  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 288

NT authority/system is shutting down your PC (services.exe error...)

We seem to be infected with some kind of virus which is shutting down all Windows 2000 PCs and servers that have SP3 or less installed, with the above error. We cannot install SP4 on our e-mail server for other reasons (long story). We have tried many virus removal tools, including the Sasser worm and MSBlaster worm removal tools, to no avail. WE DESPERATELY NEED HELP!
Asked: Roy Sidebottom
1 Solution
 
centrepc commented:
Try running Stinger:

http://vil.nai.com/vil/stinger/

But without applying any of the patches to keep from getting the virus back, I am not sure this will help much. If you figure out what virus you have, please post it and we can look up what port the virus is trying to run on, and you should be able to shut down those ports.

It would be better to run Stinger in safe mode, then shut down the suspected ports and then reboot.

You should have all ports shut down anyway except for what is needed on your mail server.

Is your mail server running on a public IP, or are you forwarding the ports to a private IP? Any server on a public IP is impossible to keep clean even with all of the latest patches and security updates.

0
 
Roy Sidebottom (IT Technician, Author) commented:
Hi,
We tried the nai.com Stinger, to no avail. Also several other removal tools. No virus is detected on the PCs! We only tried these tools because of what I was finding in searches on the internet. The mail server forwards to a private IP. An external company filters the mail as it comes through. We have only found that SP4 and the related security patches rid PCs of this issue, but like I say, we can't apply SP4 to our W2K server due to other issues we then encounter (see my other previous exchange question!). Any more ideas, anybody??
0
 
centrepc commented:
A couple of things that may help until you can get a handle on the problem: tell the RPC service not to take any action on failure. This is done in the properties of the RPC service under Services. It may be set to reboot the server on failure.

Also, you can write a batch file that runs shutdown -a, and this stops the system from shutting down once it is in progress.

You can just schedule it to run every minute and this should stop it every time it starts to shut down.

This looks like the Code Red or Blaster worm. Check the processes and make sure this isn't running as a process.

Check the registry and make sure nothing is under the Run or RunOnce keys in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.
0
 
Jandakel2 commented:
This sounds like it is the Blaster worm, and seeing that the Blaster worm exploited a vulnerability addressed post-SP4, you sound susceptible. Here is the Symantec information on it: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

If I remember correctly, you need to go to Start > Run > services.msc and then find the RPC server service and change its behaviour on failure to restart the service, not shut down. Once you have done that, follow the directions in the Symantec link. You can always download the necessary Windows patches from a good computer (there are two that address this specific vulnerability) and then install them locally on the problem PCs to start out. Looking at the running processes is a good suggestion also... I believe Blaster's was simply msblast.exe, and another was rpcss.exe or something. Happy hunting,
JK
0
 
Roy Sidebottom (IT Technician, Author) commented:
We have already tried all these fixes, folks! We are currently running the fixblast.exe removal tool on all our PCs. Is there any way of finding out which PC is the 'carrier' of this worm, rather than having to trawl through all the PCs/servers on the network? Our anti-virus software (McAfee) was up to date prior to all this happening, worryingly.
0
 
Jandakel2 commented:
Remember the fix removes the virus, but you will remain susceptible until you patch your systems.

If you can use Ethereal, that may be an option (www.ethereal.com), as it will show the traffic on your network, top talkers, etc. Remember that if you are in a completely switched environment you will need to either mirror traffic outbound from your network to another port, or place a hub between your exit switch and your gateway and then plug in a laptop with Ethereal installed to view everything. Another approach (not knowing the size of your environment) is to just look at the LEDs on your switches. If one in particular is going crazy, there's a good chance it could be the culprit.

Also, running the Microsoft Baseline Security Analyzer tool will tell you all the machines in your network that are currently not up to speed on their patches. I've been where you are before, as my network got pummelled with the same virus. I have since integrated WSUS and it has helped immensely. It may still be a solution for you to push out all the updates to the computers instead of hitting each one.

JK
0
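The two pieces of advice above, centrepc's "find out what port the virus is trying to run on and shut down those ports" and Jandakel2's "use Ethereal to find the top talkers", come down to the same measurement: one infected host opening connections to many distinct destinations on the same port. The script below is an added example, not code from the thread or from any of the tools mentioned. It assumes a plain text connection log in the form "HH:MM:SS src dst proto dport" (an assumed format; a real firewall log or an Ethereal/tshark export needs its own field mapping), and its records are constructed, not captured. Blaster spread over TCP 135, the RPC endpoint mapper attacked via the MS03-026 vulnerability, so the constructed sweep uses that port; the mail relay in the sample shows the false positive a practitioner has to handle, since a mail server legitimately fans out on tcp/25.

```python
"""
Picking the worm 'carrier' out of connection records.

Added example for this thread (not from the original post or from any tool
it names). Assumed input format: "HH:MM:SS src dst proto dport", one record
per line. A scanning worm shows up as one source hitting many distinct
destinations on a single port; that port is also the one to block at the
border until the hosts are patched.
"""
from collections import Counter, defaultdict


def _constructed_log():
    """Build a constructed sample log (not captured data)."""
    lines = []
    # One infected workstation sweeping tcp/135 across a neighbouring /24.
    for i in range(40):
        lines.append(f"12:00:{i % 60:02d} 10.0.0.23 10.0.1.{i + 1} tcp 135")
    # The mail relay delivering outbound mail: legitimate fan-out on tcp/25.
    for i in range(30):
        lines.append(f"12:01:{i % 60:02d} 10.0.0.5 198.51.100.{i + 1} tcp 25")
    # An ordinary workstation browsing a handful of sites.
    for i in range(5):
        lines.append(f"12:02:{i:02d} 10.0.0.50 203.0.113.{i + 1} tcp 80")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_records(text):
    """Parse 'HH:MM:SS src dst proto dport' lines into tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        records.append((ts, src, dst, proto.lower(), int(dport)))
    return records


def fan_out(records):
    """Map (src, proto, dport) to the set of distinct destinations it hit."""
    targets = defaultdict(set)
    for _ts, src, dst, proto, dport in records:
        targets[(src, proto, dport)].add(dst)
    return targets


def suspected_scanners(records, min_targets=20, expected_roles=None):
    """
    Return [(src, proto, dport, distinct_targets)] for sources whose fan-out
    on one port reaches min_targets, most aggressive first.

    expected_roles maps a host to the ports it legitimately fans out on
    (e.g. the mail relay on tcp/25) so known server behaviour is not
    reported as scanning; anything not listed is judged on fan-out alone.
    """
    expected_roles = expected_roles or {}
    hits = []
    for (src, proto, dport), dsts in fan_out(records).items():
        if dport in expected_roles.get(src, set()):
            continue
        if len(dsts) >= min_targets:
            hits.append((src, proto, dport, len(dsts)))
    hits.sort(key=lambda h: -h[3])
    return hits


def top_talkers(records, n=3):
    """Connection counts per source: the 'top talkers' view Ethereal gives."""
    return Counter(src for _ts, src, _dst, _proto, _dport in records).most_common(n)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("top talkers:", top_talkers(recs))
    # Without role knowledge the mail relay's tcp/25 fan-out is also flagged.
    print("raw fan-out hits:", suspected_scanners(recs))
    # With the relay's role declared, only the tcp/135 sweep remains.
    print("scanner(s):", suspected_scanners(recs, expected_roles={"10.0.0.5": {25}}))
```

Run against the constructed sample, the raw fan-out view flags both the infected workstation on tcp/135 and the mail relay on tcp/25; declaring the relay's role leaves only 10.0.0.23, which is the host to pull off the network, clean and patch first, and tcp/135 is the port to filter at the border in the meantime.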
