PCs being shut down remotely
Posted on 2005-03-09
I have several PCs on my network that are shutting down with no warning. The users see each application window close then the PC powers off. There is no warning dialog that the PC will shutdown , such as some older viruses (Blaster, Sasser ) show. Each time it happens the PC records an Event ID 1074 in the system log as listed here
Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Time: 3:47:37 PM
The process winlogon.exe has initiated the restart of JEROMINO2 for the following reason: No title for this reason could be found
Minor Reason: 0xff
Shutdown Type: shutdown
0000: ff 00 00 80 ÿ..€
This message is identical on all PCs. It is a shutdown, not a reboot & even the data (0xff) stays the same.
I'm not sure whether this is a virus or a trojan, or something else altogether. I started capturing packets on the most affected machines & found that an INITSHUTDOWN packet was being received & I had the IP address of the offending PC!
So far I have found 3 PCs that do this - 2 of these PCs have suffered from being shutdown themselves. I even managed to run a process monitor on one of the offending machines when it sent a shutdown command.
I could see that shutdown.exe was being run at the right time, and that the scheduler seemed to be involved as well. A job was being written to the scheduler, the job was run, then the job file was deleted, so I can't see what was in the job. ( A file %windir%\SchedLgU.txt list this information). the result was that shutdown.exe would run and another computer on the LAN would shut itself down.
I can duplicate the effect by opening a command prompt & typing:
"shutdown -s -m \\PCNAME -t 00"
This will give the same message in the event log as above, right down to the "data" values.
Now I can do this because I'm a domain administrator. The computers that have being issuing the shutdowns are not logged in as domain admins. If the normal user is logged in they get "Access is denied" if they try to run shutdown on someone else's PC. (They are all local administrators of their own PCs)
I have scanned the boxes using InnoculateIT v7.1 with the latest update files. ( updated daily) & no infections found.
I have also tried the "fixblast" tool from Symantec, and the Stinger tool but no virus was detected
The PCs are running XP service pack 2
CAn anyone tell me what is causing the shutdowns & how do I prevent it?
If I don't get a full answer, I will give points to anyone who can tell me how the PCs can get access to send the shutdown order. As I said, they should get access denied.
THis has had me puzzled for some time, so feel frre to fire in the questions & I will answer them as quickly & as best I can (bear in mind I'm in Aus. so I'm on UTC +11 time at the moment :-> )