Financial Daily from THE HINDU group of publications
Monday, Jun 28, 2004


eWorld - Computer Usage
Columns - Tip Off


Shutdown problems

I have a Windows 2003 server (standard edition) with Internet Explorer (version 6.0) in my PC. If I try logging on to the Internet after a few minutes, the system shuts down automatically and the following error message appears: "The system is shutting down, please save all works in progress and log off. Any unsaved changes will be lost. The shutdown was initiated by NT authority/system. Time before shutdown - 55 seconds... " And the message "Windows must now restart because the remote procedure call (RPC) terminated unexpectedly" also appears.

I used to have the same problem with Windows 2000 Professional, and I had IE 5.0 installed on my PC then. I have not made any changes. Please suggest a solution.

-- Biswajit Dash

This shutdown problem is due to the Blaster worm, which affects only Windows 2003/XP/2000/NT computers. The worm and its variants are also known as W32.Blaster.Worm, W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro), and Win32.Posa.Worm (Computer Associates). W32.Blaster.Worm exploits the DCOM RPC vulnerability, using TCP port 135, that is described in Microsoft Security Bulletins MS03-026 and MS03-039. The worm does not require user interaction to infect new systems; it simply scans the network from a host system and looks for machines that have not been patched. If a vulnerable system is found, the worm installs the file MSblast.exe into the Windows System32 folder, which is usually C:\Windows\System32 or C:\WINNT\System32. You must download and install the patch from Microsoft that fixes the vulnerability and run the Blaster worm removal tool.

To remove the blaster worm, please follow these instructions:

Please download and install the Microsoft security patch KB824146 corresponding to your operating system, which is available at the following URL: http://support.microsoft.com/default.aspx?kbid=824146. The patch for Windows Server 2003 32-Bit Edition is 1.94MB. To install this patch, you must be logged on as administrator or as a user who is a member of the Administrators group. If your computer does not stay running long enough to download this patch, please try the following steps.

  • Enable a personal firewall or ICF. This may prevent your machine from shutting down due to the DCOM RPC vulnerability and future attacks. In Windows 2003/XP, Microsoft has included Internet Connection Firewall (ICF) to supposedly keep your system safe while staying connected to the Internet. It provides inbound protection from items moving from the Internet on to your machine. To enable or disable ICF, click Start - Settings - Control Panel - Network Connections and look under Dial-up or LAN or High-Speed Internet. Right-click the connection that you want to protect (probably Dial-up if you connect to the Internet through a Dial-up or DSL connection), and then click Properties - Advanced tab and look under Internet Connection Firewall. Now do one of the following: to enable ICF, select the "Protect my computer and network by limiting or preventing access to this computer from the Internet" check box; to disable ICF, clear the same check box.

  • The next option is to open Windows Task Manager: press CTRL+SHIFT+ESC and click the Processes tab. Look for a process named MSBLAST.EXE, PENIS32.EXE, TEEKIDS.EXE, MSPATCH.EXE, MSLAUGH.EXE or ENBIEI.EXE in the list. If you find one, click the process to highlight it, then click the End Process button and close Task Manager.

  • To stop Windows 2003/XP from shutting down within 60 seconds, click Start - Run, type cmd, and at the command prompt type "shutdown -a" without quotes. Another way is to change the settings for the Remote Procedure Call (RPC) service; this may allow you to connect to the Internet without the computer shutting down. To do this, click Start - Run and type "services.msc /s" without quotes. In the right pane, double-click the service Remote Procedure Call (RPC) (not the Remote Procedure Call (RPC) Locator). Click the Recovery tab. Using the drop-down lists, change First failure, Second failure and Subsequent failures to "Restart the Service" and click OK. Please make sure that you change these settings back once you have removed the worm.

  • If possible, you may download the patch from another computer that has Internet connectivity and place it on a floppy. You can then take this disk to your computer to install the patch.

    Once you have installed it, please download and run any one of the following removal tools, which will scan your computer for W32.Blaster.Worm. Download FixBlast.exe (132KB) at http://securityresponse.symantec.com/avcenter/FixBlast.exe (Symantec). Download ClnPoza.zip (335KB) at http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=36265 (CA). Download stinger.exe (766KB) at http://vil.nai.com/vil/stinger/ (McAfee). This will scan for 43 viruses, trojans and variants.

    To stop future attacks, especially if you are an Internet surfer, you have to follow the guidelines given below. The first option is to use an Internet firewall, either ICF or a third-party personal firewall. If you would like to download a personal firewall (freeware), please follow the link http://www.snapfiles.com/freeware/security/fwfirewall.html. The second option is to get the latest Microsoft security updates. Use either the Automatic Updates feature of Windows XP/2003 or go to the Windows Update site at http://windowsupdate.microsoft.com and click "Scan for Updates". The third option is to use anti-virus software with the latest virus definition file. For more information on protecting your PC, please refer to http://www.microsoft.com/security/protect/

    Solution by M. Sampath
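
The checks in the procedure above, as an added example that is not part of the original column: Python that takes `tasklist /fo csv /nh` output, a System32 file listing and a list of installed hotfix IDs, and returns the column's steps that still apply. The function names, the sample data, and matching the process-name list against System32 file names are assumptions.

```python
import csv
import io

# Image names the column says to look for in Task Manager (matched case-insensitively).
BLASTER_IMAGES = {"msblast.exe", "penis32.exe", "teekids.exe",
                  "mspatch.exe", "mslaugh.exe", "enbiei.exe"}
PATCH_ID = "KB824146"  # patch named in the column


def suspicious_processes(tasklist_csv):
    """Return [(image, pid)] for rows of `tasklist /fo csv /nh` output on the list."""
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        # Columns are: image name, PID, session name, session number, memory usage.
        if len(row) >= 2 and row[0].strip().lower() in BLASTER_IMAGES:
            hits.append((row[0].strip(), int(row[1])))
    return hits


def triage(tasklist_csv, system32_files, hotfix_ids):
    """Map three observations to the column's steps, in the column's order."""
    procs = suspicious_processes(tasklist_csv)
    # Assumption: the column names only MSblast.exe as the file dropped in
    # System32; the variants' process names are checked there as well.
    dropped = sorted(f for f in system32_files if f.lower() in BLASTER_IMAGES)
    patched = PATCH_ID in {h.strip().upper() for h in hotfix_ids}
    steps = []
    if procs:
        steps.append("end process: " + ", ".join(f"{n} (PID {p})" for n, p in procs))
    if not patched:
        steps.append("install " + PATCH_ID)
    if procs or dropped:
        steps.append("run a Blaster removal tool")
    return {"processes": procs, "dropped": dropped, "patched": patched, "steps": steps}


# Constructed sample input (not captured from a real host).
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","16 K"
"svchost.exe","812","Console","0","3,456 K"
"msblast.exe","1384","Console","0","1,120 K"
"TEEKIDS.EXE","1490","Console","0","980 K"
'''
SAMPLE_SYSTEM32 = ["kernel32.dll", "MSblast.exe", "svchost.exe"]
SAMPLE_HOTFIXES = ["KB000001", "KB000002"]  # placeholder IDs, constructed

if __name__ == "__main__":
    for step in triage(SAMPLE_TASKLIST, SAMPLE_SYSTEM32, SAMPLE_HOTFIXES)["steps"]:
        print(step)
```
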

    Please e-mail us at eworld@thehindu.co.in if you have queries on computer usage or if you find an interesting way of using a computer.


    Copyright © 2004, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line