Auto Shutdown... Virus?

Posted on 2003-11-26
Last Modified: 2012-05-04

I seem to remember reading this somewhere, but im not sure where. I think it is a virus that will keep shutting down your machine with an error message, but which one???!!! Any help appreciated!
Question by:qwertykeyboard
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 49

Accepted Solution

sunray_2003 earned 50 total points
ID: 9825533
Dear qwertykeyboard,

MS Blaster

LVL 49

Expert Comment

ID: 9825541
Well there could be many but the latest I know is MS Blaster


Expert Comment

ID: 9825557
You'll need all the securty updates for windows - if you want to stop the shutdown go to run type shutdown -a  in the run dialog box when it appears. Check symantec's website for a removal tool as well.
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

LVL 57

Expert Comment

by:Pete Long
ID: 9825566
Hi qwertykeyboard,
"svchost.exe" errors with RPC messeges and reboots


"NT Authority...shut down in 1 min"

Soundslike youve got the "Blaster Worm"

This is the hole it exploits
Your computer is being accessed. Download the MS03-026 patch from Microsoft.

Fixes Available here

More Links

Automatically Remoce the Virus with

Download and run it, it will create a directory called SOPHTEMP

From Command line type


How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the 'End Process' (in Windows 95/98/Me 'End Task') button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:

in the righthand pane select

windows auto update = msblast.exe

and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.

Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.

How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.

My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the required patches and files from being downloaded.

On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.

To do this:

go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click 'Change settings of this connection'
click Advanced
click 'Protect my computer.....'
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

Select Start|Run and type
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect 'Enable distributed COM', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Windows NT/2000

Select Start|Run and type
Select the Default Properties tab.
Deselect 'Enable distributed COM on this computer', click Apply then click OK.
Restart the computer.i
Set the options back to normal after applying relevant patches



Expert Comment

ID: 9825625

useful article related to the above

Expert Comment

ID: 9828745
Here's a little tip for stopping the shutdown.  Its definately not a permanant fix but a temporary one at least.  When the shutdown beings open a command prompt and type shutdown -a.  This will abort the shutdown.  Start-->Run-->cmd-->shutdown -a.

Just a tip

Expert Comment

ID: 10168963
I've encountered the same problem.  It turned out to be a computer virus named Lovesan or Blaster.  There are several options to avoid system shutdown until you can resolve the virus problem.
1.  Got to Start->Control Panel->Administrative Tools->Services->Remote Procedure Call(RPC)->Recovery Tab and choose "Take No Action" for all three choices
You can to to Start->Run, type in shutdown/a, and press Enter
Change the system time back by several hours
Disconnect from the Internet.

Another removal option is:
1. Delete msblast.exe(usually found at c:\windows\system32\msblast.exe)
2. Delete the Windows Registry key: "HKEY_LOCAL_MACHINE\Software\Micorsoft\Windows\CurrentVersion\Run\windows auto update" containing the "msblast.exe".  This is what causes the virus to start on reboot. To edit the Registry, go to Start->Run and put in "regedit"

Hope this helps you. Worked for me.

Expert Comment

ID: 10189637
Hi qwertykeyboard,

"svchost.exe" errors Or RPC messeges and reboots show that your system is infected by blaster virus.

I had the same problem on my network in a xp machine which was outside of the firewall.
To remove this problem,  Log in as administrator, Install all the security updates on your system from the microsoft site.
        {start-> window updates}

 Download the MS03-026 patch from Microsoft.

However, I have experienced that this patch will only execute if you have the required security updates installed. Therefore it is good to install security updates before you install the patch.


Expert Comment

ID: 10214827
Are you error-ing in your browser and getting a shutdown??

If so go to :

My Computer - rightclick(properties), Advanced (tab), Startup and Recovery

Untick the 'Automatically Reboot' checkbox under System Failure.

I had this the other day. Could be this with you too.

Expert Comment

ID: 10455679
If this is a spontaneous reboot I guess you have ruled out cpu overheating.  If computer reboots by itself see
If not please ignore.

Expert Comment

ID: 10557758
I had this exact same problem last week after doing a hard recovery, before I could get my Windows critical updates and NIS program re-installed.  It was the W32.Welchia Worm, which was cleaned after running the removal tool found here....

Expert Comment

ID: 11423563
also you dont have to fix this problem. when auto shutdown counter starts,
shutdown -a
this will cancel shutdwon process.

Expert Comment

ID: 11433819
hi sinacetiner,

this only cancel the shutdown at once only.


Expert Comment

ID: 24410869
I have the same problem , but when  i start windows i just see the shutdown timer for only 2 seconds , so how i can stop shutdown process .. i tried to login safe mode , but could't ...

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are 2 things you must have in order to connect to the internet behind a router, The "Gateway IP" of the router, which is usually something like, I've seen routers with default values of:,,, …
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question