hello everybody ,
It's been like two weeks since i have been trying to fix this problem on my friends pc. the problem is that once you connect to the internet a message comes out in the front window that says the computer will turn off automatically in 30 seconds some guys told me it could be the sasser worm or the blaster but it is not that i have even formatted the hard drive and deleted its partitions.
running a windows xp
any help you can give will be appreciated thanx!

Recommended Answers

All 18 Replies

Only happens when you connect to the net, eh? And it still happens after a full format and reinstall as well... odd.

How is your friend connecting to the net? What browser, conection type, etc.?

When the screen to reboot comes up, go to
start-run and type CMD
on the black screen type "shutdown -a" and hit enter that will prevent from restat and will give you enough time to fic the problem, it is a blaster worm, you can click on this link http://securityresponse.symantec.com/avcenter/FixBlast.exe , you would have to save it in your desktop and run it..let us know what happen

Hello,

I would take a look at the Microsoft Logs and see if something is written in there describing why the computer may have shut off. If you are lucky, the logs might suggest something for you.

I have also heard of stolen registrations of XP shutting down, and in one case, locked up a person's hard drive that he could not access his files off.

Good Luck,

Christian

well hi everyone i tried this things the shutdown -a gives it about 2 minutes more and that's it he is connecting on dial-up connection i have been searching and no it's not the blaster worm i can't find the files msblast.exe on this files of sys32 or on the registry and i have gone to symantec.com and can't find anything i just found something about that whenever you format a pc infected with this blaster you have to enable a firewall so i'll just have to format the harddrive again and thanx guys but if there is nothing else with what you can help me i'll appreciate it.
another question does anybody know why a computer wont letyou download things such as virus removal tools and any other av system?

another question does anybody know why a computer wont letyou download things such as virus removal tools and any other av system?

Yes- some of the malicious programs out there redirect requests to anti-virus/anti-spyware web sites by modifying your "hosts" file. Search for the hosts file and open it in Notepad. A basic hosts file will only contain a few lines of comments at the beginning, and the following single entry:

127.0.0.1 localhost

If you see any other 127.0.0.1 entries, they should be deleted.


As to your original problem- there's always the possibility that you've got a hardware problem. Things like bad RAM, a fault on the motherboard, or overheating could all cause unexpected shutdowns.

hello
i did found some hosts with the ip 127.0.0.1 so i erased them is there anything else i have to do have this fixed or just once you erase it it's ok and by the way can you give me a little help on how to fix the pc that is turning off by itself with a message saying shutdown initiated by nt authorized system i formatted the hard drive and installed xp back on it but once they connected there it was again my friend is connecting on a dial up i have no idea what kind of pc but it is but i even erased the partitions it had and made new ones if you could help me please.

Removing the hosts entries should at least allow you to reach the previously-blocked sites. I'd make sure to run the lastest version of your anti-virus, as well as Ad Aware, SpyBot, HijackThis, etc. to make sure you're clean; whatever altered your hosts file is probably still lurking in your system.

I'll have to get back to you on the shutdown problem later...

This is typical Sasser activity. It does not matter whether you format and reinstall or not. Until you turn on your firewall and patch the vulnerability you will be wide open to attack. The Sasser worm attacks by REMOTELY seeking out and infecting insecure computers (brand new builds without the patch are the most likely targets); the infected computer then becomes part of the problem.
To sort this out follow these steps
1. Format and reinstall but do NOT allow the computer to connect to the internet.
2. Download the patch to another secure computer. http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
3. Apply the patch to the newly built computer.
4. Turn on the ICF (Internet connection firewall).
5. Only now is it safe to connect to the internet and update at the Windows update site.
Hope this helps. If you need any more assistance send me a private message.

hi silbylaw
i have also tried looking for info. on the sasser worm and what i found to fix the problem is this a manually removal but didn't work it might work for somebody else so i'll leave it here
You can also remove Sasser manually by following these steps.

  1. Disconnect your computer from the Internet.
  2. Boot in Safe Mode by pressing the F8 key during startup.
  3. Navigate to your Windows directory (c:\WINDOWS or c:\WINNT) on your hard drive.
  4. Look for a file named AVSERVE.EXE. Delete it.
  5. Click on the Start menu and select Run.
  6. Type "regedit" (without quotes).
  7. Navigate to the following Registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  8. In the windows to the right, look for a value called avserve. Delete it.
  9. Exit RegEdit.

Reboot.
Another question does any body knows how to enable the win xp firewall thanx for all your solutions but wont work. I am trying to think that is is a hardware problem but if there is any other solution for this i would thank you so much if you guys share it with me.

david@mex

The removal instructions you posted here are incomplete and will NOT work.
avserve is only one variant of sasser. There are 6 in all I think.
If you don't want to format and reinstall then you must deal with all possible variants. Follow the instructions here:

http://www.microsoft.com/security/incident/sasser_printxp.asp

This also gives instructions for turning on the firewall.

hello everyone
silbylaw i search on it and followed the steps but nothing but well i think i will have to format it again. DOES anybody have an idea on how to remove the about:blank webpage when you connect to the internet explorer i have tried things that i found in different forums but nothing works i even post it and nobody answered but if anybody can help me
thanx

[too all and to david hello every body here
i too recive the message given by david .his code is just like this . this is an application error . i c it in from r.click on my computer then manage view application error .this is an error of lsass.exe .one think importan when i get this problum at that time i dis connect a pc camera from my computer .then i format my c drive but stilll i have this problum any body help on this regard.....some time my computer don't restart for a day but some time it is restart in just few minute ....plz help david and me

not sure if it was posted, host file is located in

C:/Windows/System32/Drivers/Etc/ for win xp/nt/2k and for 9x users it is located in just C:/Windows/

have you tried HiJackThis im sure a complete log file will be able to better show us what we may be dealing with.

im having the same problem in my computer..my computer just shuts of while im on it and it will turn back on for a few then it will do the same thing...if i let it set of about 30 mints then i will be ok..but just the other day it just wouldnt come on at all i have been readin around for the past hr and i have found somethen called Vundo Trojan..it has the MO of wat i think thats worng wit my computer.....im goin try to do it myself before i take it to bestbuy or a computer guy cuz its a 3,000 apple desktop mp4 if u know anything about this vundo can u help me plz.....the links are 24 lines long and 3 pages..i think i found out wats wrong wit it but im not sure if anyone has anything can u plz help me im goin to try and get back on here in about 45mins to see if i got any response from this form

(HKEY_CURRENT_USERSoftwareMicrosoftInternetExplorerMainActiveState
02F96FB7-8AF6-439B-B7BA-2F952F9E4800
HKEY_LOCAL_MACHINESOFTWAREClassesATLEvents.ATLEvents.1
HKEY_LOCAL_MACHINESOFTWAREClassesATLEvents.ATLEvents
8109AF33-6949-4833-8881-43DCC232B7B2
2316230A-C89C-4BCC-95C2-66659AC7A775
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce*[filename]
HKEY_CURRENT_USER SoftwareMicrosoftInternet ExplorerMainActive StateHKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce*WinLogon
HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindows CurrentVersionExplorerBrowser Helper Objects{8109AF33-6949-4833-8881-43DCC232B7B2}
HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindows CurrentVersionExplorerBrowser Helper Objects{2316230A-C89C-4BCC-95C2-66659AC7A775}
HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindows CurrentVersionExplorerBrowser Helper Objects{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
HKEY_LOCAL_MACHINE SOFTWAREClassesCLSID{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
HKEY_LOCAL_MACHINE SOFTWAREClassesATLEvents.ATLEvents.1
HKEY_LOCAL_MACHINE SOFTWAREClassesATLEvents.ATLEvents
HKEY_CLASSES_ROOTCLSID{8109AF33-6949-4833-8881-43DCC232B7B2}
HKEY_CLASSES_ROOTCLSID{2316230A-C89C-4BCC-95C2-66659AC7A775}
HKEY_LOCAL_MACHINE SoftwareMicrosoftWindows CurrentVersionRunOnce*[filename]
HKEY_CURRENT_USER SoftwareMicrosoftWindows CurrentVersionRunOnce*WinLogon)

Yes, I see its traces. Currently the best detection/removal tool is MBAM, and is kept well up-to-date. Really. Run it. Any tech you take the machine to will use MBAM to clean it as a first step.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

Hell:0)

Maybe your PC has TURN OFF PC on high temperature mode ON. Go to BIOS and disable it...

Yeah. Then you can cook your cpu, given that that is the problem.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.