
Suspected Virus/Worm Causing PC to Power Off

Anonymous
March 10, 2005 7:47:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin

I may have contracted a virus/worm similar to Blaster. The System Shutdown
notice says that it was initiated by NTAuthority\System. It further says,
"Win must now shutdown because the Remote Procedure Call (RPC) service
terminated unexpectedly." I have attempted to run Norton Antivirus & the
Symantec W32.Blaster Worm Fix Tool 1.0.6.1, but the power will not remain on
long enough to complete the scans. I have also looked at the registry for both
the W32.Toxbot & W32.Toxbot B worms, but there are no indications as per the
Symantec web site. How can I keep power from shutting down so I can run
anti-virus cleaners or is there something else I can do? Thanks.
March 10, 2005 8:27:10 PM


jimr wrote:

> I may have contracted a virus/worm similar to Blaster. The System
> Shutdown
> notice says that it was initiated by NTAuthority\System. It further
> says, "Win must now shutdown because the Remote Procedure Call (RPC)
> service
> terminated unexpectedly." I have attempted to run Norton Antivirus &
> the Symantec W32.Blaster Worm Fix Tool 1.0.6.1, but the power will not
> remain on
> long enough to complete the scans. I have also looked at the registry
> for both the W32.Toxbot & W32.Toxbot B worms, but there are no
> indications as per the
> Symantec web site. How can I keep power from shutting down so I can
> run
> anti-virus cleaners or is there something else I can do? Thanks.

You can stop the shutdown by doing Start>Run shutdown -a [enter]

Because some of the Sasser/Agobot worms break av software, if your NAV
won't run, from a different known-clean computer get TrendMicro's
Sysclean, burn it to cd-r and then on the infected machine run it in
Safe Mode:

TrendMicro's Sysclean is an extensive antivirus tool which has the
advantage of not needing to be installed. It requires two parts - the
scanning engine and the virus pattern files.

1. Create a new folder on your Desktop or the C: drive named something
useful like "Sysclean".
2. Go here and download the two parts of the program to that folder:

http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files

The pattern files will be zipped - extract them with your unzipper (like
WinZip) or if you have XP, you can just open the folder. You need to
put the extracted files in the Sysclean folder you made.

3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly
tapping the F8 key as the computer is starting up to get to the proper
menu.
4. Go to the Sysclean folder you made and double-click on sysclean.com.
Start the scan. After the scan is finished, look at the log. You may
need to make a note of where any viruses were found if they were not
able to be removed so you can manually delete them.

After your scan with Sysclean, you should be able to update your NAV
definitions and do a thorough scan in Safe Mode.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
Anonymous
March 10, 2005 11:25:10 PM


From: "jimr" <jimr@discussions.microsoft.com>

| I may have contracted a virus/worm similar to Blaster. The System Shutdown
| notice says that it was initiated by NTAuthority\System. It further says,
| "Win must now shutdown because the Remote Procedure Call (RPC) service
| terminated unexpectedly." I have attempted to run Norton Antivirus & the
| Symantec W32.Blaster Worm Fix Tool 1.0.6.1, but the power will not remain on
| long enough to complete the scans. I have also looked at the registry for both
| the W32.Toxbot & W32.Toxbot B worms, but there are no indications as per the
| Symantec web site. How can I keep power from shutting down so I can run
| anti-virus cleaners or is there something else I can do? Thanks.


When you get the shutdown message ...

Go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/ and install the following patch for the
RPC/RPCSS and DCOM Vulnerabilities that are addressed by Microsoft Security Bulletin
MS04-012 - KB828741
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741
and ...
http://www.microsoft.com/technet/security/bulletin/ms04...
and finally...
http://www.microsoft.com/security/incident/blast.asp

You also need a FireWall.
If you don't patch the PC and don't use a FireWall then you will just be re-infected.

I also suggest the installation of ALL MS Critical Updates ASAP.



1) Download the following three items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt484.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...
3) Reboot your PC into Safe Mode and shut down as many applications as possible
4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
platform and clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform using both.
6) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
8) Create a new Restore point

* * Please report back your results * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Anonymous
March 11, 2005 10:51:08 AM


David,

Thanks for the information. I have just begun to follow the directions &
discovered that the link to Stinger has changed. It is now:

http://vil.nai.com/vil/averttools.asp

jimr

"David H. Lipman" wrote:

> From: "jimr" <jimr@discussions.microsoft.com>
>
> | I may have contracted a virus/worm similar to Blaster. The System Shutdown
> | notice says that it was initiated by NTAuthority\System. It further says,
> | "Win must now shutdown because the Remote Procedure Call (RPC) service
> | terminated unexpectedly." I have attempted to run Norton Antivirus & the
> | Symantec W32.Blaster Worm Fix Tool 1.0.6.1, but the power will not remain on
> | long enough to complete the scans. I have also looked at the registry for both
> | the W32.Toxbot & W32.Toxbot B worms, but there are no indications as per the
> | Symantec web site. How can I keep power from shutting down so I can run
> | anti-virus cleaners or is there something else I can do? Thanks.
>
>
> When you get the shutdown message ...
>
> Go to; Start --> Run
> enter; shutdown -a
>
> This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
> Stinger: http://vil.nai.com/vil/stinger/ and install the following patch for the
> RPC/RPCSS and DCOM Vulnerabilities that are addressed by Microsoft Security Bulletin
> MS04-012 - KB828741
> http://support.microsoft.com/default.aspx?scid=kb;en-us;828741
> and ...
> http://www.microsoft.com/technet/security/bulletin/ms04...
> and finally...
> http://www.microsoft.com/security/incident/blast.asp
>
> You also need a FireWall.
> If you don't patch the PC and don't use a FireWall then you will just be re-infected.
>
> I also suggest the installation of ALL MS Critical Updates ASAP.
>
>
>
> 1) Download the following three items...
>
> McAfee Stinger
> http://vil.nai.com/vil/stinger/
>
> Trend Sysclean Package
> http://www.trendmicro.com/download/dcs.asp
>
> Latest Trend signature files.
> http://www.trendmicro.com/download/pattern.asp
>
> Create a directory.
> On drive "C:\"
> (e.g., "c:\New Folder")
> or the desktop
> (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
>
> Download SYSCLEAN.COM and place it in that directory.
> Download the Trend Pattern File by obtaining the ZIP file.
> For example; lpt484.zip
>
> Extract the contents of the ZIP file and place the contents in the same directory as
> SYSCLEAN.COM.
>
> 2) Disable System Restore
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...
> 3) Reboot your PC into Safe Mode and shut down as many applications as possible
> 4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
> platform and clean/delete any infectors found
> 5) Restart your PC and perform a "final" Full Scan of your platform using both.
> 6) Re-enable System Restore and re-apply any System Restore preferences,
> (e.g. HD space to use suggested 400 ~ 600MB),
> 7) Reboot your PC.
> 8) Create a new Restore point
>
> * * Please report back your results * *
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
>
>
>
Anonymous
March 11, 2005 2:29:05 PM


David,

Something is preventing me from disabling system restore. Each time I
attempt to disable system restore, I get an error message indicating that
there is a problem with one of the drives that prevents system restore from being
disabled. It instructs me to restart & try again. Any thoughts on how to
overcome this problem? Thanks.

jimr

"David H. Lipman" wrote:

> From: "jimr" <jimr@discussions.microsoft.com>
>
> | I may have contracted a virus/worm similar to Blaster. The System Shutdown
> | notice says that it was initiated by NTAuthority\System. It further says,
> | "Win must now shutdown because the Remote Procedure Call (RPC) service
> | terminated unexpectedly." I have attempted to run Norton Antivirus & the
> | Symantec W32.Blaster Worm Fix Tool 1.0.6.1, but the power will not remain on
> | long enough to complete the scans. I have also looked at the registry for both
> | the W32.Toxbot & W32.Toxbot B worms, but there are no indications as per the
> | Symantec web site. How can I keep power from shutting down so I can run
> | anti-virus cleaners or is there something else I can do? Thanks.
>
>
> When you get the shutdown message ...
>
> Go to; Start --> Run
> enter; shutdown -a
>
> This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
> Stinger: http://vil.nai.com/vil/stinger/ and install the following patch for the
> RPC/RPCSS and DCOM Vulnerabilities that are addressed by Microsoft Security Bulletin
> MS04-012 - KB828741
> http://support.microsoft.com/default.aspx?scid=kb;en-us;828741
> and ...
> http://www.microsoft.com/technet/security/bulletin/ms04...
> and finally...
> http://www.microsoft.com/security/incident/blast.asp
>
> You also need a FireWall.
> If you don't patch the PC and don't use a FireWall then you will just be re-infected.
>
> I also suggest the installation of ALL MS Critical Updates ASAP.
>
>
>
> 1) Download the following three items...
>
> McAfee Stinger
> http://vil.nai.com/vil/stinger/
>
> Trend Sysclean Package
> http://www.trendmicro.com/download/dcs.asp
>
> Latest Trend signature files.
> http://www.trendmicro.com/download/pattern.asp
>
> Create a directory.
> On drive "C:\"
> (e.g., "c:\New Folder")
> or the desktop
> (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
>
> Download SYSCLEAN.COM and place it in that directory.
> Download the Trend Pattern File by obtaining the ZIP file.
> For example; lpt484.zip
>
> Extract the contents of the ZIP file and place the contents in the same directory as
> SYSCLEAN.COM.
>
> 2) Disable System Restore
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...
> 3) Reboot your PC into Safe Mode and shut down as many applications as possible
> 4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
> platform and clean/delete any infectors found
> 5) Restart your PC and perform a "final" Full Scan of your platform using both.
> 6) Re-enable System Restore and re-apply any System Restore preferences,
> (e.g. HD space to use suggested 400 ~ 600MB),
> 7) Reboot your PC.
> 8) Create a new Restore point
>
> * * Please report back your results * *
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
>
>
>
Anonymous
March 11, 2005 4:46:49 PM


From: "jimr" <jimr@discussions.microsoft.com>

| David,
|
| Thanks for the information. I have just begun to follow the directions &
| discovered that the link to Stinger has changed. It is now:
|
| http://vil.nai.com/vil/averttools.asp
|
| jimr
|
| "David H. Lipman" wrote:

No change at all. Just an alternate.

--
Dave
Anonymous
March 11, 2005 6:05:09 PM


From: "jimr" <jimr@discussions.microsoft.com>

| David,
|
| Something is preventing me from disabling system restore. Each time I
| attempt to disable system restore, I get an error message indicating that
| there is a problem with one of the drives that prevents system restore from being
| disabled. It instructs me to restart & try again. Any thoughts on how to
| overcome this problem? Thanks.
|
| jimr
| "David H. Lipman" wrote:

Bypass that part of the instructions.

Patch and then reboot your computer then perform the following...

In addition to what Malke stated...

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

Open a Command Prompt.

In the Command Prompt type the following...

CHKDSK C: /F

If it replies..
"Chkdsk cannot run because the volume is in use by another process.
Would you like to schedule this volume to be checked the next time the system restarts?
(Y/N)"

Choose - Y

type; EXIT

Reboot the PC.

A full Check Disk will want to be performed, allow it.

When it reboots, perform a defragmentation of the hard disk.

You can get to the Defragmenting program easily by executing; dfrg.msc

Start --> run ->
type; dfrg.msc


--
Dave
Anonymous
March 12, 2005 11:51:01 AM


Malke,

Interesting - when I ran Sysclean in the SafeMode, it found no viruses.
But, the log indicated that either "An error occured while scanning file
........" or "Could not set file for reading on ......" because "Access is
denied." One other thing of interest, even in SafeMode I cannot move files
or execute my Norton virus checker.

I do have a firewall, Netgear Firewall Router; up-to-date antivirus program,
Norton; & I have installed all Microsoft patches (my system is set to
automatically update).

Any thoughts on how to proceed? Thanks.

jimr

"Malke" wrote:

> jimr wrote:
>
> > I may have contracted a virus/worm similar to Blaster. The System
> > Shutdown
> > notice says that it was initiated by NTAuthority\System. It further
> > says, "Win must now shutdown because the Remote Procedure Call (RPC)
> > service
> > terminated unexpectedly." I have attempted to run Norton Antivirus &
> > the Symantec W32.Blaster Worm Fix Tool 1.0.6.1, but the power will not
> > remain on
> > long enough to complete the scans. I have also looked at the registry
> > for both the W32.Toxbot & W32.Toxbot B worms, but there are no
> > indications as per the
> > Symantec web site. How can I keep power from shutting down so I can
> > run
> > anti-virus cleaners or is there something else I can do? Thanks.
>
> You can stop the shutdown by doing Start>Run shutdown -a [enter]
>
> Because some of the Sasser/Agobot worms break av software, if your NAV
> won't run, from a different known-clean computer get TrendMicro's
> Sysclean, burn it to cd-r and then on the infected machine run it in
> Safe Mode:
>
> TrendMicro's Sysclean is an extensive antivirus tool which has the
> advantage of not needing to be installed. It requires two parts - the
> scanning engine and the virus pattern files.
>
> 1. Create a new folder on your Desktop or the C: drive named something
> useful like "Sysclean".
> 2. Go here and download the two parts of the program to that folder:
>
> http://www.trendmicro.com/download/dcs.asp - Sysclean
> http://www.trendmicro.com/download/pattern.asp - virus pattern files
>
> The pattern files will be zipped - extract them with your unzipper (like
> WinZip) or if you have XP, you can just open the folder. You need to
> put the extracted files in the Sysclean folder you made.
>
> 3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly
> tapping the F8 key as the computer is starting up to get to the proper
> menu.
> 4. Go to the Sysclean folder you made and double-click on sysclean.com.
> Start the scan. After the scan is finished, look at the log. You may
> need to make a note of where any viruses were found if they were not
> able to be removed so you can manually delete them.
>
> After your scan with Sysclean, you should be able to update your NAV
> definitions and do a thorough scan in Safe Mode.
>
> Malke
> --
> MS MVP - Windows Shell/User
> www.elephantboycomputers.com
> In Memoriam - MVP Alex Nichol
> The world is diminished without him.
>
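The "Access is denied" lines jimr reports are the important part of that log: a scanner that could not open a file never examined it, so "no viruses found" does not mean the machine is clean. The script below is an added example, not part of the thread and not TrendMicro's Sysclean code. It parses a scanner log into three buckets (scanned OK, detections, files the scanner could not read) and refuses to call the result "clean" while any file went unread. The log format, file paths and the `Virus found:` line are constructed for illustration; real Sysclean output differs, so adapt the regular expressions to the log you actually have.

```python
"""Triage of an on-demand scanner log (added example, not from the thread
and not TrendMicro's Sysclean code).  A log that says "no virus found"
while also logging files it could not open is NOT a clean result: those
files were never examined.  Line formats are constructed around the phrases
jimr quoted; adjust the regexes to your real log."""
import re
from dataclasses import dataclass, field

# Constructed sample log; paths and wording are illustrative only.
SAMPLE_LOG = r"""
Scanning C:\WINDOWS\system32\kernel32.dll ... OK
Scanning C:\WINDOWS\system32\calc.exe ... OK
An error occured while scanning file C:\WINDOWS\system32\wuauclt.exe
Could not set file for reading on C:\WINDOWS\system32\drivers\etc\hosts: Access is denied.
Scanning C:\Documents and Settings\user\Local Settings\Temp\setup.exe ... OK
Could not set file for reading on C:\WINDOWS\system32\svchost.exe: Access is denied.
Scanning C:\WINDOWS\system32\notepad.exe ... OK
"""

# One pattern per line type.  "occured" is kept as the quoted log spells it.
SCANNED_OK = re.compile(r"^Scanning (?P<path>.+?) \.\.\. OK$")
DETECTED = re.compile(r"^Virus found: (?P<name>\S+) in (?P<path>.+?)(?: \((?P<action>[^)]*)\))?$")
SCAN_ERROR = re.compile(r"^An error occured while scanning file (?P<path>.+)$")
ACCESS_DENIED = re.compile(r"^Could not set file for reading on (?P<path>.+?): Access is denied\.$")


@dataclass
class ScanTriage:
    scanned_ok: int = 0
    detections: list = field(default_factory=list)  # (name, path, action)
    unscanned: list = field(default_factory=list)   # files the scanner could not read
    unparsed: list = field(default_factory=list)    # lines no pattern matched

    @property
    def verdict(self) -> str:
        """'infected' beats everything; unread files make 'clean' impossible to claim."""
        if self.detections:
            return "infected"
        if self.unscanned:
            return "inconclusive"
        return "clean"


def triage_log(text: str) -> ScanTriage:
    """Sort every non-empty log line into one of the buckets above."""
    result = ScanTriage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SCANNED_OK.match(line):
            result.scanned_ok += 1
        elif m := DETECTED.match(line):
            result.detections.append((m["name"], m["path"], m["action"] or "none"))
        elif m := SCAN_ERROR.match(line):
            result.unscanned.append(m["path"])
        elif m := ACCESS_DENIED.match(line):
            result.unscanned.append(m["path"])
        else:
            result.unparsed.append(line)
    return result


def report(t: ScanTriage) -> str:
    """Human-readable summary; the unread files are listed so they can be re-checked."""
    lines = [f"verdict: {t.verdict}", f"files scanned OK: {t.scanned_ok}"]
    for name, path, action in t.detections:
        lines.append(f"DETECTED {name} in {path} (action: {action})")
    for path in t.unscanned:
        lines.append(f"NOT SCANNED (access denied / read error): {path}")
    if t.unparsed:
        lines.append(f"unparsed lines: {len(t.unparsed)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage_log(SAMPLE_LOG)))
```

Run against the constructed log the verdict is "inconclusive", which is the honest reading of jimr's result: four files scanned, three never opened, none detected. The unread paths are exactly the ones to scan again from a clean boot medium, as Malke's advice to run from CD-R in Safe Mode intends.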
Anonymous
March 12, 2005 12:23:01 PM


Dave,

Interesting - when I ran Sysclean in the SafeMode, it found no viruses.
But, the log indicated that either "An error occured while scanning file
.....(listing of numerous files)..." or "Could not set file for reading on
...(listing of numerous files)...." due to "Access is denied." One other
thing of interest, even in SafeMode I cannot move files or execute my Norton
antivirus program. Additionally, the defrag program will not execute.

I do have a firewall, Netgear Firewall Router; up-to-date antivirus program,
Norton; & I have installed all Microsoft patches (my system is set to
automatically update).

Any thoughts on how to proceed?


"David H. Lipman" wrote:

> From: "jimr" <jimr@discussions.microsoft.com>
>
> | David,
> |
> | Something is preventing me from disabling system restore. Each time I
> | attempt to disable system restore, I get an error message indicating that
> | there is a problem with one of the drives that prevents system restore from being
> | disabled. It instructs me to restart & try again. Any thoughts on how to
> | overcome this problem? Thanks.
> |
> | jimr
> | "David H. Lipman" wrote:
>
> Bypass that part of the instructions.
>
> Patch and then reboot your computer then perform the following...
>
> In addition to what Malke stated...
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
>
> start --> settings --> control panel --> internet options --> delete files
>
> Open a Command Prompt.
>
> In the Command Prompt type the following...
>
> CHKDSK C: /F
>
> If it replies..
> "Chkdsk cannot run because the volume is in use by another process.
> Would you like to schedule this volume to be checked the next time the system restarts?
> (Y/N)"
>
> Choose - Y
>
> type; EXIT
>
> Reboot the PC.
>
> A full Check Disk will want to be performed, allow it.
>
> When it reboots, perform a defragmentation of the hard disk.
>
> You can get to the Defragmenting program easily by executing; dfrg.msc
>
> Start --> run ->
> type; dfrg.msc
>
>
> --
> Dave
>
>
>
Anonymous
March 12, 2005 4:32:51 PM


From: "jimr" <jimr@discussions.microsoft.com>

| Dave,
|
| Interesting - when I ran Sysclean in the SafeMode, it found no viruses.
| But, the log indicated that either "An error occured while scanning file
| ....(listing of numerous files)..." or "Could not set file for reading on
| ..(listing of numerous files)...." due to "Access is denied." One other
| thing of interest, even in SafeMode I cannot move files or execute my Norton
| antivirus program. Additionally, the defrag program will not execute.
|
| I do have a firewall, Netgear Firewall Router; up-to-date antivirus program,
| Norton; & I have installed all Microsoft patches (my system is set to
| automatically update).
|
| Any thoughts on how to proceed?
|
|
| "David H. Lipman" wrote:

And what about Stinger ?

--
Dave
Anonymous
March 12, 2005 4:32:52 PM


Dave,

I forgot to mention that Stinger did not detect any viruses.

jimr

"David H. Lipman" wrote:

> From: "jimr" <jimr@discussions.microsoft.com>
>
> | Dave,
> |
> | Interesting - when I ran Sysclean in the SafeMode, it found no viruses.
> | But, the log indicated that either "An error occured while scanning file
> | ....(listing of numerous files)..." or "Could not set file for reading on
> | ..(listing of numerous files)...." due to "Access is denied." One other
> | thing of interest, even in SafeMode I cannot move files or execute my Norton
> | antivirus program. Additionally, the defrag program will not execute.
> |
> | I do have a firewall, Netgear Firewall Router; up-to-date antivirus program,
> | Norton; & I have installed all Microsoft patches (my system is set to
> | automatically update).
> |
> | Any thoughts on how to proceed?
> |
> |
> | "David H. Lipman" wrote:
>
> And what about Stinger ?
>
> --
> Dave
>
>
>
Anonymous
March 12, 2005 7:38:14 PM


From: "jimr" <jimr@discussions.microsoft.com>

| Dave,
|
| I forgot to mention that Stinger did not detect any viruses.
|
| jimr
|
| "David H. Lipman" wrote:
|
>> From: "jimr" <jimr@discussions.microsoft.com>

That means you were not infected with a worm. Now have you installed the patch
indicated in KB828741 ?

http://support.microsoft.com/default.aspx?scid=kb;en-us;828741

--
Dave
Anonymous
March 12, 2005 8:47:08 PM


From: "yapeng" <yapeng@discussions.microsoft.com>

| Hi David,
|
| Thank you for your detailed instruction.
|
| I've done all of your suggestions
|
| I've run the sysclean in safemode.
| run stinger and both found no virus.
| I've also tried to run the KB835732 and it says my system is patched newer
| than the KB835732 and refuse to run it.
|
| The situation is :
| 1. I set up my computer to download and windows update automatically and
| whenever a new update come, I install it. So I am sure my computer is always
| patched.
| 2. I have McAfee enterprise 8.0 and always keep it up-to-date.
| 3. I have also scanned the hard disk using the newest Norton Anti-virus and found
| nothing.
|
| I think my situation is the same as jimr's. I cannot have a full startup before
| the system shutdown message comes up. Even if I have a chance to run "shutdown -a"
| to stop it, the system seems to have halted most functions (e.g. no network; trying to
| run most programs will end up with "not responding").
|
| Is there any chance there is no virus or worms and the system has a bad
| registration or config file. In the end, I have had a chance to run checkdisk
| and found no errors.
|
| regards,
| Yapeng
|
| "David H. Lipman" wrote:
|

Well it is NOT the same as jimr as his error is in RPC/RPCSS and yours is in LSASS.

Since we will "assume" that the LSASS patch is installed, disconnect the LAN connection
from the PC and reboot. If there is NO network connection and the NT SYSTEM/SHUTDOWN
message is shown, the source is internal to the OS and is NOT the result of Internet worm
activity.

If you disconnect the LAN connection from the PC and NO NT SYSTEM/SHUTDOWN message is
experienced then the patch was NOT successfully installed and it will have to be removed
from the Control Panel applet "add/remove programs" and the patch should be installed in
Safe Mode to make sure it is installed properly.

--
Dave
Anonymous
March 12, 2005 8:47:09 PM


HI David, thank you for your quick reply.

The system shutdown message will appear when there is no LAN connection. It
IS coming from inside the computer.

Another thing is the system shutdown message can be caused from
"services.exe" "lsass.exe" or DCom.

regards,
Yapeng
"David H. Lipman" wrote:

> From: "yapeng" <yapeng@discussions.microsoft.com>
>
> | Hi David,
> |
> | Thank you for your detailed instruction.
> |
> | I've done all of your suggestions
> |
> | I've run the sysclean in safemode.
> | run stinger and both found no virus.
> | I've also tried to run the KB835732 and it says my system is patched newer
> | than the KB835732 and refuse to run it.
> |
> | The situation is :
> | 1. I set up my computer to download and windows update automatically and
> | whenever a new update come, I install it. So I am sure my computer is always
> | patched.
> | 2. I have McAfee enterprise 8.0 and always keep it up-to-date.
> | 3. I have also scanned the hard disk using the newest Norton Anti-virus and found
> | nothing.
> |
> | I think my situation is the same as jimr's. I cannot have a full startup before
> | the system shutdown message comes up. Even if I have a chance to run "shutdown -a"
> | to stop it, the system seems to have halted most functions (e.g. no network; trying to
> | run most programs will end up with "not responding").
> |
> | Is there any chance there is no virus or worms and the system has a bad
> | registration or config file. In the end, I have had a chance to run checkdisk
> | and found no errors.
> |
> | regards,
> | Yapeng
> |
> | "David H. Lipman" wrote:
> | |
>
> Well it is NOT the same as jimr as his error is in RPC/RPCSS and yours is in LSASS.
>
> Since we will "assume" that the LSASS patch is installed, disconnect the LAN connection
> from the PC and reboot. If there is NO network connection and the NT SYSTEM/SHUTDOWN
> message is shown, the source is internal to the OS and is NOT the result of Internet worm
> activity.
>
> If you disconnect the LAN connection from the PC and NO NT SYSTEM/SHUTDOWN message is
> experienced then the patch was NOT successfully installed and it will have to be removed
> from the Control Panel applet "add/remove programs" and the patch should be installed in
> Safe Mode to make sure it is installed properly.
>
> --
> Dave
>
>
>
Anonymous
March 12, 2005 8:47:10 PM


Hi David:

"David H. Lipman" wrote:

> From: "yapeng" <yapeng@discussions.microsoft.com>
>
> | HI David, thank you for your quick reply.
> |
> | The system shutdown message will appear when there is no LAN connection. It
> | IS coming from inside the computer.
> |
> | Another thing is the system shutdown message can be caused from
> | "services.exe" "lsass.exe" or DCom.
> |
> | regards,
> | Yapeng
> | "David H. Lipman" wrote:
> |
> >> From: "yapeng" <yapeng@discussions.microsoft.com>
>
> Well you indicated --- "system.exe -1073741819", DCom to lasse.exe" <----- (LSASS.EXE ?)
>
> Is that the EXACT message or are there typos in it ?
sorry for my typo, the shutdown message was caused by services.exe, DCOM
or lsass.exe (one of them) whenever I switch on my machine
>
> In any case, that is NOT the NT SYSTEM/SHUTDOWN message that jimr has.
>
> It is possible that non-viral malware is the causative factor.
>
> Again; when you get the NT SYSTEM/SHUTDOWN message, execute; shutdown -a
>
> and perform the following.
>
> 1) Download the following item...
>
> Adaware SE
> http://www.lavasoftusa.com/
>
> 2) Disable System Restore
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...
> 3) Reboot your PC into Safe Mode
> 4) Using Adaware SE, perform a Full Scan of your platform and clean/delete
> any parasites found.
> 5) Restart your PC and perform a "final" Full Scan of your platform using Adaware
> 6) Re-enable System Restore and re-apply any System Restore preferences,
> (e.g. HD space to use suggested 400 ~ 600MB),
> 7) Reboot your PC.
> 8) Create a new Restore point
>
>
> If you weren't using that *STUPID* CDO web front-end to the MS News Groups and you were
> using a News Client to access the News Server you would see my attachment ! Then you would
> see the "exact" error message the Sasser worm creates through LSASS and cause the NT
> SYSTEM/SHUTDOWN message.
>
> The following URL will take you to THIS News Group. Hopefully you can use your default
> browser, find this thread and see the attachment.
>
> news://msnews.microsoft.com/microsoft.public.windowsxp.security_admin
>
> --
> Dave
>
>
>
I've disabled system restore in safemode.

Then, I've tried to transfer the latest Ad-aware SE with the newest definitions
and made a full scan in safe mode, found some spyware and cookies and deleted
them all.

When I restart the system again in normal mode, the shutdown message still
comes.

By the way, I am using another computer, my computer can not boot in full
thus not able to connect to the Internet.

regards,
Anonymous
March 13, 2005 1:13:01 PM


Dave,

Sorry, I forgot to mention that I got a setup error message when I attempted
to install MS04-012 KB828741 that said:

"Setup has detected that the Service Patch version of this system is newer
than the update you are applying. There is no need to install this update."

Given that nothing you have suggested seems to remedy the problem, it looks
to me like I will have to reinstall WinXP; however, the version that came on
this computer is WinXP Service Pack 1 & the current version on the system is:
Microsoft (R) Windows (R) (Build 2600.xpsp_sp2_rtm. 040803-2158 : Service
Pack 2).

Therefore, the system gives me an error message indicating that the current
version is newer than the one I am attempting to install & that some programs
will not run. Does this mean that if I use the current CD to repair the
system & then apply all of the MS updates that some of my applications will
have to also be reinstalled?

Let me know if you think this is the only thing left to do in order to
restore the system. Thanks.

jimr

"David H. Lipman" wrote:

> From: "jimr" <jimr@discussions.microsoft.com>
>
> | Dave,
> |
> | I forgot to mention that Stinger did not detect any viruses.
> |
> | jimr
> |
> | "David H. Lipman" wrote:
> |
> >> From: "jimr" <jimr@discussions.microsoft.com>
>
> That means you were not infected with a worm. Now have you installed the patch
> indicated in KB828741 ?
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;828741
>
> --
> Dave
>
>
>
Anonymous
March 13, 2005 4:22:39 PM


From: "jimr" <jimr@discussions.microsoft.com>

| Dave,
|
| Sorry, I forgot to mention that I got a setup error message when I attempted
| to install MS04-012 KB828741 that said:
|
| "Setup has detected that the Service Patch version of this system is newer
| than the update you are applying. There is no need to install this update."
|
| Given that nothing you have suggested seems to remedy the problem, it looks
| to me like I will have to reinstall WinXP; however, the version that came on
| this computer is WinXP Service Pack 1 & the current version on the system is:
| Microsoft (R) Windows (R) (Build 2600.xpsp_sp2_rtm. 040803-2158 : Service
| Pack 2).
|
| Therefore, the system gives me an error message indicating that the current
| version is newer than the one I am attempting to install & that some programs
| will not run. Does this mean that if I use the current CD to repair the
| system & then apply all of the MS updates that some of my applications will
| have to also be reinstalled?
|
| Let me know if you think this is the only thing left to do in order to
| restore the system. Thanks.
|
| jimr
|
| "David H. Lipman" wrote:
|
>> From: "jimr" <jimr@discussions.microsoft.com>
>>
|>> Dave,
|>>
|>> I forgot to mention that Stinger did not detect any viruses.
|>>
|>> jimr
|>>
|>> "David H. Lipman" wrote:
|>>
>>>> From: "jimr" <jimr@discussions.microsoft.com>
>>
>> That means you were not infected with a worm. Now have you installed the patch
>> indicated in KB828741 ?
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;828741
>>
>> --
>> Dave
>>


If you are doing a repair/install, you have to slip-stream WinXP SP2 files onto the WinXP
SP1 installation-distribution files to bring the installation-distribution files to SP2
level before a repair/install can be performed.

--
Dave
Anonymous
March 13, 2005 4:22:40 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Dave,

You've got me there. How do I "slip-stream" SP2 along with the CD of WinXP
SP1? Thanks.

jimr

"David H. Lipman" wrote:

> From: "jimr" <jimr@discussions.microsoft.com>
>
> | Dave,
> |
> | Sorry, I forgot to mention that I got a setup error message when I attempted
> | to install MS04-012 KB828741 that said:
> |
> | "Setup has detected that the Service Patch version of this system is newer
> | that the update you are applying. There is no need to install this update."
> |
> | Given that nothing you have suggested seems to remedy the problem, it looks
> | to me like I will have to reinstall WinXP; however, the version that came on
> | this computer is WinXP Service Pack 1 & the current version on the system is:
> | Microsoft (R) Windows (R) (Build 2600.xpsp_sp2_rtm. 040803-2158 : Service
> | Pack 2).
> |
> | Therefore, the system gives me an error message indicating that the current
> | version is newer than the one I am attempting to install & that some programs
> | will not run. Does this mean that if I use the current CD to repair the
> | system & then apply all of the MS updates that some of my applications will
> | have to also be reinstalled?
> |
> | Let me know if you think this is the only thing left to do in order to
> | restore the system. Thanks.
> |
> | jimr
> |
> | "David H. Lipman" wrote:
> |
> >> From: "jimr" <jimr@discussions.microsoft.com>
> >>
> |>> Dave,
> |>>
> |>> I forgot to mention that Stinger did not detect any viruses.
> |>>
> |>> jimr
> |>>
> |>> "David H. Lipman" wrote:
> |>>
> >>>> From: "jimr" <jimr@discussions.microsoft.com>
> >>
> >> That means you were not infected with a worm. Now have you installed the patch
> >> indicated in KB828741 ?
> >>
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;828741
> >>
> >> --
> >> Dave
> >>
>
>
> If you are doing a repair/install, you have to slip-stream WinXP SP2 files onto the WinXP
> SP1 installation-distribution files to bring the installation-distribution files to SP2
> level before a repair/install can be performed.
>
> --
> Dave
>
>
>
Anonymous
March 13, 2005 5:58:34 PM

Archived from groups: microsoft.public.windowsxp.security_admin

From: "jimr" <jimr@discussions.microsoft.com>

| Dave,
|
| You've got me there. How do I "slip-stream" SP2 along with the CD of WinXP
| SP1? Thanks.
|
| jimr
|
| "David H. Lipman" wrote:
|
>> From: "jimr" <jimr@discussions.microsoft.com>


Let us assume that an i386 directory does NOT exist on the hard disk. Copy the directory
tree i386 off of the WinXP CDROM to the root of drive "C:" ( c:\i386 ) .

Download the FULL WinXP SP2 executable...
http://www.microsoft.com/downloads/details.aspx?FamilyI...

When you have the ~266MB EXE file (such as WinXP-SP2.exe ) execute it with the following
switch parameters...
-u -s:c:\ (e.g., WinXP-SP2.exe -u -s:c:\ )
That will slip-stream the c:\i386 directory with WinXP SP2.

You can then burn a bootable CDROM with the C:\i386

However, I have yet to make a bootable WinXP CDROM so my knowledge falls off there.

You could download the WinXP Floppy disk set...

Windows XP Professional Utility: Setup Disks for Floppy Boot Install
http://www.microsoft.com/downloads/details.aspx?FamilyI...


Just make sure you select "repair a system" when you actually run the WinXP installation
process.

--
Dave
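The slipstream procedure Dave lays out above, written up as an added batch script that is not part of the original thread. It assumes the WinXP SP1 CD is in drive D:, that the full SP2 package was saved as C:\WinXP-SP2.exe, and that the integrated tree goes to C:\i386 as described; it refuses to run if an i386 tree is already present so an SP1/SP2 mix is not produced.

```batch
@echo off
REM Added example, not from the thread: copy the SP1 i386 tree from the CD and
REM integrate ("slip-stream") WinXP SP2 into it with the switches Dave gives.
REM Assumed paths: CD in D:, SP2 package at C:\WinXP-SP2.exe, target C:\i386.
setlocal
set CDDRIVE=D:
set SP2EXE=C:\WinXP-SP2.exe
set TARGET=C:\i386

REM Dave's instructions assume no i386 directory exists yet; do not merge into one.
if exist "%TARGET%\" (
    echo %TARGET% already exists. Move it aside first so SP1 and SP2 files are not mixed.
    exit /b 1
)
if not exist "%CDDRIVE%\i386\" (
    echo No i386 directory found on %CDDRIVE%. Insert the WinXP SP1 CD.
    exit /b 1
)
if not exist "%SP2EXE%" (
    echo %SP2EXE% not found. Download the full ^(~266MB^) SP2 package first.
    exit /b 1
)

REM Copy the whole tree: /E subdirectories incl. empty, /H hidden and system
REM files, /K keep attributes, /I treat the destination as a directory.
xcopy "%CDDRIVE%\i386" "%TARGET%\" /E /H /K /I
if errorlevel 1 (
    echo Copying %CDDRIVE%\i386 to %TARGET% failed.
    exit /b 1
)

REM -u runs unattended; -s:C:\ integrates into the distribution folder under C:\.
REM The installer expects <path>\i386, which is why the switch names C:\ and not C:\i386.
"%SP2EXE%" -u -s:C:\
if errorlevel 1 (
    echo SP2 integration failed with exit code %errorlevel%.
    exit /b 1
)

echo %TARGET% now holds SP2-level distribution files. Use them for the repair install.
endlocal
```

Run it from an Administrator command prompt on a known-clean machine, then build the bootable CD from C:\i386 as the rest of the thread discusses.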
Anonymous
March 13, 2005 9:53:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Dave,

Someone else suggested that I purchase XP Pro w/SP2 Upgrade (price from
Insight is $80 +shipping). They thought that this upgrade version should
install & keep my data/files intact. I guess the rationale is that XP Pro is
an upgrade from the XP version. Do you think that this will work? Thanks.

jimr

"David H. Lipman" wrote:

> From: "jimr" <jimr@discussions.microsoft.com>
>
> | Dave,
> |
> | You've got me there. How do I "slip-stream" SP2 along with the CD of WinXP
> | SP1? Thanks.
> |
> | jimr
> |
> | "David H. Lipman" wrote:
> |
> >> From: "jimr" <jimr@discussions.microsoft.com>
>
>
> Let us assume that an i386 directory does NOT exist on the hard disk. Copy the directory
> tree i386 off of the WinXP CDROM to the root of drive "C:" ( c:\i386 ) .
>
> Download the FULL WinXP SP2 executable...
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>
> When you have the ~266MB EXE file (such as WinXP-SP2.exe ) execute it with the following
> switch parameters...
> -u -s:c:\ (e.g., WinXP-SP2.exe -u -s:c:\ )
> That will slip-stream the c:\i386 directory with WinXP SP2.
>
> You can then burn a bootable CDROM with the C:\i386
>
> However, I have yet to make a bootable WinXP CDROM so my knowledge falls off there.
>
> You could download the WinXP Floppy disk set...
>
> Windows XP Professional Utility: Setup Disks for Floppy Boot Install
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>
>
> Just make sure you select "repair a system" when you actually run the WinXP installation
> process.
>
> --
> Dave
>
>
>
Anonymous
March 14, 2005 12:57:39 AM

Archived from groups: microsoft.public.windowsxp.security_admin

From: "jimr" <jimr@discussions.microsoft.com>

| Dave,
|
| Someone else suggested that I purchase XP Pro w/SP2 Upgrade (price from
| Insight is $80 +shipping). They thought that this upgrade version should
| install & keep my data/files intact. I guess the rationale is that XP Pro is
| an upgrade from the XP version. Do you think that this will work? Thanks.
|
| jimr
|
| "David H. Lipman" wrote:
|

That's up to you. I won't comment pro or con to it.

--
Dave
Anonymous
March 14, 2005 7:15:14 AM

Archived from groups: microsoft.public.windowsxp.security_admin

On Sun, 13 Mar 2005 18:53:01 -0800, jimr wrote in
microsoft.public.windowsxp.security_admin:

> Dave,
>
> Someone else suggested that I purchase XP Pro w/SP2 Upgrade (price from
> Insight is $80 +shipping). They thought that this upgrade version should
> install & keep my data/files intact. I guess the rationale is that XP Pro is
> an upgrade from the XP version. Do you think that this will work? Thanks.
>
> jimr
>
> "David H. Lipman" wrote:
>
>> From: "jimr" <jimr@discussions.microsoft.com>
>>
>>| Dave,
>>|
>>| You've got me there. How do I "slip-stream" SP2 along with the CD of WinXP
>>| SP1? Thanks.
>>|
>>| jimr
>>|
>>| "David H. Lipman" wrote:
>>|

<snip>
There is a very good guide at the Microsoft Software Forum Network on
how to do this. It will require access to a clean computer to make the
CD though. http://unattended.msfn.org/


--
jda^fx
!