# Strange Windows XP error



## XGP (Aug 5, 2003)

Hey guys, thanks for reading this.. 
I've received a distressing error message twice today. It reads: 

"This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT Authority/system" 

And then counts down from a minute. This really worries me, if anyone has knowledge concerning this, please enlighten me. 

Your efforts are truly appreciated.


----------



## Guest (Aug 5, 2003)

Welcome to the forums XGP............ 

I'm assuming that you're running an activated version of XP.

If a machine is a target of the currently available exploit program
for the MS03-026 vulnerability, it will in some cases pop up a window titled "System Shutdown" with the text:
This system is shutting down. Please save all work in progress
and log off. Any unsaved changes will be lost. This shutdown
was initiated by NT AUTHORITY\SYSTEM

Time before shutdown: 00:00:59

Message:
Windows must now restart because the Remote Procedure Call
(RPC) service terminated unexpectedly


(The machine then reboots in 59 seconds.)

This indicates an unsuccessful exploit attempt on an unpatched
machine. If customers see this message, they should most likely save their work and then disconnect from the network, or else patch the machine immediately after it reboots.


----------



## XGP (Aug 5, 2003)

=D thanks for the welcome...

I found the patch you speak of here:

http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

I haven't received the error again... so hopefully this was the dilemma.

Thanks for the help


----------



## johnwill (Sep 26, 2002)

After you patch your system, you should IMMEDIATELY install a firewall! With a proper firewall, many of these problems can be avoided.


----------



## dancingwaters (Aug 11, 2003)

*There is just no way to patch it.*

Right now I am on my husband's computer. I came in here and searched, found my problem in this thread.. So I thought ok, I patch it. It took me three times before I could actually download it; by the time I got to the page it had shut down already. So now I have it downloaded but there is no time to run it before it shuts down; it will start running but then the computer shuts down.


----------



## Swiss Bloke (Aug 11, 2003)

*Remote Procedure call*

I too started getting this message about one hour ago, I've had to log on my work PC to access the web as my home PC keeps shutting down?

How do I get to the download as the microsoft link wants to upgrade the work pc which has a different os!!!

Help.


----------



## dancingwaters (Aug 11, 2003)

*I finally got it..*

I had to start it up in safe mode then I was able to run the patch. It fixed the problem.


----------



## drjohnson (Aug 11, 2003)

I started getting this today - every time I went online, after 3-5 mins, I got the dreaded "This shutdown was initiated by NT AUTHORITY\SYSTEM"

I completely reinstalled my OS, and of course that didn't work, so I searched for the error, and found this thread - including the link to the patch - thanks very much for that.

I've installed the MS patch (I was sweating a bit when it took 90 secs to download - I was dreading getting the message again!!). It seems to be holding up so far (been online now for about 15 mins).

On the firewall issue, I've just enabled the "Internet Connection Firewall" as recommended by MS on their site. Is this sufficient ?

Ta,

Dr J.


----------



## miiamaija (Aug 11, 2003)

*firewall definitely a good idea*

I had the same problem and it wouldn't even let me download the security patches, the error message would pop up immediately and restart the computer. Even if I was browsing in the internet to look for solution, it would pop up...  

I ended up going to McAfee's website, downloaded Personal Firewall free 30day trial and installed that. After the firewall was in action, I could download the XP updates and install them. 

Later I ran the viruscheck and found "Exploit-DcomRpc" file on C:/windows/system32/msblast.exe 
My virus scan program wasn't able to clean it, so obviously it needed to be deleted.

I don't know whether McAfee's firewall is the best on the market, but it was available, free and did the trick for this one... remains to be seen whether I'll keep that one or choose for something else. Any recommendations anyone?

I'm a fire starter.... :winkgrin:


----------



## NacNud (Aug 11, 2003)

Hello, 
I work in the IT Dept. at my company and we had this happen to several of our users. The problem we came up against was that the computer would restart before we could install the patch; this even happened in safe mode. After some more searching I finally found a way to stop the computer from rebooting so that the patch could be installed. When your computer comes up go to Control Panel -> Admin Tools -> Services and select the Remote Procedure Call (RPC) and go to Properties. Click on the Recovery tab and change all of the failure actions from restart computer to restart service. After you apply this your computer will now not restart the next time the problem occurs. This will enable you to have enough time to run Windows Update and get the patch installed. After you have the patch installed reset the service to restart the computer and you should be all set.

-NacNud
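
The Recovery tab change described in this post can also be made from a command prompt with `sc failure`, which is easier to repeat across several machines. This is an added example, not part of the original post; the script name, its `relax`/`restore`/`show` arguments, the reset period and the 60-second delays are assumptions.

```batch
@echo off
rem Added example, not from the thread: command-line form of the Recovery tab change.
rem Service name RpcSs is the Remote Procedure Call (RPC) service.
rem Assumed values: reset period 86400 s, 60000 ms delay before each action.
rem Usage: rpc-recovery.cmd followed by relax, restore or show (administrator prompt)

if /i "%~1"=="relax"   goto relax
if /i "%~1"=="restore" goto restore
if /i "%~1"=="show"    goto show
echo Usage: %~nx0 relax ^| restore ^| show
exit /b 2

:relax
rem Before patching: first, second and subsequent failures restart the service only.
sc failure RpcSs reset= 86400 actions= restart/60000/restart/60000/restart/60000
if errorlevel 1 goto failed
goto show

:restore
rem After the patch is installed: put the failure actions back to rebooting the computer.
sc failure RpcSs reset= 86400 actions= reboot/60000/reboot/60000/reboot/60000
if errorlevel 1 goto failed
goto show

:show
rem Print the recovery settings now in effect so the change can be confirmed.
sc qfailure RpcSs
exit /b 0

:failed
echo Could not change the RpcSs recovery settings; check that you have administrator rights.
exit /b 1
```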


----------



## spottslady (Aug 11, 2003)

Oddly enough, I have just started having the same error. Computer been fine up until tonight. Suddenly I am getting NT Authority/System, RPC failed, system shutdown (and a countdown for 60 seconds): Remote Procedure Call (RPC) service terminated unexpectedly.

Anybody got any ideas what the heck this is and why it's suddenly started. I've had 3 reboots in as many minutes!

Seems to happen when I am online.

Many thanks to anyone who can shed some light on this.

I'm using WinXP Home Edition version 2002.


----------



## gary326 (Aug 11, 2003)

I had the same problem too. Here's some info about it ...

http://us.mcafee.com/virusInfo/default.asp?
and...http://www.sotmesc.org/gcms/virii/messages/3074.html


----------



## JayCully (Aug 12, 2003)

a couple of my friends have had the same problem, and i think it's caused by msn messenger. one of my friends noticed the msblast.exe process running when he pressed control alt and del, tried deleting it and ending the process but it simply reinstalls. if you read the articles on http://www.mess.be you'll see that it's related to msn messenger.


----------



## Villager1 (Aug 12, 2003)

The MSN Messenger site has so much. Can you please let me know more about where to look for the information you found which solved this problem?


----------



## ETaB685 (Aug 12, 2003)

JayCully, you have to delete it out of the registry too.



I'm having the problem too. Here is an email my ISP just sent me.

Greetings,

As you may have heard by now in the news there is a new virus that
is exploiting a security flaw in Windows XP, NT and 2000. The
virus is known as "W32.Blaster.Worm" or "MSBlast." The virus does
not come through email. It is sent to your computer through a Remote
Procedure Call, or RPC, meaning that an infected computer scans
other computers for a certain open port, and then sends itself
through that port. This security flaw is not in Macintosh, Linux or
Unix operating systems. To read more about the security flaw,
please go to
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

To keep from getting this virus, you should go to
www.windowsupdate.com and scan for all patches available for your
computer. After it scans, you should download all the security
patches. This will keep you from getting the virus.

NOTE: If you are infected, you will see an error saying "...NT
authority must shut down your computer in 30 seconds."

BEWARE! Some users who have the virus have reported that while they were
attempting to download the patches from Microsoft, the virus rebooted
their computer. There is little chance of damage from this and it will be
possible to eventually receive the patches from Microsoft even if you are
infected and the virus reboots your computer. Just keep trying to get the
patches.

XP users can prevent this from happening by turning on Internet Connection
Firewall in their connection profile. IF YOU ARE AN XP USER, right click
on your connection icon, left click on Properties, click the Advanced
Tab, and place a checkmark next to "Internet Connection Firewall." This
will allow you to download the patches without the virus rebooting your
machine.

To fix this, you must edit your Windows registry. It is extremely
important that you follow this set of instructions very carefully.
Enter.net is not responsible for any damage to your computer from
following these instructions. If you don't feel competent to perform
this service, you should contact your computer dealer/consultant, or
Enter.Net's in-house service department.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
3. Then click OK. (The Registry Editor opens.)
4. Navigate to the key by clicking on the plus next to each section:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"windows auto update"="msblast.exe"
6. Exit the Registry Editor by clicking the x in the top right corner.

You should then be able to go to www.windowsupdate.com and get the
patch to keep your computer safe. You should also then go to
http://www.housecall.antivirus.com Click on Scan Now listed under
the Customer Advisory. Press yes to any boxes that pop up. You will
then see the Active Update windows where it is downloading an
updated engine and pattern file. Once this is done, put a checkmark
next to your C: drive and a checkmark next to Auto Clean. Then click
Scan. This will scan your computer for viruses and automatically clean
any that it can. It will also give you the option to delete the
infected files that it was not able to clean. This online virus
scanner is free.

Please make sure to update your antivirus programs and your windows
updates at least twice a month. This will keep your computer updated
against any viruses and security flaws.


----------



## puphdaddy (Aug 12, 2003)

I had the same problem and couldn't download it without getting the boot (or reboot) so I d/ld the file to my laptop (under W2K) and wrote it to disk (executable) and then installed it on my tower (XP).. all is fine now. BTW a firewall is mentioned to help in these situations... any referrals to any good ones out there? thx....PD


----------



## Traceman (Aug 12, 2003)

I have also gotten this Internet worm. I am able to stay connected by following NacNud's suggestion as to changing the RPC properties from restart computer to restart service. However I cannot download the patch due to a "KB823980 Setup Error" saying "Setup could not verify the integrity of the file Update.inf. Make sure the cryptographic service is running on this computer". Can anyone explain this message and what I can do to fix it?


----------



## Lethal (Aug 12, 2003)

I was able to DL the patch however when i try to install it i get this message:

"Setup could not verify the integrity of the file Update.inf. Make sure the cryptographic service is running on this computer."

is this related to the RPC or is this a new and different problem? how do i fix it? thank you in advance for your anticipated help!


oops!! sorry about the double post


----------



## Sandy55 (Aug 12, 2003)

Lethal, 

I am having exactly the same problem. Any luck?


----------



## jessa_lee (Aug 11, 2003)

*Resolution here!*

In order to get the download and install to work, follow these steps:

Wait until the RPC pops up the "shutting down" message. 
Go to Start >Run 
Type "cmd" to bring up the Command Prompt
Type "shutdown -a" at the prompt and hit enter
This will end the RPC program completely.
Now run the download and install.

This should solve the problem completely 

*smiles* And have a great day!
Ms. Jessa Lee


----------



## Lethal (Aug 12, 2003)

Jessa lee, 

This stopped the RPC but i still got the same message about " the integrity of the file update.inf."


----------



## susanl (Aug 12, 2003)

*Me Too*

I am getting this too, but only when using one ISP, not the other (on the same computer). The ISP that it is happening with (earthlink) is far more advanced than the "hometown" ISP I am using now. 
Any reason for this?
Thanks for any input!
Susan


----------



## wc! (Aug 12, 2003)

I've fixed the problem but I'm wondering why it just started up today? Did it just now get to my machine or did it awake from some sort of hibernation? It just seems strange that there is a lot of traffic regarding this particular error today.


----------



## kampai (Aug 12, 2003)

*thank you so much!*

thank you guys. You guys are great.

what day is today? how come this happen..... to most people?


----------



## Pennywise (Aug 12, 2003)

I had this same problem before... When the problem occurred I scanned the hd immediately for viruses with AVG. I did find a worm, called sddrop. I don't know if this worm has anything to do with it? Anyway I got the same restart problem, and I installed xp again. Then, during the install, I got a strange error. Something with d:\nt something (I don't remember what the error was precisely). I couldn't make anything from it. But the install went on. Then the startup screen looked a bit weird (I only had a recycle bin, and further nothing) So I tried repairing windows with the XP cd. After that, the startup screen was good again, but I still got the same problem and windows xp was very slow. After that 

I recently tried installing Windows 98. Now it doesn't give any more nt authority\system errors... So I'm going to install the patch you were talking about. Hope it works...


----------



## Mickwe (Aug 12, 2003)

*Thanks for helping*

I just want to thank everyone here for helping me diagnose and remove this virus. 

You people are great...saved me time, money, heartache...

The openness of the 'net is what allows these terrible viruses to be created and spread, but also what allows good people to access the victims and help them out.

Sort of like the matter of "free will": God granted the ability to do supreme evil AND good.

Anyway, thanks a lot.


----------



## Traceman (Aug 12, 2003)

I had the problem with making sure the cryptographic service is running when trying to download the patch. I was able to find the following fix:
SYMPTOMS

When you install Windows XP Service Pack 1 (SP1), you may receive the following error message: 

Service Pack 1 Setup could not verify the integrity of the file. Make sure the Cryptographic service is running on this computer 

CAUSE

This issue occurs because either Cryptographic Services is set to Disabled for Startup type or there is log file or database corruption in the %Systemroot%\System32\Catroot2 folder. 

RESOLUTION

To resolve this issue, set Cryptographic Services to Automatic for Startup type. If this does not resolve the issue, stop Cryptographic Services, and then rename the %Systemroot%\System32\Catroot2 folder. To do so, follow these steps: 

1. Start the Administrative Tools utility in Control Panel.
2. Double-click Services.
3. Right-click Cryptographic Services, and then click Properties.
4. Click Automatic for Startup type, and then click Start.
5. Install Windows XP SP1 again. If the problem persists, go to Step 6.
6. Click Start, and then click Run.
7. In the Open box, type cmd, and then click OK.
8. At the command prompt, type the following commands, and then press ENTER after each line:
   net stop cryptsvc
   ren %systemroot%\system32\catroot2 oldcatroot2
9. Type exit to close the command prompt, and then install Windows XP SP1 again.

This enabled me to get the patch to finally download. And everything has been ok ever since.


----------



## xpspecial (Aug 12, 2003)

I too was able to download the patch and fix the error, however, I have still run into a slight problem. 

I did the steps within run and msblast.exe was removed from my registry, but when I go to where the virus is supposed to be located, it's still there. I try to delete it by hand, and it comes up with an error saying access denied, that it is copyrighted.

How would I go about deleting it if my computer will not let me delete it? 

Thanks for everyone's time and effort, greatly appreciated.


----------



## idiotboy72 (Aug 12, 2003)

I just wanted to say thanks for all the help on this problem, this was the only place I could really find any "useful" information! (And it's also the first time I've used this forum but I'll be sure to return)

I lost far too much sleep over this RPC/ Restarting nonsense but it looks like I wasn't the only one - was this virus a timebomb?

Anyway, cheers again!

iDiOtBoY72


----------



## idiotboy72 (Aug 12, 2003)

xpspecial - I deleted msblast.exe in Safe Mode where I also made the registry changes - this seems to have got rid of it completely now (fingers crossed!!)

Cheers

iDiOtBoY72


----------



## jim_beam89 (Aug 12, 2003)

Is the virus linked to just illegal copies of XP or is it all versions?

Not saying I have an illegal copy.... :angel:


----------



## Fury (Aug 12, 2003)

I've been having a similar problem. However whenever I try to download the patch it says it's only for Build 2600. I believe I have XP build 2562. Does anyone know how I can fix the problem? Also I have checked the registry and there is no trace of anything to do with msblast, and I can't find msblast.exe anywhere on my system.


----------



## bobby (Aug 11, 2003)

Hi all,


thankx for all ur valuable help. I'm a sys admin in a bpo center in india. suddenly all the systems began to show the rpc msgs. Got the reqd info from this thread to set them in working order.

thanx again.

bobby


----------



## Barry (Aug 12, 2003)

Thanks to everyone for their help. This is my first time on this board, found it on Google, but I will return. 

I had just purchased a new computer and had been online about 30 minutes when this happened! I thought it was the computer and returned it for another one. Was totally shocked and dismayed when the second one came back with the identical error. 

As you can see, I don't know much about computers but am learning. Thanks so much again to everyone!


----------



## Ted Maul (Aug 12, 2003)

I started getting the error message last night. I ran Norton AV, tried AVG, Anti-Trojan, Stinger, FixBlast, checked my start up folder, checked in the registry and in my running processes but I haven't found anything. I downloaded the patch and re-installed my firewall (cos it obviously wasn't configured to stop this) but I find it strange that I haven't been able to find msblast. Has anyone got any ideas as to why I've had the symptoms yet don't appear to have the virus?


----------



## Eric Cheung (Aug 12, 2003)

I have exactly the same problem.
I downloaded the patch, ran it, and the problem is now gone!


----------



## Dmack (Aug 12, 2003)

its good to see a good forum like this where we can come with our problems

i find this on yahoo cus my friends were having this problem and being the good guy that i am  i wanted to find a solution i normally beat viruses and things on my own but this one i couldn't crack. i gave my friends the links and the patch but his comp kept restarting so this thing which someone said worked

Wait until the RPC pops up the "shutting down" message.
Go to Start >Run
Type "cmd" to bring up the Command Prompt
Type "shutdown -a" at the prompt and hit enter
This will end the RPC program completely.

clever people in here :winkgrin: 

hope you other guys fix your stuff im sure there will be more viruses and timebombs coming, especially if u have downloaded msn plus or kazaa lite they have some nice viruses hidden in them

good luck all of you and thanks a load for the help, haha i hope this is happening at my school :angry2:


----------



## lily_my_lovely (Aug 12, 2003)

SPEEDO said:


> *This indicates an unsuccessful exploit attempt on an unpatched
> machine *


I'm not sure mine was an unsuccessful attempt...

I've been getting the RPC terminating/reboot problem on XP for the first time today and thanks everyone for the fantastic support and information to rectify! 

...but before I found this great forum I had a go at rectifying myself.

I found that the problem only occurred when connected to the internet, but for some strange (and new) reason my PC was connecting to the internet immediately on boot up. Which basically meant my PC was rebooting itself every couple of minutes.

Now usually I don't auto connect (I have to click on internet explorer and choose to connect) so I thought this was odd... I went into Control Panel and Internet Options and changed the Connections setting to 'never dial a connection'.

On the next reboot, I got the following message:-

"You (or a program) is trying to connect to spammers.gotdns.com which connection would you like to use to access this data"

EEK! (I thought). Obviously this domain name/address has something to do with the problem/worm/virus but I am now rather nervous that someone is either using my IP address for Spamming or accessing my PC!

Anyone got any ideas what/who spammers.gotdns.com is?

P.S Going to log back into my XP PC now and attempt to download the patch as recommended here! Thanks!


----------



## cheersm8 (Aug 12, 2003)

hello? well. after spending the whole of this day removing/repairing the effects of my pet w32.blaster.worm, with thnx to u guys :| , i now see symantec have written and provided a fix :- http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

wish i had found this at 8.00 am this morning! lol
ps: didn't know how to disable the RPC at the time so i had to download the ms patch using "getright" as i couldn't stay connected long enough to get it all at once!


----------



## adbates (Aug 12, 2003)

I got this same problem last night and I was furious!!! I didn't know what was going on. Finally, I stayed connected long enough to find this forum, and you guys helped me fix the problem. I used NacNud's advice about "restarting the service" and downloaded the patch from Microsoft. It seems to be working right now! Thanks for everyone's help; I appreciate it!


----------



## ebilis (Aug 12, 2003)

Hi, I am new here. I am so glad I found this forum. I had the same NT authority shutdown problem as everyone else. I received this problem yesterday 8/11/03 at 3:58pm and gave up trying to find the solution online in 1 minute. The shutdown problem goes away after I unplug my network cable from my computer but I still can't surf the net for answers. The weird thing is that this morning, the problem seemed like it was fixed before I downloaded the patch because I know I was online for more than 5 mins finding this forum and downloading the patch. 

Anyway, I downloaded the patch, ran it, removed msblast from the registry and system32 folder and everything is fine now.

Someone here mentioned not being able to delete it from the system32 folder. This is because the program is still running. You will first have to go to the Task Manager and delete it there by hitting ctrl alt del, clicking the process tab and looking for msblast.exe. After that you should be able to delete the .exe file in the system32 folder.

Well, I am happy I found this forum and just want to shout out MANY THANKS to everyone that helped here.
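
The manual cleanup from the ISP e-mail earlier in the thread, combined with the Task Manager step described in this post, written as a batch file so the order is explicit: end the process, remove the Run value, then delete the file. This is an added example, not part of any post; it only reports unless run with the assumed `clean` argument, and it assumes `tasklist` and `taskkill` are available, which is not the case on every XP edition.

```batch
@echo off
rem Added example, not from the thread. Indicators are the ones posters reported:
rem   Run value  "windows auto update" = msblast.exe
rem   file       %SystemRoot%\system32\msblast.exe
rem Usage: blaster-check.cmd         (report only)
rem        blaster-check.cmd clean   (also remove what is found)
setlocal
set "RUNKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
set "RUNVALUE=windows auto update"
set "WORMFILE=%SystemRoot%\system32\msblast.exe"
set FOUND=0
set MODE=%~1

rem 1. Running process. It must be ended first or the file cannot be deleted.
tasklist /FI "IMAGENAME eq msblast.exe" 2>nul | find /i "msblast.exe" >nul
if errorlevel 1 goto check_run
set FOUND=1
echo [!] msblast.exe is running
if /i "%MODE%"=="clean" taskkill /F /IM msblast.exe

:check_run
rem 2. Autostart entry. If it stays, the worm is launched again at the next startup.
reg query "%RUNKEY%" /v "%RUNVALUE%" >nul 2>&1
if errorlevel 1 goto check_file
set FOUND=1
echo [!] Run value "%RUNVALUE%" is present
if /i "%MODE%"=="clean" reg delete "%RUNKEY%" /v "%RUNVALUE%" /f

:check_file
rem 3. The executable itself.
if not exist "%WORMFILE%" goto summary
set FOUND=1
echo [!] %WORMFILE% exists
if /i not "%MODE%"=="clean" goto summary
attrib -r -s -h "%WORMFILE%"
del /f "%WORMFILE%"
if exist "%WORMFILE%" echo [!] Delete failed. Retry from Safe Mode.

:summary
if "%FOUND%"=="0" echo No msblast.exe indicators found.
if "%FOUND%"=="1" echo Indicators found. Install the MS03-026 patch and enable a firewall before reconnecting.
endlocal & exit /b %FOUND%
```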


----------



## xpspecial (Aug 12, 2003)

Thanks all for the suggestions. Ebilis, your suggestion about going into the task manager really helped, now I'm finally rid of the problem for good, hopefully.


----------



## CluelessMoi (Aug 12, 2003)

*Is virus really gone? plugin131_01.trace file found, TFTP files remain...*

Hello,
Thanks so much for all your help on identifying and fixing the problem. I didn't know my Win XP came with a firewall and it was nice to find out :winkgrin: It's now activated.

I first started getting the "unable to open TFTP files" when starting windows, then the dreaded RPC shutdown error. 

I ran AVG 6.0 anti-virus and it found nothing. Then I got TrendMicro's Housecall's virus scan and it found msblast.exe and cleaned it.

I downloaded and installed the vulnerability patches from Microsoft but the problem still remains .... whenever I restart my PC, the same "can't open TFTP 820, TFTP 1776, and TFTP 3900 unknown file type" error messages are still popping up. Does it mean my PC still has the virus somewhere?

I followed previous instructions to go to my Registry and Task Manager's process tab and did not find the virus registry/file there so I thought maybe TrendMicro's virus scan fixed it?? (maybe not???). 

I also checked under the dir c:/Windows/system32
the msblast.exe file is no longer there.

Another doubt I have is that I found a new trace file named plugin131_01.trace in C:/Documents and Settings/(my user name)/plugin131_01.trace

This file was also created at the same time that the msblast.exe was - Aug 11,03 about 10:21 am. 
I deleted it last night but now it's back to where it was! I know this file is new and it wasn't there before this incident.
Is this another property of the virus? 

Can someone please tell me what to do with the TFTP error messages, the plugin131_01.trace file and if the W32/Lovsan.worm (msblast.exe) is really gone from my PC? 

Thank you kindly in advance for your help.

CluelessMoi


----------



## Lethal (Aug 12, 2003)

i tried everything regarding the Cryptographic services and nothing seems to work. I still have the same problem, what can it be???


----------



## ebilis (Aug 12, 2003)

Sorry, don't know anything about that TFTP error. But I thought people should know that there is already a website cashing in on the msblast virus. 
I was surfing the web when my screen went white and the NT authority shutdown message popped up again, and I was almost fooled into thinking I got the problem again except that at the bottom of the dialog box, it says something like Fix detected and click here....which I did and it took me to a website to buy their product for about $30. 
Just thought I should warn others.


----------



## xpspecial (Aug 12, 2003)

I have a question. Though I have removed this virus from my system and I have the patch, could the side effects of 'msblast' still harm my computer?

An example of this I read on CNN..

http://www.cnn.com/2003/TECH/internet/08/12/windows.worm/index.html



> ""MSBlaster" is considered a time bomb. Its code directs infected computers to assault Microsoft's support Web page with a barrage of requests beginning this Saturday.
> 
> This type of attack is referred to as "denial of service." The attacks are also programmed to occur any day from September to December, then the 16th to the 31st of each month starting next year. "


My question is, I guess, is could this happen to me still even though I have the needed patch because my computer was already infected to begin with?

If this can happen to me, then how exactly can I help myself prevent it from happening?


----------



## idiotboy72 (Aug 12, 2003)

Looks like a big problem:

http://news.bbc.co.uk/1/hi/technology/3143625.stm


----------



## Guest (Aug 13, 2003)

And Welcome to Tech Support Forums all of you new members who posted on this thread..................


----------



## lilmisssmith (Aug 13, 2003)

hiya, 
i was chatting to my m8 on msn when he suddenly said:
"ive gotta go now for sum reason!, its couting down! cyaz in a bit"
and i was really confused, so when he came back on i told him to write down exactly what it said and then when he managed to come back on type it out and send it to me so i can c what i can do.
well he came back on and typed this:
remote procidure call service terminated.

and i realised he was either being hacked or had some weird virus. i had heard that a virus was going round on windows xp/2000 and asked which type he had, well it was xp so i came here and found the patch he needed and downloaded it i also found the message submitted by which i saved on notepad and sent it to my m8 as soon as he came bk online i then told him to read it and do exactly what it said but offline. when he came bk online he had done what it said and it seemed to be working. so i then sent him the patch and all was cured! 
but today i have spoken to my other m8 over the fone and she has came up with the same problem, i was wondering if the virus can find its next 'victim' over msn as she was listed in his friends list.
hoping to be able to 'cure' her computers virus later today, hope all your problems were sorted or get sorted soon,
loadz luv xXhollieXx


----------



## DragoTPE (Aug 13, 2003)

Sorry if i'm new, been hunting around and this is the gist:

Cryptographic service, I can't get it started, actually appears about 30 "services" are disabled and i can't get to properties.

I've manually removed msblast, checked the registry, clean

IS there a "manual" or "dos" method to activate or change service settings?
a log i can change

seems like most of the changes i can do are from dos, and that computer is isolated on the network (fortunately)

my second computer was a breeze b/c i hadn't turned it on in a while


----------



## ETaB685 (Aug 12, 2003)

Thanks SPEEDO, you gained about 40 members with this problem.


----------



## DragoTPE (Aug 13, 2003)

2nd comment, i have a dual boot(98) same partition. is it possible to repair the os from outside? just thinking of various ways to control this.

my second recourse is to isolate it on my network and try a sourced out antivirus


----------



## arlonharrison77 (Aug 13, 2003)

*Seems like you've got it covered*

The virus name is msblast.exe. If you see this on your computer, you're infected. It is also known as the Lovsan worm.

This data came from http://www.f-secure.com/v-descs/msblast.shtml

How to get rid of Lovsan worm in 5 minutes: 

1. Boot up the infected computer 

2. If you keep getting the "Shutdown in 60 seconds" dialog, click Start / Run, and execute command 'shutdown -a' 

3. Download and run the Microsoft patch to close the RPC hole. 

Download for Windows 2000 from www.microsoft.com: 
http://www.f-secure.com/dl-w2k/ 

Download for Windows XP from www.microsoft.com: 
http://www.f-secure.com/dl-wxp/ 

4. Download and run F-Secure's F-LOVSAN tool to remove the virus: 
ftp://ftp.f-secure.com/anti-virus/tools/f-lovsan.zip 

5. You're done.

This virus spreads itself by randomly generating IP addresses and attempting to attach itself to one of them. It is not related to KaZaA or MSN or any web site, so don't fear. As someone has pointed out, ZoneAlarm can prevent it from even accessing your computer.


----------



## dnp087 (Aug 13, 2003)

*McAfee delete lovsan worm*

my mcafee virus scan found the worm. i have installed the patch and firewall to prevent the NT AUTHORITY/SYSTEM shutdown so that doesn't happen anymore. My virus scan says i can't clean the file and have to delete it. i can't delete it........................... HOW DO I DELETE THE MSBLAST.EXE TO GET RID OF WORM AND ALSO RESTORE THAT FILE??????!!!!!!????


----------



## xmdzx (Aug 13, 2003)

I am still getting the "setup could not verify the integrity of the file Update.inf. Make sure the cryptographic service is running on this computer" error when trying to install the patch. I still cannot update through the Microsoft Update site either. Anyone know what I should do?


----------



## Akito (Aug 14, 2003)

*Answer*

Here are the download links for each patch....

Windows NT 4 Server & Workstation http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE

Windows NT 4 Terminal Server Edition http://download.microsoft.com/download/4/6/c/46c9c414-19ea-4268-a430-53722188d489/Q823980i.EXE

Windows 2000 http://download.microsoft.com/downl...b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe

Windows XP (32 bit) http://download.microsoft.com/downl...e-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

Windows XP (64 bit) http://download.microsoft.com/downl...-cfc7c5c67df5/WindowsXP-KB823980-ia64-ENU.exe

Windows 2003 (32 bit) http://download.microsoft.com/downl...9390b9/WindowsServer2003-KB823980-x86-ENU.exe

Windows 2003 (64 bit) http://download.microsoft.com/downl...50425/WindowsServer2003-KB823980-ia64-ENU.exe

I'd advise you go to that page first.... 

http://microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/msblaster.asp

Read a little about it just in case...

OMG I read the CNN page....

http://www.cnn.com/2003/TECH/internet/08/13/internet.blaster.reut/index.html

Seems that on Saturday, August 16th that MSBlaster worm will attack THE microsoft download site....which means that after it attacks on Saturday, you won't be able to download the patch!!! I advise people to download them before it's too late!!!

*PREPARE YOURSELF PEOPLE THE WORM HITS THE SITE IN 2 DAYS!!!*


----------



## Lachrymist (Aug 14, 2003)

*4 those getting CRYPTOGRAPHIC Errors*

First let me say, my girlfriend's computer got infected. She has XP, and I have to say it sucks. Get Win 2000 Pro and stay away from all that pretty icon nonsense. Ok, now that I vented.

I too ran into the cryptographic nonsense. Nice of Microsoft to put up a side note saying people may have this problem with their stupid patch. What a joke.

Anyways, I did all the steps mentioned to start the service, and to rename the corrupted folder in the cmd prompt. Still no success. I found this tech note on Microsoft's web site that explains how you have to re-register your dll files. Now I have not tried this yet because I'm at work so I don't know if it works, but here is the article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;813444#12


START:
Verify that the Microsoft Cryptographic Services Service Is Started
To verify that the Cryptographic Services service is started (and to start it if it is not): 
Click Start, and then click Run.
In the Open box, type cmd, and then click OK.
At the command prompt, type net start cryptsvc, and then press ENTER.
Type exit to quit Command Prompt.
Register .Dll Files

Re-register the following .dll files:
Softpub.dll
Wintrust.dll 
Initpki.dll
Dssenh.dll 
Rsaenh.dll 
Gpkcsp.dll
Sccbase.dll
Slbcsp.dll 
Cryptdlg.dll

To do so: 
Click Start, and then click Run.
In the Open box, type cmd, and then click OK.
At the command prompt, type the following lines and press ENTER after each line:
regsvr32 softpub.dll
regsvr32 wintrust.dll 
regsvr32 initpki.dll
regsvr32 dssenh.dll 
regsvr32 rsaenh.dll 
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll 
regsvr32 cryptdlg.dll

Click OK when you receive the message that DllRegisterServer in FileName succeeded.
Type exit to quit Command Prompt.

You should be able to install the patch now. Let me know if this works, anyone, because I will have to do it to my girlfriend's computer tonight.


----------



## sjjacks (Aug 14, 2003)

*Need help..*

Trying to rid my friend's computer of the Blast virus--here's what we've tried..any more suggestions?

1. Ran fixblast, found virus, deleted it.
Tried to install patch from a cd (she couldn't connect online without getting thrown off, I've got Win98 and no problems so I downloaded it and burned it to a cd)
Got error message: 
Could not verify the integrity of the file. Make sure the Cryptographic service is running on this computer.
Figured ok it has a problem with the cd.
Connected to MSN to try to download it. Immediately got virus again and computer restarted.
Figured it had something to do with MSN.

2. Ran fixblast, found virus, deleted it.
Installed our free ISP server on her computer and tried to download the patch from Microsoft. Immediately got virus again and computer restarted.
At a loss and went home to research more online.

3. Figured out we need a firewall. Set up the firewall, connected to MSN and downloaded patch from Microsoft.
Tried to run patch and received following error:
Could not verify the integrity of the file. Make sure the Cryptographic service is running on this computer.

4. Decided maybe the cryptographic service has a problem with it.
Did the following to try to fix it:
Click Start, and then click Run.
In the Open box, type cmd, and then click OK.
At the command prompt, type the following commands (what is within the quotes, excluding the quotes), pressing ENTER after each line: 

1.) "net stop cryptsvc"
2.) "ren %systemroot%\system32\catroot2 oldcatroot2"
3.) "net start cryptsvc"

Worked fine, tried to run the patch we previously downloaded and it got partially through before the error: Could not verify the integrity of the file. Make sure the Cryptographic service is running on this computer.
Thought about it and ran Fixblast again, found virus and deleted it again.
Tried to run the patch again, error again, tried to rename the cryptographic file again, file already exists. 
Decided to take a break and try to find out what to do next.

I would appreciate any feedback.
Thanks in advance.


----------
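
The repair steps from the two posts above (Lachrymist's DLL re-registration and sjjacks's catroot2 rename) combined into one batch file. This is an added example, not aeiron's file and not Microsoft's script; the backup-name loop and the failure messages are assumptions added here to handle the "file already exists" case sjjacks ran into.

```batch
@echo off
rem Added example: not aeiron's batch file and not Microsoft's script.
rem Run from an administrator command prompt on the affected machine.
setlocal

rem cryptsvc depends on RPC; if rpcss is down, starting cryptsvc fails with error 1068.
sc query rpcss | find "RUNNING" >nul
if errorlevel 1 (
    echo RPC service is not running; fix that first or cryptsvc cannot start.
    exit /b 1
)

rem Stop the service so the catalog database folder is no longer in use.
net stop cryptsvc

rem Choose a backup name that is still free. A second run otherwise fails
rem because oldcatroot2 already exists.
set "SYS32=%systemroot%\system32"
set "BACKUP=oldcatroot2"
set N=0
:pickname
if not exist "%SYS32%\%BACKUP%" goto dorename
set /a N+=1
set "BACKUP=oldcatroot2_%N%"
goto pickname

:dorename
if exist "%SYS32%\catroot2" ren "%SYS32%\catroot2" "%BACKUP%"
if exist "%SYS32%\catroot2" (
    echo Could not rename catroot2; something still has it open.
    exit /b 1
)

rem Restart the service; it recreates catroot2 when needed.
net start cryptsvc
if errorlevel 1 (
    echo cryptsvc did not start; check its dependencies before retrying the patch.
    exit /b 1
)

rem Re-register the DLLs listed in the KB article quoted above.
set FAILED=0
for %%D in (softpub wintrust initpki dssenh rsaenh gpkcsp sccbase slbcsp cryptdlg) do (
    regsvr32 /s %%D.dll
    if errorlevel 1 (
        echo Failed to register %%D.dll
        set FAILED=1
    )
)

if "%FAILED%"=="1" echo Some DLLs did not register; see the names listed above.
echo Finished. Reboot, then run the KB823980 patch again.
exit /b %FAILED%
```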



## pilotlight (Aug 14, 2003)

*Still getting the CRYPTO error*

Ok, here's my deal.

I didn't know at first what the heck this was, so when it first happened, I disabled RPC service and RPC Locator service. It kept happening so I disabled all startup things. Then I went to norton and found out it was a virus. I downloaded the fix for it and it was removed. My computer hasn't shutdown randomly since then.

BUT, My computer is kind of messed up now. Like I can't open properties windows on services (so I can reenable RPC). The Crypto service won't start, and my RPC won't start.

I can't install the MS patch because it says my CRYPTo thing isn't running.

The bottom toolbar is messed up too. It doesn't show programs that are open, and things don't open right. 

It's almost like Windows just isn't all there. I tried turning back on all the startup stuff, and have tried all the things listed here. But to no avail. 

Any help would be hugely appreciated guys.

AH, yes, and one more thing. My computer now starts up/logs in EXTREMELY slow. This all happened at the same time. I think I might have messed it up trying to fix the MSBLAST thing, now I'm stuck.


----------



## kingman (Aug 15, 2003)

*Same Crypto problem. Nothing works*

I'm trying to resurrect a friend's XP machine. I have MS patch on disk as well as a worm removal tool from Symantec. Can't get the patch to install. Same symptoms as sjjacks reports. Tried all the tricks I can find and still can't install patch. Went to windowsupdate and that can't seem to complete either.

I'd greatly appreciate any ideas. My friend's depending on me!!


----------



## aeiron (Aug 15, 2003)

.


----------



## sjjacks (Aug 14, 2003)

*hmm..*

I'm curious to know how you fixed it, whats in the bat file?


----------



## RogerMcc (Aug 15, 2003)

*KB823980 ERROR*

I too had the problem installing the MS fix for the blaster worm, receiving the KB823980 Error - Setup could not verify the integrity of the update.inf. Make sure the cryptographic service is running on this computer.

I confirmed the service was running and that it was starting automatically.

I then used the previous post, and stopped the service from running, and renamed the catroot2 folder, restarted the computer, downloaded the fix, and Bob's your uncle.

Thanks all, this will be a forum I will regularly check from now on.


----------



## kingman (Aug 15, 2003)

The bat file posted by aeiron implements the procedures outlined in the post on page 3 by Lachrymist. Since the procedure comes from MS, it should be safe.

I won't have time to try this 'till tomorrow. If anyone else has success with it, please post.


----------



## Volt-Schwibe (Jan 12, 2003)

*wow*

more than ever, now i am glad i hate and do not use xp and 2k.

lol

~BoB~


----------



## Volt-Schwibe (Jan 12, 2003)

*oh*

and this is what mess.be had to say about it, and i quote:

"Updated Security threat: beware MsBlast.exe

dwergs says:
Updated: D'z warned me about this earlier on and now Symantec released a security report regarding the W32.Blaster.Worm. 

This worm will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC" 
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch your computer against the DCOM RPC vulnerability.

To find out whether you're infected, press Ctrl+Alt+Del and verify if the process 'MsBlast.exe' is running. If it is, kill the process MsBlast.exe from the task manager. Next, execute regedit.exe and search for the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Delete "windows auto update"="msblast.exe" from the right pane. 

Final step: delete msblast.exe from either the Windows System and/or System32 folders.

Update #2: Do these instructions stupefy you? D'z was one of the very first to create an auto-cleaner for this worm, and now Symantec released a removal tool.

[Detailed removal instructions: Symantec.com]"

this doesn't say anything at all about this being related to msn, or the msn messenger, or any of ms's products except the fact that it affects windows machines...

so, now i am truly confused about what was said

~BoB~


----------



## sjjacks (Aug 14, 2003)

*Yahooo.....*



aeiron said:


> Download this batch file I created and run it. Then restart and apply the patch. It will work. I was pulling my hair out also, but found this fix on another board.
> 
> http://users.adelphia.net/~aeiron/Cryptographic Error Fix.bat


It worked! Problem fixed, patch installed and we are set to go!
THANK YOU!


----------



## Two4trippn (Aug 15, 2003)

First off, let me say thanks to all, as I too got infected using XP Pro this week and was able to cure all (so far) with this forum's aid. The combo of the patch, regedit and deleting of msblast.exe from system32 folder did the trick for me. I enabled my firewall, which I swore was running prior to contamination but it was not so... 
This was my first known virus in 8+ years, running multiple OS's in that span without the aid of AV support. Has anyone had issues with system speed since the patch? My pc seems hungover, could it be any unknown after effects? The only funky thing after the msblast repairs was the need for me to remove my cd burner from device manager, which was recognized only as a cd rom. I have 2 cd burners, but it only affected the one, the D: drive. 
Just thought I'd share and see if this may have been related to an unknown or uncommon side effect and say thanks again for the shared knowledge base.


----------



## Two4trippn (Aug 15, 2003)

Just to update - after running Trend Micro's HouseCall, I removed the following files from windows\system32 folder

dcom.exe
lolx.exe
sysval32.exe
a temp int folder from local settings
the same 3 exe files were also found on the root directory.

Things are purring once again. Thanks to all for the help!


----------



## geekieduckie (Aug 17, 2003)

*cable modem issues*

since i cleared out the virus (thanks so much to the help of EVERYONE in this forum, it saved my life, plus i took all this info up to the best buy i work at and it helped a lot of people), my cable modem has been blinking on and off, working, not working, roughly every five minutes it goes thru this fit. i did everything posted here, plus installed the zonealarm firewall.

i was up at my isp, paying a bill and i asked the girl working there what the deal was, she said that the virus was essentially living within my modem, and that i needed a firewall. 

well, now i have a firewall, and still, no luck.

any ideas? i'm not sure if i've missed something or what...

please feel free to im me via aim @ xdharmaxbumx, i'm generally always online (except when the net blinks out)


thanks!


----------



## Decibel (Aug 17, 2003)

I am having the same exact problem "pilotlight" is having. I don't get the RPC error again but my whole PC is messed up. I can't even cut and paste anymore nor access the links posted here just by clicking on it. I have to type it out manually in the browser window.

Everything that was posted on this thread I have already tried. My cryptographic service simply WILL NOT start up. I have tried the fix.bat as well as manually entering the values in CMD. I only get: System error 1068 has occurred. The dependency service or group failed to start.

Does RPC have something to do with it? I have tried to start it in the services but get error 1058 lol.

Any help is much appreciated. Thanks!


----------



## aeiron (Aug 15, 2003)

Boot into safe mode, then do all the fixes. That's what I've done to get around machines acting just like that. Worked for me.


----------



## tao823 (Aug 15, 2003)

I'm having the same problem as decibel and booting in safe mode and trying all the fixes doesn't work either. Cryptographic services will not start with the bat file or by manually starting in the cmd. I no longer have the functions of cut and paste and a lot of settings have been changed too. Anything I can do?... otherwise I'm just gonna format c and reinstall xp


----------



## kingman (Aug 15, 2003)

Wanted to thank everybody, especially Lachrymist for the re-register info and aeiron for putting same into a nice typo-saving bat file. Worked like a charm.

Wish we could now solve the problem for those whose Crypto service apparently won't even start.... I don't have a clue. If you go into the services window (services.msc /s from run window) and try to start it, what happens?


----------



## DragoTPE (Aug 13, 2003)

Batch file fails.

manually registering all dll's: works except crypto so no go there

I have a dual boot into windows 98, doesn't help though

msblast is gone now

msblast seems to have come with "some other file" not described as msblast causing all those issues. I noted above some virus potential files that were removed, i will try those next.


----------



## tao823 (Aug 15, 2003)

when i try to get cryptographic services to restart it says: error 1068 dependency service or group failed to start. Also everything works in the command prompt to re-register the dll but starting crypto doesn't work.... grrrrrr.


----------



## DragoTPE (Aug 13, 2003)

Having issues with network, but i'll get those stopped. anyone have luck with :

net stop cryptsvc
ren %systemroot%\system32\catroot2 oldcatroot2
net start cryptsvc

rpc might be the key


----------



## kingman (Aug 15, 2003)

*Error 1068*

I have learned the following:

For Cryptographic services to start, RPC service must be running first. You find this out by opening the services window (run - services.msc /s) then right-clicking on cryptographic services and selecting properties. From there you can find the dependencies. That's what error 1068 means - that a required service the requested service is dependent on isn't running. Since RPC is the service that the worm attacks through, could it be stopped on your computer? I'd go to the services window and check it out. 

If you can't keep RPC running because of the worm, go to the services window, right click on RPC (NOT RPC locator) and select properties, then choose the recovery tab. Under this window, set the three places where "restart the computer" appears and change the settings to "restart the service". This keeps RPC running and may allow you to get Crypto service started. Remember to put the settings back later!!

I'm guessing at all of this, but it's what I'd try next.

Good luck.


----------



## DragoTPE (Aug 13, 2003)

quick comment

not sure if others are aware

for the crypto issues:
i am not able to right click and go into properties on any service, only able to do dos commands.

run - services.msc /s

have to look up that, or another way to run it manually, that should help though thanks


ADD:
found this under NT
net start rpcss


----------



## LaGiggles (Aug 17, 2003)

*Help*

i need help cuz i keep on gettin that **** shut down thing too an i don't know what it means. i'm computer retarded. i talked to my brother an he told me to go to a site but when i was downloadin the thing he told me to download, that stupid shut down thing popped up an restarted the computer. 

it just popped up again **** it plz help me thanks


----------



## Decibel (Aug 17, 2003)

OK I uninstalled Windows XP (previously had Windows ME OS), then reinstalled it. The TFTP308.. window popped up again however. I went into msconfig and unchecked it within the Startup tab and also deleted all directories with the same filename. Checked into the registry and no suspicious files were found under Run. I got all the necessary patches and the fixblast.exe from a separate source (thanks to my friend) and installed all of them. Then I restarted the computer.

Problem seems to be gone! Hope this helps anyone here still having problems.


----------



## xpspecial (Aug 12, 2003)

I just have a question about the patch for msblast. I downloaded the msblast patch before my auto windows update could ask me if I wanted to install it, instead, downloading the patch directly from the website itself. It appears in my add/remove programs as KB823980 (If I remember correctly, I think that is the number)

Well anyway, my automatic windows update system finally came up asking me if I wanted to install the patch. Now normally if a patch is downloaded from my automatic windows update (Instead of having to go to the site to download the patches, it lets me know which patches are available to install on my system.) the patch would register in my add/remove files as Q823980.

My question is, since the patch has already been installed previously onto my system, do I have to download the patch again or can I just go ahead and uncheck it because I already have it installed? I mean, I am kind of confused why automatic windows update is asking me if I want to download the patch if it's already installed on my computer. Any help would be greatly appreciated.


----------



## LaGiggles (Aug 17, 2003)

*Nah*

my brother came over and downloaded My FireWall Plus and he did everything to make it set up an everything but then about 10 minutes after he left this thing popped up that asked if I Would Let It Connect To BILL.HACKARMY.TK and i don't even know what that means

i just wanted to know if i should let it connect or press no thanks again


----------



## aeiron (Aug 15, 2003)

For those of you with no luck yet: I have been through nearly 50 machines myself and my dept has seen nearly 300. In my experience I have seen the reason some machines don't fix right away is because they either have multiple viruses or an old version of the fix utility. Norton is now at version 1.04 or 1.0.4 of their fixblast utility (4 revisions) and the same goes for the other fixits. Get them all and run each one to make darn sure you don't have any viruses running. This worm seems to serve as a gateway virus opening the floodgates for multiple viruses to attack your exposed machine. I've seen everything from klez/elkern to Nimda and various other trojans. Two machines have had over 30 viruses. Also, you might have to stop the cryptographic service, delete the contents of catroot2 folder in system32, run cryptographic services again and then run the .bat file. Hope this helps.


----------



## bobmarsh72 (Aug 18, 2003)

*PLEASE HELP!*

I just can't get rid of this virus!!!

What i have done so far is...

deleted the virus from the registry and from system 32.

done a full virus scan with norton antivirus 2002 with the latest virus updates and nothing is found.

used symantec's fixblast to find the virus but nothing is found.

I have downloaded the patch from Microsoft, but when I go to use it, it says that thing about the cryptographic service.

So i changed the RPC things to 'restart the service'

Changed the name of catroot2.

Made sure that the cryptographic service is running.

But the patch still won't run.

And the virus is still on my computer even though it cant be found after several scans.

Every now and again Norton finds the virus in system32/TFTP1712 whilst on auto protect, but not during a full system scan, but can't delete it because access is denied. So when I search for the file it's not there! So I'm not able to delete it.

So overall I have deleted all MSBLAST files off my computer and checked with several scans, but the bugger is still on my computer in a file called TFTP1712 which doesn't exist. And I'm not able to use the patch!

PLEASE HELP!

Simon



----------



## kingman (Aug 15, 2003)

To LaGiggles,
The solution to your problem has already been supplied. I'm pasting the message from NacNud below. Follow his instructions to buy time to get the appropriate download(s). Read through the rest of the posts if you have further problems.
*******************************************

Hello, 
I work in the IT Dept. at my company and we had this happen to several of our users. The problem we came up against was that the computer would restart before we could install the patch; this even happened in safe mode. After some more searching I finally found a way to stop the computer from rebooting so that the patch could be installed. When your computer comes up go to control panel -> admin tools -> services and select the remote procedure call (RPC) and go to properties. Click on the Recovery tab and change all of the failure actions from restart computer to restart service. After you apply this your computer will now not restart the next time the problem occurs. This will enable you to have enough time to run windows update and get the patch installed. After you have the patch installed reset the service to restart the computer and you should be all set.

-NacNud


----------
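
A command-line version of the Recovery-tab change NacNud describes, together with the dependency check from kingman's Error 1068 post, for machines where the service Properties dialog will not open. This is an added example, not from the thread; the script's three action names and the 60000 ms delays are assumptions, and the thread does not establish whether sc.exe can reach the service manager on a badly damaged machine.

```batch
@echo off
rem Added example, not from the thread.
rem Usage: <script> status | hold | restore   (action names are made up here)
if /i "%~1"=="status"  goto status
if /i "%~1"=="hold"    goto hold
if /i "%~1"=="restore" goto restore
echo Usage: %~nx0 status ^| hold ^| restore
exit /b 2

:status
rem cryptsvc lists RpcSs as a dependency; error 1068 means that dependency is down.
sc qc cryptsvc | find /i "DEPENDENCIES"
sc query rpcss | find "STATE"
rem Error 1058 means the start type of the service is DISABLED.
sc qc rpcss | find "DISABLED" >nul
if not errorlevel 1 echo rpcss is DISABLED, which gives error 1058. Re-enable with: sc config rpcss start= auto
rem Show the current recovery actions so they can be put back later.
sc qfailure rpcss
exit /b 0

:hold
rem While patching: restart the service on failure instead of rebooting.
rem Delay is in milliseconds; 60000 is an assumed value.
sc failure rpcss reset= 0 actions= restart/60000/restart/60000/restart/60000
exit /b %errorlevel%

:restore
rem After the patch is installed: back to "restart the computer" for all three failures.
sc failure rpcss reset= 0 actions= reboot/60000/reboot/60000/reboot/60000
exit /b %errorlevel%
```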



## asinblue (Aug 19, 2003)

*finally fixed*

Many thanks to Lachrymist for the post. Re-registering the DLLs worked. 

I too was having problems with the re-occurring cryptographic service message, even after renaming the CatRoot2 folder. I did have to reboot to get it to work. I didn't get to even read aeiron's post with his file, but I'm sure it works.

Thanks for everyone's help! Great forum!


----------



## xpspecial (Aug 12, 2003)

bobmarsh72-

You have to go to system32 folder manually to delete TFTP1712 (note for anyone reading this, the file number will be different for each of you. TFTP(different number here.)

When you get into system32 make sure to have your folder set to details (under view on the tabs at the top of the page)

depending on what day the virus entered your system that is the day the TFTP file will have been created.

Everyone has this file under system32 if they got the msblast virus. It is very important that you delete it. This file is what is used to spread msblast to each new computer so as long as you have it in your system it helps to spread the virus to other computers.

IMPORTANT NOTE: Do not confuse the tftp application with the tftp that has the number attached to it, you want to only delete the file, not the application. (the file is directly below the tftp application. DO NOT delete the application, only the file.) (it'll say file if you have details enabled for system32 folder.)

Anyway, it'll take some time to find it, but it's there. I didn't even know I had it until I glanced over your reply bob, I was curious so I went looking.

These instructions were explained to me, and I just wanted to thank the person who was kind enough to help me. So thanks DJ (I know you'll view this thread.)

Anyway, I hope this helps you all. Please all look for this file, you need to delete it.

Also, to be safe, check your prefetch folder for the virus.


----------
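
The manual checks quoted from mess.be earlier in the thread, plus xpspecial's TFTP file tip, collected into one read-only script. This is an added example, not a tool from the thread or from any vendor; it only reports, and the `[!]`/`[?]` markers and the exit code are choices made here.

```batch
@echo off
rem Added example: read-only check for the Blaster indicators named in this thread.
rem It reports findings and deletes nothing.
setlocal
set FOUND=0

rem 1. Autostart value the worm adds under the Run key.
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "windows auto update" >nul 2>&1
if not errorlevel 1 (
    echo [!] Run key contains "windows auto update"
    set FOUND=1
)

rem 2. The worm binary in the Windows System or System32 folder.
for %%P in ("%systemroot%\system32\msblast.exe" "%systemroot%\system\msblast.exe") do (
    if exist %%P (
        echo [!] Found %%P
        set FOUND=1
    )
)

rem 3. Leftover TFTP-plus-number files; tftp.exe itself is the legitimate client.
for %%F in ("%systemroot%\system32\tftp*") do (
    if /i not "%%~nxF"=="tftp.exe" (
        echo [?] Leftover transfer file: %%F
        set FOUND=1
    )
)

rem 4. Running process. If tasklist is not installed this check finds nothing.
tasklist /fi "imagename eq msblast.exe" 2>nul | find /i "msblast.exe" >nul
if not errorlevel 1 (
    echo [!] msblast.exe is running
    set FOUND=1
)

if "%FOUND%"=="0" echo None of the Blaster indicators from this thread were found.
exit /b %FOUND%
```

A clean result only means these specific indicators are absent; aeiron's post above notes that infected machines often carried other malware as well.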



## tao823 (Aug 15, 2003)

this reply is to kingman's post about having to have rpc started in order to restart crypto. I did have a feeling too that that was the problem of why crypto would not start and i have tried to restart rpc too after i installed a firewall; however, rpc will not start due to error 1058. Something about this service is disabled bla bla. and seems like it can't be started again after it's been stopped.... so still no luck.


----------



## DaveRMT (Aug 18, 2003)

*NT AUTHORITY/SYSTEM Bug*

 

Select Run type "cmd"

then type "shutdown -a"

then press enter

this will stop the message coming up.


----------



## CluelessMoi (Aug 12, 2003)

*Remnants of msblast? A trace file - Pls make it go away*

Hi, I followed the instructions supplied here and got all necessary patches, went through regedit, task manager, system32 folder to make sure msblast is no longer there, and ran many different virus scans. After TrendMicro first detected and cleaned it, other virus scans found nothing. The RPC shut down error is gone but a few problems remain:

1)
*********Please also everyone who got this msblast virus, check your directory for a file named plugin131_01.trace *******

C:/Documents and Settings/(Your User Name)/plugin13_01.trace

I found it there after I got msblast, it wasn't there before and the file was created the same day and time when I got the msblast virus.
I deleted it countless times since then but it always comes back with another copy sitting there. I could only delete it when Internet Explorer is not running, otherwise it'll say "can't delete, the file is in use".

Please someone tell me how to get rid of this trace file for good.


2) There are three TFTP(a number attached) error messages that pop up every time the PC is restarted. I went to System 32 as suggested in a previous message by Xpspecial, with detail enabled. I only found one TFTP(320- a number that does not match any of the 3 that pop up after restart) file besides the tftp.exe that we are supposed to keep. Where else would I find the TFTP(number) files that are supposed to be there (somewhere?) and files with the number that matches the ones that pop up after restart?
And should I delete the TFTP320 file I found under system32 folder (even tho it's not the same one that pops up after restart)? 

I got the msblast.exe file on Aug 11,03 but this TFTP320 file was created Aug 6,03.

I hate to think that these TFTP and the trace files are hiding somewhere in my PC and opening a door to more attacks whenever the PC is online.


Thank you kindly in advance for your time.

CluelessMoi


----------



## bobmarsh72 (Aug 18, 2003)

*AT LAST!!!!*

I have had trouble installing the patch for the msblast virus for some time. I managed to download the patch by using "start-run-cmd-shutdown -a",which cancelled the shutdown process and gave me enough time online to get it.

But the only problem was installing it, because I kept on getting the error "KB823980 Setup Error" going on about making sure the cryptographic service was running.

I changed the name of catroot2 and made sure the cryptographic service was running, still no luck.

Until I found this website www.updatexp.com/cryptographic-service.html which gave me information that no other did about dll files in the catroot2 folder and how some of them were corrupt and how to fix it. So anybody having trouble installing the patch, that is the place to go.

And finally bingo, i managed to install the patch.

Thank you very much for your help...I've got rid of the virus at last!

Simon


----------



## Lizubia (Sep 1, 2004)

*Thank you!!*

Thank you for the "shutdown -a" tip. This board is proving to be a great help.


----------

