Is this Sasser?

Dingusboy · #1 05-14-2004, 02:01 PM

My computer running XP is exhibiting behavior that baffles me.

I came into the office (really small two computer operations) this morning and I attempted to boot my computer. It began the process but shut itself down. Attempts to reboot lead to even quicker shut down (less then 30 seconds). I eventually pulled the plug and waited some time and attempted to reboot and once again shut down with a longer (around a minute) time.

I tried booting from a floppy but the same behavior was evident.

Even when I just go into the bios (Dell Dimension) it shuts down with the same characteristics.

With no C drive available it still shuts down as mentioned above.

No network connections were present throughout the process.

I scanned the 2nd office computer with Symantec fxSasser(Windows Me) and no Sasser was found. My assumption was if one was infected they probably they both would be.

I'm beginning to wonder if this is a hardware issue but maybe there is something about this virus I'm not getting.

Thanks in Advance for any comments, help, or guidance.

ESALADUANE · #2 05-14-2004, 02:10 PM

It could be Blaster.

See if this works to stay connected long enough to do the patch/remove (this is from Microsoft).

Restoring Internet connectivity

In many cases, on both Windows 2000 and XP, changing the settings for the Remote Procedure Call (RPC) service may allow you to connect to the Internet without the computer shutting down. To restore Internet connectivity to your PC, follow these steps:

1. Click Start > Run. The Run dialog box appears.
2. Type: SERVICES.MSC /S in the open line, and then click OK. The Services window opens.
3. In the right pane, locate the Remote Procedure Call (RPC) service.

CAUTION: There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.

4. Right-click the Remote Procedure Call (RPC) service, and then click Properties.
5. Click the Recovery tab.
6. Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
7. Click Apply, and then OK.

CAUTION: Make sure that you change these settings back once you have removed the worm.

This is also from Microsoft:

Step 1: Enable your firewall (the native XP one if you don't have another one).

Step 2: Download the patch from Microsoft (this patch replaces 823980).
http://support.microsoft.com/default.aspx?kbid=824146

Step3: Install or update your anti-virus program

Step 4: Download the worm removal tool for W32.Blaster.Worm
http://securityresponse.symantec.com...oval.tool.html

ESALADUANE · #3 05-14-2004, 02:15 PM

Another way to stop your machine from shutting down when this message is displayed:

Go to the start menu and select run. Then type "shutdown -a" (with a space, but without the quotes) in the text box and click the OK button. This will stop the machine from shutting down. However, this is just a symptom. The cause is probably an exploit of your RPC service.

Dingusboy · #4 05-14-2004, 02:19 PM

Thank you for the quick reply.

I can't get it to stay on long enough to get to a command prompt. It never finishes starting up before the shut down occurs. At the most it gets about a minute into the boot process and shuts down.

That is part of my frustration and confusion. All the fixes I've seen imply getting that far.

ESALADUANE · #5 05-14-2004, 02:26 PM

Can you get into Safe Mode (using f8)?

Dingusboy · #6 05-14-2004, 02:34 PM

No, same thing. safe mode shuts down after around a minute the first time and much quicker if immediatly tried again.