Re: Shut down in 60 secs...... HELP! Pls

From: Bruce Chambers (bruce_a_chambers_at_h0tmail.com)
Date: 10/11/04


Date: Mon, 11 Oct 2004 07:07:13 -0600

lorne wrote:
> Greetings all,
>
> I seem to have contracted the evil shut down in 60 sec. virus. I
> reformatted my hard drive, installed Win XP Pro, and as soon as I
> plugged in my internet to get my updates, I got the dreaded shutting
> down in 60 sec warning. I unplugged my internet, ran Stinger (found
> and corrected 2 infections). Restarted the computer, ran AVG (didn't
> find anything), ran Stinger again (didn't find anything), plugged in
> the internet to do the updates.... bang... 60 sec warning!!
> Disconnected the internet, tried to run AVG (won't run), went into
> safe mode, ran Stinger (didn't find anything). Checked the registry
> (run, run once, run service etc). Everything looked good. Rebooted,
> plugged in the internet and bang.... 60 second warning.
>
> What should I do now??
>
> thank you all for suggestions.

    Knowing that you're likely to get re-infected as soon as you
connect to the Internet, is there any particular reason you still
refuse to use a firewall?

    As you haven't provided any specific details or error messages,
the following is the result of having to guess what your problem might
be. There are at least two possibilities:

1) If you connected the PC to the Internet without having first
enabled a firewall, without having first installed an antivirus
application with current virus definition files, and before installing
the KB828471 Hotfix, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

    To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

MS04-012 Cumulative Update for Microsoft RPC-DCOM
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger

2) You've apparently contracted the latest worm, W32.Sasser.Worm,
specifically designed to attack people who do not update their
computers promptly and who do not practice "safe hex." In other
words, like Blaster, this worm was developed and distributed _after_ a
patch for the vulnerability was announced and made publicly available.
Further, and also like Blaster, this worm could not affect any
computer whose user had taken the basic precaution of using a properly
configured firewall.

    To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next Shutdown countdown begins. This will abort the shut down. Also,
make sure you've enabled a firewall before starting, to preclude any
more intrusions while getting the updates/patches/tools.

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

A tool is available to remove the Sasser worm variants
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/

-- 
Bruce Chambers
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH

