Re: Have Virus - Need Help
- From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
- Date: Mon, 10 Apr 2006 14:27:53 -0400
From: "Michael Fischer" <MichaelFischer@xxxxxxxxxxxxxxxxxxxxxxxxx>
| I'm running Windows XP SP2 and every time I log on I receive NT SYSTEM
| AUTHORITY message and the machine reboots in one minute. In researching how
| to fix it (still haven't been able to) I now know how to stop the shutdown or
| fool it by changing the clock and have the timer run longer, but no tools
| (whether from Microsoft or Kelley's Korner or wherever I got the tool
| installed in AV-CLS or anywhere else I've found anything) detect a virus. I
| did find a registry entry where
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows
| auto update" = "msblast.exe". I removed that registry entry and one for
| mslaugh.exe. I could not find files named msblast or mslaugh anywhere on the
| PC. Anybody have any ideas?
They are certauinly indications of the Lovsan/Blaster worm that uses TCP port 135 to infect
a PC through a vulnerability in RPC/RPCSS DCOM.
However if you are running WinXP SP2 you should'nt be getting this via a TCP port 135
exploitation attempt.
The following is the pertinent patch -- KB828741
http://www.microsoft.com/downloads/details.aspx?FamilyId=D488BBBB-DA77-448D-8FF0-0A649A0D8FC3&displaylang=en
If you get a NT SYSTEM AUTHORITY shutdown message and you are connected to the internet,
disconnectr form the Internet. If you get the message and you are NOT connected to the
Internet then it is NOT a TCP port 135 explouiatation attempt but something has gone awry
with the RPC/DCOM sub-system.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
.
- Prev by Date: Re: Preventing access to Network ID Page (Preventing Admins from Changing Named/Removing from Domain)
- Next by Date: Re: Removed Norton
- Previous by thread: Re: Have Virus - Need Help
- Next by thread: Re: Have Virus - Need Help
- Index(es):
Relevant Pages
|
