
Thread: System shutdown, against my will

  1. #46
    Lumberjack Recognized Member RSL's Avatar
    Join Date
    Dec 1999
    Location
    Iowa
    Posts
    7,225
    Contributions
    • Former Administrator
    • Former Cid's Knight

    <i>1. Disabling System Restore (Windows XP)</i>

    Done.

    <i>3. Ending the Worm process
    To end the Trojan process:
    Press Ctrl+Alt+Delete once.
    Click Task Manager.
    Click the Processes tab.
    Double-click the Image Name column header to alphabetically sort the processes.
    Scroll through the list and look for msblast.exe.
    If you find the file, click it, and then click End Process.
    Exit the Task Manager</i>

    msblast.exe doesn't show up.

    <i>4. Scanning for and deleting the infected files
    Start your Symantec antivirus program and make sure that it is configured to scan all the files.
    For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
    For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
    Run a full system scan.
    If any files are detected as infected with W32.Blaster.Worm, click Delete.
    </i>

    Nothing.

    <i>5. Reversing the changes made to the registry

    CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type regedit

    Then click OK. (The Registry Editor opens.)


    Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


    In the right pane, delete the value:

    "windows auto update"="msblast.exe"


    Exit the Registry Editor.
    </i>

    No sign of "windows auto update"="msblast.exe" or anything mentioning msblast.exe.

    Doing all this, I wouldn't even think something was wrong if my computer hadn't been restarting like that. As for the patch not installing, I'm fairly certain that it's not because of the virus, but I haven't been able to figure out what it is.
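
The checks quoted in the post above (a running msblast.exe process and the "windows auto update" Run value), as an added example that is not part of the thread or of Symantec's removal tool. It parses `tasklist /fo csv /nh` and `reg query` output; the sample output is constructed and the function names are hypothetical.

```python
import csv
import io
import re

# Indicators quoted from the Symantec steps in the post above.
WORM_IMAGE = "msblast.exe"
RUN_VALUE = "windows auto update"

# One value line of `reg query` output: indented name, type, data.
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Constructed sample input (not taken from any real machine).
CLEAN_TASKS = '"svchost.exe","812","Console","0","4,532 K"\n"explorer.exe","1504","Console","0","18,204 K"\n'
INFECTED_TASKS = CLEAN_TASKS + '"msblast.exe","1988","Console","0","1,120 K"\n'
CLEAN_RUN = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
"""
INFECTED_RUN = CLEAN_RUN + "    windows auto update    REG_SZ    msblast.exe\n"

def parse_tasklist_csv(text):
    """Image names from `tasklist /fo csv /nh` output, lower-cased."""
    return [row[0].lower() for row in csv.reader(io.StringIO(text)) if row]

def parse_reg_query(text):
    """Map value name -> data from `reg query <key>` output."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:  # the key header line is not indented, so it is skipped
            values[m.group("name")] = m.group("data").strip()
    return values

def blaster_traces(tasklist_text, run_key_text):
    """List the traces found; svchost.exe alone is never flagged."""
    findings = []
    if WORM_IMAGE in parse_tasklist_csv(tasklist_text):
        findings.append("process: " + WORM_IMAGE)
    for name, data in parse_reg_query(run_key_text).items():
        if name.lower() == RUN_VALUE or WORM_IMAGE in data.lower():
            findings.append("run key: %s=%s" % (name, data))
    return findings

if __name__ == "__main__":
    print(blaster_traces(CLEAN_TASKS, CLEAN_RUN))
    print(blaster_traces(INFECTED_TASKS, INFECTED_RUN))
```

An empty result only means these two traces are absent; it says nothing about whether the machine is patched.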

  2. #47
    lomas de chapultepec Recognized Member eestlinc's Avatar
    Join Date
    Jun 2000
    Location
    brooklyn
    Posts
    17,552
    Contributions
    • Former Cid's Knight

    your offending process is called SVCHOST.exe in your case.

    I found this lovely thing on my computer when I came home from vacation, so I got to spend the first couple hours at home fixing it.

  3. #48
    ORANGE Dr Unne's Avatar
    Join Date
    Dec 1999
    Posts
    7,394
    Articles
    1
    Contributions
    • Former Administrator
    • Former Developer
    • Former Tech Admin

    I think SVCHOST is just a normal Windows process that has to do with your internet connection. Could be wrong though.

    I don't know what else to try RSL. From everything I read, the virus shouldn't be starting at all without that registry key, since that's all it does to start itself. Maybe you have a different virus. Or maybe I'm just not reading the right things. Sorry.

  4. #49
    Dark Knights are Horny Garland's Avatar
    Join Date
    Jul 2001
    Location
    I'm in your temple, defiling it.
    Posts
    1,041

    Whenever all else fails, you always have your windows restore cd. It'll probably take less time than trying to hunt down the offending file.
    Knock yourselves down.

  5. #50
    Lumberjack Recognized Member RSL's Avatar

    Thanks for trying Unne

    Seems like I'm the only one having problems fixing this using the methods posted here

  6. #51
    ORANGE Dr Unne's Avatar

    Reinstalling Windows would work, yeah. If you could copy the patch to some safe location (a CD or disk), unplug your computer from your internet connection, reinstall Windows, install the patch from your disk, and plug in your internet cable again, that'd work for sure (pretty much, unless the virus infected the patch file you downloaded, who knows). But you'd also lose everything on your computer. Complete hard drive reformat is the only way to be sure you don't still have a virus hiding somewhere. It'd take longer, but it'd be 100% sure to work.

  7. #52
    lomas de chapultepec Recognized Member eestlinc's Avatar

    I don't know if you can do this in winXP, but when my win98 computer got very screwy, instead of reformatting, I booted into DOS and deleted my windows directory and then reinstalled windows. This leaves your programs mostly intact.

  8. #53
    ☆carrot☆ Linus's Avatar
    Join Date
    Sep 2000
    Location
    Unnistan
    Posts
    1,791

    SVCHost is a natural WinXP process.

    I haven't got the worm/virus/msblast.exe thing, and my process list shows at least 1 SVCHost.exe running like all the time.

  9. #54
    ORANGE Dr Unne's Avatar

    That works with XP too, eestlinc. I used to do it pretty often when I used Windows just because Windows degenerates naturally over time, but when you have a virus, you generally don't want to leave your programs intact. If something in c:\program files\ or c:\games\blah\ or whatever has the virus in it, your new Windows install will be instantly corrupted when you run that program. Not that all malicious programs do infect other files on your computer, but some do. Technically I think they call a program that infects another program a "virus" and a program that doesn't infect any other programs but just runs on its own a "worm", and blaster has been called a "worm" so I notice, but I don't know if that's what RSL even has. If I were you RSL I'd do a complete reformat, but that's just me. If I got any virus, ever, I'd do a complete reformat. Saves time and trouble in the long run.

  10. #55
    Lumberjack Recognized Member RSL's Avatar

    How tricky is a complete reformat? I've never done it before.

    At any rate, it'll have to wait until tomorrow as I don't want to be up all night messing around with this.

  11. #56
    lomas de chapultepec Recognized Member eestlinc's Avatar

    svchost is a normal program but it is somehow involved with the problem.

  12. #57
    pirate heartbreaker The Man's Avatar
    Join Date
    Mar 2002
    Location
    Sarasota, FL
    Posts
    10,946

    the worm probably screws with it or something

    at any rate, i just looked at my active processes and didn't find msblast, and i did a search of my hard drive and didn't find msblast.exe, so i guess i've escaped the problem thus far. fool's gold apparently hasn't, though, since one of our admins has mysteriously been renamed to "msblast.exe." hmm.

  13. #58
    ORANGE Dr Unne's Avatar

    RSL, it involves backing up ALL data you want to be saved, because it will all be gone. Then somehow booting to DOS, using a boot floppy perhaps, then typing format c:, and waiting for a while, which will leave you with NOTHING on your hard drive. Then booting from the Windows CD and installing Windows. Then reconfiguring all your hardware if you need to. Then reinstalling every program you ever installed. It sucks. But then again, so does Windows. Hope you find a better solution so you don't have to do that.

  14. #59
    Hypnotising you crono_logical's Avatar
    Join Date
    May 2001
    Location
    Back in Time
    Posts
    9,313
    Contributions
    • Former Administrator
    • Former Cid's Knight

    RSL: You're probably not infected then, since there are no traces of the worm on your PC. The reboot thing and the virus are separate issues that use the same Windows exploit. Random reboots do not imply the PC is infected, but being infected does imply the PC is unpatched, or was at the time of infection.

    As for why the patch will not install, I'm not sure. Are you using the correct one for your OS? Can't think of much else right now.

    Microsoft themselves admit that the firewall is a temporary solution to preventing getting infected and getting the reboot errors, just blocking the relevant port numbers is enough, but that doesn't fix the bug exploit in Windows itself.

  15. #60
    Newbie Administrator Loony BoB's Avatar
    Join Date
    Aug 2000
    Posts
    52,471
    Articles
    53
    Blog Entries
    19

    FFXIV Character

    Loony Bob (Twintania)

    Okay, not sure if this is of any use to anyone else, but it helped me...

    I downloaded the Symantec file. Ran through the instructions (i.e., deactivating System Restore, opening up command prompt, doing that weird chktrust -i fileblast thing or whatever and all that crap) and got those errors I was talking about. I checked what file it was stopping at when it got the error (by this time I was doing everything in Safe Mode, btw, following Symantec's instructions), and found it was inside my Temp folder. Funtime! I deleted every last one of my Temporary Internet Files until I narrowed myself down to only having one file remaining; this was under Temp - Content.IE5, in one of those many jumbled folders. I couldn't rename, delete, access properties or anything, but it was still there. I ended up trying something else - opened up command prompt, moved into that directory and ran <b>dir/w</b>, and found only that file. I ran <b>del *.*</b> and it was gone. After that problem, the scan ran smoothly.

    The scan took bloody ages, even after deleting all that crap. I can't find all the files that it's going through in my Local Settings folders at all, but after a few hours it finished its scan and had deleted one file from my computer. I then continued with Symantec's instructions and ran msconfig and removed Safe Mode, restarted and logged into my normal account, and at 6am this morning I started the scan again, as per instructions. The scan was still running when I left for work. Once I go back, I have to ensure that the patch is installed and then I have to reactivate System Restore.

    I'll let you know how I get on =P