Solved

Auto Shutdown... Virus?

Posted on 2003-11-26
14
115,917 Views
Last Modified: 2012-05-04
Ok,

I seem to remember reading this somewhere, but im not sure where. I think it is a virus that will keep shutting down your machine with an error message, but which one???!!! Any help appreciated!
0
Comment
Question by:qwertykeyboard
14 Comments
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 50 total points
ID: 9825533
Dear qwertykeyboard,

MS Blaster

Thanks,
Sunray
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9825541
Well there could be many but the latest I know is MS Blaster

Sunray
0
 
LVL 3

Expert Comment

by:StealthMullet
ID: 9825557
You'll need all the securty updates for windows - if you want to stop the shutdown go to run type shutdown -a  in the run dialog box when it appears. Check symantec's website for a removal tool as well.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9825566
Hi qwertykeyboard,
"svchost.exe" errors with RPC messeges and reboots

OR

"NT Authority...shut down in 1 min"

Soundslike youve got the "Blaster Worm"
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


This is the hole it exploits
Your computer is being accessed. Download the MS03-026 patch from Microsoft.
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Fixes Available here
http://support.microsoft.com/?kbid=823980

More Links
http://www.cert.org/advisories/CA-2003-19.html

Automatically Remoce the Virus with

http://www.sophos.com/misc/blastsfx.exe

Download and run it, it will create a directory called SOPHTEMP

From Command line type

C:\SOPHTEMP\RESOLVE.COM -DF=BLASTERA.DAT -NOC

How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the 'End Process' (in Windows 95/98/Me 'End Task') button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

in the righthand pane select

windows auto update = msblast.exe

and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.


Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.



How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.

My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the required patches and files from being downloaded.

On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.

To do this:

go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click 'Change settings of this connection'
click Advanced
click 'Protect my computer.....'
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

Select Start|Run and type
dcomcnfg.exe.
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect 'Enable distributed COM', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Windows NT/2000

Select Start|Run and type
dcomcnfg.exe.
Select the Default Properties tab.
Deselect 'Enable distributed COM on this computer', click Apply then click OK.
Restart the computer.i
Set the options back to normal after applying relevant patches

From http://www.sophos.com/support/disinfection/blastera.html

Cheers!
0
 
LVL 3

Expert Comment

by:StealthMullet
ID: 9825625
http://www.pcsympathy.com/article161.html

useful article related to the above
0
 

Expert Comment

by:stevecuccia
ID: 9828745
Here's a little tip for stopping the shutdown.  Its definately not a permanant fix but a temporary one at least.  When the shutdown beings open a command prompt and type shutdown -a.  This will abort the shutdown.  Start-->Run-->cmd-->shutdown -a.

Just a tip
0
 

Expert Comment

by:digid50
ID: 10168963
I've encountered the same problem.  It turned out to be a computer virus named Lovesan or Blaster.  There are several options to avoid system shutdown until you can resolve the virus problem.
1.  Got to Start->Control Panel->Administrative Tools->Services->Remote Procedure Call(RPC)->Recovery Tab and choose "Take No Action" for all three choices
You can to to Start->Run, type in shutdown/a, and press Enter
Change the system time back by several hours
Disconnect from the Internet.

Another removal option is:
1. Delete msblast.exe(usually found at c:\windows\system32\msblast.exe)
2. Delete the Windows Registry key: "HKEY_LOCAL_MACHINE\Software\Micorsoft\Windows\CurrentVersion\Run\windows auto update" containing the "msblast.exe".  This is what causes the virus to start on reboot. To edit the Registry, go to Start->Run and put in "regedit"

Hope this helps you. Worked for me.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 2

Expert Comment

by:nrip_cheema
ID: 10189637
Hi qwertykeyboard,

"svchost.exe" errors Or RPC messeges and reboots show that your system is infected by blaster virus.

I had the same problem on my network in a xp machine which was outside of the firewall.
To remove this problem,  Log in as administrator, Install all the security updates on your system from the microsoft site.
        {start-> window updates}

 Download the MS03-026 patch from Microsoft.
          http://www.microsoft.com/security/security_bulletins/ms03-026.asp

However, I have experienced that this patch will only execute if you have the required security updates installed. Therefore it is good to install security updates before you install the patch.

Regards
0
 

Expert Comment

by:mikkydoos
ID: 10214827
Are you error-ing in your browser and getting a shutdown??


If so go to :

My Computer - rightclick(properties), Advanced (tab), Startup and Recovery

Untick the 'Automatically Reboot' checkbox under System Failure.

I had this the other day. Could be this with you too.
0
 

Expert Comment

by:rhg1
ID: 10455679
If this is a spontaneous reboot I guess you have ruled out cpu overheating.  If computer reboots by itself see
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20894067.html
If not please ignore.
rhg1
0
 

Expert Comment

by:katnap
ID: 10557758
I had this exact same problem last week after doing a hard recovery, before I could get my Windows critical updates and NIS program re-installed.  It was the W32.Welchia Worm, which was cleaned after running the removal tool found here....  http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
0
 

Expert Comment

by:sinacetiner
ID: 11423563
also you dont have to fix this problem. when auto shutdown counter starts,
start/run
shutdown -a
this will cancel shutdwon process.
0
 
LVL 1

Expert Comment

by:daniellyh
ID: 11433819
hi sinacetiner,

this only cancel the shutdown at once only.

daniel
0
 

Expert Comment

by:belals
ID: 24410869
I have the same problem , but when  i start windows i just see the shutdown timer for only 2 seconds , so how i can stop shutdown process .. i tried to login safe mode , but could't ...
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Can you find a fax from a vendor you saved a decade ago in seconds? Have you ever cursed your PC under your breath during an audit because you couldn’t find the requested statement or driver history?  If you answered no to the first question or yes …
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now