XP Pro initiates a shutdown when connected to the Web

Michael Turnbull

Hi All,

When I have my XP Pro firewall disabled within 10 minutes
of initiating a dial up connection the following 2
messages are generated by the system log. When the XP
firewall is active the computer NEVER shuts down and is
very very stable. Any ideas?????? I'm running XP Pro with
SP1a loaded. IE Version: 6.0.2800.1106.xpsp1.020828-1920

Event Viewer*******MESSAGE1**************************
The process winlogon.exe has initiated the restart of
PC01 for the following reason: No title for this reason
could be found
Minor Reason: 0xff
Shutdown Type: reboot
Comment: Windows must now restart because the Remote
Procedure Call (RPC) service terminated unexpectedly

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
******************************************

Event Viewer*******MESSAGE2**************************
The Remote Procedure Call (RPC) service terminated
unexpectedly. It has done this 1 time(s). The following
corrective action will be taken in 60000 milliseconds:
Reboot the machine.
******************************************
 
MAP

-----Original Message-----
Hi All,

When I have my XP Pro firewall disabled within 10 minutes
of initiating a dial up connection the following 2
messages are generated by the system log. When the XP
firewall is active the computer NEVER shuts down and is
very very stable. Any ideas?????? I'm running XP Pro with
SP1a loaded. IE Version: 6.0.2800.1106.xpsp1.020828-1920

Event Viewer*******MESSAGE1**************************
The process winlogon.exe has initiated the restart of
PC01 for the following reason: No title for this reason
could be found
Minor Reason: 0xff
Shutdown Type: reboot
Comment: Windows must now restart because the Remote
Procedure Call (RPC) service terminated unexpectedly

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
******************************************

Event Viewer*******MESSAGE2**************************
The Remote Procedure Call (RPC) service terminated
unexpectedly. It has done this 1 time(s). The following
corrective action will be taken in 60000 milliseconds:
Reboot the machine.
******************************************




.WinLogonEXE


Overview
Category: Hijacker: Any software that resets your
browser's settings to point to other sites. Hijacks may
reroute your info and address requests through an unseen
site, capturing that info. In such hijacks, your browser
may behave normally, but be slower. Homepage Hijackers
will change your home page to some other site. Error
Hijackers will display a new error page when a requested
URL is not found.

Similar Pests: Hijacker
Origins
Date of Origin: July, 2003
Distribution
Prevalence: WinLogonEXE: 0.0% of all pest reports (11 per
100,000 reports)

Clot Factor: WinLogonEXE: On average, 2 objects detected
in each machine
The "Clot Factor" is a measure of how much a pest "gums
up" a machine by adding registry entries, files, and
directories. As more objects are placed in a machine,
manual removal becomes more difficult and more error-prone.

Countries Affected: In the past three months, we have
received reports of WinLogonEXE in Belgium, Canada,
Denmark, France, Germany, Greece, Hong Kong, Italy,
Japan, Netherlands, Poland, Spain, Sweden, Switzerland,
Turkey, United Kingdom, United States.
Growth: WinLogonEXE: Increased 300.0% over the last 90
days

Operation
Storage Required: at least 1401KB
Browser Performance: Likely to slow performance of
Internet Explorer.
Detection and Removal
Automatic Removal: PestPatrol detects this.

PestPatrol removes this.



Manual Removal: Follow these steps to remove WinLogonEXE
from your machine. Begin by backing up your registry and
your system, and/or setting a Restore Point, to prevent
trouble if you make a mistake.
Stop Running Processes:

Kill these running processes with Task Manager:

winlogon.exe
winlogon.unpacked.exe


Remove AutoRun Reference:

Go To the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.



Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:

systemroot+\cntrs.dll
systemroot+\csynth.dll
systemroot+\csyntht.dll
systemroot+\vlrs.dll

Clean Registry:

Remove these registry items (if present) with RegEdit:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\winlogon

Remove Files:

Remove these files (if present) with Windows Explorer:

systemroot+\cntrs.dll
systemroot+\csynth.dll
systemroot+\csyntht.dll
systemroot+\vlrs.dll
winlogon.exe
winlogon.exe.txt
winlogon.unpacked.exe


Restore Settings:

After following the instructions above, you will still
need to restore your original settings
 
Guest

By disabling a firewall you are now completely vulnerable
to worms/virus from the net. And have now just gotten a
very widely publicized worm. Do not ever connect without a
firewall up or guess what this will happen again! Follow
EVERYTHING below or guess what you'll keep getting it!
Stop the reboots, remove it, prevent getting it again

Your computer is now infected with the W32.Blaster.Worm or
one of its variants. This happened because you have not
been using an internet connection firewall and have
apparently neglected to install the critical updates
available at the Windows Update website.
------------------------------------------------------------------
If your computer is constantly attempting to shutdown
or reboot, quickly go to:

Start > Run and type: CMD , and hit enter.
This opens the Command Prompt window.

Then type: shutdown -a , and hit enter.

This should halt the rebooting problem.
------------------------------------------------------------------
Then immediately turn-on Windows XP's built-in Firewall:
http://www.microsoft.com/security/protect/
(To enable the built-in firewall, go to:
Control Panel, double-click Networking and Internet
Connections, then click Network Connections. Right-click
your connection, then
Click Properties, and on the Advanced tab, click the option
"Protect my computer and network..." Note: the built in
firewall only monitors incoming traffic not outgoing (ie
spyware, trojans, etc.. you may have on your system).)

Special note if you use AOL:
America Online installs its own connection settings that
override
the ones that come with Windows XP. America Online's
connection settings don't include a way to turn on Windows
XP's
built-in firewall.


What You Should Know About the Blaster Worm and Its
Variants
http://www.microsoft.com/security/incident/blast.asp

A tool is available to remove Blaster worm and Nachi worm
infections from computers
that are running Windows 2000 or Windows XP
http://support.microsoft.com/?kbid=833330

A security issue has been identified that could allow an
attacker to
remotely compromise a computer running Microsoft Windows
and
gain complete control over it. You can help protect your
computer
by installing this update from Microsoft.
http://www.microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

Above courtesy of MVP Carey
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

***Install a good firewall. ZoneAlarm is a free one you
can install.
Install a good anti-virus program making sure you keep
its definitions up to date! ***
- - - - - - - - - - - - -
Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

Protect Your PC
http://www.microsoft.com/security/protect/default.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
 
Bruce Chambers

Greetings --

Rule #1 - Never, ever, connect a computer to the Internet without
a firewall enabled.

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
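
Added example, not part of any post in this thread: a Python triage pass over exported System log text that flags the two messages quoted in the question (the forced restart by winlogon.exe and the RPC service recovery action). The blank-line record separator, the third (benign) sample record and the function names are assumptions of this example.

```python
import re

# Constructed sample: the two messages from the question, hard-wrapped as
# posted, plus one constructed benign restart record. Blank line = new record.
SAMPLE_LOG = """\
The process winlogon.exe has initiated the restart of
PC01 for the following reason: No title for this reason
could be found
Minor Reason: 0xff
Shutdown Type: reboot
Comment: Windows must now restart because the Remote
Procedure Call (RPC) service terminated unexpectedly

The Remote Procedure Call (RPC) service terminated
unexpectedly. It has done this 1 time(s). The following
corrective action will be taken in 60000 milliseconds:
Reboot the machine.

The process explorer.exe has initiated the restart of
PC01 for the following reason: Other (Planned)
Shutdown Type: restart
Comment: installing updates
"""

RPC = r"Remote Procedure Call \(RPC\) service terminated unexpectedly"
RESTART = re.compile(
    r"The process (\S+) has initiated the restart of (\S+) .*?Comment: .*" + RPC, re.I)
RECOVERY = re.compile(
    RPC + r"\. It has done this (\d+) time\(s\)\. .*?taken in (\d+) milliseconds: "
    r"Reboot the machine", re.I)

def find_rpc_crash_reboots(log_text):
    """Return one finding per record that shows an RPC-crash-driven reboot."""
    findings = []
    for record in re.split(r"\n\s*\n", log_text.strip()):
        flat = " ".join(record.split())  # undo hard wrapping inside a record
        m = RESTART.search(flat)
        if m:
            findings.append({"kind": "forced_restart",
                             "process": m.group(1), "host": m.group(2)})
            continue
        m = RECOVERY.search(flat)
        if m:
            findings.append({"kind": "rpc_recovery_reboot",
                             "crash_count": int(m.group(1)),
                             "countdown_s": int(m.group(2)) / 1000})
    return findings

def needs_triage(findings):
    """True when both halves of the pattern from the question are present."""
    return {"forced_restart", "rpc_recovery_reboot"} <= {f["kind"] for f in findings}

if __name__ == "__main__":
    print(find_rpc_crash_reboots(SAMPLE_LOG))
```

A hit shows that the RPC service crashed and forced a reboot; it does not by itself name the cause. The reported countdown is the window in which the `shutdown -a` step from the replies applies.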
 
