Solved

PCs being shut down remotely

Posted on 2005-03-09
3,443 Views
Last Modified: 2008-01-09
I have several PCs on my network that are shutting down with no warning. The users see each application window close, then the PC powers off. There is no warning dialog that the PC will shut down, such as some older viruses (Blaster, Sasser) show. Each time it happens the PC records an Event ID 1074 in the system log, as listed here:

Event Type:     Information
Event Source:     USER32
Event Category:     None
Event ID:     1074
Date:          9/12/2004
Time:          3:47:37 PM
User:          SYSTEM
Computer:     JEROMINO2
Description:
The process winlogon.exe has initiated the restart of JEROMINO2 for the following reason: No title for this reason could be found
 Minor Reason: 0xff
 Shutdown Type: shutdown
 Comment:  
Data:
0000:  ff 00 00 80               ÿ..€

This message is identical on all PCs. It is a shutdown, not a reboot & even the data (0xff) stays the same.

I'm not sure whether this is a virus or a trojan, or something else altogether. I started capturing packets on the most affected machines & found that an INITSHUTDOWN packet was being received & I had the IP address of the offending PC!

So far I have found 3 PCs that do this - 2 of these PCs have suffered from being shutdown themselves. I even managed to run a process monitor on one of the offending machines when it sent a shutdown command.
I could see that shutdown.exe was being run at the right time, and that the scheduler seemed to be involved as well. A job was being written to the scheduler, the job was run, then the job file was deleted, so I can't see what was in the job. (A file, %windir%\SchedLgU.txt, lists this information.) The result was that shutdown.exe would run and another computer on the LAN would shut itself down.

I can duplicate the effect by opening a command prompt & typing:
"shutdown -s  -m \\PCNAME -t 00"
This will give the same message in the event log as above, right down to the "data" values.
Now I can do this because I'm a domain administrator. The computers that have been issuing the shutdowns are not logged in as domain admins. If the normal user is logged in they get "Access is denied" if they try to run shutdown on someone else's PC. (They are all local administrators of their own PCs.)

I have scanned the boxes using InnoculateIT v7.1 with the latest update files (updated daily) & no infections found.
I have also tried the "fixblast" tool from Symantec, and the Stinger tool but no virus was detected
The PCs are running XP service pack 2

Can anyone tell me what is causing the shutdowns & how do I prevent it?

If I don't get a full answer, I will give points to anyone who can tell me how the PCs can get access to send the shutdown order. As I said, they should get access denied.

This has had me puzzled for some time, so feel free to fire in the questions & I will answer them as quickly & as best I can (bear in mind I'm in Aus. so I'm on UTC +11 time at the moment :-> )
Question by:dreadman2k
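Added example (not from this thread): a small Python script that parses Event Viewer text dumps in the layout quoted in the question and flags the 1074 records matching the pattern described there (winlogon.exe as initiator under SYSTEM, untitled reason, Minor Reason 0xff), so affected machines can be listed from exported logs. The two records in it are constructed; the JEROMINO2 one mirrors the event quoted above.

```python
import re

# Constructed sample (not real log data): two Event ID 1074 records in the Event
# Viewer text layout quoted in the question; the second is a normal user power off.
SAMPLE_LOG = """\
Event ID:     1074
Date:          9/12/2004
Time:          3:47:37 PM
User:          SYSTEM
Computer:     JEROMINO2
Description:
The process winlogon.exe has initiated the restart of JEROMINO2 for the following reason: No title for this reason could be found
 Minor Reason: 0xff
 Shutdown Type: shutdown

Event ID:     1074
Date:          9/13/2004
Time:          5:02:10 PM
User:          CORP\\alice
Computer:     WS07
Description:
The process C:\\WINDOWS\\Explorer.EXE has initiated the power off of WS07 for the following reason: Other (Planned)
 Minor Reason: 0x0
 Shutdown Type: power off
"""

DESC_RE = re.compile(r"The process (\S+) has initiated the (.+?) of (\S+) "
                     r"for the following reason: (.*)")


def parse_events(text):
    """Split a text dump into one dict per record: header fields plus 'Description'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, desc, in_desc = {}, [], False
        for line in block.splitlines():
            if in_desc:
                desc.append(line.strip())
            elif line.strip() == "Description:":
                in_desc = True
            else:  # partition on the first colon so 'Time: 3:47:37 PM' survives
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        fields["Description"] = "\n".join(desc)
        events.append(fields)
    return events


def find_suspicious_shutdowns(text):
    """Return 1074 records matching the question's pattern: initiated by
    winlogon.exe under SYSTEM, reason untitled, Minor Reason 0xff."""
    hits = []
    for ev in parse_events(text):
        if ev.get("Event ID") != "1074":
            continue
        desc = ev["Description"]
        m = DESC_RE.search(desc)
        minor = re.search(r"Minor Reason:\s*(0x[0-9A-Fa-f]+)", desc)
        stype = re.search(r"Shutdown Type:\s*(.+)", desc)
        if not (m and minor):
            continue
        process, _, host, reason = m.groups()
        if (process.lower().endswith("winlogon.exe")
                and ev.get("User", "").upper() == "SYSTEM"
                and reason.startswith("No title for this reason")
                and int(minor.group(1), 16) == 0xFF):
            hits.append({"computer": host, "when": f"{ev['Date']} {ev['Time']}",
                         "process": process, "reason": reason,
                         "shutdown_type": stype.group(1).strip() if stype else ""})
    return hits
```

Run it over a text export of the System log from each PC; every hit is one of the unexplained shutdowns, and the "when" values can then be lined up against the scheduler log and packet captures.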
21 Comments
 
LVL 14

Expert Comment

by:kenfcamp
ID: 13529637
First I'd do a web-based virus scan

Sounds to me either
1) you have a trojan on the systems or
2) you're allowing remote connections

If you don't have a firewall:
First flog yourself ;)
then install one! (I don't mean sp2's firewall, disable it and get a real one)
0
 
LVL 2

Author Comment

by:dreadman2k
ID: 13539891
Kenfcamp,

I have done a web scan (McAfee) of the suspect machines with no result. As for firewalls, the LAN is behind an appliance firewall but I don't run a firewall on each PC, as the company's work requires network communication between PCs.

Yes, it does sound like a trojan, but if so, what one? I cannot find anyone who is having the same symptoms I'm having & I think it's unlikely that I would have the only site in the world with this trojan.

Any search on my symptoms turns up references to Sasser & Blaster but all the Microsoft patches are applied (the PCs have SP2) and the specific scanners such as "Stinger" find nothing.
0
 
LVL 16

Assisted Solution

by:GUEEN
GUEEN earned 150 total points
ID: 13544542
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 13545064
ok, you're not alone in this.

I believe you may be victim of an RPC/DCOM exploit ("IF" nothing was changed by the would-be bonehead doing this). Try blocking PORT 135 UDP/TCP @ your firewall

I'd post the link to the information, but the link includes sample code that shouldn't be linked to and is in PDF form.

0
 
LVL 2

Author Comment

by:dreadman2k
ID: 13560556
Shekerra,

Yes, I've read that article & applied that change, hoping it would trap the shut-down command. However, PCs with this feature turned on still shut down without warning & without any dialog asking the user to enter a reason for the shutdown. This can be tested using the command-line shut-down I listed in the original post. Thanks for the effort, though.
0
 
LVL 2

Author Comment

by:dreadman2k
ID: 13561242
Kenfcamp,

As for the RPC/DCOM exploit: The PCs in question have all the security patches from Microsoft applied - we use a SUS server to update the PCs. Is there a new vulnerability that uses this port?

We block TCP port 135 from outside the network, but are you suggesting we close it off on the individual PCs? My concern there would be the loss of remote access/monitoring of the PCs on the LAN.

What are your thoughts?
0
 
LVL 14

Accepted Solution

by:
kenfcamp earned 750 total points
ID: 13564274
dreadman2k;

Personally, if blocking port 135 stopped the problem I could live with finding a way around any issues enabling it would cause.
Even with the patches, it is suggested by MS and others that 135 (among other ports) be blocked.

I'm not saying this will solve your problem, only that based on what I've found looking into this, this seems to be a reasonable shot at solving your problem.

I would suggest however you try it on only 1 PC. If it works, then add the solution to the rest.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 13570319
Hi.
To prevent this shutdown when it occurs do this:
Start button---> Run ----> Cmd

Inside Dos window write:
ShutDown-a

To abort the shutdown process.

Winlogon.exe is a process which is registered as the W32.Netsky.D@mm worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process.

So antivirus should fix that.
But is there is a possibility that a lan user uses an application to shutdown other pcs.

Hope this helps.
0
 
LVL 16

Assisted Solution

by:CodedK
CodedK earned 150 total points
ID: 13570328
Sorry that was:

"There is a possibility that a lan user uses an application to shutdown other pcs."

and
Shutdown/a
0
 
LVL 2

Author Comment

by:dreadman2k
ID: 13571341
Hi Codedk,

Thanks for the suggestion on stopping shutdown, but this shutdown is sent with a zero delay until shutdown. This means the usual warning dialog is not displayed & the first you know about it is as applications close one after the other. There is no opportunity to cancel the shutdown.

I have scanned the winlogon.exe files on suspect PCs with a scanner that detects Netsky.D and all came back negative.

As to the possibility of a user doing this deliberately - I guess you can never say 100% that it didn't happen, but we are a small company & I can't come up with a reason for anyone to do this. I know that may not sound convincing to you, but I have considered this before & with the people we have, it simply isn't a believable outcome.

Thanks for your efforts on this.

0
 
LVL 16

Expert Comment

by:CodedK
ID: 13573302
It was just a hypothesis.. :)
Anyway, can't come up with something else...

I hope you solve this.
0
 
LVL 2

Author Comment

by:dreadman2k
ID: 13588642
A little more info.

We did a packet capture for the relevant section of the network & were able to capture the packets being sent to the victim PC that triggered the shutdown. The shutdown order is being sent as a task scheduler job that runs immediately. It's doing this through TCP port netbios-ssn (139). Once again it shouldn't have permission to do this but it does. In previous bouts we did find that shutting down the scheduler service stopped an individual PC from rebooting. This is a workaround to my problem, but I would really like to find what is responsible.
0
 
LVL 23

Assisted Solution

by:gecko_au2003
gecko_au2003 earned 150 total points
ID: 13610837
Go to www.google.com and search for Shields Up and go to that site; it will show the IP address and that is normal. From there go to free utilities and download the DCOMbobulator and run that on the machine :) I think the fixes on the Shields Up site are for XP / NT / 2000 platforms, but not sure!

Anyway that dcom bobulator should help you out.

If they go to Start --> Run and type cmd or cmd32 or something like that, sometimes it opens up on some machines. I know this from doing it at a university I used to go to :) I only know this because I had to maintain machines at the university and inform the tech people there of any weaknesses that I came across :)
0
 
LVL 11

Assisted Solution

by:ghana
ghana earned 150 total points
ID: 13612183
Sometimes a patch is reported as installed but does not fix the security hole. To find those problems you can use an 'intrusive' vulnerability scanner like NeWT (http://www.tenablesecurity.com/products/newt.shtml). This is a Windows variant of Nessus and it's freeware. While MBSA only performs 'non intrusive' vulnerability scanning by checking the correct file versions NeWT will really try to attack the target system. Because of that you should select carefully the target systems you will scan with NeWT. But in this case I would give it a try to check whether the known vulnerabilities are really patched.
0
 
LVL 2

Author Comment

by:dreadman2k
ID: 13619174
Hi gecko,

Tried the DCOMBobulator but to no avail. The PC still responded to shutdown commands.

I'm still looking at exactly what goes on with RPC connections & trying to get my head around it. I can turn off the scheduler service, & maybe block TCP & UDP 135 to foil the attack, but I'm really hoping to find the culprit program/file so that I can locate & remove it, rather than just blocking it.
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 13619585
I don't know if this has been suggested, but what about getting ZoneAlarm, installing that, and then from there if you go to the programs section of ZoneAlarm it will show you what is trying to access the internet and that should show you what program it is that is shutting your computer down, assuming it is an actual file on your computer. If not, then the firewall will block it and you can also block ports etc. using ZoneAlarm :)
0
 
LVL 2

Author Comment

by:dreadman2k
ID: 13648605
Yes, I tried ZoneAlarm previously on a PC that was issuing the shutdown orders, but wasn't able to trap a specific program sending the AT job to the other computers. I think whatever is running is doing so under svchost.exe, which shows up as "Generic Windows Services" (something close to that, anyway). A lot of processes run under svchost.exe at any one time & it's difficult to determine exactly what each instance is doing. I'm using Process Explorer (www.sysinternals.com) but even it doesn't give a clear idea of what program is responsible for each thread.

0
 
LVL 11

Expert Comment

by:ghana
ID: 13649191
As far as I know ZoneAlarm is not able to detect outbound traffic via code injection (for example a malicious DLL using IE to generate traffic). Maybe you can install Sygate Personal Firewall which is able to detect this kind of traffic too.
0
 
LVL 13

Assisted Solution

by:gonzal13
gonzal13 earned 150 total points
ID: 13658110
After reading your questions etc. and posted comments I am confused also. But I would try possibly to find 'Malware' that may have been picked up during an exploration of various web sites. You might look at these.

MALWARE  PROGRAMS

There can sometimes be a very fine line between a Virus and "spyware", generally Norton AntiVirus (and most other antivirus applications) will not detect normal "spyware" unless it comes in the form of what is referred to as a "Trojan".  This name is taken from the historical "Trojan Horse" where invaders sneaked into the walled city hidden in a wooden horse.  Similarly, a computer Trojan comes packaged and disguised as something else, and sneaks into your system where it can hide unseen doing a variety of things such as stealing passwords and sending them out to some other remote computer, monitoring activity, etc.

AntiVirus applications are often able to detect known Trojans, but not always.  It is very important for this reason to always allow your AntiVirus program to check regularly for updated "definition" files.  These are the "libraries" (for want of a better word) that the program uses to detect known threats, and new definition files will find new viruses.

Spyware is generally less nasty than a Trojan, but can certainly be a security leak.  In normal cases, they are huge annoyances rather than actual "spies".  I suppose that, if there were sub-categories, they could be divided into "Internet Home Page HiJackers" that redirect your internet pages constantly to specific search pages, "Ad Ware" which monitors your internet browsing habits and transmits them to central repositories for marketing purposes, and "Scumware" that sneakily installs programs that masquerade as legitimate programs and do similar things as "Adware", and "Scumware" which just messes up your system for no particular reason.

For the most part, all of these rely on changing or adding registry settings.  For instance, some will install and register files that have very similar names to genuine Windows system files so that a user checking what program files are currently being used won't immediately suspect a rogue process at work.  Some replace a windows system file with a rogue version of their own, and change a registry setting so that their rogue file does something else entirely different.

There is something known as a "Browser Helper Object" or BHO.  Most are legitimate and helpful, such as the integration of Adobe Acrobat Reader which will open up within Internet Explorer if you click on a link to a .PDF file.  Other BHO's are Norton AntiVirus Helper, which adds a "Scan with NAV" to various places and also runs behind the scenes ready to scan incoming email.  Unfortunately, some unscrupulous programs add unwanted BHO's into your system.

To somebody who is neither well acquainted with the names of files and folders in the "system" areas, and who has never had to know what lies in their windows registry, it can be difficult for that person to identify results thrown up by spyware removal tools.

Microsoft is often maligned and accused of creating unwanted, annoying, or "big brother-like" processes in Windows, and for that reason anti-spyware programs will often identify normal Windows registry settings, files, and processes as undesirable.  In most cases, these found items can be safely removed using the anti-spyware tool without suffering any adverse effects because they are not crucial to functionality.  In odd cases, however, allowing an anti-spyware utility to remove something could adversely affect your system.

There is also the risk that, by removing a rogue file that has deliberately replaced a legitimate system file, your system will look for that file and throw up errors when it can't find it.
The above was plagiarized from BilDll

Anti spyware tutorial

Spyware, also known as adware or malware, are programs that can cause problems. These include: pop-up advertisements on your computer, browser hijacks, search engine hijacks, website redirections, website restrictions, computer problems (like slowdowns, lockdowns, etc.), personal information being logged without your permission, preventing you access to certain sites or the whole internet, etc. Some spyware are worse than viruses, in my opinion. This section was created to help you detect and remove any suspicious activity that may be going on your computer. Also included is a section on how to prevent future spyware installations. Please read and follow the steps below to help make this process much faster and easier.

Before running any spyware programs, please run an online antivirus scan at one of the below sites to make sure that you don't have a virus. It is recommended to run a scan online because there are some viruses that can disable or make themselves invisible to the antivirus programs you have on your computer. If any viruses are found, write them down and remove them. Before running any of them, first disable System Restore if you have Windows ME/XP. You may use more than one:

http://www.greyknight17.com/spyware.htm


Spyblaster
http://www.javacoolsoftware.com/spywareblaster.html

Spybot Search and Destroy

Spybot - Search & Destroy can detect and remove a multitude of adware files and modules from your computer. Spybot also can clean program and Web-usage tracks from your system, which is especially useful if you share your computer with other users. Modules chosen for removal can be sent directly to the included file shredder, ensuring complete elimination from your system. For advanced users, it allows you to fix registry inconsistencies related to adware and to malicious program installations. The handy online-update feature ensures that Spybot always has the most current and complete listings of adware, dialers, and other uninvited system residents

http://download.com.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button

Ad-Aware

Malware can track your surfing habits, abuse your Internet connection by sending this data to a third party, profile your shopping preferences, hijack your browser start page or pages, alter important system files, and can do this without your knowledge or permission

http://www.lavasoftusa.com

CWShredder

http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/CWShredder.shtml

http://download.softpedia.com/software/antivirus/CWShredder.exe


Note: Run "CoolWWWSearch.SmartKiller removal tool" BEFORE running CWShredder.

CoolWWWSearch.SmartKiller (v1 and v2) is a new, real ugly variant of CoolWWWSearch. When running, it will close every browser window you use to visit a large list of anti-spyware-sites, and even will close Spybot-S&D and some other anti-spyware applications as well.

http://www.safer-networking.org/files/delcwssk.zip

HiJack This!

HijackThis: A general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything.

http://www.merijn.org/files/hijackthis.zip
http://www.spychecker.com/program/hijackthis.html

HijackThis Tutorial

http://www.merijn.org/htlogtutorial.html

Paste logfile created into the text box here:

http://www.hijackthis.de/en

Remove all noted as "Nasty".

CWshredder
A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D and Ad-aware tend to forget essential parts of the hijack, so until they update, you can use this to completely remove the hijack. This program is updated to remove the new variants once they come out  

Installing CWShredder: Unzip the program to your Desktop. Double click on it to open up the program. Click on Fix and let it remove any traces found. When you click Fix, it will ask you to close all browser windows, so make sure you don't have Internet Explorer, Netscape or any other browser running. Click OK. It will scan and remove any files found. If a window pops up asking you if you want to delete a certain file, choose NO.
Next run Ad-aware

 http://www.majorgeeks.com/download4086.html

Spybot Search and destroy

Spybot - Search & Destroy can detect and remove a multitude of adware files and modules from your computer. Spybot also can clean program and Web-usage tracks from your system, which is especially useful if you share your computer with other users.

http://download.com.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button


http://www.safer-networking.org/en/index.html

gonzal13(joe)
0
 
LVL 2

Author Comment

by:dreadman2k
ID: 14106280
Ok,

Tidying up my mess after way too long. I'm going to split the points among all who contributed, with Kenfcamp getting the lion's share for being first in with what I deem the most relevant leads. Thanks to all for the ideas.

The root cause has not been established, but the problem has ceased, so I don't know what happened unless an MS update fixed the problem.
0
