Cannot remove blast worm

ufukeskici · October 3, 2008, 12:51am

Duis mollis, est non commodo luctus, nisi erat porttitor ligula, eget lacinia odio sem nec elit. Sed posuere consectetur est at lobortis. Vestibulum id ligula porta felis euismod semper. Donec ullamcorper nulla non metus auctor fringilla. Aenean lacinia bibendum nulla sed consectetur. Cras justo odio, dapibus ac facilisis in, egestas eget quam. Cras mattis consectetur purus sit amet fermentum. Morbi leo risus, porta ac consectetur ac, vestibulum at eros. Sed posuere consectetur est at lobortis. Etiam porta sem malesuada magna mollis euismod. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Duis mollis, est non commodo luctus, nisi erat porttitor ligula, eget lacinia odio sem nec elit. Cras justo odio, dapibus ac facilisis in, egestas eget quam. Aenean eu leo quam. Pellentesque ornare sem lacinia quam venenatis vestibulum. Curabitur blandit tempus porttitor. Sed posuere consectetur est at lobortis.

Dieselman743 · October 3, 2008, 1:03am

Download and install Malware Bytes Anti Malware. Also are you using IE? If so switch to Firefox.

http://www.malwarebytes.org/

Quads · October 3, 2008, 1:28am

You mean this dialog??

undefined

There are a few variants.

Look for this registry entry and delete

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows automation = (one of the file names below)"

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update =(one of the file names below) "

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Inet Xp.. =(one of the file names below) "

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig =(one of the file names below) "

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Nonton Antivirus =(one of the file names below) "

"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Nonton Antivirus =(one of the file names below) "

"HLKM\Software\Microsoft\Windows\CurrentVersion\Run\www.hidro.4t.cXm =(one of the file names below) "

Remove any of the files below on your PC

msblast.exe, penis32.exe, wuaumgr.exe, teekids.exe, root32.exe,msconfig35.exe, mspatch.exe, mslaugh.exe, enbiei.exe

Cheers

Quads

[edit: Broke AutoGenerated link, Actual reg key ended in .com not .cXm .]

Message Edited by Allen_K on 10-02-2008 09:35 PM

reese_anschultz · October 3, 2008, 1:47am

ufukeskici, do you have a Norton product installed? If so, which one and what year?

Also, you need to install Windows updates as soon as you possibly can because Microsoft fixed the blaster vulnerability years ago and there's no reason that anybody should still be getting exploited by this.

Quads · October 3, 2008, 5:09am

reese_anschultz wrote:
ufukeskici, do you have a Norton product installed? If so, which one and what year?

Also, you need to install Windows updates as soon as you possibly can because Microsoft fixed the blaster vulnerability years ago and there's no reason that anybody should still be getting exploited by this.

That's what I thought, though ufukeskici already stated he had XP Service Pack 3 installed so the fix 'should' already be included, as far as I know.

Fascinating

Thanks

Quads

reese_anschultz · October 3, 2008, 5:33am

I forgot that he said xp sp3 was installed. He should be protected from Blaster.

ufukeskici · October 3, 2008, 10:49am

@Quads,

That's exactly what I get.

I have symantec antivirus 10.1.5.5000 version 2.10.2008 rev 4

I had sp2 before threat i installed sp3 after threat.

i tried spybot s&d, malware and adware but nothing happened. they couldn't find anything!

Floating_Red · October 3, 2008, 10:52am

ufukeskici wrote:
@Quads,

That's exactly what I get.

I have symantec antivirus 10.1.5.5000 version 2.10.2008 rev 4

I had sp2 before threat i installed sp3 after threat.

i tried spybot s&d, malware and adware but nothing happened. they couldn't find anything!

Please buy N.I.S. 2009 from the symantec Online Store as soon as possible.

Tony_Weiss · October 3, 2008, 5:46pm

ufukeskici wrote:
I have symantec antivirus 10.1.5.5000 version 2.10.2008 rev 4

If you would like to discuss Symantec enterprise products (like Symantec AntiVirus 10) please visit https://forums.symantec.com/. These Norton forums are specifically for consumer product discussion. I apologize for this inconvenience.

Quads · October 3, 2008, 8:12pm

Hi

That soves that, it infected an SP 2 system before it got upgraged to SP 3

One of the Files and the Registry entries should be there, What I mean by "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update =(one of the file names below) " is for instance replace the brackets etc with one of the file names. Like

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update = msblast.exe "

Quads

ufukeskici · October 4, 2008, 6:24pm

I checked the regedit but couldn’t find any registry value called “windows auto update”…

Quads · October 4, 2008, 7:22pm

did you try searching for the other registry entries, Plus searching for the files listed on your hard drive that I stated earlier on??

Quads

ufukeskici · October 4, 2008, 8:10pm

no files like them.

Quads · October 5, 2008, 1:53am

Can I ask what advised you that you had the blaster worm?? Seeing has you the removal tools and manual searching did not find anything.

You could for now change the RPC recovery settings so that the PC won't restart.

And specifically block the port(s) with your firewall.

Quads

Quads · October 6, 2008, 2:19am

Did you fix the Problem??

Do you know how to change the RPC etc??

Quads

ufukeskici · October 6, 2008, 5:51am

I just changed the RPC. But I do not know if I have still that virus or not.

Quads · October 6, 2008, 6:54am

Hi

You can also block specifically port 135 in your firewall settings which is the port that the RPC group of trojans/ worms use.

Quads

Cannot remove blast worm

Announcements