New and Nasty Blaster Virus

[df]

My PC has win XP and is seriously infected by a virus that ressemble
Blaster.
The symptoms are however much more severe!

1 - It reboots every 3 min with the NT Authority RPC shutdown.
2 - I ran all the worm finder by Symantec, McAfee, and nothing is
found!
3 - I try to reenable my Firewall on Control/Network Connections, and
all my connections are deleted and I cannot create a new one!
4 - I tried to instal the microsoft patch from a CDrom, and the
installation cannot be launch!!!
5 - All these symptoms are the same even in Safe Mode!
6 - In process manager, I do not see the msblast.exe nor in the
Windows/System32 directory.

What should I do to recover from this?
Please help!!!

Thank you

 

[Steve Nielsen]

Symantec lists 8 variants of Blaster worm and there may be new variants
that have not been "dsicovered" yet. Not all of them drop the file
"mblast.exe" there are other filenames for the worms, too, such as

eschlp.exe & svchosthlp.exe (Blaster.T variant)
penis32.exe (Blaster.B)
mslaugh.exe (Blaster.E)
enbiei.exe (Blaster.F)
mschost.exe (Blaster.K)
mspatch.exe (Blaster.D)
teekids.exe (Blaster.C)

Check this registry key for entries contaning any of these filenames

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

And in C:\Windows\System and C:\Windows\System32 for these files.

In addidion,
W32.Blaster.C.Worm may have been distributed in a package that also
contained a Backdoor Trojan.

The package would have had the following characteristics:

* index.exe (32,045 bytes): Drops the worm and Backdoor components.
It is detected as W32.Blaster.C.Worm.
* root32.exe (19,798 bytes): Backdoor component detected as
Backdoor.Lithium.
* teekids.exe (5,360 bytes): Worm component detected as
W32.Blaster.C.Worm.


Good luck! Keep us informed.

Steve