MSBlast: All the symptoms, but no evidence.

Warpspasm

Distinguished
May 28, 2003
359
0
18,780
Here's a weird one. I have all of the symptoms of the MSBlast worm, but I can't find the process running or any file called MSBLAST.EXE or anything in the registry! I'm not sure what the heck is going on now.

Also, according to MS, the patch is for XP Service Pack 1. I don't have or want SP1. I tried running the patch on my non service packed system and it seems to have gotten through without any problems. Think this will cause any problems?
 

Toejam31

Distinguished
Dec 31, 2007
2,989
0
20,780
I don't see anything about the patch being specifically for Windows XP with SP1 already installed. I'm not running SP1 on all my systems either, and the patch installed without any problems.

Blaster Worm: Critical Security Patch for Windows XP (http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en)

I'd suggest that you install a firewall and see if that takes care of any further problems, such as the freeware version of ZoneAlarm (http://www.zonelabs.com/store/content/home.jsp). I'd also update the anti-virus program, run a full scan on the system and also scan for spyware, with an application like Spybot (http://www.safer-networking.org/) and/or Adaware (http://www.lavasoftusa.com/).

Toey

 

Bardic

Distinguished
Aug 7, 2001
274
0
18,780
From what I've read, the worm doesn't have any coding to determine if you are running Win2000 or WinXP so it has to guess.

If it guesses right, your system will become infected with MSBlaster and won't give any warning. If it guesses wrong then it sends the wrong commands, and RPC closes and your computer restarts.

And another problem with this virus is that it will try to infect machines that are already infected, which gives more chances of guessing wrong and alerting the user to a problem.

So you probably were hit a couple of times and it kept guessing wrong. If you had stayed connected longer, one of the times it would have been right and you would be infected.
 

Lucas1223a

Distinguished
Aug 5, 2003
11
0
18,510
I have used that tool already and it did not remove or find the Blaster virus. I still have all the same symptoms of the virus on my comp. Need help from anyone.
 

NateKingCole

Distinguished
Jul 9, 2003
245
0
18,680
How does this virus spread?? I just got my system today. Not even 8 hours old and I'm infected? I haven't done anything except install Kazaa.
 

ego533

Distinguished
Aug 14, 2003
17
0
18,510
The virus spreads through a Windows vulnerability in the Remote Procedure Call service (through TCP port 135). Basically, all you have to do is be connected directly to the internet. If your computer has an IP that is not exposed directly to the internet, you should be okay unless a computer in that same subnet also has the virus.


After ensuring that the virus is not on your computer, make sure you download and run the patch for the RPC vulnerability. If this is not applied, you will continually get the virus.


There are other viruses that take advantage of this also (Backdoor.Hale for Norton) and you may be infected with one of these.


One fairly sure way to check if one of these viruses has infected your computer is to go to the registry key HKLM\Software\Microsoft\Ole and make sure that the key "EnableDCOM" has the data value 'Y'. If it has 'N' you may be infected.
I'm not an expert so I may have some of this wrong.


I agree that the best thing to do is simply get the latest virus definitions for your Anti-Virus programs and run a full system scan.
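
An added triage example, not part of any post in this thread: it reads the output of `netstat -an`, `reg query HKLM\Software\Microsoft\Ole` and `tasklist` and reports the three things discussed above (TCP port 135 exposed, the EnableDCOM value, a running msblast.exe). The sample outputs are constructed, and the EnableDCOM test is only the heuristic suggested in the post above, not a confirmed indicator.

```python
import re

# Constructed sample output of `netstat -an`, `reg query` and `tasklist`
# (illustrative values, not taken from the thread).
NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
"""
REG_OLE = """\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole
    EnableDCOM    REG_SZ    N
"""
TASKLIST = """\
svchost.exe                    812 Console                 0      3,120 K
msblast.exe                   1432 Console                 0      6,012 K
"""

def rpc_listeners(netstat):
    """Non-loopback local addresses listening on TCP 135 (RPC endpoint mapper)."""
    hosts = []
    for line in netstat.splitlines():
        f = line.split()  # columns: proto, local address, remote address, state
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            host, _, port = f[1].rpartition(":")
            if port == "135" and not host.startswith(("127.", "[::1]")):
                hosts.append(host)
    return hosts

def enable_dcom(reg_output):
    """Data of the EnableDCOM value, or None if it is absent."""
    m = re.search(r"^\s*EnableDCOM\s+REG_SZ\s+(\S+)", reg_output, re.M | re.I)
    return m.group(1) if m else None

def triage(netstat, reg_output, tasklist):
    """Collect human-readable findings from the three command outputs."""
    findings = []
    for addr in rpc_listeners(netstat):
        findings.append(f"TCP 135 is listening on {addr}; firewall it and apply the RPC patch")
    if (enable_dcom(reg_output) or "").upper() == "N":
        findings.append("EnableDCOM is N (the thread's heuristic for a possible infection)")
    if re.search(r"^msblast\.exe\s", tasklist, re.M | re.I):
        findings.append("msblast.exe is running")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(NETSTAT, REG_OLE, TASKLIST)) or "no findings")
```

An empty result does not rule out infection; as the first post shows, symptoms can appear with no msblast.exe present.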
 

NateKingCole

Distinguished
Jul 9, 2003
245
0
18,680
Ok, I got rid of the virus a while ago, but I went to run Windows Update and it denied me, saying my CD key was invalid. Is this due to the virus?

 

wolverinero79

Distinguished
Jul 11, 2001
1,127
0
19,280
A.) Get SP1a (it's free after all and has tons of good things to keep you secure)

B.) What do you mean you have all the symptoms? Maybe your network is worm saturated and it continues to try to attack your system (which will still cause slowness)? Other than that...

 

SirStu

Distinguished
Oct 10, 2003
11
0
18,510
In all the time I had Windows 98SE running NAV, I was never infected with a virus. The other day I installed XP Pro, and decided to have a quick browse on the net before I got the chance to set up my security and download any patches.

To my complete surprise, within about five seconds of connecting via ADSL, I was shut down by the RPC. XP is one seriously compromised OS. Annoying as it is to download them, thank god for patches.