January 18th, 2004, 07:45 PM
[OT] Info on pseudo-Blaster worm or variant?
I have had nothing but trouble since I replaced my motherboard and processor. I have all the symptoms of the Blaster worm, except for some (not so) minor exceptions: I did install the Blaster patch; no anti-virus (even online ones) or anti-trojan picks up any trace of the bug, including Symantec's FixBLast.exe; and there are none of the files or registry entries typically associated with the Blaster bug or any of its variants.
What I did have is something like the following: RPC errors and forced shutdowns when online, at least until I changed the default setting to "Take No Action"; General Host Process errors, generally five minutes after going online (but sometimes up to an hour after); inability to copy/paste; IE will not open new windows or open links which are off-site from the current page; Outlook hangs while loading; and a number of other minor annoyances. I have posted for help on www.techguy.org and searched their forums for any related issues. I read that enabling the native Windows firewall might help (I already run McAfee anti-virus and firewall), so I did that.
Since then, my display driver became convinced that its highest setting was 1280x720x32 (nice squished rectangle with fat black bands across the top and bottom of the monitor--this took uninstalling and reinstalling the driver to persuade it to cooperate, and I haven't rebooted since) and the Explorer.exe process has taken a liking to crashing (erases most of the System Tray icons, closes any open "My Computer" windows, and occasionally ends IE) every so often, about as often as I had the "Generic Host Process" errors.
I still can't find anything wrong. I'll post my HijackThis or SpyBot S&D logs if anyone thinks they'll help (already did that at techguy forums). Does anyone have any info on what could possibly be wrong or how to find out?
Thanks in advance,
A very frustrated Krsqk
__________________
The Unpronounceable Krsqk
"Well, sir, at the moment my left processor doesn't know what my right is doing." - Freefall

January 18th, 2004, 07:55 PM
Re: [OT] Info on pseudo-Blaster worm or variant?
Have you tried doing a repair install of Windows? Do you have all the latest drivers for your net chipset & MB?
__________________
Hard Work Often Pays Off After Time, BUT Laziness Always Pays Off Now.

January 18th, 2004, 08:02 PM
Re: [OT] Info on pseudo-Blaster worm or variant?
By the way, what Windows are you running? If you have ME or 98, you may have an IRQ conflict. When you installed your new MB, did you assign the PCI slots to specific IRQs or leave it at default?
Since the problems started after your hardware upgrade, that's probably where the problem lies.
__________________
Hard Work Often Pays Off After Time, BUT Laziness Always Pays Off Now.

January 18th, 2004, 08:12 PM
Re: [OT] Info on pseudo-Blaster worm or variant?
Sorry. Didn't think anyone would need basic information such as what OS I'm running.
I'm running WinXP Home. Everything was left on default settings (auto-detect). The only thing I've done is disable on-board sound/modem/LAN. (The on-board video was better than my old 8MB PCI card, so I kept it.)
Now that I think about it, though, I did have this happen once before my MB and old modem died. This Windows install was a brand new one, though, and on a brand-new HD. I didn't even import settings--that was a pain in the neck last time I tried it, so I didn't bother with it this time.
I haven't tried a repair install, mainly because the sfc /scannow command didn't find any problems with Windows files.
[ January 18, 2004, 18:13: Message edited by: Krsqk ]
__________________
The Unpronounceable Krsqk
"Well, sir, at the moment my left processor doesn't know what my right is doing." - Freefall

January 19th, 2004, 04:14 AM
Re: [OT] Info on pseudo-Blaster worm or variant?
With XP, IRQ conflicts are all but nonexistent. The first step would probably be to make sure you have all the latest drivers, including for your new MB & Windows all updated. Then make sure your Anti-Virus is up-to-date.
__________________
Hard Work Often Pays Off After Time, BUT Laziness Always Pays Off Now.

January 19th, 2004, 07:08 AM
Re: [OT] Info on pseudo-Blaster worm or variant?
Sounds like your OS is having a conflict. Let me guess, you bought an AMD CPU, right?
Some installations of Windows on AMD MBs and CPUs cause problems like this. If not an AMD, then perhaps just a bad OS.
Good luck, we have all been there.
__________________
Creator of the Star Trek Mod - AST Mod - 78 Ship Sets - Conquest Mod - Atrocities Star Wars Mod - Galaxy Reborn Mod - and Subterfuge Mod.

January 19th, 2004, 10:16 PM
Re: [OT] Info on pseudo-Blaster worm or variant?
Nope, it's a P4 2.0 GHz, and I had WinXP on the previous install. All drivers/virus scans up to date as well. However, between running both the native Windows firewall and ZoneAlarm, as well as three anti-spyware programs, I've managed to keep the errors from happening again yet (1 1/2 days and still counting). I've had a couple of Explorer crashes, but nothing like it was before.
I just wish I could find out what the error was. I never got a (helpful) response on techguy.org--very disappointing for a site that's always been helpful before.
__________________
The Unpronounceable Krsqk
"Well, sir, at the moment my left processor doesn't know what my right is doing." - Freefall

January 20th, 2004, 01:19 AM
Re: [OT] Info on pseudo-Blaster worm or variant?
I stopped using ZoneAlarm as it was causing too many crashes. I started using Sygate instead.
Go into Control Panel - Administrative Tools - Event Viewer. It will tell you what software is creating the error.
__________________
Hard Work Often Pays Off After Time, BUT Laziness Always Pays Off Now.

January 20th, 2004, 04:14 AM
Re: [OT] Info on pseudo-Blaster worm or variant?
I'm getting the forced shutdowns too; how DO you stop them? Sorry, I'd explain more but I have 15 sec left!!!!
edit: OK, the system rebooted and I'm back... fortunately this hasn't happened too far into any pbw turns!
What I meant to ask is, how do you disable the "shutdown on RPC error"?
More info that might help... I scanned my system with a free virus scanner (AntiVir Free Edition) and it found LoveSan or some such virus; it said the file c:\windows\system\msrc.exe or somesuch (maybe it was system32, or msfc) was infected, and I did find a registry entry (using FreshDiagnose) that was loading that file on startup - dunno if it's a real Microsoft file or not, but I deleted the entry and it hasn't made things any worse. I did recently reformat my c: partition because I was having other troubles which seemed to be a virus, but either I got reinfected online or from my other partition where I kept most of my data and applications. (Maybe I need more partitions so I can eliminate them one by one instead of all the data/apps/games/etc. all at once... but then it's a pain to resize them when they've already got data...)
[ January 20, 2004, 02:32: Message edited by: Ed Kolis ]
__________________
The Ed draws near! What dost thou deaux?

January 20th, 2004, 05:56 AM
Re: [OT] Info on pseudo-Blaster worm or variant?
1) While disconnected, open Control Panel -> Administrative Tools -> Services.
2) Find the Remote Procedure Call process and right-click on it and select Properties. [Note: there is also a Remote Procedure Call Locator process--the one you want should be right above it.]
3) Select the Recovery tab and change each of the first three drop boxes to "Take No Action." Click OK and exit out to desktop.
4) Go online to http://securityresponse.symantec.com...oval.tool.html and download the FixBLast.exe Blaster worm removal tool. Follow the instructions for its use (may need to reboot and run in Safe Mode once, then reboot and run again in Normal Mode). Do not forget to disable System Restore before running the utility--future restores may bring back the worm. (Instructions for disabling System Restore available here.)
5) [Optional, but recommended, step]. Enable the Windows firewall (or another firewall, such as ZoneAlarm). This should prevent any remaining worms/trojans from accessing the Internet and allow you to complete your download in (relative) peace.
6) Go to Windows Update and download any security patches/critical updates/hotfixes they have for you.
7) You may also wish to navigate to http://grc.com/freepopular.htm and check out the DCOMbobulate and UnPNP freeware that is available there, as well as many other nifty (and tiny) progs. They tend to disable many security holes M$ left enabled for all us home-based end-users who want to feel like corporate network administrators and computer programmers all rolled into one.
8) Oh, and once you're finished, go back and restore the original RPC service settings, or at least change it to "Restart Service."
[ January 20, 2004, 04:12: Message edited by: Krsqk ]
__________________
The Unpronounceable Krsqk
"Well, sir, at the moment my left processor doesn't know what my right is doing." - Freefall
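
The Recovery tab settings changed in step 3 and restored in step 8 are stored as the `FailureActions` binary value under the service's registry key (`HKLM\SYSTEM\CurrentControlSet\Services\RpcSs` for Remote Procedure Call). The following is an added example, not part of the original post: it decodes such a value and reports whether a service failure would force a reboot. It assumes the usual layout of a 20-byte header followed by little-endian (type, delay) pairs; the sample blobs and the `audit` and `build` helpers are constructed for illustration.

```python
import struct

# SC_ACTION type codes from the Windows service API, with descriptive labels.
ACTIONS = {0: "Take No Action", 1: "Restart the Service",
           2: "Restart the Computer", 3: "Run a Program"}
HEADER = struct.Struct("<5I")   # reset period, 2 unused pointers, count, offset
ENTRY = struct.Struct("<2I")    # action type, delay in milliseconds


def parse_failure_actions(blob):
    """Decode a FailureActions value into (reset_s, [(action, delay_ms)])."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than the 20-byte header")
    reset_s, _msg, _cmd, count, _offset = HEADER.unpack_from(blob)
    if len(blob) < HEADER.size + count * ENTRY.size:
        raise ValueError("blob truncated: %d actions declared" % count)
    actions = []
    for i in range(count):
        kind, delay_ms = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        actions.append((ACTIONS.get(kind, "Unknown (%d)" % kind), delay_ms))
    return reset_s, actions


def audit(blob):
    """Classify the recovery policy against the steps in the post."""
    _reset, actions = parse_failure_actions(blob)
    names = [name for name, _ in actions]
    if "Restart the Computer" in names:
        return "reboot-on-failure"      # a service crash forces a shutdown
    if all(n == "Take No Action" for n in names):
        return "no-recovery"            # step 3 state; restore per step 8
    return "recovers-without-reboot"


def build(reset_s, entries):
    """Build a constructed sample blob from (type, delay_ms) pairs."""
    body = b"".join(ENTRY.pack(k, d) for k, d in entries)
    return HEADER.pack(reset_s, 0, 0, len(entries), HEADER.size) + body


# Constructed samples, not captured from a real machine.
REBOOT = build(0, [(2, 60000)] * 3)
STEP3 = build(0, [(0, 0)] * 3)
STEP8 = build(86400, [(1, 60000)] * 3)

if __name__ == "__main__":
    for label, blob in [("reboot", REBOOT), ("step 3", STEP3), ("step 8", STEP8)]:
        print(label, audit(blob), parse_failure_actions(blob)[1])
```

A result of `no-recovery` on a machine that has finished cleanup means step 8 was skipped.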