[thelist] The New Worm - need some help to clean it

patrick pms at stoutstreet.com
Mon Aug 11 21:33:35 CDT 2003 

tom,
also hunt up the registry:
1) Delete msblast.exe (usually found at: winnt\system32\msblast.exe)
2) delete the Registry key: 
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows 
auto update" . That key should contain the "msblast.exe" process, and is 
what starts it up again on reboot.

Tom Dell'Aringa wrote:

>--- Michael Pemberton <mpember at phreaker.net> wrote:
>  
>
>>Are you running an NT based OS? (NT / 2K / XP)
>>What is the name of the process? (???.exe)
>>    
>>
>
>The process is msblast dot ee ex ee. I am runing WinXP Home edition
>(sorry I failed to mention that). One thing that I don't know, is it
>32 or 64 bit version? There are 2 patches (which are almost
>impossible to download with the worm causing massive packet loss). 
>
>  
>
>>Do you have a copy of ERD Commander from Winternals?  If not, then
>>Safe mode Command prompt may be enough.
>>    
>>
>
>DOn't have it never heard of it...
>
>  
>
>>Try locating the file and deleting it.
>>    
>>
>
>DOesn't help, re-spawns after reboot. 
>
>I will try the 14 step list just posted. I have also downloaded
>ZoneAlarm which is blocking the port 135 etc attacks which is mainly
>keeping the PC up at least - so if you get this and you don't have ZA
>- do that first and it will at least allow you to work a bit.
>
>If anyone knows - MS site suggest disabling DCOM, what effect might
>this have on other services? Anyway I have tried that. The link after
>the 14 point list merely leads to that suggestion and the download of
>the patch which I think I already have/installed and has NOT cleaned
>the machine.
>
>I hope you all don't mind these posts, the suggestions have helped
>and hopefully if someone comes across this my work can save them some
>time.
>
>Tom
>
>=====
>http://www.pixelmech.com/ :: Web Development Services
>http://www.DMXzone.com/ :: Premium Content Author / JavaScript / Every Friday!
>http://www.maccaws.com/ :: Group Leader
>[Making A Commercial Case for Adopting Web Standards]
>
>"That's not art, that's just annoying." -- Squidward
>  
>

-- 

patrick sanders
http://www.stoutstreet.com
web sites that fit

More information about the thelist mailing list