I'm in Computer Hell!!!

EatSleepFly

Well-Known Member
I'm in Computer Hell!!!

Alright, I have to make this quick before it does it again...

My computer keeps coming up with an error message basically saying "save everything, cause I'm shutting down in 60 seconds", and then it proceeds to count down from 60 and shut down. It says something about shutting down because the Remote Procedure Call service terminated unexpectedly.... Anyone have any ideas whatsoever?
 

racemey

Well-Known Member
Re: I'm in Computer Hell!!!

As I am writing this my computer is doing the same thing. Tried running virus and Windows Update to no avail. HELP!!
 

Kristie

Mama Bear....
Staff member
Re: I'm in Computer Hell!!!

What type of computer do you have? Who's the manufacturer? Is it a desktop or laptop, and is your modem a store-bought card or one that came with the computer/was set up by installers?
 

aloft

New Member
Re: I'm in Computer Hell!!!

That's a sign of an attack from an outsider. Couple things you can do; first and foremost is get some firewall protection, either a router or software, like ZoneAlarm. If you're running Win XP, make sure Internet Connection Firewall is checked.

Then, go to windowsupdate.microsoft.com and check for updates to your system (there's a patch for this particular vulnerability).

If that doesn't work, here's some more advanced ideas:

[ QUOTE ]
Try running "services.msc" in Run, find RPC (Remote Procedure Call) there, then stop it and disable it. Also go to the "Recovery" tab on the same RPC window, find the three lines which say "Reboot the computer" and change them to "Take no action".
If you are not intending to stop RPC then you can try going to the Recovery tab and putting "Take no action" in all three options over there... That should fix it...

Then try getting the patch and installing it....
Could be found on:

www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

[/ QUOTE ]

Anyone running Win XP should be in the habit of checking for system updates regularly or enabling Automatic Updates on their computer.
 

smokey1

Well-Known Member
Re: I'm in Computer Hell!!!

My computer was doing the same thing! Ack!
Smokey....................................................
 

JDMcFly

New Member
Re: I'm in Computer Hell!!!

I just checked my firewall log and I have hundreds of TCP port 135 DCOM attempts..

I don't have XP though, and it isn't gonna get through my firewall, so I'm alright fer now.

Really people.. get a firewall. It will help protect you and others on your subnet.
 

aloft

New Member
Re: I'm in Computer Hell!!!

[ QUOTE ]
It's a new virus, goin' around like crazy.

[/ QUOTE ]
Yeah, just checked the incoming log on my router, it's been getting hammered on ports 135 and 137 today. Oh well.

By-the-by, everybody on a broadband connection (cable, dsl, dish, T1, whatever), you should REALLY have a router. A simple cable/dsl router like the Linksys BEFSR41 is entirely adequate, and pretty cheap these days.
 

tonyw

Well-Known Member
Re: I'm in Computer Hell!!!

[ QUOTE ]
By-the-by, everybody on a broadband connection (cable, dsl, dish, T1, whatever), you should REALLY have a router. A simple cable/dsl router like the Linksys BEFSR41 is entirely adequate, and pretty cheap these days.

[/ QUOTE ]

Okay, I have DSL, and I have no clue about these things. Can you please explain this to me?

And ZoneAlarm rocks. I've gotten pinged on the ports that this virus uses but since ZoneAlarm prevents anything from getting in, they don't even know I'm here.
 

EatSleepFly

Well-Known Member
Re: I'm in Computer Hell!!!

Cool...thanks for the help everybody! I think I managed to get rid of it...my god that was frustrating.
 

Mr_Creepy

Well-Known Member
Re: I'm in Computer Hell!!!

I have seen this happen several times on mine and others' computers.

First of all, I don't think it's a virus.

I DO think it is an attack from outside. Someone has managed to get past your firewall and is turning off your RPC service.

A router stops this pretty well (not 100%!)

A router has its own IP address and "screens" your computer's IP address from outside folks, so they cannot write to your ports unless they get your IP somehow. Since this has happened to me even behind a router there must be some way to get your IP even past a router.

Still researching it, will post more when I find out.
 

MDPilot

Well-Known Member
Re: I'm in Computer Hell!!!

Worm is more technically the correct term. It puts a file called msblast.exe on your computer, sets it in the registry to run instead of Windows Update, and then causes the overflow that shuts down your computer. Saw it last night on a panic call from one of my friends; his McAfee antivirus didn't sniff it out, but Norton did. I also installed ZoneAlarm, IMHO a must for anyone with a cable or DSL connection even with a router installed.
 

Mr_Creepy

Well-Known Member
Re: I'm in Computer Hell!!!

Do you know in what directory msblast.exe is placed?

I'd like to find out
 

MDPilot

Well-Known Member
Re: I'm in Computer Hell!!!

On my friend's computer, I believe it was in the Windows directory. Instead of just deleting the file (which does nothing to erase the registry entry), go to this link and download FixBlast.exe; this should remove the worm from your computer. Symantec FixBlast

Just for grins (from the Symantec website), this is what this sucker actually does:



When W32.Blaster.Worm is executed, it does the following:


Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.


Adds the value:

"windows auto update"="msblast.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.


Calculates a random IP address, A.B.C.0, where A, B, and C are random values between 0 and 255.

NOTE: 40% of the time, if C > 20, a random value less than 20 will be subtracted from C.


Once the IP address is calculated, the worm will attempt to find and exploit a computer on the local subnet, based on A.B.C.0. The worm will then count up from 0, attempting to find and exploit other computers, based on the new IP.


Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability.

NOTES:
This means the local subnet will become saturated with port 135 requests.
Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.
While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them.


Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system.


Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it will send that computer Msblast.exe and tell it to execute the worm.


If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.


The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
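
The scanning and transfer behaviour in the Symantec description above, turned into a log check, as an added example that is not part of the original post: it flags sources that probe TCP port 135 on consecutive addresses, and any probed host that then contacts its prober on UDP port 69. The log lines, their field layout and the MIN_RUN threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines (not from the thread). Assumed field layout:
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2003-08-12 14:01:01 DROP TCP 10.9.8.7 192.168.1.0 1034 135
2003-08-12 14:01:01 DROP TCP 10.9.8.7 192.168.1.1 1035 135
2003-08-12 14:01:02 DROP TCP 10.9.8.7 192.168.1.2 1036 135
2003-08-12 14:01:02 OPEN TCP 10.9.8.7 192.168.1.3 1037 135
2003-08-12 14:01:03 DROP TCP 10.9.8.7 192.168.1.4 1038 135
2003-08-12 14:01:04 OPEN UDP 192.168.1.3 10.9.8.7 1029 69
2003-08-12 14:02:10 DROP TCP 10.1.1.1 192.168.1.9 2001 135
truncated line
"""
MIN_RUN = 5  # assumed threshold: consecutive addresses probed before alerting

def parse(log):
    """Yield (proto, src, dst, dport) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        f = line.split()
        if len(f) < 8 or not f[7].isdigit():
            continue
        try:
            yield (f[3].upper(), ipaddress.ip_address(f[4]),
                   ipaddress.ip_address(f[5]), int(f[7]))
        except ValueError:
            continue

def longest_run(addrs):
    """Length of the longest streak of numerically consecutive addresses."""
    nums = sorted({int(a) for a in addrs})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def analyze(log):
    probed = defaultdict(set)  # source -> addresses it hit on TCP 135
    tftp = set()               # (requester, server) pairs seen on UDP 69
    for proto, src, dst, dport in parse(log):
        if proto == "TCP" and dport == 135:
            probed[src].add(dst)
        elif proto == "UDP" and dport == 69:
            tftp.add((src, dst))
    sweepers = {s for s, d in probed.items() if longest_run(d) >= MIN_RUN}
    # A probed host that then requests a file from its prober over UDP 69
    # matches the worm's transfer step: treat it as likely infected.
    hit = {v for v, s in tftp if s in sweepers and v in probed[s]}
    return {"sweepers": sorted(map(str, sweepers)), "likely_infected": sorted(map(str, hit))}
```

On the sample, `analyze(SAMPLE_LOG)` reports 10.9.8.7 as a sweeper and 192.168.1.3 as likely infected; the single probe from 10.1.1.1 stays below the threshold.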
 

flyboy04

Well-Known Member
Re: I'm in Computer Hell!!!

Speaking of PC problems, anyone know how to delete a trojan? I have this program on my PC called live girls, don't know how it got there but I can't delete it and it's always coming back and trying to connect. I've deleted so much stuff but every 2 hours or so it's back, and it drives me crazy.
 

naunga

New Member
Re: I'm in Computer Hell!!!

[ QUOTE ]
I have this program on my PC called live girls, don't know how it got there...

[/ QUOTE ]
Sure you don't.


Seriously, best way to get rid of them is to invest in something like McAfee VirusScan.

Viruses etc. a lot of the time embed themselves into the code of programs. So the only way to get rid of it would be to delete the program / document that you probably want to keep anyhow.

A scanner will locate the bad code and (if possible) remove it.

In this day and age, if you spend any time online you should have a virus scanner anyway.

Cheers.

Naunga