P
Papercut
::5th Post::
Okay guys, here it is, hope this helps.
First of all, I would like to say that I DO NOT WORK FOR
MICROSOFT.
I am an ex-computer technician who only wants to help the
world out, any worm creator is merely someone who wishes
to cause havoc.
Any information I give on this post is from personal
experience, I removed this worm from my computer yesterday
without reformatting my hard drive.
Use this information AT YOUR OWN RISK.
Okay, having said that, here's how I removed MSBLAST from
my computer.
Step 1. Turning off RPC
It's difficult to do anything while you only have 60
seconds, so this is a way around the RPC being terminated.
::For users who have their XP cd::
Make sure that you have your IE icon on your desktop
before you do this.
If you have your Windows XP cd, there is what is called a
recovery console. To get to the recovery console, start
your computer with the XP CD in your cd drive, if your
CDROM is a boot option, it will say "Press any key to boot
from CD..." press a key, and the windows setup will begin.
You should eventually see options saying "To install XP,
press ENTER", there's an option on
that screen which reads "To repair a previous installation
of Windows using the recovery console, press R"
(If I remember right, the key is R, it may be different.)
If you get to the recovery console, it looks like a dos
prompt, it will say "Which installation of windows would
you like to repair" with a list above it.
Your installation should be 1 (if it's different, it
should have a number beside it), so put 1 in there, and
press enter. It will then ask for the
administrator password, so put that in and press enter.
You should now be in the recovery console.
Type this command into the recovery console:
DISABLE RpcSs
And press enter. You should get a message that
says "RpcSs has gone from SERVICE_AUTO_START to
SERVICE_DISABLED, you must restart your computer for these
changes to take effect."
Type EXIT in the recovery console and your computer should
reboot, do not boot from CD this time.
:For users who do NOT have their XP cd::
If you do not have your Windows XP cd, there is a way to
turn off RPC from windows.
You first need to stop the shutdown, click start/run, then
type this into the command line:
SHUTDOWN -A
This SHOULD stop the shutdown, although this is also by
word of mouth, I have not personally attempted it.
After of which, go to start/settings/control panel, then
click on Administrative Tools, and enter Component
Services.
Once your in component services, click on "Services (Local"
and find "Remote Procedure Call (RPC)," enter this.
(NOT Remote Procedure call (RPC) Locator.)
Once you're inside the properties for RPC, click on
the "Recovery" tab, and you should see somthing similiar
to this:
First failure: Restart the computer
Second failure: Restart the computer
Subsequent failures: Restart the computer
Change ALL of these to "Take no action," you have now
turned the RPC off.
THIS IS IMPERATIVE: WHEN YOU ARE FINISHED REMOVING THE
WORM, TURN THIS BACK ON. (I'll explain how to turn it
back on near the end of this post.)
Step 2. The removal
Okay, with RpcSs turned off, MSBLAST cannot turn off your
computer (at least that's how it worked for me.)
HOWEVER, your computer will run screwy. For instance, you
wont have a start menu (that's why you need the IE icon on
your desktop.)
You should be able to get on the internet and do what
needs to be done now.
Go to housecall.antivirus.com and follow the instructions
for an online scan of your hard drive. After it's
finished, there should be a virus that comes up along the
lines of W32.MSBLAST.WORM, when the scan is complete, tell
housecall to delete the worm.
We're done with housecall now.
Step 3. The fix
Now that we've removed the worm, we need the fix so it
wont bother us again.
Go to this microsoft site:
http://www.microsoft.com/technet/treeview/?
url=/technet/security/bulletin/MS03-026.asp
Download the patch that corresponds with your version of
windows to your desktop, then install it. This part
should be pretty automatic.
If everything goes as I hope it will, you should be immune
to MSBLAST now.
Step 4. Turning RPC back on
Now that you have the virus removed (hopefully) you need
to turn RpcSs back on.
Get back to the recovery console from the instructions in
step 1, only this time we're going to do the reverse.
Type this command into the recovery console:
ENABLE RpcSs SERVICE_AUTO_START
You should recieve a message saying "RpcSs has gone from
SERVICE_DISABLED to SERVICE_AUTO_START, you must reboot
your computer for these changes to take effect."
Type EXIT into the recovery console and let your computer
reboot.
If all went well, you are home free.
I hope this fix helps with the MSBLAST worm, I hate seeing
this kind of thing happen to everyone.
Okay guys, here it is, hope this helps.
First of all, I would like to say that I DO NOT WORK FOR
MICROSOFT.
I am an ex-computer technician who only wants to help the
world out, any worm creator is merely someone who wishes
to cause havoc.
Any information I give on this post is from personal
experience, I removed this worm from my computer yesterday
without reformatting my hard drive.
Use this information AT YOUR OWN RISK.
Okay, having said that, here's how I removed MSBLAST from
my computer.
Step 1. Turning off RPC
It's difficult to do anything while you only have 60
seconds, so this is a way around the RPC being terminated.
::For users who have their XP cd::
Make sure that you have your IE icon on your desktop
before you do this.
If you have your Windows XP cd, there is what is called a
recovery console. To get to the recovery console, start
your computer with the XP CD in your cd drive, if your
CDROM is a boot option, it will say "Press any key to boot
from CD..." press a key, and the windows setup will begin.
You should eventually see options saying "To install XP,
press ENTER", there's an option on
that screen which reads "To repair a previous installation
of Windows using the recovery console, press R"
(If I remember right, the key is R, it may be different.)
If you get to the recovery console, it looks like a dos
prompt, it will say "Which installation of windows would
you like to repair" with a list above it.
Your installation should be 1 (if it's different, it
should have a number beside it), so put 1 in there, and
press enter. It will then ask for the
administrator password, so put that in and press enter.
You should now be in the recovery console.
Type this command into the recovery console:
DISABLE RpcSs
And press enter. You should get a message that
says "RpcSs has gone from SERVICE_AUTO_START to
SERVICE_DISABLED, you must restart your computer for these
changes to take effect."
Type EXIT in the recovery console and your computer should
reboot, do not boot from CD this time.
:For users who do NOT have their XP cd::
If you do not have your Windows XP cd, there is a way to
turn off RPC from windows.
You first need to stop the shutdown, click start/run, then
type this into the command line:
SHUTDOWN -A
This SHOULD stop the shutdown, although this is also by
word of mouth, I have not personally attempted it.
After of which, go to start/settings/control panel, then
click on Administrative Tools, and enter Component
Services.
Once your in component services, click on "Services (Local"
and find "Remote Procedure Call (RPC)," enter this.
(NOT Remote Procedure call (RPC) Locator.)
Once you're inside the properties for RPC, click on
the "Recovery" tab, and you should see somthing similiar
to this:
First failure: Restart the computer
Second failure: Restart the computer
Subsequent failures: Restart the computer
Change ALL of these to "Take no action," you have now
turned the RPC off.
THIS IS IMPERATIVE: WHEN YOU ARE FINISHED REMOVING THE
WORM, TURN THIS BACK ON. (I'll explain how to turn it
back on near the end of this post.)
Step 2. The removal
Okay, with RpcSs turned off, MSBLAST cannot turn off your
computer (at least that's how it worked for me.)
HOWEVER, your computer will run screwy. For instance, you
wont have a start menu (that's why you need the IE icon on
your desktop.)
You should be able to get on the internet and do what
needs to be done now.
Go to housecall.antivirus.com and follow the instructions
for an online scan of your hard drive. After it's
finished, there should be a virus that comes up along the
lines of W32.MSBLAST.WORM, when the scan is complete, tell
housecall to delete the worm.
We're done with housecall now.
Step 3. The fix
Now that we've removed the worm, we need the fix so it
wont bother us again.
Go to this microsoft site:
http://www.microsoft.com/technet/treeview/?
url=/technet/security/bulletin/MS03-026.asp
Download the patch that corresponds with your version of
windows to your desktop, then install it. This part
should be pretty automatic.
If everything goes as I hope it will, you should be immune
to MSBLAST now.
Step 4. Turning RPC back on
Now that you have the virus removed (hopefully) you need
to turn RpcSs back on.
Get back to the recovery console from the instructions in
step 1, only this time we're going to do the reverse.
Type this command into the recovery console:
ENABLE RpcSs SERVICE_AUTO_START
You should recieve a message saying "RpcSs has gone from
SERVICE_DISABLED to SERVICE_AUTO_START, you must reboot
your computer for these changes to take effect."
Type EXIT into the recovery console and let your computer
reboot.
If all went well, you are home free.
I hope this fix helps with the MSBLAST worm, I hate seeing
this kind of thing happen to everyone.
MSBLAST.EXE process from Task