Webmaster General Forum

Found a virus on my machine - msblast.exe
This program has hijacked my computer....
Imaster




msg:365752
 7:51 pm on Aug 11, 2003 (gmt 0)

Not sure where to post this, so I selected this forum to get some answers from other experts.

There is some application msblast.exe which has suddenly appeared on my computer (which I noticed via the task manager). I have Windows 2000.

Now, I can't open any window by right-clicking on a link & selecting "open a new window", neither am I able to do an uninstall from the "Control Panel > Add/Remove program", simply because when I click on "Add/Remove program" option in CP, it doesn't display anything. In short, many applications are not responding and I feel like my comp's been hijacked.

I tried looking for msblast.exe in Google to learn more about it, but can't find anything.

Does anyone have an idea what's happening?

[added] Another potential clue could be the svchost.exe file. Windows suddenly gave an error that this particular file has done an error or some message like that, and now I see this msblast.exe

I can't do a ctrl+c or any basic functions as well[/added]

 

d_fused




msg:365782
 12:52 am on Aug 13, 2003 (gmt 0)

According to Symantec:


Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

More on the topic: Here [securityresponse.symantec.com]

Just install a decent firewall (e.g. Zone Alarm) and keep your computer patched.

d_
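A way to check firewall logs for traffic on the three ports in the Symantec advice above (an added example, not part of the thread). The field layout is assumed to follow the Windows ICF `pfirewall.log` format; the log lines and addresses are constructed.

```python
from collections import defaultdict

# Ports named in the post: (protocol, destination port) -> label
WATCHED = {("TCP", 4444): "TCP 4444", ("TCP", 135): "DCOM RPC", ("UDP", 69): "TFTP"}

# Constructed sample lines (documentation addresses only), laid out as
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2003-08-12 09:14:02 DROP TCP 198.51.100.23 192.0.2.10 3305 135
2003-08-12 09:14:05 OPEN TCP 192.0.2.10 203.0.113.5 1042 80
2003-08-12 09:15:40 DROP TCP 198.51.100.23 192.0.2.10 3306 4444
2003-08-12 09:16:11 OPEN UDP 192.0.2.10 198.51.100.23 1050 69
2003-08-12 09:17:30 DROP TCP 198.51.100.77 192.0.2.10 4120 135
garbage line that should be skipped
"""

def parse_line(line):
    """Return a dict for one record, or None for headers and malformed lines."""
    parts = line.split()
    if len(parts) < 8 or line.startswith("#"):
        return None
    try:
        dport = int(parts[7])
    except ValueError:
        return None
    return {"action": parts[2], "proto": parts[3].upper(),
            "src": parts[4], "dst": parts[5], "dport": dport}

def triage(log_text, local_ip):
    """Group hits on the watched ports by remote peer."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = WATCHED.get((rec["proto"], rec["dport"])) if rec else None
        if label is None:
            continue
        direction = "inbound" if rec["dst"] == local_ip else "outbound"
        peer = rec["src"] if direction == "inbound" else rec["dst"]
        report[peer].append((label, direction, rec["action"]))
    return dict(report)

def needs_followup(report):
    """Peers with at least one watched-port hit the firewall did not drop."""
    return sorted(p for p, hits in report.items()
                  if any(action != "DROP" for _, _, action in hits))
```

A watched-port record with any action other than DROP means the block rule is missing or was bypassed for that peer, so that machine is the one to inspect first.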

aspdaddy




msg:365783
 1:01 am on Aug 13, 2003 (gmt 0)

TheWhippinpost, I would run fixblast anyway, it won't hurt :).

tkteo




msg:365784
 4:28 am on Aug 13, 2003 (gmt 0)

There's a lengthy thread on Mblast/LoveSan at the Techspot forum, if anyone is looking for more info.

Steve Gibson of Gibson Research Corporation has posted tools to test your firewall. Actually, he's done so for years.

cazgh




msg:365785
 8:58 am on Aug 13, 2003 (gmt 0)

How gutted!

Just did ctl-alt-del and had a look at task manager - mblast is first in my list!

Visit Thailand




msg:365786
 9:01 am on Aug 13, 2003 (gmt 0)

cazgh - read some of the previous posts especially post 23.

They should change the title of this page.

jbinbpt




msg:365787
 9:02 am on Aug 13, 2003 (gmt 0)

The CTRL-ALT-DEL will show this thread as the top item. Not the actual worm.

aravindgp




msg:365788
 2:17 pm on Aug 13, 2003 (gmt 0)

Today morning as soon as we opened our Windows XP computers at office, the Blaster Virus, simply put every machine in the network offline. It was switching the power off for every 15 minutes.

Aravind
Ps: Didn't see this post earlier thought it would be in operating systems.

Imaster




msg:365789
 3:36 pm on Aug 13, 2003 (gmt 0)

I don't know if this is because of the msblast virus, but on one of my PCs, I can't see the text on most of the sites, including webmasterworld and microsoft.com

I can only see the bullets, images, etc, but no text. But if I open the page source and read it, everything looks fine.

Don't know what is causing this! Anyone...

rcjordan




msg:365790
 5:47 pm on Aug 13, 2003 (gmt 0)

update:

Just stopped by the local computer shop to pick up a new laptop battery. It's a battle zone and they showed me the systems queuing up to get on the work bench ...it looks like a civil war hospital in there.

thistle




msg:365791
 8:10 pm on Aug 13, 2003 (gmt 0)

on 8/11 about noon i came home and attempted to open icq
started get error messages from NT/AUTHORITY/SECURITY
shutting my computer down in 60 seconds
sooo i did a system restore back one day
it stopped the restarts
i contacted a friend on q who said it was a hack and sent me the microsoft patch link so i downloaded that
then i saw the file msblast.exe through search, files & folders
i called the computer store they said to run the norton worm removal
it did not find the worm
i tried lockdown no luck
sooooo i just deleted the msblast.exe from my harddrive
when the norton worm did not work i followed the manual steps
there's nothing listed in the registry pertaining to the worm
only thing was that one file on the hard drive which i deleted
is this going to be enough to clean my system?

thank you for your help

ovrnoot




msg:365792
 8:41 pm on Aug 13, 2003 (gmt 0)

From what I've heard about this one, for God's sake DON'T restore. What happens is that it is then in restore and you can't get it out. Get it out first, THEN restore if you must. I'm not sure if this is correct, but it makes sense to me.

thistle




msg:365793
 8:44 pm on Aug 13, 2003 (gmt 0)

well it's too late
the first thing i did was restore to stop the restarts so i could get online
then i turned off system restore and it deleted all restore points
so it should have wiped the worm out if it was stored in restore

when i ran the ms patch it created its own restore point from what i could tell

is there anything else i need to do?

Imaster




msg:365794
 9:22 pm on Aug 13, 2003 (gmt 0)

Thistle,

I got the virus day before, and I simply did the following steps to get rid of it.

- Got this file and did a scan: [www3.ca.com...] (which almost removed the worm)

- Went to registry using the Run > Regedit & searched for "msblast", and removed the entry.

- Downloaded SP2 [microsoft.com] from Microsoft & did a patch.

- Furthermore, downloaded the RPC patch [microsoft.com] and did another patch as well. (I think you need SP2 (service pack 2) installed before you can install this particular patch.)

And that done, my pc's quick as ever :)

Read these articles on how to clean your infected pc:

[zdnet.com.au...]

[webadvantage.net...]

[securityresponse.symantec.com...] [tool for removal]

Perhaps as some sites mentioned, you may not be able to remove the msblast.exe application from task manager, because it may be in use.

The best way to stop it is to download a msconfig substitute program from [mlin.net...] and installing it.

Then go to: Start > Settings > Control Panel > Startup > HKLM/RUN & deselect the msblast.exe (and also deleting that key from there). Then restart your pc and follow other steps as mentioned above.

Lastly, download a good firewall like Zone Alarm Pro from www.zonelabs.com (buy it or crack it) and keep it running.

A Must Read from the Microsoft site: [microsoft.com...]
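The registry step in the post above can be checked offline against an exported copy of the registry. This is an added example, not part of the thread: it reads the text format regedit writes on export and lists Run-key values that reference msblast. The sample export and its value names are constructed, and the check covers the Run key in any hive, which goes slightly beyond the HKLM/RUN location the post names.

```python
import re

# Constructed sample export; value names and paths are made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTrayApp"="C:\\Program Files\\Example\\tray.exe /min"
"constructed entry"="MSBLAST.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="msblast removal notes"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINNT\\system32\\msblast.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# "name"="data", where either side may contain \\ or \" escapes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    """Undo the backslash escaping used for string values in .reg files."""
    return re.sub(r'\\(.)', r'\1', s)

def run_entries(reg_text):
    """Yield (key, name, data) for string values under any ...\\CurrentVersion\\Run key."""
    key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.upper().endswith(r"\CURRENTVERSION\RUN"):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_autostart(reg_text, needle="msblast"):
    """Return Run-key entries whose command line mentions the needle."""
    return [(k, n, d) for k, n, d in run_entries(reg_text)
            if needle.lower() in d.lower()]
```

The match is on the value's data rather than its name, since the name shown in the startup list says nothing about which file actually runs.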

lasko




msg:365795
 6:27 am on Aug 15, 2003 (gmt 0)

Many of us here at all levels have been affected by the latest virus attack and I have to say the Webmaster World is a great place for advice and support as in the world of computers sometimes you feel isolated.

Webmaster World, is it possible we could have a new forum for all Security, Viruses and Firewall issues?

The ever ending increase of the viruses and hoaxes are making headaches for many.

Just a thought.

Sinner_G




msg:365796
 7:29 am on Aug 15, 2003 (gmt 0)

I'm not sure it is the same virus. What happened to me is that I couldn't do any right-click opening in a new window in IE (Opera working fine though) and wasn't able to drag&drop files on my desktop either (Win2K). The msblast.exe process was nowhere to be found, also not in the registry. Still applying the patch from Microsoft (using Opera, as the page wouldn't open in IE) solved the problem.

5stars




msg:365797
 2:50 pm on Aug 16, 2003 (gmt 0)

<< While viewing this thread, I did a CTRL-ALT-DEL to see if I had this trojan running on my machine >>

I just did a control+Alt+delete and the worm is running on my computer but I see any performance issues at all, or any of the problems I have heard about.

Can anyone tell me why I have it but no symptoms?

Thanks,

Essex_boy




msg:365798
 3:11 pm on Aug 16, 2003 (gmt 0)

I got hit by this, went to my local nationwide chain of PC stores to ask about it.

The advice he gave me was total rubbish and was more harmful than the dam virus! Any way I bought myself a firewall, deleted the thing by hand and that was that.

The shop assistant stated he was wiping the harddrives of 18 customers' PCs a day, horrific figure, and totally overboard.

Guess there's a lesson there.

Does anyone know where it came from?

pageoneresults




msg:365799
 3:28 pm on Aug 16, 2003 (gmt 0)

I just did a control+Alt+delete and the worm is running on my computer but I see any performance issues at all, or any of the problems I have heard about.

5stars, make sure that when you did the Ctrl+Alt+Del that it was not this topic in IE that you were seeing. Because of the title of this thread, some may mistakenly think that msblast.exe is running on their system when in fact it is your IE browser displaying the title of the page you are viewing. ;)

msblast.exe - Microsoft Internet Explorer

P.S. It also appears that this msblast.exe does not affect older OS like Win98 which I am still running.

5stars




msg:365800
 4:08 pm on Aug 16, 2003 (gmt 0)

Wow do I feel stupid.

Thanks pageoneresults.

I was wondering why when I closed my browser the msblast.exe disappeared.

pageoneresults




msg:365801
 4:11 pm on Aug 16, 2003 (gmt 0)

Wow do I feel stupid.

Nope, I wouldn't go that far! I too thought the same thing before I came to my senses. ;) I even requested a title change as this could happen to anyone not fully functioning on a Saturday morning.

oilman




msg:365802
 5:03 pm on Aug 16, 2003 (gmt 0)

sorry folks - I wasn't really following this thread that close. My apologies for not changing the title sooner. Hopefully we'll head off any potential heart attacks now :)

RoadRash




msg:365803
 5:08 pm on Aug 16, 2003 (gmt 0)

This is the official service of impact email from Microsoft to tech support: Only for XP systems, no SOI on NT / 2000 as I don't deal with that...

Customers not infected by the virus:

1. Educate the customer of the virus and direct the customer to review the Microsoft security bulletin (http://www.microsoft.com/security/security_bulletins/ms03-026.asp) and download the recommended fix.

2. Inform the customer that Microsoft is experiencing a high volume of calls due to this virus and offer online resources to the customer.

3. If the customer wishes to speak to an SP, despite the potential wait time, follow existing call handling procedures per the KB and CRT.

Customers who are infected by the virus:

Inform the customer you can walk them through steps to restore the stability of their system. These steps will:

· Stop the system from rebooting every few minutes

· Patch the system and stop the vulnerability from being exploited again

· Update the customer’s antivirus signature and help to protect them from re-infection and clean any malware resulting from the infection

· It is important that the customer clean their systems using software from their antivirus vendor after applying the fix from Microsoft

1. Extend restart settings

a. Click Start, select Run, and type services.msc.

b. Scroll down and double click Remote Procedure Call.

c. Select the Recovery tab.

d. Click the Restart Computer Options button.

e. Change Restart computer after from one to 30 minutes.

f. Click OK.

g. Click Apply and then click OK on the Remote Procedure Call (RPC) Properties window.

h. Close the Services window.

2. Enable Windows Connection Firewall (ICF)

a. Open the Control Panel, double-click Networking and Internet Connections, and then click Network Connections.

b. Right-click the current Internet or Network connection, and then click Properties.

c. On the Advanced tab, click the check box to select the option to Protect my computer or network.

3. Direct the customer to apply the patch for Security Bulletin MS03-026 by going to one of the following locations:

Option 1

· Connect to [microsoft.com...]

· The customer can download the update through the Windows Update site by selecting the link “Get this and other available Windows updates”

Option 2

· Connect to [microsoft.com...]

· Select “Blaster Worm: Critical Security Patch for Windows XP”

4. Note: The above steps will not remove the virus from the customer’s system. Customers should visit a Microsoft Virus Information Alliance partner available at one of the below links:

· Network Associates:
[us.mcafee.com...]

· Trend Micro:
[trendmicro.com...]

· Symantec:
[securityresponse.symantec.com...]

· Computer Associates:
[www3.ca.com...]

jimfernbank




msg:365804
 5:42 pm on Aug 18, 2003 (gmt 0)

I had a client whose system was rebooting every few minutes. I tried following the steps on Microsoft's web site, but couldn't complete them because of the rebooting! The steps above from RoadRash work because the first step stops the rebooting, so you can continue with the remaining steps. Well done RoadRash!
