Suspected Virus/Worm Causing PC to Power Off


Guest

I may have contracted a virus/worm similar to Blaster. The System Shutdown
notice says that it was initiated by NTAuthority\System. It further says,
"Win must now shut down because the Remote Procedure Call (RPC) service
terminated unexpectedly." I have attempted to run Norton Antivirus and the
Symantec W32.Blaster Worm Fix Tool 1.0.6.1, but the power will not remain on
long enough to complete the scans. I have also looked at the registry for both
the W32.Toxbot and W32.Toxbot B worms, but there are no indications as per the
Symantec web site. How can I keep the power from shutting down so I can run
anti-virus cleaners, or is there something else I can do? Thanks.
 

David H. Lipman

From: "jimr" <[email protected]>

| I may have contracted a virus/worm similar to Blaster. The System Shutdown
| notice says that it was initiated by NTAuthority\System. It further says,
| "Win must now shut down because the Remote Procedure Call (RPC) service
| terminated unexpectedly." I have attempted to run Norton Antivirus and the
| Symantec W32.Blaster Worm Fix Tool 1.0.6.1, but the power will not remain on
| long enough to complete the scans. I have also looked at the registry for both
| the W32.Toxbot and W32.Toxbot B worms, but there are no indications as per the
| Symantec web site. How can I keep the power from shutting down so I can run
| anti-virus cleaners, or is there something else I can do? Thanks.


When you get the shutdown message ...

Go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/ and install the following patch for the
RPC/RPCSS and DCOM Vulnerabilities that are addressed by Microsoft Security Bulletin
MS04-012 - KB828741
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741
and ...
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
and finally...
http://www.microsoft.com/security/incident/blast.asp

You also need a firewall.
If you don't patch the PC and don't use a firewall, you will just be re-infected.

I also suggest the installation of ALL MS Critical Updates ASAP.



1) Download the following three items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt484.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode and shutdown as many applications as possible
4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
platform and clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform using both.
6) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
8) Create a new Restore point

* * Please report back your results * *
 

Malke

jimr said:
I may have contracted a virus/worm similar to Blaster. The System Shutdown
notice says that it was initiated by NTAuthority\System. It further
says, "Win must now shut down because the Remote Procedure Call (RPC)
service terminated unexpectedly." I have attempted to run Norton Antivirus and
the Symantec W32.Blaster Worm Fix Tool 1.0.6.1, but the power will not
remain on long enough to complete the scans. I have also looked at the registry
for both the W32.Toxbot and W32.Toxbot B worms, but there are no
indications as per the Symantec web site. How can I keep the power from shutting down so I can
run anti-virus cleaners, or is there something else I can do? Thanks.

You can stop the shutdown by doing Start>Run shutdown -a [enter]

Because some of the Sasser/Agobot worms break AV software, if your NAV
won't run, get TrendMicro's Sysclean from a different known-clean computer,
burn it to CD-R and then on the infected machine run it in
Safe Mode:

TrendMicro's Sysclean is an extensive antivirus tool which has the
advantage of not needing to be installed. It requires two parts - the
scanning engine and the virus pattern files.

1. Create a new folder on your Desktop or the C: drive named something
useful like "Sysclean".
2. Go here and download the two parts of the program to that folder:

http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files

The pattern files will be zipped - extract them with your unzipper (like
WinZip) or if you have XP, you can just open the folder. You need to
put the extracted files in the Sysclean folder you made.

3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly
tapping the F8 key as the computer is starting up to get to the proper
menu.
4. Go to the Sysclean folder you made and double-click on sysclean.com.
Start the scan. After the scan is finished, look at the log. You may
need to make a note of where any viruses were found if they were not
able to be removed so you can manually delete them.

After your scan with Sysclean, you should be able to update your NAV
definitions and do a thorough scan in Safe Mode.

Malke
 

Guest

I got the same weird message every time I try to boot my PC (Win XP
Pro). The messages indicate the shutdowns were caused for various reasons,
changing from "system.exe -1073741819" and DCOM to lasse.exe, and Windows will
shut down in 60 seconds.

Weirder still, when the shutdown message box appears, all other windows and
applications disappear (only the shutdown box is on screen, with no means to
interact with it). All this happens even before the system finishes starting
up. Because there is only the shutdown message on screen, I cannot use
Start --> Run --> shutdown -a to stop it.

I tried sometimes (only sometimes, because the message box may appear just
after I type my username and password to log in to Windows) to open a command prompt
and wait for the shutdown message to appear. With the DOS window I can type
"shutdown -a" to stop the shutdown message, but the system hangs there.

I have even removed the PC's hard disk, used a USB caddy to plug it into another
good computer, and scanned it with the newest Norton Anti-virus, but found
nothing.

The PC can boot in Safe Mode and is now scanning with Sysclean...
 

Guest

David,

Something is preventing me from disabling System Restore. Each time I
attempt to disable System Restore, I get an error message indicating that
there is a problem with one of the drives that prevents System Restore from being
disabled. It instructs me to restart and try again. Any thoughts on how to
overcome this problem? Thanks.

jimr
 

David H. Lipman

From: "jimr" <[email protected]>

| David,
|
| Something is preventing me from disabling System Restore. Each time I
| attempt to disable System Restore, I get an error message indicating that
| there is a problem with one of the drives that prevents System Restore from being
| disabled. It instructs me to restart and try again. Any thoughts on how to
| overcome this problem? Thanks.
|
| jimr
| | "David H. Lipman" wrote:

Bypass that part of the instructions.

Patch and then reboot your computer then perform the following...

In addition to what Malke stated...

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

Open a Command Prompt.

In the Command Prompt type the following...

CHKDSK C: /F

If it replies..
"Chkdsk cannot run because the volume is in use by another process.
Would you like to schedule this volume to be checked the next time the system restarts?
(Y/N)"

Choose - Y

type; EXIT

Reboot the PC.

A full Check Disk will be performed; allow it.

When it reboots, perform a defragmentation of the hard disk.

You can get to the Defragmenting program easily by executing; dfrg.msc

Start --> run ->
type; dfrg.msc
 

Guest

Malke,

Interesting - when I ran Sysclean in Safe Mode, it found no viruses.
But the log indicated either "An error occurred while scanning file
........" or "Could not set file for reading on ......" because "Access is
denied." One other thing of interest: even in Safe Mode I cannot move files
or execute my Norton virus checker.

I do have a firewall, Netgear Firewall Router; up to date antivirus program,
Norton; & I have installed all Microsoft patches (my system is set to
automatically update).

Any thoughts on how to proceed? Thanks.

jimr

Malke said:
jimr said:
I may have contracted a virus/worm similar to Blaster. The System Shutdown
notice says that it was initiated by NTAuthority\System. It further
says, "Win must now shut down because the Remote Procedure Call (RPC)
service terminated unexpectedly." I have attempted to run Norton Antivirus and
the Symantec W32.Blaster Worm Fix Tool 1.0.6.1, but the power will not
remain on long enough to complete the scans. I have also looked at the registry
for both the W32.Toxbot and W32.Toxbot B worms, but there are no
indications as per the Symantec web site. How can I keep the power from shutting down so I can
run anti-virus cleaners, or is there something else I can do? Thanks.

You can stop the shutdown by doing Start>Run shutdown -a [enter]

Because some of the Sasser/Agobot worms break AV software, if your NAV
won't run, get TrendMicro's Sysclean from a different known-clean computer,
burn it to CD-R and then on the infected machine run it in
Safe Mode:

TrendMicro's Sysclean is an extensive antivirus tool which has the
advantage of not needing to be installed. It requires two parts - the
scanning engine and the virus pattern files.

1. Create a new folder on your Desktop or the C: drive named something
useful like "Sysclean".
2. Go here and download the two parts of the program to that folder:

http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files

The pattern files will be zipped - extract them with your unzipper (like
WinZip) or if you have XP, you can just open the folder. You need to
put the extracted files in the Sysclean folder you made.

3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly
tapping the F8 key as the computer is starting up to get to the proper
menu.
4. Go to the Sysclean folder you made and double-click on sysclean.com.
Start the scan. After the scan is finished, look at the log. You may
need to make a note of where any viruses were found if they were not
able to be removed so you can manually delete them.

After your scan with Sysclean, you should be able to update your NAV
definitions and do a thorough scan in Safe Mode.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
 

Guest

Dave,

Interesting - when I ran Sysclean in Safe Mode, it found no viruses.
But the log indicated either "An error occurred while scanning file
.....(listing of numerous files)..." or "Could not set file for reading on
...(listing of numerous files)...." due to "Access is denied." One other
thing of interest: even in Safe Mode I cannot move files or execute my Norton
antivirus program. Additionally, the defrag program will not execute.

I do have a firewall, Netgear Firewall Router; up to date antivirus program,
Norton; & I have installed all Microsoft patches (my system is set to
automatically update).

Any thoughts on how to proceed?
 

David H. Lipman

From: "jimr" <[email protected]>

| Dave,
|
| Interesting - when I ran Sysclean in Safe Mode, it found no viruses.
| But the log indicated either "An error occurred while scanning file
| ....(listing of numerous files)..." or "Could not set file for reading on
| ..(listing of numerous files)...." due to "Access is denied." One other
| thing of interest: even in Safe Mode I cannot move files or execute my Norton
| antivirus program. Additionally, the defrag program will not execute.
|
| I do have a firewall, Netgear Firewall Router; up to date antivirus program,
| Norton; & I have installed all Microsoft patches (my system is set to
| automatically update).
|
| Any thoughts on how to proceed?
|
|
| "David H. Lipman" wrote: |

And what about Stinger ?
 

Guest

Hi David,

Thank you for your detailed instructions.

I've done all of your suggestions.

I've run Sysclean in Safe Mode and
run Stinger, and both found no virus.
I've also tried to run KB835732, and it says my system is patched newer
than KB835732 and refuses to run.

The situation is:
1. I set up my computer to download and install Windows Updates automatically, and
whenever a new update comes, I install it. So I am sure my computer is always
patched.
2. I have McAfee Enterprise 8.0 and always keep it up to date.
3. I have also scanned the hard disk using the newest Norton Anti-virus and found
nothing.

I think my situation is the same as jimr's. I cannot have a full startup before
the system shutdown message comes up. Even if I have a chance to run "shutdown -a"
to stop it, the system seems to have halted most functions (e.g. no network; trying to
run most programs ends up with "not responding").

Is there any chance there is no virus or worm and the system has a bad
registration or config file? In the end, I have had a chance to run chkdsk
and found no errors.

regards,
Yapeng
 

Guest

yapeng said:
Hi David,

Thank you for your detailed instructions.

I've done all of your suggestions.

I've run Sysclean in Safe Mode and
run Stinger, and both found no virus.
I've also tried to run KB835732, and it says my system is patched newer
than KB835732 and refuses to run.

The situation is:
1. I set up my computer to download and install Windows Updates automatically, and
whenever a new update comes, I install it. So I am sure my computer is always
patched.
2. I have McAfee Enterprise 8.0 and always keep it up to date.
3. I have also scanned the hard disk using the newest Norton Anti-virus and found
nothing.

Sorry, to make it clear: this was done by removing the hard disk and plugging it
into another computer using a USB caddy box. The anti-virus programs stop
responding if I run them on the doomed computer.
 

David H. Lipman

From: "yapeng" <[email protected]>

| Hi David,
|
| Thank you for your detailed instructions.
|
| I've done all of your suggestions.
|
| I've run Sysclean in Safe Mode and
| run Stinger, and both found no virus.
| I've also tried to run KB835732, and it says my system is patched newer
| than KB835732 and refuses to run.
|
| The situation is:
| 1. I set up my computer to download and install Windows Updates automatically, and
| whenever a new update comes, I install it. So I am sure my computer is always
| patched.
| 2. I have McAfee Enterprise 8.0 and always keep it up to date.
| 3. I have also scanned the hard disk using the newest Norton Anti-virus and found
| nothing.
|
| I think my situation is the same as jimr's. I cannot have a full startup before
| the system shutdown message comes up. Even if I have a chance to run "shutdown -a"
| to stop it, the system seems to have halted most functions (e.g. no network; trying to
| run most programs ends up with "not responding").
|
| Is there any chance there is no virus or worm and the system has a bad
| registration or config file? In the end, I have had a chance to run chkdsk
| and found no errors.
|
| regards,
| Yapeng
|
| "David H. Lipman" wrote:
| |

Well it is NOT the same as jimr's, as his error is in RPC/RPCSS and yours is in LSASS.

Since we will "assume" that the LSASS patch is installed: disconnect the LAN connection
from the PC and reboot. If there is NO network connection and the NT SYSTEM/SHUTDOWN
message is shown, the source is internal to the OS and is NOT the result of Internet worm
activity.

If you disconnect the LAN connection from the PC and NO NT SYSTEM/SHUTDOWN message is
experienced, then the patch was NOT successfully installed and it will have to be removed
from the Control Panel applet "Add/Remove Programs" and the patch should be installed in
Safe Mode to make sure it is installed properly.
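As an added example (not part of the thread, and not code from any of the posters), here is a small Python helper that encodes the triage David applies in the post above: it reads the text of the System Shutdown notice, tells the RPC/RPCSS case (jimr) from the LSASS case (yapeng), converts the signed decimal status code Windows prints (-1073741819) to its NTSTATUS value 0xC0000005, which is STATUS_ACCESS_VIOLATION, maps each component to the bulletin/KB named in the thread, and records the unplug-the-LAN test as a function. The sample notice strings are constructed for the example, and the function and table names are my own, not anything on the page.

```python
"""Triage the NT AUTHORITY\\SYSTEM forced-shutdown notice.

Given the text of the System Shutdown dialog, work out which component
died and with what status, then map it to the patch and worm family the
thread associates with that component, and encode the unplug-the-LAN test.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample notices (illustrative wording, not captured from the
# posters' machines). Backslashes are doubled for Python.
SAMPLE_RPC = (
    "System Shutdown\n"
    "This shutdown was initiated by NT AUTHORITY\\SYSTEM\n"
    "Windows must now restart because the Remote Procedure Call (RPC) "
    "service terminated unexpectedly"
)
SAMPLE_LSASS = (
    "System Shutdown\n"
    "This shutdown was initiated by NT AUTHORITY\\SYSTEM\n"
    "The system process 'C:\\WINDOWS\\system32\\lsass.exe' terminated "
    "unexpectedly with status code -1073741819."
)

# Component -> (bulletin/KB named in the thread, worm family named for it).
THREAD_HINTS = {
    "rpcss": ("MS04-012 / KB828741", "Blaster-style (RPC/DCOM)"),
    "lsass.exe": ("KB835732 (MS04-011)", "Sasser-style (LSASS)"),
}
STATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

RPC_RE = re.compile(
    r"Remote Procedure Call \(RPC\) service terminated unexpectedly", re.I)
PROC_RE = re.compile(
    r"(?P<proc>[\w-]+\.exe)'?\s+terminated unexpectedly"
    r"(?:\s+with status code\s+(?P<code>-?\d+))?", re.I)


@dataclass
class Triage:
    component: str           # normalised name of what crashed
    ntstatus: Optional[int]  # unsigned NTSTATUS, when the notice gives one
    status_name: str
    patch: str               # what the thread points at for this component
    worm_family: str


def to_ntstatus(signed: int) -> int:
    """Windows prints the status as a signed 32-bit decimal; recover NTSTATUS."""
    return signed & 0xFFFFFFFF


def triage(notice: str) -> Triage:
    """Classify a forced-shutdown notice by the component that died."""
    component, code = "unknown", None
    if RPC_RE.search(notice):
        component = "rpcss"
    else:
        m = PROC_RE.search(notice)
        if m:
            component = m.group("proc").lower()
            if m.group("code"):
                code = to_ntstatus(int(m.group("code")))
    patch, family = THREAD_HINTS.get(
        component, ("no bulletin named in the thread", "unknown"))
    status_name = "n/a" if code is None else STATUS_NAMES.get(code, "unlisted")
    return Triage(component, code, status_name, patch, family)


def lan_test_verdict(lan_unplugged: bool, notice_still_appears: bool) -> str:
    """The isolation test from the post: unplug the LAN, reboot, watch for the notice."""
    if not lan_unplugged:
        return "inconclusive: repeat the boot with the LAN cable unplugged"
    if notice_still_appears:
        return "source is internal to the OS/installed software, not live worm traffic"
    return "notice stops when offline: the patch did not take; remove and reinstall it in Safe Mode"


if __name__ == "__main__":
    for sample in (SAMPLE_RPC, SAMPLE_LSASS):
        t = triage(sample)
        shown = hex(t.ntstatus) if t.ntstatus is not None else "none"
        print(f"{t.component:10} status={shown} ({t.status_name}) -> "
              f"{t.patch}; {t.worm_family}")
    print(lan_test_verdict(True, True))
```

Run it with the notice text pasted into a string; the RPC wording carries no status code, so `ntstatus` stays `None` for that case, while the LSASS wording decodes to 0xC0000005. An access violation inside a network-facing service is the expected signature of the overflow exploits these worms used, which is why the thread keeps asking whether the matching patch actually installed.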
 

Guest

HI David, thank you for your quick reply.

The system shutdown message will appear when there is no LAN connection. It
DOES come from inside the computer.

Another thing is the system shutdown message can be caused from
"services.exe" "lsass.exe" or DCom.

regards,
Yapeng
 

Guest

Hi David:

David H. Lipman said:
From: "yapeng" <[email protected]>

| HI David, thank you for your quick reply.
|
| The system shutdown message will appear when there is no LAN connection. It
| DOES come from inside the computer.
|
| Another thing is the system shutdown message can be caused from
| "services.exe" "lsass.exe" or DCom.
|
| regards,
| Yapeng
| "David H. Lipman" wrote:
|

Well you indicated --- "system.exe -1073741819", DCom to lasse.exe" <----- (LSASS.EXE ?)

Is that the EXACT message or are there typos in it ?

yapeng: Sorry for my typo. The shutdown message was caused by services.exe, DCOM
or lsass.exe (one of them) whenever I switch on my machine.

In any case, that is NOT the NT SYSTEM/SHUTDOWN message that jimr has.

It is possible that non-viral malware is the causative factor.

Again; when you get the NT SYSTEM/SHUTDOWN message, execute; shutdown -a

and perform the following.

1) Download the following item...

Adaware SE
http://www.lavasoftusa.com/

2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode
4) Using Adaware SE, perform a Full Scan of your platform and clean/delete
any parasites found.
5) Restart your PC and perform a "final" Full Scan of your platform using Adaware
6) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
8) Create a new Restore point


If you weren't using that *STUPID* CDO web front-end to the MS News Groups and you were
using a News Client to access the News Server you would see my attachment ! Then you would
see the "exact" error message the Sasser worm creates through LSASS and cause the NT
SYSTEM/SHUTDOWN message.

The following URL will take you to THIS News Group. Hopefully you can use your default
browser, find this thread and see the attachment.

news://msnews.microsoft.com/microsoft.public.windowsxp.security_admin

yapeng: I've disabled System Restore in Safe Mode.

Then I tried to transfer the latest Ad-Aware SE with the newest definitions
and made a full scan in Safe Mode, found some spyware and cookies and deleted
them all.

When I restart the system again in normal mode, the shutdown message still
comes.

By the way, I am using another computer; my computer cannot boot fully
and thus is not able to connect to the Internet.

regards,
 

Guest

Dave,

Sorry, I forgot to mention that I got a setup error message when I attempted
to install MS04-012 KB828741 that said:

"Setup has detected that the Service Pack version of this system is newer
than the update you are applying. There is no need to install this update."

Given that nothing you have suggested seems to remedy the problem, it looks
to me like I will have to reinstall WinXP; however, the version that came on
this computer is WinXP Service Pack 1 and the current version on the system is:
Microsoft (R) Windows (R) (Build 2600.xpsp_sp2_rtm.040803-2158 : Service
Pack 2).

Therefore, the system gives me an error message indicating that the current
version is newer than the one I am attempting to install and that some programs
will not run. Does this mean that if I use the current CD to repair the
system and then apply all of the MS updates that some of my applications will
have to also be reinstalled?

Let me know if you think this is the only thing left to do in order to
restore the system. Thanks.

jimr
 

David H. Lipman

From: "jimr" <[email protected]>

| Dave,
|
| Sorry, I forgot to mention that I got a setup error message when I attempted
| to install MS04-012 KB828741 that said:
|
| "Setup has detected that the Service Pack version of this system is newer
| than the update you are applying. There is no need to install this update."
|
| Given that nothing you have suggested seems to remedy the problem, it looks
| to me like I will have to reinstall WinXP; however, the version that came on
| this computer is WinXP Service Pack 1 and the current version on the system is:
| Microsoft (R) Windows (R) (Build 2600.xpsp_sp2_rtm.040803-2158 : Service
| Pack 2).
|
| Therefore, the system gives me an error message indicating that the current
| version is newer than the one I am attempting to install and that some programs
| will not run. Does this mean that if I use the current CD to repair the
| system and then apply all of the MS updates that some of my applications will
| have to also be reinstalled?
|
| Let me know if you think this is the only thing left to do in order to
| restore the system. Thanks.
|
| jimr
|
| "David H. Lipman" wrote:
||>> Dave,
|>>
|>> I forgot to mention that Stinger did not detect any viruses.
|>>
|>> jimr
|>>
|>> "David H. Lipman" wrote:
|>>

If you are doing a repair/install, you have to slip-stream WinXP SP2 files onto the WinXP
SP1 installation-distribution files to bring the installation-distribution files to SP2
level before a repair/install can be performed.
 