Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Auto Shutdown... Virus?

Posted on 2003-11-26
Medium Priority
Last Modified: 2012-05-04

I seem to remember reading this somewhere, but im not sure where. I think it is a virus that will keep shutting down your machine with an error message, but which one???!!! Any help appreciated!
Question by:qwertykeyboard
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 49

Accepted Solution

sunray_2003 earned 200 total points
ID: 9825533
Dear qwertykeyboard,

MS Blaster

LVL 49

Expert Comment

ID: 9825541
Well there could be many but the latest I know is MS Blaster


Expert Comment

ID: 9825557
You'll need all the securty updates for windows - if you want to stop the shutdown go to run type shutdown -a  in the run dialog box when it appears. Check symantec's website for a removal tool as well.
What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

LVL 57

Expert Comment

by:Pete Long
ID: 9825566
Hi qwertykeyboard,
"svchost.exe" errors with RPC messeges and reboots


"NT Authority...shut down in 1 min"

Soundslike youve got the "Blaster Worm"

This is the hole it exploits
Your computer is being accessed. Download the MS03-026 patch from Microsoft.

Fixes Available here

More Links

Automatically Remoce the Virus with

Download and run it, it will create a directory called SOPHTEMP

From Command line type


How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the 'End Process' (in Windows 95/98/Me 'End Task') button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:

in the righthand pane select

windows auto update = msblast.exe

and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.

Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.

How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.

My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the required patches and files from being downloaded.

On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.

To do this:

go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click 'Change settings of this connection'
click Advanced
click 'Protect my computer.....'
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

Select Start|Run and type
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect 'Enable distributed COM', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Windows NT/2000

Select Start|Run and type
Select the Default Properties tab.
Deselect 'Enable distributed COM on this computer', click Apply then click OK.
Restart the computer.i
Set the options back to normal after applying relevant patches



Expert Comment

ID: 9825625

useful article related to the above

Expert Comment

ID: 9828745
Here's a little tip for stopping the shutdown.  Its definately not a permanant fix but a temporary one at least.  When the shutdown beings open a command prompt and type shutdown -a.  This will abort the shutdown.  Start-->Run-->cmd-->shutdown -a.

Just a tip

Expert Comment

ID: 10168963
I've encountered the same problem.  It turned out to be a computer virus named Lovesan or Blaster.  There are several options to avoid system shutdown until you can resolve the virus problem.
1.  Got to Start->Control Panel->Administrative Tools->Services->Remote Procedure Call(RPC)->Recovery Tab and choose "Take No Action" for all three choices
You can to to Start->Run, type in shutdown/a, and press Enter
Change the system time back by several hours
Disconnect from the Internet.

Another removal option is:
1. Delete msblast.exe(usually found at c:\windows\system32\msblast.exe)
2. Delete the Windows Registry key: "HKEY_LOCAL_MACHINE\Software\Micorsoft\Windows\CurrentVersion\Run\windows auto update" containing the "msblast.exe".  This is what causes the virus to start on reboot. To edit the Registry, go to Start->Run and put in "regedit"

Hope this helps you. Worked for me.

Expert Comment

ID: 10189637
Hi qwertykeyboard,

"svchost.exe" errors Or RPC messeges and reboots show that your system is infected by blaster virus.

I had the same problem on my network in a xp machine which was outside of the firewall.
To remove this problem,  Log in as administrator, Install all the security updates on your system from the microsoft site.
        {start-> window updates}

 Download the MS03-026 patch from Microsoft.

However, I have experienced that this patch will only execute if you have the required security updates installed. Therefore it is good to install security updates before you install the patch.


Expert Comment

ID: 10214827
Are you error-ing in your browser and getting a shutdown??

If so go to :

My Computer - rightclick(properties), Advanced (tab), Startup and Recovery

Untick the 'Automatically Reboot' checkbox under System Failure.

I had this the other day. Could be this with you too.

Expert Comment

ID: 10455679
If this is a spontaneous reboot I guess you have ruled out cpu overheating.  If computer reboots by itself see
If not please ignore.

Expert Comment

ID: 10557758
I had this exact same problem last week after doing a hard recovery, before I could get my Windows critical updates and NIS program re-installed.  It was the W32.Welchia Worm, which was cleaned after running the removal tool found here....

Expert Comment

ID: 11423563
also you dont have to fix this problem. when auto shutdown counter starts,
shutdown -a
this will cancel shutdwon process.

Expert Comment

ID: 11433819
hi sinacetiner,

this only cancel the shutdown at once only.


Expert Comment

ID: 24410869
I have the same problem , but when  i start windows i just see the shutdown timer for only 2 seconds , so how i can stop shutdown process .. i tried to login safe mode , but could't ...

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disclosure: Use this tutorial only when no other options helps to get Windows XP running without any problems and you don't want to format the drive. The back up of the data is the responsible of the user, however there is a description of how t…
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question