Computer shutdown
Thread Starter
Join Date: Sep 2004
Location: Australia
Posts: 11
Computer shutdown
New to this forum.
For the second time in just a few days, a window has appeared telling me that a "shutdown has been ordered by the NT AUTHORITY\SYSTEM. DCOM Server Process Launcher terminated unexpectedly" and gives me 60 seconds to save and close any programs I might have running.
Can anyone tell me what might be happening?
System XP Pro, sp3, etc etc.
a&dcat
I haven't seen this myself, but a Google search on the error message you've quoted brings a variety of possible causes. The most commonly reported "cure" seems to come from a scan of the system for malware. I suggest you Google the error message and look at the options it canvasses where others have encountered the problem.
Apparently you can disable the one minute shutdown timer thusly:
When you see the timer, go to Start/Run, and type in "shutdown -a" (without quotes) and hit enter. This should disable the timer.
That should give you a little more time to see what options you can work through.
Good luck
FOR
When you see the timer, go to Start/Run, and type in "shutdown -a" (without quotes) and hit enter. This should disable the timer.
Or is that just in command prompt? I've never tried it direct from the Run.. box.
Thread Starter
Computer shutdown
Thankyou all for your suggestions.
I have Malwarebytes installed and ran its scanning yesterday. The computer even shut down in the middle of this process.
When I was able to get it to scan it showed 12 problems which I promptly deleted. Computer still shut down. It also reported it had blocked two IP addresses, didn't recognise either. Any way of checking an IP address to see who/where it comes from?
I restarted on the Internet this morning. Within 15 minutes the computer shut down twice!
I then disconnected the internet connection.
I then scanned with MBAV for over an hour, NO shutdowns, NO errors either?
I downloaded Firefox 3.6 yesterday but I don't believe that this caused the problem as it was shutting down prior to this. I also use IE7.
I use ZA for firewall and AVG both fully paid for and registered.
Am about to reconnect to the internet. Will let you know what the result is.
a&dcat
I understand the paid for version of AVG includes a firewall? If this is the case definitely check to make sure it is off, as it would conflict with ZA big time.
Any chance of seeing the MBAM scan report?
Join Date: Jan 2008
Location: The Land of Beer and Chocolate
Age: 56
Posts: 798
Any way of checking an IP address to see who/where it comes from?
Amongst others, there's a shedload of sites out there which will do the same thing, but they all use the whois database.
Thread Starter
MBAM report
Malwarebytes' Anti-Malware 1.44
Database version: 3623
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
24/01/2010 17:24:01
mbam-log-2010-01-24 (17-24-01).txt
Scan type: Quick Scan
Objects scanned: 126040
Time elapsed: 10 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\XXXXXXX XXXXXXX\My Documents\downloads\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\8.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\XXXXXXX XXXXXXX\Local Settings\Temp\~TM13.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\XXXXXXX XXXXXXX\Local Settings\Temp\~TM3D.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\XXXXXXX XXXXXXX\Local Settings\Temp\~TME.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Documents and Settings\XXXXXXX XXXXXXX\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.
Last edited by a&dcat; 25th Jan 2010 at 01:01. Reason: Forgot address: For Tarq57
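An added example (not from the thread or from Malwarebytes): a small parser for the MBAM 1.x text report layout posted above that cross-checks the header tallies against the detail lines and pulls out the findings a responder acts on first, such as the extra executable appended to the Winlogon Userinit value. The sample report is a constructed excerpt in that layout, and the severity ranking is an assumption of mine, not MBAM's.

```python
# Added example (not from the thread): parse an MBAM 1.x text report like the one
# posted above and triage it. The sample is a constructed excerpt in that layout.
import re
from collections import defaultdict

SAMPLE_REPORT = r"""Registry Keys Infected: 1
Registry Data Items Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\8.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+) Infected: (?P<count>\d+)$")
DETAIL_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[\w.]+)\) -> (?P<action>.+)$")
# Categories meaning credential theft or boot-time persistence (my ranking, not MBAM's).
HIGH_SEVERITY = {"Stolen.data", "Hijack.Userinit", "Rootkit.TDSS", "Backdoor.Bot"}

def parse_report(text):
    """Return (summary tallies, findings grouped by section)."""
    summary, findings, section = {}, defaultdict(list), None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif line.endswith(" Infected:"):          # start of a detail section
            section = line[: -len(" Infected:")]
        elif (m := DETAIL_RE.match(line)) and section:
            findings[section].append(m.groupdict())
    return summary, dict(findings)

def counts_consistent(summary, findings):
    """Header tallies must equal the detail lines listed (a truncated paste fails this)."""
    return all(len(findings.get(sec, [])) == n for sec, n in summary.items())

def high_severity_items(findings):
    return sorted(f["item"] for items in findings.values() for f in items
                  if f["category"] in HIGH_SEVERITY)

def userinit_extras(findings):
    """Executables appended to the Winlogon Userinit value beside the legitimate one."""
    for f in findings.get("Registry Data Items", []):
        if f["category"] == "Hijack.Userinit" and (m := re.search(r"Bad: \((.*?)\)", f["action"])):
            return [p for p in m.group(1).split(",")
                    if p and not p.lower().endswith("\\userinit.exe")]
    return []
```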
This is a trojan/backdoor usually installed using a rootkit. It's potentially serious, depending on the particular version, which I am not educated enough to deduce.
One of its assigned names is "banker trojan", another includes the title "infostealer", so it would be in your interests to change any passwords, especially to banking sites.
Check your AVG quarantine, also the firewall log of blocked connections. It is likely (hopefully) that the firewall should have prevented this thing from connecting outbound, unless you approved it.
I'd also run a disk cleanup using ATF Cleaner (this one runs from the folder it is downloaded to; no install required). Tick everything except "cookies" and "history" and run it by clicking "empty selected".
MBAM is usually pretty good at this sort of thing.
Reboot, update MBAM, run another quick scan, if anything malicious found, please post back.
Thread Starter
Computer shutdown
Hi Tarq57
So far, so good.
Computer running on the INET for 5 hours now and NO SHUTDOWN!!
Just ran the ATF program, no problems, updated MBAM and reran scan, no problems.
Looks like it might now be OK.
No logs on firewall (ZA only). I do keep getting a message from MBAM telling me it has blocked the following: 91.212.226.60, an IP somewhere in Holland!
Will let you know if anything happens again.
Thanks for your help.
a&dcat
That seems to be good news.
No guarantees, but on the face of it, with MBAM not detecting a repeat offender (this variant apparently sometimes re-installs itself despite cleaning) it would appear you're clean.
It appears you downloaded the trial of MBAM (the green download button rather than the blue free version) if it is blocking stuff. IIRC it is a one-time payment to purchase ongoing protection using this program once the trial is up.
I would consider hardening your system. The use of Firefox as a browser, with the noscript and adblockplus extensions would help hugely. IE is insecure, even the latest patched version of IE8. IE7 is even less secure.
Consider installing a Hosts File. It will need updating from time to time. Will block known bad sites.
Check your software is up to date with either an online (OSI) or installable (PSI) Software Inspector (free) from Secunia. I'll bet there is software that is out of date on board. Flash, Java and Adobe especially represent a big hole if left unpatched.
Go well.
Hippopotomonstrosesquipidelian title
Join Date: Oct 2006
Location: is everything
Posts: 1,826
Actually, that IP seems to be in Russia, Luxembourg or China at the moment, and passes through the (in)famous as5577.net, probably hosting d45648675.cn. So if MBAM is actively blocking that address, your system may not be clean yet. Have you ever downloaded a scanner called Windows Protector?
Official PPRuNe Chaplain
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Er - 'scuse me butting in, but there are a couple of "Bad" entries in that MBAM log. I don't like having them, even if corralled. My inclination would be to run Regedit (all the usual caveats apply) and remove them altogether.
Totally concur with "Don't use IE, install Firefox with Adblock Plus and NoScript".
Join Date: Jan 2008
Location: The Land of Beer and Chocolate
Regarding all you really need to know about that IP address, lookee here:-
MalwareURL
Not going to post all that is on that link, suffice to say it is not a good deal to have your PC connecting to any of his addresses (91.212.226.0 - 255)