computer randomly restarts


mike

I have a problem with Windows XP automatically
restarting. I get a message saying that Windows XP will
restart in like 30 seconds and it restarts. I went to
System Properties and disabled "restart on failure" but
it still does it. Usually I'm online when this happens.
However, after formatting my hard drive and signing
online, my computer immediately restarted. I downloaded
nothing. I have an AMD Athlon XP processor with 256MB RAM
and a GeForce 4 MX video card. I appreciate your help.
 
Yes, Carl's right. Does sound like the MSBLASTER worm. A firewall can stop it
from working I think.

The best thing I can recommend is to update to SP1 if you're on Windows XP.

The services manager should be able to stop it from restarting, but as you
said you already disabled "restart on failure" I'm not sure why it's still
doing it.
You did choose RPC Remote Procedure Call right? Right click it, do
properties and I think it's recovery > change all 3 drop down menus to
"Restart the Service" that should fix it while you update to SP1 - if you
can't, I hope this will fix it. Get a firewall too, you shouldn't be without
one. I recommend Zone Alarm Pro, it's great, well I think it is.

Oh, and btw - The GeForce 4 MX Graphics Card isn't designed for games, even
if it says it is - it's got a huge bug and does crash with the C++ runtime
libraries - if you wanna play games, get a better card. A Ti or FX - no
developer should be releasing the MX chipset anymore, I had huge problems with
it. Cya

Hope this helps
 
On Wed, 14 Jan 2004 21:44:27 -0000, "LITHIA"
> Does sound like the MSBLASTER worm. A firewall can stop it I think.
> The best thing I can recommend is to update to SP1 if you're on Windows XP.

SP1 doesn't fix it - you need a specific patch, which was revised in
September 2003 to fix additional defects.
> The services manager should be able to stop it from restarting, but as you
> said you already disabled "restart on failure" I'm not sure why it's still
> doing it.

I'd also stop the system from restarting on system errors. That will
be in my standard Lovesan/Blaster post I'll paste later.
> Oh, and btw - The GeForce 4 MX Graphics Card isn't designed for games, even
> if it says it is - it's got a huge bug and does crash with the C++ runtime
> libraries - if you wanna play games, get a better card. A Ti or FX - no
> developer should be releasing the MX chipset anymore, I had huge problems

Nah, I don't think so - or rather, such problems are likely to be
device driver or game specific. Other factors (RAM, AGP bus speed,
overclocking, motherboard chipset, piggy sound cards) may apply.

On drivers: I'd use the ones that came with the card first, and only
if problems would I quest for the "latest drivers" (and even then, I'd
stay away from beta drivers released under two weeks ago).

Ah, that's the system-wide setting, not the ones in Remote Procedure
Call properties as described. You need to fix both, plus fix the
defect that allows these attacks to happen.

BTW: If this behavior happens when not online and not on a LAN or
other TCP/IP network, then it is NOT a Lovesan/Blaster problem.

OK. On a LAN?

That's a given, and one of the reasons why "just re-install" is such
bad advice. Even a "safe" repair install botches all patches, and the
"as fit to ship" CD contains this RPC hole, and others.

<paste>

It's been a while, so let me start with a recap of the history:

1) NT includes a Remote Procedure Call service that cannot be avoided
or turned off, because several internal processes require it. The
service exposes itself to all (TCP/IP only?) networks, including the
Internet. So any computer anywhere in the world can "have a go".

2) Since at least NT 4.0, if not earlier, the coding of this and
related DCOM critical services has included defects that allow
specially-constructed RPC requests to inject raw code into the system,
which Windows will run automatically shortly thereafter.

3) This defect persisted through all the NT 4.0 service packs, the
re-coding of NT for NT 5.0 and 5.1 (Win2000 and XP respectively) and
all the service packs thereof. However, the structure of the attack
packet changed between 5.0 and 5.1 - so that an attack crafted for 5.0
would cause 5.1 to simply crash, and vice versa.

4) In July 2003, MS documented the problem and issued a patch for NT
4.0, Win2000 and XP. As NT 3.xx is no longer supported, the lack of
coverage of this OS does not imply it is immune. However, Win9x
(95xx, 98xx and ME) *are* structurally immune, even if they have the
RPC service added to them - the code is completely different.

5) In August 2003, Lovesan.A spearheaded a series of malware that
attacked the NT RPC service. As well as several Lovesan variations,
there was also Welchia, a variant of the common SDBot trojan with
RPC-attacking capability added, and several others. Of these, only
those with alternate means of spread (such as SDBot.RPC.A) pose risks
to Win9x, though all Internet computers suffered the congestion caused
by Welchia's method of scouting for IP addresses to attack.

6) In September 2003, MS revised the RPC patch, documenting three
additional exploitable defects in the previous "fix".

7) Subsequently, the author of SDBot.RPC.A and the author of a
Lovesan variant that had RAT (Remote Access Trojan) functionality
added to it, were apprehended and charged.


The most significant thing to know about RPC attacks is that you will
be attacked simply because you are connected to an infected network -
no software needs to be run, no action has to be taken by the user.
And the Internet is the mother of all infected networks :-)

Because the process of attempting an attack can crash the system,
traditional antivirus protection is irrelevant. Your NT PC could be
spontaneously restarting every few minutes without any malware
successfully gaining a foothold; the attempts themselves are escalated
to a significant DoS effect, due to particularly dumb MS settings.


To protect yourself against RPC attacks (instructions for XP):

1) Harden the PC against consequences of attack attempts

1.1) Stop the PC from restarting every time a system error occurs

Start, Settings, Control Panel, System icon, Advanced tab
Startup and Recovery section; click the Settings button
UNcheck the "Automatically restart" setting, OKOK

1.2) Stop the RPC service restarting the system when it dies

Start, Settings, Control Panel, Administrative Tools icon
Click into the Service icon
Find and click into Remote Procedure Call (RPC)
Recovery tab; all failures default to Restart the Computer
Change all of those to Restart the Service, OKOKOK

1.3) Turn on the built-in firewall for your Internet connection

This may block RPC attacks; I haven't relied on it alone, so I can't
say whether it alone is enough of a shield.

2) Fix the defective code

Microsoft does NOT send code fixes by email, particularly unsolicited
email (they do send alerts by email if you subscribe to that service,
but these always link to their site rather than attach files).

So you need to go to MS's web site, find the RPC defect patch that is
relevant to your version of NT, download it, install it, and restart
the PC when prompted so that it can go into effect.

All this while several thousand infected PCs are squirting tiny RPC
attack packets directly into your system, with immediate effect - so
good luck! Hence step (1). Beg a Win9x user to download it for you
if your PC keeps crashing; it fits on one diskette.

3) Detect and clean up Lovesan and other malware

If you are using NTFS, you are forced to rely on informal tools to do
this, i.e. antivirus scanners that try to clean the system while
standing waist-deep in infected code. Several free utilities abound
that will scan specifically for particular malware, and NAI has a
thing called "Stinger" that scans for and cleans up a small but
germane collection of common malware. Stick to reputable URLs, as
malware may "market" itself as anti-malware freebies.

Else http://users.iafrica.com/c/cq/cquirke/virtest.htm applies, i.e.
if you are using FAT32, you can take the formal approach, and should.

4) Apply general risk management

Beyond the scope of this post; Win9x-centric approaches described in
http://users.iafrica.com/c/cq/cquirke may not be directly applicable
to NT, but the concepts may, and "safe hex" is "safe hex".


Blaster is an example of the new breed of pure worms that can spread
globally within a few minutes (Slammer/Sapphire went global in 10
minutes). Not only does that make a mockery of daily av updates,
these are conceptually significant for another reason - they are
infosphere infectors, not computer or file infectors as most malware
and viruses are, respectively.

It's faster for these worms to re-infect your PC from the "installed
base" of infected systems on the Internet than it is to persist across
runtime by infecting your PC's files or OS runpoints. Many do not
even attempt to do so; switch the PC off, and the malware's gone -
until you reconnect to the infected network again.

With always-on servers, no-longer-needs-rebooting NT, and a
consumerland bulging with fast always-on broadband, this strategy
becomes more viable all the time.

The traditional approach to malware has been malware- rather than
risk-focussed. Just as you'd treat a bacterial infection with
antibiotics, malware has been treated with antivirus software that is
used to "cure" the PC. But just as you can't cure bioviral infections
with antibiotics, you can't clean the whole of the infosphere!

So these new threats demand risk management as the front-line defence.
Software that is stupid enough to allow direct attack is simply
indefensible, and has to be repaired (patched) or avoided.

</paste>



-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
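
Steps 1.1 and 1.2 of the pasted instructions can also be applied from a command prompt; the script below is an added example, not part of the original thread. It assumes Windows XP, an administrator account, the service short name RpcSs, and a 60-second restart delay chosen for illustration; the firewall in step 1.3 is left to the GUI.

```batch
@echo off
rem Added example: applies steps 1.1 and 1.2 of the post above on Windows XP.
rem Run from an administrator account. The 60000 ms delay is an assumed value.

set CRASHKEY=HKLM\SYSTEM\CurrentControlSet\Control\CrashControl

echo --- Current settings ---
reg query "%CRASHKEY%" /v AutoReboot
sc qfailure RpcSs

rem Step 1.1: system-wide setting behind the "Automatically restart" checkbox.
reg add "%CRASHKEY%" /v AutoReboot /t REG_DWORD /d 0 /f
if errorlevel 1 goto failed

rem Step 1.2: recovery actions for Remote Procedure Call (RPC).
rem First, second and subsequent failures all become "Restart the Service".
rem The space after each "=" is required by sc.exe.
sc failure RpcSs reset= 0 actions= restart/60000/restart/60000/restart/60000
if errorlevel 1 goto failed

echo --- New settings ---
reg query "%CRASHKEY%" /v AutoReboot
sc qfailure RpcSs

rem Assumption: sc qfailure lists each action as "REBOOT -- Delay = ..." or
rem "RESTART -- Delay = ...". Any remaining "REBOOT --" line means step 1.2
rem did not take effect.
sc qfailure RpcSs | find /i "REBOOT --" >nul
if not errorlevel 1 (
    echo WARNING: an RpcSs recovery action is still set to reboot the computer.
    exit /b 1
)
echo RpcSs recovery actions no longer reboot the computer.
exit /b 0

:failed
echo A setting could not be changed. Check that you are an administrator.
exit /b 1
```

These two settings only limit the effect of attack attempts; the patch in step 2 is still needed to remove the defect itself.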
 