Mass Hack
mummymonkey
11th August 2003, 03:56 PM
Looks like someone is trying a mass hack tonight via the RPC service vulnerability. Make sure you're all patched up!
The patch is here (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp)
bignickel
11th August 2003, 05:34 PM
My machine just got attacked.
You'd think I would have d/led that patch already, wouldn't you? But no...
Torment
11th August 2003, 09:41 PM
I got hit by it a week ago. The amount of people getting hit seems to have drastically increased since then. In one forum I go to over 20 people have gotten it, and we have maybe 60 active members.
The stuff you get infected with is easy enough to get rid of though, at least once you know the basics of virus removal and have a good AV.
Wolverine
11th August 2003, 10:31 PM
More info. (http://vil.nai.com/vil/content/v_100547.htm)
Wolverine
11th August 2003, 10:35 PM
... and more... (http://reuters.com/newsArticle.jhtml?type=technologyNews&storyID=3259106)
Luke T.
12th August 2003, 12:30 AM
Do not download this patch. It has totally screwed up my computer.
Luke T.
12th August 2003, 12:35 AM
I hope this gets through. I have two accounts on my computer. The account I used to download and run the patch is no longer allowing me access to the outside world in any way. And on the other account I am using right now, it has a system shutdown message which only allows me to use the computer for one minute. I am typing fast as I can.
This system is shutting down. Please save all work in progress and log off. This shutdown was initiated by NT authority/system
Luke T.
12th August 2003, 12:39 AM
Computer reboots all by itself. I log back on, and I get a one minute warning it is going to reboot again.
And yes, I have restored my computer to a point prior to patch. I tried three restore points, all the way back to two weeks ago.
Windows XP.
Here I go, rebooting itself again. MOTHERF***ER!!!!!
mummymonkey
12th August 2003, 01:46 AM
Luke T.
See Wolverine's info. Looks like you got blasted.
Wolverine
12th August 2003, 01:54 AM
Originally posted by Luke T.
This system is shutting down. Please save all work in progress and log off. This shutdown was initiated by NT authority/system
This sounds like the worm, not any problem caused by installing the patch. :eek:
Go to start/run and type in msconfig then click ok
Click the Startup tab
If you see anything that says msblast.exe (there are possibly other aliases also), chances are you're infected with this critter.
Wolverine
12th August 2003, 01:59 AM
Symantec has additional info and a removal tool (and additional removal instructions) now posted on this page. (http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html)
davidhorman
12th August 2003, 02:56 AM
I read once that it's very difficult to block your RPC port unless you have firewall software, but I found an easy way (if you know enough to do it). If you have Internet Connection Sharing on the computer that's connected to the Internet (you can enable it just to do this if you want), you can use the Advanced settings to forward port 113 to a non-existent address.
David
Jon_in_london
12th August 2003, 07:56 AM
Originally posted by Luke T.
Computer reboots all by itself. I log back on, and I get a one minute warning it is going to reboot again.
And yes, I have restored my computer to a point prior to patch. I tried three restore points, all the way back to two weeks ago.
Windows XP.
Here I go, rebooting itself again. MOTHERF*CKER!!!!!
Luke, sounds like you have the patch but the msblast is still on your system.
Delete/stop running msblast then install patch.
peptoabysmal
12th August 2003, 10:08 AM
Originally posted by Luke T.
Computer reboots all by itself. I log back on, and I get a one minute warning it is going to reboot again.
And yes, I have restored my computer to a point prior to patch. I tried three restore points, all the way back to two weeks ago.
Windows XP.
Here I go, rebooting itself again. MOTHERFU*KER!!!!!
I had the same thing happen on Win XP. I went into the network control panel and enabled the firewall protection from the Advanced tab, that seemed to stop it. Either I just got lucky, or this hack relies on a remote proc call sent from outside and the firewall blocks it.
Bluegill
12th August 2003, 01:07 PM
Originally posted by Luke T.
I hope this gets through. I have two accounts on my computer. The account I used to download and run the patch is no longer allowing me access to the outside world in any way. And on the other account I am using right now, it has a system shutdown message which only allows me to use the computer for one minute. I am typing fast as I can.
This system is shutting down. Please save all work in progress and log off. This shutdown was initiated by NT authority/system
My wife was on the computer last night when she suddenly started getting this warning and getting kicked off. I guess now I know why. I guess I know what I'll be messing around with when I get home from work today. Bastards.
bignickel
12th August 2003, 01:18 PM
Hey Bluegill! I caught Heide Howe last night here in St. Louis coffeehaus. Louisville's own.
She rocks! Well, she folks anyway...
Bluegill
12th August 2003, 03:20 PM
Originally posted by bignickel
Hey Bluegill! I caught Heide Howe last night here in St. Louis coffeehaus. Louisville's own.
She rocks! Well, she folks anyway...
Howdy! Heidi Howe (heh heh) hired my sister-in-law (I ran out of H-words, darn it) to film some of her concerts, but I've never seen her. She gets pretty good press. I suppose I should try to see one of her shows.
So I guess you and I practically know one another [waves];)
Luke T.
13th August 2003, 12:16 AM
Getting rid of the virus has proven more difficult than I thought. I also think it is too strange a coincidence that it didn't kick in until the moment I tried to get the patch from Microsoft to work.
I still can't get the patch to work. But I got the virus remover that Wolverine linked from Symantec to work.
But that didn't work right away. I had files on my computer that were unrelated to the virus which were corrupted and would not delete. This caused the virus remover to halt and quit when it came across them.
I finally had to go into DOS and manually delete them, then I got the virus remover to finally work.
The Microsoft patch still won't run.
If I were to get my hands on the hacker who wrote this virus, I would turn Islamic for a few minutes and break his face, pull off his ears, cut out his tongue, break his knees, and cut off his hands one finger at a time. With a dull, rusty butter knife and no anesthesia.
Let him try and write code as a deaf, dumb, fingerless cripple.
mummymonkey
13th August 2003, 01:22 AM
Luke T.
Rename the catroot2 file in windows\system32 then try again.
Luke T.
13th August 2003, 09:55 PM
Originally posted by mummymonkey
Luke T.
Rename the catroot2 file in windows\system32 then try again.
huh?
De_Bunk
17th August 2003, 08:13 AM
And before you do anything...
Turn off system restore... (That's if you got it on in the first place)
DB
max
20th August 2003, 06:05 AM
Go to Desktop and click on F3. If infected, there will be two files, one a jvs, the other exe. To get rid of them, go to www.bigblackglasses.com; they have a script to download to clean up the desktop. Then go to www.microsoft.com and download the patch. Use the one referring to RPC. Run the patch, then shut down and restart the computer.
© 2001-2009, James Randi Educational Foundation. All Rights Reserved.