Solved

What can I do about an Apparent Virus Shutting Down Programs???

Posted on 2004-03-30
8
778 Views
Last Modified: 2010-04-11
My computer appears to have one or more viruses. I have downloaded and run several of the Symantec virus killers including WormBlast. Yet I still get the NT Authority\System shutdown screen every session. I have learned how to deactivate that, thank goodness.

I have been attempting to run Norton Anti Virus 2004 for several days but the virus (I think) keeps closing the program after only 10-20 seconds. Same thing happens on other antivirus programs.

What can be done? I tried running NAV 2004 in Safe Mode but it wouldn't open.
0
Comment
Question by:mpwineca
8 Comments
 
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 100 total points
ID: 10718386
What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

first do this

Start > Run services
Double Click on Remote Procedure Call (RPC)
Click the Recovery tab
Set all three failure boxes to "Take No Action"

Then open the task manager Start > Run taskmgr and under the Processes tab look for msblaster.exe and if you find it end the task.

then

Removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Download
http://securityresponse.symantec.com/avcenter/FixBlast.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch your computer against the DCOM RPC vulnerability.

Click here http://securityresponse.symantec.com/avcenter/security/Content/8205.html for more information on the vulnerability being exploited by this worm and to find out which Symantec products can help mitigate risk from this vulnerability.

Restarting the computer in Safe mode or ending the Worm process
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry, http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617 " for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"

Exit the Registry Editor.


Now apply the patch
0
 
LVL 11

Accepted Solution

by:ghana
ghana earned 150 total points
ID: 10718443
You have to install the necessary operating system patches to avoid system shutdown:
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

This patch will fix different RPC vulnerabilities that are exploited by the Blaster variants. After that you should search for other viruses on your computer to enable normal operation of Norton AntiVirus.

For example you can try one of the following online scanners to check your computer for viruses:
http://housecall.trendmicro.com
http://www.pandasoftware.com/activescan
0
 

Author Comment

by:mpwineca
ID: 10718627
I have already installed the patch (039) once or twice and I am still getting the NT Shutdown screen. In my last attempt to run Norton, I was given an error message that the Norton installation was now CORRUPT and that I needed to uninstall and reinstall it.

Should I try the Housecall or Panda programs before uninstalling NAV?

Should I turn off System Restore before doing anything more?
0

 
LVL 44

Expert Comment

by:CrazyOne
ID: 10718660
Click Start, and then click Control Panel.
In Control Panel, click Performance and Maintenance, and then click Power Options.
Click the APM tab.
Check to select the Enable Advanced Power Management Support check box, and then click OK.

WINDOWS XP SHUTDOWN & RESTART TROUBLESHOOTING
http://www.aumha.org/a/shtdwnxp.htm

And this MS KB
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308029

"It is Now Safe to Turn Off Your Computer" Error Message When You Try to Shut Down Your Computer
http://support.microsoft.com/default.aspx?scid=kb;en-us;810903


Quoted from the http://www.aumha.org/a/shtdwnxp.htm link

POWERDOWN ISSUES
“Powerdown issues” are quite distinctive from “shutdown issues.” I define a shutdown problem as one wherein Windows doesn’t make it at least to the “OK to shut off your computer” screen. If Windows gets that far, or farther, then it has shut down correctly. However, the computer may not powerdown correctly after that. This is a different problem, and I encourage people reporting these issues to make a clear distinction in their labeling.

When Windows XP won’t powerdown automatically, the APM/NT Legacy Power Node may not be enabled. To enable this, right-click on the My Computer icon, click Properties | Hardware | Device Manager | View. Check the box labeled “Show Hidden Devices.” If it’s available on your computer, there will be a red X on the APM/NT Legacy Node. Try enabling it and see if this resolves the powerdown problem (Tip from Terri Stratton). Or, to check the other side of the APM/ACPI coin, open the Power Options applet in Control Panel. If there is an APM tab, make sure the “Enable Advanced Power Management Support” box is checked. (MSKB 313290)

This should resolve the powerdown issue in most cases. However, other factors can sometimes interfere with correct powerdown functioning. In that case, consider the following tips:
0
 

Author Comment

by:mpwineca
ID: 10718721
Thanks, CrazyOne. It is obvious that I am not being successful in defining the problem. I do not have a powerdown or shutdown issue as you define it. I just can't run my programs because they will open for only 10-20 seconds (NAV in particular, but REGEDIT is another one that does the same thing), then close on their own.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10720323
Then you have a very nasty virus that may require reformatting.

try this

OK, copy the following into Notepad and save the file with the REG extension. Then go to where you saved it and double click on it.

REGEDIT4

; Restores the default .exe file association so programs launch directly again
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:d8,07,00,00

[HKEY_CLASSES_ROOT\exefile\shell]
@=""

[HKEY_CLASSES_ROOT\exefile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00

; Default open command: run the file itself, passing through any arguments
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{86F19A00-42A0-1069-A2E9-08002B30309D}]
@=""

; Each .exe shows its own embedded icon
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
0
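Added example, not posted by anyone in this thread: a Python script that parses a REGEDIT4 export like the one above and checks it for the two registry conditions discussed here, an exefile open command that is no longer the stock `"%1" %*` (the association the .reg above restores) and the `"windows auto update"="msblast.exe"` Run value from the Blaster write-up earlier in the thread. The sample export, including the hook.exe path, is constructed for the demonstration.

```python
"""Audit a REGEDIT4 export for the two registry conditions discussed in this thread:
a tampered .exe file association and the Blaster persistence value under Run."""
import re

EXE_OPEN_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DEFAULT_EXE_OPEN = '"%1" %*'  # stock value; anything else intercepts every .exe launch

# Constructed sample export (not from a real machine): the exefile open command has
# been redirected through a hypothetical hook.exe and Blaster's Run value is present.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\hook.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"SomeApp"="C:\\Program Files\\App\\app.exe"
"""


def parse_reg(text):
    """Parse REGEDIT4 text into {key_path: {value_name: data}}; "" is the (Default) value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo the \\ and \" escaping
        keys[current][name] = data  # hex:/dword: data is kept verbatim
    return keys


def audit(keys):
    """Return a list of findings; an empty list means neither condition is present."""
    findings = []
    cmd = keys.get(EXE_OPEN_KEY, {}).get("")
    if cmd is not None and cmd != DEFAULT_EXE_OPEN:
        findings.append(f"exefile open command is not the default: {cmd}")
    for name, data in keys.get(RUN_KEY, {}).items():
        if "msblast.exe" in data.lower():
            findings.append(f"Blaster persistence value under Run: {name!r}={data!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

To audit a real machine, export the two keys with regedit (File > Export) and pass the resulting text to parse_reg instead of SAMPLE_REG.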
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10720326
DO this in Safe mode and see if you can run your virus scanner

Also try this

McAfee has a utility that is aimed at removing the virus and fixing the registry

Stinger
BackDoor-AQJ, Bat/Mumu.worm, Exploit-DcomRpc, IPCScan, IRC/Flood.ap, IRC/Flood.bi, IRC/Flood.cd, NTServiceLoader, PWS-Sincom, W32/Bugbear@MM, W32/Deborm.worm.gen, W32/Dumaru@MM, W32/Elkern.cav, W32/Fizzer.gen@MM, W32/FunLove, W32/Klez, W32/Lirva, W32/Lovgate, W32/Lovsan.worm, W32/Mimail@MM, W32/MoFei.worm, W32/Mumu.b.worm, W32/Nachi.worm, W32/Nimda, W32/Sdbot.worm.gen, W32/SirCam@MM, W32/Sobig, W32/SQLSlammer.worm, W32/Yaha@MM
http://vil.nai.com/vil/stinger/
0
 

Author Comment

by:mpwineca
ID: 10725917
Thanks for all the comments. I ran both HouseCall and Stinger. Turns out I had the AGOBOT worm virus. Cleaned it out. Reinstalled the patches from Microsoft but the problem is still present. Still get the NT AUTHORITY/SYSTEM shutdown warning.

In addition, I am now unable to use my printer. When I hit the PRINT command I get an error message that states:

"RPC Server Unavailable. Cannot run iKernel.exe."

What next??
0
