I've cleared the virus and rebooted, and checked again that it really is gone (yes no sign of it) - but I am still getting the W2000 error of svchost.exe getting errors and being closed down which causes all sorts of follow up problems.

I've just downloaded and installed the W2000 patch so maybe that will do the trick, but what I do not get is

1, how / where I got the virus in the first place (I am on a dial-up) - does it have to be email? and

2, why I am still getting the svchost errors (maybe the patch really will have fixed that though I suspect it doesn't work quite so nicely as that)

ayj

ahahahaha, still plugging away half wit? If you want to be more believable (so the FTC doesn't laugh in your face a second time) I suggest making up SEVERAL fake names on that board and have them all agree with each other.

The way you are going about it is amateurish at best.

at least your making posts at night to keep us all thinking you're here more than just the weekend.
:1orglaugh

How's that FTC investigation coming along? Will we be seeing the end of SI anytime soon? :1orglaugh

Anyways, to the topic at hand. I got an email from my ISP about this exploit, and a warning from my brother. Stupidly, i gave it the "i'll sort it out tommorrow" attitude. So i try to use my computer this morning. Within a minute or two of connecting to the internet, my computer shuts down. So i restart, same thing. Again and again. Luckily, i back up all my shit just in case anything like this happens. Anyways. Got my brother over to fix it all up, which he did. But yeah, when you get these warnings, update that shit ASAP. Not pleasant what these things can do.

dude that shit is pretty fucked up... my aunt just bought a new HP pc from best buy and it came infected with that virus... I went over and set up her computer for her cable modem.. and as soon sa I put it online I stated getting that shut down message... Best Buy did the intial set up for her, and I assume they infected it when they set it up... but it's pretty bad when you buy a PC from a national chain store and it comes ifeced with a virus.

why don't you like the mac jeff?

thank you very much :thumbsup

I posted this on another forum but here is my message.

For windows XP

After being on the phone with MS techs for over an hour they finally found the solution.

After many reboots.

Enable your XP firewall, this will stop more attacks on your system.

Check your systems for "msblast.exe" -- if you have this file you going to know about it damn soon.

If you do, do this.

1. Get the MS update NOW - credical update 823980
Its about 1.3MB in size.

Go to regedit > HKEY_LOCAL_MACHINE > software > Microsoft > windows > currentversion > run >

If you see a entry called "msblash.exe" delete it.
EXIT

Press Crtl + Alt + Del -- windows task manager will popup, find msblast.exe and right click > "End Process".

Load Windows Explorer > Search C:\windows\ for "msblast.exe" -- there should be 2 files. Delete them both.

If you don't do the MS update of the patch then these files will come back.

If you have it you are given 60 seconds and it will shut down you machine.

This worm is new and it's launch date is the 12th, but it's out now at a computer near you.

Hope this helps someone. :D

Thanks for the patch, I think it worked.

DH

I hate to beat this with a dead horse, I did all of that last night, i did the patch, I deleted out the reg key and the msblast.exe file from windows/system32/ and any other file associated with it.

However, it takes awhile, but it spawns a new name, when it pops up the RPC crash box, i go to the processes tab and I see cmd.exe running.

Then norton finds the virus again, except this time its called like TFT53495 or something like that...

I'm at work right now, and i'm trying to get my girlfriend to run through some more steps, I used to connect to my computer at home from work....but that'll stop now since i configured the firewall at home (just now did that)

Any updates on this for permanent fixes?

My computer at home seems to be seriously fucked over now. Time for a new computer anyway..

Home is running XP Pro.

Download this utility. It tells you what programs are using ports
http://www.webattack.com/get/activeports.shtml

I used it to find that msblast.exe was connecting to a lot of UDP ports yesterday. So I deleted the file and did the registry fix.

Hope that helps!

50 fucking worms! :BangBang:

Me too! Well, it didn't fuck up my harddrive, but so many things stopped working that worked the day before.

-Media Player would open a file, and crash
-Some hyperlinks wouldn't open in some pages (none on GFY)
-My mouse software was buggering up (buttons wouldn't work)
-Windows update wouldn't launch
-fonts were screwed up in Hotmail etc.
-Add/remove programs wouldn't start
-control panel/administrative tools/services - I couldn't right click on anything to change settings, no menu would pop up
-computer would hang on start up
-computer would hang once I got past the password login page
-couldn't start up in safe mode...

And on, and on!

So, I reinstalled Windows 2k, put the machine behind a linksys, and everything works 1005 now!

Ugh! Unfortunately we were among the very first people hit, and when I went looking to find out wtf was wrong with my computer, nobody even acknowledged that there was a problem yet. Everyone now knows what to do because there are sites on it etc, but if you let it go too long, it kills your harddrive. My system wouldn't even see that there was a drive c there. We had to take the hardrive out of the computer, put it into another system as a slave and run recovery software on it. It was a very tedious process :(

Oh I should also mention that it has a keystroke logger, and if you have an ftp program installed it will log into a remote system for further instructions, as well as installing new and wonderful things on your system.

Thats the only thing I cant fix. Everything is gone, rebooted countless times, cleaned and recleaned. I am pretty damn sure there is nothing left.

Everything else is fine except I cant get links to open in explorer.

Right now am using Opera, I think I like it. Im gonne stick with it for awhile.

I gave up trying to fix things last night, and just reinstalled Windows 2k. Everything works good now, although I am not patched. So I will sit behind a linksys instead. (the patches fucked up my computer even more)

That one scares me. I am behing a Linksys now, so I am not worried about intrusions. But I am worried about things going out.
Do you know the name of the keystroke logger?
Nothing is unusual in Active Ports, maybe I caught msblast.exe in time.

Or Mozilla.. Mozilla is nice and fast.

\



I'm behind a Linksys too.. fortunately I was lucky because I didn't have an FTP program installed, but I changed all my bank info just in case. I shouldn't even have gotten infected, but my router power cycled and reset to default and that is what allowed the worm to get in :( It sucked!!

I deleted the registry entry and the msblast file but still got the shutdown error. A few minutes ago I have installed the MS patch. Will see if it works.

LadyMischief..... I running ws_ftp, do u suggest I reinstall? i had the worm but was able to kill it yesterday and download the patch successfully.

do you know the names of the new files being installed?

thanks

I just went through the joy of downloading all of Microsoft's patches after doing a fresh install of XP.

Over 100 MB's for service pack 1, and I'm on dialup. And then there's still another 30 MB or so of patches after that.

It'll be another day before I get all my programs installed again.

Fuck you Microsoft.

I think TFTP is what you have to worry about, not ws_ftp.
I am still trying to figure out how to disable TFTP. That is one of the culprits.....:BangBang:

My computer shuts down every 2min. This worm sucks!

PATCH FOR WINDOWS XP

CLICK HERE FOR MORE INFO

I haven't read all the responses, but I can tell you this...It is self replicating and requires no user interaction. You don't have to open an email. If you don't have the patch it will get you no matter what you do or don't do.

It's proven to me because the only thing I have done in the last 4 days is surf. No e-mail, no nothing. Still was infected.

normal thing, it transfers itself by a corrupted udp packet on port 135 and directly affects the RPC, but hey, even if you have the patch, you're still infected, gotta remove it :thumbsup

I posted how to completely remove it on the first page of the thread