NT AUTHORITY

Kathy

HELP!

I'm all new to the WINXP. With everything pre-installed,
I took my new pc out of box, plugged it in, hooked up to
internet and received an error message. Now HP and
others tell me I have a virus. I don't believe it. As I
said, this is brand new from factory. I receive this
error message that restarts my pc. This is the deal,
NT AUTHORITY\System has to restart, disconnecting,
initiated by the RPC Service. To me, it sounds like
something that has to do with networking. Now as I said,
HP and others immediately say it's Blaster virus. Again,
just pulled this out the box with everything pre-loaded,
including anti-virus. So, I call another so-called
expert, LOL, he said same thing, virus. Well now, after
doing some digging myself on my new pc, guess what??
I found that the NT AUTHORITY\System and RPC SERVICE,
it's part of the networking props.. However, I'm still
unsure how to go about remedying this problem.
Can anyone help!?!?!?
 
Rifleman

Kathy said:
HELP!

I'm all new to the WINXP. With everything pre-installed,
I took my new pc out of box, plugged it in, hooked up to
internet and received an error message. Now HP and
others tell me I have a virus. I don't believe it. As I
said, this is brand new from factory. I receive this
error message that restarts my pc. This is the deal,
NT AUTHORITY\System has to restart, disconnecting,
initiated by the RPC Service. To me, it sounds like
something that has to do with networking. Now as I said,
HP and others immediately say it's Blaster virus. Again,
just pulled this out the box with everything pre-loaded,
including anti-virus. So, I call another so-called
expert, LOL, he said same thing, virus. Well now, after
doing some digging myself on my new pc, guess what??
I found that the NT AUTHORITY\System and RPC SERVICE,
it's part of the networking props.. However, I'm still
unsure how to go about remedying this problem.
Can anyone help!?!?!?

Presumably no-one told you about Firewalls and anti-virus programs BEFORE
you connected? A SERIOUS industry problem in my view.

(Courtesy of Ken Blake - Microsoft MVP Windows: Shell/User)

You have the MSBlaster worm. To remove it, do the following:

The following instructions are in three parts:

1. Stop it from running

2. Remove it from your system

3. Make sure it doesn't come back



Before beginning, if you have an always-on internet connection,
it's a good idea to disconnect it.



1. Stop it from running

Press Ctrl-Alt-Delete to bring up the Task Manager, then on the
Processes tab, click msblast.exe and then "End process." Reply
"Yes" to the warning message that comes up.

This stops the worm from running, so your system will not shut
down. However, it doesn't remove it, and if that's all you do, it
will start up again the next time you boot.


***

2. Remove it from your system

a. Start the registry editor program, regedit, by going to Start
| Run, and typing REGEDIT

Navigate to HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
by clicking the plus signs next to each of the
folders in the left hand pane. When you get to the last of them,
Run, click the word Run itself.

Find an entry called "Windows Auto Update" on the right side.
Right-click it and delete it.

b. Do a Windows search for msblast, and delete all files found.

The worm is now gone, and won't start again the next time you
boot. But if that's all you do, you can get reinfected just as
you did the first time.

***


3. Make sure it doesn't come back

a. Make sure you're running a firewall that prevents worms like
this from getting in. You can enable the built-in Windows XP
firewall, or download and install another one such as the free
version of ZoneAlarm. To enable the built-in firewall, go to
Control Panel, double-click Networking and Internet Connections,
then click Network Connections. Right-click your connection, then
click Properties, and on the Advanced tab, click the option
"Protect my computer and network..."


b. If you've disconnected your internet connection, reconnect it.
Download and install the Microsoft patch at
http://download.microsoft.com/downl...e-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

That will remove the vulnerability that the worm exploits.


c. Be sure you are running an anti-virus program, and that you
regularly download the latest updated virus definitions.
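
A read-only way to confirm that the three stages above were completed, added here as an example and not part of the original post. It assumes PowerShell 2.0 or later is installed, limits the file search to System32 (the post searches the whole disk), and does not check the firewall setting; the indicator names are the ones given in this thread.

```powershell
# Read-only check for the Blaster indicators named in this thread.
# Nothing is deleted or changed; removal is still done by hand as described above.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$psMeta   = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$patches  = 'KB823980','KB824146'   # both KB numbers appear in the thread
$findings = @()

# Stage 1: is the worm process still running?
$proc = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
if ($proc) {
    $ids = ($proc | ForEach-Object { $_.Id }) -join ', '
    $findings += "RUNNING: msblast.exe (PID $ids)"
}

# Stage 2a: is the autostart value still present in the Run key?
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }   # skip provider metadata
        if ($p.Name -eq 'Windows Auto Update' -or "$($p.Value)" -match 'msblast') {
            $findings += "AUTOSTART: '$($p.Name)' = '$($p.Value)'"
        }
    }
}

# Stage 2b: are any msblast files left behind?
# Assumption: only System32 is searched; widen the path for a full-disk search.
$sys32 = Join-Path $env:SystemRoot 'System32'
Get-ChildItem -Path $sys32 -Filter 'msblast*' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "FILE: $($_.FullName)" }

# Stage 3: is one of the patches listed as installed?
# A later service pack can include the fix without listing these IDs.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $patches -contains $_.HotFixID }
if (-not $installed) {
    $findings += "UNPATCHED: none of $($patches -join ', ') is listed as installed"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output $_ }
} else {
    Write-Output 'No Blaster indicators from this thread were found.'
}
```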
 
Carey Frisch [MVP]

There are thousands of nasty viruses/worms looking for unprotected
computers. Your computer can be infected within a few milliseconds
the moment an internet connection is established.

Apparently, your computer is infected with the W32.Blaster.Worm or one of its variants.
This happened because you have not been using an internet connection firewall and have
apparently neglected to install the critical updates available at the Windows Update website.

If your computer is constantly attempting to shut down
or reboot, quickly go to:

Start > Run and type: CMD , and hit enter.
This opens the Command Prompt window.

Then type: shutdown -a , and hit enter.

This should halt the rebooting problem.

Then immediately turn on Windows XP's built-in Firewall:
http://www.microsoft.com/security/protect/

What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

A tool is available to remove Blaster worm and Nachi worm infections from computers
that are running Windows 2000 or Windows XP
http://support.microsoft.com/?kbid=833330

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

 
Ramesh [MVP]

Hi Kathy,

Your system is infected by RPC (W32.Blaster) Worm. This is causing the system to shut down abnormally.

Cause: You have not enabled the firewall while browsing the internet and not patched the system with latest Microsoft Windows Update hotfixes.

A tool is available to remove Blaster worm and Nachi worm infections from computers that are running Windows 2000 or Windows XP:
http://support.microsoft.com/default.aspx?scid=833330

Virus Alert About the Blaster Worm and Its Variants:
http://support.microsoft.com/default.aspx?kbid=826955
________________________________
About Firewalls - Windows XP ICF:
http://www.mvps.org/sramesh2k/firewall.htm


--
Ramesh - Microsoft MVP
http://www.mvps.org/sramesh2k
-------------------------------------------
How to block Pop-ups?:
http://www.mvps.org/sramesh2k/Popups.htm

Using ToolbarCop to remove the unwanted Toolband, Toolbar Icons and BHO:
http://www.mvps.org/sramesh2k/toolbarcop.htm
-------------------------------------------


 
Rifleman

Carey Frisch said:
There are thousands of nasty viruses/worms looking for unprotected
computers. Your computer can be infected within a few milliseconds
the moment an internet connection is established.

Apparently, your computer is infected with the W32.Blaster.Worm or one of its variants.
This happened because you have not been using an internet connection firewall and have
apparently neglected to install the critical updates available at the
Windows Update website.

I think we ought to start a campaign to force vendors to give a compulsory 5
minute (and that is ALL it takes) briefing to ALL purchasers of new
computers on Internet Security. I have bought 4 PCs and two laptops in the
past ten years and NO-ONE has ever bothered to tell me about internet
security. (The fact that I know all about it anyway is neither here nor
there...we ALL get problems from users with no knowledge of firewalls or AV
progs)
 
Wesley Vogel

Rifleman;
Nobody's told me diddly, either.

In my opinion, this should go out in printed form with all new computers.
It should also be bundled with any Windows XP software.

Internet Storm Center: "If you know of someone who is about to receive a new
computer, or if you have received one yourself, please, please read our new
Windows XP survival guide, 'Windows XP: Surviving the First Day. (PDF)'"
http://isc.sans.org/presentations/xpsurvivalguide.pdf
 
Rifleman

Wesley Vogel said:
Rifleman;
Nobody's told me diddly, either.

In my opinion, this should go out in printed form with all new computers.
It should also be bundled with any Windows XP software.

Quite agree. Interestingly, I did a re-format recently, and noticed that
when I created my dial-up connection, the firewall was on by default - I had
to manually uncheck it if I wanted to. (Which I didn't.......)
 
Epona

Kathy said:
HELP!

I'm all new to the WINXP. With everything pre-installed,
I took my new pc out of box, plugged it in, hooked up to
internet and received an error message. Now HP and
others tell me I have a virus. I don't believe it. As I
said, this is brand new from factory. I receive this
error message that restarts my pc. This is the deal,
NT AUTHORITY\System has to restart, disconnecting,
initiated by the RPC Service. To me, it sounds like
something that has to do with networking. Now as I said,
HP and others immediately say it's Blaster virus. Again,
just pulled this out the box with everything pre-loaded,
including anti-virus. So, I call another so-called
expert, LOL, he said same thing, virus. Well now, after
doing some digging myself on my new pc, guess what??
I found that the NT AUTHORITY\System and RPC SERVICE,
it's part of the networking props.. However, I'm still
unsure how to go about remedying this problem.
Can anyone help!?!?!?

Oh help yourself for Hades sake! This question was asked sixteen times in
the past 36 hours! http://groups.google.com. It would have taken you less
time to search than it did to post!
 
Wesley Vogel

Rifleman;
That is interesting. I read somewhere that when sp2 comes out ICF is supposed
to be enabled by default. Maybe it's in a Windows Update already.
 
Bruce Chambers

Greetings --

What don't you believe?

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

Removal Tool for Blaster/Nachi worm infections from computers running
Win2K or WinXP
http://support.microsoft.com/?kbid=833330

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Wesley Vogel

Rifleman;
I found this while looking around Windows Update:

Windows Update Advanced Networking Pack for Windows XP Service Pack 1 (SP1).
(817778)

Overview of the Advanced Networking Pack for Windows XP
Microsoft Knowledge Base Article - 817778
http://support.microsoft.com/?kbid=817778#1

**********************
[When IPv6 is enabled, IPv6 ICF is automatically enabled for all network
connections.]
****************************
 
