Solved

LOST THE ABILITY TO COPY, PASTE OR DELETE.

Posted on 2003-11-12
Last Modified: 2008-03-06
I lost the ability to copy files then paste them somewhere else in the system. I also can't delete files. If I can delete a file, it is one at a time, then the system stalls, then the desktop refreshes, then I can continue.
I have not added any drivers or programs but did let Norton do an Optimization and noticed this a couple of days later.
I run XP Pro.
Thanks
John
0
Comment
Question by:jdynan
13 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9733045
It is a worm that causes this problem

What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

first do this

Start > Run services
Double Click on Remote Procedure Call (RPC)
Click the Recovery tab
Set all three failure boxes to "Take No Action"

Then open the task manager Start > Run taskmgr and under the Processes tab look for msblaster.exe and if you find it end the task.

then

Removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Download
http://securityresponse.symantec.com/avcenter/FixBlast.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch your computer against the DCOM RPC vulnerability.

Click here http://securityresponse.symantec.com/avcenter/security/Content/8205.html for more information on the vulnerability being exploited by this worm and to find out which Symantec products can help mitigate risk from this vulnerability

Restarting the computer in Safe mode or ending the Worm process
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry, http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617 " for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"

Exit the Registry Editor.


Now apply the patch
0
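
The manual checks in the post above (Task Manager, the Run key, the ports to block), as an added read-only example that is not part of the original post. It assumes PowerShell is available on the machine and that `netstat` prints English state names; it reports findings and changes nothing.

```powershell
# Added example: read-only triage for the Blaster indicators named in the post.
$findings = @()

# 1. Process check. The quoted Symantec text names msblast.exe; the post's
#    first mention spells it msblaster.exe, so look for both.
foreach ($name in 'msblast', 'msblaster') {
    foreach ($proc in @(Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        $findings += "Process running: $($proc.ProcessName) (PID $($proc.Id))"
    }
}

# 2. Autorun check: the Run key and value quoted in the post.
$runKey = Get-Item -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($valueName in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($valueName)
        if ($valueName -eq 'windows auto update' -or $data -match 'msblast') {
            $findings += "Run value: '$valueName' = '$data'"
        }
    }
}

# 3. Listener check for the ports the post says to block. TCP 135 is left out
#    because the Windows RPC endpoint mapper normally listens there.
foreach ($line in @(netstat -ano)) {
    if ($line -match '^\s*TCP\s+\S+:4444\s+\S+\s+LISTENING' -or
        $line -match '^\s*UDP\s+\S+:69\s') {
        $findings += "Listener: $($line.Trim())"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Blaster indicators from the post were found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND  $_" }
}
```

A clean result only rules out the indicators listed in this thread; it says nothing about other causes of the symptoms.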
 

Author Comment

by:jdynan
ID: 9735915
Thanks for getting back. I will try what you say tomorrow as my email goes home and the problem is at work.
I have only one question on your directions and of course it's the first set of directions:
Start > Run services
Double Click on Remote Procedure Call (RPC)
Click the Recovery tab
Set all three failure boxes to "Take No Action"

I don't understand the Run services and can't find the RPC.

The rest of the instructions seem fine.
Thanks again.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9735925
Umm disregard that for now and we will revisit it if need be.
0
 
LVL 7

Expert Comment

by:AlexJ
ID: 9735990

Hi
1. First of all it's Start->Run->Services.msc and not Run services

2. do these steps:
  start->Run->MSCONFIG
  click selective startup
  uncheck load startup items
  Hit Apply and Close
  Reboot

If problem goes away, it means one of the startup items which U disabled was the culprit
I know one such program and it is QuickFind Manager

0
 

Author Comment

by:jdynan
ID: 9739477
Thanks to Crazy One and Alex J.

Following the directions I did not find the MsBlaster.exe on the system. Tried the start up Alex suggested by unchecking the 4 blocks but it had no effect.

Sorry to be a  bother but I am trying my best not to reboot the system to correct.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9740384
Did you apply the patch though? You will have to reboot to see any of this stuff works. So how do you know AlexJ's suggestion didn't work? You won't know until you reboot.
0

 

Author Comment

by:jdynan
ID: 9741071
I did not run the patch but with your prompting I just completed the process.
I turned Sys Restore off.
Downloaded and ran fixblast.exe and none were found.
During this and the following procedures the sys was rebooted several times.
I reinstalled Norton System Works 2003 and ran all the live updates.
I also ran Anti-Virus and none were found.
Ran Win Doctor and no errors were found.
I have always installed the MS updates when available.
I just ran the latest update after turning System Restore back on.

It really is a strange problem.  I am able to do some copy and pasting but after any, say deleting of files, if I were to try to copy or do another delete the hour glass cursor shows up and after about 20 sec the screen refreshes but I still can't move say programs. I tried to move fixblast.exe from My Documents to another folder as a test and the problem shows up.

I hope that this is more helpful.
Thanks again for listening
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9741208
Umm perhaps we are dealing with some spyware

Check for adware and spyware

spybot here
http://spybot.safer-networking.de/
Download
http://spybot.safer-networking.de/index.php?lang=en&page=download

AdAware
http://www.lavasoftusa.com/

Spycop:
http://www.spycop.com/

BHODemon and Hijack This and Browser Hijack Blaster
http://www.spywareinfo.com/downloads.php?cat=sp#det
BHODemon | Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. This program is my choice for BHO detection and is highly recommended.

Browser Hijack Blaster | Running silently in the background, Browser Hijack Blaster only springs into action when an attempt is made. It watches and protects the following items: IE Homepage, IE Default Page, IE Search Page, BHOs. Whenever one of the above items is changed, or a BHO is added, you are immediately provided with information on the item, along with the option to keep the change, or revert to your previous settings.

Hijack This | Written by a member of our support forums and based on our Hijacked! article, this program scans the locations in your computer system that may be modified by browser hijackers and fixes any problems found. An easy-to-understand tutorial is available at TomCoyote.org.

General and overall information about Spy/Adware
http://www.cexx.org/adware.htm
0
 

Author Comment

by:jdynan
ID: 9741446
You're a trooper to stick with this.
I ran Ad-Aware yesterday and it found 26 "somethings" so they were quarantined and deleted. No change.
I did just download and install two of your choices BHO and Hack Blaster.
Neither one suggested any changes and BHO only found three items and all were for normal programs I run.
Sorry no smoking gun.
I am starting to feel that my only choice is a reinstall of xp but I always dread that since, even though I partition my drive it's a pain to get back to where I was.

John
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9743766
Try this first

Start > Run sfc /scannow
0
 
LVL 44

Accepted Solution

by:
CrazyOne earned 250 total points
ID: 9743776
And if that doesn't work instead of doing a fresh install try this instead

Repair
How to Perform an In-Place Upgrade (Reinstallation) of Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;315341

Visual aid to the above procedure
http://www.webtree.ca/windowsxp/repair_xp.htm
Click on How To Run a Repair Install

You May Lose Data or Program Settings After Reinstalling, Repairing, or Upgrading Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;312369

Data Loss May Occur After Reinstalling, Repairing, or Upgrading Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;312368
0
 

Author Comment

by:jdynan
ID: 9744015
Thanks I'll try it on Friday and let you know.

0
 

Author Comment

by:jdynan
ID: 9751832
Thanks to Crazy One.
I tried all the suggestions but I fear that whatever caused the condition was above repair. In desperation I rebooted XP which, of course, wiped the C drive. It was not a big loss thanks to Partition Magic. At least now I can move files around, good thing since I have a budget due on Monday that I could not transfer to a floppy to work on this weekend.
You were a trooper and I just wanted to let you know how much I appreciated your attention.

Alex J did his part and I also extend my thanks to his input.
0
