WinXP/MSBlaster Worm probs

kernow

Superior Being
25 Year Member
Joined
Sep 1, 2001
Posts
38,859
ohh,

My boss's laptop has two funny processes running

MSBLAST.EXE
MSLAUGH.EXE

now, ok, I've installed the winxp hotfix, I reboot, and find these two processes are STILL there,

oh for fucks sake.

anyway, I can end the processes no problem, but obviously this hot"fix" is supposed to stop them running at all.

anything else I should do?

I'm mildly panicking you could say...
 

kernow

Superior Being
25 Year Member
Joined
Sep 1, 2001
Posts
38,859
uhh, I :spock: again, at the fact I merely deleted the two service names and accompanying .pf files :spock:

now the processes don't run on boot, because they can't.. ahem

did I tackle this correctly?

why am I asking you?

should I leave my technician job in shame?

will J-Lo and Ben marry?
 

Phoenix Down

Flagstaff Up,
20 Year Member
Joined
Apr 20, 2002
Posts
3,669
The problem is that if the patch is installed after the computer is infected it won't do anything to stop the processes because it sees it as a normal program by then. The patch only keeps the worm from entering the computer.

As far as removal your suggestion may be ok, but to really clean it you probably should try downloading the Symantec tool (a lot of times for big outbreaks they have an .exe that you can just download and run rather than installing virusscan software)

This link has the tool to download: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Hope that helps.
 
Joined
Jan 25, 2001
Posts
1,996
Run some sort of antivirus software. Don't forget to turn off system restore. It can hide there sometimes. Also, you may have to find it in the registry and remove the value from there as well. The info should be somewhere on Symantec's website. Have fun..
 

beelzebubble

Knar Sdrawkcab, !t00w
15 Year Member
Joined
Feb 28, 2003
Posts
6,261
as long as you are still connected to the net they will get back on there... you need to disconnect and then remove them.. after that you'll prolly need a firewall..

that is what i had to do.. the only way i could stop them getting back on was to disconnect the net.

hope that helps
 

NeoSneth

Ned's Ninja Academy Dropout
20 Year Member
Joined
Oct 22, 2000
Posts
11,713
apply XP fixes
disconnect from internet

run ---> regedit
local machine/software/microsoft/windows/current/run
remove them from the "run" folder

then you need to find if they are hidden somewhere on your machine.

-turn off windows restore.
-remove the windows restore folder.
-turn on "show hidden files"
-go to program files and look for and delete hidden "Windows Update"

that should clear you up pretty well.
if you still get it, then it's hiding in some damned compressed file.
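
The checks suggested in the replies above (the "run" registry key, the running processes, and the .pf files mentioned earlier in the thread), as an added read-only example that is not part of any poster's message. It assumes a Windows system with PowerShell 3 or later; the full registry path, the per-user Run key and the Prefetch folder location are filled in here as assumptions and are not spelled out in the thread.

```powershell
# Added example: read-only triage for the two file names reported in this thread.
# Nothing is deleted or changed; the script only reports what it finds.
$names = 'msblast.exe', 'mslaugh.exe'      # names from the first post

# Autostart keys. The machine-wide key is the "run" key the steps above refer to;
# checking the per-user key as well is an assumption added for completeness.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($valueName)
        foreach ($n in $names) {
            if ($data -like "*$n*") {        # -like is case-insensitive
                $findings += [pscustomobject]@{ Where = $key; Item = $valueName; Detail = $data }
            }
        }
    }
}

# Processes still running under either name.
foreach ($n in $names) {
    $base = [IO.Path]::GetFileNameWithoutExtension($n)
    foreach ($proc in @(Get-Process -Name $base -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Where = 'Process'; Item = $proc.ProcessName; Detail = "PID $($proc.Id)" }
    }
}

# Prefetch entries (NAME.EXE-<hash>.pf) show that a program with that name has run
# on this machine, even if the executable has since been removed.
$prefetch = Join-Path $env:SystemRoot 'Prefetch'
foreach ($n in $names) {
    foreach ($f in @(Get-ChildItem -Path $prefetch -Filter "$n-*.pf" -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Where = 'Prefetch'; Item = $f.Name; Detail = "last written $($f.LastWriteTime)" }
    }
}

if ($findings.Count -eq 0) {
    'No trace of the listed names in the Run keys, running processes or Prefetch.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the Prefetch folder is readable; a hit in Prefetch without a matching Run value or process means the program ran at some point but is no longer set to start at boot.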
 

Takumaji

Krautmin
Staff member
Joined
Jul 24, 2001
Posts
20,465
Blaster is a hybrid worm/trojan that enters your system via a vulnerability in DCOM which provides remote procedure calls for certain network apps... exploiting this vuln actually is very easy, even more as a working perl exploit had been leaked on several security mailing lists (Bugtraq, Full Disclosure, etc.) when the worm appeared in August.

Get more info about it here on Symantec's web site, they also have a download link for a small removal tool.

Afterwards, go and download the latest XP security patches or simply use XP's auto update feature to patch the buggy DCOM and other holes.
 

Metal Fatigue

Robert Garcia's Butler
Joined
May 29, 2003
Posts
1,297
when I had it it was hiding in a fonts folder but you couldn't see it, I believe I removed it in DOS mode, deleted that directory or something.
 