Computer shutdown

Old 24th Jan 2010, 05:22
#1
Thread Starter
 
Join Date: Sep 2004
Location: Australia
Posts: 11
Likes: 0
Received 0 Likes on 0 Posts
Computer shutdown

New to this forum.

For the second time in just a few days, a window has appeared telling me that a "shutdown has been ordered by the NT AUTHORITY\SYSTEM. DCOM Server Process Launcher terminated unexpectedly" and gives me 60 seconds to save and close any programs I might have running.

Can anyone tell me what might be happening?

System XP Pro, sp3, etc etc.

a&dcat
a&dcat

Old 24th Jan 2010, 06:49
#2
 
Join Date: Mar 2006
Location: Chez Sprog
Posts: 493
Likes: 0
Received 0 Likes on 0 Posts
You have a virus which is attempting to shut the system down before antivirus removes it. Just Google "NT AUTHORITY\SYSTEM. DCOM Server Process" for a host of solutions.
Sprogget

Old 24th Jan 2010, 06:54
#3
 
Join Date: May 2009
Location: Down Under somewhere not all that far from YPAD
Age: 79
Posts: 570
Received 14 Likes on 7 Posts
I haven't seen this myself, but a Google search on the error message you've quoted brings a variety of possible causes. The most commonly reported "cure" seems to come from a scan of the system for malware. I suggest you Google the error message and look at the options it canvasses where others have encountered the problem.

Apparently you can disable the one minute shutdown timer thusly:
When you see the timer, go to Start/Run, and type in "shutdown -a" (without quotes) and hit enter. This should disable the timer.
That should give you a little more time to see what options you can work through.

Good luck

FOR
FullOppositeRudder

Old 24th Jan 2010, 07:13
#4
 
Join Date: Dec 2005
Location: Wellington,NZ
Age: 66
Posts: 1,678
Received 10 Likes on 4 Posts
I suggest you try MBAM (free version.) Very good demand scanner/cleaner.

What AV, firewall, and browser do you use?
Tarq57

Old 24th Jan 2010, 22:08
#5
 
Join Date: Sep 2006
Location: South Oxfordshire
Posts: 637
Received 14 Likes on 9 Posts
When you see the timer, go to Start/Run, and type in "shutdown -a" (without quotes) and hit enter. This should disable the timer.
I think this should be "shutdown /a" rather than "shutdown -a".

Or is that just in the command prompt? I've never tried it direct from the Run box.
Blues&twos

Old 24th Jan 2010, 22:43
#6
Spoon PPRuNerist & Mad Inistrator
 
Join Date: Sep 2003
Location: Twickenham, home of rugby
Posts: 7,397
Received 265 Likes on 173 Posts
It is "shutdown -a".

SD
Saab Dastard

Old 25th Jan 2010, 00:02
#7
Thread Starter
 
Join Date: Sep 2004
Location: Australia
Posts: 11
Likes: 0
Received 0 Likes on 0 Posts
Computer shutdown

Thank you all for your suggestions.

I have Malwarebytes installed and ran its scanning yesterday. The computer even shut down in the middle of this process.

When I was able to get it to scan it showed 12 problems which I promptly deleted. Computer still shut down. It also reported it had blocked two IP addresses; I didn't recognise either. Any way of checking an IP address to see who/where it comes from?

I restarted on the Internet this morning. Within 15 minutes the computer shut down twice!

I then disconnected the internet connection.

I then scanned with MBAM for over an hour: NO shutdowns, NO errors either?

I downloaded Firefox 3.6 yesterday but I don't believe that this caused the problem as it was shutting down prior to this. I also use IE7.

I use ZA for firewall and AVG both fully paid for and registered.

Am about to reconnect to the internet. Will let you know what the result is.

a&dcat
a&dcat

Old 25th Jan 2010, 00:07
#8
 
Join Date: Dec 2005
Location: Wellington,NZ
Age: 66
Posts: 1,678
Received 10 Likes on 4 Posts
I understand the paid for version of AVG includes a firewall? If this is the case definitely check to make sure it is off, as it would conflict with ZA big time.
Any chance of seeing the MBAM scan report?
Tarq57

Old 25th Jan 2010, 00:08
#9
 
Join Date: Jan 2008
Location: The Land of Beer and Chocolate
Age: 56
Posts: 798
Likes: 0
Received 0 Likes on 0 Posts
Any way of checking an IP address to see who/where it comes from?
Whois - IP Address - Domain Name Lookup

Amongst others, there's a shedload of sites out there which will do the same thing, but they all use the whois database.
hellsbrink

Old 25th Jan 2010, 00:59
#10
Thread Starter
 
Join Date: Sep 2004
Location: Australia
Posts: 11
Likes: 0
Received 0 Likes on 0 Posts
MBAM report

Malwarebytes' Anti-Malware 1.44
Database version: 3623
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

24/01/2010 17:24:01
mbam-log-2010-01-24 (17-24-01).txt

Scan type: Quick Scan
Objects scanned: 126040
Time elapsed: 10 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\XXXXXXX XXXXXXX\My Documents\downloads\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\8.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\XXXXXXX XXXXXXX\Local Settings\Temp\~TM13.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\XXXXXXX XXXXXXX\Local Settings\Temp\~TM3D.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\XXXXXXX XXXXXXX\Local Settings\Temp\~TME.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Documents and Settings\XXXXXXX XXXXXXX\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.

a&dcat

Old 25th Jan 2010, 03:35
#11
 
Join Date: Dec 2005
Location: Wellington,NZ
Age: 66
Posts: 1,678
Received 10 Likes on 4 Posts
This is a trojan/backdoor usually installed using a rootkit. It's potentially serious, depending on the particular version, which I am not educated enough to deduce.
One of its assigned names is "banker trojan", another includes the title "infostealer", so it would be in your interests to change any passwords, especially to banking sites.


Check your AVG quarantine, also the firewall log of blocked connections. It is likely (hopefully) that the firewall should have prevented this thing from connecting outbound, unless you approved it.

I'd also run a disk cleanup using ATF Cleaner (this one runs from the folder it is downloaded to; no install required). Tick everything except "cookies" and "history" and run it by clicking "Empty Selected".

MBAM is usually pretty good at this sort of thing.
Reboot, update MBAM and run another quick scan; if anything malicious is found, please post back.
Tarq57

Old 25th Jan 2010, 05:23
#12
Thread Starter
 
Join Date: Sep 2004
Location: Australia
Posts: 11
Likes: 0
Received 0 Likes on 0 Posts
Computer shutdown

Hi Tarq57

So far, so good.

Computer running on the INET for 5 hours now and NO SHUTDOWN!!

Just ran the ATF program, no problems, updated MBAM and reran scan, no problems.

Looks like it might now be OK.

No logs on the firewall (ZA only). I do keep getting a message from MBAM telling me it has blocked the following: 91.212.226.60, an IP somewhere in Holland!

Will let you know if anything happens again.

Thanks for your help.

a&dcat
a&dcat

Old 25th Jan 2010, 05:40
#13
 
Join Date: Dec 2005
Location: Wellington,NZ
Age: 66
Posts: 1,678
Received 10 Likes on 4 Posts
That seems to be good news.
No guarantees, but on the face of it, with MBAM not detecting a repeat offender (this variant apparently sometimes re-installs itself despite cleaning) it would appear you're clean.

It appears you downloaded the trial of MBAM (the green download button rather than the blue free version) if it is blocking stuff. IIRC it is a one-time payment to purchase ongoing protection using this program once the trial is up.

I would consider hardening your system. The use of Firefox as a browser, with the NoScript and Adblock Plus extensions, would help hugely. IE is insecure, even the latest patched version of IE8. IE7 is even less secure.

Consider installing a Hosts File. It will need updating from time to time. It will block known bad sites.

Check your software is up to date with either an online (OSI) or installable (PSI) Software Inspector (free) from Secunia. I'll bet there is software that is out of date on board. Flash, Java and Adobe especially represent a big hole if left unpatched.

Go well.
Tarq57

Old 25th Jan 2010, 06:27
#14
Hippopotomonstrosesquipidelian title
 
Join Date: Oct 2006
Location: is everything
Posts: 1,826
Likes: 0
Received 0 Likes on 0 Posts
Actually, that IP seems to be in Russia, Luxembourg or China at the moment, and passes through the (in)famous as5577.net, probably hosting d45648675.cn. So if MBAM is actively blocking that address, your system may not be clean yet. Have you ever downloaded a scanner called Windows Protector?
Bushfiva

Old 25th Jan 2010, 08:36
#15

Official PPRuNe Chaplain
 
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Likes: 0
Received 0 Likes on 0 Posts
Er - 'scuse me butting in, but there are a couple of "Bad" entries in that MBAM log. I don't like having them, even if corralled. My inclination would be to run Regedit (all the usual caveats apply) and remove them altogether.

Totally concur with "Don't use IE, install Firefox with Adblock Plus and NoScript".
Keef
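An added Python example (mine, not from the thread or from Malwarebytes) that parses lines in the layout of the MBAM report posted above and pulls out whatever had been chained into the Winlogon\Userinit value, the "Bad" entry Keef is talking about. The sample lines are constructed in that report's format and reuse the poster's placeholder user path; the section and item regexes are assumptions about the 1.x log layout, not an official format.

```python
import re

# Constructed sample: lines in the layout of the MBAM 1.x report quoted in the
# thread (not the poster's full log; the user path is the poster's placeholder).
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\XXXXXXX XXXXXXX\Local Settings\Temp\~TM13.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# path (Family) -> [Bad: (old value) Good: (expected value) -> ] action.
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>.+?)\.?$"
)

def parse_mbam_log(text):
    """Return one dict per detected item, tagged with the section it sits in."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if not line or section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, **m.groupdict()})
    return items

def extra_userinit_entries(items):
    """List executables chained into Winlogon\\Userinit besides the legitimate userinit.exe."""
    extras = []
    for it in items:
        if it["family"] != "Hijack.Userinit" or not it["bad"]:
            continue
        for entry in it["bad"].split(","):
            name = entry.strip().rsplit("\\", 1)[-1].lower()
            if name and name != "userinit.exe":
                extras.append(entry.strip())
    return extras
```

Anything returned by extra_userinit_entries is a second program Windows would have launched at every logon, which is why a cleaned entry is still worth a look in Regedit.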
Old 25th Jan 2010, 17:21
#16
 
Join Date: Jan 2008
Location: The Land of Beer and Chocolate
Age: 56
Posts: 798
Likes: 0
Received 0 Likes on 0 Posts
Regarding all you really need to know about that IP address, lookee here:-

MalwareURL

Not going to post all that is on that link, suffice to say it is not a good deal to have your PC connecting to any of his addresses (91.212.226.0 - 255)
hellsbrink