Solved

Auto Shutdown... Virus?

Posted on 2003-11-26
14
115,913 Views
Last Modified: 2012-05-04
Ok,

I seem to remember reading this somewhere, but im not sure where. I think it is a virus that will keep shutting down your machine with an error message, but which one???!!! Any help appreciated!
0
Comment
Question by:qwertykeyboard
14 Comments
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 50 total points
ID: 9825533
Dear qwertykeyboard,

MS Blaster

Thanks,
Sunray
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9825541
Well there could be many but the latest I know is MS Blaster

Sunray
0
 
LVL 3

Expert Comment

by:StealthMullet
ID: 9825557
You'll need all the securty updates for windows - if you want to stop the shutdown go to run type shutdown -a  in the run dialog box when it appears. Check symantec's website for a removal tool as well.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9825566
Hi qwertykeyboard,
"svchost.exe" errors with RPC messeges and reboots

OR

"NT Authority...shut down in 1 min"

Soundslike youve got the "Blaster Worm"
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


This is the hole it exploits
Your computer is being accessed. Download the MS03-026 patch from Microsoft.
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Fixes Available here
http://support.microsoft.com/?kbid=823980

More Links
http://www.cert.org/advisories/CA-2003-19.html

Automatically Remoce the Virus with

http://www.sophos.com/misc/blastsfx.exe

Download and run it, it will create a directory called SOPHTEMP

From Command line type

C:\SOPHTEMP\RESOLVE.COM -DF=BLASTERA.DAT -NOC

How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the 'End Process' (in Windows 95/98/Me 'End Task') button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

in the righthand pane select

windows auto update = msblast.exe

and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.


Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.



How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.

My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the required patches and files from being downloaded.

On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.

To do this:

go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click 'Change settings of this connection'
click Advanced
click 'Protect my computer.....'
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

Select Start|Run and type
dcomcnfg.exe.
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect 'Enable distributed COM', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Windows NT/2000

Select Start|Run and type
dcomcnfg.exe.
Select the Default Properties tab.
Deselect 'Enable distributed COM on this computer', click Apply then click OK.
Restart the computer.i
Set the options back to normal after applying relevant patches

From http://www.sophos.com/support/disinfection/blastera.html

Cheers!
0
 
LVL 3

Expert Comment

by:StealthMullet
ID: 9825625
http://www.pcsympathy.com/article161.html

useful article related to the above
0
 

Expert Comment

by:stevecuccia
ID: 9828745
Here's a little tip for stopping the shutdown.  Its definately not a permanant fix but a temporary one at least.  When the shutdown beings open a command prompt and type shutdown -a.  This will abort the shutdown.  Start-->Run-->cmd-->shutdown -a.

Just a tip
0
 

Expert Comment

by:digid50
ID: 10168963
I've encountered the same problem.  It turned out to be a computer virus named Lovesan or Blaster.  There are several options to avoid system shutdown until you can resolve the virus problem.
1.  Got to Start->Control Panel->Administrative Tools->Services->Remote Procedure Call(RPC)->Recovery Tab and choose "Take No Action" for all three choices
You can to to Start->Run, type in shutdown/a, and press Enter
Change the system time back by several hours
Disconnect from the Internet.

Another removal option is:
1. Delete msblast.exe(usually found at c:\windows\system32\msblast.exe)
2. Delete the Windows Registry key: "HKEY_LOCAL_MACHINE\Software\Micorsoft\Windows\CurrentVersion\Run\windows auto update" containing the "msblast.exe".  This is what causes the virus to start on reboot. To edit the Registry, go to Start->Run and put in "regedit"

Hope this helps you. Worked for me.
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 2

Expert Comment

by:nrip_cheema
ID: 10189637
Hi qwertykeyboard,

"svchost.exe" errors Or RPC messeges and reboots show that your system is infected by blaster virus.

I had the same problem on my network in a xp machine which was outside of the firewall.
To remove this problem,  Log in as administrator, Install all the security updates on your system from the microsoft site.
        {start-> window updates}

 Download the MS03-026 patch from Microsoft.
          http://www.microsoft.com/security/security_bulletins/ms03-026.asp

However, I have experienced that this patch will only execute if you have the required security updates installed. Therefore it is good to install security updates before you install the patch.

Regards
0
 

Expert Comment

by:mikkydoos
ID: 10214827
Are you error-ing in your browser and getting a shutdown??


If so go to :

My Computer - rightclick(properties), Advanced (tab), Startup and Recovery

Untick the 'Automatically Reboot' checkbox under System Failure.

I had this the other day. Could be this with you too.
0
 

Expert Comment

by:rhg1
ID: 10455679
If this is a spontaneous reboot I guess you have ruled out cpu overheating.  If computer reboots by itself see
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20894067.html
If not please ignore.
rhg1
0
 

Expert Comment

by:katnap
ID: 10557758
I had this exact same problem last week after doing a hard recovery, before I could get my Windows critical updates and NIS program re-installed.  It was the W32.Welchia Worm, which was cleaned after running the removal tool found here....  http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
0
 

Expert Comment

by:sinacetiner
ID: 11423563
also you dont have to fix this problem. when auto shutdown counter starts,
start/run
shutdown -a
this will cancel shutdwon process.
0
 
LVL 1

Expert Comment

by:daniellyh
ID: 11433819
hi sinacetiner,

this only cancel the shutdown at once only.

daniel
0
 

Expert Comment

by:belals
ID: 24410869
I have the same problem , but when  i start windows i just see the shutdown timer for only 2 seconds , so how i can stop shutdown process .. i tried to login safe mode , but could't ...
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Most of the time we are in fix when all of sudden our systems behave weirdly.  Such problems cost time and effort... so it's best to take some preventive actions so that we can avoid such issues or overcome such problems more easily. Preventive M…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now