Roy Sidebottom (United Kingdom of Great Britain and Northern Ireland)

NT authority/system is shutting down your PC (services.exe error...)

We seem to be infected with some kind of virus which is shutting down all Windows 2000 PCs and servers that have SP3 or less installed, with the above error. We cannot install SP4 on our e-mail server for other reasons (long story). We have tried many virus removal tools, including the Sasser worm and MSBlaster worm removal tools, to no avail. WE DESPERATELY NEED HELP!
centrepc

Try running Stinger

http://vil.nai.com/vil/stinger/

But without applying any of the patches to keep from getting the virus back I am not sure this will help much. If you figure out what virus you have, please post and we can look up what port the virus is trying to run on, and you should be able to shut down those ports.

It would be better to run Stinger in safe mode, then shut down the suspected ports and then reboot.

You should have all ports shut down anyway except for what is needed on your mail server.

Is your mail server running on a public IP or are you forwarding the ports to a private IP? Any server on a public IP is impossible to keep clean even with all of the latest patches and security updates.

Roy Sidebottom (ASKER)

Hi,
We tried the nai.com Stinger, to no avail. Also several other removal tools. No virus is detected on the PCs! I only tried these tools due to what I was finding in searches on the internet. The mail server forwards to a private IP. An external company filters the mail as it comes through. I have only found that SP4 and related security patches rid PCs of this issue, but like I say, we can't apply SP4 to our W2K server due to other issues we then encounter (see other previous Exchange question!). Any more ideas, anybody?
A couple of things that may help until you can get a handle on the problem are telling the RPC service not to take any action on failure. This is done in the properties of the RPC service under Services. It may be set to reboot the server on failure.

Also, you can write a batch file that runs shutdown -a, and this stops the system from shutting down once in progress.

You can just schedule it to run every minute and this should stop it every time it starts to shut down.

This looks like the Code Red or Blaster worm. Check the processes and make sure this isn't running as a process.

Check the registry and make sure nothing is under the Run or RunOnce keys in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.
This sounds like it is the Blaster worm, and seeing that the Blaster worm exploited a vulnerability addressed post-SP4, you sound susceptible. Here is the Symantec information on it: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

If I remember correctly, you need to go to Start > Run > services.msc and then find the RPC server service and change its behaviour on failure to restart the service, not shut down. Once you have done that, follow the directions in the Symantec link. You can always download the necessary Windows patches from a good computer (there are two that address this specific vulnerability) and then install them locally on the problem PCs to start out. Looking at the running processes is a good suggestion also... I believe that Blaster's was simply msblast.exe, and another was rpcss.exe or something. Happy Hunting,
JK
We have already tried all these fixes, folks! We are currently running the fixblast.exe removal tool on all our PCs. Is there any way of finding out which PC is the 'carrier' of this worm rather than having to trawl through all PCs/servers on the network? Our antivirus software (McAfee) was up to date prior to all this happening, worryingly.
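The thread suggests three manual checks: look for the worm executable in the process list, look for unexpected entries under the Run/RunOnce keys, and work out which machine is the "carrier" spreading the infection. The script below is an added example written for this page, not code from the thread or from any of the posters, that applies those checks to captured text so they can be run across many hosts without trawling through each one by hand. It assumes output was saved from `tasklist`-style process listings, a `.reg` export of the Run keys, and `netstat -an` on each PC; all sample data, host names and IP addresses are constructed. The only process name on the watch list is msblast.exe, which the thread names; rpcss is deliberately left off because it is the name of the legitimate Windows RPC subsystem and would match every host. The carrier check counts half-open outbound connections to TCP port 135, the RPC endpoint the Blaster worm scanned, which is taken from the public Symantec write-up linked above rather than from the thread itself.

```python
"""Triage helper for the Blaster-style symptoms described in this thread.

Three checks over text captured from Windows hosts (constructed samples below):
  1. process listing: is the worm executable named in the thread running?
  2. .reg export: does any Run/RunOnce value point at an unexpected command?
  3. per-host netstat snapshots: which host is bursting SYN_SENT to TCP 135?
"""
import re
from collections import Counter

# Watch list limited to the name given in the thread (assumption: exact file name).
SUSPECT_PROCESSES = {"msblast.exe"}

# Constructed allowlist of known-good Run entries, lowercased, in .reg escaping.
ALLOWLIST = {r"c:\\program files\\exampleav\\monitor.exe"}


def find_suspect_processes(tasklist_text):
    """Return watch-listed image names found in tasklist-style output."""
    found = []
    for line in tasklist_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() in SUSPECT_PROCESSES:
            found.append(parts[0].lower())
    return found


# Matches the tail of a .reg key header such as [...\CurrentVersion\Run]
RUN_KEY_RE = re.compile(r"\\(Run|RunOnce)\]$")


def find_suspect_run_entries(reg_export_text, allowlist):
    """Parse a .reg export; return (key, value name, command) triples for
    Run/RunOnce values whose command is not on the allowlist."""
    hits = []
    current_key = None
    for line in reg_export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1] if RUN_KEY_RE.search(line) else None
            continue
        if current_key and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            value = value.strip().strip('"')
            if value.lower() not in allowlist:
                hits.append((current_key, name, value))
    return hits


# Matches one "TCP local:port foreign:port STATE" row from netstat -an
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def rank_scanners(netstat_by_host, target_port=135, min_attempts=10):
    """Given {hostname: netstat text}, count outbound SYN_SENT rows to
    target_port per host and return hosts at/over the threshold, busiest first."""
    counts = Counter()
    for host, text in netstat_by_host.items():
        for line in text.splitlines():
            m = NETSTAT_RE.match(line)
            if m and int(m.group(4)) == target_port and m.group(5) == "SYN_SENT":
                counts[host] += 1
    return [(h, n) for h, n in counts.most_common() if n >= min_attempts]


# ---- constructed sample input -------------------------------------------
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
services.exe                  208 Console                 0      2,904 K
msblast.exe                  1120 Console                 0      1,448 K
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="C:\\Program Files\\ExampleAV\\monitor.exe"
"windows auto update"="msblast.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"""


def _netstat_snapshot(local_ip, rows):
    """Build a constructed netstat -an listing from (local port, foreign, state) rows."""
    header = ["Active Connections", "",
              "  Proto  Local Address          Foreign Address        State"]
    return "\n".join(header + [f"  TCP    {local_ip}:{lp:<6} {fa:<22} {st}"
                               for lp, fa, st in rows])


SAMPLE_NETSTAT = {
    # constructed: infected host sweeping a /24 for RPC on port 135
    "PC-ACCOUNTS-03": _netstat_snapshot(
        "10.0.0.23", [(1500 + i, f"10.0.1.{i + 1}:135", "SYN_SENT") for i in range(40)]),
    # constructed: healthy host with one normal RPC attempt and a file share
    "PC-RECEPTION-01": _netstat_snapshot(
        "10.0.0.41", [(1033, "10.0.0.5:135", "SYN_SENT"), (1034, "10.0.0.5:139", "ESTABLISHED")]),
}

if __name__ == "__main__":
    print("processes:", find_suspect_processes(SAMPLE_TASKLIST))
    print("run keys:", find_suspect_run_entries(SAMPLE_REG, ALLOWLIST))
    print("likely scanners:", rank_scanners(SAMPLE_NETSTAT))
```

A single host making a handful of connections to port 135 is normal RPC traffic, which is why `rank_scanners` uses a threshold rather than flagging any attempt; lowering `min_attempts` to 1 shows the healthy host too, so the threshold should be tuned to the site's normal RPC chatter before trusting the ranking.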
ASKER CERTIFIED SOLUTION
Jandakel2