You have been hit by the RPC-DCOM exploit. This allows a remote user to gain administrator access to your computer by exploiting the Remote Procedure Call service, thus allowing them to install programs of their choice, access your files, or use your computer to attack remote users. You will know you’re infected when you see a message about an “NT AUTHORITY” error saying that the system will shut down in 60 seconds.
First, install the patch from Microsoft. You can download the patch and read more information at Microsoft TechNet.
After this is installed, go to Start, Run, and type in msconfig. Go to the Startup tab and UNCHECK “msblaster.exe”. Restart the computer, enter Safe Mode by pressing the F8 key before Windows loads and choosing Safe Mode from the menu that appears, and delete msblaster.exe. This is one of the several viruses that may have been installed.
WARNING: It is entirely possible that other viruses or trojans could have been installed. Furthermore, there may still be keyloggers or file servers running. Keyloggers will send your passwords or any credit card data you type in to a remote user. A file server could be hosting child pornography, pirated software, or other illegal content. I strongly suggest that you format your computer, then install the patch on a clean system BEFORE you connect it to the internet.
For some reason, thousands of people across this country are having this problem; the call center I work at is flooded with four times as many calls as we usually get, most of them regarding this issue. Either there is a widespread hack attack going on against broadband users across the nation, or there was some dormant virus that is just now being activated (w32.spybot.worm is the likely suspect right now).
You can keep the computer from rebooting by disconnecting your network cable from the computer.
Well, if you follow Aleoron’s instructions for removing msblast.exe, you should be okay long enough to download the update.
Then again, maybe not. My firewall is detecting a port 135 request every one-to-three minutes today. People are scanning hard for that open port. If you get hit with another request in between the time you remove the program and the time you download the update, you may be re-infected before you have a chance to get the update.
Of course, if you have a firewall, you can just block port 135 after deleting msblast and download the updates at your leisure.
You are being hit by “denial of service” attacks. Here’s what someone posted today on another board after being hit 5 times:
Some of you may know about this already. You’re playing _____, or anything else in general, and your system forces you to restart because the Remote Call Procedure closed unexpectedly. This is not a virus nor a trojan. It’s a DoS (Denial of Service) attack affecting Windows XP, Windows 2000, and Windows Server 2003.
To stop this from happening, there are two solutions.
XP Users
1.) Go to Start > Run > services.msc
2.) Scroll down till you see Remote Protocol Procedure (RCP).
3.) Right-click and select Properties.
4.) Select the ‘Recovery’ tab.
5.) Change all fields to ‘Restart the service’ from ‘Restart system’.
6.) Apply and all that good stuff.
I never used Windows 2000, so I don’t know if it has services. However, here’s another way that I’m sure 2000 users can. You’ll need to get a firewall (Windows XP, 2000, and Server 2003 come with one), and set it to block the following ports: 135, 139, 445 coming from TCP.
Don’t just do this. All this does is keep your computer from rebooting. It doesn’t remove the worm.
Yes, Windows 2000 has services. So does Windows NT. But, similar to your previous solution, blocking the affected ports is only half the battle. You have to remove the worm and apply the patch from Microsoft.
McAfee has a little one-shot, single-purpose cleaner that will take care of this worm: http://vil.nai.com/vil/stinger/. As far as I can tell, this is a freebie, and it’s small enough that you could actually download it on someone else’s machine and copy it to a floppy (!) to take to your own PC.
Just pay careful attention to the instructions, particularly about shutting down System Restore before scanning.
No need for a panicky format and reload. This is just another virus, one that can be cleaned off an infected system without submitting yourself to hours of work.
This whole thing is NOT a Denial Of Service attack (yet). It IS a trojan that will launch a DOS attack FROM YOUR COMPUTER in the future.
Saying that it’s a DOS would imply that there is nothing wrong with your computer and someone or something is just flooding your PC’s network connection with MANY unwanted “messages” VERY quickly. This would cause major slowdowns and problems on your network, but it wouldn’t mean that there’s something on your computer causing the problem.
There IS something ON the OP’s PC causing the problem.