Re: How do I recover?

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 08/12/03 

Date: Tue, 12 Aug 2003 12:08:39 -0700
To: Omer Hayden <orhayden@fedex.com>

Hi folks,

FIRST THINGS FIRST...I know you don't have a lot of time
before your RPC window pops up and shuts you down, but
because you will be disconnecting from the internet for
part of this procedure, read this fast and REMEMBER!

1) UNPLUG YOUR MODEM. This should allow you free time
to make some changes to your computer.

2) When you are not connected to the internet, go
to "Control Panel," "Performance and
Maintenance," "Administrative Tools," open "Services,"
right click on "Remote Procedure Call,"
click "Properties," click the "Recovery" tab, at "First
Failure," "Second Failure," and "Subsequent Failures,"
select "Take No Action."

3) Turn on your modem and reconnect to the internet.

4) You've probably run out of time reading this before
your computer has rebooted, so get back to this message
and read from step 5 on. At this stage, you are still
infected with the msblast virus, but your computer will
not reboot on you.

5) This virus is very clever and has disabled several
buttons on the web and on your computer that would
otherwise allow you to disable it, so you've got to go
around the back door.

6) From support.microsoft.com, download:
 WindowsXP-KB823980-x86-ENU.exe
(this is for XP; there is a Windows 2000 version
also...try a search on the Microsoft Support
website...plugging in this file name should bring you to
the same page as the security patches for the other
Windows versions).

7) Download and install.

8) Reboot.

9) Now you should be able to have a little more
functionality in your computer. If you havent' done so
already, enable your firewall:
"Control Panel," then "Network and Internet Connections,"
then "Network Connections," right click on your active
internet connection, select "Properties," click on
the "Advanced" tab, and check the box enabling firewall
protection.

10) Now let's kill the virus. Go to:
  http://housecall.trendmicro.com/housecall/start_corp.asp
It's a free antivirus detection and cleanup program.

11) Run the program (this takes a long time). The
program should detect the msblast virus; it states that
it is non-cleanable. Click the "delete" button to delete
the virus.

12) To be sure, run the Search program from your Start
menu. Search for "msblast.exe" Include all hidden files
and folders in your search. If you have been successful,
no files will appear.

13) Congratulations! You're cured! Now download all the
security patches and updates that Microsoft bugs you
about everytime you boot your computer...I have been
ignoring it for months and this is what happened.

(Hey Mr. Gates, you can pay me by cash, check, or charge
for consulting services offerred. You're welcome.)

Let me know how it works out for you! Good luck!

Paul
(A Graduate Student who managed to figure it out without
spending ridiculous money on tech support fees...this
goes out to my peeps)

Omer Hayden wrote:

> I got the worm yesterday. It was causing my machine to
> shut down about 5 minutes after startup. I went to the MS
> site and downloaded Service Pack 1 for my windows xp. In
> the middle of installing the patch I got the countdown
> warning and the system shut down again before the install
> was complete. Now my computer turns on for 10 to 15
> seconds, starts the start up routine, shuts off and begins
> again.
> My question is: How do I recover from this? 

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your
patches. Demand better security from vendors and hold them
responsible. Use what you have, and make sure you know how
to use it properly and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt