Having shutdown problems-- [Archive] - FreeConservatives



dajoga
12-29-2005, 03:53 PM
It started some time ago with an occasional "illegal operation" box. I'd just click on "close" and then shutdown finished.

Then a couple of nights ago, the same box appeared but I couldn't get it to go away--clicked on it a dozen times. So I pulled the plug to shut off. Next morn startup showed "shutdown not complete" and ScanDisk runs to check for problems.

Last night at SD, "illegal operation" again plus a box called "NSPR:Event Receiver" with three options: Wait--End Task--Cancel. I clicked on ET but that locked me up tight. Soooo...pulled the plug. This morning when I turned the juice on my machine started right up but with the "improper SD" screen.

Dell PII @ 700; 98SE; 512 RAM (I think); ran my virus and ad-ware programs and found nothing--haven't run Spybot though.

Just did the Ctrl-Alt-Del and the NSPR is not there now.

Any ideas?

Pendragon_6
12-29-2005, 04:04 PM
Try System Restore. Restore to a point before the problem arose. Let us know if that worked.

dajoga
12-29-2005, 04:31 PM
Try System Restore. Restore to a point before the problem arose. Let us know if that worked.

Hmmm...on the MS help I found System files: restoring---is that it?

SmellyFed
12-29-2005, 04:39 PM
Restoring system files is a good step - if you haven't defragged in a while, you should run that as well.

DoctorDoom
12-29-2005, 04:48 PM
98/98SE were notorious for shutdown difficulties. From Microsoft:

Windows 98 Second Edition Shutdown Supplement (http://www.microsoft.com/windows98/downloads/contents/WURecommended/S_WUFeatured/Win98SE/Default.asp)

BTW, System Restore started with Windows Me. You don't have it. About all 98SE offered was System File Checker that allowed restoring corrupted files from the CD.

Charity
12-29-2005, 05:08 PM
Yep I had that same problem on my old laptop. Soooo glad I got a new one for Christmas :-)

Pendragon_6
12-29-2005, 05:34 PM
BTW, System Restore started with Windows Me. You don't have it. About all 98SE offered was System File Checker that allowed restoring corrupted files from the CD.__Doctor Doom

That's why you're the man. :)

RayChuang
12-29-2005, 07:48 PM
This is a good reason why I run Windows XP Professional (Service Pack 2) on my current computer, despite the fact I had to shell out US$140 for an OEM copy of the program. :thumb:

Windows XP handles errors FAR more gracefully than previous versions of Windows, that's to be sure.

USPatriot8320
12-29-2005, 07:53 PM
I've always had good luck with windows XP, even given my current problems which seem to be a RAM problem... XP def runs more smoothly than other win versions... Remember 3.1 hehehe

DoctorDoom
12-30-2005, 07:02 PM
Windows XP handles errors FAR more gracefully than previous versions of Windows, that's to be sure.

Me was the last version of Windows that was based on the 9x kernel (the core of the operating system that interfaces software and hardware), and was essentially an upgrade of 98SE. The major change was finally eliminating the DOS "real mode" operation. From Me on, the Command Prompt option replaced pure DOS. Because programs could no longer run in real mode with the inevitable conflicts, the system was inherently more stable.

2000 and XP use the NT kernel, and XP eliminated the 16/32-bit kernel in favor of pure 32-bit. It also alleviated the infamous "DLL hell" (http://www.desaware.com/tech/dllhell.aspx) that plagued earlier (9x) versions.

As Ray noted, XP is far more user-friendly with errors and crashes. XP runs each program in its own space. Because a program plays in its own sandbox, if it takes a dump, it goes down by itself rather than blue-screening the machine and losing everything. Once in a great while XP has a brain fart, but it's a rare occurrence.

DoctorDoom
12-30-2005, 07:14 PM
Remember 3.1 hehehe

Yep. I used it. Essentially it was a Graphical User Interface (aka GUI) for DOS 6.22, to eliminate the DOS command line (e.g., C:\>copy filename.txt C:\storage). 3.1/3.11 (and the Workgroups versions with networking) were primitive by today's standards (ala Atari games vs xBox), but they were a blessing when they came out.

dajoga
01-01-2006, 05:45 AM
I got this email from my ISP last Thur--this may be my problem:


Valued *.Net Customer,
This afternoon, a new '0-day' (meaning brand new and previously unknown)
exploit was announced by several major antivirus companies.

In short: it's possible to put a virus into a kind of image file (a "Windows
MetaFile" or WMF) that shouldn't normally be able to have a virus in it. You
can get infected just by *looking* at an otherwise normal image or webpage
with vulnerable software, such as Internet Explorer for Windows. Even a
1 by 1 pixel transparent GIF can carry the malicious code.

Security advisories:

http://www.microsoft.com/technet/security/advisory/912840.mspx
http://secunia.com/advisories/18255/
http://www.securityfocus.com/bid/16074/

The payload seems to be some sort of spyware. If you observe a new program that
just showed up on your PC called "SpyAxe", or if you notice a red X in your
Taskbar, you may be infected. Some versions of this exploit may actually
disable the Task Manager, so that you cannot end task. Sometimes, an access
of this file will spontaneously trigger the Windows Picture and Fax viewer;
if you observe that program starting to open, that's a red flag indicating
possible infection.

** Internet Explorer ** is extremely vulnerable to this exploit.

Mozilla / Firefox / Opera are not vulnerable from 'infection on viewing', but
if you 'save as' this file with one of these browsers, you can get infected.

Also, Google Desktop automagically indexes all files on computers, and it
will trigger any exploits hidden in a file that has been saved to the
computer. Disabling Google Desktop for the time being is a good idea, no
matter what the browser.

Anti-Virus (AV) companies are rolling out fixes today as they can manage. This
exploit may be tricky and may circumvent some protections in major AV
software such as McAfee or Norton AV. ClamAV and AVG are being mentioned a
lot as solid defenses against this new exploit.

Visit http://free.grisoft.com/ to download AVG - free for personal use.

Arkansas.Net is providing this information as a courtesy to its customers.
However, we are not an anti-virus software vendor nor are we staffed to
repair virus infections on personal computers. You are encouraged
to keep your system secure by always running Microsoft Updates in a timely
manner and by installing and maintaining a good anti-virus program such as
AVG anti-virus - http://free.grisoft.com

If you have any questions or comments please e-mail support@*.net

DoctorDoom
01-01-2006, 01:00 PM
Fascinating. The fact that the exploit exists does not mean that anyone has made use of it, much less that anyone has been exposed to it, but safe is infinitely better than sorry.

RayChuang
01-02-2006, 10:46 AM
I got this email from my ISP last Thur--this may be my problem:

That email is why I run the current version of AVG Anti-Virus Free Edition--that program works very well on tracking and stamping out viruses. :thumb:

Beowulf
01-02-2006, 11:42 AM
That email is why I run the current version of AVG Anti-Virus Free Edition--that program works very well on tracking and stamping out viruses. :thumb:

Very true, Ray. AVG is a great anti-virus program and it is free, self-updating and you don't have to re-boot for the changes to take effect. Only once has that been required.

I too had a shut-down problem on XP Pro for a while. Turns out my puter shut itself down due to overheating. I added a dab of heat transfer gel between the CPU and the cooling assembly and the problem is solved.

Rhino
01-04-2006, 06:39 AM
Antivirus won't really help you with the WMF problem because it isn't a virus, worm or trojan at all. It's a flaw in Windows that allows remote or embedded code execution. All your antivirus can do is detect the signature and warn you that it's happening in some rare instances. It can't really stop it from happening because the code itself can be anything and can be changed in seconds by whoever wrote it. Basically it's an open window into your system at this point. Microsoft plans to release an official patch for this on the 10th, but an unofficial patch that has been fully regression tested is available now as a .msi installer at http://isc.sans.org/diary.php?storyid=1010. There's also a very good discussion of this issue at http://www.isc.sans.org/diary.php?date=2006-01-03.

Rhino
01-05-2006, 01:54 PM
It gets even better. Some real genius delinquent developed a little utility that can be used to drop whatever malicious code a person wants into a WMF exploit in a few seconds with a couple of clicks and a command line entry, with no prior skill or knowledge required. Hacking For Dummies: 101. They think that's why so many exploits showed up so quickly in the last 48 hours, and they expect it to get much worse. I blame Microsoft, partially because they've just sat on their butts while this has happened even though they've long known of the problem and even though any idiot could have predicted this would happen if they did nothing, and partially because it's just plain fun to blame Microsoft sometimes. Must be my mean streak. But I have to say that this kind of thing happens every time there is an unpatched vulnerability and they just seem to sit back and watch the fireworks. If they don't respond, the hackers do, and I'm amazed they're apparently too stupid to realize that.

Rhino
01-05-2006, 08:11 PM
Maybe they read my post, cuz they just released a patch. Go here:

http://go.microsoft.com/fwlink/?LinkId=58471

DoctorDoom
01-05-2006, 08:33 PM
The link to the security bulletin is also in this thread (http://www.freeconservatives.com/vb/showthread.php?p=368902#post368902). It includes links to the download pages for the various Windows versions. It will be pinned for now.

dajoga
01-07-2006, 07:05 AM
The payload seems to be some sort of spyware. If you observe a new program that

I ran my Spybot and cleaned out some things and since I've not had a problem with shut down. FWIW

USPatriot8320
01-07-2006, 10:22 AM
In order for this exploit to be used against someone's comp do they have to download an attachment or anything of the such? Or can a hacker just find you and download spyware or a worm, etc. to your comp?

DoctorDoom
01-07-2006, 01:45 PM
Once the exploit is accomplished, they have access to the computer and can do what they want with it.

Executive Summary:

This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

Note: This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

[snip]

Vulnerability Details

Graphics Rendering Engine Vulnerability - CVE-2005-4560:

A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Mitigating Factors for Graphics Rendering Engine Vulnerability - CVE-2005-4560:

• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. Also, Web sites that accept or host user-provided content or advertisements, and compromised Web sites, may contain malicious content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger request that takes users to the attacker's Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919) (http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx)

CVE reference: CVE-2005-4560


Description:
A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file).

The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif", ".tif", and ".png" etc.

The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows 2000, Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are also affected.

Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution (http://secunia.com/advisories/18255/)

Exploits for the Windows Metafile vulnerability are coming 'fast and furious', say experts, as businesses are warned to educate their users

Hackers are stepping up their attempts to exploit the WMF vulnerability that was discovered within Microsoft Windows last year, experts warned on Tuesday.

Security experts say the vulnerability is potentially very dangerous as conventional antivirus software and IDS signatures do not recognise malicious code that exploits it.

Exploit code is hidden within seemingly normal JPEG, GIF, or Bitmap files which can be spread through emails or instant messages. These files can also be embedded within a Web page, and security vendor Websense has warned that users need only visit a compromised or fake website to be attacked.

"The sites number in the hundreds, and they're still coming out fast and furious," said Dan Hubbard, senior director of security and research at Websense. "The potential for a major outbreak is there. There's no patch from Microsoft, and there are a number of kits online that allow easy exploit building."

Hackers take advantage of Windows WMF flaw (http://news.zdnet.co.uk/internet/security/0,39020375,39245555,00.htm)

This isn't a "Gee, will I find the time to get around to it?" type thing. If one is running XP, it's a "DO IT NOW!" necessity.

timeout
01-07-2006, 10:57 PM
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

The ms patch is now available, but not an auto update.

stat

Rhino
01-12-2006, 11:02 AM
The ms patch is now available, but not an auto update.
It is now. It came out with the regular January updates that were released yesterday.