do now. I also have problems updating my
XP. Each time a message says: " The page you are trying to view cannot be
displayed because the server it resides on does not respond. Please try
again later "
And I try again... but nothing.

However, I went to XP's update web page. It said the page shall be updated
now. I accepted, but the update failed like the other updates.

Regards
 
T O M M Y

Greetings,
dear Jupiter, and many thanks for all your guidance:

Recently I visited http://www.updatexp.com/cryptographic-service.html and
followed its instructions for the famous error message when trying to install
the patch. The thing I did was change System32\Catroot2 to Catroot2old
(the thing you said and I skipped for security!). Then the patch was
installed successfully.

Now I have questions:

1) As I checked my System32 folder again, I saw both "catroot2" and
"catroot2old" folders beside each other. Well, actually I renamed the first
and did NOT create a new folder. Do I have to make any changes there?

2) I have set Remote Call .....First failure to "Restart the service". Do
I have to set it back to the previous setting?

3) And now, with the patch installed, am I secured from the dirty msblast
worm, and is it enough to only use XP's firewall when stepping into the
Internet?


Many Thanks for all Helps...

Hope you enjoy your life.

<Good Luck>
 
T O M M Y

Dear Frank Saunders, I made changes to Catroot2, then with my McAfee on,
the patch was installed successfully.

Thanks for all the help from MVPs and other valuable angels.

Best Regards

<T O M M Y>
 
