Bri

Troubleshooting Bri's PC


I have only noticed 1 very odd message on any of my computers in nearly 7 years and it happened last fall.

I wish I could say something similar, but I get them all the time ..

I have only found one message in my relative inexperience with computers that I cannot find an innocent explanation for and I have typed it below. I cannot figure out how to copy/paste it (I think it is an HTML file and it is a pic of the error message caused by the Blaster worm released in August found on a Microsoft security page).

<<System Shutdown
This system is shutting down. Please save all
work in progress and log off. Any unsaved
changes will be lost. This shutdown was
initiated by NT Authority\System

Time before shutdown: 00:00:21

Message
Windows must now restart because the
Remote Procedure Call (RPC) service
terminated unexpectedly>>


In this context, does your "message" still mean "e-mail" ??? In this case, I'm thinking that "message" = "pop-up" ... this goes way back, and in a corporate LAN system, this was a means for the SysAdmin, IT, whatever to kick a warning out to all the connected systems/users that the mainframe/file server was going down .. Microsoft left this port and service running wide open in XP, and somebody noticed ...

This is where the 'normal' firewall mode would come into play, keeping internal traffic internal, external traffic external ... but those clueless home users connected directly to the net through clueless ISPs ... thus begat the MsBlaster saga (among other historic events)

BTW:  was the port/services stuff of any value to you?

Yes, it confirmed information I had read.

Please correct me if I am wrong but the blaster worm was reported on August 11, 2003 and symptoms included the message I posted previously. I would assume by August 12, 2003 that Norton anti-virus scanned for it. I bought a computer in late September which came with a 30 day free trial of Norton anti-virus (which I IMMEDIATELY subscribed to, although I did not install a firewall and I IMMEDIATELY updated the virus definitions). I also ran a virus check once a week. I only had the computer about 4 weeks and ran a virus scan (after updating the definitions first) every week for the first 2 weeks. I ran a virus scan at least 10 times the last 2 weeks before....well, before another coincidence that involved the erasure of my hard drive. I set up the computer myself, networked it to my older computer (that had up to date virus protection) and installed only registered software. The only places I can pinpoint as a vulnerable area lie in the questions I have asked already.

Again, I would happily accept an innocent explanation for what I have seen but I have not found the resources yet that point to it, any suggestions? Not to mention my spam problem is related <g>


How about ... the RPC exploits are not virus things.

Virus, Trojan, ilk are files, either stand alone, encrypted, encapsulated within another file

Anti-virus tools will usually find them based on their characteristics being identified and appropriate data being fed into the database update files ... and there's the rub, anti-virus tools are reactionary ... after the fact

Your example started with a computer bought here, anti-virus tool bought then (noting that the software may have been in the distribution channel for how many months?) .. ok, you said you went with subscribing and updating, so you're caught up to say within a month of the never-ending virus building lowlifes ... the update released today is the result of the last two weeks of work .. so you're never really current ...

The exploits you mention aren't virii ... which is why an anti-virus tool doesn't see / catch them. Another area would be what is known as spy/scumware. The most famous of these has to be Kazaa .. installing Kazaa also installed a number of other "useful tools" (items resulting in monetary kickbacks to the Kazaa owners for all those installations) ... Folks found out that even if they decided that Kazaa was bad, removing it did not remove all that excess baggage .. only Kazaa got removed. A class action suit was threatened, so Kazaa changed the EULA (End User Licensing Agreement), clearly stating that by accepting the EULA, all this other garbage would be loaded .. solved the legal issues, theoretically advised users of what was going to happen, but of course, who reads all that legal garbage?

Though some would classify some of that extra stuff as being in the same class as a virus, that it was addressed in the EULA, and the user had to accept the install as part of the installation of the main program, it was a decision by the anti-virus folks that these apps would not be recognized as virii ...

Have I gotten close to answering the question I'm not sure I've understood yet?


Have I gotten close to answering the question I'm not sure I've understood yet?

sigh, I am so sorry I am dense but I swear I am trying. I know what a spybot is, I am familiar with Kazaa and others. You are saying that installing kazaa on one system can lead to an infection on another networked with it and the spybot can throw the EXACT same error message that I have previously typed?

and I am not sure where I mentioned a virus, I will go back and read as I could have just misstated. I am talking about worms/backdoor trojans when I speak of anything, which I am now (hangs head) pretty sure I never mentioned originally

Edited by Bri


ahhh, went back and found the virus references in the second page. Sorry, but it is not ALL my fault, look up MY Doom and count how many times it is referred to as a virus or a worm (and then a backdoor).


I'm not going to target Kazaa as the source ... one of their affiliates was Gator, who has sent lawyers after folks that claimed that Gator was one of those bad word type apps <g>

What I will say ... there once was a day when I brought a customer's computer in here and screwed up by plugging it onto the wrong LAN segment ... I spent most of the rest of that day cleaning up my own machines.

The majority of the recent virii are very much aware of networked connections, and remember that the Internet is nothing more than a humongous network ..

count how many times it is referred to as a virus or a worm (and then a backdoor)

virus as it's floating around as a file

worm as it's in the process of installing and spreading

backdoor once it's installed and running ...

??? better?


I know the differences, I am not talking about a virus. Does a spybot or a virus throw that same error message? If so, I will happily go look at any sites that can help verify this if you will kindly tell me where


are you talking of a current infection / situation? if so, does this link help, or am I way off target?

http://www.google.com/search?hl=en&ie=UTF-...ectedly&spell=1

and here's a link by a guy I trust, having dealt with him daily over in the Microsoft support groups;

http://www.mvps.org/sramesh2k/HTML/RPC_Exp...SBlast_Worm.htm

Edited by Wazoo


I will certainly go look at these links, but I can only say again I do not believe I was infected at the critical time I am speaking of with the blaster worm and combined with a whole lot of other things I am still highly interested IN WHAT ELSE WILL THROW the type of error message I have seen. I swear AGAIN I have searched for another answer to my conclusions, I cannot find one.

I feel as if I am caught between the rock and the hard place and typing is such a slow way of communication (not to mention the people that like to watch the sites such as these). Thank you Wazoo for trying to help, I am sorry I cannot state it any clearer than I have managed so far.

Truly, any link to the error message I have already posted (besides the blasterworm) would be most helpful to see


Not as an attachment, but hidden content can be present. The people dissecting one of the current worms think that it was hidden in a porn picture for its original spread. But just downloading the picture did not cause it to be activated.

They know that something else needed to extract and activate it, but the last time I looked, they had not determined what..

the porn pic was an Html?

and please, where can I find a place discussing this exact topic?

Edited by Bri


No, I have been trying to think of a way to phrase my question and I will try again to be more accurate.

Please bear in mind I am still talking about the IE message concerning the shutdown of my computer. I bought a computer in late September and as soon as I was able to log into the net I updated the Microsoft software. I then immediately went to Norton and updated the virus definitions. Since I have never had a "world-wide" (not to mention the run-o-mill type) virus/worm/trojan/backdoor ever found on any computer I have ever owned (I am going to allow for one I have forgotten to be accurate, I have owned computers for 10 years now) I was relatively unaware of the names of the newest occurrences of said crud. I know when I created my throwaway box; I "know" the few I gave the address to; I know the first site that caused me to create the address and I know when the porn spam started. Coincidences.......among others.....and because of the timespan of all these events which includes the release of the blaster worm compared to the message I have received in relation to all....... I am still totally lost on what happened.

I can pinpoint 4 times exactly that I opened that computer up to things I can not even comprehend (yet). 3 times involve jpegs (not porn) and one time involved an http link to a site that had 3 button links to advertising for realty. The links did not exist after a very brief time. I have read a lot of the blaster links you kindly provided and have found nothing I was unaware of to this point.

My questions remain within my last two posts and do not deal in any way with copyrighted etc. material of my own (although that has been another path I have watched for a time, seems to be quite the categories of odd people running around).

My first question now is "what causes a message like that other than the blaster worm" keeping in mind all your links correspond with my reading. If I am to understand all the posts and warnings I would assume that with updated virus/microsoft in the month of sept/oct 2003 I would be protected from the blaster. I also assume from the posts that even if I had downloaded it somehow that a Norton scan in late sept/early oct would have pinpointed it on my system.

My second question is "where do I find information regarding the early dissection of the MY doom virus that seems to point to a porn pic and was the pic thought to be a Jpg or an html or bitmap or etc?" Thank you Wazoo, I know I am a pain but dang, it is really hard to get someone to actually have a conversation with and has decent links to information :-)


Actually, the interesting item on that last link was the ad pitch for Stegnosis, which carried the description that tied to your (at that time) last question, dealing with WB8TYW's posting (which you quoted) .. the embedding of other file data within a graphic. The write also went along with my previously mentioned need of software at both ends .. embedding the data and extracting the data ...

I can pinpoint 4 times exactly that I opened that computer up to things  ...... My first question now is "what causes a message like that other than the blaster worm"  .... with updated virus/microsoft in the month of sept/oct 2003 I would be protected from the blaster

If we focus on msblaster, you don't/didn't/can't get it from a web page .. the only link there would be that your IP shows up in that web server's logs as a visitor .. which may have then been used, but ...

With updates, you "could" have been protected ... but you could also have been "infected" with something else that changed your system settings, and was not in the anti-virus database as a known "virus" ... again, not all bad things are considered virii ...

Note that a lot of these things are discovered exploits, data made available somewhere, sometimes even the Microsoft security patch gets reverse engineered to see what they fixed (on the assumption that only a small percentage of computers out there ever actually get updated) ... sample code gets posted somewhere to demonstrate the exploit, others snag that code and start modifying it, and the next thing anybody knows, there's a dozen different versions of the virus/worm/exploit floating around the web, and the latest anti-whatever tools might only know of a half-dozen of them.

The best official documentation on how this specific one worked is found at http://support.microsoft.com/?kbid=823980 ... notice even this description floats from msblaster to Nachi ... the variation theme from the above ...

you'll also note down at the bottom of that document that Microsoft recommends the use of a firewall above and beyond the application of the security patch.

seems to point to a porn pic and was the pic thought to be a Jpg or an html or bitmap or etc

you'd have to ask WB8TYW for his cite ... (I know, you did, but ... ) tying any of to the msblaster thing, I'm not aware of that one ...

The msblaster came in over the net, nailing exposed and unprotected machines right and left. TechTV had a guy calling in, describing his attempts at fixing his system .. so upset, that he'd re-formatted, re-installed Windows, then went to go get all the patches and security updates, but before he could get all those downloaded, he was infected again (three or four times, as I recall) ... basically, no firewall, ports 135-139 and/or 445 open to the world, and services running to accept the RPC calls coming in ...

Your last question "what else could cause the message" I tried to answer with the Google search on your error message ... If no one else has posted that it came from anything other than the RPC exploit via the ms-blaster, then I'm kind of left that you're looking down a long, lonely country road at this point ... sorry .. this type of exploit is pretty much old news .. well excepting those either recently buying or looking to buy their first computer .. (why it's still floating around) ...

Edited by Wazoo
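An added example, not written by any poster in this thread: a check for the exposure described in the post above (ports 135-139 and 445 reachable from outside the machine), run over the text of `netstat -an`. The sample output is constructed, and the function names are hypothetical.

```python
import ipaddress

# Ports named in the post above: 135-139 and 445.
WATCHED_PORTS = set(range(135, 140)) | {445}

# Constructed sample in the layout of Windows `netstat -an`;
# it is not output captured from any real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:445       192.168.1.21:1050      ESTABLISHED
  TCP    192.168.1.20:1045      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:123          *:*
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def exposed_listeners(netstat_text, watched=WATCHED_PORTS):
    """Return sorted (proto, port, scope) for watched ports bound off-loopback."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # A TCP row counts only when LISTENING; UDP rows have no state column.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        try:
            addr, port = split_endpoint(local)
        except ValueError:
            continue  # unparseable local address, skip the row
        if port not in watched or addr.is_loopback:
            continue
        # 0.0.0.0 (or ::) means the service answers on every interface,
        # including one wired straight to the internet.
        scope = "all interfaces" if addr.is_unspecified else str(addr)
        findings.add((proto, port, scope))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, scope in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {port} is bound to {scope}: filter it at the firewall")
```

A listener in this list is only reachable from the internet if nothing in front of the machine filters it, which is the firewall point made in the post.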


Bri,

The source of that error message could just have been some glitch that caused the RPC service to terminate unexpectedly. Goodness knows, Microsoft's software isn't perfect.

Re the porn and other links popping up, I suggest you use a firewall, Spybot Search&Destroy, and Ad-aware to research possible spyware or adware on your PC.


I do not remember which virus was the one that they traced to a porn file. It was a picture, not HTML. Probably a jpeg file.

There have been so many of these stupid things out lately that I have lost track of which one does exactly what.

A google search might find it. The infected porn file found on an adult newsgroup is the earliest timestamp of a file that was found with the virus inside of it at the time I read the report.

The newsgroup posting was traced to a dialup internet account, and it was determined that the poster had a remote control program running on that machine, so there the trail appeared to stop.

As my system is not vulnerable to those things, I do not track them that closely except out of habit. 3 years ago I had responsibilities for keeping such things under control for a large network.

-John

Personal Opinion Only


Like you, keeping up with them is one thing, remembering all the old ones, something else ... though that LeadingEdge, Model D, that was dropped off a few weeks back with the Stoned virus sure brought back some old memories <g>

is this in the ballpark of your last question?

http://www.wdvl.com/Authoring/Graphics/Theft/protect.html

The only reason I discounted this is because the Steno software only worked bmp to gif, no jpeg support. Of course, it is always possible someone found a way around this.

I do not remember which virus was the one that they traced to a porn file. It was a picture, not HTML. Probably a jpeg file.

This is definitely a path I will attempt to follow.

The source of that error message could just have been some glitch that caused the RPC service to terminate unexpectedly. Goodness knows, Microsoft's software isn't perfect.

Yes, a definite possibility.

Re the porn and other links popping up, I suggest you use a firewall, Spybot Search&Destroy, and Ad-aware to research possible spyware or adware on your PC.

I have been doing all of this for a while now, thanks

If we focus on msblaster, you don't/didn't/can't get it from a web page .. the only link there would be that your IP shows up in that web server's logs as a visitor .. which may have then been used, but ...

With updates, you "could" have been protected ... but you could also have been "infected" with something else that changed your system settings, and was not in the anti-virus database as a known "virus" ... again, not all bad things are considered virii ...

Yes, I suspect something unknown. I am not focused on the blaster in and of itself, it is just a very small part of a much larger pattern I have been studying over a period of months now.

Your last question "what else could cause the message" I tried to answer with the Google search on your error message ...

I read 3 pages of links and intend to go back and search some more but I have seen nothing yet that I did not already know.

If no one else has posted that it came from anything other than the RPC exploit via the ms-blaster, then I'm kind of left that you're looking down a long, lonely country road at this point

again, I am not really interested in the blaster, I truly believe that it is not the culprit. The settings change you mentioned earlier is a thought I had not had and it is a much appreciated insight. It has been a long country road for many months now but I love games and I love mysteries even more and I cannot stand to not know the ending. Believe it or not I have not even touched 98% of the total story within this forum. Aren't you glad I am not the talkative type (rofl).

If one runs a search on a topic and then takes a link from the search results to the website and Microsoft's Word Processor attempts to connect to the web on its own (stopped by a firewall of course) what would be a few of the reasons for this?

And I forgot, I did have the Windows XP firewall enabled on the wiped computer. I hate those stupid pop-ups and it does a good job of stopping that particular type. I had heard that this particular firewall is nearly useless to so many things so I have never factored it into the equation.

I tried to do the multiple quote thing, I still don't quite get it, apologies if I did not do it correctly.


ohhh, I think I know where I messed up in the quote thing, sorry again I messed it up

and Bingo WB8, you just confirmed a long held suspicion on several fronts, thanks

Edited by Bri

The only reason I discounted this is because the Steno software only worked bmp to gif

another item I only offered as an example, not your specific solution ...

again, I am not really interested in the blaster,

Google search I provided was not for "msblaster" .. it was your "message pop-up content" .. that the Google results are all pointed to msblaster is not my fault.

Believe it or not I have not even touched 98% of the total story within this forum. Aren't you glad I am not the talkative type (rofl).

perhaps this is why answering your questions has been so hard thus far ..??

Actually, I keep waiting for the hammer to come down, as this is so far away from "help with the SpamCop reporting tools"

If one runs a search on a topic and then takes a link from the search results to the website and Microsoft's Word Processor attempts to connect to the web on its own (stopped by a firewall of course) what would be a few of the reasons for this?

first obvious is that you clicked on a link that went to a ".DOC" file, which would have invoked Word to read it, (filling the gaps on your system configuration.) .. just as going to a ".PDF" file would try to invoke Adobe's Acrobat Reader program (again, another generalized statement)

Edited by Wazoo


I apologize again, I have already admitted before I believed I was in the wrong help section but no-one told me I should stop or move so I remained in the thread I started as it pertains to the original reason I asked for help. I also apologize for not having a question that is simply answered, I would again thank all that raised many points that have been extremely helpful.

I do not need to be told twice to hush, in fact, I would have dropped the thread if no one had answered for any future references ;-)


Nobody said "hush" ... if you think that there's anything anyone else can offer, I'll just make a note to JeffG to move all this over to the Lounge ... thereby taking it out of this Specific Forum ... you just need to tie down the issue you say you've been investigating for a year, so we don't keep missing the mark on questions and answers ....


I have now split the Topic into one about "Troubleshooting Bri's PC".

Edited by JeffG

