Biiiig problem: new W32/Blaster? Same symptoms


Hi guys,

I am currently facing a major problem:
Following a "WTF?" shout from my colleague, I found that his computer showed all signs of a W32/Blaster infection.
An infection that should be utterly impossible despite his Windows Firewall being deactivated, because he is running
a) Windows XP SP3, latest patches
b) McAfee Total Protection 8.1 + AntiSpyware-Module, up-to-date
c) all this in a network over a fine router (DrayTek Vigor) with activated firewall
d) in a network with McAfee total protection + all the jazz including HIPS.

Oh, and running Firefox of course, although I'm not really sure whether he was in the internet at that point. I doubt it and even if, he was most probably only logged into a customer's CMS.

I cannot yet determine the virus source but it happened while he was working with a PDF.
Although the PDF is from a very trusted source, I cannot rule out that PDF as the source, in light of the recently detected possible security holes with PDFs.

I am so fixed on the Blaster thing because of the symptoms:
Message "system must be shut down due to ... RPC". 1 minute countdown, then automatic forced restart.
Computer up 30 seconds or so, without even logging on, same message. Endless loop.

It took only ~ 5 minutes, then suddenly - without ANYONE working there, two other computers were affected. Same thing, only that it was not RPC in the message but DCOM.

On these latter two computers, I deactivated system restore, ran Hijack This (and found suspicious entries), as well as Avert Stinger, latest version.
The Stinger found ZILCH!
McAfee finds ZILCH!

Oh, by the by: the one colleague's computer is really, really heavily infected it seems: HJT shows dozens of svchost entries with literally all active services listed and run by "unknown user".

And I cannot deactivate system restore due to some error. I strongly assume that virus to block access there.

Now what?
I won't get past nuking that colleague's machine, but what I definitely cannot get past is HOW THE FRIGG THIS CAN HAPPEN? And what kind of new Blaster this may be. I first thought it may be hidden in one of these unspeakable HP updates, but the third affected is a Fujitsu.

Does anyone have any ideas?

This will be a loooong night...

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell

RE: Biiiig problem: new W32/Blaster? Same symptoms

I suspect that you have been hit by a bad update from McAfee. It falsely identifies svchost.exe as being spyware and quarantines it...

Take Care

I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
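Added example, not part of the thread or of any McAfee tooling: a defender's triage script for telling an antivirus false positive that quarantined svchost.exe apart from a genuine RPC/DCOM worm infection. It assumes a modern Windows host with PowerShell 5 or later (the original poster's XP machines would not run these cmdlets) and a default %SystemRoot% layout; the hash is meant to be compared against a known-good machine, since no reference value is given here.

```powershell
# Added triage example (not from the thread). Run as administrator on an affected host.
# Assumes PowerShell 5+ and a default Windows install under $env:SystemRoot.

$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# 1. Is svchost.exe still present? A file that an AV product quarantined is simply gone,
#    and every service hosted in it then fails, which is what triggers the RPC/DCOM
#    "system must be shut down" restart loop.
if (-not (Test-Path $svchost)) {
    Write-Warning "svchost.exe is missing from System32: check the AV quarantine before assuming a worm."
} else {
    # 2. Is it the genuine Microsoft-signed binary, or has something replaced it?
    $sig = Get-AuthenticodeSignature -FilePath $svchost
    "svchost.exe signature status : $($sig.Status)"
    "svchost.exe signer           : $($sig.SignerCertificate.Subject)"
    # Compare this hash with the same file on a known-clean host of the same build.
    $hash = (Get-FileHash -Path $svchost -Algorithm SHA256).Hash
    "svchost.exe SHA256           : $hash"
}

# 3. Which services run inside svchost? Dozens of entries is normal on Windows, so a
#    long list (as HijackThis showed the poster) is not by itself evidence of infection.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'svchost\.exe' } |
    Select-Object Name, State, StartName |
    Sort-Object Name |
    Format-Table -AutoSize

# 4. State of the two services whose failure produces the shutdown countdown.
Get-Service RpcSs, DcomLaunch | Select-Object Name, Status

# 5. Recent restarts initiated by a process (System log event 1074), to see how often
#    the loop has fired and which process requested the shutdown.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

If step 1 reports the file missing and the AV console shows svchost.exe in quarantine, restoring it from quarantine (or from a clean copy of the same Windows build) and correcting the signature update is the fix; if the file is present but unsigned or its hash differs from a clean host, treat the machine as compromised and rebuild it.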

RE: Biiiig problem: new W32/Blaster? Same symptoms

That explains why none of my AntiVirus/Anti-Malware SW found anything! (The HJT entries were probably side effects).

I will now implement the fix provided by McAfee and report back whether the issue is solved.

Thanks a million!
"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell

RE: Biiiig problem: new W32/Blaster? Same symptoms

Update as promised:
The fix by McAfee fixed the problem. All running smoothly again!

Thanks a lot for the input guys. You saved me quite a number of nerves on this.

P.S.: First thing I'm doing right now is to uninstall all that unnecessary HP junk, and especially that darned HP updater.
One thing less to gnash teeth about.

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell
