Re: help! "your system is shutting down"

From: Bruce Chambers (bruce_a_chambers_at_h0tmail.com)
Date: 07/26/04


Date: Mon, 26 Jul 2004 06:48:23 -0600

Greetings --

  There are at least three varieties of pop-ups, and the solutions
vary accordingly. Which specific type(s) is troubling you?

    1) Does the title bar of these pop-ups read "Messenger Service?"

    This type of spam has become quite common over the past several
months, and unintentionally serves as a valid security "alert." It
demonstrates that you haven't been taking sufficient precautions while
connected to the Internet. Your data probably hasn't been compromised
by these specific advertisements, but if you're open to this exploit,
you may well be open to other threats, such as the Blaster Worm that
recently swept across the Internet. Install and use a decent,
properly configured firewall. (Merely disabling the messenger
service, as some people recommend, only hides the symptom, and does
little or nothing to truly secure your machine.) And ignoring or just
"putting up with" the security gap represented by these messages is
particularly foolish.

Messenger Service of Windows
http://support.microsoft.com/default.aspx?scid=KB;en-us;168893

Messenger Service Window That Contains an Internet Advertisement
Appears
http://support.microsoft.com/?id=330904

Stopping Advertisements with Messenger Service Titles
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

Blocking Ads, Parasites, and Hijackers with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

    Oh, and be especially wary of people who advise you to do nothing
more than disable the messenger service. Disabling the messenger
service, by itself, is a "head in the sand" approach to computer
security. The real problem is _not_ the messenger service pop-ups;
they're actually providing a useful, if annoying, service by acting as
a security alert. The true problem is the unsecured computer, and
you've been advised to merely turn off the warnings. How is this
helpful?

    2) For regular Internet pop-ups, you might try the free 12Ghosts
Popup-killer from http://12ghosts.com/ghosts/popup.htm, Pop-Up Stopper
from http://www.panicware.com/, or the Google Toolbar from
http://toolbar.google.com/, which is what I use. Alternatively, you
could download, install, and use a different Internet browser, such as
Firefox (http://www.mozilla.org/products/firefox/), that has some
built-in pop-up blocking capabilities.

    3) To deal with pop-ups caused by any sort of "adware" and/or
"spyware," such as Gator, Comet Cursors, Xupiter, Bonzi Buddy, or
KaZaA, and their remnants, that you've deliberately (but without
understanding the consequences) installed, two products that are
quite effective (at finding and removing this type of scumware) are
Ad-Aware from www.lavasoft.de and SpyBot Search & Destroy from
www.safer-networking.org/. Both have free versions. It's even
possible to use SpyBot Search & Destroy to "immunize" your system
against most future intrusions. I use both and generally perform
manual scans every week or so to clean out cookies, etc.

    More information and assistance is available at these sites:

The Parasite Fight
http://www.aumha.org/a/parasite.htm

PC Hell Spyware and Adware Removal Help
http://www.pchell.com/support/spyware.shtml

    As you haven't provided any specific details or error messages,
the following is the result of having to guess what your problem might
be. There are at least two possibilities:

1) If you connected the PC to the Internet without having first
enabled a firewall, without having first installed an antivirus
application with current virus definition files, and before installing
the KB828471 Hotfix, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

    To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

MS04-012 Cumulative Update for Microsoft RPC-DCOM
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger

2) You've apparently contracted the latest worm, W32.Sasser.Worm,
specifically designed to attack people who do not update their
computers promptly and who do not practice "safe hex." In other
words, like Blaster, this worm was developed and distributed _after_ a
patch for the vulnerability was announced and made publicly available.
Further, and also like Blaster, this worm could not affect any
computer whose user had taken the basic precaution of using a properly
configured firewall.

    To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next Shutdown countdown begins. This will abort the shut down. Also,
make sure you've enabled a firewall before starting, to preclude any
more intrusions while getting the updates/patches/tools.

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

A tool is available to remove the Sasser worm variants
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/

Bruce Chambers

-- 
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH
<anonymous@discussions.microsoft.com> wrote in message
news:3fb801c472e2$bd8398b0$a501280a@phx.gbl...
I just got online with my new laptop and haven't installed any
anti-virus software yet.  A pop-up immediately appeared saying I
should go to www.spw3f.com for anti-spyware downloads.  Stupidly I
went to that site and ever since have been having this problem: About
30 seconds to a minute after getting online, I get a message from the
System Admin (which is me, right?) saying something like, "your system
will be shutting down in 59 seconds" and then my computer proceeds to
re-start.  It only happens when I plug in the ethernet card to get
online.  Also, I get frequent download prompts popping up that I
didn't initiate.
Help! Does anyone have a suggestion on free downloads online to get
rid of this virus or whatever it is, and any quality software purchase
suggestions to protect my pc in the future?
Thanks.

