COMPUTER SHUTS DOWN AS SOON AS IT LOGS ON

Discussion in 'Virus Information' started by RICK, Aug 22, 2004.

  1. RICK

    RICK Guest

    My friend's computer is infected, I think, with a
    virus. Whenever she logs on, a pop-up comes on and says it's
    going to shut down in 60 seconds, and then the computer
    shuts down. What I need to know is what do I need to do to
    get the computer to stay on long enough to
    kill the virus. Thanks
     
    RICK, Aug 22, 2004
    #1

  2. It is either the Sasser or the Blaster or one of their variants.

    When your "friend" gets the shutdown message...

    Go to; Start --> Run
    enter; shutdown -a

    Assuming the Blaster:
    This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
    Stinger: http://vil.nai.com/vil/stinger/
    http://www.microsoft.com/downloads/details.aspx?FamilyId=E70A0D8B-FE98-493F-AD76-BF673A38B4CF&displaylang=en
    and install the following patch for the RPC/RPCSS and DCOM Vulnerabilities that are
    addressed by Microsoft Security Bulletin MS04-012 - KB828741
    http://support.microsoft.com/default.aspx?scid=kb;en-us;828741 and finally
    http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

    Please read: http://www.microsoft.com/security/incident/blast.asp

    Assuming Sasser:
    Download the McAfee worm removal tool, Stinger: http://vil.nai.com/vil/stinger/
    Read the following...
    http://www.microsoft.com/security/incident/sasser.mspx

    Install the vulnerability patch
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx



    Your "friend" also needs a FireWall. If he/she doesn't patch the PC and doesn't use a
    FireWall, then he/she will just be re-infected.

    I also suggest the installation of *ALL* MS Critical Updates ASAP.

    Dave







    | My friend's computer is infected, I think, with a
    | virus. Whenever she logs on, a pop-up comes on and says it's
    | going to shut down in 60 seconds, and then the computer
    | shuts down. What I need to know is what do I need to do to
    | get the computer to stay on long enough to
    | kill the virus. Thanks
     
    David H. Lipman, Aug 22, 2004
    #2

  3. RICK

    BG250 Guest

    Could be Blaster or SASSER, or it could be one of the new ones such as SPYBOT or
    W32/Rbot-GO.
    I had a hit on our network. It has the LSASS error and the sixty second shut
    down on several computers. It was found as msnmsg.exe on a laptop. It was in
    several RUN entries of the registry. After clearing the registry of the
    entries and deleting the file, all is calm. AVG 7 with the latest download
    would not detect it even if I right clicked on the file and selected scan
    with AVG. Stinger and some other tools would not see it either.

    msnmsg.exe is not a valid Windows file; it is named similarly to look like one.
    The Sophos website seems to be one of the few that are aware of this one.

    If the virus is not found on her PC, check the others if she is on a LAN. Be
    sure the Internet connection is blocked. Some of the mentioned viruses
    launch DoS attacks and steal passwords.

    bg
     
    BG250, Aug 22, 2004
    #3
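
An added example, not part of BG250's post: when antivirus misses a file, as with the msnmsg.exe found in the RUN entries above, Run-key values can still be triaged by name. The sketch below parses `reg query`-style output and flags executables whose names sit within a small edit distance of an expected name without matching it. The sample output, the allowlist and the distance threshold are constructed assumptions.

```python
import re

# Constructed sample of `reg query ...\CurrentVersion\Run` output (not from the thread).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
    Microsoft Update    REG_SZ    msnmsg.exe
    AVG7_CC    REG_SZ    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    BackupAgent    REG_SZ    C:\Tools\backup-agent.exe
"""

# Assumed allowlist: executable names the reviewer expects on this machine.
KNOWN_GOOD = {"msmsgs.exe", "msnmsgr.exe", "avgcc.exe", "explorer.exe", "ctfmon.exe"}

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(?P<data>.+)$")
EXE_RE = re.compile(r'"?(.+?\.(?:exe|com|bat|scr|pif))', re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_name(data):
    """Lower-cased file name of the program a Run value launches."""
    m = EXE_RE.search(data)
    path = m.group(1) if m else data.split()[0]
    return re.split(r"[\\/]", path)[-1].lower()

def triage(text, max_dist=2):
    """Return (value name, exe, verdict, nearest known name) per Run value."""
    findings = []
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header or blank line
        exe = exe_name(m["data"])
        near = min(KNOWN_GOOD, key=lambda k: (edit_distance(exe, k), k))
        dist = edit_distance(exe, near)
        verdict = "known" if dist == 0 else "lookalike" if dist <= max_dist else "unknown"
        findings.append((m["name"], exe, verdict, near))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A "lookalike" verdict is a prompt to check the file's location and signer by hand, not proof of infection; "unknown" entries still need review against what is installed.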
  4. Greetings --

    What happens when the machine is re-booted into Safe Mode, or when
    it's disconnected from the network/Internet?

    As you haven't provided any specific details or error messages,
    the following is the result of having to guess what your problem might
    be. There are at least two possibilities:

    1) If you connected the PC to the Internet without having first
    enabled a firewall, without having first installed an antivirus
    application with current virus definition files, and before installing
    the KB828471 Hotfix, you're very likely to get infected from any of
    the thousands of PCs on the Internet that are constantly broadcasting
    the Blaster and/or Welchia worms. It only takes a few seconds of
    exposure.

    To stay on-line long enough to get the necessary updates, patches,
    and removal tools, click Start > Run, and enter "shutdown -a" when the
    next RPC countdown begins. This will abort the shut down. Also, make
    sure you've enabled a firewall before starting, to preclude any more
    intrusions while getting the updates/patches/tools.

    MS04-012 Cumulative Update for Microsoft RPC-DCOM
    http://support.microsoft.com/default.aspx?scid=kb;en-us;828741

    What You Should Know About the Blaster Worm
    http://www.microsoft.com/security/incident/blast.asp

    W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    W32.Blaster.Worm Removal Tool
    http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    W32.Welchia.Worm a.k.a. W32/Nachi.Worm
    http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

    W32.Welchia.Worm Removal Tool
    http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

    McAfee AVERT Stinger
    http://us.mcafee.com/virusInfo/default.asp?id=stinger


    2) You've apparently contracted the latest worm, W32.Sasser.Worm,
    specifically designed to attack people who do not update their
    computers promptly and who do not practice "safe hex." In other
    words, like Blaster, this worm was developed and distributed _after_ a
    patch for the vulnerability was announced and made publicly available.
    Further, and also like Blaster, this worm could not affect any
    computer whose user had taken the basic precaution of using a properly
    configured firewall.

    To stay on-line long enough to get the necessary updates, patches,
    and removal tools, click Start > Run, and enter "shutdown -a" when the
    next Shutdown countdown begins. This will abort the shut down. Also,
    make sure you've enabled a firewall before starting, to preclude any
    more intrusions while getting the updates/patches/tools.

    What You should Know about the Sasser Worm and its Variants
    http://www.microsoft.com/security/incident/sasser.asp

    Microsoft Security Bulletin MS04-011
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    W32.Sasser.Worm
    http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

    A tool is available to remove the Sasser worm variants
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

    W32.Sasser.Worm Removal Tool
    http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

    McAfee AVert Stinger Virus Removal Tool
    http://vil.nai.com/vil/stinger/


    Bruce Chambers
    --
    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    You can have peace. Or you can have freedom. Don't ever count on
    having both at once. - RAH
     
    Bruce Chambers, Aug 22, 2004
    #4