Sasser like Shutdown and no Task Bar

Guest

I have a client running WinXP Home who called about a Trojan on his
daughter's CPU. I had him download and run the MS Antispyware (it found
much spyware), uninstall AVG v6.0 and reinstall AVG v7.0.

He has rebooted and now when the computer boots up he receives RPC Shutdown
in 60 seconds, much like the sasser or blaster worms. However he says there
is no taskbar and I don't know how to get to cmd prompt to issue shutdown -a.

I had him try CTRL + ESC and CTRL + ALT + DEL to no avail. Has anyone
encountered this and if so how to stop the RPC if the keyboard commands don't
work and no task bar?

I will go onsite later tomorrow.

Thanks
 
David H. Lipman

Make sure the PC is NOT connected to the Internet so that a Blaster/Lovsan PC will not try
to shut down the affected platform, and install the following patch for the RPC/RPCSS and DCOM
vulnerabilities that are addressed by Microsoft Security Bulletin MS04-012 - KB828741 ASAP!
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741 and finally
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

Make sure SP2 gets installed and if the user is on Broadband, install a Cable/DSL Router
such as the Linksys BEFSR41 which will help mitigate RPC port 135 attacks.

--
Dave




| I have a client running WinXP Home who called about a Trojan on his
| daughter's CPU. I had him download and run the MS Antispyware (it found
| much spyware), uninstall AVG v6.0 and reinstall AVG v7.0.
|
| He has rebooted and now when the computer boots up he receives RPC Shutdown
| in 60 seconds, much like the sasser or blaster worms. However he says there
| is no taskbar and I don't know how to get to cmd prompt to issue shutdown -a.
|
| I had him try CTRL + ESC and CTRL + ALT + DEL to no avail. Has anyone
| encountered this and if so how to stop the RPC if the keyboard commands don't
| work and no task bar?
|
| I will go onsite later tomorrow.
|
| Thanks
|
| --
| Phil Gilbert
| Free Radical, LTD
 
Rick "Nutcase" Rogers

Kelly

He can't, Rick. :-(

--
All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com


Rick "Nutcase" Rogers said:
Hi,

Click start/run, type shutdown -a, then click ok. Now, use these free
tools:

http://vil.nai.com/vil/stinger/
http://www.emsisoft.com/en/
http://free.grisoft.com/doc/8/lng/us/tpl/v5/nid/3001#3001
http://www.f-secure.com/download-purchase/tools.shtml

Also, you may use this free on-line scanner:
http://housecall.trendmicro.com/

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org
 
Rick "Nutcase" Rogers

Hey Kelly,

I was reading this "and I don't know how to get to cmd prompt to issue
shutdown -a." as meaning he didn't remember how to get the run prompt or
that he was trying to do it from a command prompt (or possibly forgot how to
get a command prompt?).

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org

 
Guest

Thanks for the effort,

I maybe could have phrased it better: no task bar and no keyboard response.
I thought maybe he had a wireless or USB keyboard so I called him yesterday
but he says it is a PS2. I'm going on site today, let you know in thread
what's going on.

thanks,

frdbadf

 
Rick "Nutcase" Rogers

Hi,

Winkey+R should generate a run box, despite the taskbar. Otherwise, open
Task Manager using ctrl+shift+escape and click "new task" on the
applications tab.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org

 
David H. Lipman



Rick:

He shouldn't have to. If it is truly the Blaster, then not being connected to the Internet
(or LAN) would mean no RPC/RPCSS exploitations and thus he would not get the RPC 60 sec.
shutdown message.
 
Rick "Nutcase" Rogers

You lost me there.

Right now I am trying to tell him how to stop the shutdown. "Why" is another
problem to resolve, but first they need time to figure out what's going on.
As the original post stated that AVG was uninstalled and reinstalled, if the
firewall was down on a reboot this machine would easily and quickly be
infected. Once it (blaster or sasser) has a foothold, it matters not whether
or not the machine is still connected, the machine will still suffer from
the symptoms.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org
 
David H. Lipman



But if AVG was running and an RPC/RPCSS exploit was in progress then the PC would not be
infected, just be shut down due to the lack of the KB828741 patch. Now we "know" that it is not
Sasser because he explicitly stated "RPC Shutdown in 60 seconds", so the LSASS vulnerability
plays no part in this equation.

Of course there is no guarantee that it's an RPC/RPCSS exploit in progress, as I have seen the
same "RPC Shutdown in 60 seconds" under a completely different circumstance (I'll get into
that in a later paragraph). The way to prove it is or is not an RPC/RPCSS exploit is to
disconnect it from a network. I feel it is an RPC/RPCSS exploit because he also stated "when
the computer boots up".

The other time I have seen "RPC Shutdown in 60 seconds" was with a self-preservation mode of
some (yet to be identified) non-viral malware. On WinXP, when trying to execute a scan
using Ad-aware SE, I have had two occasions where the "RPC Shutdown in 60 seconds" was
generated just after the Ad-aware scan had begun. The novice would not know what to do, so
the PC would get rebooted and the malware would "live" on the PC. Of course executing
'shutdown -A' on the WinXP PC defeated the "RPC Shutdown in 60 seconds" sequence, and the
Ad-aware SE scan was completed and the malware was removed.

So I think a response "fork" would be: go one way if the network is connected and the "RPC
Shutdown in 60 seconds" is experienced, and not experienced when disconnected from the
network; and go the other way if it makes no difference whether the PC is connected to a LAN or
not.
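The response fork above, as an added example that is not part of the thread and not anything the posters wrote: a small Python triage script that applies the fork to two artefacts a responder can pull off the XP box before changing anything, a `netstat -ano` snapshot (is TCP/135, the RPC endpoint mapper, reachable, and who is attached to it?) and the System event log. Background the thread does not spell out: the 60-second countdown is the RPC service's configured recovery action, logged by the Service Control Manager as event 7031 ("...will be taken in 60000 milliseconds: Reboot the machine"), so that event is the thing to look for. Both sample inputs are constructed for the example, and the event export format (one event per line, Source, EventID, Message separated by tabs) is an assumption of the example, not a Windows format.

```python
"""Triage helper for "RPC shutdown in 60 seconds" (added example, not from the thread).

Applies the thread's response fork to two artefacts pulled from the XP host:
a ``netstat -ano`` snapshot and a System event log export. Both samples are
constructed; the export format (Source<TAB>EventID<TAB>Message, one per line)
is an assumption made for the example, not a Windows format.
"""
import re
from collections import namedtuple

RPC_PORT = 135  # DCOM/RPC endpoint mapper, the port the RPC/RPCSS exploits hit
# SCM event 7031: rpcss died and its recovery action "Reboot the machine" after
# N milliseconds is what produces the countdown the user sees.
RPC_CRASH = re.compile(r"Remote Procedure Call \(RPC\) service terminated unexpectedly"
                       r".*?(\d+) milliseconds: Reboot the machine", re.S)

Conn = namedtuple("Conn", "proto local remote state pid")


def parse_netstat(text):
    """Parse ``netstat -ano`` rows; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            (proto, local, remote, pid), state = parts[:4], ""
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def host_of(addr):
    return addr.rsplit(":", 1)[0]


def port_of(addr):
    port = addr.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else -1


def rpc_exposure(conns):
    """(TCP/135 listening on a non-loopback address?, hosts connected to it)."""
    listening = any(c.proto == "TCP" and c.state == "LISTENING" and port_of(c.local) == RPC_PORT
                    and host_of(c.local) != "127.0.0.1" for c in conns)
    peers = sorted({host_of(c.remote) for c in conns if c.proto == "TCP"
                    and c.state == "ESTABLISHED" and port_of(c.local) == RPC_PORT})
    return listening, peers


def rpc_crash_reboots(event_text):
    """Reboot delays (seconds) from SCM 7031 events that record an RPC crash."""
    delays = []
    for line in event_text.splitlines():
        if not line.strip():
            continue
        source, event_id, message = line.split("\t", 2)
        if (source, event_id) != ("Service Control Manager", "7031"):
            continue
        m = RPC_CRASH.search(message)
        if m:
            delays.append(int(m.group(1)) // 1000)
    return delays


def triage(netstat_text, event_text, occurs_connected, occurs_disconnected):
    """The thread's fork: does the countdown depend on the network being attached?"""
    listening, peers = rpc_exposure(parse_netstat(netstat_text))
    delays = rpc_crash_reboots(event_text)
    if occurs_disconnected:
        verdict = "local"     # something on the host starts the shutdown: shutdown -a, then scan
    elif occurs_connected and delays:
        verdict = "remote"    # RPC/RPCSS exploit attempts crash rpcss: stay offline, patch, block 135
    elif occurs_connected:
        verdict = "remote-unconfirmed"  # no RPC crash in the log yet; keep offline, re-check
    else:
        verdict = "not-reproducing"
    return {"verdict": verdict, "rpc_listening": listening,
            "rpc_peers": peers, "reboot_delays_s": delays}


# Constructed samples: an XP host with the endpoint mapper reachable, one outside
# peer attached to it, and the SCM/USER32 events that follow an rpcss crash.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1016
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:135        10.20.30.40:3311       ESTABLISHED     1016
  TCP    192.168.1.5:1043       192.168.1.1:80         ESTABLISHED     1572
  UDP    0.0.0.0:123            *:*                                    1032
"""
SAMPLE_EVENTS = (
    "Service Control Manager\t7031\tThe Remote Procedure Call (RPC) service terminated "
    "unexpectedly.  It has done this 1 time(s).  The following corrective action will be "
    "taken in 60000 milliseconds: Reboot the machine.\n"
    "USER32\t1074\tThe process winlogon.exe has initiated the restart of computer HOMEPC "
    "on behalf of user NT AUTHORITY\\SYSTEM for the following reason: No title for this "
    "reason could be found\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_EVENTS, occurs_connected=True, occurs_disconnected=False))
```

The two booleans are the observation the thread asks for (does the countdown appear with the cable in, and does it still appear with the cable out); the script only adds the supporting evidence, a reachable endpoint mapper with a foreign peer on it and a logged rpcss crash with a reboot recovery action, so the "remote" verdict is backed by more than timing. Whatever the verdict, `shutdown -a` within the countdown is still the first move on the console.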
 
