The patch seems to work for me. This worm is a huge problem. I read somewhere that it attacks Windows 2000 and Windows XP users.

0

I ran the Microsoft.com patch suggested on Aug. 11th by Leighton, but it cured only the existence of the nasty dialogue box I got whenever I logged on to the Internet ("svchost.exe has generated errors and will be closed..."). I still can't copy-&-paste, nor do a Search for Files & Folders from the Start menu, nor go into Display, Add/Remove Programs from Control Panel, etc. Can anyone help?

0

I have the same problem. the fixblast and the patch from the microsoft removed the bug but I lost the "search function" "windows installer" and "click-to-open-new page function on IE". This worm is notorious. Any one can tell what to do next to fix the problem? I downloaded the win2k sp2 and ID cummulative sp. neither of them solved the problem.

0

I just ran the patch, so who knows how long it will last. I also had the cut and paste problem along with everything in my tool bar at the bottom not working. I could not close my internet connection unless I exited from Outlook and it gave me the disconnect prompt or I unplugged the line from the jack. The only way I could reconnect with my dialup was to go through Outlook and let it prompt me to connect or shut down and come back up. I also have had the cut and paste issues. Did anyone else have trouble accessing their C drive to check for the msblast file associated with the worm? Until I ran the patch nothing was visible in my C drive, not even the message that says click to show files. I am wondering if this is part of the worm to keep you from finding and deleting the file. I need to double check that this is the one to get rid of, but am pretty sure. It is in the WINDOWS SYSTEM32 directory. The file in mine says it was created on August 11.

0

I have the same exact problem with svchost.exe being killed by the worm (which uses svchost.exe to attempt to send copies of itself to random ip addresses thus overloading that part of windows which apparently is necessary for a lot of functions on windows). The invisible parts of the hard drive indicate that the worm is still on board. It will hide from you whatever directory a copy of it resides in, this almost always is going to be your winnt\system32 directory along with others. I used the patch, fixed the registry entry by hand, deleted a copy of the virus by hand, and reinstalled win2k and still the virus is somehow present. To test for the virus' presence, simply try to visit www.windowsupdate.com and if you aren't allowed to go there, you know who's stopping you. This is an unbelievable pain in the rumpous. I can't believe that MS isn't providing an ACTUAL solution to this problem. If after patching, deleting, using the symantic blaster remover AND reinstalling a fresh copy of windows and the virus still remains then SOMBODY is NOT doing their job at MS symantic or both. I am completely outraged, my computer is useless.

0

I had no trouble getting to the windows update page, but I was connected so slowly that it was going to take 3 HOURS to install the latest service pack. This is why computers get infected! Those of us who don't have access to high speed get stuck tying up our phone line for ridiculous amounts of time just to get a safety net! I have seen conflicting information on whether you should patch first and de-bug second if you think you are already infected. I did the patch first with no problem, although I read that may not be the case for everyone.

0

Neither the symantec fix or the microsoft patch is going to work. I formatted my machine reinstalled Windows 2000, ran the fix, installed Sp3, ran the microsoft patch. Everything seemed to be solved for few hours. But today morning I realized that the virus is not going to stop. Eventhough, it gets removed from your machine, you get infected again when you get connected to the internet. Now instead of getting the svchost.exe error, I'm getting explorer.exe error with the same cut/copy/paste issues and all other dump. Dialup users and other who get directly connected to the internet have no choice, the virus seems to come thru the connected port. You need to have a firewall setup to avoid this. Windows 98 users seems to be unaffected. MS pls do something!!!!

0

We have this problem too -- won't let me connect to the internet long enough to download the SP2 update that I have to do, BEFORE I can run the blaster fix! Any ideas?

0

I ran symantec's "fix blast" and it determine the worm was not on my computer. I still get the program error message, though.

0

Seems to work, give it a shot MANUAL REMOVAL INSTRUCTIONS Terminating the Malware Program This procedure terminates the running malware process from memory. Open Windows Task Manager, press CTRL+SHIFT+ESC, and click the Processes tab. In the list of running programs, locate the process: MSBLAST.EXE Select the malware process, then press the End Process button. To check if the malware process has been terminated, close Task Manager, and then open it again. Close Task Manager.

0

I've run the FIXBLAST.exe, applied the latest Win 2k service pack, and all seems ok. I would suggest, however, downloading and installing a Firewall. I'm giving ZONEALARMS a go (on the basis that its a freebee!), unless anyone else has another recommendation?

0

I'm also having this problem but there's somenthing important to let everyone aware. My machine's been offline for more than one month and I started receving those errors since Aug, 11! I guess it was allocated waiting for a specific date to run! I didn't tried yet to solve this problem...

0

Hi Guys Half the people I know have been hit with this thing - me included. I'll try Leighton's patch (lucky I have another computer to handle downloads). Anyone any info on what will kill this thing DEAD? I'd be happy to contribute to an assassination fund to whack the SOB that put this about (I jest not!)

0

I've had this problem pop up over the last few days with Norton Firewall installed and running before dialup. Half of my connections refuse to disconnect, and I have to pull the cord out of the wall or reboot. I also had the firewall throw up alerts for TFTP (Trivial File Transfer Protocol), which I had never heard of until Tuesday. I hear port 69 might be used by that, but I'm flailing in the dark on that one. I permitted access until it drove me crazy, and then blocked it, but it neither cured it or made it worse - just seems a weird coincidence that's all. Thanks Phil.

0

I'm like Leon. I ran the fixblast and it claims I don't have the virus. Then went in to manually remove the malware like Playmaker said but it isn't listed. I still get the svchost.exe error. I have three machines and they all have this problem which started on August 11th. It only comes up after being connected to the internet for about 40 minutes and then if I stay connected it keeps telling me the same error. Copy & paste don't work and the only way to disconnect from the internet is to unplug the phone line. When I start up the pc I check for the virus msblast in the processes and it doesn't show up. I have also tried to search for any occurance of this file on my hard drives and there isn't any. Did Microsoft make thier own virus? Need real help fast.

0

I just want to say that I too am having real problems, and am working on a fix. I get the shutdown of svchost.exe either immediately or a couple of minutes after booting up my PC. My internet connection is constantly on (cable modem) and I cannot find blaster anywhere on my pc. I have no explorer-like access to my c drive, no cut&paste, applications will not start (like my movie player) outlook will not allow me to send an email (out of memory - yeah sure.) I am using win 2K (is everyone who gets this?) and it started a few days ago (aug 11th sounds about right - new terrorism 8/11!!) I feel that whatever this virus is, it might be exploiting a serious problem with win2K. Is it possible that this virus does not have to be ON my system, but is just EVERYWHERE on the net, pinging EVERY machine?? So that even a clean install will be corrupted within seconds of making an internet connection? I am going to do a complete install, and re-build my system firewall first (shut down), then virus checker, then.. internet access. I will let you know how I get on. Good luck everyone.

0

Does one have to download Service Packs in order? Must I install serivce pack 2 before I can install service pack 4 or is it an all in one type of thing? I feel like I have the virus, copy paste and svchost problems, but I've downloaded a fit tool and it didn't find the virus.

0

Hey there, well I am in the same position as the rest of you. I have formatted and reloaded my o/s, installed the latest virus definitions, installed a firewall and still as soon as I installed broadband I was hit by the SVCHOST error. Apparently you can configure your TCP/IP settings to block the port the worm infects. I found the link through ntlworld.com. I am now going to restore my PC to W98 until there seems to a surefire fix. Thanks for all of the advice.

0

Hi there i had the same prob than all of u. But i finally got rid of the worm. http://iblnews.com/news/noticia.php3?id=84368, I follow the intructions in this page, using regcleaner was so easy. i also got the fixblast.exe. Everything working properly now. Hope u have luck

0

Thanks to all for your help on this item. I was about to give up on it... I used the link given by Ana (repsonse number 25) - the site is in Spanish - and was able to download and install the fix. It all looks good now. The site is in Spanish. I also used the link given by Leighton (response number 5) on another computer and it also fixed the problem. That site is in english. Thanks again to all.

0

opps..sorry...so it was so easy for me cause i am from Spain... it says that the worm W32/Blaster adds an entry in the regedit in order to asure its authomatic execution when we restart the operative system: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "windows auto update"="msblast.exe" To eliminate the worm: 1.- first use the Windows duty administrator Ctrl+ Alt+ Supr to end upp the execution of the MSBLAST.exe process 2.- Delete this MSBLAST.exe from windows system directory 3.- Use the regedit to delete the entry add in that registry: (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Auto Update). 4.- Restart the computer Aditionally there are some programs to do that automatically : ftp://ftp.f-secure.com/anti-virus/tools/f-lovsan.zip http://vil.nai.com/vil/stinger http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html Have fun

0

In Response # 5 you said the patch is on the microsoft website. I am oon your site with you link but don't know which one to down load? Can you please advise me? Thanks a lot. Sam

0

i am haveing same prob as all of you i am running windows 2000 but i do not have msblast.exe in my task manager box is there anouther name for it please help i am going mental

0

I encountered these problems on our two laptops both with Windows 2000 one of which had svc. pack 2 installed. On the one with svs. pack 2 installed I installed the windows patch and I was able to find msblast and remove it manually as well as use regedit to edit the registry. On the other one I could not find it to delete it using windows explorer however I downloaded stinger from the address given in mesage 27 and it found msblast in \winnt\system32 and removed it. However this machine is still vulnerable as I cannot install the windows patch until I install the service pack upgrade and I do not have the bandwidth at home to download it. good luck, Eugene.

0

i too cant find anything called msblaster.exe running on my system. but the svchost problem continues. also, i ran the symantec's 'fixblast.exe', to find and get rid of the worm; but it couldnt find the worm. the fixblast.exe by symantec had worked for some of my friends. seems like i got a variant of this worm. help!!

0

This thing is a pain in the ass. My gateway 2000 server generates this error the instruction at "......"referenced memory at "......" could not be read click ok to terminate the program cancel to debug. when you hit cancel svchost.exe comes up when hit ok more error messages pop up then the cut and paste does not work. In Yahoo mail you can not delete messages. Internet connection still functions. if you log in it takes forever to load personal profile apply settings sometimes the system hangs. unplugging and rebooting seems to work for a while. The problem deminished significantly when you return to a last good configuration.

0

hi there, i encountered the same problem I get a svchost message error but using all the anti virus i have on hand and where useless, they cant find anything. I m running win 2000 and i need to get service pack 2 to tun patch but while i m downloading it i get error messages and cant run it. what can i do ,i m going nuts. thanx - gracias

0

...continued Also my firewall Tiny Personal Firewall detected various applications that have been replaced I rescently upgraded tgo latest service pack and though this was from upgrade so I accepted the change the pop ups were anoying anyway. maybe this was my mistake. Also the Trivial TCP protocol was detected by my firewall which I too never heard of except to find that it is a security breach. I blocked the affected ports the problem is now not getting any worse. Since I just learned that this is a worm will attempt the patch and fix. Although not sure if I need the 64bit or 32bit patch for my XP machines which could be vulnerable to this thing. Also used software Spybot Search and destroy to scan my system found all kinds of "GATOR" type software that sends out info. ran the fix to clean the registry settings.

0

must be a ton of people trying to download the patch getting page cannot displayed from microsoft. I'll bet more people have this problem and are not reporting it. to message 33 you need to download on another machine.

0

We are all of us with and in same "problem" I have no more....it seems the Blaster. I have not MSBLAST.exe running.... bUT STILL SAME PROBLEMS ;-) I cannot download the patch ...site busy sure

0

Hi all, I got tangled up with a friends puter that had this problem. I was in a situation where reinstallin o/s was not an option. I did what you said to do (took me 3 days to get to microsoft site to d/l the service pack ) but i was finally able to do it. i installed the patch as well. I was able to use her emergency boot disk to restore the registry? so all is well with her system now. This is my first time working on win 2000 I can honestly say i think i'll stick to my dinosaur 98 se. thanks to all your suggestions i was able to tech this thing out. I think symantec lied when it said this was easy to remove. May you always walk in beauty. Little_Eagle

0

Hello, I'm french, from Paris, get the exact same problem !!! As it was said, the virus began running in august the 11th. Didn't remember something ? I have a suggestion. I am a web developper. In some computer languages, like in Java, the months start with 0 (for january) and end with 11 (for december). Maybe the a..h... who made this f...... virus made a mistake. If he wanted it to start in september the 11th, exactly 2 years after the biggest terrorist attack, he could have written 2003-08-11... What do you think about that ? Don't want to do paranoia, but the coincidence is surprising, isn't it ? I still have this f...... virus, trying different things that was said on this forum. I'll be back to tell u more, -David- PS: sorry for my bad english ;-)

0

First I want to say thank you to everyone who posted up the helpfull suggestions.. I think this bug was gonna drive me nuts.. ((Not that she isn't already folks)) But here's what I did: First I got the Win update mentioned in Responce 5.. I had to type the addy in.. damn copy and paste.. then I check out the manual removal in step 2.. the MS file mentioned wasn't there.. then to be sure, I ran the worm fix mentioned in Responce 27, and everything came up clean there too.. I'm gonna bookmark this site though, as bookmarks do work, and if this crap continues, I'll just have to repeat the last step.. thanks for everything guys!

0

lol, didnt expect this many ppl to respond. i strted this topic a few days ago. i did what was said with the MS patch and FIX blast. worked like a charm. no more messed up media player, copy & paste, e-mail...horrible. thanks eveyrone!!!

0

I had the same problem, had msblaster.exe in system32 folder, deleted manually but the problem persists. But.... I reinstalled Win2000 on a new motherboard/repartitioned, reformatted disk with only Norton Antivirus and modem driver(scanned by Norton) and connected to my ISP and the same problems reappeared. Can't disconnect my dialup Can't cut and paste Can't access windows update Regularily sends out emails(or something) that Norton happily scans This is a virgin windows installation but within minutes of connecting to my ISP, same problems. I haven't tried MS patch yet, couldn't access it last night, will load from floppy made at work (behind hardware firewall, no problems yet) and re-reinstall windows on a re-reformatted disk. I may think twice about using the same ISP again, but we'll see. This svcks Pete

0

Here's what I did and it seemed to work,..since none of the patches, fixes etc..seemed to work for me at all. --> I found the msblast.file but couldn't delete it, so I renamed it something weird, like msblastyoustink.exe123. Then I rebooted. Then immediately I renamed my svchost.exe file something weird also (scvhost123.exe123 or something like that) and then deleted the msblastyoustink.exe123 file. Then I reloaded my OS. On reboot, I got a new svhost.exe and then deleted the one with the wierd name. Before I went back online though I loaded Zonealarm, which is free. And so far so good. Everything that didn't work before, now works, EXCEPT for "click-to-open-new page function on IE". If anyone can help me with that I'd appreciate it. For those of you that can't find the msblast.exe file,...I would try renaming the svchost.exe file and then reload your OS like I did. Good luck all

0

I'm runningn Win2000. I add the classic symptoms of this virus. The strange svchost.exe error, and unable to cut and paste. SOLUTION: I went to microsoft.com.....their homepage and downloaded and installed the patch from their homepage. Then I followed the helpful tips here: http://www.sophos.com/support/disinfection/blastera.html It worked! I don't have any more problems on my computer. Thank you Sophos!!!!!!!!!!! and MS!!!

0

I also have this problem to a certain extent. I have a broadband connection with NTL. If I boot up with the modem connected I am lumbered within seconds but if I boot up first log into win 2000 and then plug the modem in all is fine none and I mean none of the symptoms appear!! So is there a week point in the boot sequence or is it that you are vulnerable at the point when you log onto the modem?

0

To All: Thanks for your suggestions. I seemed to have eliminated this pest by installing the firewall. Prior to installing the firewall I looked for, but could not find, the worm. Also had great difficulty downloading patches, alerts, upgrades, etc. Since the firewall installation, i am able to download. Good luck to everyone and thanks again.

0

what kind of firewall do you recommend. where can i get a good one at?

0

I downloaded Norton's personal firewall. I don't remember the link, but I'm sure if you go to Norton's site you'll find information there. good luck

0

Thanks for your help I downloaded the patch from microsoft as well as their tool to make sure that I did not miss any computers not patched. Found two of my servers unpatched one was a file server on a non routable ip it was not affected by this worm I disconnected it from the network repatched it then did the same on the other server that worked 24h+ no svchost errors. The Symantic scanner did not work for me it created an error while scanning a separate hard disk I don't know. I use Tiny Personal Firewall great product this would have been worse if I did not have it. I've reconsidered keeping the 2000 machine as a gateway too many ports to worry about you don't know which are used by the system and which are sources for attack. I am considering placing a router with a built in firewall before the server and keep the software firewall to keep me informed via pop-up who is accessing what even on my internal network. This worm just attacks ip addresses from the internet it does not matter if you reinstall your os One the worm knows there is an open IP you are vulnerable even down the road when you need to temporary turn off you firewall. Hope this helps, download the patch it works. Thanks for you input in helping me solve this problem.

0

Hello everyone, Thanks for all of your help. I have one computer that has recovered from the worm (downloaded patch and ran Symantec's FixBlast - see link to their site below) and another one that still exhibits some of the same problems but the worm is nowhere to be seen, and the registry is clean... However we are working on downloading all relevant updates and will see if that makes a difference. Symantec's web page describing the problem and how to fix it is very good: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html You don't need to be a subscriber to use their fix. I would add one thing to the solution given by Symantec: If you have any problem getting the patch from the Windows Update site, download and apply the RPC patch directly from Microsoft using the appropriate link: a) Windows 2000 http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe b) Windows XP http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe c) WindowsNT http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE Happy recovery!

0

hi all i've a different variant of svchost problem: 1.on searching registry i found that i've msblast.exe on: registry key:\..internetexplorer\url or sth, like that couldnot remeber exactly rather than on \..microsoft\windows\autorun 2.fixblast and stinger couldnot detect it 3.i've NOT got msblast.exe on system32 folder or on running task list either i;m more confused as people say i've to fix the bug before applying patches. but how can i fix it?

0