Mon 11 Aug, 2003 05:20 pm
This may be disjointed. That is at the crux of my problem.
I can log on to my computer but, whatever site I'm on, after a couple of minutes, I get a pop-up saying that, and this is the full quote:
(oops, it just popped up again. In 20 seconds, I'm gone)
Is that the text? Please come back and re-post it.
Thanks, Craven...I beat the clock by a micro-second. Here is the full text:
This system is shutting down. Pls save all work in progress and log off...
back in a sec
Hmmm.. Sounds like someone is playing with the latest Windows RPC Vulnerability....
It does indeed sound that way. Update your Anti Virus Program, Update your OS and turn on a firewall (because this exploit opens some ports for attacks).
Murray S posted a great thread about this:
W32.Blaster.Worm
The full message is, if I can get it in: This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. The shutdown was initiated by NT AUTHORITY/SYSTEM.
Message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.
Then it's pretty certain that you have the virus Murray warned about. In his thread there is a plethora of advice.
He gave two links that contain removal instructions:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
and
http://vil.nai.com/vil/content/v_100547.htm
Thanks. I've got no idea what y'all are talking about but I'm sure that one of the kids doing yardwork on the property will. -rjb-
Real Nasty Virus
Howdy RJB:
What it means is that you got bit by a REAL nasty virus..
The links Craven gave you are a couple of av sites with removal instructions as well as how to update Windows/IE so it doesn't get you again !!
Murray
One final stupid question. How can one go through the removal process when the virus keeps turning off the computer?
Need This First
Get the following first.. you should be able to stay on long enough to get it.. install it next time on..
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Murray
Quick Patch
RJB:
If the machine can boot at all do this quick patch:
Do this in Safe Mode !!
(Do not access the Internet yet)
First open task manager, find and end the process 'msblast.exe'
Second, delete the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Find the value windows auto update
if its value in the right panel is C:\windows\system32\msblast.exe delete the key.
Finally, delete the file c:\windows\system32\msblast.exe
reboot.
Murray
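The three steps in the quick patch above (process, Run value, file), written out as a PowerShell check. This is an added example, not part of the original posts; the `-Remove` switch is a hypothetical name, and without it the script only reports what it finds. It assumes an elevated prompt in Safe Mode with the network disconnected, and it touches only the one value named in the post, not the Run key itself.

```powershell
# Added example (not from the thread): report, and optionally remove,
# the msblast.exe artifacts named in the quick-patch post.
param([switch]$Remove)   # hypothetical switch; omit it for a read-only check

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'windows auto update'
$wormFile  = Join-Path $env:SystemRoot 'system32\msblast.exe'
$findings  = @()

# Step 1: the running process (Get-Process takes the name without ".exe").
$procs = @(Get-Process -Name 'msblast' -ErrorAction SilentlyContinue)
if ($procs.Count -gt 0) {
    $pids = ($procs | ForEach-Object { $_.Id }) -join ', '
    $findings += "process msblast.exe running, PID(s): $pids"
    if ($Remove) { $procs | Stop-Process -Force }
}

# Step 2: the autostart value. Only this one value is checked and removed;
# every other program's entry under the Run key stays in place.
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run -and ($run.$valueName -match 'msblast\.exe')) {
    $findings += "Run value '$valueName' = $($run.$valueName)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valueName }
}

# Step 3: the file on disk.
if (Test-Path -LiteralPath $wormFile) {
    $findings += "file present: $wormFile"
    if ($Remove) { Remove-Item -LiteralPath $wormFile -Force }
}

if ($findings.Count -eq 0) { 'No msblast.exe artifacts found.' }
else { $findings }
```

Running it once without the switch and once more after a reboot shows whether any of the three artifacts came back.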
Here is the full write-up with removal instructions. Print them out:
MSBlast W32.Blaster.Worm :: history and removal instructions
Thanks. I printed and one of the kids doing my yardwork should be able to figure it out. -johnboy-
You might want to keep the URL off the thread too because it has a link to a removal tool that you'll want to download.
But really, you should try to do this yourself:
Just download this program to a place that you will remember (e.g. your desktop):
http://securityresponse.symantec.com/avcenter/FixBlast.exe
Then go offline and run the program. Then get back online and update your antivirus definitions and then do a full scan.
That's the bulk of it and the rest is just to be sure.
Craven: I printed out your nine page article on Blaster. It was quite interesting although, of course, most of it went over my head.
Believe it or not there are a few things that I am very good at. Computers are not one.
So I ran the Symantec fix this afternoon. Three times. It takes 8 minutes. I got the message that "W32...has been successfully removed!" But five minutes later it was back.
I have never downloaded programs nor do I open attachments to e-mails from strangers. So where is it lurking? IT'S BACK!!!
Follow the manual instructions. Read them and get links to some of the steps and print them (e.g. turning off system restore).
It should not be too difficult to complete the manual steps as long as you read everything first and pay attention to each step.
Many viruses make backup copies of themselves and hide in other directories... They run another process that checks for the main copy, if it's missing.... they recopy themselves to remain working. So your best bet is to find ALL instances of the registry keys and delete them... and to find ALL files that execute the worm and remove those as well.
It's also possible that someone has installed a trojan on your machine and can control it remotely....
Not a Virus
USAF:
This was a worm NOT a virus and it behaves a tad differently.. Doesn't attach to other files.. keeps to itself and simply wreaks havoc on whatever system it gets into !!
Murray
For what it's worth Murray, I was not able to find msblaster in tasks. To shorten the time involved, I first enabled the XP firewall as you mentioned elsewhere. In desperation, I made the Symantec URL a favorite to save another few seconds. Time to complete the dial up connection varied from one attempt to another, but I was ultimately successful.
Maybe some of these stunts will help someone else.