NT Authorizes Shutdown

[PAtrick]

If anyone has any ideas, it would be most appreciated.
A client of mine keeps getting this error message while
surfing the internet " NT Authorizes System Shutdown "
then a countdown timer starts and the machine shuts down.
It's boggling my mind. He uses Yahoo's dial-up service
with a USB modem running Windows XP Home edition. I have
checked the system for adware and spyware; updated and
scanned with his anti-virus software; and even used
HiJackThis and havent found anything suspicious. Any help
would be great.

Thanks,
Patrick

 

[Gordon]

If anyone has any ideas, it would be most appreciated.
A client of mine keeps getting this error message while
surfing the internet " NT Authorizes System Shutdown "
then a countdown timer starts and the machine shuts down.
It's boggling my mind. He uses Yahoo's dial-up service
with a USB modem running Windows XP Home edition. I have
checked the system for adware and spyware; updated and
scanned with his anti-virus software; and even used
HiJackThis and havent found anything suspicious. Any help
would be great.

But does he run a firewall, and has he installed the Sasser update patch?

 

[Will Denny]

Hi Patrick

Have a look at the following links:

"Virus Alert About the Blaster Worm and Its Variants"
http://support.microsoft.com/default.aspx?scid=kb;en-us;826955

Sasser?
http://www3.telus.net/dandemar/sasser.htm

--

Will Denny
MS-MVP Windows - Shell/User
Please reply to the News Groups


| If anyone has any ideas, it would be most appreciated.
| A client of mine keeps getting this error message while
| surfing the internet " NT Authorizes System Shutdown "
| then a countdown timer starts and the machine shuts down.
| It's boggling my mind. He uses Yahoo's dial-up service
| with a USB modem running Windows XP Home edition. I have
| checked the system for adware and spyware; updated and
| scanned with his anti-virus software; and even used
| HiJackThis and havent found anything suspicious. Any help
| would be great.
|
| Thanks,
| Patrick

 

[Bruce Chambers]

Greetings --

As you haven't provided any specific details or error messages,
the following is the result of having to guess what your problem might
be. There are at least two possibilities:

1) If you connected the PC to the Internet without having first
enabled a firewall, without having first installed an antivirus
application with current virus definition files, and before installing
the KB828471 Hotfix, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

MS04-012 Cumulative Update for Microsoft RPC-DCOM
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


2) You've apparently contracted the latest worm, W32.Sasser.Worm,
specifically designed to attack people who do not update their
computers promptly and who do not practice "safe hex." In other
words, like Blaster, this worm was developed and distributed _after_ a
patch for the vulnerability was announced and made publicly available.
Further, and also like Blaster, this worm could not affect any
computer whose user had taken the basic precaution of using a properly
configured firewall.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next Shutdown countdown begins. This will abort the shut down. Also,
make sure you've enabled a firewall before starting, to preclude any
more intrusions while getting the updates/patches/tools.

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

A tool is available to remove the Sasser worm variants
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH

 

[Ron Martell]

If anyone has any ideas, it would be most appreciated.
A client of mine keeps getting this error message while
surfing the internet " NT Authorizes System Shutdown "
then a countdown timer starts and the machine shuts down.
It's boggling my mind. He uses Yahoo's dial-up service
with a USB modem running Windows XP Home edition. I have
checked the system for adware and spyware; updated and
scanned with his anti-virus software; and even used
HiJackThis and havent found anything suspicious. Any help
would be great.

Thanks,
Patrick

Hi Patrick.

While the "NT Authority" type error messages have been most frequently
associated with virus infestations there are in fact a number of
legitimate error conditions that can produce an error message with
these words in it.

In order to help you to specifically diagnose the cause of your
problem we need for you to provide the complete *verbatim* text of the
error message, exactly as it appears on the screen including all of
the file names and other paramters.

Good luck


Ron Martell Duncan B.C. Canada
--
Microsoft MVP
On-Line Help Computer Service
http://onlinehelp.bc.ca

"The reason computer chips are so small is computers don't eat much."

 

[Ken Blake, MVP]

In

If anyone has any ideas, it would be most appreciated.
A client of mine keeps getting this error message while
surfing the internet " NT Authorizes System Shutdown "
then a countdown timer starts and the machine shuts down.
It's boggling my mind. He uses Yahoo's dial-up service
with a USB modem running Windows XP Home edition. I have
checked the system for adware and spyware; updated and
scanned with his anti-virus software; and even used
HiJackThis and havent found anything suspicious. Any help
would be great.

As a result of not running a firewall and not keeping up with the
latest Windows updates, he very likely has a virus, probably
either Sasser or Blaster. To identify which, and for removal
instructions, post back with the exact full verbatim text of the
error message.

 

[Outpost11]

very likely has a virus, probably
either Sasser or Blaster.