Question

Blaster Worm not being cured by normal Microsoft solution or Symantec's FixBlast

Asked by: Bill_Pardoe

It seems that I have the W32.Blaster worm in that I get the message shortly after I have logged on to the Internet "svchost.exe has generated errors and will be closed by Windows". However, I follow the advice given by Symantec/Norton but find that the Microsoft fix does not work because I have upgraded to W2000 SP4. I assume that the fix is included in SP4.

I run FixBlast from Symantec but it does not find the worm.

I have Version 9.05.15 of Norton Antivirus and it is up-to-date.

I also noticed that Norton was detecting W32.Blaster.C.Worm and it auto deletes it, but when it found W32.Blaster.F.Worm it could not delete it.

Any help would be much appreciated.

This question has been solved and asker verified.

Asked on: 2004-02-19 at 04:56:07, ID 20890573
Topics: Miscellaneous Security, Consumer Firewalls
Participating Experts: 6
Points: 500
Comments: 13

Answers

 

by: sunray_2003, posted on 2004-02-19 at 04:56:58, ID: 10401893

Check to see if you have the windows update 824146 ..

 

by: rwb2, posted on 2004-02-19 at 06:08:36, ID: 10402523

Depending upon your OS you may need to disable system restore, apply MS patches, run Anti-Virus updates, then run removal program.  RWB

 

by: SunBow, posted on 2004-02-19 at 07:45:48, ID: 10403455

If you run a firewall as Microsoft recommends, then you will no longer be the subject of reinfections from any variant. Check out Sygate or ZoneAlarm, they are popular here.  I think the links from SunRay should validate well that the firewall is step #1, before dealing with the virus and the patch.

For the patch, make sure you have admin rights or you'll get the error. If you continue having trouble with MS patch, then remove (disable) RPC, the Remote Control process of the OS that seems more useful to malware than to users.

For removal, without checking any website, my recollection is that there is only a single file to this series, so all you have to do for any variant is identify the name and remove it from startup. Per Norton, the original strains did not restore, so they often left a few files of that name for garbage collection on some other day.

 

by: SunBow, posted on 2004-02-19 at 08:10:57, ID: 10403709



Because of the way the worm works, it may be difficult to connect to the Internet to obtain the patch, definitions, or removal tool before the worm shuts down the computer. There are at least two known ways to work around this, although neither solution works completely all the time.

If you run Windows XP, activating the Windows XP firewall may allow you to download and install the patch, obtain virus definitions, and run the removal tool. This action may also work with other firewalls, although this has not been confirmed.

In many cases, on both Windows 2000 and XP, changing the settings of the Remote Call Procedure (RPC) service may allow you to connect to the Internet without the computer shutting down.

Follow these steps:
a. Do one of the following:
    Windows 2000: Right-click the My Computer icon on the Windows desktop, and then click Manage.  The Computer Management window opens.
    Windows XP: Click the Start button, right-click the My Computer icon, click Manage. The Computer Management window opens.

b. In the left pane, double-click Services and Applications, and then select Services. A list of services appears.
c. In the right pane, locate the Remote Procedure Call (RPC) service.

   CAUTION: There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.

d. Right-click the Remote Procedure Call (RPC) service, and then click Properties.
e. Click the Recovery tab.
f. Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
g. Click Apply, and then click OK.

-----------------------------------------------------------------

3. Ending the Worm process

To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for Enbiei.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

-----------------------------------------------------------------

5. Reversing the changes made to the registry

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"www.hidro.4t.com"="enbiei.exe"

-----------------------------------------------------------------

Note: MS Windows Explorer is also a good search tool, so I use it to search for filenames such as that. It is much quicker than a virus scan. Whoever it is that was "enbiei" has now had their moment of fame, so go ahead and remove it.

 

by: chicagoan, posted on 2004-02-19 at 09:14:30, ID: 10404339

we got it sunbow! lol

From SOPHOS:

To remove W32/Blaster-F manually on Windows 95/98/Me and Windows NT/2000/XP:

1. Ensure you have installed Microsoft patch MS03-026.
2. Press Ctrl+Alt+Del.
3. In Windows NT/2000/XP click Task Manager and select the Processes tab.
4. Look for a process named enbiei.exe in the list.
5. Click the process to highlight it.
6. Click the 'End Process' (in Windows 95/98/Me 'End Task') button.
7. Close Task Manager.

Search for the file enbiei.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

1. At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

   Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.

2. Locate the HKEY_LOCAL_MACHINE entry:

   HKLM\Software\Microsoft\Windows\CurrentVersion\Run

   and remove any reference to any file you deleted.

3. Close the registry editor.

You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.
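
The manual cleanup that SunBow's Symantec excerpt and chicagoan's Sophos excerpt walk through by hand, as an added example script that is not part of this thread and not code from Symantec, Sophos or Microsoft. It assumes Windows PowerShell 5.1 or later run from an elevated prompt (none of this tooling existed on the Windows 2000 machines of 2004, so it illustrates the procedure rather than reproducing what the asker could type). The image name enbiei.exe, the Run value name www.hidro.4t.com and the system-folder location are the indicators quoted in the posts above, taken as given rather than independently verified.

```powershell
# Added example, not from the thread: a defender's script for the W32.Blaster.F
# cleanup described step by step in the posts above.
# Assumptions: Windows PowerShell 5.1+, elevated; indicator values are the ones
# quoted in the thread (enbiei.exe, Run value "www.hidro.4t.com").

$WormImage = 'enbiei.exe'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'www.hidro.4t.com'
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Set-RpcRecoveryRestart {
    # Steps a-g: make the RPC service restart itself on first, second and
    # subsequent failures so the box stays usable long enough to patch.
    # RpcSs is "Remote Procedure Call (RPC)"; RpcLocator is the Locator service
    # the CAUTION in the thread says to leave alone.
    & sc.exe failure RpcSs reset= 0 actions= restart/60000/restart/60000/restart/60000 | Out-Null
    & sc.exe qfailure RpcSs          # print the recovery settings back for the record
}

function Stop-WormProcess {
    # "Ending the Worm process": the Task Manager step, done from the shell.
    $name  = [IO.Path]::GetFileNameWithoutExtension($WormImage)
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Host "No running process named $WormImage"; return $false }
    $procs | ForEach-Object { Write-Host "Stopping PID $($_.Id) ($($_.Path))" }
    $procs | Stop-Process -Force
    return $true
}

function Remove-WormAutorun {
    # "Reversing the changes made to the registry": delete only the Run value
    # that launches the worm (matched by name, or by data naming the image) and
    # leave every other autorun entry untouched. Returns the names removed.
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    $removed = @()
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }   # provider metadata, not registry values
        $hit = ($p.Name -eq $RunValue) -or ("$($p.Value)" -match [regex]::Escape($WormImage))
        if ($hit) {
            Write-Host "Removing autorun value '$($p.Name)' = '$($p.Value)'"
            Remove-ItemProperty -Path $RunKey -Name $p.Name
            $removed += $p.Name
        }
    }
    return $removed
}

function Find-WormFile {
    # Sophos step: the dropped file sits in the Windows system folder. Hash it
    # before deleting so an artefact survives for the incident record.
    foreach ($dir in @("$env:SystemRoot\System32", $env:SystemRoot)) {
        $path = Join-Path $dir $WormImage
        if (Test-Path -LiteralPath $path) {
            Get-FileHash -Algorithm SHA256 -LiteralPath $path | Select-Object Path, Hash
        }
    }
}

# Order matters: a running image cannot be deleted, so stop the process first,
# then remove the autorun, then the file. Reboot and run again to confirm
# nothing has come back, as the Sophos text advises.
Set-RpcRecoveryRestart
$null = Stop-WormProcess
$null = Remove-WormAutorun
Find-WormFile | ForEach-Object {
    Write-Host "Worm file present: $($_.Path) sha256=$($_.Hash)"
    Remove-Item -LiteralPath $_.Path -Force
}
```

Remove-WormAutorun deliberately matches on the value data as well as the quoted value name, because a variant can keep the same dropped file under a different Run entry; everything else under the Run key is left alone so a legitimate autorun is never removed by accident.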

 

by: SunBow, posted on 2004-02-19 at 14:39:50, ID: 10407442

(footer: I've had trouble all day getting the server access, and those comments to 'take')

 

by: Joseph_Moore, posted on 2004-02-19 at 21:51:09, ID: 10409817

Just to add a comment to this, Bill_Pardoe, you said in your post that "I have upgraded to W2000 SP4. I assume that the fix is included in SP4"
Surprise! The patch that prevents the DCOM/RPC exploit that Blaster uses (Security Update MS03-039) is a POST SP4 patch. It came out AFTER SP4 for Win2K did. It will be included in SP5, but that is not out.
So, even with SP4 on, you still need to get and apply the patch. Go with the links sunray included to get the patch.
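
A check for the two points Joseph_Moore's and SunBow's posts make, as an added example that is not from this thread: a service-pack level says nothing about whether the post-SP4 Blaster fix is installed, and the host firewall should be on before the machine goes back online. It assumes Windows PowerShell 5.1 or later with the NetSecurity and NetTCPIP modules (Windows 8/2012 onwards). KB824146 is the update number sunray_2003 cites and MS03-039 the bulletin Joseph_Moore cites, both taken from the thread; on current Windows that fix is part of the OS and will not appear in the hotfix inventory, so the patch check is meaningful for the Windows 2000/XP generation the thread is about.

```powershell
# Added example, not from the thread: report service-pack level and the MS03-039
# hotfix as separate facts, then the firewall/RPC exposure state.
# Assumptions: Windows PowerShell 5.1+, NetSecurity and NetTCPIP modules present;
# KB824146 / MS03-039 are the identifiers quoted in the thread.

$BlasterPatchKB = 'KB824146'   # MS03-039 security update, as cited in the thread

function Get-BlasterPatchState {
    # "I'm on SP4" and "KB824146 is installed" reported side by side, so the
    # assumption the asker made is visible as an assumption.
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)
    [pscustomobject]@{
        OS             = $os.Caption
        Version        = $os.Version
        ServicePack    = $os.ServicePackMajorVersion
        BlasterPatched = $installed -contains $BlasterPatchKB
    }
}

function Get-RpcExposure {
    # SunBow's "firewall is step #1": which host firewall profiles are enabled,
    # and whether the RPC endpoint mapper (TCP 135) is listening and on which addresses.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled
    $epm = @(Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        FirewallProfiles = ($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
        Port135Listening = $epm.Count -gt 0
        ListeningOn      = ($epm | Select-Object -ExpandProperty LocalAddress -Unique) -join ', '
    }
}

$patch = Get-BlasterPatchState
$patch
if (-not $patch.BlasterPatched) {
    Write-Warning "Service pack $($patch.ServicePack) on its own does not include MS03-039; install $BlasterPatchKB before going back online."
}

$exposure = Get-RpcExposure
$exposure
if ($exposure.Port135Listening -and $exposure.FirewallProfiles -match 'False') {
    Write-Warning "RPC endpoint mapper is listening and at least one firewall profile is off."
}
```

The firewall check reads each profile's Enabled flag rather than a single global switch, because a machine can have the Domain profile on and the Public profile off; that is the case SunBow's advice is aimed at.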

 

by: SunBow, posted on 2004-02-20 at 14:41:23, ID: 10416711

I agree. I hadn't enough caffeine to remember well, thought I'd leave that to others, since it sounded recent. What I recall is that the patch would work on SP-3 and SP-4, but was at least at first unreliable on SP-2. Probably unreliable for some other configurations as well. I remember it was also superseded, so you'd best get the most recent one, due to all the other exploits.

I believe though, that after this much time it was included in a roll-up of patches.  In any case, if you want to connect to internet, do please upgrade to install patches to all of the weekly vulnerabilities, we are getting real tired of people not doing this and hitting us with increasing maladies - so much that some businesses (I was in one) can and will unplug you from internet, even if you are in a major company.  That kind of power no longer helps. If you (anyone) are identified as contributing to the RPC malware traffic, you may find that traffic censored, as well as any other traffic you attempt, including eMail, etc.

I just visited Symantec site, and while it lists version F as a minor problem, it still calls the original a MAJOR threat, beware.

 

by: clw56, posted on 2004-02-20 at 19:47:17, ID: 10417898

A handy little helpful hint when dealing with the shutdown that Blaster causes: go to Run, type in shutdown -a (this will abort the shutdown). Go ahead and remove worm as above, and install the patch.
Then restart, and update the AV, and run a scan of the whole computer.
