Solved

What can I do about an Apparent Virus Shutting Down Programs???

Posted on 2004-03-30
8
768 Views
Last Modified: 2010-04-11
My computer appears to have one or more viruses. I have downloaded and run several of the Symatec virus killers including WormBlast. Yet I still get the NT Authority\System shutdown screen every session. I have learned how to deactivate that, thank goodness.

I have been attempting to run Norton Anti Virus 2004 for several days but the virus (I think) keeps closing the program after only 10-20 seconds. Same thing happens on other antivirus programs.

What can be done? I tried running NAV 2004 in Safe Mode but it wouldn't open.
0
Comment
Question by:mpwineca
  • 4
  • 3
8 Comments
 
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 100 total points
ID: 10718386
What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

first do this

Start > Run services
Double Click on Remote Procedure Call (RPC)
Click the Recovery tab
Set all three failure boxes to "Take No Action"

Then open the task manager Start > Run taskmgr and under the Processes tab look for msblaster.exe and if you find it end the task.

then

Removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Download
http://securityresponse.symantec.com/avcenter/FixBlast.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applicaitons listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch you computer against the DCOM RPC vulnerability.

Click here http://securityresponse.symantec.com/avcenter/security/Content/8205.html for more information on the vulnerability being exploited by this worm and to find out which Symantec products can help mitigate risk from this vulnerability

Restarting the computer in Safe mode or ending the Worm process
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry, http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617 " for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"

Exit the Registry Editor.


Now apply the patch
0
 
LVL 11

Accepted Solution

by:
ghana earned 150 total points
ID: 10718443
You have to install the necessary operating system patches to avoid system shutdown:
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

This patch will fix different RPC vulnerabilities that are exploited by the Blaster variants. After that you should search for other viruses on your computer to enable normal operation of Norton AntiVirus.

For example you can try one of the following online scanners to check your computer for viruses:
http://housecall.trendmicro.com
http://www.pandasoftware.com/activescan
0
 

Author Comment

by:mpwineca
ID: 10718627
I have already installed the patch (039) once or twice and I am still getting the NT Shutdown screen. In my last attempt to run Norton, I was given an error message that the Norton installation was now CORRUPT and that I needed to uninstall and reinstall it.

Should I try the Housecall or Panda programs before uninstalling NAV?

Should I turn off System Restore before doing anything more?
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10718660
Click Start, and then click Control Panel.
In Control Panel, click Performance and Maintenance, and then click Power Options.
Click the APM tab.
Check to select the Enable Advanced Power Management Support check box, and then click OK.

WINDOWS XP
SHUTDOWN & RESTART
TROUBLESHOOTING
http://www.aumha.org/a/shtdwnxp.htm

And this MS KB
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308029

"It is Now Safe to Turn Off Your Computer" Error Message When You Try to Shut Down Your Computer
http://support.microsoft.com/default.aspx?scid=kb;en-us;810903


Quoted from the http://www.aumha.org/a/shtdwnxp.htm link

POWERDOWN ISSUES
“Powerdown issues” are quite distinctive from “shutdown issues.” I define a shutdown problem as one wherein Windows doesn’t make it at least to the “OK to shut off your computer” screen. If Windows gets that far, or farther, then it has shut down correctly. However, the computer may not powerdown correctly after that. This is a different problem, and I encourage people reporting these issues to make a clear distinction in their labeling.

When Windows XP won’t powerdown automatically, the APM/NT Legacy Power Node may not be enabled. To enable this, right-click on the My Computer icon, click Properties | Hardware | Device Manager | View. Check the box labeled “Show Hidden Devices.” If it’s available on your computer, there will be a red X on the APM/NT Legacy Node. Try enabling it and see if this resolves the powerdown problem (Tip from Terri Stratton). Or, to check the other side of the APM/ACPI coin, open the Power Options applet in Control Panel. If there is an APM tab, make sure the “Enable Advanced Power Management Support” box is checked. (MSKB 313290)

This should resolve the powerdown issue in most cases. However, other factors can sometimes interfere with correct powerdown functioning. In that case, consider the following tips:
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:mpwineca
ID: 10718721
Thanks, CrazyOne. It is obvious that I am not being successful in defining the problem. I do not have a powerdown or shutdown issue as you define it. I just can't run my programs because they will open for only 10-20 seconds (NAV in particular but REGEDIT is another one that does the same thing, ) then close on their own.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10720323
Then you have a very nasty virus that may require reformating.

try this

Ok Copy the following into notepad and save the file with the REG extension. Then go to where you saved it and double click on it.

REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:d8,07,00,00

[HKEY_CLASSES_ROOT\exefile\shell]
@=""

[HKEY_CLASSES_ROOT\exefile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{86F19A00-42A0-1069-A2E9-08002B30309D}]
@=""

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10720326
DO this in Safe mode and see if you can run your virus scanner

Also try this

McAffee has utility that is aimed at removing the virus and fixing the registry

Stinger
BackDoor-AQJ, Bat/Mumu.worm, Exploit-DcomRpc, IPCScan, IRC/Flood.ap, IRC/Flood.bi, IRC/Flood.cd, NTServiceLoader, PWS-Sincom, W32/Bugbear@MM, W32/Deborm.worm.gen, W32/Dumaru@MM, W32/Elkern.cav, W32/Fizzer.gen@MM, W32/FunLove, W32/Klez, W32/Lirva, W32/Lovgate, W32/Lovsan.worm, W32/Mimail@MM, W32/MoFei.worm, W32/Mumu.b.worm, W32/Nachi.worm, W32/Nimda, W32/Sdbot.worm.gen, W32/SirCam@MM, W32/Sobig, W32/SQLSlammer.worm, W32/Yaha@MM
http://vil.nai.com/vil/stinger/
0
 

Author Comment

by:mpwineca
ID: 10725917
Thanks for all the comments. I ran both HouseCall and Stinger. Turns out I had the AGOBOT worm virus. Cleaned it out. Reinstalled the patches from Microsoft but the problem is still present. Still get the NT AUTHORITY/SYSTEM shutdown warning.

In addition, I am now unable to use my printer. When I hit the PRINT command I get an error message that states:

"RPC Server Unavailable. Cannot run iKernel.exe."

What next??
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now