locked
XP Failure after startup... RRS feed

  • Question

  • Windows XP starts normally and proceeds to the desktop.  Starting the first application; Outlook, Internet Explorer,  notebook; a message appears that appears to be ordering a system shutdown originating from the network administrator.  Unfortunately, the message does not persist and does not remain on the screen to allow a full read and copy of the message.  It simply flashes and then Windows shuts down normally.  This only occurs after connecting to the network.  I suspect enemy action.  Our organization has two networks.  I am using exactly the same equipment and exactly the same level of software on both systems.  This problem is occurring only on one of those systems and has manifested itself in a single network and a single PC on 15 November.  Tech Support states that the only resolution is upgrading to a new PC.  I am unable to locate a single entry anywhere that substantiates this claim.

    Is it possible to issue an administration shutdown command directed to a specific User/PC from the network server that will shutdown the windows application and turn off the computer at the first (and every) attempt to initiate an application under Windows XP (SP2)?  If yes, what is the command and how is it activated?  How can it be negated?  Can it be stopped from the affected PC? How can evidence of the attack be collected?

    Thanks for your assistance and reply to kenbumgarner@hotmail.com

    Ken Bumgarner

     

     

    Thursday, November 17, 2011 1:13 PM

Answers

  • Hello

    Such command exists: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/shutdown.mspx?mfr=true

    It can be sent remotely or locally.

    a) If it happens randomly, maybe someone is remotely shutting down your machine.

    b) If it happens every time you open, for example, Notepad, then maybe someone has "rigged" your Notepad shortcut to execute a .bat file instead, which locally invokes the command.

    c) If it happens as soon as you connect to the network then it might also be a driver or application error. For example, termination of the lsass.exe process also causes a computer shutdown. This process can be terminated on error or by a virus.

    What you can do about it:

    1) Try to figure out when this happens, it will make it easier to find out what's wrong.

    2) Check the shortcuts you call; maybe one of them is fake and calls a .bat file.

    3) Install an antivirus if you haven't got one (for example AVG Free), and enable your Windows Firewall if it's off (Control Panel => Windows Firewall). Additionally, install a malware remover like Malwarebytes or ComboFix.

    4) Go to Start => Control Panel => Administrative Tools => Event Viewer and check the System Errors and the Application Errors for items marked with a red "X" icon, which may hint what's going on.

    ----Advanced solutions follow, use with caution----

    5) Use Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902 to see/edit the files which execute when you boot your computer.

    6) Use TCPView http://technet.microsoft.com/en-us/sysinternals/bb897437 to see/close the addresses which connect to your computer.

    7) Use PsTools http://technet.microsoft.com/en-us/sysinternals/bb896649 to see/kill the processes which run on your computer.

    8) Change the static IP and hostname of your computer (if the network administrator allows you to do so).

    Be careful and good luck.

     

    Konstantinos



    Thursday, November 17, 2011 3:26 PM