
I think I've worms

  • 19-01-2009 1:05pm
    #1
    Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭


    Hmm, this hasn't happened for years, remember that thing going around the net that would make your computer shut down randomly giving you a minute's notice? Well I got it today, just out of the blue! I was on a live chat thing to a reputable business website and the minute I plugged my Sony Ericsson phone in, the popup came about NT authority and to save my work and shut down. I'm running XP Pro, Service pack 3 and have Avira AV working which didn't pop up anything. Is this actually a system error that the worm years ago used to always activate, or is it a pop up box created by the worm itself?

    Any feedback appreciated, I thought I was well protected...


Comments

  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,763 CMod ✭✭✭✭Spear


    cormie wrote: »
    Hmm, this hasn't happened for years, remember that thing going around the net that would make your computer shut down randomly giving you a minute's notice? Well I got it today, just out of the blue! I was on a live chat thing to a reputable business website and the minute I plugged my Sony Ericsson phone in, the popup came about NT authority and to save my work and shut down. I'm running XP Pro, Service pack 3 and have Avira AV working which didn't pop up anything. Is this actually a system error that the worm years ago used to always activate, or is it a pop up box created by the worm itself?

    Any feedback appreciated, I thought I was well protected...

    The shutdown one is probably the Blaster worm and its RPC exploit. You shouldn't be affected by this with SP3 installed.


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    I know it's strange, just came out of nowhere. Any ideas why it may have come up?:)


  • Closed Accounts Posts: 6,151 ✭✭✭Thomas_S_Hunterson


    If it happens again, you should be able to stop it by running "shutdown -a" from the run dialog or command line (assuming you have an administrator account).


  • Registered Users, Registered Users 2 Posts: 263 ✭✭alansweeney100


    I got that blaster worm three feckin times on my old PC, I remember the third time I got it the 'shutdown -a' trick didn't work for me, think I had to boot into safe mode, can't remember well it was so long ago.
    You don't seem too worried cormie, I presume you have removed it.


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    I don't know if I removed it? I don't know if it was even the worm, or just some instance I did with attaching my phone when I was doing the live chat that caused the system itself to do it, without any worm being involved? Is that even possible? I just did a full system scan and clean and it didn't show up anything. I've been running SP3 for ages and before that SP2 and haven't seen that popup in about 5 years! I've firewall and antivirus running so I'm confused as to how it could have got here if it was a worm? May it be just a combination of different procedures that got windows to bring it up without any worm being involved? Like is it a windows error that can popup for some reason or another or is put on my pc by a worm?


  • Registered Users, Registered Users 2 Posts: 1,435 ✭✭✭TiGeR KiNgS


    could this be the worm?

    http://www.dailytech.com/article.aspx?newsid=13981


    probably got it from the ''reputable business website'' according to this article


  • Registered Users, Registered Users 2 Posts: 17,727 ✭✭✭✭Sherifu


    It's Blaster. Annoying little ****er. Messes with RPC. Shutdown -a will see you right.


  • Closed Accounts Posts: 1,124 ✭✭✭by8auj6csd3ioq


    I got that blaster worm three feckin times on my old PC, I remember the third time I got it the 'shutdown -a' trick didn't work for me, think I had to boot into safe mode, can't remember well it was so long ago.
    You don't seem too worried cormie, I presume you have removed it.
    I got it in 2003 when the av was up to date but I did not have the firewall on. Strangely enough I was googling yesterday trying to understand why it got past the av with my slightly more knowledge now. There is a blaster removal tool and answering my own question re av there are different versions aren't there?


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    could this be the worm?

    http://www.dailytech.com/article.aspx?newsid=13981


    probably got it from the ''reputable business website'' according to this article

    :eek: I hope not! I got it while I was on live chat to Ikea! How do I know if I still have it? I haven't applied any patch yet...


  • Registered Users, Registered Users 2 Posts: 1,435 ✭✭✭TiGeR KiNgS


    cormie wrote: »
    :eek: I hope not! I got it while I was on live chat to Ikea! How do I know if I still have it? I haven't applied any patch yet...

    update windows and

    ''Microsoft, says that consumers should update its Malicious Software Removal Tool and scan all files for the Conficker/Downadup worm.''


  • Registered Users, Registered Users 2 Posts: 30,475 ✭✭✭✭Ghost Train


    can you cancel the shutdown from the command line

    shutdown /a


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    Arghh, it happened again. Once again it happened when I plugged in my Sony Ericsson :confused: This connects to the net for me by the way.

    Do I really need to get the windows malicious software removal tool if I have the likes of Avira and Advanced System Care 3? I also downloaded and installed the patch and it's still happening :(

    I forgot about the cancel shutdown thing, must remember next time, which there hopefully won't be :mad:


  • Registered Users, Registered Users 2 Posts: 4,864 ✭✭✭MunsterCycling


    Vote this the best thread title so far this year!


    To answer you cormie, yes you should use the malicious software removal tool from M$, it's designed to target this exact type of issue.

    MC


  • Registered Users, Registered Users 2 Posts: 1,890 ✭✭✭Effluo


    Hey i have a laptop which keeps restarting.


    It doesn't give any warning though...

    and then it says somethin like windows has incurred a serious problem or some-at...

    Could I have worms too? I figured it was its power supply as I took the battery out, got a new cable for it and it still happened... :(

    I hope i have worms too!


  • Registered Users, Registered Users 2 Posts: 30,475 ✭✭✭✭Ghost Train


    Effluo wrote: »
    I hope i have worms too!

    :confused:

    maybe look at the system logs for errors
    start->run->type "eventvwr"->press ok


  • Closed Accounts Posts: 1,124 ✭✭✭by8auj6csd3ioq


    Effluo wrote: »
    Hey i have a laptop which keeps restarting.


    It doesn't give any warning though...

    and then it says somethin like windows has incurred a serious problem or some-at...

    Could I have worms too? I figured it was its power supply as I took the battery out, got a new cable for it and it still happened... :(

    I hope i have worms too!
    Do you get a bsod or blue screen of death before the reboot?


  • Registered Users, Registered Users 2 Posts: 1,890 ✭✭✭Effluo


    Of late been getting some seriously funky things happening to my screen.
    (i believe they are related to the power issues)

    I've had blue screen once or twice and also the screen has gone really really unusual colours, such as browns, reds and pure white. The problems just came about all of a sudden.

    Also I should probably note that I recently installed avast on it (cause I heard the problem could have been a virus), when it did a search it found A LOT of viruses! It asked me if I wanted to delete the files infected and I said yes, then it said that some windows system files were also infected and asked if I wanted to delete them, not really thinking about it I said yes and now control panel along with a lot of stuff is not really working for me...
    Please note this was after the laptop started restarting itself!


  • Registered Users, Registered Users 2 Posts: 48 dubfir


    Try running sfc /scannow from the command prompt. It should let you know if any system files are corrupt or missing and whether it could fix the problem.


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    Effluo, would you consider a format?

    Thanks for the input Munster, would the likes of Avira and Advanced System Care not cover the stuff in the windows malicious software removal tool? I like to keep my computer as bloat free as possible and would prefer not to install it if it just does what the other two do? :)


  • Registered Users, Registered Users 2 Posts: 4,864 ✭✭✭MunsterCycling


    Just runs the once I believe and then terminates but not a TSR.

    Still think this has to be the best thread title of the year so far!!!


    MC


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    What's a TSR? :)


  • Registered Users, Registered Users 2 Posts: 4,864 ✭✭✭MunsterCycling




  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    Thanks again, must give it a go :)


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    I got the Windows Malicious tool thingy anyway, did a full scan and it showed up nothing, although it did show up something in a restore folder, some kinda virus, but I imagine that has been there for a while? Nothing showed up to indicate a blaster worm anyway so I don't even know if I still have it or not because when I scanned with Avira, nothing showed up either but then it happened again...


  • Registered Users, Registered Users 2 Posts: 4,864 ✭✭✭MunsterCycling




  • Registered Users, Registered Users 2 Posts: 30,475 ✭✭✭✭Ghost Train


    would run malwarebytes, it's been very good with a number of recent viruses
    http://www.malwarebytes.org/


  • Registered Users, Registered Users 2 Posts: 4,864 ✭✭✭MunsterCycling


    +1 for malwarebytes


  • Closed Accounts Posts: 1,124 ✭✭✭by8auj6csd3ioq


    cormie wrote: »
    Thanks again, must give it a go :)
    Have you tried the symantec blaster removal tool? Just in case. Also you could get that problem with software conflict. I had it once with one of the za firewalls. Changed version and it stopped. Have you installed any new programs besides the scanning ones?


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    haven't tried any online scans and would really hope my avira and the MS tool are all I need as I spent ages deciding on which AV to go for and if Avira isn't up to it, that's a kick in the teeth :D

    Jack, are you sure the problem can come up with a software conflict? That's what I'm hoping as both times it's happened, it's happened the instant I've plugged my Sony Ericsson into the USB which would lead me to believe it could be some software thingy, or maybe the sony has a virus itself and is showing up on the PC when it's connected?

    Can anyone confirm whether the popup thingy, is designed and developed by the blaster worm maker, or if it's made by windows, as in, who actually typed the words "This system is shutting down. Windows must now restart because......." Mr. Microsoft employee, or Mr. Worm maker. It sounds like Mr. Microsoft as the worm guy would surely want to boast about his great achievement and put in some Leet haxor pwned bull****.


  • Registered Users, Registered Users 2 Posts: 17,727 ✭✭✭✭Sherifu


    cormie wrote: »
    Can anyone confirm whether the popup thingy, is designed and developed by the blaster worm maker, or if it's made by windows, as in, who actually typed the words "This system is shutting down. Windows must now restart because......." Mr. Microsoft employee, or Mr. Worm maker. It sounds like Mr. Microsoft as the worm guy would surely want to boast about his great achievement and put in some Leet haxor pwned bull****.
    Have you not got rid of it yet?

    The way it goes is the worm causes an RPC overflow which triggers a shutdown. The popup thing would be from Microsoft. The worm would not be...


  • Closed Accounts Posts: 1,124 ✭✭✭by8auj6csd3ioq


    cormie wrote: »
    Jack, are you sure the problem can come up with a software conflict? That's what I'm hoping as both times it's happened, it's happened the instant I've plugged my Sony Ericsson into the USB which would lead me to believe it could be some software thingy, or maybe the sony has a virus itself and is showing up on the PC when it's connected?
    It happened with me anyway with one version of a ZA firewall. Kept getting BSOD and restarting. Try using the pc for a day or 2 without the Sony Ericsson and see if there is a change.
    Can anyone confirm whether the popup thingy, is designed and developed by the blaster worm maker, or if it's made by windows, as in, who actually typed the words "This system is shutting down. Windows must now restart because......." Mr. Microsoft employee, or Mr. Worm maker. It sounds like Mr. Microsoft as the worm guy would surely want to boast about his great achievement and put in some Leet haxor pwned bull****.
    Not sure but I think blaster interferes with the remote procedure call and that shuts down windows. I am open to correction


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    Aha, so maybe I'm getting an RPC overflow for some other reason then? Maybe just a software conflict with the SE phone and I don't have a virus/worm at all? It's only happened twice, I've been connecting my SE a lot to get online as I'm in the middle of switching BB providers so I've probably connected it to the computer about 40 times over the last few days and it's happened twice.


  • Closed Accounts Posts: 1,124 ✭✭✭by8auj6csd3ioq


    cormie wrote: »
    Aha,
    the thick plottens [play on plot thickens - not calling you thick]:)
    so maybe I'm getting an RPC overflow for some other reason then? Maybe just a software conflict with the SE phone and I don't have a virus/worm at all? It's only happened twice, I've been connecting my SE a lot to get online as I'm in the middle of switching BB providers so I've probably connected it to the computer about 40 times over the last few days and it's happened twice.
    As I said, stop using the SE for a day or 2 and see if you can eliminate it, then you will know what it is and can track it from there. There may be a fix. Good luck


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    Thanks again, been using the SE every day since and the problem still hasn't cropped up again. I read the info on the new blaster worm and it says it puts itself on USB devices too, what would it attach itself to on the drive? Would it create a hidden file or would it embed itself into another file I wonder?


  • Closed Accounts Posts: 1,124 ✭✭✭by8auj6csd3ioq


    cormie wrote: »
    Thanks again, been using the SE every day since and the problem still hasn't cropped up again. I read the info on the new blaster worm and it says it puts itself on USB devices too, what would it attach itself to on the drive? Would it create a hidden file or would it embed itself into another file I wonder?
    I doubt if you have the blaster as it would not let you work away for days as far as I know. Wouldn't let me anyway till I removed it with the symantec removal tool


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    Yeah, hopefully I don't anyway, would love to know what's causing it though to be able to sort it, probably never know though :(


  • Registered Users, Registered Users 2 Posts: 17,727 ✭✭✭✭Sherifu


    cormie wrote: »
    Thanks again, been using the SE every day since and the problem still hasn't cropped up again. I read the info on the new blaster worm and it says it puts itself on USB devices too, what would it attach itself to on the drive? Would it create a hidden file or would it embed itself into another file I wonder?
    Sometimes they'll hide in the recycle bin, check any autorun files on the usb for clues.
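
Added example (not part of the post above or of the thread): one way to do the autorun check suggested here is to read the drive's autorun.inf as plain data and list the entries that would launch a program, marking any that point into a recycle-bin folder. The sample file contents and the folder and file names in it are constructed placeholders.

```python
import re

# Folder names Windows uses for the recycle bin on removable and fixed volumes.
RECYCLE_DIRS = ("recycler", "recycled", "$recycle.bin")

# key=value lines; lines starting with ';' (comments) or '[' do not match.
LINE_RE = re.compile(r"^\s*([^=;\[\]]+?)\s*=\s*(.*?)\s*$")


def parse_autorun(raw):
    """Parse autorun.inf bytes into (section, key, value) tuples."""
    entries, section = [], ""
    # latin-1 never fails to decode, so junk padding bytes cannot hide entries.
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((section, m.group(1).lower(), m.group(2)))
    return entries


def is_exec_key(key):
    """True for autorun.inf keys whose value is a command to run."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def review_autorun(raw):
    """Return (key, value, reason) for every entry that launches a program."""
    findings = []
    for section, key, value in parse_autorun(raw):
        if section != "autorun" or not is_exec_key(key):
            continue
        path = value.lower().replace("/", "\\")
        if any(d in path for d in RECYCLE_DIRS):
            reason = "runs a program from a recycle-bin folder"
        else:
            reason = "runs a program"
        findings.append((key, value, reason))
    return findings


# Constructed sample: junk padding, a comment, a harmless icon entry and
# two launch entries, one of them pointing into a recycle-bin folder.
SAMPLE = (
    b"\x8f\x02junk-padding-line\xfe\r\n"
    b"[AutoRun]\r\n"
    b"; comment\r\n"
    b"Icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    b"ShellExecute=RECYCLER\\S-0-0-EXAMPLE\\placeholder.exe\r\n"
    b"shell\\open\\command=setup.exe\r\n"
)

if __name__ == "__main__":
    for key, value, reason in review_autorun(SAMPLE):
        print(f"{key} = {value}  ({reason})")
```

To check a real drive, pass the file's bytes instead of the sample, e.g. `review_autorun(open(r"E:\autorun.inf", "rb").read())`, where `E:` is whatever letter the USB device mounts as.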


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    I got rid of the recycle bin ages ago so even if I just press delete without shift, it goes straight to the permanent delete warning dialogue, no recycle bin at all :cool:

    I've also disabled all drives to autorun and only personal files and folders on my USB hd so no autorun wini exe bats or anything :o


  • Registered Users, Registered Users 2 Posts: 263 ✭✭alansweeney100


    This is the one I ran years ago the third time I got the Blaster worm.

    Anti-worm


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    This happened AGAIN yesterday with the SONY, but it also happened again today with the RipWave thingymajig from Irishbroadband, happens the second I plug each in. Must be some effect on something to do with a connection, definitely not a virus I reckon... I hope :)


  • Registered Users, Registered Users 2 Posts: 20,844 ✭✭✭✭cormie


    Just happened again with irishbroadband ethernet :( I left a program doing something overnight, took about 10 hours total, and then I lost it when this happened :(

    What could each connection be triggering to make this happen I wonder?

