September 22nd, 2003, 11:59 PM
msblaster.exe (Useful commands)
Here are some tips and tricks that I just learned.
Remember that shutdown message that popped up when an attempt to infect you w/ msblaster.exe was executed?
What that popup is, is a timed shutdown application that is located in c:\windows\system32\shutdown.exe
You can execute that exact popup with a command like this:
Start Menu>>Run>> shutdown -s -t 300
Here is what that command means
-s states that you want to shutdown, -r can also be used to restart the machine.
-t sets a time to shutdown, -t <number of seconds>
This command can also be executed on your machine from another machine, so if it happens you will know at least a little about it.
With msblaster.exe you would have to download a patch and only people who could download that 5.5 mb patch in 30 seconds were able to. With me, every time that download would get started I would get that popup and my computer would shut down.
Here is how you can avoid having your computer shut down either by a virus (msblaster) or any other invader. When the shutdown application is executed you are able to view it. Once you know it is running just simply go to Start Menu>>Run>> shutdown -a
-a stands for Abort
The -a command will close the current shutdown process. This is very helpful when downloading a patch for a virus that uses the shutdown command.
September 23rd, 2003, 12:54 AM
September 23rd, 2003, 03:14 AM
Start---->Control Panel--->Administrative Tools--->Services---->scroll down to Remote Procedure Call (RPC) *there are 2 RPC services, the second one being (RPC) Locator. Do not alter the locator service*--->right click and choose Properties--->click Recovery tab--->set all failure boxes to Restart the Service---> restart your box and go get your patch.
It isn't paranoia when you KNOW they're out to get you...
September 23rd, 2003, 03:59 AM
If you do not have the NT, Win2k, or XP support pack installed the shutdown command will not be available. It is not a native command in the OS, but rather a part of the admin support pack.
I always use the command line options /c /l /r /y. This will reboot the system and respond yes to any pop-ups. It will also kill any applications that refuse to stop properly so that the system can shut down. This works very well for unattended installs.
September 23rd, 2003, 06:02 AM
I use shutdown (infrequently) to remotely reboot systems (not servers) on the network when I think there may be something hung. I have the tool on my workstation, but not in the %WinSys% directory.
For servers, I've found that using Steve Gibson's Wizmo is a much better tool. When setting up the automatic shutdown for the UPS in the event of a power outage, the shutdown command just would not take the server to a power-off state. They sit there with the "it is now safe to turn off your system" message on the screen, still sucking up the Kv's.
With Wizmo, I can get a shutdown, dammit! and have the server go to complete power-off.
Like anything that has this level of power and potential, place the tool in its own directory and have your scripts use a full path to run it. Don't put it in the %WinSys% directory.
September 23rd, 2003, 06:32 AM
In Win98, and I think 95, it's Run32dll.exe, user, exit windows
September 23rd, 2003, 11:06 PM
Yes, there's also a downloadable freeware version of the tool - called psshutdown.
I can't remember where I got it, but I've been using it here since Win98/NT days. I'd put it somewhere obscure (so sub-par malicious users wouldn't find it browsing around) and then would create 2 shortcuts to it with the parameters plugged in.
- One would be with the -a parameter and I'd keep it on the desktop, so a user could abort a restart if one is fired off.
- A second shortcut I'd keep in the same obscure location and would have the restart parameters with a 30-second timer put on it. I'd then have all the systems schedule that second shortcut, to allow them to auto reboot every night at midnight if they were on.
It was especially useful for back in the day of 166mhz Pentiums and 16-32mb of EDO RAM - those things would crash every day if not rebooted (and sometimes even if they were)...
I hadn't even thought of that though when blaster was going around. Given, I probably would have recognized it had any of the systems here or at my house actually been infected, or at least I'd like to think so...
September 25th, 2003, 01:14 AM
I always advised customers to press Control + Alt + Delete, which brings up the Windows Task Manager, and advised customers to click on MSBLAST.EXE; next you're gonna wanna click End Process. This will disable MSBLASTER.EXE (until you reboot your computer). Go to symantec.com and download the removal tool. Also have customers install the latest patch for their operating system. I have customers who just sign up with our Internet Service Provider, get online and are infected just minutes later. It's a nasty virus.