virus/worm......need to transfer data...pls help


sphilip


I have a win2k pro with sp4 workstation on my LAN, we have
norton AV 2003.....which failed to quarantine/delete a
trojan infection.......

I'm unable to detect which trojan it is cos my computer
gives me the following messages every time I start the
workstation.

"The System process c:\winnt\system32\services.exe
terminated unexpectedly with status code 128. the system
will shutdown & restart"

"the system is shutting down. please save all work in
progress and log off. any unsaved changes will be lost.
This shutdown was initiated by NT AUTHORITY\SYSTEM"

for which the shut down time is 1 minute.

"svchost.exe has generated errors and will be closed by
windows. you will need to restart the program."

Can anyone please advise me on how I can detect & remove
this virus?

Or how I can change this restart period from 1 min to 10
mins so that I can transfer some imp data?

I searched for the above errors in google and performed
all modifications mentioned at most sites but to no avail.

pls help.
 

Bill James

Most likely a Sasser infection. When the shutdown notice comes up, click Start, Run, enter SHUTDOWN -A, click OK, to abort the shutdown. Your AV might have been disabled by this infection, and you might need something like the Stinger tool to remove it, SHUTDOWN -A. By the way, if that system did get infected with Sasser, you are running way behind on installing Critical Windows patches.

--

Bill James
Microsoft MVP - Shell/User

Windows VBScript Utilities » www.billsway.com/vbspage/
Windows Tweaks & Tips » www.billsway.com/notes_public/
 

Dase Man

Okay, I keep seeing this posted as a solution, but from what I can tell,
if the shutdown is caused by c:\winnt\system32\lsass.exe then
maybe it's sasser or blaster

BUT if it's c:\winnt\system32\services.exe then it's SOMETHING ELSE!

in fact, when it's c:\winnt\system32\services.exe, the shutdown
message comes up RIGHT AWAY, so you CANNOT GET INTO WINDOWS TO RUN
SHUTDOWN -A, because there is no time! it never makes it into
windows.
 

Guest

Dase Man, you are exactly correct. I just reinstalled Win2k on a machine that
was giving me all kinds of problems. Then during the Windows Update process
(applying all the patches) on a normal system reboot I get the same message:
"This shutdown was initiated by NT AUTHORITY\SYSTEM". I cannot load Windows to
try anything else. Other posts suggest using Stinger, but Stinger only works
under Windows and I can't load Windows. Is there a DOS-based Stinger-like
tool to get rid of this?
Thanks
gary
 

David H. Lipman

From: "G Hustis" <[email protected]>

| Dase Man, you are exactly correct. I just reinstalled Win2k on a machine that
| was giving me all kinds of problems. Then during the Windows Update process
| (applying all the patches) on a normal system reboot I get the same message:
| "This shutdown was initiated by NT AUTHORITY\SYSTEM". I cannot load Windows to
| try anything else. Other posts suggest using Stinger, but Stinger only works
| under Windows and I can't load Windows. Is there a DOS-based Stinger-like
| tool to get rid of this?
| Thanks
| gary

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

Please repost in one of those News Groups for the /* *best* */ advice.
 

Dave Patrick

These may help.

http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx



--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
