Here are the steps I recommend for removing the MSBLASTER worm. This worm does not affect Windows 95, 98, or ME. It only affects Windows versions in the NT family, such as Windows 2000, Windows XP, and Windows Server 2003.
Print out these instructions NOW. Due to the virus, you may not be able to keep your computer booted or stay online. Click on your browser’s Print icon before reading the next line, please. Bookmark this page so you can return quickly if you are thrown off.
The currently identified virus filenames are:
- MSBLAST.EXE (for variant A)
- PENIS32.EXE (for variant B)
- TEEKIDS.EXE (for variant C)
- MSPATCH.EXE (for variant D)
- MSLAUGH.EXE (for variant E)
- ENBIEI.EXE (for variant F)
Optional but recommended: Disconnect from the Internet. If you are on a network, disconnect from the network. This removes various risks both to your computer and to other computers.
REMOVING THE WORM (Variants A, B & C)
- If your Windows 2000 or XP computer is rebooting too often to take the steps below, change the following defaults. Click Start | Run, and type SERVICES.MSC. At right, right-click on Remote Procedure Call (RPC) (but not on the similar Remote Procedure Call Locator) and select “Properties.” On the Recovery tab, set the First Failure, Second Failure, and Subsequent Failure boxes to “Restart the Service.” Click “Apply” after each of them, and “OK” when finished.
- Disable the running virus: Press Ctrl+Alt+Del and click “Task Manager.” Select the “Processes” tab. Click the top of the “Image Name” column to sort the column. Find and select the virus file, then click “End Process.”
- If the process won’t end, see Note 1 below.
- If Task Manager won’t open, see Note 2 below.
- If you found MSPATCH.EXE, then you have variant D and need to take a further step. Click Start | Search | For Files & Folders (or press Win+F). Search your C: drive for DLLHOST.EXE. DLLHOST.EXE is a normal Windows file, so don’t just jump in and delete it! Right-click on the file and select Properties. The normal size of this file in Windows is 5 KB or 6 KB. If the virus has infected it, the size will be about 10,240 KB. If this is what you find, jump to Finish Removing the Worm (Variant D) below.
- Delete the virus itself: Click Start | Search | For Files & Folders (or press Win+F). Search the entire hard drive for the known virus file names. When the search is complete, delete all copies found.
- Remove the Registry entry that allows it to run: Launch the Registry Editor. (If you don’t know how to do this, get help.) Find the following key:
In the right pane, delete any of the following that may be present. (The entry you find will correspond to the version(s) of the worm that infected your system):
- "windows auto update"="msblast.exe"
- "windows auto update"="penis32.exe"
- "Microsoft Inet Xp.."="teekids.exe"
- "Nonton Antivirus"="mspatch.exe"
- "windows automation"="mslaugh.exe"
- Reboot the computer. The virus has been removed. Emergency measures are complete. Steps 7 and 8 below protect against contracting it again.
IMPORTANT NOTE: MS-MVP Kelly Theriot has a script to automate the above processes. You may wish to download it from http://www.kellys-korner-xp.com/regs_edits/msblast.vbs. (Credit for this goes to MVPs Kelly Theriot, Doug Knox, Bill James, and Mike Kolitz.) It will be especially useful if you are uncomfortable manually editing the Registry and have no one to walk you through it.
FINISH REMOVING THE WORM (Variant D)
- Disable services: Click Start | Run (or press Win+R), type CMD, and click “OK” (or press Enter). Type each of the following two lines (each of which should give you a confirmation):
- NET STOP "Network Connections Sharing"
- NET STOP "WINS Client"
- Reboot the computer to terminate the services.
- Remove the Registry entries that allow it to run: Launch the Registry Editor. (If you don’t know how to do this, get help.) Find the following key:
In the left pane, under Services (which is probably a big list), delete these subkeys:
Next, restore the network and Internet connection if disabled. Before you do so, though, it is advantageous to engage some sort of firewall protection so that you don’t become reinfected in the short time before you complete the important Step 7 below. If you don’t already have firewall software installed, you’re in a bit of a Catch-22 situation and should probably just plow ahead with Step 7 below. However, Windows XP and Server 2003 both have a built-in firewall that can be engaged before you reconnect to the Internet, and Windows 2000 has other available protection:
- Windows XP users should follow the instructions here for engaging the native firewall.
- Windows Server 2003 users should follow these instructions instead.
- Windows 2000 users should block TCP port 4444, TCP port 135, and UDP port 69 as described here.
Going forward, unless your computer is on a network already protected by a firewall, or behind a router, you really do need some sort of firewall protection. I recommend a personal firewall that filters both inbound and outbound traffic.
After reconnecting to the network, continue:
- Download and install the Microsoft patch. The current patch version is numbered KB824146 and is based on Microsoft Security Bulletin MS03-039. You can get this patch by running Windows Update. However, Windows Update may be unavailable or overburdened, or you may not want to take the time to have Windows Update examine your system for all uninstalled elements. In that case, use the direct download links below for your version of Windows. NOTE: If you aren’t on the latest Service Pack version, you may have to install it before this update will install. Also, Microsoft keeps moving these links around, so please excuse any that are broken.
Save the download to your Windows desktop. When it is downloaded, click on it to install. You must have local admin rights to install this.
- Update and run your antivirus program. Here are some useful links on the worm by leading antivirus sites:
- Double check that it worked. There’s always a chance that you became reinfected along the way. (This virus is very sneaky!) When you’re done, reboot the computer and then check Task Manager again to see if the virus is present.
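A read-only PowerShell check for the double-check step above, added here as an example; it is not part of the original instructions and is not Kelly Theriot's script. It assumes PowerShell is installed and that the Run key quoted in Note 2 below is the one to inspect, and it only looks for the file names and entries listed on this page, deleting nothing.

```powershell
# Read-only check: reports leftovers and changes nothing.
# File names are the six listed on this page (variants A-F).
$wormFiles = 'msblast.exe','penis32.exe','teekids.exe',
             'mspatch.exe','mslaugh.exe','enbiei.exe'
# Assumption: the Run key quoted in Note 2 is the one to inspect.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Running processes (the Task Manager check). Get-Process
#    reports names without the .exe extension.
$procNames = $wormFiles | ForEach-Object { $_ -replace '\.exe$','' }
foreach ($p in Get-Process) {
    if ($procNames -contains $p.ProcessName) {
        $findings += "PROCESS  $($p.ProcessName) (PID $($p.Id))"
    }
}

# 2. Run-key values whose data names a listed file, plus the
#    MSCONFIG35.EXE entry from Note 2. Matching on the data
#    catches an entry even if its value name differs.
$key = Get-Item -Path $runKey
foreach ($name in $key.GetValueNames()) {
    $data = [string]$key.GetValue($name)
    foreach ($f in ($wormFiles + 'msconfig35.exe')) {
        if ($data -like "*$f*") {
            $findings += "RUN KEY  $name = $data"
        }
    }
}

# 3. Files on the system drive. DLLHOST.EXE is a normal Windows
#    file, so it is only listed with its size for the variant D
#    comparison and is never counted as a finding.
$hits = Get-ChildItem -Path "$($env:SystemDrive)\" -Recurse -Force `
            -Include ($wormFiles + 'dllhost.exe') -ErrorAction SilentlyContinue
foreach ($file in $hits) {
    if ($file.Name -eq 'dllhost.exe') {
        "INFO     $($file.FullName) is $([math]::Ceiling($file.Length / 1KB)) KB"
    } else {
        $findings += "FILE     $($file.FullName)"
    }
}

if ($findings.Count -eq 0) {
    'No listed worm artifacts found.'
} else {
    $findings
}
```

Any PROCESS, RUN KEY or FILE line means the matching removal step needs repeating; the INFO lines are for comparing DLLHOST.EXE sizes against the variant D step.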
Note 1: IF THE VIRUS WON’T DISABLE IN TASK MANAGER
You have to stop it from launching at startup, and then reboot. Specifically, apply Step 5 above, then reboot.
Note 2: IF TASK MANAGER WON'T OPEN
MS-MVP Kelly Theriot has identified this problem as resulting from a “MSConfig”=“MSCONFIG35.EXE” entry in the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] Registry key. Delete the entry.