N/T authority system is shutting down comp

some dude

my buddy just bought a brand new laptop that he installed
Earthlink dial-up onto. he can't get anything done with it
because it keeps shutting itself off. he was close to
being done with a virus scan when it shut itself off again.

this is the error message:
computer shutting down, save all work immediately. all
unsaved work will be lost. this is being performed by N/T
authority system.

Must restart because Remote Procedure Call Service
terminated immediately.

and then a different window pops up and says:
'your computer has been infected'. and then it gives a
link to where you can go and purchase a download for $20
that supposedly will clean it. the link that it gives is
www.windowspatch.info
 
Chris Holden

some dude said:
my buddy just bought a brand new laptop that he installed
Earthlink dial-up onto. he can't get anything done with it
because it keeps shutting itself off. he was close to
being done with a virus scan when it shut itself off again.

this is the error message:
computer shutting down, save all work immediately. all
unsaved work will be lost. this is being performed by N/T
authority system.

Must restart because Remote Procedure Call Service
terminated immediately.

and then a different window pops up and says:
'your computer has been infected'. and then it gives a
link to where you can go and purchase a download for $20
that supposedly will clean it. the link that it gives is
www.windowspatch.info


When the shutdown countdown starts go to: Start> run> type 'shutdown -a'
without the quotes. Hit okay. Do it again should the countdown start again
during the process.
Then go Start> control panel> network connections> select your internet
connection and right click it. Select properties. Click the advanced tab and
tick the 'protect this...' box. Hit okay until the boxes disappear.
Now go to
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
and read the page. Download the fixblast.exe (link about half way down that
page). Run it.
When your machine is clean, go to windowsupdate.com and download all the
recommended fixes.

This is a stock answer - you may not actually have the blaster worm, but it
will fix the problem you have!

Chris
 
Kasvera

Hi,

This issue occurs if your system is affected with the Blaster virus. There
are multiple steps provided in this message. Please see the following
website:
http://www.hp.com/cposupport/mixed/support_doc/c00035757.html

Manual instructions:

1. Click Start, Run and then type: shutdown -a
   This prevents the system from automatically restarting long enough for you to download and install the Microsoft security update.

2. Click OK.

3. If the "shutdown -a" command fails to keep the computer from restarting, use the following steps:
   a. Click Start, Run, and then type: services.msc
      A Services window appears.
   b. Click OK.
   c. Double-click Remote Procedure Call (RPC) and select the Recovery tab. Be careful to not use the Remote Procedure Call (RPC) Locator item.
   d. Set the First Failure, Second Failure, and Subsequent Failures items to Take No Action.
   e. Click OK to apply the settings.

4. Install the latest critical updates using Windows Update. For more information, go to the following Web sites:
   * Microsoft's Security Bulletin: MS03-039:
     http://www.microsoft.com/security/security_bulletins/ms03-039.asp
   * How to use Windows Update:
     http://www.hp.com/cposupport/personal_computing/support_doc/bph07159.html

5. Remove the worm using your antivirus software. Do this by attaining the latest virus definitions and then performing a scan. For more detailed information go to the following Web sites:
   * McAfee's VirusScan Web page on the W32/Lovsan.worm virus:
     http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
   * Symantec's Norton AntiVirus Web page on the W32.Blaster.Worm virus:
     http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

   If all went well, the computer is now clean and protected. If these steps did not resolve the problem, contact Microsoft and your anti-virus software vendor for additional assistance.

6. If you used the "services.msc" command (as explained above in Step 3) to prevent your computer from restarting, restore your RPC recovery settings to their original state as follows:
   a. Click Start, Run, and then type: services.msc
   b. Click OK.
   c. Double-click Remote Procedure Call (RPC) and select the Recovery tab. Be careful to not use the Remote Procedure Call (RPC) Locator item.
   d. Set the First Failure, Second Failure, and Subsequent Failures items to Restart the Computer.
   e. Click OK to apply the settings.

For more information on resolving and preventing viruses on your computer, go to the following HP Web site:
http://www.hp.com/cposupport/personal_computing/support_doc/bph07130.html

- kasvera [MCP]
 
Nictu

Following are instructions posted many, many, many times by Ken Blake.
Thanks Ken. Hope you don't mind me reposting this.

gls858

You have the MSBlaster worm. To remove it, do the following:

The following instructions are in three parts

1. Stop it from running
2. Remove it from your system
3. Make sure it doesn't come back

Before beginning, if you have an always-on internet connection, it's a good idea to disconnect it.



1. Stop it from running

Press Ctrl-Alt-Delete to bring up the Task Manager, then on the Processes tab, click msblast.exe and then "End process." Reply "Yes" to the warning message that comes up.

This stops the worm from running, so your system will not shut down. However, it doesn't remove it, and if that's all you do, it will start up again the next time you boot.


***

2. Remove it from your system

a. Start the registry editor program, regedit, by going to Start, Run, and typing REGEDIT. Navigate to HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run by clicking the plus signs next to each of the folders in the left hand pane. When you get to the last of them, Run, click the word Run itself.

Find an entry called "Windows Auto Update" on the right side. Right-click it and delete it.

b. Do a Windows search for msblast, and delete all files found.

The worm is now gone, and won't start again the next time you boot. But if that's all you do, you can get reinfected just as you did the first time.

***


3. Make sure it doesn't come back

a. Make sure you're running a firewall that prevents worms like this from getting in. You can enable the built-in Windows XP firewall, or download and install another one such as the free version of ZoneAlarm. To enable the built-in firewall, go to Control Panel, double-click Networking and Internet Connections, then click Network Connections. Right-click your connection, then click Properties, and on the Advanced tab, click the option "Protect my computer and network..."

b. If you've disconnected your internet connection, reconnect it. Download and install the Microsoft patch at
http://www.microsoft.com/downloads/details.aspx?FamilyID=e70a0d8b-fe98-493f-ad76-bf673a38b4cf&displaylang=en

That will remove the vulnerability that the worm exploits.

c. Be sure you are running an anti-virus program, and that you regularly download the latest updated virus definitions.
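
An added example, not part of the post above or of Ken Blake's instructions: a small Python check that looks for the two things steps 1 and 2 remove by hand, a running msblast.exe and the "Windows Auto Update" Run value, in saved `tasklist` and `reg query` output. The sample outputs, the ExampleTray entry and the function names are constructed for illustration.

```python
import re

# Indicators named in the thread: the Run value "Windows Auto Update"
# and the msblast.exe image. Nothing beyond those two is checked.
RUN_VALUE_NAME = "windows auto update"
WORM_IMAGE = "msblast.exe"
RUN_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
TASK_LINE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S")


def run_key_hits(reg_query_output):
    """Return (value name, data) pairs from `reg query` output that match."""
    hits = []
    for line in reg_query_output.splitlines():
        m = RUN_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, data = m.group("name").strip(), m.group("data").strip()
        # Reduce the data to its file name so a full path still matches.
        image = data.strip('"').replace("/", "\\").split("\\")[-1].lower()
        if name.lower() == RUN_VALUE_NAME or image.startswith("msblast"):
            hits.append((name, data))
    return hits


def process_hits(tasklist_output):
    """Return the PIDs of running msblast.exe images from `tasklist` output."""
    pids = []
    for line in tasklist_output.splitlines():
        m = TASK_LINE.match(line)
        if m and m.group("image").strip().lower() == WORM_IMAGE:
            pids.append(int(m.group("pid")))
    return pids


# Constructed sample of: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
    windows auto update    REG_SZ    msblast.exe
"""
# Constructed sample of: tasklist
SAMPLE_TASKS = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
svchost.exe                  808 Console                 0      3,456 K
msblast.exe                 1716 Console                 0      4,120 K
"""
```

An empty result from both functions after the cleanup is what steps 1 and 2 are meant to produce; it says nothing about whether the patch in step 3 has been installed.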
 
Bruce Chambers

Greetings --

Two issues, both having the same root cause, an unsecured computer:

1) If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger

2) This type of spam has become quite common over the past several
months, and unintentionally serves as a valid security "alert." It
demonstrates that you haven't been taking sufficient precautions while
connected to the Internet. Your data probably hasn't been compromised
by these specific advertisements, but if you're open to this exploit,
you may well be open to other threats, such as the Blaster Worm that
recently swept across the Internet. Install and use a decent,
properly configured firewall. (Merely disabling the messenger
service, as some people recommend, only hides the symptom, and does
little or nothing to truly secure your machine.) And ignoring or just
"putting up with" the security gap represented by these messages is
particularly foolish.

Messenger Service of Windows
http://support.microsoft.com/default.aspx?scid=KB;en-us;168893

Messenger Service Window That Contains an Internet Advertisement
Appears
http://support.microsoft.com/?id=330904

Stopping Advertisements with Messenger Service Titles
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

Blocking Ads, Parasites, and Hijackers with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Whichever firewall you decide upon, be sure to ensure
UDP ports 135, 137, and 138 and TCP ports 135, 139, and 445 are _all_
blocked. You may also disable Inbound NetBIOS (NetBIOS over TCP/IP).
You'll have to follow the instructions from the firewall's manufacturer
for the specific steps.

You can test your firewall at:

Symantec Security Check
http://security.symantec.com/ssc/vr_main.asp?langid=ie&venid=sym&plfid=23&pkj=GPVHGBYNCJEIMXQKCDT

Oh, and be especially wary of people who advise you to do nothing
more than disable the messenger service. Disabling the messenger
service, by itself, is a "head in the sand" approach to computer
security. The real problem is _not_ the messenger service pop-ups;
they're actually providing a useful, if annoying, service by acting as
a security alert. The true problem is the unsecured computer, and
you've been advised to merely turn off the warnings. How is this
helpful?


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
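
An added example, not part of the post above: a Python check that reads saved `netstat -an` output and lists the local services bound to the ports the post says the firewall must block (UDP 135, 137, 138 and TCP 135, 139, 445). It shows which listeners depend on that block; it does not test the firewall itself, which is what the external check linked in the post is for. The sample output, addresses and function names are constructed.

```python
# Ports from the post above: UDP 135, 137, 138 and TCP 135, 139, 445.
WATCHED = {"TCP": {135, 139, 445}, "UDP": {135, 137, 138}}
LOOPBACK_V6 = "[::1]"


def listeners(netstat_output):
    """Yield (proto, address, port) for TCP LISTENING and bound UDP sockets."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in WATCHED:
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue  # an established or closing connection, not a listener
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        address, _, port = local.rpartition(":")
        if port.isdigit():
            yield proto, address, int(port)


def exposed(netstat_output):
    """Return watched-port listeners that are not bound to loopback only."""
    return sorted(
        (proto, address, port)
        for proto, address, port in listeners(netstat_output)
        if port in WATCHED[proto]
        and not address.startswith("127.")
        and address != LOOPBACK_V6
    )


# Constructed sample of `netstat -an` output on an unprotected machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""
```

Every entry `exposed()` returns is a service that an inbound block on that port and protocol has to cover.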
 
