shutdown in 60 seconds

pat kenny

Under a freash windowsXP install a friend of mine gets the following error.
The system runs fine untill he connects to the internet and aftewr 5 mins he is presented with an error message something like the following.


"NTAuthority/system remote procedure will shut down in 60 seconds"

Once the 60 seconds counts down the computer shuts down.
sorry I cant be more spacific about the error message but thats all I can get.

tuxy

blaster worm

seamus

He has a blaster worm.
Google for it.

Fresh installs of XP SP1, should always be followed by installing a firewall that blocks all but HTTP traffic and then connecting to internet/network, and downloading all windows updates.

ColmOT [MSFT]

Make sure that you install patch KB824146 from Windows Update. This is the fix to prevent infection with Blaster.

Cabaal

No matter how many times I hear users getting this message it still makes me kinda laugh especially when they try say its my fault

catho_monster

ok. i have this thing too.
but i havent installed any

Fresh installs of XP SP1

it just started coming up with no reason...

ressem

Seamus was describing what you should be doing.

Now that you've got the virus
follow the instructions and download the patches recommended at
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
to prevent your PC from restarting and fix the problem.



I'm assuming your PC is on a home dialup,
so install a software firewall,
switch off netbios over TCP, and file and printer sharing on your internet network adapter.

Then patch your PC (windows / ie/ office) and repeat each month.
I know it's a B***** to do on a dial up connection, especially since MS stopped allowing PC magazines to distribute service packs but you can use windows update to get Q patch numbers and download the large files from a company or uni network.

OT
Can our resident MSFT impersonator explain why MS stopped us from securing our PC's using magazine Cds? Technically I'm not legally allowed to make up a monthly patch CD for colleagues home PC's which indirectly is a risk for the business.

vibe666

with reference to the windows update problem, what you need is AutopatcherXP from Neowin.net it does all the XP patches from SP1 to current and is released as an update on a monthly basis. Very handy.

ressem

Nice one. Thanks.

Creamy Goodness

to abort the shutdown type

shutdown -a

in the start >> run

ressem

to abort the shutdown type
shutdown -a

Providing you've got
Windows XP or
resource kit installed on Windows2000

Johnny Versace

Click Start > Run. The Run dialog box appears.
Type:

SERVICES.MSC /S

in the open line, and then click OK. The Services window opens.


In the right pane, locate the Remote Procedure Call (RPC) service.

---

CAUTION: There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.

---

Right-click the Remote Procedure Call (RPC) service, and then click Properties.
Click the Recovery tab.
Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
Click Apply, and then OK.

---

CAUTION: Make sure that you change these settings back once you have removed the worm (change "Restart the Service" back to "Restart the Computer".)

---

You then need to download the Blaster Virus removal tool. You can get it here -
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

...

Beware that the Blaster virus could be on your / or E:/ and is waiting to reinfect C.

Also, stop opening attachments from people you don't know, or anything that is not a ZIP or graphic or movie.

ressem

Some of the blaster variants spread only through the RPC hole, not mail.

Which is why file/printer/netbios/iis/msde and the other unnecessary stuff should be disabled.


Every second mail virus these days bundles itself within a zip.

Lots of others use the
.gif <lots of spaces> .pif
or
.mpeg <lots of spaces > .exe
that is easy to miss.

or the html link exploit, that opens the enclosed file.

Hard and fast rules like this don't work well under windows.
Which is why a virus checker and firewall are desirable.

(preferably both hardware and software, since viruses are around that target a particular security product and use its vunerabilities to rip apart your machine)

There's plenty of threads recommending products along these lines, so I won't rehash them.

Johnny Versace

Sure, I wasn't trying to give all the hard and fast rules, just pointing out that general awareness is the first line of defence...

ressem

Sorry, no criticism intended.

As a supercillious \. reading IT-know-it-all, I used to give the same advice last year, but the virus kiddies made the suggestions invalid again.

I know people well smarter than me and with AV that got caught by the first weekend of blaster or netsky variants, and so felt the "stop opening attachments " assumption to be a little harsh, given that there's so many areas that have to be maintained, which no-one is taught about except through experience. Half of them haven't even been mentioned in this thread.

E.g
Get your rotating backup strategies ready for when vicious feckers alter these to rot harddrive data as opposed to propagation, like the witty worm.

MadKevo

Originally posted by ressem
Sorry, no criticism intended.

As a supercillious \. reading IT-know-it-all, I used to give the same advice last year, but the virus kiddies made the suggestions invalid again.

Was going to ask what backslash-dot was, but I suppose it is a Windows specific board...!!
Just my little joke.
Me goes back into lurk mode again...:ninja:

Villain

I got this when it first arrived and installed the patch and removed the worm.

However it started re-appearing again last week and I can't get rid of it.

I ran stinger and it foung Blaster.b deleted that and installed patch again

Following day it happened again, ran stingert and it found blaster.d

What am I doing wrong??

Dempsey

Originally posted by ressem
Providing you've got
Windows XP or
resource kit installed on Windows2000

The blaster worm only infects Xp

oneweb

Originally posted by Dempsey
The blaster worm only infects Xp

Incorrect, it infects NT based systems (Win2k AND XP). I should know - I had to present my final year project in a room full of poxy blaster infected W2K machines :mad: