Regardless of what MS seems to indicate, your message does not convey
any of the normal signs/symptoms of MSBlast. What have you done
recently that may have changed something in your computer
configuration (either hardware OR software)?

It's prolly an RPC-vulnerable NT system that has no infection present,
but keeps getting kicked over whenever any infected PCs on the same
network try to infect it. The Internet is the world's largest
network and it is *always* infected with something, usually with
everything! Certainly, it is full of Lovesan/Blaster, Nachi/Welchia
and several other RPC infectors.

RPC infectors attack by overrunning an unchecked buffer within the RPC
service. The offset required to align the attacking code properly is
different for Win2000 vs. XP, so that attack packets crafted for the
one OS will fail (typically by crashing the RPC service) on the other.
Lovesan is said to throw out 4 XP attacks for every one Win2000
attack, which makes life particularly hard for Win2000 users, who have
it bad enough as it is; they need 100M+ of SP2 before they can install
the 1M patch, and they have no built-in firewall. It's actually
better to be successfully attacked by a properly-aligned attack packet
(esp. if av catches and kills the malware); however, Win2000 users may
find that 80% of the attack traffic crashes the PC immediately.

Out of everything in your original post, the only thing that counts
against these attacks being the cause is that you use a firewall. I'd
expect a firewall to block this attack traffic from reaching the RPC
service, but this may differ on configuration, or fail if some other
current or previous malware attack disabled the firewall.

Certainly, all that stuff about being clean of multiple virus scans,
or running av software, is completely irrelevant. Sequence:

1) RPC attacker attempts to overrun buffer
   - if blocked by firewall, OK
   - if RPC defect is fixed, OK
   - else if packet matches OS, infection beachhead made
   - else if packet mis-matches OS, crashes service
      - if RPC "Recovery" set to restart PC, PC restarts
      - if general system crash and PC set to restart, PC restarts
      - else RPC may continually respawn itself
         - if successful, slow
         - if fails, then odd flakiness and functionality deficits

2) RPC attack code is running, typically pulls down malware body
   - at this point, av may recognise and kill the in-memory code
   - or may recognise/kill the malware body when created as file
   - or may recognise/kill the malware body when run as file

3) RPC malware now active, tries to spread
   - increased outgoing traffic, esp. Nachi/Welchia
   - firewalls may notice this
   - your LAN may notice impact of increased traffic

4) Some RPC malware has additional payloads
   - SDBot.RPC.A and a Lovesan variant are RATs
   - all that follows RAT infection; open-ended consequences

You must fix the defective RPC code, and keep the fix on hand to be
re-applied should you ever need to "just re-install Windows", as even
a "repair" install will undo the patch. Meantime (and in addition),
use firewall, and set PC not to restart on crashes or RPC failures.
--------------- ----- ---- --- -- - - -
Dreams are stack dumps of the soul
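
Added example, not part of the original post: a small triage script for steps 1 and 3 of the sequence above, showing from a firewall log whether inbound RPC attack traffic was dropped or reached the service, and whether the host itself is fanning out to peers. The port (TCP 135), the log layout (leading columns of a pfirewall.log-style file), the addresses and the fan-out threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

RPC_PORT = "135"  # assumption: TCP 135 (RPC endpoint mapper); the post names no port

# Constructed sample, trimmed to the leading columns of a pfirewall.log-style file.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2003-08-14 10:01:02 DROP TCP 198.51.100.7 192.0.2.10 3312 135 48
2003-08-14 10:01:05 DROP TCP 198.51.100.7 192.0.2.10 3313 135 48
2003-08-14 10:02:11 DROP TCP 203.0.113.9 192.0.2.10 1190 135 48
2003-08-14 10:03:40 OPEN TCP 203.0.113.20 192.0.2.10 2044 135 -
2003-08-14 10:04:01 OPEN TCP 192.0.2.10 192.0.2.80 1030 80 -
2003-08-14 10:05:10 OPEN TCP 192.0.2.10 192.0.2.21 1031 135 -
2003-08-14 10:05:10 OPEN TCP 192.0.2.10 192.0.2.22 1032 135 -
2003-08-14 10:05:11 OPEN TCP 192.0.2.10 192.0.2.23 1033 135 -
"""

def parse(log_text):
    """Yield one dict per record, using the column names from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(log_text, local_ip, fanout_threshold=3):
    """Sort port-135 traffic into blocked, reached-the-service, and outbound fan-out."""
    blocked, reached, outbound = defaultdict(int), defaultdict(int), set()
    for rec in parse(log_text):
        if rec.get("protocol") != "TCP" or rec.get("dst-port") != RPC_PORT:
            continue
        if rec.get("dst-ip") == local_ip:
            # Step 1: inbound attempt; anything not dropped got to the RPC service.
            bucket = blocked if rec.get("action") == "DROP" else reached
            bucket[rec.get("src-ip")] += 1
        elif rec.get("src-ip") == local_ip and rec.get("action") == "OPEN":
            # Step 3: this host opening port 135 on many peers looks like spreading.
            outbound.add(rec.get("dst-ip"))
    return {
        "blocked": dict(blocked),
        "reached_rpc": dict(reached),
        "outbound_targets": sorted(outbound),
        "spreading": len(outbound) >= fanout_threshold,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "192.0.2.10"))
```

A non-empty "reached_rpc" on an unpatched machine is the case the post describes: the firewall is not stopping the traffic, so crashes or infection can follow.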