NT Authority System

[Ralph]

New user Windows XP Home, computer will only stay
connected to Internet for a few minutes. Message says NT
Authority System is shutting down computer, Remote
Procedure Call. Can reconnect but only for a short while
before another shut down. Problem is occuring on a Dell
Dimension 4600, desk top.

 

[Jason Tsang]

You have a virus.

Get the cleaner for Blaster from here
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html

After you remove the virus, IMMEDIATELY goto Windowsupdate and install the
latest patches. Previous failure to do so led to the computer being
infected with the virus

See here for more information
http://www.microsoft.com/security/protect/

 

[Carey Frisch [MVP]]

Apparently, your computer is infected with the W32.Blaster.Worm or one of its variants.
This happened because you have not been using an internet connection firewall and have
apparently neglected to install the critical updates available at the Windows Update website.

If your computer is constantly attempting to shutdown
or reboot, quickly go to:

Start > Run and type: CMD , and hit enter.
This opens the Command Prompt window.

Then type: shutdown -a , and hit enter.

This should halt the rebooting problem.

Then immediately turn-on Windows XP's built-in Firewall:
http://www.microsoft.com/security/protect/

What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

A tool is available to remove Blaster worm and Nachi worm infections from computers
that are running Windows 2000 or Windows XP
http://support.microsoft.com/?kbid=833330

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

----------------------------------------------------------------------


| New user Windows XP Home, computer will only stay
| connected to Internet for a few minutes. Message says NT
| Authority System is shutting down computer, Remote
| Procedure Call. Can reconnect but only for a short while
| before another shut down. Problem is occuring on a Dell
| Dimension 4600, desk top.

 

[Taurarian]

Sounds a bit like the Blaster worm


http://www.microsoft.com/security/incident/blast_faq.asp

Blaster Worm FAQ

http://www.f-prot.com/news/vir_alert/msblast.html#reaction_b_and_c
New W32/Msblast variants: W32/Msblast.B and W32/Msblast.C

1. CTRL-ALT-DELETE to bring up the Task Manager. Look for msblast.exe and select
it and End Process. This will stop the computer from shutting down.
It doesn't remove the worm.

To enable your firewall :
- Click Start
- Click Control Panel
- Double Click "Network Connections"
- Right-click on your Dial up Connection, then left click 'Properties'
- Left Click 'Advanced' Under "Internet Connection Firewall" tick the box
'Protect my computer and networking by limiting or preventing access to this
computer from the internet'
- Click Ok and Close the "network connections" box.
You can then connect to the Internet and download the Microsoft relevant patch.

You could also try:
Click Start/Run then type in cmd
and then type in : shutdown -a
Do this when the shutdown prompt appears.

W32.Blaster.Worm patch is available here:-
www.microsoft.com.au/blasterhelp
http://www.microsoft.com/security/incident/blast.asp
You must download and install the patch. In many cases, you will need to do this
before you can continue with the removal of the worm.
Because of the way the worm works, it may be difficult to connect to the
Internet to obtain the patch, definitions, or removal tool before the worm shuts
down the computer. It has been reported that, for users of Windows XP,
activating the Windows XP firewall may allow you to download and install the
patch, obtain virus definitions, and run the removal tool. This may also work
with other firewalls, although this has not been confirmed.

2. You can download the Symantec Removal Tool from here
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
or you can visit this site to assist in the removal of the worm
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
To download ClnPoza.zip - a utility that cleans a local machine affected by
Win32.Poza,
or this site for assistance: http://www.kellys-korner-xp.com/xp_qr.htm#rpc
Panda Software also provides a free application especially designed to detect
and eliminate the Blaster worm and repair the damage that it may have caused in
affected computers. This utility is available for download at
http://www.pandasoftware.com/download/utilities/.
W32/Blaster-A disinfection instructions and FAQ
http://www.sophos.com/support/disinfection/blastera.html#3

F-Secure Virus Descriptions
http://www.f-secure.com/v-descs/msblast.shtml

http://www.updatexp.com/cryptographic-service.html
For information on the Cryptographic Services

 

[Kelly]

Hi Ralph,

MS Blaster Tool: http://tinyurl.com/3h8kw

To stop the reboots: Go to Start/Run and type in: services.msc. Scroll down
to Remote Procedure Call (RPC)/Recovery/First Failure/Restart the Service.

Close Windows Explorer, run the edit on line 257 which includes the prompt
for the patch once your system has been cleaned.

This script removes all variants of the W32.Blaster.Worm (original, B, C, D,
E and F) and will inform you whether or not the patch is already installed.
http://www.kellys-korner-xp.com/xp_tweaks.htm. Direct download:
http://www.kellys-korner-xp.com/regs_edits/msblast.vbs

More information here:
http://www.kellys-korner-xp.com/xp_qr.htm#rpc

 

[Bruce Chambers]

Greetings --

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

Removal Tool for Blaster/Nachi worm infections from computers running
Win2K or WinXP
http://support.microsoft.com/?kbid=833330

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH