Q: computer shutdown ( Answered,   1 Comment )
Question  
Subject: computer shutdown
Category: Miscellaneous
Asked by: shivasb-ga
List Price: $200.00
Posted: 05 Aug 2003 01:07 PDT
Expires: 04 Sep 2003 01:07 PDT
Question ID: 240172
All of a sudden, I'm getting a message that the remote procedure call
service has been terminated, and my computer is going to shut down. 
It does.  Over and over again.  When I start back up, I get messages
regarding files that can't be launched:  TFTP3216 and TFTP3148. 
Searching for a program to read these files on the web comes up with
nothing.  What has happened?  What can I do?  This has rendered me
non-operational!  Thanks -- Sandra Braman

Request for Question Clarification by joseleon-ga on 05 Aug 2003 02:57 PDT
Hello, shivasb:
  I need more information to solve your problem, but at first glance
it seems you need this patch:

Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

It's a very recent patch, but I cannot be sure until you provide more
information.

IMPORTANT: Don't apply it until you answer all my questions, please:

-Are you connected to the internet?
-In which environment? (office, home, etc)
-Which Windows version are you using (2000, XP, etc)?
-Did you recently install any new software?
-Do you use the Windows Update feature?

Regards.

Request for Question Clarification by joseleon-ga on 07 Aug 2003 01:44 PDT
Hello, shivasb:
   Did you have time to look up the information I requested? Did you
find the information I posted useful?

Regards.

Request for Question Clarification by omnivorous-ga on 07 Aug 2003 11:41 PDT
Shivasb --

In Windows 2000/NT/XP a shutdown due to a remote procedure call is
often an indication that you've been infected with a virus -- more
appropriately a worm or Trojan horse that's trying to communicate via
an Internet connection.

There's one thing that you should try: start the computer in Safe
mode, by hitting the F8 key when you get your first "splash" screen
with manufacturer's logo at bootup.  Then select Safe mode operation
and see if you can restore your system to a previous setting.

Though the virus may disable your ability to run your Anti-virus
software, get online at one of the virus vendors' sites (Symantec
recommended by this researcher, but Trend Micro is also excellent) and
run an online scan.  It may take 45-90 minutes.  There's no guarantee
that they'll find the virus, but it's a first step.

Report back please to see if we can progressively eliminate your
issues.

Best regards,

Omnivorous-GA

Clarification of Question by shivasb-ga on 07 Aug 2003 12:00 PDT
Since posting the question I learned from another source that indeed
this is a virus.  I've put the patch on but still have the problem: 
When I boot I get now three of these "TFTP" messages.

I'm using Windows XP on an IBM X22 laptop.  I'm connected to the
internet with a cable modem.

I tried using the IBM "restore" function and it did restore but the
problem was still there.  Will trying the "restore" function in safe
mode make any difference?

shivasb

Request for Question Clarification by omnivorous-ga on 07 Aug 2003 12:27 PDT
Sandra --

You're probably off trying the Windows XP restore function.  It's the
next logical place to go.

Be sure to eliminate these viruses entirely; it may be necessary for
you to reformat this drive and re-install -- though I hope not.  In
the meantime, quarantine this system and do NOT move floppy disks; ZIP
drives; USB memory sticks or anything else to another machine.

Searching pages at the Symantec or Trend Micro sites for your
specific error messages may provide valuable information on how to
solve this problem.

Best regards,

Omnivorous-GA

Clarification of Question by shivasb-ga on 07 Aug 2003 13:22 PDT
I meant that I had used the Windows XP restore function and it didn't
resolve the problem.  Guess I'll try the analysis software you're
recommending next.  I hope it's not necessary to reformat etc. at this
time as of course I'm on deadline (first) and (second) don't have the
skills.  Thanks for the warning regarding moving material.

Clarification of Question by shivasb-ga on 07 Aug 2003 13:24 PDT
Actually, let me ask further:

- I'm not getting what identify themselves as error messages -- just
the message that windows couldn't open these files.  When I tried
searching for software on-line I was told it couldn't be found.

- What might be happening?  I'm always better off if I can get a
picture of what's going on.  Is this a deteriorating situation?  If
so, what will happen?

Request for Question Clarification by omnivorous-ga on 07 Aug 2003 14:19 PDT
Sandra --

I'm not certain if these TFTP programs are infected virus files or
not, though I suspect that they are.  What may be happening is that
they've been installed in the Registry by the virus and whatever
actions you've taken have not eliminated the Registry reference -- so
they appear at boot.

TFTP is a Microsoft program called Trivial File Transfer Protocol,
which is used for network applications.  You should be able to find
TFTP in your C:\windows\system32 folder.

However, these renamed versions hint at a virus.  

If you believe that you've followed the anti-virus vendor's
instructions and safely removed the virus, it may still have missed
editing the Registry entry.  That may prove to be a small issue
(having someone knowledgeable edit the Registry may remove it); or it
may indicate that the virus is:
a.  still present
b.  callable from outside your machine

So, it's difficult to tell if the situation is going to deteriorate --
but one has to prepare for the worst.

Lots of information has been discussed, but when this is done, please
make sure that two things are done:
1.  anti-virus definitions in your anti-virus software are updated
and
2.  get a software firewall installed on your system from someone like
Zone Alarm:
http://www.zonelabs.com

Let me know what additional assistance I can be.

Best regards,

Omnivorous-GA

Request for Question Clarification by livioflores-ga on 12 Aug 2003 22:00 PDT
Can you tell us which programs run at Windows startup?
Just go to Start --> Run --> type msconfig and press Enter. The System
Configuration Utility will run; select the Startup tab and let us
know which programs are listed and selected in this list.

Thank you.
livioflores-ga
Answer  
Subject: Re: computer shutdown
Answered By: mathtalk-ga on 13 Aug 2003 10:52 PDT
 
Hi, shivasb-ga:

Although you say you have applied the Windows update patch, this does
not remove the existing "infection" by what seems to be "LoveSAN"
WORM.  For that I think you will find Symantec's removal tool useful:

[Symantec Removal Tool]
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Please note the explanation and instructions on that page, in
particular the need to turn off XP System Restore in order to remove
the infection from any system restore files (as I noted in my previous
Comment).

In order to carry out these steps on a "professional" edition of XP,
you will need to be logged in with a user account that has Admistrator
privileges.

Here is a brief synopsis:

0.  Download and apply the security patch for your version of Windows
XP.  There are XP Home, XP Pro, XP Pro SP1, and XP Pro SP2 (this last
was my version).  I'll assume you've already done this, but to verify
you can inspect the registry entries (using Regedit.exe) under:

HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Updates 

Look for your version of the operating system, e.g. 

Windows XP -> SP1 

and find a key "KB823980" with a description value:

Windows XP Hotfix - KB823980

as well as some "subordinate" entries (file list).  If the registry
entry is not there, the patch has not been applied.

Note:  KB823980 refers to Microsoft's Knowledge Base article:

[Buffer Overrun in RPC Interface May Allow Code Execution]
http://support.microsoft.com/?kbid=823980

For a follow-up article by Microsoft, see:

[Microsoft Security Bulletin MS03-026]
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

which includes links to downloading for the patches (as you've
probably already done).

1.  Download the FIXBLAST.EXE file from Symantec's link on the URL
posted above, saving it to a known location such as a downloads folder
or even to your "desktop" folder.

2.  Verify the authenticity of the file using the procedures outlined
by Symantec (check the digital signature), stop all running programs,
and disable System Restore (as previously discussed).

3.  Run the removal tool, paying close attention to its results.  If
it is unable to fix one or more infected files that it finds, you will
need to run the program in SAFE mode (i.e. restart the computer in Safe
Mode).  After the program is apparently successful in removing all the
infections, reboot the computer and run FIXBLAST.EXE again to verify
that your PC is now clean.

Detailed instructions and links to discussion of individual steps that
may be required (such as rebooting into Safe Mode) are provided at the
Symantec Removal Tool page above.

As a follow-up make sure your antivirus software's virus definition
files are up-to-date.  Antivirus software can help in some situations
where the "WORM" can be detected but not removed by "quarantining" the
infected files, thereby preventing their execution.

regards, mathtalk-ga

Clarification of Answer by mathtalk-ga on 13 Aug 2003 10:54 PDT
Oops... in my third paragraph I misspelled "Administrator".  Sorry for
any confusion.

regards, mathtalk-ga
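
Steps 0 and 2 of the answer above, together with the startup listing requested earlier in the thread, can be scripted. This is an added example, not part of the original answer; it assumes Windows PowerShell 2.0 or later is installed (it is not on a stock XP system), that FIXBLAST.EXE was saved to the desktop, and that the hotfix key's description is stored in a value named "Description".

```powershell
# Added example, not part of the original thread. Run as an Administrator.
$kb          = 'KB823980'
$updatesRoot = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP'      # path from step 0
$tool        = Join-Path $env:USERPROFILE 'Desktop\FIXBLAST.EXE'  # assumed save location

# Step 0: look for the hotfix key under every service-pack subkey (SP1, ...).
function Find-HotfixKey([string]$Root, [string]$Name) {
    if (-not (Test-Path $Root)) { return }
    Get-ChildItem $Root | ForEach-Object {
        Get-ChildItem $_.PSPath | Where-Object { $_.PSChildName -eq $Name }
    }
}

$found = @(Find-HotfixKey $updatesRoot $kb)
if ($found.Count -eq 0) {
    "$kb not found under $updatesRoot : the patch has not been applied"
} else {
    foreach ($key in $found) {
        # Value name 'Description' is an assumption; the answer only says
        # the key carries a description value.
        "{0} -> {1}" -f $key.Name, $key.GetValue('Description')
    }
}

# Step 2: check the Authenticode signature of the downloaded removal tool.
if (Test-Path $tool) {
    $sig = Get-AuthenticodeSignature $tool
    "{0}: status={1}; signer={2}" -f $tool, $sig.Status, $sig.SignerCertificate.Subject
} else {
    "$tool not found; set `$tool to where the file was saved"
}

# Startup entries from the Run keys; mark any whose command mentions "tftp",
# the name reported in the boot-time messages.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $key = Get-Item $rk
    foreach ($name in $key.GetValueNames()) {
        $cmd  = [string]$key.GetValue($name)
        $mark = if ($cmd -match 'tftp') { 'CHECK' } else { '     ' }
        "{0} {1}\{2} = {3}" -f $mark, $rk, $name, $cmd
    }
}
```

A signature status other than Valid, or any line marked CHECK, is a reason to stop and investigate before running the tool or rebooting. The Run keys do not cover the Startup folder, which the msconfig Startup tab also lists.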
Comments  
Subject: Re: computer shutdown
From: mathtalk-ga on 12 Aug 2003 08:07 PDT
 
It is likely that you will need to _disable_ the Windows XP system
restore in order to eliminate the virus or worm from the system
restore folders.

A virus cleaner will not be allowed to alter those folders while the
system restore feature is turned on.  In effect, after you clean your
running copy of the Windows operating files, XP will recopy the
virus-infected "backups" over them the next time you reboot.

For a discussion of this and instructions on how to temporarily
disable system restore under XP, see these links:

[Antivirus Tools Cannot Clean Infected Files in the _Restore Folder]
http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP

[W32.Blaster.Worm]
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

[How to turn off or turn on Windows XP System Restore]
http://www.vpsb.k12.la.us/tech/4039.htm

regards, mathtalk-ga
