
Shutdown Initiated by NT Authority /System 5

Hi, bcastner,

Did you hear about a copycat of the blast virus? On the Symantec site it is level 4. I have those files on my machine, c:\windows\wins\dllhost.exe and c:\windows\wins\svchost.exe. Your advice is to delete them?
 
menny10,

Yes, manarth pointed it out to me five messages up. See the link he provided for manual removal instructions. I offer the alternative of moving the clock ahead to 1/30/2004, rebooting, then setting the clock back to correct date and time, and deleting the two files you found by hand.
 
bcastner,
I'm confused when you said to delete svchost.exe.
Isn't this a valid file? I have both files running on my computer: c:\windows\wins\dllhost.exe and c:\windows\wins\svchost.exe (WinXP). Actually I think it's in the sys32 folder.
This article describes Svchost.exe and its functions.
tav
 
tav1035,

This msblast variant creates two files in c:\windows\wins named svchost.exe and dllhost.exe. These are obviously not the same as the versions found in c:\windows\system32.

The latter files should not be touched, but in point of fact, if you managed to delete them (non-trivial), they would immediately be replaced by XP from its cache.

See this note for further details:
 
Hi everyone!

The virus attacked my Win2k. I applied the patch and ran Symantec's removal tool. It removed the virus and I could go to work again. The next day my system rebooted and couldn't find the HD. I turned off my computer and started it again with no apparent problem. Suddenly it rebooted again and again and again. I disconnected my internet cable and I could work.

Can anyone help me with this? I scanned my files with Norton Antivirus (updated to August 18) and it couldn't find anything. I ran the removal tool again and it didn't find the virus. I searched the registry key and found nothing. Task Manager doesn't show msblast.exe running. My CPU usage is low (6%). What else can I do?

Enrique
Sorry, English is not my first language.
 
Norton provided two updates through Live Update today alone due to all the new worms/viruses.

Refresh the virus definitions and scan again.
 
New virus?

I was able to successfully rid my computer (running XP Home Edition) of the msblast virus a few days ago. Yesterday I was FTP'ing files to my website and soon after my computer started exhibiting problems similar to msblast (i.e. continuously rebooting). My computer may have contracted the virus that adds dllhost and svchost, but I am not sure.

1) How do I stop TCP port 135? (Network Connections -> Local Area Connection Properties -> TCP/IP -> Advanced -> Options -> TCP/IP Filtering? Is this where it is located? The options seem to be for permitting the ports and not excluding them.)

2) My computer will not allow me to initiate ICF (internet connection firewall) and an error dialog box pops up.

3) I have tried to rerun the patch from MS and an error dialog box pops up as well and will not install it.

Please help thanks!

Richard
 
rlee16,

The port filtering section of TCP/IP properties is for blocking outbound, not inbound, connections on a port.

If you are having problems enabling ICF, you might consider using a free third-party firewall.

With a little google help you should find excellent free firewalls from:

Tiny Personal Firewall
Sygate Personal Firewall
Kerio Personal Firewall
Black Ice Defender
And while it is sort of "hidden", there is still available a freeware Zone Alarm.

I use Kerio, do not much care for Zone Alarm, but very much like all the others listed.
 
I've got a DEC Alpha machine running Win2K Server. Is there a blaster patch available for this?!?!

M.S
 
Go to the Windows Update site and scan for updates. The RPC vulnerability patch does apply to Win2k server.

You might also consider the vulnerability scan tool from Microsoft. It will do a network analysis of vulnerable workstations and servers:
 
Yes, but the patch that is available appears to be only for Intel machines..... I need one for DEC Alpha... when I run the patch it does not install..... I've managed to install it on all the other Intel machines but not this one.

M.S
 
In your situation you do not need the msblast patch, as the payload will not execute even if infected, even if the agent manages to secure a valid connection on port 135 UDP.

Just block port 135 UDP inbound from the internet; you can leave it open on the intranet.

Configure the failure options for the RPC service itself to take no action.

 
Hi thanks for your help.
I just realised I was providing the wrong information (even though perhaps someone may be able to benefit from it)... It's actually an NT4 server with SP6a applied.

Is there anything I can do for this?!?

M.S
 
For NT workstations, and NT Server:
For NT Terminal Server Edition:
Type Winver on the server to find out the version you should use.

Note also this is still only for Intel processor machines, as only they will execute the worm code.

Make certain you are firewalled on the internet side for port 135, and 137-139 TCP and UDP. Your network will stop working if you firewall on the LAN side for these ports.
 
I have sat here and read these posts, then re-read again. Hoping I had missed something...

MS has been pushing this patch like it was a moneymaker since June 16th. Msblast\Lovsan\OpaS\SoBig, whichever one you have:

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer. Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations. Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

(Reboot a few times, then turn it back on. This will remove all of your previous restore points and start a new batch.) I don't know anything that will remove a virus from a restore archive, and you certainly don't want to take a chance on restoring to one of these by mistake in future. If you disable System Restore, you are then able to disinfect within the restore files.

IF you can not obtain the patch, try this procedure:
Start > Run, and enter the command shutdown -a; it will stop the computer from shutting down (94% of the time).

I have the patches for 2000 & XP plus the Fixblast.exe on a couple of floppies, and I also blocked ports 135 and 4444 and UDP port 69 (TFTP).
A friend uses SUS and a good distributed AV on his 2000 Pro system.
System Update Service Homepage

IIS Lockdown

Microsoft Baseline Security Analyzer

Security Bulletin and links to download the hotfix that fixes the vulnerability this virus exploits


SHIELDS UP!!!

Useful quick port scan (135, 4444 and 69 are the ports you want to make sure are closed to be sure you are protected).
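The two checks that recur in this thread, the dropped copies under c:\windows\wins (bcastner's note above) and whether the ports fhredi lists are reachable, as an added example that is not code from the thread or from any of the posters. The paths and port list are taken from the thread; the Windows root is passed in, and the port check only tests TCP (69/UDP cannot be verified by a TCP connect). Run against 127.0.0.1 it shows what is listening on the host; only a run from a machine on the internet side of the firewall proves those ports are actually blocked there.

```python
import os
import socket
from typing import Dict, Iterable, List

# Copies this msblast variant drops, relative to the Windows directory (from
# the thread). The svchost.exe/dllhost.exe in system32 are legitimate: not checked.
ROGUE_RELATIVE = (os.path.join("wins", "svchost.exe"),
                  os.path.join("wins", "dllhost.exe"))

# TCP ports the thread says must be closed on the internet side. 69/UDP (TFTP)
# is named there too, but a TCP connect cannot test a UDP port, so it is left out.
WATCH_TCP_PORTS = (135, 137, 138, 139, 4444)


def find_rogue_files(windows_root: str) -> List[str]:
    """Return the dropped copies that exist under windows_root (empty if clean)."""
    found = []
    for rel in ROGUE_RELATIVE:
        candidate = os.path.join(windows_root, rel)
        if os.path.isfile(candidate):
            found.append(candidate)
    return found


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if host:port accepts a TCP connection within timeout seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        # connect_ex returns 0 on success, an errno (e.g. ECONNREFUSED) otherwise
        return sock.connect_ex((host, port)) == 0


def scan_ports(host: str, ports: Iterable[int] = WATCH_TCP_PORTS) -> Dict[int, bool]:
    """Map each port to whether it accepted a connection from this vantage point."""
    return {port: tcp_port_open(host, port) for port in ports}


def check_host(windows_root: str, host: str = "127.0.0.1") -> Dict[str, object]:
    """Combine both checks; 'clean' is True only if nothing at all was found."""
    rogue = find_rogue_files(windows_root)
    reachable = sorted(p for p, is_open in scan_ports(host).items() if is_open)
    return {"rogue_files": rogue, "open_ports": reachable,
            "clean": not rogue and not reachable}


if __name__ == "__main__":
    # SystemRoot is set on Windows; the fallback path is an assumption.
    print(check_host(os.environ.get("SystemRoot", r"C:\Windows")))
```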
 
fhredi,

Most of the discussion in this thread was generated on the 11th and early on the 12th of September, when the biggest concern was staying online long enough to download the MS patch.

There were close to 20 threads at one point all dealing with aspects of msblast, including some longer range issues such as you raise above.

You made several good points, let me comment on two of them:

First, when you disable system restore, all restore points are removed. You do not need to turn the machine off and on again several times.

from Help and Support:

"To clear existing restore points

Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
Click to add a check mark beside Turn off System Restore on all Drives, and click Apply.
When you are warned that all existing Restore Points will be deleted, click Yes to continue.
All system restore points are deleted."

Second note: you say it is not possible for AV programs to remove a virus from a restore set. I do not know if this is true or not; usually they use their quarantine features to prevent the reload rather than a physical removal. This is safe enough.

If I were to program the routine, I would approach it by:
. removing the file(s), if they exist, from the MRU table
. removing the file entries from ControlSet001 and any other sets that exist beyond the CurrentControlSet.

These two steps would ensure that even if System Restore were active the files would not be scheduled for replacement by the choice of a restore point. As a guess, this is essentially the "quarantine" process after removing the actual files from affected directories and the cache.

Best.

Bill Castner
 
"To clear existing restore points
Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
Click to add a check mark beside Turn off System Restore on all Drives, and click Apply.
When you are warned that all existing Restore Points will be deleted, click Yes to continue.
All system restore points are deleted."
Yes, that's the correct way (and the one I used). My "idea" was trying to figure out a 'quicker' way in case the machine was rebooting itself too quickly if the -a command didn't work.
Temporarily turning off System Restore is simply a "precautionary" measure, as 2 out of 7 of the people I have helped with this situation that did not turn it off have been reinfected in some way or other, i.e. can't connect to network, etc. The ONLY thing they had in common was no AV (at the time) and NOT shutting down System Restore prior.
I don't pretend to understand the "logistics" of it, and I realize that 2 out of 7 may not sound like much and of course there were probably other factors involved, but 2 out of 7 was enough to make me think I should post it.
After reading my original post, my apologies, I should have stated this as a precautionary measure only.
Ha! No "PARANOIA" here!!! (I need a Valium, I guess...)
 
And apparently not enabling a firewall. Even the native XP firewall is sufficient to block the RPC exploit. And apparently not applying the MS patch, as even if re-infected, the RPC vulnerability patch would avoid the deliberate buffer overflow that is at the core of the shutdown issue for msblast.
 