Solved

Auto Shutdown... Virus?

Posted on 2003-11-26
14
115,930 Views
Last Modified: 2012-05-04
Ok,

I seem to remember reading this somewhere, but im not sure where. I think it is a virus that will keep shutting down your machine with an error message, but which one???!!! Any help appreciated!
0
Comment
Question by:qwertykeyboard
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
14 Comments
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 50 total points
ID: 9825533
Dear qwertykeyboard,

MS Blaster

Thanks,
Sunray
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9825541
Well there could be many but the latest I know is MS Blaster

Sunray
0
 
LVL 3

Expert Comment

by:StealthMullet
ID: 9825557
You'll need all the securty updates for windows - if you want to stop the shutdown go to run type shutdown -a  in the run dialog box when it appears. Check symantec's website for a removal tool as well.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 57

Expert Comment

by:Pete Long
ID: 9825566
Hi qwertykeyboard,
"svchost.exe" errors with RPC messeges and reboots

OR

"NT Authority...shut down in 1 min"

Soundslike youve got the "Blaster Worm"
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


This is the hole it exploits
Your computer is being accessed. Download the MS03-026 patch from Microsoft.
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Fixes Available here
http://support.microsoft.com/?kbid=823980

More Links
http://www.cert.org/advisories/CA-2003-19.html

Automatically Remoce the Virus with

http://www.sophos.com/misc/blastsfx.exe

Download and run it, it will create a directory called SOPHTEMP

From Command line type

C:\SOPHTEMP\RESOLVE.COM -DF=BLASTERA.DAT -NOC

How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the 'End Process' (in Windows 95/98/Me 'End Task') button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

in the righthand pane select

windows auto update = msblast.exe

and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.


Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.



How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.

My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the required patches and files from being downloaded.

On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.

To do this:

go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click 'Change settings of this connection'
click Advanced
click 'Protect my computer.....'
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

Select Start|Run and type
dcomcnfg.exe.
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect 'Enable distributed COM', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Windows NT/2000

Select Start|Run and type
dcomcnfg.exe.
Select the Default Properties tab.
Deselect 'Enable distributed COM on this computer', click Apply then click OK.
Restart the computer.i
Set the options back to normal after applying relevant patches

From http://www.sophos.com/support/disinfection/blastera.html

Cheers!
0
 
LVL 3

Expert Comment

by:StealthMullet
ID: 9825625
http://www.pcsympathy.com/article161.html

useful article related to the above
0
 

Expert Comment

by:stevecuccia
ID: 9828745
Here's a little tip for stopping the shutdown.  Its definately not a permanant fix but a temporary one at least.  When the shutdown beings open a command prompt and type shutdown -a.  This will abort the shutdown.  Start-->Run-->cmd-->shutdown -a.

Just a tip
0
 

Expert Comment

by:digid50
ID: 10168963
I've encountered the same problem.  It turned out to be a computer virus named Lovesan or Blaster.  There are several options to avoid system shutdown until you can resolve the virus problem.
1.  Got to Start->Control Panel->Administrative Tools->Services->Remote Procedure Call(RPC)->Recovery Tab and choose "Take No Action" for all three choices
You can to to Start->Run, type in shutdown/a, and press Enter
Change the system time back by several hours
Disconnect from the Internet.

Another removal option is:
1. Delete msblast.exe(usually found at c:\windows\system32\msblast.exe)
2. Delete the Windows Registry key: "HKEY_LOCAL_MACHINE\Software\Micorsoft\Windows\CurrentVersion\Run\windows auto update" containing the "msblast.exe".  This is what causes the virus to start on reboot. To edit the Registry, go to Start->Run and put in "regedit"

Hope this helps you. Worked for me.
0
 
LVL 2

Expert Comment

by:nrip_cheema
ID: 10189637
Hi qwertykeyboard,

"svchost.exe" errors Or RPC messeges and reboots show that your system is infected by blaster virus.

I had the same problem on my network in a xp machine which was outside of the firewall.
To remove this problem,  Log in as administrator, Install all the security updates on your system from the microsoft site.
        {start-> window updates}

 Download the MS03-026 patch from Microsoft.
          http://www.microsoft.com/security/security_bulletins/ms03-026.asp

However, I have experienced that this patch will only execute if you have the required security updates installed. Therefore it is good to install security updates before you install the patch.

Regards
0
 

Expert Comment

by:mikkydoos
ID: 10214827
Are you error-ing in your browser and getting a shutdown??


If so go to :

My Computer - rightclick(properties), Advanced (tab), Startup and Recovery

Untick the 'Automatically Reboot' checkbox under System Failure.

I had this the other day. Could be this with you too.
0
 

Expert Comment

by:rhg1
ID: 10455679
If this is a spontaneous reboot I guess you have ruled out cpu overheating.  If computer reboots by itself see
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20894067.html
If not please ignore.
rhg1
0
 

Expert Comment

by:katnap
ID: 10557758
I had this exact same problem last week after doing a hard recovery, before I could get my Windows critical updates and NIS program re-installed.  It was the W32.Welchia Worm, which was cleaned after running the removal tool found here....  http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
0
 

Expert Comment

by:sinacetiner
ID: 11423563
also you dont have to fix this problem. when auto shutdown counter starts,
start/run
shutdown -a
this will cancel shutdwon process.
0
 
LVL 1

Expert Comment

by:daniellyh
ID: 11433819
hi sinacetiner,

this only cancel the shutdown at once only.

daniel
0
 

Expert Comment

by:belals
ID: 24410869
I have the same problem , but when  i start windows i just see the shutdown timer for only 2 seconds , so how i can stop shutdown process .. i tried to login safe mode , but could't ...
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you build your web application in Visual Studio you'll get at least a few binaries, or .DLL, files in your bin folder. However, there is more compiling to be done. Normally this would happen when an ASP.NET resource within the web site is request…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question