What can I do about an Apparent Virus Shutting Down Programs???

Posted on 2004-03-30
Medium Priority
Last Modified: 2010-04-11
My computer appears to have one or more viruses. I have downloaded and run several of the Symantec virus killers including WormBlast. Yet I still get the NT Authority\System shutdown screen every session. I have learned how to deactivate that, thank goodness.

I have been attempting to run Norton Anti Virus 2004 for several days but the virus (I think) keeps closing the program after only 10-20 seconds. Same thing happens on other antivirus programs.

What can be done? I tried running NAV 2004 in Safe Mode but it wouldn't open.
Question by: mpwineca
LVL 44

Assisted Solution

CrazyOne earned 300 total points
ID: 10718386
What You Should Know About the Blaster Worm and Its Variants

first do this

Start > Run services
Double Click on Remote Procedure Call (RPC)
Click the Recovery tab
Set all three failure boxes to "Take No Action"

Then open the task manager Start > Run taskmgr and under the Processes tab look for msblaster.exe and if you find it end the task.


Removal tool


W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch your computer against the DCOM RPC vulnerability.

Click here http://securityresponse.symantec.com/avcenter/security/Content/8205.html for more information on the vulnerability being exploited by this worm and to find out which Symantec products can help mitigate risk from this vulnerability

Restarting the computer in Safe mode or ending the Worm process
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry, http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617 " for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:


In the right pane, delete the value:

"windows auto update"="msblast.exe"

Exit the Registry Editor.

Now apply the patch
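
The indicators named in the post above (the msblast.exe/msblaster.exe process, the "windows auto update" registry value, and TCP 135, TCP 4444 and UDP 69) can be checked against saved command output. This is an added example, not part of the original thread; the function names, the constructed sample output and the placeholder registry key are assumptions, and the inputs are assumed to come from `tasklist /fo csv /nh`, a `.reg` export and `netstat -an`.

```python
import csv
import re

# Indicators named in the post above; the sample inputs below are constructed.
WORM_IMAGES = {"msblast.exe", "msblaster.exe"}
RUN_NAME, RUN_DATA = "windows auto update", "msblast.exe"
WATCH_PORTS = {("TCP", 135), ("TCP", 4444), ("UDP", 69)}

def worm_processes(tasklist_csv):
    """Match image names in `tasklist /fo csv /nh` output; return (image, pid)."""
    rows = csv.reader(tasklist_csv.strip().splitlines())
    return [(r[0], int(r[1])) for r in rows
            if len(r) >= 2 and r[0].lower() in WORM_IMAGES]

def worm_run_values(reg_export):
    """Scan exported .reg text; return (key, name, data) for the worm's value."""
    key, hits = None, []
    for line in map(str.strip, reg_export.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.fullmatch(r'"([^"]*)"="(.*)"', line)
        if m and (m.group(1).lower() == RUN_NAME or RUN_DATA in m.group(2).lower()):
            hits.append((key, m.group(1), m.group(2)))
    return hits

def bound_watch_ports(netstat_an):
    """Return watched ports that are listening (TCP) or bound (UDP) in `netstat -an`."""
    found = set()
    for f in map(str.split, netstat_an.splitlines()):
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue
        if f[0] == "TCP" and f[-1] != "LISTENING":
            continue  # skip established/outbound connections
        port = int(f[1].rsplit(":", 1)[1])
        if (f[0], port) in WATCH_PORTS:
            found.add((f[0], port))
    return sorted(found)

# Constructed samples; the key name is a placeholder (the post omits the path).
TASKLIST = '"svchost.exe","812","Console","0","3,420 K"\n"msblast.exe","1620","Console","0","4,912 K"'
REG = '[PLACEHOLDER_KEY]\n"windows auto update"="msblast.exe"\n"SomeTool"="C:\\\\Tools\\\\tool.exe"'
NETSTAT = """  Proto  Local Address    Foreign Address    State
  TCP    0.0.0.0:135      0.0.0.0:0          LISTENING
  TCP    0.0.0.0:4444     0.0.0.0:0          LISTENING
  TCP    10.0.0.5:1045    10.0.0.9:139       ESTABLISHED
  UDP    0.0.0.0:69       *:*"""

if __name__ == "__main__":
    print(worm_processes(TASKLIST), worm_run_values(REG), bound_watch_ports(NETSTAT))
```

TCP 135 normally listens on a Windows machine, so its presence in the result marks a port to filter at the firewall rather than proof of infection.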
LVL 11

Accepted Solution

ghana earned 450 total points
ID: 10718443
You have to install the necessary operating system patches to avoid system shutdown:

This patch will fix different RPC vulnerabilities that are exploited by the Blaster variants. After that you should search for other viruses on your computer to enable normal operation of Norton AntiVirus.

For example you can try one of the following online scanners to check your computer for viruses:

Author Comment

ID: 10718627
I have already installed the patch (039) once or twice and I am still getting the NT Shutdown screen. In my last attempt to run Norton, I was given an error message that the Norton installation was now CORRUPT and that I needed to uninstall and reinstall it.

Should I try the Housecall or Panda programs before uninstalling NAV?

Should I turn off System Restore before doing anything more?

LVL 44

Expert Comment

ID: 10718660
Click Start, and then click Control Panel.
In Control Panel, click Performance and Maintenance, and then click Power Options.
Click the APM tab.
Check to select the Enable Advanced Power Management Support check box, and then click OK.


And this MS KB

"It is Now Safe to Turn Off Your Computer" Error Message When You Try to Shut Down Your Computer

Quoted from the http://www.aumha.org/a/shtdwnxp.htm link

“Powerdown issues” are quite distinctive from “shutdown issues.” I define a shutdown problem as one wherein Windows doesn’t make it at least to the “OK to shut off your computer” screen. If Windows gets that far, or farther, then it has shut down correctly. However, the computer may not powerdown correctly after that. This is a different problem, and I encourage people reporting these issues to make a clear distinction in their labeling.

When Windows XP won’t powerdown automatically, the APM/NT Legacy Power Node may not be enabled. To enable this, right-click on the My Computer icon, click Properties | Hardware | Device Manager | View. Check the box labeled “Show Hidden Devices.” If it’s available on your computer, there will be a red X on the APM/NT Legacy Node. Try enabling it and see if this resolves the powerdown problem (Tip from Terri Stratton). Or, to check the other side of the APM/ACPI coin, open the Power Options applet in Control Panel. If there is an APM tab, make sure the “Enable Advanced Power Management Support” box is checked. (MSKB 313290)

This should resolve the powerdown issue in most cases. However, other factors can sometimes interfere with correct powerdown functioning. In that case, consider the following tips:

Author Comment

ID: 10718721
Thanks, CrazyOne. It is obvious that I am not being successful in defining the problem. I do not have a powerdown or shutdown issue as you define it. I just can't run my programs because they will open for only 10-20 seconds (NAV in particular, but REGEDIT is another one that does the same thing) then close on their own.
LVL 44

Expert Comment

ID: 10720323
Then you have a very nasty virus that may require reformatting.

try this

OK, copy the following into Notepad and save the file with the REG extension. Then go to where you saved it and double-click on it.


"Content Type"="application/x-msdownload"




@="\"%1\" %*"




LVL 44

Expert Comment

ID: 10720326
Do this in Safe mode and see if you can run your virus scanner.

Also try this

McAfee has a utility that is aimed at removing the virus and fixing the registry.

BackDoor-AQJ, Bat/Mumu.worm, Exploit-DcomRpc, IPCScan, IRC/Flood.ap, IRC/Flood.bi, IRC/Flood.cd, NTServiceLoader, PWS-Sincom, W32/Bugbear@MM, W32/Deborm.worm.gen, W32/Dumaru@MM, W32/Elkern.cav, W32/Fizzer.gen@MM, W32/FunLove, W32/Klez, W32/Lirva, W32/Lovgate, W32/Lovsan.worm, W32/Mimail@MM, W32/MoFei.worm, W32/Mumu.b.worm, W32/Nachi.worm, W32/Nimda, W32/Sdbot.worm.gen, W32/SirCam@MM, W32/Sobig, W32/SQLSlammer.worm, W32/Yaha@MM

Author Comment

ID: 10725917
Thanks for all the comments. I ran both HouseCall and Stinger. Turns out I had the AGOBOT worm virus. Cleaned it out. Reinstalled the patches from Microsoft but the problem is still present. Still get the NT AUTHORITY/SYSTEM shutdown warning.

In addition, I am now unable to use my printer. When I hit the PRINT command I get an error message that states:

"RPC Server Unavailable. Cannot run iKernel.exe."

What next??

Question has a verified solution.
