msblast.exe ?

Name: screwtape25
Date: August 11, 2003 at 11:23:25 Pacific
OS: Windows XP Home
CPU/Ram: P4 2.2 Ghz
Comment:


Today I got a system message that claimed some remote service had unexpectedly terminated and a 60 second timer started counting down to shutdown, warning me that I should save any changes. Starting up again I checked the task manager and there was a process called "msblast.exe" which seemed to be the culprit, so I killed it. However, it seems to respawn itself every time I get back online (dialup). Google turned up nothing. Is this new?!?!




Response Number 1
Name: TheKid
Date: August 11, 2003 at 11:35:18 Pacific
Reply:

Have you done virus, trojan and spyware scans?


0

Response Number 2
Name: AndyMaratos
Date: August 11, 2003 at 11:43:54 Pacific
Reply:

I am having the same problem, somehow my RPC service is being closed remotely and msblast being loaded. I've tried removing all reg entries, ending process and deleting the .exe but then "RPC failure" and pop it's all there again including reg entries?

I can't seem to get any virus detectors to find it...


0

Response Number 3
Name: AndyMaratos
Date: August 11, 2003 at 11:59:51 Pacific
Reply:

After reading through a few forums I figured out what it was and how to fix it,
basically it is the abuse of a bit of bad MS programming.

Some hardcore programmer has made some binary code which when overflowed executes the machine code to form the .exe in \windows\system32\ (msblast.exe), modify the registry and then load the .exe.

The RPC service (which has the faulty buffer) automatically ends as it can't JMP back to its code, causing a violation error, and Windows forces it to close (that's why it's from NT\Auth). This is merely a side effect.

To stop ppl abusing your system by using this overflow download patch at http://microsoft.com/technet/treeview/default.asp?url=/technet/security/MS03-026.asp (RPC overflow patch)

But if they've already got msblast on your system you have to FIRSTLY (before getting patch)
1a. If possible disconnect FULLY from net
1b. End msblast.exe process
2. In regedit remove msblast entry from HKLM\Software\Microsoft\Windows\CurrentVersion\Run
And then DOWNLOAD PATCH (Don't restart before downloading)

Lots of love, Andrew


0

Response Number 4
Name: Abnormal
Date: August 11, 2003 at 13:31:36 Pacific
Reply:

billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com

http://isc.sans.org/diary.html?date=2003-08-11



0

Response Number 5
Name: JanNan
Date: August 11, 2003 at 21:34:58 Pacific
Reply:

I had the same problem with the msblast worm virus. I downloaded the patch and removed it from registry. Online seems to be fine now but I noticed in c:/winnt/Prefetch there is a file called msblast.exe. Should I delete that file from the prefetch folder? I am running XP home version. Should there be anything on my computer called msblast.exe or is that part of the virus? Thanks in advance


0



Response Number 6
Name: gemini_1
Date: August 11, 2003 at 22:22:12 Pacific
Reply:

Hi
I just got the same problem. I went to play a game online and disconnected zonealarm (momentarily). After that, the whole problem started. MSBLAST.exe is running in the background and shuts down my pc using RPC. Norton won't recognize it and google search turned back nothing. I am blocking its access with zonealarm now.
Thanks for the info here, I am downloading the patch from microsoft.
Thanks again


0

Response Number 7
Name: JP
Date: August 12, 2003 at 03:05:45 Pacific
Reply:

I moved msblast.exe and the corresponding prefetch file to the recycle bin, then did a virus scan with Norton (updated). It didn't find a thing.

The funny thing is that just minutes before I did the scan, I read a stop-the-presses article where some guy from Symantec talked about this worm and that an up-to-date Norton would find it. Well, dear Symantec-guy, it didn't. I think I'll go Panda from now on.


0

Response Number 8
Name: JanNan
Date: August 12, 2003 at 07:33:27 Pacific
Reply:

Hi
Thank you. My Norton antivirus found it. But it is not saying that msblast in prefetch is infected! So I should be able to delete msblast from prefetch with no problem? Is that a file that we need that got infected or is it just an infected file that comes into the computer because of this particular virus? Thanks again



0

Response Number 9
Name: JP
Date: August 12, 2003 at 11:39:53 Pacific
Reply:

I deleted both the msblast.exe file in System32 and the msblast file in the Prefetch folder and I have had no problems.


0

Response Number 10
Name: Neil B
Date: August 12, 2003 at 11:43:59 Pacific
Reply:

I got infected with msblast.exe yesterday and have experienced the same "symptoms" as those in the previous entries. It managed to get through my Norton Firewall and still evades my "fully updated" Norton Antivirus.

I think it is excellent that there are people willing to share information on getting rid of something like this. Unfortunately, being a total novice in all things computing I have difficulty understanding the technical terms. Is there anyone out there who can tell me in layman's terms (a complete dummies guide if you like) how to get rid of this? I wait in anticipation. Many thanks ....Neil


0

Response Number 11
Name: gemini_1
Date: August 12, 2003 at 12:28:03 Pacific
Reply:

Go to: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html and download their fixblast at:
http://securityresponse.symantec.com/avcenter/FixBlast.exe
That will take care of your problem.
By the way I updated NAV 2003 and it got the worm.


0

Response Number 12
Name: Kelly McClinton
Date: August 12, 2003 at 16:27:37 Pacific
Reply:

I also received this worm. Luckily it wasn't as bad as i thought it was. Here is a step by step (layman) version of fixing your problem.

First off... open your control panel (Start > Settings > Control Panel)

Open Administrative Tools... (if using XP, you must click on Classic View in left toolbar on window)

Open Computer Management.... double click on Services and Applications

Then, double click on Services.

scroll down until you see Remote Procedure Call (RPC) in the list
right click this and select Properties.

Click on the Recovery tab up top.
Use the drop down for First failure, second failure, and subsequent failures to change the selection to Take No Action.

This shuts off the RPC and will stop your PC from rebooting all the time. Gives you time to fix your machine.

Next download the patch from Microsoft.com @ http://microsoft.com/technet/treeview/default.asp?url=/technet/security/MS03-026.asp

Open your windows explorer and navigate to C:\Windows\System32 and find the MSBlast.exe in the directory. Delete it.

Next... Go to the directory c:\Windows\Prefetch and delete the MSBatch string there.

Now close your Explorer and click on Start > Run

Enter regedit and hit ok.

navigate through the following folders to locate the MSBlast entry.

HKeyLocalMachine\Software\Microsoft\Windows\CurrentVersion\Run

Then, without rebooting first, install the Microsoft patch that you downloaded.

Now, go back into your Administrative Tools and reset your RPC to the default selection if you wish. (Recommended) Just follow the instructions to turn it off, but select Reboot the Machine.

Now reboot and all should be fine.


Good luck,

Kelly


0

Response Number 13
Name: JanNan
Date: August 12, 2003 at 16:35:05 Pacific
Reply:

Thank you all for your help!


0

Response Number 14
Name: Neil B
Date: August 12, 2003 at 21:59:38 Pacific
Reply:

many thanks kelly and gemini 1

forever in your debt

With regards

neil


0

Response Number 15
Name: METAL VIPER
Date: August 13, 2003 at 00:01:22 Pacific
Reply:

Hello, I had the MSBLAST.exe worm yesterday, but didn't know it. I thought it was due to something else, so I restored my Windows XP to a previous setting. Today, I saw the news and knew that was what I had. I downloaded the patch and everything, but I can't find anything that has MSBLAST.exe in my computer. Will my restoring it and downloading the patch keep it from re-infecting my computer? I downloaded the worm fix, but I can't find it anywhere after following Kelly's instructions, so I think it's out of my system. The worm fix kept closing in the middle of searching. Is my computer ok? Thanks a lot


0

Response Number 16
Name: ray
Date: August 13, 2003 at 06:17:34 Pacific
Reply:

I think the worm disables and corrupts system files at random. Sometimes things work ok and then they go peculiar. I had the symptoms but the worm tool did not find the msblast on my machine and I could not locate it in the reg or anywhere else. I have a dual boot with me and that works fine so it has not migrated across. I think the only answer to this worm now is to reinstall xp.


0

Response Number 17
Name: METAL VIPER
Date: August 13, 2003 at 08:48:19 Pacific
Reply:

Certain internet sites aren't working for me. My start-up page is www.ign.com and that's not working. I hope it's just down, because that's one of my favorite web-sites and I don't want the worm messing other things up, because I don't even know if I still have it. Would re-installing XP work? I don't want to format my disk, so I hope I can just re-install Windows XP


0

Response Number 18
Name: Neil B
Date: August 13, 2003 at 10:15:44 Pacific
Reply:

I followed Kelly's instructions then used the Symantec tool and everything appears to be fine now (fingers crossed!). However, before I did this I was having problems with internet sites: I could not visit any webpage from a link from another but was able to visit the page by entering the address in the address field.

Anyway it seems to be ok now.

PS.
Re: abnormal's message, above "billy gates why do you make this possible ? Stop making money and fix your software!!" the worm apparently contains this text according to symantec


0

Response Number 19
Name: jesse lamb
Date: August 13, 2003 at 12:35:50 Pacific
Reply:

Follow the instruction on this link to get rid of this virus

http://www.microsoft.com/security/incident/blast.asp


0

Response Number 20
Name: RusMan
Date: August 13, 2003 at 13:53:39 Pacific
Reply:

I have had a Win 2K SP1 installation that began to act very strange in the last week. A number of browsing functions ceased to work properly, MS Office could not save files, Windows could no longer "cut, copy, or paste" and a few other minor strange things occurred.

I immediately backed up all files to another partition and installed Win XP Pro SP1 on the same partition as the Win 2K. The XP seems to be working properly but this msblast was there right after the install.

I also installed Zone Alarm onto the XP and noticed on bootup that my Zone Alarm was catching this "msblast.exe" trying to access the internet. I denied it that but still notice the msblast running in the background.

I have followed this forum thread and see the methods to get rid of it but I was wondering if anyone knows if msblast can infect Win 2K? I haven't noticed it running on my Win 2K but since this all occurred at the same time I have to conclude that the problem with msblast on my XP and the problems on my 2K installation are related.

Also, I wanted to know if anyone can tell me whether or not it would be safe to save my files that are on the other partition. Could this msblast have infected any of them or is it not that type of virus?


0

Response Number 21
Name: max2000
Date: August 13, 2003 at 14:57:23 Pacific
Reply:

Kelly, I followed your instructions to delete the worm (after downloading the patch and updating my Norton, which did find it). Deleting it from the Prefetch file wasn't a problem, but my computer won't allow me to delete anything from the System32 file. I logged on as my husband in case it let him but still no go. Any ideas?

Thanks!
Melanie



0

Response Number 22
Name: Sangi
Date: August 13, 2003 at 15:10:39 Pacific
Reply:

Help please. I have followed your instructions above and deleted msblast from the said places. I downloaded the patch but it won't let me install it. It keeps coming up with an error saying KB8223980 set up error - setup has detected that the service pack version of the system installed is newer than the update you are applying to it. I also tried to run fixit and it keeps coming up with an error. Can anyone help me and tell me how to fix this?


0

Response Number 23
Name: Grimey
Date: August 13, 2003 at 15:16:19 Pacific
Reply:

WindowsXP will not let me simply delete msblast.exe because it says the file is in use. I tried Ctrl-Alt-Del to see if msblast.exe was running, but Ctrl-Alt-Del did not work. I've already installed the Microsoft patch. Any advice on how to delete msblast.exe?


0

Response Number 24
Name: ScoobyRed
Date: August 13, 2003 at 15:39:18 Pacific
Reply:

Hi Grimey,

Did you try running 'taskmgr' from the Start / Run menu? You should see msblast.exe in the Process list once you get Task Manager running; delete the process, this will then let you remove the file from your hard drive. I renamed it first. Likewise the prefetch file. Zap the little so-n-so's and load in the MS Patch, regedit your Registry File as described above and reboot, hopefully that'll sort you out.

ScoobyRed.


0

Response Number 25
Name: Mike
Date: August 13, 2003 at 16:00:42 Pacific
Reply:

Hi, I'm a tech support rep in GB working for a large internet company. All I've done today (and yesterday and the day before! lol) is take calls on this damn worm! Read very carefully! To get rid of the reboot problem simply disable connection (win xp), go to network connections in control panel. Right click the connection that you are using (if using usb for a cable modem you will need to establish connection first and wait for Local Area Connection to appear and then go through the next steps very quickly), go to properties, click on advanced then put a tick in 'protect my computer...' and click ok. That will stop the continual reboot process. Once that is done go to

http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

this will take you to the ms site containing the patch needed to stop further attacks of this kind.

Please be aware that this is the w32.blaster.worm and this worm is polymorphic (it changes!!). It is now remotely accessing pc's and destroying reg files! Keep your pc's safe peeps

Mike


0

Response Number 26
Name: Caddius
Date: August 13, 2003 at 18:12:03 Pacific
Reply:

WhooHoo!

Within the past three days, Google has picked up 1400 links about msblast.exe, and thankfully this one was first on the list.

Free and clear...
Thanks all.


0

Response Number 27
Name: Kelly McClinton
Date: August 13, 2003 at 18:22:08 Pacific
Reply:

ok... where to start and with whom... hehe.

RusMan.... yes... 2k is also able to contract the worm. And it is completely safe to save any files on any partition. This worm is not to harm, but only to disrupt and make a point. Just another annoyance by our friendly neighborhood hackers...(or crackheads, whichever you prefer).

Melanie.... in order for you to delete the MSBlast.exe, it must not be running. and the RPC must not be active to do a Ctrl+Alt+Del. And this is a system specific worm. Not a user specific. In other words... I could log onto your machine and see the same thing you are seeing.

Sangi.... I have no idea what to tell you. Contact MS Tech Support and see if anybody else is having the same issue. Sorry.

Grimey.... Scoobyred took the words right out of my mouth.

Mike.... just a bit of advice... if you disable the RPC as mentioned in my write up earlier on, you will not have to rush to go through the steps. As a tech support employee, you should know better than anyone that some users just aren't that fast. Anyways, just a bit of friendly advice.

Kelly


0

Response Number 28
Name: tony
Date: August 13, 2003 at 18:42:40 Pacific
Reply:

I had the virus..and removed it, even though msblast.exe is gone and I removed the virus, my computer is now acting very slow and has a very very hard time surfing the internet. Help?


0

Response Number 29
Name: Melanie
Date: August 13, 2003 at 18:48:49 Pacific
Reply:

I don't get it! Am I the only one having a problem with this step?? Everything else went smoothly but I still can't delete it from the System32 file. I deleted it from the Processes and the Prefetch files, RPC is set to Take No Action. Why is it still telling me I don't have access or that it's being used??

Melanie


0

Response Number 30
Name: David480
Date: August 13, 2003 at 18:58:29 Pacific
Reply:

Hi guys, lots of help going on here and thanks for that!
I was wondering if there was any possible way other than format to get rid of this thing other than installing the MS patch.
So, I'll wait and hope for your help.
Thanks again


0

Response Number 31
Name: Melanie
Date: August 13, 2003 at 19:23:32 Pacific
Reply:

Finally - it's off my computer! Yipee! I deleted it from the HKLM\Software\Microsoft\Windows\CurrentVersion\Run, it was listed as Windows Auto Update and mentioned msblast.exe to the right. Once I did that and rebooted it let me delete it from the System32 file.

Thanks everyone!
Melanie


0

Response Number 32
Name: AnnaBee
Date: August 13, 2003 at 19:57:11 Pacific
Reply:

For Grimey...If you are using Windows XP then hit Ctrl-Alt-Del and it will bring up the Task Manager. Click on the PROCESSES tab if it is not already in the forefront. In there click where it says IMAGE NAME to put the processes in alphabetical order. Then locate the msblast.exe and HIGHLIGHT it and END TASK on it. THEN go delete the msblast.exe file. Also, go to Start > Run

and type in regedit exactly as I have written it and hit ENTER or click OK. Navigate through the following folders by clicking on the + sign in front of each folder until you get to the RUN folder. Highlight it and on the right you will see a bunch of stuff listed with values. Find the entry on the right that says windows auto update and has msblast.exe listed there. Highlight and DELETE IT. Close the registry editor and then install the patch and THEN reboot. Not before. The reason it would not let you delete it is because it was in use...that is why it is listed in processes tab of the Windows Task Manager. I am sorry if this is too detailed but I wanted to be very complete. Hope it helps. If not you can email me.

HKeyLocalMachine\Software\Microsoft\Windows\CurrentVersion\Run

Then, without rebooting first, install the Microsoft patch that you downloaded.


0
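The manual checks described in the posts above (Task Manager, the Run key, System32 and Prefetch), gathered into one read-only PowerShell function. This is an added example, not part of any post in the thread; the function name `Get-MsblastArtifact` is hypothetical, and it assumes PowerShell 3.0 or later run from an administrator session.

```powershell
# Added example: read-only inventory of the msblast.exe artifacts named in this thread.
# Nothing is deleted or changed. Get-MsblastArtifact is a hypothetical name;
# the Run key path and file locations are the ones quoted in the posts.

function Get-MsblastArtifact {
    [CmdletBinding()]
    param(
        [string]$ImageName = 'msblast.exe',
        [string]$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    $procName = [System.IO.Path]::GetFileNameWithoutExtension($ImageName)
    $pattern  = [regex]::Escape($ImageName)   # -match is case-insensitive by default

    # 1. Running process: the file cannot be deleted while this is alive.
    foreach ($p in @(Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{
            Step     = 1
            Artifact = 'Running process'
            Location = "PID $($p.Id)"
            Detail   = $p.Path
        }
    }

    # 2. Run key: match on the value data, not the value name, because the
    #    posts report the entry under the name "windows auto update".
    if (Test-Path -LiteralPath $RunKey) {
        $key = Get-Item -LiteralPath $RunKey
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            if ($data -match $pattern) {
                [pscustomobject]@{
                    Step     = 2
                    Artifact = 'Run key value'
                    Location = $RunKey
                    Detail   = "$valueName = $data"
                }
            }
        }
    }

    # 3. The executable in System32.
    $exePath = Join-Path $env:SystemRoot "System32\$ImageName"
    if (Test-Path -LiteralPath $exePath -PathType Leaf) {
        $file = Get-Item -LiteralPath $exePath -Force
        [pscustomobject]@{
            Step     = 3
            Artifact = 'File in System32'
            Location = $file.FullName
            Detail   = '{0} bytes, last written {1:u}' -f $file.Length, $file.LastWriteTimeUtc
        }
    }

    # 4. Prefetch entry: a trace that the program ran, not a copy of the program.
    $prefetchDir = Join-Path $env:SystemRoot 'Prefetch'
    $prefetch = Get-ChildItem -LiteralPath $prefetchDir -Filter "$ImageName*" `
                    -Force -ErrorAction SilentlyContinue
    foreach ($pf in @($prefetch)) {
        [pscustomobject]@{
            Step     = 4
            Artifact = 'Prefetch entry'
            Location = $pf.FullName
            Detail   = 'last written {0:u}' -f $pf.LastWriteTimeUtc
        }
    }
}

# Report what is present, in the order the thread's posts deal with it.
$found = @(Get-MsblastArtifact)
if ($found.Count -eq 0) {
    'No msblast.exe process, Run value, System32 file or Prefetch entry found.'
} else {
    $found | Sort-Object Step | Format-Table -AutoSize -Wrap
}
```

A Run key value that is still present explains the "file is in use" errors reported above: the entry relaunches the program at every logon, so the file stays locked until the value is removed.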

Response Number 33
Name: dr bazza
Date: August 13, 2003 at 20:33:08 Pacific
Reply:

Couple of comments - some MSBlast.exe installations seem to deny access to delete the file from System32 folder. However the ClnPoza.zip from ezTrust AV web site did the job fine, if a little slow in its search. Don't forget to empty recycle bin either !!!

Despite my PC appearing clean, the EZ Trust AV keeps picking up a Poza signature in the XP C:\systems volume information folder. It must be hidden because I cannot see anything in there - is a possible source for re-infection ??? Does anyone know??
Chz
Bazza


0

Response Number 34
Name: Kelly McClinton
Date: August 13, 2003 at 21:47:54 Pacific
Reply:

ok.... I have come across a much easier solution. Now that this worm has caught the attention of the world, Norton has made a Blaster.worm eraser tool. Very simple to use and does all of the steps I posted above for you. You can download at:

http://securityresponse.symantec.com/avcenter/FixBlast.exe

The size of the download is only 172kb, so no biggie for 56k users.

This should solve all problems.... just remember to set your RPC in services to Take No Action or it will reboot the machine before the tool is done.

Also.... this tool takes a little while to run because it scans every file on your system. So be patient, it will complete in due time.

Kelly


0

Response Number 35
Name: Chad
Date: August 13, 2003 at 22:56:40 Pacific
Reply:

I THOUGHT I had it deleted, but now it is doing what it was doing before... and that is...

whenever i try to run regedit or hit ctrl-alt-del, it closes the window almost immediately... is this a windows problem or is this the virus acting up? i used to have msblast.exe on my computer but i went into safe mode and removed it, and it is gone as far as i can tell. someone please help me out and tell me if it's still there. i have run windows updates and patches but i don't think my computer should be stopping me from using regedit or ctrl-alt-del.


0

Response Number 36
Name: Ultimate Vegetarian
Date: August 13, 2003 at 23:40:11 Pacific
Reply:

I would just like to note that I have been
surfing the web daily for the past 4 years
and not once have I ever had a problem
with a virus or worm because..... I'M A
MAC USER!!!!!!! No one ever writes
anything for macs. I don't need any
antivirus protection, unlike you all with
your cumbersome windows machines.


0

Response Number 37
Name: adam
Date: August 13, 2003 at 23:41:53 Pacific
Reply:

hey,
I've tried EVERYTHING suggested on this thread, including all the patches and files to look in and i can't find a single trace of this file on my computer.

My McAfee and patches are having the same luck I am. msblast.exe is nowhere to be found on my pc...

but i still get the countdown and problem with my win32 and RPC!!

any other suggestions?!?!?

ps. thanks to all of you who take the time to offer your help!


0

Response Number 38
Name: RusMan
Date: August 14, 2003 at 00:45:37 Pacific
Reply:

Ultimate Vegetarian,

As this is a problem that concerns Windows users (and not Mac's as you pointed out), I would ask you to please refrain from wasting space on this thread with pointless Windows bashing. I use Windows and realize its faults and shortcomings. As such I also have a healthy respect for Linux, Mac OS, Unix, BSD, FSCK and other operating systems. Though you are correct that Mac's aren't as afflicted by such issues, you are also correct that it is because most viruses are written for Windows (Windows being the ubiquitous OS). This being the case I suggest you keep your Mac (and others) free from this type of infection by leaving your comments out lest they tempt hundreds of thousands of users to purchase Mac's, and thus begin the process of malicious writers from making worms like this for your precious Mac.

In short, please leave your negativity out. Leave this thread for dealing with the problem at hand because I assure you that this denial of service attack (if successful) will cause a great deal of havoc on this internet you are so fond of surfing each and every night.

RusMan


0

Response Number 39
Name: bazza
Date: August 14, 2003 at 03:32:49 Pacific
Reply:

Further to earlier post on ezTrust warning about win-poza worm in SysVolInf folder....message is still popping up. In full it says C:\System Volume Information\_restore-{long code #}\RP36\A0010725.exe is Win-Poza.worm.

I have not seen reference to this in any other postings on the worm as yet, but IF the file actually exists (and I can't find it via normal searches incl hidden files, nor is msblaster.exe anywhere else on PC as a file or ref in registry, patch is applied), then this appears to be a latent mutation possibly trying to restore itself. Or is it just a quirk of EZ Trust AV. Presumably the SysVolInf folder contains data relating to the XP Pro System restore process??? Anyone got any bright ideas? Meantime I'll search some more >>>
Chow....Bazza


0

Response Number 40
Name: dr bazza
Date: August 14, 2003 at 04:17:03 Pacific
Reply:

Further to earlier post on ezTrust warning about win-poza worm in SysVolInf folder....message is still popping up. In full it says C:\System Volume Information\_restore-{long code #}\RP36\A0010725.exe is Win-Poza.worm.

I have not seen reference to this in any other postings on the worm as yet, but IF the file actually exists (and I can't find it via normal searches incl hidden files, nor is msblaster.exe anywhere else on PC as a file or ref in registry, patch is applied), then this appears to be a latent mutation possibly trying to restore itself. Or is it just a quirk of EZ Trust AV. Presumably the SysVolInf folder contains data relating to the XP Pro System restore process??? Anyone got any bright ideas? Meantime I'll search some more >>>
Chow....
Bazza



0

Response Number 41
Name: Mike
Date: August 14, 2003 at 05:36:14 Pacific
Reply:

Further to my mail yesterday and after reading Kelly's fix I have tried the fix today at work (on 12 pc's), all of which already had 'take no action' in all failures (1, 2 and subsequent) and were still continually rebooting. The only way of resolving the issue that me and all of my fellow colleagues have found is by activating the xp firewall (as suggested yesterday, which takes about 10-20 seconds depending how quick you are. You have about 1 min max before pc reboots usually so should be plenty of time) on the connection in question and downloading the patch from ms. Obviously anything that works is good but the problem now is that there is more than 1 type (morph) of the virus, some of which can infect os's not built on NT technology, i.e. win 98, ME.

Major problems will occur this Saturday when the worm unleashes its full fury. The main job of the worm becomes active as of 00:00 Saturday morning. This is because the time and date in the script will match your clock settings. From the reports I have heard at work the worm will cause a denial of service to the Microsoft update page. It also uses vast amounts of bandwidth to search out more vulnerable pc's and will cause browsing to be extremely slow. (I think the basic idea of the worm is to blast the ms site with vast amounts of data causing it to say bye bye)

It's worth contacting your ISP to see what measures are going to be taken (don't blame them though, it isn't their fault) and how it might affect you as a customer. I know NTL (UK) have looked at the possibility of taking off all modems with the virus but then realised that more than 3 million people in the UK, on the NTL network alone, are infected.

Happy virus hunting

Mike


0

Response Number 42
Name: AnnaBee
Date: August 14, 2003 at 08:26:19 Pacific
Reply:

Microsoft will give FREE TECH SUPPORT to anyone with security issues. Call 1-800-426-9400 if you cannot solve this issue using the methods on this forum. :)


0

Response Number 43
Name: Tony Mary
Date: August 15, 2003 at 08:00:13 Pacific
Reply:

Our ISP sent us the following email:

Have you taken the necessary steps to help ensure that your computer is clean and protected from the second phase of the MSBlast.exe virus or LovSan Web Worm? If not, we recommend that you immediately follow our suggested steps below.

The MSBlast.exe virus or LovSan Web Worm may enter your computer through a vulnerability in your computer's Microsoft Windows®-based operating system. According to current reports, this virus or worm is designed to cause computers to launch an electronic attack against Microsoft's Windows® help web site on August 16, 2003.

If you are using one of the following Microsoft Operating Systems, we recommend that you follow the instructions below to remove or safeguard your computer from the MSBlast.exe virus or LovSan Web Worm. Even if your computer isn't affected now, it could be in the future.

Microsoft Windows® NT 4.0
Microsoft Windows® NT 4.0 Terminal Services Edition
Microsoft Windows® 2000
Microsoft Windows® XP
Microsoft Windows® Server 2003

Please take the time to print out and follow the steps outlined below to help ensure that your computer is safe and clear of the MSBlast.exe virus or LovSan Web Worm.

Close all open programs and press and hold down the following keys simultaneously: Ctrl (Control), Alt and Delete
Click the Task Manager button
Select the Processes tab


Click the Image Name column to sort the list in alphabetical order


Select the msblast.exe file by clicking on it once. Then, click the End Process button. If you do not see msblast.exe in the list of running tasks, please proceed to Step 6 as you should still check your system for the Worm and apply the Microsoft patch. (Some operating systems require that you log in as Owner/Administrator in order to install this patch)


Now you can close the Windows® Task Manager screen by clicking the X in the upper right hand corner.
Next, determine which operating system you are using. Since Microsoft has different patches to protect each operating system, you will need to know which operating system you have on your computer.
Click on the Start button, go up to Run. Type winver and press the Enter key. The window displayed will indicate which operating system is being used (Windows(r) 2000, Windows(r) XP, etc.)
Once you have determined your operating system, go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
and click on the link for your operating system.


Click Download on the right side of the page.


Choose Run or Open from this location.


Confirm security warning pop-up by clicking Yes.
Follow pop-up instructions.
Once your computer has finished go to http://securityresponse.symantec.com/avcenter/FixBlast.exe
when prompted click Open.
When it has finished, you will have successfully checked your system for the MSBlast Worm and installed the patch.
Please note: If done incorrectly, some of the steps in this FAQ can cause problems with your Operating System. You should carefully review all terms, policies, and instructions on any of the websites that you visit while following these steps.
We thank you for taking the time to ensure that your computer is protected.


0

Response Number 44
Name: Tonia7774
Date: September 4, 2003 at 06:25:39 Pacific
Reply:

Hi. Sorry if the answer to this question has already been posted somewhere else...I found this page after doing a google search ["System Volume Information" restore lovsan] and don't have time to read through the whole board, as I am at work.

My Windows XP Professional OS is exhibiting the same symptom as "Dr. Bazza's" did (see August 14 posting)--that is, after contracting the Blaster and Lovsan worms, I patched XP and cleaned it (using AVG 6.0 virus protection), but there's still a lovsan worm in one of the "System Volume Information" restore executable files. AVG keeps detecting the presence of the worm in the file, and sends me popup messages telling me to clean it, but the anti-virus program itself doesn't locate the worm when I take AVG's advice and run it. The worm doesn't show up in the system task list (Blaster did), and doesn't seem to be doing anything at the moment. My guess is that the restore file isn't something that is active, nor can it really be cleaned. Is my system in any danger? What should I do? I can't seem to directly access the c:/system volume information directory using Windows Explorer. Any suggestions would be greatly appreciated.


0

Response Number 45
Name: Tonia7774
Date: September 5, 2003 at 10:25:34 Pacific
Reply:

Umm...nevermind. I talked to a friend of mine who said it'd be okay to delete the system restoration files. So I went into the system control panel, found the "system restore" window, and erased the existing data. So far, so good...and no more reports of a lurking worm!


0

Response Number 46
Name: WhispyWizard
Date: September 18, 2003 at 07:55:41 Pacific
Reply:

Can you delete the virus once you have installed the patch ?

it is in my system32 folder and by the sound of it, is also in my reg files
(HKLM\Software\Microsoft\Windows\CurrentVersion\Run)

is it ok if i delete them now? will it destroy my computer?

also i have noticed that counter-strike servers won't let me into their games since i have downloaded the patch, is this fixable?


0
