Another Q on the Worm (Blaster)
I just tried running the "tool", but half way through it gives me an error message and quits, any idea why? I'm running Win2000. I got the tool from someone who listed it here, off sarc.

Thank you,
Patricia

Current version is 1.62r | "Using TBUDL" information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: Another Q on the Worm (Blaster)
Checking and getting rid of Blaster is relatively easy. The only way of preventing a reinfection is to download the patch - try http://windowsupdate.microsoft.com

> Detection
>
> The worm is very easily detected by users. Pressing
> control-alt-delete, then clicking on "Task Manager" and selecting
> the "Processes" tab will bring up a list of processes running on the
> machine. Clicking on "Image Name" will sort the processes
> alphabetically. If there is a process named "msblast.exe" running on
> the system, then it has been infected by the worm.

I did download the above and it let me install it, so I guess I'm clean. I tried the detection and I have Win2000, so I do not have a Processes tab.

Patricia
Re[2]: Another Q on the Worm (Blaster)
At 10:11 PM 8/12/2003 -0400, you wrote:

It ran fine, first time, on both the computers here, both running Win2K :-/

--
Deborah

Sorry for top posting before, I forgot! I've tried the exe 3 times now.

Patricia
Re: Another Q on the Worm (Blaster)
On Wed 13 August 2003, 13:06:22 +1000, Patricia wrote:

> I've tried the exe 3 times now.

Checking and getting rid of Blaster is relatively easy. The only way of preventing a reinfection is to download the patch - try http://windowsupdate.microsoft.com

To get rid of it (this is an extract from http://www.zdnet.com.au/itmanager/technology/story/0,229587,20277172,00.htm)

> Detection
>
> The worm is very easily detected by users. Pressing
> control-alt-delete, then clicking on "Task Manager" and selecting
> the "Processes" tab will bring up a list of processes running on the
> machine. Clicking on "Image Name" will sort the processes
> alphabetically. If there is a process named "msblast.exe" running on
> the system, then it has been infected by the worm.
>
> Prevention
>
> The best prevention is to install the patch from Microsoft. Users
> who have not yet patched their Windows 2000, NT, and XP systems
> should do so.
>
> Removal
> The worm is relatively easy to clean up after detection.
> ... it will be necessary to delete the worm's executable file,
> msblast.exe. However, its process must be stopped before it can be
> deleted.
>
> Log in with administrator rights, load up the "Task manager" again
> as described above. Click on the "Image Name" field under the
> "Processes" tab and click once on the "msblast.exe" process. Press
> "End Process" to stop it from running.
>
> The worm's executable file will be found in the system32 directory,
> which is a subdirectory of (by default) the "winnt" directory in
> Windows 2000 machines, and the "windows" directory in Windows XP
> installations.
>
> Use Windows Explorer to navigate to the system32 directory, locate
> the msblast.exe file and delete it.
>
> Reboot your system. Done!
>
> The final step, removing the registry key created by the worm, is
> optional. It isn't really that important -- the key simply causes
> the worm to start every time the system is re-booted, but once the
> worm file itself is deleted it's redundant anyway.
>
> This is done manually by using the registry editor. It is important
> to note that making incorrect changes to the registry can have
> catastrophic consequences.
>
> Load the registry editor by clicking on the start button, navigating
> to "Run..." and typing in "regedit". Run regedit and navigate to the
> following "key".
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>
> In the right hand section of the registry editor, the following
> value will be found:
>
> "windows auto update"="msblast.exe"
>
> Delete it.
>
> Reboot. Done!

Good luck.

--
Robin Anson
Using The Bat! v1.62r on Windows XP 5.1 Build 2600 Service Pack 1
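
The three indicators named in the extract above (running process, file in system32, Run-key value), checked read-only in one pass. This is an added example, not part of the original post or the quoted article; the use of PowerShell and the function name Test-BlasterIndicators are assumptions of the example, and it only reports, it deletes nothing.

```powershell
# Added example: read-only check for the Blaster indicators quoted in this thread.
# It reports findings only and changes nothing on the system.

$ImageName = 'msblast.exe'   # process / file name given in the thread
$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'windows auto update'   # autostart value name given in the thread

# Hypothetical helper name; returns one string per indicator found.
function Test-BlasterIndicators {
    $findings = @()

    # 1. Running process (what the Task Manager "Processes" tab would list).
    $name = [IO.Path]::GetFileNameWithoutExtension($ImageName)
    $proc = Get-Process -Name $name -ErrorAction SilentlyContinue
    if ($proc) {
        $ids = ($proc | ForEach-Object { $_.Id }) -join ', '
        $findings += "process $ImageName is running (PID $ids)"
    }

    # 2. Executable in system32. SystemRoot resolves to the "winnt" or
    #    "windows" directory, so both defaults from the extract are covered.
    $file = Join-Path $env:SystemRoot "system32\$ImageName"
    if (Test-Path -LiteralPath $file) {
        $findings += "file present: $file"
    }

    # 3. Autostart entry under the Run key.
    $run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($run) {
        $findings += "Run value '$RunValue' = '$($run.$RunValue)'"
    }

    return $findings
}

# @() forces an array even when nothing was found.
$result = @(Test-BlasterIndicators)
if ($result.Count -eq 0) {
    Write-Output 'None of the three Blaster indicators were found.'
} else {
    Write-Output 'Blaster indicators found:'
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

A clean result only means these three traces are absent; it says nothing about whether the Microsoft patch is installed, which the thread names as the only protection against reinfection.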
Re: Another Q on the Worm (Blaster)
Hi Krister!

In message mid:[EMAIL PROTECTED] on Wednesday, August 13, 2003, 6:25:58 AM, you wrote:

KE> Wednesday, August 13, 2003, 8:37:33 AM, you wrote:

ESoV>> Right click on My Computer and ask for Properties, then click on
ESoV>> the tab, "System Restore". Disable it there. Be sure to
ESoV>> reenable it when you are done using this tool.

KE> Thanks to all who helped me out with this. I didn't find the system
KE> restore under the properties of "My computer" however, it turned out
KE> that I have the patch that plugs that hole through which the worm could
KE> come in, so everything is ok here, anyways, thanks a lot for all help!

I RE-discovered a few days ago that my System Restore wasn't on. I discovered that the System Restore service (in Control Panel -> Administrative Tools -> Services) would refuse to start, giving an access error. Try it on your system and see what happens; the error message should give you a clue as to what the problem was.

For me, it turned out to be a problem with the ACL settings on my system drive. I fixed that with SecEdit:

    secedit /configure /db mysec /cfg "c:\windows\security\templates\setup security.inf"

This re-sets the default security settings. Note that doing this may cause some problems if your file security is messed up (especially if you upgraded from FAT32) and you have worked around it; fixing file security may force you to undo the workarounds. You need to be administrator in order for secedit to run.

I think System Restore also requires a certain minimum amount of space on the drive; I don't know what will happen if you're below the minimum.

--
--Scott.
mailto:[EMAIL PROTECTED]
Using The Bat! 1.63 Beta/11 under Windows XP 5.1 Build 2600 Service Pack 1 on an AMD Athlon XP 1900 (1.6G real, 1.9G effective) with 512MB.
Re: Another Q on the Worm (Blaster)
Hi Deborah,

In a message with mid:[EMAIL PROTECTED] On 12 Aug 2003 22:11:15 (my local time 13 aug 2003 04:11:15), you typed:

DK>> I had the same thing happen on my Win2K box at work. I ran it at
DK>> home a few minutes ago on my WinXP box and it ran fine. Bug?

DW> It ran fine, first time, on both the computers here, both running Win2K
DW> :-/

I can't run it at all, since I can for the life of me not find the "system restore" thing on my Win XP Pro. Where should I look for it? Symantec said you should turn it off, but as I said I can't even find it, so I don't know if I've got it.

--
-- /Krister
mailto:[EMAIL PROTECTED]
This mail brought to you by The bat! V2.0 Beta/1, on Windows XP 5 1 build 2600
Pgp keys available here: Mailto:[EMAIL PROTECTED]
Re: Another Q on the Worm (Blaster)
On Tuesday, August 12, 2003 8:38 PM, you wrote:

P> I just tried running the "tool", but half way through it gives me an error
P> message and quits, any idea why? I'm running Win2000. I got the tool from
P> someone who listed it here, off sarc.

I had the same thing happen on my Win2K box at work. I ran it at home a few minutes ago on my WinXP box and it ran fine. Bug?

Dave Kennedy
Re: Another Q on the Worm (Blaster)
Hello Patricia,

> I didn't hear much on it until recently, how does one get it,

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

IIRC the above link should be correct. I got it from TBOT mid:[EMAIL PROTECTED]

> is it another OE thing or something else?

Again IIRC NO, I believe it randomly scans IPs for an open port 135.

--
Best regards,
Greg Strong
TB! v2.0 Beta/1 on Windows XP Service Pack 1
Re: Another Q on the Worm (Blaster)
Hello Patricia,

Tuesday, August 12, 2003, 9:05:35 PM, you wrote:

P> Must be, well, I hope I don't get it! I installed the patch for it,
P> so I should be safe. I didn't hear much on it until recently, how
P> does one get it, is it another OE thing or something else?

Note: This moderator's interjection is a note to all readers and not just to the person being replied to, even if their post may have instigated this reply. Please don't feel singled out Patricia.

This posting violated the list rules regarding top posting. Top posting, i.e., typing all your reply text at the top of your message and following it with all quoted text below, is not encouraged and we actually request that you not do so on this list because a) It makes it difficult to glean context from what you typed at the top of the message and b) It encourages excessive quoting.

We would much prefer if you quote just that much of the message to which you're replying, so we know what it is you're referring to, and then below the quotation, type your response. If you're responding to more than one part of the original, then quote each part separately and follow each part with your response.

Now, I know that you may not personally prefer this format and that you may disagree with some of the reasoning here. We very much respect this. However, this is the format that most of the active members here prefer and all members are expected, and are being asked to use the format that will make most of the active membership here comfortable reading. You'll likely get a more responsive group when you post using a style that is comfortable for them to read and understand.

Thank you.

--
Leif (TB list moderator and fellow end user).
Using The Bat! 2.0 Beta/1 under Windows 2000 5.0 Build 2195 Service Pack 3 on a Pentium 4 2GHz with 512MB
Re[2]: Another Q on the Worm (Blaster)
On Tuesday, August 12, 2003, 10:05:29 PM, Dave Kennedy wrote:

DK> I had the same thing happen on my Win2K box at work. I ran it at
DK> home a few minutes ago on my WinXP box and it ran fine. Bug?

It ran fine, first time, on both the computers here, both running Win2K :-/

--
Deborah
Re: Another Q on the Worm (Blaster)
Hello Krister,

Wednesday, August 13, 2003, 8:20:57 AM, you wrote:

KE> I can for the life of me not find the
KE> "system restore" thing on my Win XP Pro

Settings > System > System Restore.

Don't forget to turn the System Restore back on afterwards!

--
Regards,
Ochrid
_ The Bat! vs 2.0 op Windows XP _
Re: Another Q on the Worm (Blaster)
> I can't run it at all, since I can for the life of me not find the
> "system restore" thing on my Win XP Pro. Where should I look for it?
> Symantec said you should turn it off, but as I said I can't even find
> it, so I don't know if I've got it.

Start | Control Panel | System | System Restore tab, and then turn it off in there.

Another issue is that you may need to run the tool in "Safe Mode" otherwise I found that the virus kicked whilst it was running. In safe mode this will not happen.

The only problem is, when I ran this removal tool on an infected Windows XP machine, it ran fine and said it had located and removed the virus, however, it really hadn't and it kept being picked up by NAV and shutting down the machine, at this point the only thing that worked was the MS patch:

http://support.microsoft.com/default.aspx?scid=kb;en-us;823980

Hope this helps

Steve
OT: Another Q on the Worm (Blaster)
Hello Scott,

Wednesday, August 13, 2003, 11:25:01 PM, you wrote:

SM> I RE-discovered a few days ago that my System Restore wasn't on. I
SM> discovered that the System Restore service (in Control Panel ->
SM> Administrative Tools -> Services) would refuse to start, giving an
SM> access error. Try it on your system and see what happens; the
SM> error message should give you a clue as to what the problem was.

SM> For me, it turned out to be a problem with the ACL settings on my
SM> system drive. I fixed that with SecEdit:

Again...

Note: This moderator's interjection is a note to all readers and not just to the person being replied to, even if their post may have instigated this reply. Please don't feel singled out Scott.

This thread is moving into the Off-Topic realm. Please continue this on TBOT (this message has been CC'd to the TBOT list to maintain threading.) You can subscribe to TBOT by sending a message to: [EMAIL PROTECTED]

Thank you.

--
Leif (TB list moderator and fellow end user).
Using The Bat! 2.0 Beta/1 under Windows 2000 5.0 Build 2195 Service Pack 3 on a Pentium 4 2GHz with 512MB
Re: Another Q on the Worm (Blaster)
On Wednesday, August 13, 2003, 7:20:57 AM, Krister Ekstrom wrote:

> I can't run it at all, since I can for the life of me not find the
> "system restore" thing on my Win XP Pro. Where should I look for it?
> Symantec said you should turn it off, but as I said I can't even find
> it, so I don't know if I've got it.

According to Woody's Windows Watch, you should open the Task Manager and look at the Process list. If you have msblast.exe running then you are probably infected. The removal tool will remove the program from your system - ending the process will stop it until the next reboot.

You can find the most recent version of Woody's Windows Watch (WWW #6.14 - Getting Blaster'd) at http://www.woodyswatch.com/windows/archtemplate.asp?6-14 which contains lots of information on Blaster and what you can do.

Julian

--
Using The Bat! v1.62r on Windows XP 5.1 Build 2600 Service Pack 1
Re: Another Q on the Worm (Blaster)
> I can't run it at all, since I can for the life of me not find the
> "system restore" thing on my Win XP Pro. Where should I look for it?
> Symantec said you should turn it off, but as I said I can't even find
> it, so I don't know if I've got it.

Right click on My Computer and ask for Properties, then click on the tab, "System Restore". Disable it there. Be sure to reenable it when you are done using this tool.

Elaine
Re: Another Q on the Worm (Blaster)
Must be, well, I hope I don't get it! I installed the patch for it, so I should be safe. I didn't hear much on it until recently, how does one get it, is it another OE thing or something else?

Patricia

At 10:05 PM 8/12/2003 -0400, you wrote:

On Tuesday, August 12, 2003 8:38 PM, you wrote:

P> I just tried running the "tool", but half way through it gives me an error
P> message and quits, any idea why? I'm running Win2000. I got the tool from
P> someone who listed it here, off sarc.

I had the same thing happen on my Win2K box at work. I ran it at home a few minutes ago on my WinXP box and it ran fine. Bug?

Dave Kennedy
Re[2]: Another Q on the Worm (Blaster)
Hello ETM,

Wednesday, August 13, 2003, 8:37:33 AM, you wrote:

ESoV> Right click on My Computer and ask for Properties, then click on
ESoV> the tab, "System Restore". Disable it there. Be sure to
ESoV> reenable it when you are done using this tool.

Thanks to all who helped me out with this. I didn't find the system restore under the properties of "My computer" however, it turned out that I have the patch that plugs that hole through which the worm could come in, so everything is ok here, anyways, thanks a lot for all help!

--
Best regards,
Krister
mailto:[EMAIL PROTECTED]
Re: Another Q on the Worm (Blaster)
Hello Patricia,

Tuesday, August 12, 2003, 9:06:22 PM, you wrote:

P> Sorry for top posting before, I forgot!

Oops, I had modded your top post before I saw your apology.

Ahem, I hate to do this twice in a row to you, but...

This moderator's interjection is a note to all readers and not just to the person being replied to, even if their post may have instigated this reply. Please don't feel singled out Patricia.

Please include a signature delimiter in your messages. This consists of a , i.e., a '-- ' by itself on a line. This allows your readers, when replying, to quote your text without the signature and list footers since everything below and including the sig delimiter is excluded when quoting. You can easily automate this process by including the sig delimiter in your templates.

Thank you.

--
Leif (TB list moderator and fellow end user).
Using The Bat! 2.0 Beta/1 under Windows 2000 5.0 Build 2195 Service Pack 3 on a Pentium 4 2GHz with 512MB