NO WORM...But All the same problems

[Chris P.]

I have the same problem with the RPC shutting down the computer as everyone
else is having. Exactly the same symptoms; Started monday, online when I am
on the internet through dial-up, and can't install the patch.

Now, I tried all the steps the people suggested. Starting stopping
services,renaming the catroot2, using the msblast vb tool from the Kelly
website. I also use the McAfee tool "Stinger" and the Symantec tool. Not one
found the worm and I am having the same problems as everyone else. The only
thing different is it happens on the dial-up internet connection only. I
took the computer to my house and connected it to my network which has cable
internet and no RPC shutdowns or anything. Only I still can't update the
WindowsXP at all. The person's computer I am trying to fix was never updated
since she got the computer 2 years ago. I tried everything I know and I know
a good deal.

What do I do now???
Chris

 

[Frank]

Have you tried scanning using software via the internet. I have found that
if the antivirus software has been effected the tools you download to find
viruses also will not work properly.
I had a similar problem with the nimda virus where I had the systems but all
the tools would not find it. I then went to
http://housecall.antivirus.com/housecall/start_corp.asp and completed a scan
and it was able to find it.

 

[Steve Nielsen]

Another possible alternative is to DL the fixblast.exe on a non-infected
machine, save it to a floppy, boot in Safe Mode or at least disconnected
from the `net, then run the tool from the floppy disk.

Steve

 

[Steve Nielsen]

That's because mblast.exe is still on your machine and running.

go here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Under Removal Instructions (near the end of the page) pay particular
attention to steps 3 4 and 5.

Re-infection happens particularly fast in some cases so make sure one of
the first things you do is install the patch to help prevent that.

Steve

 

[Chris P.]

Steve,

I appreciate your help but if you read my original post I done all that
before. I have 4 good machines that I been using to DL patches and tools and
then putting them on floppies and cds for the "supposedly" infected machine.
There is no evidence the worm is in this computer all the registry keys,
files and such are not on the computer. I know a good deal about computers I
get my B.S. in Comp.Sci. after next semester so i know what i am doing, but
this is stumping the hell out of me. I can't install any patch SP1, SP1a,
the worm patch vulnerability, nothing. I get the cryptography service error.
I did everything i read about that problem and i can't get that one
resolved. This shows all the same problems as the other people with the
virus only this cimputer has no virus in it and that I am sure of because of
research i done just to see where this worm/virus resides on the computer
and which keys it edits.

I am dumbfounded,
Chris

 

[Malke]

Steve,

I appreciate your help but if you read my original post I done all
that before. I have 4 good machines that I been using to DL patches
and tools and then putting them on floppies and cds for the
"supposedly" infected machine. There is no evidence the worm is in
this computer all the registry keys, files and such are not on the
computer. I know a good deal about computers I get my B.S. in
Comp.Sci. after next semester so i know what i am doing, but this is
stumping the hell out of me. I can't install any patch SP1, SP1a, the
worm patch vulnerability, nothing. I get the cryptography service
error. I did everything i read about that problem and i can't get that
one resolved. This shows all the same problems as the other people
with the virus only this cimputer has no virus in it and that I am
sure of because of research i done just to see where this worm/virus
resides on the computer and which keys it edits.

I am dumbfounded,
Chris

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

(snip)

And you took the machine off the network, went into Safe Mode and
disabled System Restore before you started the repair work? Ran the
repair tool, did a full virus scan (using a current av program with
updated definitions) in Safe Mode? And are still having problems? If
yes, then it is quite odd, but in that case just format the hard drive
and reinstall Windows. Something else is messed up and why fool around
any more.

Malke

 

[Steve Nielsen]

The crashing of RPC donest indicate that you *have* the worm, only that it
is trying to infect you. The crashes are casused by the random data that the
worm sends in order to cause an over flow.

Which indicates the vulnerable port is still open, doesn't it?

Steve

 

[Steve Nielsen]

I did read your entire post and did not see you mention the patch ever
being installed in the original post, just the cleanup tools being used.
That's why I wrote what I did.

Since the problems seem associated witht the dialup networking, have you
tried removing the dialup configuration and re-configuring it? I don't
know - I am at a loss, too.

FWIW, I have been a tech since the early 80s and a network admin for
over 10 years, guess what? I *still* get confused! Especialy after a 15
step process being repeated 15 times

Steve