New Blaster Variant?

Bob Adkins

I've got a tough one here! It acts like MS Blaster, but with an evil twist.

Norton originally hit on 3 or 4 viruses, and the woman disinfected them.
When things kept fouling up, she called me.

Occasionally, the infamous "NT Authority" bogus dialog pops up and shuts the
system down. The usual MS problem solving tools auto-close, preventing much
investigation. RegEdit, MSConfig, etc shut down within 10 seconds of
launching WinXP. IE works fine. Norton AntiVirus launches with the system,
then shuts down after a minute or so.

Done so far:

Firewall: ON

Installed Nod32, and it did not hit on anything.

Trojan Remover, nothing.

AVERT Stinger, nothing.

Norton scanners for several viruses including Blaster, Swen, Klez, etc.
Nada!

Patch: The MS patch for Blaster exploit would not install, because it shut
down before it finished. Finally got it to install in Safe Mode. MS Blaster
Cleanup patch shut down early, refused to install even in safe mode. "File
in use" error.

Ran BitDefender scanner and newest def, nothing.

All adware and Spyware removed with SpyBot and Ad-Aware, and re-tried.

All BHO's removed.

Any ideas about this nasty boy would be appreciated!

Bob
 
David H. Lipman

Bob:

Have you installed the patch for the RPC/RPCSS Buffer Overflow Vulnerability that is
addressed by Microsoft Security Bulletin MS03-39 http://support.microsoft.com/?kbid=824146 ?

Do you have the following directory?
%windir%\$NtUninstallKB824146$

Dave



|
| I've got a tough one here! It acts like MS Blaster, but with an evil twist.
|
| Norton originally hit on 3 or 4 viruses, and the woman disinfected them.
| When things kept fouling up, she called me.
|
| Occasionally, the infamous "NT Authority" bogus dialog pops up and shuts the
| system down. The usual MS problem solving tools auto-close, preventing much
| investigation. RegEdit, MSConfig, etc shut down within 10 seconds of
| launching WinXP. IE works fine. Norton AntiVirus launches with the system,
| then shuts down after a minute or so.
|
| Done so far:
|
| Firewall: ON
|
| Installed Nod32, and it did not hit on anything.
|
| Trojan Remover, nothing.
|
| AVERT Stinger, nothing.
|
| Norton scanners for several viruses including Blaster, Swen, Klez, etc.
| Nada!
|
| Patch: The MS patch for Blaster exploit would not install, because it shut
| down before it finished. Finally got it to install in Safe Mode. MS Blaster
| Cleanup patch shut down early, refused to install even in safe mode. "File
| in use" error.
|
| Ran BitDefender scanner and newest def, nothing.
|
| All adware and Spyware removed with SpyBot and Ad-Aware, and re-tried.
|
| All BHO's removed.
|
| Any ideas about this nasty boy would be appreciated!
|
| Bob
 
Bob Adkins

| Bob:
|
| Have you installed the patch for the RPC/RPCSS Buffer Overflow Vulnerability that is
| addressed by Microsoft Security Bulletin MS03-39 http://support.microsoft.com/?kbid=824146 ?
|
| Do you have the following directory?
| %windir%\$NtUninstallKB824146$

Thanks for the reply!

I installed the patch, but I did not check to see if it stuck. I'm pretty
confident it went in OK.

Thanks again!

Bob
 
Heather

Bob Adkins said:
| Thanks for the reply!
|
| I installed the patch, but I did not check to see if it stuck. I'm pretty
| confident it went in OK.

Bob.....if you want to check to see that all patches and fixes are
installed OK.....download the Belarc Advisor from the following
site.......I found that two of mine hadn't and redownloaded them. It
also gives you a ton of information on all the installed programs,
hardware and so on.

http://www.belarc.com/free_download.html

Cheers......Heather
 
Bob Adkins

| Bob.....if you want to check to see that all patches and fixes are
| installed OK.....download the Belarc Advisor from the following
| site.......I found that two of mine hadn't and redownloaded them. It
| also gives you a ton of information on all the installed programs,
| hardware and so on.
|
| http://www.belarc.com/free_download.html

Nice program. Works fine on my computer, but not the infected one. It shuts
down in about 10 sec. Not quite enough time to finish.

This must be a new virus. I've never heard of anything like this.

Bob
 
Randy

I just installed XP on my computer and within about an hour (before I
could install any patches) I had so many different things going
wrong... Just like you were saying in the orig message... It ended up
being this:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.ao.html

It kept shutting down patch processes before they were done, the only
thing that worked was to keep on trying to download the latest datfile
from Norton, until I finally could keep the download open long enough
to complete (Couldn't download the definitions in Safe mode with
network, for some reason). Then I went into safe mode and did the V
Scan of the whole HD and it found this gaobot thing in 4 system files.

Anyways, it was a nightmare... thankfully Norton got rid of it once I
got the current definitions downloaded. This thread was a help too,
as I thought it was blaster and in fact found blaster had gotten to my
computer too..... So, in all, I had a new hard drive, did the
fdisk/format c, then put XP on it, and I got all this stuff right away
without surfing or even checking email... proves like it says that the
firewall/patches are very important and that you don't even have to
surf to get a virus.
 
