To remove the W32.Blaster.Worm (also known as MSBlast or LovSan) from an infected machine, you must isolate the system, stop the active process, use a dedicated removal tool, and patch the critical security flaw. The Blaster worm exploits a vulnerability in the Windows Remote Procedure Call (RPC) service, famously triggering a 60-second countdown before abruptly forcing your PC to reboot.

The step-by-step guide below details how to stop the reboots and completely clean your system.

Phase 1: Stop the Auto-Reboot Cycle

The worm triggers unexpected system shutdowns via the RPC service. You must override this behavior to ensure your PC stays on long enough to perform the cleanup.

Cancel the countdown: When the “System is shutting down” warning appears, quickly press Windows Key + R, type cmd, and press Enter.

Execute abort command: Type shutdown -a in the command prompt and hit Enter. This immediately terminates the shutdown sequence.

Configure RPC Recovery:

Open the Run dialog box (Windows Key + R), type services.msc, and press Enter.

Right-click Remote Procedure Call (RPC) (do not select the RPC Locator) and choose Properties.

Navigate to the Recovery tab and change the settings for First failure, Second failure, and Subsequent failures to Restart the Service or Take No Action. Click Apply.

Phase 2: Isolate and Terminate the Worm
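The Phase 1 steps (abort the shutdown, then change the RPC recovery actions) can also be done from the same command prompt instead of services.msc. This is an added example, not part of the original guide; the 60-second restart delay and the one-day failure-count reset period are assumed values chosen for illustration.

```batch
@echo off
rem Added example: Phase 1 run from a command prompt on the affected PC.
rem RpcSs is the service name behind "Remote Procedure Call (RPC)".
rem RpcLocator is the separate RPC Locator service and is left untouched.

rem Abort a pending shutdown; this reports an error if none is in progress.
shutdown -a

rem Show the recovery actions currently configured for the RPC service.
sc qfailure RpcSs

rem First, second and subsequent failures: restart the service after 60000 ms.
rem reset= is the failure-count reset period in seconds (assumed: one day).
sc failure RpcSs reset= 86400 actions= restart/60000/restart/60000/restart/60000
if errorlevel 1 (
    echo Could not change the RPC recovery settings. Check that this prompt has administrator rights.
    exit /b 1
)

rem Confirm the new settings before moving on to cleanup.
sc qfailure RpcSs
```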
