
Thread: blaster worm

  1. #1
    Lounger
    Join Date
    Feb 2003
    Location
    Minneapolis, Minnesota, USA
    Posts
    26
    Thanks
    0
    Thanked 0 Times in 0 Posts

    blaster worm

    One of the W2k machines on my home network has the blaster worm. I have been to both Symantec and Microsoft sites to learn how to fix it and downloaded the patch from MS and the fix executable from Sym. However, my machine will not boot at all. I went into bios to make sure it said to boot from the "a" drive first and inserted a Windows 95 boot disk. The system ignores it, tries to boot W2000 and just before it opens the OS, it restarts. Any ideas?

  2. #2
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    If you REALLY wish to boot into your existing configuration, have you tried pressing F8 - to see if you can boot into safe mode?

    Presumably, you HAVE disconnected it from all other machines.

    I would recommend reinstalling Windows 2000, performing an incremental back up of the data since your last backup - on a separate disk - and then formatting the hard drive. Then doing a completely clean reinstall.

    HTH
    Gre

  3. #3
    Lounger
    Join Date
    Feb 2003
    Location
    Minneapolis, Minnesota, USA
    Posts
    26
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    I have tried F8 and I select safe mode, but it still reboots before the OS starts. I have disconnected the pc from my network and internet. I would like to know how I could back up the data if I cannot even get to a command prompt? I cannot boot from a diskette, because the system bypasses it (and yes, I set bios to boot from floppy).

    However, your email makes me think I could try to get into command mode from F8. Since I have W2000 installed with NTFS file system, dos commands are unlikely to do any good, but maybe if I can get to a C or A prompt, I can run the fix. I will also see if I can boot using a bootable CD. And then I'll write in case one of these things work.

    Lisa

  4. #4
    Lounger
    Join Date
    Feb 2003
    Location
    Minneapolis, Minnesota, USA
    Posts
    26
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    I tried using a W2000 boot CD, but it didn't work. In bios, I have a 5 1/4" floppy assigned to drive b. I disabled that. I put W98 bootable CD into the SCSI CD-ROM drive and told bios to boot to SCSI first. I got the following messages:
    A bootable CD-ROM is detected in your CD-ROM drive.
    The boot secions on your bootable CD-ROM are:
    0. Default Entry.
    Your CD-ROM drive is inserted as drive A: (Oh). The original drive A: has become drive B:
    Startup continues until it gets to "Verifying DMI Pool Data" and then it hangs.

    So I set bios to boot from CD-ROM, A, C. I insert the W98 boot CD in the ide CD-ROM drive and W95 boot disk in drive A.
    The system goes through the start up of W98, then says there are no operating system files and gives me an A: prompt.
    I type dir.
    I get a directory that is similar to a Win95 boot disk, but not. It starts with all kinds of ASPI stuff. So I put in diskette with fixblast.exe and I get "bad command or filename." So I add fixblast to the W95 boot up disk and run it but get the same. Clearly it's not really reading drive A.
    If I try to switch to drive B, it says "not ready reading drive b" then abort,retry,fail.
    When I hit abort, it says "current drive is no longer valid" and I have to restart.
    I continue to boot from this CD and alternately select "Use CD to start Win98, Use CD to start windows, Start windows without CD." It always leads me to an A prompt. Only trying to switch to drive B causes above restart. The only other switch letter that works is D, but then if you type dir or any other command, it says it can't read from the drive.

    So, in drive "A" it has a few commands available - fdisk, and extract. (it won't accept "edit" or "format"). fdisk appears to be normal, but I wasn't ready to remove the partition yet. However, it does recognize that there is a 20GB NTFS partition on the system.
    The only extractable file is ebd.cab, so I extract it (it won't allow me to put in a destination drive, so I don't know where it extracts to). However, it shows that it has extracted 12 files, including edit, format, debug and scandisk. I try to run one of these but they don't work. If I do dir, I'm back to the original directory, so I can only read the 12 files after extracting them. So I try a directory switch to every variable of ebd.cab that seems reasonable, but it says there's no such directory.

    I'm a little out of my depth in using DOS commands (I used to, but it's been a long time). Anybody have any more ideas?

    Lisa

  5. #5
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    Before we go into more detail, can we have a little bit more perspective:

      • It appears that the machine is Win2K with one NTFS partition. Is this correct?
      • Is there enough free space on your hard drive to install a very small version of W9x?
          • If no, you will have to resize your existing NTFS partition - to give yourself enough room to attempt installing another OS. There are not too many NTFS tools available but there is a "general" list here as well as searching Google.
          • If yes - which seems unlikely from your report - then you should install W9x there; subsequently using that as a basis for reinstalling Win2K. The A drive is not recognising your OS because it is on an NTFS partition. Have you not tried navigating to the setup.exe and running that? A W98 boot disk gives you an "extra" drive so D becomes E. It can be necessary to use a number of "CD" commands to get to the right directory. (If you can't remember, SETUP will tell the setup.exe to run.)
      • How long has it been since you backed up the data on this machine?
      • BTW do you mean ASCII by "ASPI"?

    HTH
    Gre

  6. #6
    Lounger
    Join Date
    Feb 2003
    Location
    Minneapolis, Minnesota, USA
    Posts
    26
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    HTH,
    Hi, and thanks for your response.
    RE: the machine is Win2K with one NTFS partition. Is this correct? Yes
    RE: enough free space on your hard drive to install a very small version of W9x? Yes, but I thought that it would not be possible to add a partition to an existing drive without losing the data on the drive.
    RE: Have you not tried navigating to the setup.exe? I cannot navigate anywhere except by using the commands the worm has made available to me which are limited. The only other drive the machine will allow me to switch to is D, but then it will not actually read d. The A prompt is not even reading what is actually on drive A or any other drive for that matter. CD commands don't work either.
    RE: How long has it been since you backed up the data on this machine? This machine does not contain any of my personal data. I set it up for my roommates to use so they could get on the internet, do whatever computing they want without having to ask to use my computer. So it is their data that would be lost. I doubt if either of them back anything up. They are not computer savvy. They probably have little stored on the machine, but it was for their sake that I was attempting to recover it.
    RE: BTW do you mean ASCII by "ASPI"? No, it is ASPI. I have a scsi card attached to the computer, which might be why it lists those things in the A prompt. However, it is my impression that what comes up at A prompt are simply things the creator of the worm put there to frustrate people. Whenever I get somewhere with any command, ultimately I will get slightly mocking error messages which are unlikely to have been created by Microsoft (unless they've given up on political correctness).

    At this point, I am going to clean the drive and start over. On my network, the two workstations (PC and laptop) have the patch and also have had the "fix" run on them (plus everything available from Symantec since I use Norton anti-virus, systemworks and firewall), so I think they're safe from infection. I don't know about the server, however. It is W2000 server with the built-in firewall. I may first go to Symantec and purchase some other protection for it, but the worm never infected that machine in the first place. Maybe it isn't vulnerable. I don't know. There's not much running on it. I'm essentially using it as a router and a host for my website. Since it was my son who helped me a lot in setting it up (he is more savvy with network administration), I don't feel I can make educated decisions about its vulnerability and he is currently out of town.

    Anyway, my idea was, if everything seems safe, I would disconnect the hard drive from the machine in question, plug it into my ide port (removing the 80 GB drive that holds all my data - the OS runs on a 20GB) and then from Windows, format it since it should show up as a secondary drive. Do you think this is too risky?

    Lisa

    BTW, a clever relative of mine has created "Goetzinger's Observation" which is "Before you can do anything, you first have to do something else."

  7. #7
    Gold Lounger
    Join Date
    Feb 2003
    Location
    Wardrobe Malfunction Junction, Derry
    Posts
    2,953
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    Lisa--

    If you take a look at these links, you can easily blast blaster off. But first you have to stop your computer from shutting down and restarting so you can go get the tools--hard to do when it keeps restarting and counting down to the boot screens.

    Here's How to Keep Your Computer from Restarting:

    Go to the dos prompt by putting "cmd" or "command" in the run box you hit with the Windows and "r" key combo:

    Type this one word command:

    "shutdown -a" Lose the quotes; space after shutdown, and hyphen before a--that'll keep you up in Windows which is always a helpful thing.


    In addition to the helpful suggestions above, see Lounge XP Thread XP:Stop Blaster Countdown/Remove Blaster Tools 10 Comprehensive Links 16 August 2003.

    The main thing I have seen on friends' computers I have fixed, many of whom were away during July 16 when MS implored people to put on the critical buffer overrun patch, is that their computer is restarting before they can go to the ubiquitous sites that have blaster removal tools.

    hth,

    SMBP

  8. #8
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    Lisa, HTH = "Hope This Helps"!!!!!

      • Since you report that the data is not significantly valuable, it may very well not be worth the candle of exploring any further but:
          • You should definitely be able to add another partition. You wouldn't be disturbing the existing partition in the slightest.
          • There may be mileage to be found by detaching the SCSI drive and seeing where you get to on A from there.
      • If the machine still responds to FDISK, I would suggest your safest bet would be to delete the partition and try to do a completely clean install without moving the hardware anywhere else. If your CD is not bootable, you can still use the utility in the BOOTDISK subfolder to set up 4 standard floppies.
      • Good luck!

    "Clever" is a word that makes me nervous, but I definitely like your friend's outlook. There's also the old adage of: "Don't forget to pack your parachute!"
    Gre

  9. #9
    Gold Lounger
    Join Date
    Feb 2003
    Location
    Wardrobe Malfunction Junction, Derry
    Posts
    2,953
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    Lisa--

    Hold on. Don't wipe your drive clean if you haven't already--you sure don't need to do that. I respect and appreciate all I just read on this thread, but your original problem was the MSBlaster.exe worm.

    I just waded through this thread. If you follow the simple directions to keep your computer from shutting down, you don't need all that stuff on the thread with respect due everyone and you don't need to know how to use dos and you don't need to use the 3 lifelines extended in the F8 so-called Windows Advanced Options Screen which if you ever need to use it I explained in detail on this thread F8 and the Windows Advanced Options Screen 3 Lifelines--System Restore, Last Known Good, and the Recovery Console.

    What is Discussed You Don't Need to Touch to Remove Blaster from The Machine that would take hours of your time and lose your data possibly wow!

    1) F8 and the Windows Advanced Options Screen---don't need it.
    2) Safe Mode with a Command Prompt--Excellent idea when you can't boot but you don't need it in the Remove Blaster situation here.
    3) Boot CD's of any shape, or stripe--don't need 'em for this task.
    4) Tweaking the bios. You don't need to go there for this.
    5) Dos Commands--Fun; terribly useful and Bill's Basis for Starting Microsoft and Windows, and full of legendary history, but you don't need them here.
    6) NTFS partition backdrop--not needed for this.
    7) Reinstalling Windows to fix MSblaster.exe problems--thankfully not needed.
    8) ASCII--interesting but not needed.
    9) Reconfiguring your partitions--great discussions on doing this by Wylly Wylly and others but not needed here.
    10) Wiping and Loading to fix blaster problem--not necessary.

    Please just follow the links I provided and you can stop the restart and fix blaster. Then you have time to contemplate how you want to configure your NTFS partitions with some great help on the lounge and some great past threads on the Windows XP and this section that will help you.

    SMBP

  10. #10
    Lounger
    Join Date
    Feb 2003
    Location
    Minneapolis, Minnesota, USA
    Posts
    26
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    Nice idea, but I never get to windows before it restarts. I also cannot get a "real" command prompt.

  11. #11
    Lounger
    Join Date
    Feb 2003
    Location
    Minneapolis, Minnesota, USA
    Posts
    26
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    SMBP,
    I went to all of your links and none of them has any advice on how to remove the worm without the ability to get into Windows. I did follow some links from your links and still no business, but I left a message on another forum. If you hear of anything, please let me know.
    Thanks.
    Lisa

  12. #12
    Lounger
    Join Date
    Feb 2003
    Location
    Minneapolis, Minnesota, USA
    Posts
    26
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    Thanks.
    I'll try removing the scsi and see what happens and, if it doesn't work, I'll delete the partition. I'm worried about that "fdisk" command though because I don't know from whence it comes. I'm not reading it from any of my drives so maybe it's a trick of the worm. However, I have little to lose at this point. I'll let you know what happens.
    Thanks again.

  13. #13
    Gold Lounger
    Join Date
    Feb 2003
    Location
    Wardrobe Malfunction Junction, Derry
    Posts
    2,953
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    Lisa--Sorry--

    I didn't know if you were in Windows, but now that I know you need to get there, your best bet is probably far and away what you mentioned--to use Safe Mode With A Command Prompt. Tap F8 and choose Safe Mode with a Command Prompt if it will let you then follow the directions in the links in this thread in Posts 284723 and 284948 and the links in Post 284537 this thread.

    Are you able to tap F8, and select Safe Mode With a Command Prompt? I don't know what you mean by "real command prompt"--Lisa. What do you get when you tap F8--do you get the black and white screen shown in the links in the threads above that has an option for Safe Mode, Safe Mode With Command Prompt, Last Known Good Configuration. LNG would be a second choice as a life raft to Windows to Safe Mode with a Command Prompt.

    Those would be my two something else's right now in "Goetzinger's Observation."

    Ed-Added SMBP : What I was hoping was to get into Safe Mode with a Command Prompt via F8 and then to hold it there with "shutdown -a" and then to run the system restore command just to get back into Windows. Then once in Windows, I'll be glad to link you the tools to get rid of blaster. The links are already there for you on the other threads. With a number of worms, formatting doesn't always rid you of them--even with special tools.

    SMBP

  14. #14
    Lounger
    Join Date
    Feb 2003
    Location
    Minneapolis, Minnesota, USA
    Posts
    26
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    When I F8, I do get the option screen for safe mode, etc. If I choose the command prompt option, I get a step by step of what is loading (on the black and white screen), but before entering safe mode or a command prompt, it reboots.

    I have not yet tried Last Known Good Configuration because in the past, it always led me into a computer hell from whence my only return was formatting the drive.

    What I mean by not a "real command prompt" is that the only way I can get any command prompt at all is when I use the W98 bootable CD. Then, it begins W98, then says there's no OS data on the CD and ends in an A prompt that I would call not a real prompt because the files it lists when I type "dir" are not files that are on my C drive, CD-ROM, or any floppy I pop into the A drive. It only allows 2 commands - fdisk and extract and you can read above to see what that does.

    Still in a quandary, but grateful for any ideas!
    Lisa

  15. #15
    Gold Lounger
    Join Date
    Feb 2003
    Location
    Wardrobe Malfunction Junction, Derry
    Posts
    2,953
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: blaster worm

    Lisa--

    Thanks for the quick followup. It seems that you get well on your way to Safe Mode but that you can't reach Safe Mode with a Command Prompt because you're being aborted and rebooted by the worm before you get up there. The step by step of what is loading always happens normally. That's a prelude to reaching safe mode, and unfortunately you're not being allowed to. And I understand what you're seeing on the 98 CD--and you described it exactly right--it's not a real command prompt. The "dir" command usually displays files and folders in a directory.

    I read and reread your posts and unkumunka's and now I understand where you are headed. I only wish I knew of a way to use tools to deal with Blaster from outside Windows--that is impossible I'm afraid.

    Last Known Good--shouldn't lead to hell-- it often leads to just not working-- the problem has always been it won't work much of the time, and that you lose configuration changes you made since the last start--I know, not a major problem for you in the context of getting to Windows now.

    I don't think there is anything you can do with the Recovery Console, but I wonder if it's possible having done it a few times, but not in the face of MSBlaster.exe--to boot from your 2000 CD and do a parallel install to have a stable windows system from which to go after Blaster. I'm seeing that you indicate you don't have much to lose in the way of data--I always feel the pressure to save it for someone.

    Now that I understand you just can't get into Safe Mode, I appreciate what unkamunka is trying to get done with you.

    You may want to check out Parallel Installs at these sites:
    www.windowsreinstall.com
    266465: HOW TO: Perform a Parallel Installation of Windows 2000


    Once you do get an installation back, I'd do a search for MS Blaster.exe, then follow all the directions from
    PSS Security Response
    MS Security Technet's Blaster Response Page
    Symantec's Blaster Info or any antivirus site you want in sync with what you use.
    Any info from these 3 Windows experts that is appropriate: Response to Blaster from Kelly Theriot; Doug Knox; Mike Kolitz

    Thanks for the good detailed update. Look forward to seeing what happens.

    SMBP
