Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

windows 2000 cut/paste and drag/drop not working after a few minutes of use

Posted on 2003-11-09
7
563 Views
Last Modified: 2010-04-13
I am currently experiencing problems with my windows 2000 sp3 cut and paste/ drag and drop.

Everytime I reboot everything is fine but after a few minutes of use the cut and paste and drag and drop capabilities no longer work.

Any help would be greatly appreciated.
0
Comment
Question by:lqtox
  • 3
  • 2
  • 2
7 Comments
 
LVL 44

Accepted Solution

by:
CrazyOne earned 100 total points
ID: 9712504
I think you may have a variant of the blaster worm

first do this

What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

Start > Run services
Double Click on Remote Procedure Call (RPC)
Click the Recovery tab
Set all three failure boxes to "Take No Action"

Then open the task manager Start > Run taskmgr and under the Processes tab look for msblaster.exe and if you find it end the task.

then

Removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Download
http://securityresponse.symantec.com/avcenter/FixBlast.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applicaitons listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch you computer against the DCOM RPC vulnerability.

Click here http://securityresponse.symantec.com/avcenter/security/Content/8205.html for more information on the vulnerability being exploited by this worm and to find out which Symantec products can help mitigate risk from this vulnerability.

...


technical details

When W32.Blaster.Worm is executed, it does the following:

Creates a Mutex named "BILLY". If the mutex exists, the worm will exit.

Adds the value:

"windows auto update"="msblast.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

Calculates the IP address, based on the following algorithm, 40% of the time:

Host IP: A.B.C.D

sets D equal to 0.

if C > 20, will subtract a random value less than 20.

Once calculated it will start attempting to exploit the computer based on A.B.C.0 and count up.

NOTE: This means the Local Subnet will become saturated with port 135 requests prior to exiting the local subnet.

Calculates the IP address, based on many random numbers, 60% of the time:

A.B.C.D

set D equal to 0.

sets A, B, and C to random values between 0 and 255.

Sends data on TCP port 135 that may exploit the DCOM RPC vulnerabilty to allow the following actions to occur on the vulnerable computer:

Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

NOTE: Due to the randomness with how it constructs the exploit data, it may cause computers to crash if it sends incorrect data.

Listens on UDP port 69. When it recieves a request, it will send back the Msblast.exe binary.

Sends the commands to the remote computer to connect back to the infected host and download and run the Msblast.exe.

If the current month is after August, or if the current date is after the 15th it will perform a denial of service on "windowsupdate.com"

With the current logic, the worm will activate the Denial of Service attack on the 16th of this month, and continue until the end of the year.

The worm contains the following text which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

...

Restarting the computer in Safe mode or ending the Worm process
Windows 95/98/Me
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry, http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617 " for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"

Exit the Registry Editor.


Now apply the patch
0
 
LVL 1

Author Comment

by:lqtox
ID: 9712543
Thanks for the fast response.  But unfortunately I wasn't able to find any presence of the blaster worm ... any other ideas? Thanks.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9712549
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 49

Expert Comment

by:sunray_2003
ID: 9712551
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9712566
Well have you applied the patch? the problem your are having is indicative of the Blaster or one of its variants

Also try this

Start > Run sfc /scannow
0
 
LVL 1

Author Comment

by:lqtox
ID: 9716590
Hi,

Thanks for the links sunray.  

Crazyone, I applied the patch and also ran sfc and rebooted.  Looks like the problem may be solved :)  Thanks!
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9716630
You are welcome. :)
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows 2003 Terminal Server licenses 3 357
Windows 2000 Sever Lab Setup 1 684
Domain dunctional level. 4 323
removing broke domain controller...then upgrading to MS Win 2K12 6 399
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
ConnectWise and their customers need to ensure critical alerts automatically reach the right person at the right time. MSP superheros efficiently respond to these alerts key is providing automatic, intelligent alerting that generates a complete audi…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question