unable to remove W32.Blaster

A Brown

Well, I got blaster virus in my system today. But I am unable to stop or
remove it.

When I click ctrl+Alt+Del to get to Windows Task manager, there is NO
MSBlast or anything like it in the "Process".
However, in the "Application" there is a "System Shutdown". I am unable to
stop it by "end process".
I ran the Symantec's fixblast.exe tool 1.0.6.1 and it did NOT find the
virus.
I ran the Microsoft W32.MSBlaster patch, it did NOT fix or stop the virus.
I ran services.msc and found "Remote Recovery Call (RPC)", but when I
right click, no "properties".
I am able to start this RPC, but the Blaster still keeps ticking.

When I boot from XP CD disc to recovery console, I am unable to access any
other folder such as "Documents and Settings" to look for or remove this
virus. Can you tell me where and how?

Appreciate your help.
 
taff

Try Stinger from McAfee. It is a free download from
http://vil.nai.com/vil/stinger/
Start in safe mode by pressing F8 on startup. It will find and delete
the virus which could be one of many.

Taff...........



www.sounds-pa.com | www.thecomputerworkshop.com
 
David H. Lipman

Do what taff has indicated, and when you do that also install the following patch for the
RPC/RPCSS Buffer Overflow Vulnerability that is addressed by Microsoft Security Bulletin
MS03-39 http://support.microsoft.com/?kbid=824146

Please read: http://www.microsoft.com/security/incident/blast.asp

You also need a FireWall. If you don't patch the PC and don't use a FireWall then you will
just be re-infected.

I also suggest the installation of *ALL* MS Critical Updates ASAP.

Dave




 
Robert Moir

A said:
Well, I got blaster virus in my system today.

Given that all the evidence you presented says otherwise, you might help us
to help you better by saying why you think you have blaster - because it
seems to me you've done all the stuff that would normally sort it out, if
that was the case.


--
 
A Brown

Rob, because the 60 second "System Shutdown" panel is exact and identical
with W32.MSBlaster we had in August. That was fixed with Symantec's
fixblast.exe.
 
Robert Moir

A said:
Rob, because the 60 second "System Shutdown" panel is exact and
identical with W32.MSBlaster we had in August. That was fixed with
Symantec's fixblast.exe.

Does it happen when you are not connected to the network/internet?

That system shutdown panel is not something generated by a virus, by the way;
it's the computer telling you it *has* to restart because of a problem with a
crucial system component.

As such, while it's obviously a good symptom of blaster, it can mean a
non-virus related problem as well.

--
 
A Brown

Rob, we disconnected all the network connection cables. It still counts down
60 seconds and shuts down.
 
David Robbins

fixblast only removes it, it doesn't patch it to prevent reinfection. you
have to install the ms patch for that. if it is blaster you should be able
to bring up the task manager immediately after booting and kill the msblast
process. it could also be nachi or welchia (i think that's the other name),
but those use a different task name. there is also a command to abort the
shutdown, open the run window or a cmd window and do 'shutdown /a'. if it
really is broke then rpc stuff won't work, but at least it gives you a
chance to search for the worm and fix it.
 
A Brown

David, we disconnected all the network cables. Unable to run MS patch
because it takes more than 60 seconds to scan the system, before the Shut
Down clock counts to zero. Unable to run any command to abort the shutdown.
There is NO process in the task manager to END process. There is only "Shut
Down" application which did nothing when I clicked end process.
 
taff

A Brown said:
David, we disconnected all the network cables. Unable to run MS patch
because it takes more than 60 seconds to scan the system, before the Shut
Down clock counts to zero. Unable to run any command to abort the shutdown.
There is NO process in the task manager to END process. There is only "Shut
Down" application which did nothing when I clicked end process.

Have you tried starting in safe mode ??

Taff...........



www.sounds-pa.com | www.thecomputerworkshop.com
 
David Robbins

the patch does not get rid of the blaster once it is on the system, you need
one of the removal tools to take it off then the patch to stop it from
coming back.

if shutdown /a doesn't stop the shutdown then you will have to work fast to
get to the services control panel and disable the rpc service before it
shuts down, then on the next boot it hopefully won't start so it can't shut
you down. you can also try to change the settings on the service recovery
tab so that it doesn't restart the computer on failure. this must not be
the same blaster i fought last year, on that one if the machine was booted
with the network cable unplugged the machine did not shut down.
 
Robert Moir

A said:
Rob, we disconnected all the network connection cables. It still counts
down 60 seconds and shuts down.

I'm not so sure you've "got" blaster at all.

Have you tried a repair install of Windows XP, booting off the CD rather
than windows, obviously?
 
Dwight Stewart

A Brown said:
David, we disconnected all the
network cables. Unable to run
MS patch because it takes more
than 60 seconds to scan the
system, before the Shut Down
clock counts to zero. Unable to
run any command to abort the
shutdown. There is NO process
in the task manager to END
process. There is only "Shut
Down" application which did
nothing when I clicked end process.


The instructions for killing the Blaster worm are located here:

http://www.microsoft.com/security/incident/blast.asp

The exact sequence of steps, starting with the firewall, is important.
Turning on the firewall will delay the worm from starting, giving you time
to complete the other steps. But, even with that, it may take you two or
three attempts to download and install the patch. Make sure you're
disconnected from any outside computer (the web, networks, etc) during this
whole process. Once you get to the last step (removing the worm), make sure
to also turn off System Restore in the System properties control panel (and
back on again once the worm is gone). If you don't turn off System Restore,
it may automatically reinstall the worm (starting everything all over
again).


Dwight Stewart (W5NET)

http://www.qsl.net/w5net/
 
David H. Lipman

Microsoft Knowledge Base Article - 833330
A tool is available to remove Blaster worm and Nachi worm infections from computers that are
running Windows 2000 or Windows XP

http://support.microsoft.com/?kbid=833330

Dave



Carey Frisch [MVP]

Thank you for alerting us to that excellent tool!
I'll be referring folks to it often!

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

---------------------------------------------------------------------------------------------------


| Microsoft Knowledge Base Article - 833330
| A tool is available to remove Blaster worm and Nachi worm infections from computers that are
| running Windows 2000 or Windows XP
|
| http://support.microsoft.com/?kbid=833330
|
| Dave
 
