Hi guys,
I am currently facing a major problem:
Following a "WTF?" shout from my colleague, I found that his computer showed all signs of a W32/Blaster infection.
An infection that should be utterly impossible, even with his Windows Firewall being deactivated, because he is running
a) Windows XP SP3, latest patches
b) McAfee Total Protection 8.1 + AntiSpyware-Module, up-to-date
c) all this in a network over a fine router (DrayTek Vigor) with activated firewall
d) in a network with McAfee total protection + all the jazz including HIPS.
Oh, and running Firefox of course, although I'm not really sure whether he was on the internet at that point. I doubt it, and even if he was, he was most probably only logged into a customer's CMS.
I cannot yet determine the virus source but it happened while he was working with a PDF.
Although the PDF is from a very trusted source, I cannot rule out that PDF being the source, in light of the recently detected possible security holes with PDFs.
I am so fixated on the Blaster thing because of the symptoms:
Message "system must be shut down due to ... RPC". 1 minute countdown, then automatic forced restart.
Computer up 30 seconds or so, without even logging on, same message. Endless loop.
It took only ~ 5 minutes, then suddenly - without ANYONE working there, two other computers were affected. Same thing, only that it was not RPC in the message but DCOM.
On these latter two computers, I deactivated system restore, ran Hijack This (and found suspicious entries), as well as Avert Stinger, latest version.
The Stinger found ZILCH!
McAfee finds ZILCH!
Oh, by the by: the one colleague's computer is really, really heavily infected, it seems: HJT shows dozens of svchost entries with literally all active services listed and run by "unknown user".
And I cannot deactivate system restore due to some error. I strongly assume the virus is blocking access there.
Now what?
I won't get past nuking that colleague's machine, but what I definitely cannot get past is HOW THE FRIGG THIS CAN HAPPEN? And what kind of new Blaster this may be. I first thought it may be hidden in one of these unspeakable HP updates, but the third affected is a Fujitsu.
Does anyone have any ideas?
This will be a loooong night...
[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell