Solved MS Blaster/Nacchi will not uninstall

Del / Dimension 5150
October 25, 2012 at 07:50:36
Specs: Windows XP Pro, 1 gb
I downloaded and ran the latest MS Malicious Software Removal Tool; no problem.

However, Secunia advises that I still have installed on my XP pro PC, the MS Blaster/Nacchi in C:\windows\System 32\blastcln.exe version 5.1.2600.5512, which is out of date.

I tried Add/Removal function but the Blaster/Nacchi does not appear.

I tried windows explorer but could not find the file.

I found the file using "Everything" software but every time I delete the Blaster, it immediately reappears. I did manage to delete the backup file in C:\i386 but I cannot get rid of the file in System 32.

Can anyone help please using simple terminology?

bobevan


See More: MS Blaster/Nacchi will not uninstall

Report •


✔ Best Answer
October 27, 2012 at 00:48:46
"Alternatively set Secunia to ignore the program"
Yep, that's what I did, worked on two XP comp's since my last post, all the same.


#1
October 25, 2012 at 11:02:10
Please ignore - response not applicable.

Report •

#2
October 25, 2012 at 15:19:52
I just checked for it on my XP install & it is in the same place as yours.

Googling tells us, it should not be removed.

blastcln.exe is a Windows process associated with Microsoft® Windows® Operating System from Microsoft Corporation. Blastcln.exe checks for Blaster worm infection and a Nachi infection in memory. If it finds an infection, it either ends the worm process, or it stops and deletes the service, or both.

Secunia is telling you it is out of date, which means you probably hav'nt installed SP3 or you hav'nt got the latest MS updates.


Report •

#3
October 25, 2012 at 15:32:38
Good response Johnw - I've editted out my #1.

Report •

Related Solutions

#4
October 25, 2012 at 15:45:27
Thanks Derek.

Report •

#5
October 25, 2012 at 21:59:07
Thank you for your responses.

I am afraid that I do have MS updates on auto update and have run a custom update. SP3 is also installed. I have run the latest version of the MS Malicious Software Removal Tool.

I have run security checks with KIS 2012 Security and up to date Malwarebytes, which similarly confirm ed that there is no threat from the file.

I understand that the file is normally removed with later updates and I did read somewhere that MS said that if it was left over it could be removed manually but it did not say how.

I have two PCs networked and the issue persists on both.

Any further ideas please anyone?

bobevan


Report •

#6
October 25, 2012 at 23:47:46
I just downloaded the PSI version, installed & ran on the XP Pro computer, with the same blastcln.exe version 5.1.2600.5512

The Secunia PSI protects against software vulnerabilities
https://psi.secunia.com/

Got the same result as you.

I think it is probably a false positive.

http://i.imgur.com/4Bpig.gif


Report •

#7
October 26, 2012 at 08:38:44
I gather Secunia does heuristic scans, hence it reports things that have a similar structure or behaviour to viruses. That fits with Johnw's suggestion that this could well be a false positive, although I've not been able to find anything definite about blastcln.exe in this respect.

Always pop back and let us know the outcome - thanks


Report •

#8
October 26, 2012 at 23:21:04
Ok here the fix:

Remove the backup file first.

Reboot your pc into safemode.
log on to your account.
Do a search for the File: blastcln
Set up the search results as follows.
Click on All files and folders.
where it says: (All or part of the file name) type in blastcln
where it says: (Look in) select My Computer
where it says: (More advanced options put a check mark in:
Search system folders
Search hidden files and folders
Search subfolders
Click on search.
After the search has finished. Delete all files found. Then empty the recycle bin.
Reboot
Run a PSI full scan.
You'll have no more problems with MSRT Blaster/Nachi and Secunia

Alternatively set Secunia to ignore the program.

I would be good if MS reolved this issue that only seems to occur with XP machines in future updates but I will not hold my breath on that happening.

bobevan


Report •

#9
October 27, 2012 at 00:48:46
✔ Best Answer
"Alternatively set Secunia to ignore the program"
Yep, that's what I did, worked on two XP comp's since my last post, all the same.

Report •

#10
November 9, 2012 at 08:11:57
I am having the problem.
What looks promising is: "Alternatively set Secunia to ignore the program"
How do I set Secunia to ignor the program?

Report •

#11
November 9, 2012 at 09:44:40
heterophenom

See page 7 of this pdf guide:
http://secunia.com/gfx/pdf/Secunia%...

Strangely, although it was found in Google I had quite a job to get the direct URL to it using IE. Whatever, I managed to work it out using Firefox.

Always pop back and let us know the outcome - thanks


Report •

#12
November 12, 2012 at 09:46:27
Thanks Derek,
I found the Edit Ignor Rule and opened the box.

Got: Rule name: Microsoft Removal Tool: Blaster/Nachi
Rule Path: C:\WINDOWS\System32\blastcln.exe
With:Entering C:\backup\ excludes everthing found in this path.

I entered: C:\backup\WINDOWS\System32\blastcln.exe
OK

Running PSI still reported the program.
Tried two more times, still same result.

Am I entering in the right place? There appears nowhere to enter except the box.


Report •

#13
November 12, 2012 at 12:55:44
The inclusion of C:\backup in the path looks odd - best remove that rule somehow, although I doubt it does anything.

I haven't got Secunia on-board but I found this:
http://techfleece.com/2011/05/24/ho...
Ignore rules information is given about two thirds down the page.

It seems to me that the mention of c:\backup\ and backup is simply to give you an example "IF it was "backup" which you were trying to exclude".

I think you are supposed to just enter the path (target) to blastcln.exe, in your case:
C:\WINDOWS\System32\blastcln.exe
You then give the rule a name in the top box and hit the OK button.

There is also an alternative procedure given, where Secunia makes the rule for you (complete with a name) and if you are happy with the name you just hit OK.

Always pop back and let us know the outcome - thanks


Report •

#14
November 12, 2012 at 14:04:15
"Am I entering in the right place? There appears nowhere to enter except the box"
Open Secunia, right click on bBlaster/Nacchi, select > Ignore.

Report •

#15
November 12, 2012 at 15:05:58
Success. The http://techfleece.com/2011/05/24/ho... showed a different place to click and a rescan of PSI did not flag up the program.
Thank you.

Report •

#16
November 12, 2012 at 15:22:19
Well done and thx for popping back to let us know.


Report •

#17
November 13, 2012 at 04:55:09
Hi Johnw,
If you are still having the problem - try:
Open PSI 2.0 and display results.
Find the program you want to ignor
Click on the + to expand
Observe that there are now two yellow Folder Icons
The first has a red spot
Move the pointer onto the folder with the red spot
"Ignor program" should appear.
A left click should then stop the program appearing.
Rescan and confirm

Report •

#18
November 13, 2012 at 09:04:37
heterophenom

I don't think Johnw has any problems. In #14 he was simply quoting something you had said earlier, then telling you (briefly) how to do it.


Report •

#19
November 13, 2012 at 09:41:49
"I don't think Johnw has any problems"
Thanks Derek.

heterophenom

All I did to fix mine, was as per my post #9

Screenshot 1 shows the message you get when you right click on any program you want Secunia to ignore.
http://www.softpedia.com/progScreen...

Note: I am using the latest version PSI 3.0
http://www.softpedia.com/get/System...


Report •


Ask Question