A problem that resembles msblast

I have an odd problem.

I just installed XP Pro onto my computer, and I was planning on getting all of the critical updates and what-not today. Before I could get around to it, though, a dreadful thing happened. I got the message that's common with the msblast worm. You know, the one about the RPC error and the system's going to shutdown and there's nothing you can do about it. Yeah, that one.

Well, anyway, after I rebooted my computer manually (I'm not about to let that damned worm reboot MY computer. I did it myself before the countdown could finish ) I went to the symantec website and got their FixBlast application. I ran it, and it found nothing. So, unsure of what it might be, I tried to run AVG Antivirus. This is where it got weird. Before I could even start a system scan, AVG just closed. It didn't stop responding or anything like that, it just closed. The same thing with Norton AV 2004.

I've tried to install patches, and run other updates, but it seems like everything I try to do that will get rid of this problem just gets closed with no warning. It's almost as if the virus/worm/whatever is keeping me from fixing it.

Does anyone have any experience with something like this? I'm really at a loss as of what to do...I mean, I could format and reinstall, but that's kind of a last resort.

If you need any other info, just ask.

[edit]

FYI, regedit is another app that closes without warning. Figures...I can't even delete it's registry keys.

 

I didn't know this before looking into this just now, but the Welchia/Nachi worm exploits the same vulnerability, producing similar symptoms. Prolly explains why the Blaster removal tool didn't find anything!

Symantec removal tool: http://www.symantec.com/avcenter/FixWelch.exe
Info on tool: http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

Hope this takes care of it for ya

 

Thanks alan!

I'm running the McAfee AVERT Stinger right now, but I'll try that fix when it finishes. Stinger may work though because it also fixes Nachi. I don't know if it's a particular variant, but it is listed.

I've been infected with Welchia before, but I didn't know that it took advantage of the same things that blast does. hmmm...learn something new everyday.

 

Yeah, exactly. Strange that Symantec didn't create one tool for both worms, considering the symptoms can be the same

Oh here's the MS article on Nachi: http://support.microsoft.com/default.aspx?kbid=826234

 

Okay...Apparently Welchia isn't on my computer...At least that's what the tool says.

I read the documentation you posted, and I didn't find svchost.exe or dllhost.exe in windows/system32/wins. Actually, there wasn't anything in that folder. :\

 

Odd... so you got the same "RPC...Windows is shutting down...NT Authority... yada yada" message as with Blaster, eh?

If you have the MS Security Update CD you could try installing SP1 and critical updates, dunno if that would help at this point.

Maybe it's some new worm? I'll head over to Symantec to do some reading...

[Edit] Have you got any unfamiliar processes running in Task Manager or strange new msconfig/startup entries?

 

Interesting that you mentioned that. I just looked at my task manager and noticed a well disguised svchost.exe...err, well, it's actually like this: SVCH0ST.exe *note* that's not the letter O, it's the number 0. Damn 1337 freaks.

I ended the process and it popped back in 3 times before it finally died. It surprised me that it didn't initiate a shutdown...

Other than that I don't see any thing else out of the ordinary.

 

OK, that gives us something to go on, what folder is that file in?

 

I did a complete reinstall the other day. I was doing the Update and all of a sudden. I got the message that my comp was gonna shut down. So I quick ran taskman and saw "teekids.exe" running. Then I ran msconfig and disabled it from startup. I did it before it rebooted. When it rebooted, I reinstalled Avast, ran it, went online and updated it, and deleted what it found. No recurrences.

Forgot all about that crap.

 

Every time a try to install Norton, AVG, or PCchillin half way throu settup closes levving all the settup prosseses running and iv wated for an hour to see if it was doing anything.. Iv ben using this http://housecall.trendmicro.com/ donno if it has any thing to do with your prob.

 

It's Gott. I'm posting from my g/f's computer.

As a sort of update, this is what happened today:

I decided a clever little loophole would be to boot into windows 2k, and run an AV program to see if it could detect anything on the XP partition. Luckily enough, it did. It found the SVCH0ST.exe (along with some other superfluous crap) and fixed/deleted it. I don't exactly remember what it did, but it's in the log file that I saved. Unfortunately, I'm having monitor troubles right now, so I'll have to get back to you guys tomorrow sometime with more info on the log files and other things concerning the current status of my efforts. I thank all of you for taking the time to help me, though! I really appreciate it.

If we could still give REP, you better believe I'd be handing it out. I don't come in here often to ask for help, but when I do, I like to know that people are going to be quick to assist me. I really appreciate it.

 

I hate to revive a thread from the second page, but I figured I'd let the people that helped me in on my current state of affairs.

Okay, the monitor troubles ended up driving me more crazy than the virus I had (a little more on the problem I was having in a bit) so I ended up doing a few partition adjustments and re-installing XP again.

The partition adjustment consisted of deleting an old 2k partition, and expanding my XP partition to encompass the space taken by 2k. I now have 2 partitions; 13 gigs for my OS and crucial system files, and things pertaining to the operation of my computer, and 62 gigs for mp3's, games, videos, etc. Guess where my priorities are.

Now, on to the monitor problem. My monitor problems go back to the discussion between myself and fw190. My problem is obvious, and I have no doubt that the procedure outlined by fw190 is the way to cure it, but the only problem was getting the damn monitor open...I almost took a baseball bat to it. No lie.

Anyway, the monitor used to just distort the picture, and shut off for about five seconds. But since I brought it up to school with me, it worked for a day, and decided to not even come on at all the next. This posed a significant problem for me because I had no idea how I was going to change the resolution that fit my 17" monitor (1280x1024) back to a resolution that I could use on my 15" (1024x768). It was out of sheer frustration that I said screw it and re-installed XP.

So, right now I'm installing the most recent updates and service packs for XP, and rocking on a completely fresh install. It feels nice.