?
Solved

What can I do about an Apparent Virus Shutting Down Programs???

Posted on 2004-03-30
8
Medium Priority
?
785 Views
Last Modified: 2010-04-11
My computer appears to have one or more viruses. I have downloaded and run several of the Symatec virus killers including WormBlast. Yet I still get the NT Authority\System shutdown screen every session. I have learned how to deactivate that, thank goodness.

I have been attempting to run Norton Anti Virus 2004 for several days but the virus (I think) keeps closing the program after only 10-20 seconds. Same thing happens on other antivirus programs.

What can be done? I tried running NAV 2004 in Safe Mode but it wouldn't open.
0
Comment
Question by:mpwineca
  • 4
  • 3
8 Comments
 
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 300 total points
ID: 10718386
What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

first do this

Start > Run services
Double Click on Remote Procedure Call (RPC)
Click the Recovery tab
Set all three failure boxes to "Take No Action"

Then open the task manager Start > Run taskmgr and under the Processes tab look for msblaster.exe and if you find it end the task.

then

Removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Download
http://securityresponse.symantec.com/avcenter/FixBlast.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applicaitons listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch you computer against the DCOM RPC vulnerability.

Click here http://securityresponse.symantec.com/avcenter/security/Content/8205.html for more information on the vulnerability being exploited by this worm and to find out which Symantec products can help mitigate risk from this vulnerability

Restarting the computer in Safe mode or ending the Worm process
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry, http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617 " for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"

Exit the Registry Editor.


Now apply the patch
0
 
LVL 11

Accepted Solution

by:
ghana earned 450 total points
ID: 10718443
You have to install the necessary operating system patches to avoid system shutdown:
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

This patch will fix different RPC vulnerabilities that are exploited by the Blaster variants. After that you should search for other viruses on your computer to enable normal operation of Norton AntiVirus.

For example you can try one of the following online scanners to check your computer for viruses:
http://housecall.trendmicro.com
http://www.pandasoftware.com/activescan
0
 

Author Comment

by:mpwineca
ID: 10718627
I have already installed the patch (039) once or twice and I am still getting the NT Shutdown screen. In my last attempt to run Norton, I was given an error message that the Norton installation was now CORRUPT and that I needed to uninstall and reinstall it.

Should I try the Housecall or Panda programs before uninstalling NAV?

Should I turn off System Restore before doing anything more?
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
LVL 44

Expert Comment

by:CrazyOne
ID: 10718660
Click Start, and then click Control Panel.
In Control Panel, click Performance and Maintenance, and then click Power Options.
Click the APM tab.
Check to select the Enable Advanced Power Management Support check box, and then click OK.

WINDOWS XP
SHUTDOWN & RESTART
TROUBLESHOOTING
http://www.aumha.org/a/shtdwnxp.htm 

And this MS KB
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308029

"It is Now Safe to Turn Off Your Computer" Error Message When You Try to Shut Down Your Computer
http://support.microsoft.com/default.aspx?scid=kb;en-us;810903


Quoted from the http://www.aumha.org/a/shtdwnxp.htm link

POWERDOWN ISSUES
“Powerdown issues” are quite distinctive from “shutdown issues.” I define a shutdown problem as one wherein Windows doesn’t make it at least to the “OK to shut off your computer” screen. If Windows gets that far, or farther, then it has shut down correctly. However, the computer may not powerdown correctly after that. This is a different problem, and I encourage people reporting these issues to make a clear distinction in their labeling.

When Windows XP won’t powerdown automatically, the APM/NT Legacy Power Node may not be enabled. To enable this, right-click on the My Computer icon, click Properties | Hardware | Device Manager | View. Check the box labeled “Show Hidden Devices.” If it’s available on your computer, there will be a red X on the APM/NT Legacy Node. Try enabling it and see if this resolves the powerdown problem (Tip from Terri Stratton). Or, to check the other side of the APM/ACPI coin, open the Power Options applet in Control Panel. If there is an APM tab, make sure the “Enable Advanced Power Management Support” box is checked. (MSKB 313290)

This should resolve the powerdown issue in most cases. However, other factors can sometimes interfere with correct powerdown functioning. In that case, consider the following tips:
0
 

Author Comment

by:mpwineca
ID: 10718721
Thanks, CrazyOne. It is obvious that I am not being successful in defining the problem. I do not have a powerdown or shutdown issue as you define it. I just can't run my programs because they will open for only 10-20 seconds (NAV in particular but REGEDIT is another one that does the same thing, ) then close on their own.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10720323
Then you have a very nasty virus that may require reformating.

try this

Ok Copy the following into notepad and save the file with the REG extension. Then go to where you saved it and double click on it.

REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:d8,07,00,00

[HKEY_CLASSES_ROOT\exefile\shell]
@=""

[HKEY_CLASSES_ROOT\exefile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{86F19A00-42A0-1069-A2E9-08002B30309D}]
@=""

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10720326
DO this in Safe mode and see if you can run your virus scanner

Also try this

McAffee has utility that is aimed at removing the virus and fixing the registry

Stinger
BackDoor-AQJ, Bat/Mumu.worm, Exploit-DcomRpc, IPCScan, IRC/Flood.ap, IRC/Flood.bi, IRC/Flood.cd, NTServiceLoader, PWS-Sincom, W32/Bugbear@MM, W32/Deborm.worm.gen, W32/Dumaru@MM, W32/Elkern.cav, W32/Fizzer.gen@MM, W32/FunLove, W32/Klez, W32/Lirva, W32/Lovgate, W32/Lovsan.worm, W32/Mimail@MM, W32/MoFei.worm, W32/Mumu.b.worm, W32/Nachi.worm, W32/Nimda, W32/Sdbot.worm.gen, W32/SirCam@MM, W32/Sobig, W32/SQLSlammer.worm, W32/Yaha@MM
http://vil.nai.com/vil/stinger/
0
 

Author Comment

by:mpwineca
ID: 10725917
Thanks for all the comments. I ran both HouseCall and Stinger. Turns out I had the AGOBOT worm virus. Cleaned it out. Reinstalled the patches from Microsoft but the problem is still present. Still get the NT AUTHORITY/SYSTEM shutdown warning.

In addition, I am now unable to use my printer. When I hit the PRINT command I get an error message that states:

"RPC Server Unavailable. Cannot run iKernel.exe."

What next??
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
Loops Section Overview
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question