NT AUTHORITY SYSTEM SHUTDOWN

[Dustin]

I have recently reformmated by hard drive and reinstalled
windows xp onto it,and ever since every time i get online
about 10-20 mins after i get a shutdown notice with a
countown that sais remote procedure call,this doesnt happen
with the built in firewall,but with that on i cant do
anything cuz its blocked,please help,and also my net is
extremely slow,it times out,and doesnt work right ever
since i reinstalled and i downloaded all the updates please
email me at (e-mail address removed) pleeeeeeease help me
thank u

 

[Will Denny]

Hi

Your system has been infected by the Blaster Worm. Have a look at the
following links:

www.kellys-korner-xp.com/xp_qr.htm#rpc

Courtesy of MVP Kelly Theriot.

"Virus Alert About the Blaster Worm and Its Variants"
http://support.microsoft.com/?id=826955

"What You Should Know About the Blaster Worm and Its Variants"
http://www.microsoft.com/security/incident/blast.asp

--

Will Denny
MS-MVP Windows - Shell/User


| I have recently reformmated by hard drive and reinstalled
| windows xp onto it,and ever since every time i get online
| about 10-20 mins after i get a shutdown notice with a
| countown that sais remote procedure call,this doesnt happen
| with the built in firewall,but with that on i cant do
| anything cuz its blocked,please help,and also my net is
| extremely slow,it times out,and doesnt work right ever
| since i reinstalled and i downloaded all the updates please
| email me at (e-mail address removed) pleeeeeeease help me
| thank u

 

[Rick \Nutcase\ Rogers]

Hi Dustin,

When the shutdown warning appears, click start/run and enter "shutdown -a"
to halt the process. It's a virus called blaster or lovesan. Information:

http://www.kellys-korner-xp.com/xp_qr.htm#rpc
http://www.pchell.com/virus/msblast.shtml
http://vil.nai.com/vil/content/v_100499.htm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://www.bigblackglasses.com/Article.aspx?Article=342

You need the patch described here to protect against it:

MS03-039: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious
Programs
http://support.microsoft.com/?kbid=824146

Problem is, you needed to install the patch BEFORE you got infected to avoid
it.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone

 

[dcdon]

Hi Dustin,
You need AN AVP BAD...
And a firewall
And SpyBot
AdAware
www.spychecker.com

cheers,
don



I have recently reformmated by hard drive and reinstalled
windows xp onto it,and ever since every time i get online
about 10-20 mins after i get a shutdown notice with a
countown that sais remote procedure call,this doesnt happen
with the built in firewall,but with that on i cant do
anything cuz its blocked,please help,and also my net is
extremely slow,it times out,and doesnt work right ever
since i reinstalled and i downloaded all the updates please
email me at (e-mail address removed) pleeeeeeease help me
thank u

 

[David H. Lipman]

When you get the shutdown message...

Go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/ or the Microsoft Lovsan/Blaster and Nachi/Welchia
Removal Tool
http://www.microsoft.com/downloads/...8B-FE98-493F-AD76-BF673A38B4CF&displaylang=en
and install the following patch for the RPC/RPCSS Buffer Overflow Vulnerability that is
addressed by Microsoft Security Bulletin MS03-39 http://support.microsoft.com/?kbid=824146

Please read: http://www.microsoft.com/security/incident/blast.asp

You also need a FireWall. If you don't patch the PC and not use a FireWall then you will
just be re-infected.

I also suggest the installation of *ALL* MS Critical Updates ASAP.

Additionally:
If you post to UseNet with your TRUE, not a munged, email address then you have invited the
Swen Internet worm [aka; W32/Gibe-F] to visit you.

The Swen is news spelled backwards. The reason it is called this is because the Swen worm
harvests email addresses from UseNet News Groups. It has an engine that allows it to post
itself to UseNet News Groups as well as it has its own email engine. From the list of
email addresses that it has harvested, it will then email itself to those addresses.

Dave



| I have recently reformmated by hard drive and reinstalled
| windows xp onto it,and ever since every time i get online
| about 10-20 mins after i get a shutdown notice with a
| countown that sais remote procedure call,this doesnt happen
| with the built in firewall,but with that on i cant do
| anything cuz its blocked,please help,and also my net is
| extremely slow,it times out,and doesnt work right ever
| since i reinstalled and i downloaded all the updates please
| email me at (e-mail address removed) pleeeeeeease help me
| thank u

 

[Guest]

You can get this error due to virus named blaster or it may possible that rpc service has gone bad
To rectify this problem use the following steps to prevent the forced shut down

From the Start menu, click Run.

In the Run dialog box, type: shutdown -a. Click OK.

Download the FixBlast.exe file from the Symantec Web site and run on the computer

Noteisable the system restore and if computer is connected to cable modem or dsl disconnect it from the computer

End task on msblast.exe.

On your keyboard, press the CTRL+ALT+DELETE keys.
In the Windows Security window, click Task Manager.
In the Windows Task Manager window, click the Processes tab.
On the Processes tab, click msblast.exe, and then click End Proces

After accomplishing above steps run FixBlast.exe in safe mode

After running the fixblast.exe download and install the "Blaster Worm: Critical Security Patch for Windows XP" patch from the Microsoft Web site to prevent this type of attack.

Enable the system restore

If problem presist it may possible service has gone bad

 

[Bruce Chambers]

Greetings --

Given today's Internet environment, only a fool or a masochist
would go on-line without both a firewall and antivirus protection.

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH