
Biiiig problem: new W32/Blaster? Same symptoms 2

Status
Not open for further replies.

MakeItSo

Programmer
Oct 21, 2003
3,316
DE
Hi guys,

I am currently facing a major problem:
Following a "WTF?" shout of my colleague's, I found that his computer showed all signs of a W32/Blaster infection.
An infection that should be utterly impossible, despite his Windows Firewall being deactivated, because he is running
a) Windows XP SP3, latest patches
b) McAfee Total Protection 8.1 + AntiSpyware-Module, up-to-date
c) all this in a network over a fine router (DrayTek Vigor) with activated firewall
d) in a network with McAfee total protection + all the jazz including HIPS.


Oh, and running Firefox of course, although I'm not really sure whether he was in the internet at that point. I doubt it and even if, he was most probably only logged into a customer's CMS.

I cannot yet determine the virus source but it happened while he was working with a PDF.
Although the PDF is from a very trusted source, I cannot rule out that PDF as the source, in light of the recently detected possible security holes with PDFs.

I am so fixed on the Blaster thing because of the symptoms:
Message "system must be shut down due to ... RPC". 1 minute countdown, then automatic forced restart.
Computer up 30 seconds or so, without even logging on, same message. Endless loop.

It took only ~ 5 minutes, then suddenly - without ANYONE working there, two other computers were affected. Same thing, only that it was not RPC in the message but DCOM.

On these latter two computers, I deactivated system restore, ran Hijack This (and found suspicious entries), as well as Avert Stinger, latest version.
The Stinger found ZILCH!
McAfee finds ZILCH!

Oh, by the by: the one colleague's computer is really, really heavily infected it seems: HJT shows dozens of svchost entries with literally all active services listed and run by "unknown user".

And I cannot deactivate system restore due to some error. I strongly assume that the virus blocks access there.

Now what?
I won't get past nuking that colleague's machine, but what I definitely cannot get past is HOW THE FRIGG THIS CAN HAPPEN? And what kind of new Blaster this may be. I first thought it may be hidden in one of these unspeakable HP updates, but the third affected is a Fujitsu.


Anyone has any ideas?

This will be a loooong night...
[hairpull]

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell
 
I suspect that you have been hit by a bad update from McAfee. It falsely identifies svchost.exe as being spyware and quarantines it...

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
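For anyone landing on this thread with the same symptoms, here is an added triage script (mine, not from the thread and not McAfee's fix) that separates "the AV engine quarantined svchost.exe" from "something is really abusing RPC/DCOM". It assumes an elevated PowerShell prompt on the affected host; the dllcache path is the XP-era Windows File Protection cache and may not exist on newer Windows.

```powershell
# Added example, not part of the original thread.  Assumes elevated PowerShell
# on the affected host.  Two checks: is the real svchost.exe still in System32
# (a quarantine leaves it missing, which is exactly what makes the RPC/DCOM
# hosts die and the shutdown countdown appear), and is any svchost.exe
# running from outside System32 (what a worm-style impostor would do).
$system32 = Join-Path $env:SystemRoot 'System32'
$svchost  = Join-Path $system32 'svchost.exe'
$cached   = Join-Path $system32 'dllcache\svchost.exe'   # XP-era WFP cache; may be absent

function Get-Sha256Hex([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hex = ($sha.ComputeHash([System.IO.File]::ReadAllBytes($path)) |
            ForEach-Object { $_.ToString('x2') }) -join ''
    $sha.Clear()
    return $hex
}

function Test-SvchostIntegrity {
    $r = New-Object PSObject
    $exists = Test-Path -LiteralPath $svchost
    $r | Add-Member NoteProperty FileExists $exists
    if ($exists) {
        $sig = Get-AuthenticodeSignature -FilePath $svchost
        # Catalog-signed OS files can report NotSigned on older Windows, so the
        # hash comparison against the WFP cache is the more reliable check there.
        $r | Add-Member NoteProperty SignatureStatus $sig.Status.ToString()
        if (Test-Path -LiteralPath $cached) {
            $same = (Get-Sha256Hex $svchost) -eq (Get-Sha256Hex $cached)
            $r | Add-Member NoteProperty MatchesDllcache $same
        }
    }
    # Every running svchost.exe with its image path and owner.  Legitimate
    # hosts live in System32; a failed owner lookup is reported as 'unknown'
    # rather than treated as proof of anything by itself.
    $procs = @(Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
        $o = $_.GetOwner(); $ownerName = 'unknown'
        if ($o.ReturnValue -eq 0) { $ownerName = "$($o.Domain)\$($o.User)" }
        $inSys32 = [bool]($_.ExecutablePath -and
            $_.ExecutablePath.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase))
        New-Object PSObject -Property @{ PID = $_.ProcessId; Path = $_.ExecutablePath;
                                         Owner = $ownerName; InSystem32 = $inSys32 }
    })
    $r | Add-Member NoteProperty Processes $procs
    $r | Add-Member NoteProperty RogueCount (@($procs | Where-Object { -not $_.InSystem32 }).Count)
    return $r
}

$report = Test-SvchostIntegrity
if (-not $report.FileExists) {
    Write-Warning 'svchost.exe is missing from System32: check the AV quarantine and restore it first.'
    shutdown -a   # abort the pending RPC-triggered restart so you have time to work
}
$report | Format-List FileExists, SignatureStatus, MatchesDllcache, RogueCount
$report.Processes | Format-Table PID, Owner, InSystem32, Path -AutoSize
```

FileExists false with RogueCount 0 is the false-positive picture from this thread; FileExists true with RogueCount above 0 is the case where you should isolate the box and keep digging.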
 
Hallelujah!

That explains why none of my AntiVirus/Anti-Malware SW found anything! (The HJT entries were probably side effects).

I will now implement the fix provided by McAfee and report back whether the issue is solved.

Thanks a million!

MiS

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell
 
Update as promised:
The fix by McAfee fixed the problem. All running smoothly again!

Thanks a lot for the input guys. You saved me quite a number of nerves on this.

P.S.: First thing I'm doing right now is to uninstall all that unnecessary HP junk, and especially that darned HP updater.
One thing less to gnash teeth about.
:)

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell
 