Currently talking with friend over phone to try to take off blaster worm. Finally able to access task manager but she couldn't find msblast.exe under the processes list.
Tried to get to the run command prompt but not able to type in commands like "shutdown -a" or "dcomcnfg.exe" to shut down the Distributed COM service which supposedly stops the rebooting.
What can we do to stop the rebooting long enough to apply the MS patch and/or run McAfee with the latest virus def., etc.?
THANKS!
Edit: Got off phone. No luck and will try again tomorrow. We were not able to access the various drives on the computer, even in safe mode. We had downloaded a patch from MS onto a flash drive but were not able to find it after rebooting. In fact, none of the drives were visible.
The damn machine also takes forever to load up and I suspect that all the stuff that we need to load doesn't load in time to make changes, such as being able to write commands in the run command prompt or even seeing drives.
Does this virus have a different name in the task manager process screen other than msblaster.exe? I've seen the other variants but the different "exe" names weren't visible in the task manager either.
Update: My friend was on the phone with MS last night. Said that her startup file was corrupted and was rather surprised that she was having difficulties even in safe mode. Suggested that it's probably different than blaster, perhaps a new variant. She's going to be talking with the MS operating system folks next. Something tells me there's a reinstall in her future.
HELP! Removal of Blaster worm from friend's computer!!!
- $iljanus
- Forum Moderator
- Posts: 14108
- Joined: Wed Oct 13, 2004 3:46 pm
- Location: New England...or under your bed
"Who's going to tell him that the job he's currently seeking might just be one of those Black jobs?"
-Michelle Obama 2024 Democratic Convention
Wise words of warning from Smoove B: Oh, how you all laughed when I warned you about the semen. Well, who's laughing now?
- JSHAW
- Posts: 4514
- Joined: Wed Oct 20, 2004 2:03 pm
You should be able to find the "removal tool" for Blaster on Symantec's website.
Here's the link - follow the instructions -
http://securityresponse.symantec.com/av ... .tool.html
- $iljanus
- Forum Moderator
- Posts: 14108
- Joined: Wed Oct 13, 2004 3:46 pm
- Location: New England...or under your bed
JSHAW wrote: You should be able to find the "removal tool" for Blaster on Symantec's website.
Here's the link - follow the instructions -
http://securityresponse.symantec.com/av ... .tool.html

Thanks JSHAW. We actually have a removal tool ready to go on a flash drive. Unfortunately, we cannot access the flash drive nor can we go on the internet to try to download it nor can we access RPC service to stop it from restarting the computer. If I were there, I would yank out the drive and pop it into a spare rig as a slave drive and disinfect it from there. But my friend is at her parents' house for the holidays, which is an hour away.
Looking on the CERT site now for possible clues.
"Who's going to tell him that the job he's currently seeking might just be one of those Black jobs?"
-Michelle Obama 2024 Democratic Convention
Wise words of warning from Smoove B: Oh, how you all laughed when I warned you about the semen. Well, who's laughing now?
-Michelle Obama 2024 Democratic Convention
Wise words of warning from Smoove B: Oh, how you all laughed when I warned you about the semen. Well, who's laughing now?
- $iljanus
- Forum Moderator
- Posts: 14108
- Joined: Wed Oct 13, 2004 3:46 pm
- Location: New England...or under your bed
JSHAW wrote: How about burning the removal tool onto CD-R and mailing it to the people with the infected pc?

No dice. All drives, including CD drives, were not able to be recognized/accessed. They had another computer so access to removal tools wasn't a problem. Not being able to find the usual processes associated with the blaster worm as well as the inability to do the usual things one can do in start up (even in safe mode) leads us to believe that something else is also going on. I'll bet on a different blaster variant since the error message that is associated with blaster remains the same. Ugh.
My friend is driving back home and taking it to a good computer shop we know. If I were closer this morning, I would have taken out the hard drive and installed it on a spare rig I have as a slave, then tried to disinfect it that way. But it's just as easy to let the computer shop do what needs doing as well.
Thanks JSHAW for helping though!
"Who's going to tell him that the job he's currently seeking might just be one of those Black jobs?"
-Michelle Obama 2024 Democratic Convention
Wise words of warning from Smoove B: Oh, how you all laughed when I warned you about the semen. Well, who's laughing now?
-Michelle Obama 2024 Democratic Convention
Wise words of warning from Smoove B: Oh, how you all laughed when I warned you about the semen. Well, who's laughing now?