System Shutdown: NT Authority\System

B

Billy

My computer randomly shutsdown. A message comes up that
gives me 60 seconds to close any programs. It says it
was initiated by NT Authority\System. It also says
something about a Remote Procedure Call. How can I keep
this from happening.
 
W

wojo

Billy said:
My computer randomly shutsdown. A message comes up that
gives me 60 seconds to close any programs. It says it
was initiated by NT Authority\System. It also says
something about a Remote Procedure Call. How can I keep
this from happening.

You have the Blaster worm.

1st to stop the RPC error so it doesn't interupt you while your making
repairs:
Start | Run | services.msc /s
Scroll down to "Remote Proceedure Call (RPC)" NOT (RPC) Locator
Right click and select properties
Under the "Recovery" Tab change all failures from "Restart the Computer" to
"Restart the Service"
This will keep the RPC from coming up.

Disable msblast.exe in task manager.
Ctrl+Alt+Del | Processes | Right click msblast.exe and click "End Process"

Download the Blaster Security Patch at:
http://www.microsoft.com/security/incident/blast.asp

Download AdAware & Spybot S & D:
AdAware:
www.lavasoftusa.com/software/adaware/
Spybot S & D:
www.safer-networking.org/

Disconnect from the internet

Run AdAware & Spybot
Run the Security Patch you downloaed earlier.

Make sure you have a firewall and AV software enabled and updated.
As long as you downloded and ran the patch above Blaster shouldn't come back
but there are plenty of others that can find your computer in minutes.

Change the RPC back to "Restart the Computer" the same as you did above.

Reconnect to the Internet and download the rest of the Microsoft Update
Security Patches.

--
kwoyach[SPAM]53954@yahoo[SPAM].com
TO Email: Remove [SPAM]
If I can help you I will.
If you can help me thanks.

--

**Useful Links**
AdAware: www.lavasoftusa.com/software/adaware/

Spybot S & D: www.safer-networking.org/

Check for Parasites/Worms: www.gemal.dk/browserspy/parasites.html

CWShredder: http://www.spywareinfo.com/~merijn/downloads.html
 
G

Gary Tsang

Hi,

It appears your computer has been infected with the Blaster virus. For more
information and how to fix this please see follow this link:
http://www.microsoft.com/security/incident/blast.asp
http://www.microsoft.com/security/protect/main.asp

Microsoft Knowledge Base Article - 824146
A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious Programs
http://support.microsoft.com/?kbid=824146

More information about this particular worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Removal Information can be found here
http://www.kellys-korner-xp.com/xp_qr.htm#rpc
 
B

Bruce Chambers

Greetings --

If you connected the PC to the Internet without having first
enabled a firewall, without having first installed an antivirus
application with current virus definition files, and before installing
the KB824146 Hotfix, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

MS04-012 Cumulative Update for Microsoft RPC-DCOM
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top