Solved

Could it be MSBLAST or just Content Watch

Posted on 2006-06-19
40
808 Views
Last Modified: 2012-06-21
I am getting a string of auto shutdowns due to RPC automatic shutdown authorized by NT/system(?). I can't find MSBLAST in my processes so it could be Content Watch.  However, it seems to have disabled my virus protection and system mechanic.  Here is how it started.  CW said my password was invalid when I tried to uninstall and I KNOW it was not. Tried several times. So I just found all the files and deleted/terminated them. Wrong thing to do I guess. Now I keep showing some cwcptray error. I disabled it from startup and now my computer just goes into diagnostic mode and I don't have internet access. How do I get this off my startup list in MSCONFIG (in XP PRO) and get my system stable and running fast again. I was great before. Just got it a month ago and I've got an MSI K8N Diamond motherboard, AMD Dual Core Processor, 4 Gigs (or according to Windows 3 gigs) of RAM. Dual Geforce 7900 GT graphics cards with SLI link. It was great. Now it's all messed up. HELP!! I did some research and think I could have the MSBLAST worm. But I've also read where content watch could cause some of the same problems.  I can't access the internet from that computer now so I'm left with trying to find the answers here at work and go back with a "to do" list which may make solving this issue more difficult.  However, I did spend about 4 hours last night trying to get it fixed in every mode possible so I should be able to answer most questions not relating to the existence of a specific file.  I even went into regedit to try to delete the file from there but I couldn't find it.  I searched the path it showed in msconfig (and did delete the file).  Nowhere to be found in regedit.  I'm not against reinstalling anything, I just want my speed and stability back.
Question by:abpowell
40 Comments
 
LVL 12

Expert Comment

by:gidds99
ID: 16937207
Could it be MSBLAST - if you have been to Windows Update (you have SP2?) in the last year or two you can't have MSBlaster.

(or according to Windows 3 gigs) of RAM - does your MB support 4GB (maybe only 3gb)?

It does sound like a virus may have caused the initial issues.

Have you tried System Restore?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16938158
1. To fix the internet connection on the infected machine download WinsockFix(using another machine and usb flash drive)
Download and run winsockFix:
http://www.majorgeeks.com/download4372.html


2. Let us look at your Hijackthis log.(the log can give us much info)
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16938163
Since your system is only a month old, I would guess that you don't have too many important files on there yet. If so, I would suggest backing up any useful files (including documents, pictures, email etc.) to a USB device or CD and then doing a clean restore of your system from the system restore CD.

If the manufacturer did not provide a system restore CD, then you'll have to do a reformat and install from the Windows XP CD. But be sure you have the drivers and model numbers for important parts of your PC, namely the video card, network card, audio card etc.

In each of the above cases you'll then have to reinstall applications etc. Backing up personal files first is crucial.

If you'd rather not do that, or don't have the proper restore/install CD's, then we can try to get it working as is. It will be a bit tricky since you have lost network access and have to communicate from the office, but we can try.

I am not very familiar with Content Watch, but you could try calling their tech support and maybe they can walk you through the steps for getting the network working again. If that doesn't work or isn't an option, then I suggest you get LSPfix from http://www.cexx.org/lspfix.htm and run that and see if the network starts to work. Also get Winsock Fix from http://www.spychecker.com/program/winsockxpfix.html in case LSPfix is not able to fix it.

What brand/model PC is this?
0
 

Author Comment

by:abpowell
ID: 16939390
RPGGamerGirl.....I hope you can get me out of this one.  Here you go:

http://www.rafb.net/paste/results/BN9b1I69.html  

and

http://www.hijackthis.de/#anl

I tried reinstalling Windows XP.  Now if I turn my computer on it just cycles off and on.  Goes into Windows, shuts down and restarts again and again unless I take it to safe mode where now neither one of my DVD drives are showing up on my computer or my second internal hard drive.  My external hard drive is showing up however.  I AM LOST!!! HELPPP!!!
0
 

Author Comment

by:abpowell
ID: 16939406
or try this for the hijackthis site

http://www.hijackthis.de/logfiles/eb4ae2e2719c22965c005402fb9df123.html

I can't take much more.  I started all this about a month ago just trying to get a system that would work for home video editing.  I was using Pinnacle Studio.  It still crashes.  It's been one thing after another.  Countless nights up till 2:00 or 3:00.  My wife is about to kill me because I'm spending all my time trying to fix this stupid thing instead of helping with our 6 young kids.  
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 200 total points
ID: 16939487
May I know what was your reason for accepting my answer? You only need to click the "Accept" button when your Question has been answered to solve the problem. If you still have the problem then just leave your Question open, :)

With your permission I will re-open your thread so other experts will still join and help till your problem is solved.


Okay, so you already tried to uninstall ContentWatch and removed its related files right? And you already removed its folder? --> C:\Program Files\ContentWatch

Please fix these entries in Hijackthis:
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\gui\cwcptray.exe
O20 - Winlogon Notify: CwWLEvent - C:\Program Files\ContentWatch\Internet Protection\common\cwplc001.dll (file missing)
O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)
O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)


Then, after you've fixed those Hijackthis entries.
Open Hijackthis > Open Misc Tools Section > Open "Delete an NT Service"
In the new window, copy and paste or type this service -->CwCpSvc20
 into the Open field and hit OK

Can you please update us after you've done those?

0
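The cleanup step in the post above amounts to finding every autostart, Winlogon and service entry that still points into the removed product's folder. This added example (not part of the original thread, and not HijackThis's own code) parses such log lines; the function names are hypothetical and the sample uses the entries quoted in the post plus one constructed line.

```python
import re

# Sample lines: the ContentWatch entries quoted in the post above, plus one
# constructed, unrelated O4 entry ("ExampleTray") that must not be selected.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\gui\cwcptray.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - Winlogon Notify: CwWLEvent - C:\Program Files\ContentWatch\Internet Protection\common\cwplc001.dll (file missing)
O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)
O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)
"""

# "<section code> - <body>" with an optional trailing "(file missing)" marker.
ENTRY_RE = re.compile(
    r"^(?P<code>[A-Z]\d+) - (?P<body>.+?)(?P<missing>\s*\(file missing\))?\s*$")
# First drive-letter path in the body, e.g. C:\Program Files\...
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")
# O23 bodies look like "Service: <display name> (<service name>) - <owner> - <path>".
SERVICE_RE = re.compile(r"^Service: .*?\((?P<svc>[^)]+)\) - ")


def find_orphans(log_text, product_dir):
    """Return de-duplicated log entries whose target lies under product_dir."""
    needle = product_dir.lower().rstrip("\\") + "\\"
    seen, found = set(), []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        path = PATH_RE.search(m["body"])
        if not path or not path.group(0).lower().startswith(needle):
            continue
        svc = SERVICE_RE.match(m["body"])
        entry = {
            "code": m["code"],
            "path": path.group(0),
            "file_missing": m["missing"] is not None,
            "service": svc["svc"] if svc else None,
        }
        key = (entry["code"], entry["path"].lower())
        if key not in seen:  # the log above lists the O23 service twice
            seen.add(key)
            found.append(entry)
    return found


def services_to_delete(entries):
    """Service names that still need removing after the entries are fixed."""
    return sorted({e["service"] for e in entries if e["service"]})


if __name__ == "__main__":
    hits = find_orphans(SAMPLE_LOG, r"C:\Program Files\ContentWatch")
    for e in hits:
        state = "file missing" if e["file_missing"] else "file present"
        print(f'{e["code"]:4} {state:13} {e["path"]}')
    print("services:", services_to_delete(hits))
```
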
 

Author Comment

by:abpowell
ID: 16941603
I'll give that a go.  

As far as accepting your post, well I'm obviously new at this so I didn't know what to do.  I was working with the content of your post so I awarded you the points.  Your post was the most helpful.  You do have my permission to open up the thread.  

A question on the posted log of my computer.  Does that pose any type of security risk to put that out there?
0
 

Author Comment

by:abpowell
ID: 16941619
Also you seemed the most knowledgeable, I just looked at the hall of fame on here.  WOW.  You are good.  Thanks for all your help.
0
 

Author Comment

by:abpowell
ID: 16942157
That probably would have worked if I hadn't tried to fix things myself earlier.  Fixed all those items in HiJackthis.  Still continuous loop on startup. (shutdown-restart......)  Still no disk drives showing up.  This probably happened when I reinstalled windows I thought I had all the drivers reinstalled too.  I've tried inserting the disk but still nothing.  I get a green light like its trying to read but nothing happens.  Also, my second hard drive still not showing up either.  I've also tried "add new hardware" but the computer did find them and I couldn't figure out how to install the drives manually when windows asks for a disk but doesn't even recognize your disk drives.  ???  

Overall, still at the same spot as yesterday
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16942201
Thanks for the compliments! that's so nice of you,  :)

>>A question on the posted log of my computer.  Does that pose any type of security risk to put that out there?<<
No, because what's mainly showing in the log are programs installed in your pc, almost everyone has same programs in their pc (the only security risk entries if it can be considered that) is where you saved hijackthis.exe and the O17 entry. And even if O17 entries are showing e.g. below:(it's very minimal)
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFD8E9F0-FF70-461D-8AAC-6E16F95D0E3C}: NameServer = 203.134.64.66,203.134.65.66
that tells them who's your ISP. I noticed you took off yours :)
(also that site where you uploaded the log only keeps the log for few days)


The Hijackthis link that I always give installs and runs hijackthis.exe in the program files folder so it won't show your "user profile"
Here is an example of an improper running folder in XP/2000 that shows the user's name:
C:\Documents and Settings\Alex de Luca\Local Settings\Temp\HijackThis.exe
C:\Documents and Settings\Michael\Desktop\Programs\HijackThis.exe
C:\Documents and Settings\Gilbert Sullivan\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
0
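The two leaks named in the post above (the profile name in the running folder and the O17 name servers) can be stripped from a log before it is pasted publicly. This is an added example, not part of the original thread; `redact` is a hypothetical helper, the `C:\Users` form goes beyond the XP/2000 layout the post shows, and the sample paths are constructed apart from the O17 line quoted in the post.

```python
import re

# Sample log lines: paths are constructed; the O17 line is the one quoted above.
SAMPLE = r"""
C:\Documents and Settings\Example User\Desktop\HijackThis.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\example.lnk
C:\Program Files\HijackThis\HijackThis.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFD8E9F0-FF70-461D-8AAC-6E16F95D0E3C}: NameServer = 203.134.64.66,203.134.65.66
"""

# Profile root followed by the account name (everything up to the next backslash).
PROFILE_RE = re.compile(
    r"(?i)([A-Z]:\\(?:Documents and Settings|Users)\\)([^\\\r\n]+)")
# Shared profiles carry no personal information and are left readable.
SHARED = {"all users", "default user", "localservice", "networkservice",
          "public", "default"}
# Any O17 line: keep the registry key, hide the value after "=".
O17_RE = re.compile(r"(?im)^(O17 - [^=\r\n]*=\s*)(.+)$")


def redact(log_text):
    """Return (redacted_text, findings); findings lists what was hidden."""
    findings = []

    def hide_user(m):
        if m.group(2).lower() in SHARED:
            return m.group(0)
        findings.append(("profile", m.group(2)))
        return m.group(1) + "<user>"

    def hide_o17(m):
        findings.append(("O17", m.group(2).strip()))
        return m.group(1) + "<redacted>"

    out = PROFILE_RE.sub(hide_user, log_text)
    out = O17_RE.sub(hide_o17, out)
    return out, findings


if __name__ == "__main__":
    cleaned, hidden = redact(SAMPLE)
    print(cleaned)
    print("hidden:", hidden)
```
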
 

Author Comment

by:abpowell
ID: 16943359
I didn't take off my ISP on purpose.  Probably another symptom of trying to reinstall windows xp.  Not all my hardware/drivers are showing up.  I did not uninstall first I just ran install again.  A lot of programs ask whether you want to uninstall or repair the files when you do that so I assumed windows would do the same.  It didn't, but it also didn't act like it would be a problem (except for my video drivers dual GeForce 7900 GTOC with SLI link) because they were not Windows certified or something like that.
0
 

Author Comment

by:abpowell
ID: 16943372
BTW....should I take this out of Virus and into another section?   I couldn't find Idiot Newbies on the list so if so please suggest which section.
0
 
LVL 6

Assisted Solution

by:Wooky Jack
Wooky Jack earned 20 total points
ID: 16945729
Try starting fresh.  Unplug everything and then plug in your main hd and one dvd burner or rom.  Boot up and see what happens.  If nothing appears to be wrong turn the machine off and plug in one other device.  Keep doing this until you run into the continuous boot problem.  I believe one of your hard drives might be failing..most likely one of your slaves could be causing this problem.  Let me know how that goes.

-thephalanx
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16947542
Since this problem is more like hardware/software than viruses, you might like to close this one and post a new Question on other Topic Areas like XP etc.

Closing Questions:
http://www.experts-exchange.com/help.jsp#hs5

Or you could also post a 20 pts pointer in other Topic Area pointing them to here.


Here's EE sitemap:
http://www.experts-exchange.com/siteMap.jsp
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 100 total points
ID: 16947684
It doesn't seem like a hardware issue. Most likely the network access is blocked because of attempts to manually disable Content Watch.

Are you able to boot into Safe Mode?
What about Safe Mode with Networking?

If you can boot into either of those modes then try the LSPfix I suggested in my first post.
It should restore your network access.
0
 

Author Comment

by:abpowell
ID: 16950903
R-K - I tried the LSPFix and Winsock fix.  Problem still there.  I can start in safe mode and safe mode with network access.

I don't know if this tells you anything but windows shuts down when the initial "Windows XP Screen" comes up and the blue "bar", that goes back and forth to tell you windows is working, gets about 3/4 of the way across the first time across.  

Everything appears to boot correctly but then when that blue bar gets moving windows shuts down, restarts, etc......

I had everything backed up too but now I cannot access many backup files.  I was able to "recover" over 120 *.exe files.  They are now sitting in my external hard drive.  I was going to try to post that list but I can't figure out how to copy just the text of the list.  It's too large for a screen shot and any attempt to copy tries to copy the file.  

Most of the files look like A031974 but, I've also recovered winlogon, a few setup files, ntbackup, regedit, mobsync, services, rundll32 and others that look important but I don't want to run anything that will mess things up any further.  I obviously got here by doing things I shouldn't have because I don't know what I'm doing.  I will be working from home today so I can communicate via my laptop.  While working on my desktop.

Also, when looking at startup in msconfig it looks like I'm missing a lot of files.  Is that what the repairs above are about?  

0
 
LVL 15

Expert Comment

by:venom96737
ID: 16951132
OK to start if it starts shutting down and you get the timer quickly go to start then run and type shutdown -a to abort the shutdown or start run cmd then in the box type shutdown -a.  To keep it from shutting down after that go to start run type services.msc scroll down to remote procedure call (rpc) double click it and go to the recovery tab from there change all the failures to take no action and press ok.  Now you will no longer restart and have time to find the problem.  Run this patch just to see if you're just not updated http://www.microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en  Next step look in the event log for any clues all the files you are stating you found in your system folder are system files and should be left alone.  Next check your device manager for some clues.  Your computer will not connect to the internet until you fix this rpc error
0
 
LVL 15

Accepted Solution

by:
venom96737 earned 130 total points
ID: 16951197
OK I just saw the content watch statement which appears to be an internet content protection software that you tried to remove manually hmmm ok there's the problem.  Call content watch tech support
For Technical Support:
Call 1 (800) 485-4008 or email us at support@contentwatch.com

and explain the situation in detail and ask them what registry changes this software makes and all locations it installs to
0
 
LVL 15

Expert Comment

by:venom96737
ID: 16951207
I would be willing to bet it adds a service that is messing with your rpc because it can't find the exe files it's looking for because you deleted them.
0
 

Author Comment

by:abpowell
ID: 16951279
The RPC shutdown is not the problem right now.  I can't even get back to that point.  I messed things up even worse trying to fix that originally.   I have found backup registries, should I try to restore?
0
 
LVL 15

Assisted Solution

by:venom96737
venom96737 earned 130 total points
ID: 16951314
Here's how you check for that go to start run msconfig and go under the services tab at the bottom check the box that says hide all microsoft services and if anything left on there refers to content watch uncheck it.  Or you could list here what remains and I can advise from there.
0
 
LVL 12

Assisted Solution

by:gidds99
gidds99 earned 50 total points
ID: 16951320
I think you should consider re-installing Windows (or at least try a repair).
0
 
LVL 15

Expert Comment

by:venom96737
ID: 16951344
OK slow down so what is it doing now going straight into safe mode go to start run and under the general tab make sure it is set to normal startup and then press ok and reboot this should get you back into regular windows.  Then do what I said about the services thing.
0
 
LVL 15

Expert Comment

by:venom96737
ID: 16951350
oops sorry start run msconfig and under the general tab
0
 
LVL 15

Expert Comment

by:venom96737
ID: 16951360
before reinstalling or repairing I think I can get you back going
0
 
LVL 15

Expert Comment

by:venom96737
ID: 16951389
try to find that service and what do you mean you're missing a lot of files those repairs just set the registry back to default settings how are you missing files?? why are you moving files out of the system folder??? can you get to safe mode Please explain what you can and cannot do right now.
0
 

Author Comment

by:abpowell
ID: 16951412
I used hijack this to remove all remaining references to content watch
0
 
LVL 15

Expert Comment

by:venom96737
ID: 16951425
ok well what you did not get was the service it used as I stated can you access safe mode?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16951439
>>I would be willing to bet it adds a service that is messing with your rpc because it can't find the exe files it's looking for because you deleted them.<<

Yes, files were already missing from the ContentWatch services and startup, that's why it was showing those errors and fixing the relevant entries in hijackthis would've removed the error.

abpowell,
Try reinstalling ContentWatch and let's hope it fixes it.
0
 
LVL 15

Expert Comment

by:venom96737
ID: 16951443
rpg what I'm getting at is all he has to do is disable the service and all should be well again you see what I mean
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16951458
OOps, so many posts I missed to read sorry.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16951514
>>rpg what I'm getting at is all he has to do is disable the service and all should be well again you see what I mean<<
Didn't he already do that?
Fixing those O23 ContentWatch service will stop and disable the service, and Hijackthis deleted the NT service -->"CwCpSvc20"

In my second post.
0
 
LVL 15

Expert Comment

by:venom96737
ID: 16951537
sometimes hijack this is unable to disable or delete a service the bar freezing the boot is the time when drivers and services are being loaded that's why I was going to have him check in msconfig to be sure that the service was gone.
0
 

Author Comment

by:abpowell
ID: 16952692
Well I tried to reinstall ContentWatch.  But I need an internet connection to do so.  Aren't I supposed to be able to get access in Safe Mode?  Anyway, it reinstalled some files but not all.  However, I now have the two showing back up in startup and one in processes.  I'm not sure I ever deleted the processes file.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16952746
When you start in "Safe Mode with Network Access", does your network not work?
0
 

Author Comment

by:abpowell
ID: 16952915
Redid same deletes from HiJackThis as above......

MSCONFIG shows nothing from ContentWatch or Content Protect anymore

Where to now?
0
 

Author Comment

by:abpowell
ID: 16953005
I can't figure out how.  I'm running my laptop off the wireless router so I know the connection is there but something is not right because I cannot connect.
0
 

Author Comment

by:abpowell
ID: 16953370
I just got off the phone with content protect tech support.  They were able to help me get everything off there were still some files remaining.  They also took me through the correct uninstall path so everything should have been fine....Except, I've messed up something else along the way....still no solution

0
 

Author Comment

by:abpowell
ID: 16954223
Thanks all I've moved the thread over to OS for my new problems

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21892986.html

Please come visit and help me finish this thing off.
0
