Blaster Worm or another problem?


Tony Sadler

My PC keeps shutting down. I get an error message
saying: "Generic Host Process for Win32 has encountered a
problem. Please tell Microsoft about this".
Microsoft's link indicates a potential Blaster Worm
infection BUT I run a firewall all the time. My antivirus
software is always up to date. I have tried four different
antivirus products, all of which tell me there is no virus
present. I have downloaded a tool for removal of the
Blaster worm and all its known variants and still I am
told there is no virus. Microsoft's direct link still says
it's the most likely cause. My PC has shut itself down 6 or
7 times this evening. Can anyone please help?
Thanks.
 

Michael Solomon (MS-MVP Windows Shell/User)

Try a repair install as the "fixes" for this often leave behind remnants:

Assuming your system is set to boot from the CD-ROM drive and you have an
actual XP CD as opposed to a recovery CD, boot with the XP CD in the drive
and perform a repair install as outlined below. If the system isn't set to
boot from the CD or you are not sure, you need to enter the system's BIOS.
When you boot the system, the first screen usually has instructions that if
you wish to enter setup you should press a specific key; when you see that,
do so. Then you will have to navigate to the boot sequence; if the CD-ROM
drive is not on the first line, set it first in the boot sequence. Save
your settings and exit with the XP CD in the drive. The system will reboot.

NOTE, while a repair install should leave your data files intact, if
something goes wrong during the repair install, you may be forced to start
over and do a clean install of XP. If you don't have your data backed up,
you would lose your data should that eventuality occur.

Boot from the CD. If your system is set to be able to boot from the CD, it
should detect the disk and give a brief message during boot-up: if you
wish to boot from the CD, press any key.

Once you have pressed a key, setup should begin. You will see a reference
asking if you need to load special drivers and another notice that if you
wish to begin the ASR (Automatic Recovery Console) depress F2. Just let
setup run past all of that. It will continue to load files and drivers.

Eventually, you will come to a screen with the option to (1) set up
Windows or (2) repair a Windows installation using the Recovery Console.

The first option, to set up Windows, is the one you want and requires you
to press Enter. When asked, press F8 to accept the end user agreement.
Setup will then search for previous versions of Windows. Upon finding your
version, it will ask if you wish to repair your current installation or
install fresh. Press R; that will run a repair installation. From there
on, follow the screens.

If you only have a recovery CD, your options are quite limited. You can
either purchase a retail version of XP, which will allow you to perform the
above among the other tools and options it has, or you can run your system
recovery routine with the Recovery CD, which will likely wipe your drive,
deleting all files, but will restore your setup to factory fresh condition.
 

NobodyMan

My PC keeps shutting down. I get an error message
saying: "Generic Host Process for Win32 has encountered a
problem. Please tell Microsoft about this".
Microsoft's link indicates a potential Blaster Worm
infection BUT I run a firewall all the time. My antivirus
software is always up to date. I have tried four different
antivirus products, all of which tell me there is no virus
present. I have downloaded a tool for removal of the
Blaster worm and all its known variants and still I am
told there is no virus. Microsoft's direct link still says
it's the most likely cause. My PC has shut itself down 6 or
7 times this evening. Can anyone please help?
Thanks.

Regardless of what MS seems to indicate, your message does not convey
any of the normal signs/symptoms of MSBlast. What have you done
recently that may have changed something in your computer
configuration (either hardware OR software)?
 

cquirke (MVP Win9x)

Regardless of what MS seems to indicate, your message does not convey
any of the normal signs/symptoms of MSBlast. What have you done
recently that may have changed something in your computer
configuration (either hardware OR software)?

It's prolly an RPC-vulnerable NT system that has no infection present,
but keeps getting kicked over whenever any infected PCs on the same
network try to infect it. The Internet is the world's largest
network and it is *always* infected with something, usually with
everything! Certainly, it is full of Lovesan/Blaster, Nachi/Welchia
and several other RPC infectors.

RPC infectors attack by overrunning an unchecked buffer within the RPC
service. The offset required to align the attacking code properly is
different for Win2000 vs. XP, so that attack packets crafted for the
one OS will fail (typically by crashing the RPC service) on the other.

Lovesan is said to throw out 4 XP attacks for every one Win2000
attack, which makes life particularly hard for Win2000 users, who have
it bad enough as it is; they need 100M+ of SP2 before they can install
the 1M patch, and they have no built-in firewall. It's actually
better to be successfully attacked by a properly-aligned attack packet
(esp. if av catches and kills the malware); however, Win2000 users may
find that 80% of the attack traffic crashes the PC immediately.

Out of everything in your original post, the only thing that counts
against these attacks being the cause is that you use a firewall. I'd
expect a firewall to block this attack traffic from reaching the RPC
service, but this may differ on configuration, or fail if some other
current or previous malware attack disabled the firewall.

Certainly, all that stuff about being clean of multiple virus scans,
or running av software, is completely irrelevant. Sequence:

1) RPC attacker attempts to overrun buffer
- if blocked by firewall, OK
- if RPC defect is fixed, OK
- else if packet matches OS, infection beachhead made
- else if packet mis-matches OS, crashes service
- if RPC "Recovery" set to restart PC, PC restarts
- if general system crash and PC set to restart, PC restarts
- else RPC may continually respawn itself
- if successful, slow
- if fails, then odd flakiness and functionality deficits
2) RPC attack code is running, typically pulls down malware body
- at this point, av may recognise and kill the in-memory code
- or may recognise/kill the malware body when created as file
- or may recognise/kill the malware body when run as file
3) RPC malware now active, tries to spread
- increased outgoing traffic, esp. Nachi/Welchia
- firewalls may notice this
- your LAN may notice impact of increased traffic
4) Some RPC malware has additional payloads
- SDBot.RPC.A and a Lovesan variant are RATs
- all that follows RAT infection; open-ended consequences

You must fix the defective RPC code, and keep the fix on hand to be
re-applied should you ever need to "just re-install Windows", as even
a "repair" install will undo the patch. Meantime (and in addition),
use firewall, and set PC not to restart on crashes or RPC failures.


--------------- ----- ---- --- -- - - -
Dreams are stack dumps of the soul
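The sequence above separates two cases that antivirus scan results cannot tell apart: an unpatched host being knocked over by inbound attack packets (step 1) and an infected host generating the outbound scan traffic of step 3. The Windows Firewall log is the place to check which one you are in. The script below is an added example, not code from this thread or any poster; it assumes the XP SP2 pfirewall.log W3C field layout given in its header comment, and every log line in it is constructed for the demonstration.

```python
"""Triage a Windows Firewall log for RPC-worm traffic (added example).

Assumed layout is the XP SP2 pfirewall.log W3C format:
  #Fields: date time action protocol src-ip dst-ip src-port dst-port size
           tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
The 'path' field is RECEIVE for inbound and SEND for outbound traffic.
All sample lines below are constructed, not captured from a real host.
"""
from collections import Counter

# DCOM RPC endpoint mapper (135) plus the SMB ports Blaster-family worms also probe.
RPC_PORTS = {135, 139, 445}

HEADER = (
    "#Version: 1.5\n"
    "#Software: Microsoft Windows Firewall\n"
    "#Time Format: Local\n"
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path\n"
)

# Constructed: a clean host whose firewall is dropping inbound RPC probes and pings.
SAMPLE_PROBED = HEADER + """\
2003-08-12 21:03:12 DROP TCP 10.0.0.55 10.0.0.10 3344 135 48 S 1234567 0 65535 - - - RECEIVE
2003-08-12 21:03:13 DROP TCP 10.0.0.55 10.0.0.10 3345 135 48 S 1234568 0 65535 - - - RECEIVE
2003-08-12 21:03:19 DROP TCP 172.16.4.9 10.0.0.10 1025 135 48 S 9988 0 8192 - - - RECEIVE
2003-08-12 21:03:20 DROP TCP 172.16.4.9 10.0.0.10 1026 445 48 S 9989 0 8192 - - - RECEIVE
2003-08-12 21:03:25 DROP TCP 10.0.0.77 10.0.0.10 4000 135 48 S 5 0 65535 - - - RECEIVE
2003-08-12 21:04:01 OPEN TCP 10.0.0.10 10.0.0.200 1041 80 - - - - - - - - SEND
2003-08-12 21:04:02 DROP ICMP 10.0.0.55 10.0.0.10 - - 92 - - - - 8 0 - RECEIVE
"""

# Constructed: an infected host opening outbound connections to port 135 on many neighbours.
SAMPLE_INFECTED = HEADER + """\
2003-08-12 22:10:01 OPEN TCP 10.0.0.10 10.0.0.1 1100 135 - - - - - - - - SEND
2003-08-12 22:10:01 OPEN TCP 10.0.0.10 10.0.0.2 1101 135 - - - - - - - - SEND
2003-08-12 22:10:02 OPEN TCP 10.0.0.10 10.0.0.3 1102 135 - - - - - - - - SEND
2003-08-12 22:10:02 OPEN TCP 10.0.0.10 10.0.0.4 1103 135 - - - - - - - - SEND
2003-08-12 22:10:03 OPEN TCP 10.0.0.10 10.0.0.5 1104 135 - - - - - - - - SEND
2003-08-12 22:10:03 OPEN TCP 10.0.0.10 10.0.0.6 1105 135 - - - - - - - - SEND
2003-08-12 22:10:09 DROP TCP 10.0.0.55 10.0.0.10 3350 135 48 S 77 0 65535 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Return a list of dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Skip lines that do not match the declared layout instead of guessing.
        if fields is None or len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records


def _port(value):
    """Ports are '-' for ICMP records; return None rather than raising."""
    return int(value) if value.isdigit() else None


def triage(records, scan_threshold=5):
    """Classify the host as 'infected', 'probed' or 'clean' from RPC-port traffic.

    inbound_probes:    attackers hitting our RPC ports (the crash-the-service case)
    outbound_connects: distinct targets we connect to on RPC ports (the spreading case)
    icmp_echo_inbound: inbound echo requests, the sweep pattern Nachi/Welchia uses
    """
    inbound = Counter()
    outbound = Counter()
    icmp_in = 0
    for r in records:
        dport = _port(r["dst-port"])
        if r["protocol"] == "TCP" and dport in RPC_PORTS:
            if r["path"] == "RECEIVE":
                inbound[r["src-ip"]] += 1
            elif r["path"] == "SEND":
                outbound[r["dst-ip"]] += 1
        elif r["protocol"] == "ICMP" and r["path"] == "RECEIVE" and r["icmptype"] == "8":
            icmp_in += 1
    # Many distinct outbound RPC targets is what a worm does, not what a user does.
    if len(outbound) >= scan_threshold:
        verdict = "infected"
    elif inbound:
        verdict = "probed"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "inbound_probes": inbound,
        "outbound_connects": outbound,
        "icmp_echo_inbound": icmp_in,
    }


if __name__ == "__main__":
    for name, sample in (("probed", SAMPLE_PROBED), ("infected", SAMPLE_INFECTED)):
        result = triage(parse_firewall_log(sample))
        print(name, "->", result["verdict"],
              "| inbound sources:", dict(result["inbound_probes"]),
              "| outbound targets:", len(result["outbound_connects"]))
```

Run it against a real pfirewall.log with logging of dropped packets enabled; a "probed" verdict with repeated inbound DROPs on 135 means the firewall is doing its job and the remaining step is the RPC patch, while a "probed" verdict alongside unexplained RPC-service restarts suggests the packets are reaching the service by another route (a firewall that was disabled, or a second interface it does not cover).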
 