NT AUTHORITY shutting down my PC

Status
Not open for further replies.
BRPlayer, as far as I am aware, svchost is a legit file that controls and runs several Win2K and XP functions. So it's not unusual to find several copies running when you check with Task Manager. It's not a file you should delete.

I can't tell you exactly which functions are being loaded by svchost, you can try searching for it using a search engine and there will be sites with articles on what the file does.

More importantly, from your description, it's not so much svchost that is your problem right now, it's the fact that the NT Authority thingie is still plaguing you, which means you have contracted and have yet to remove the worm?

Checking the earlier pages of this thread should help. Or try Cnet News or eweek for their reports as well, which should contain links to info.
 
kewlness, given that your system has been scanned and proclaimed clean, then you're probably safe as long as you keep up to date with patches and AV/firewall updates.

In the end, the larger issue is not about this particular worm alone; it's about what the end user and Microsoft should do respectively to ensure secure computing.

I have been thinking about this: I bought a computer years ago just to play games. Back then it was still MS-DOS, and I had to learn config.sys and autoexec.bat tweaks in order to maximize the amount of higher memory available (extended and expanded memory, himem.sys and emm386.exe if I recall correctly?).

Soon, for school projects, I slowly learnt word processing. But after all these years, I never learnt to program, unless you include HTML and some statistical package stuff.

But I have found myself increasing visits to sites like Techspot for their tweak guides, etc. It seems to me that in order to really use a computer optimally and securely, one almost has to become a "techie" by default and necessity. I mean, now I even assemble my own systems instead of buying from Dell and the like...

I don't know if this is asking a bit too much of end users, most of whom would just simply like to run their everyday productivity programs, games, surf and that's about it. What do you guys think?
 
tkteo...tks for the response

I think as time goes by, end users (such as myself...lol) will have to become more knowledgeable or else their computers won't last 24 hrs.

2:24 a.m. here...zzz....g/nite
 
Interesting graph

From CNet news.com round-up about the worm:

[Image: msb_chart4.gif]
 
Thank goodness for this site. I am a relative novice on my machine and am just learning the ropes really. I feared the worst when I couldn't shift the shut down messages. Used my office pc to search google and found this.

Great community spirit :D , thanks for all the tips.

By the way, my computer seems ok now after using the removal tool and then downloading the patch (fingers crossed, touch wood, etc, etc...)
 
RPC Call

Originally posted by acidosmosis
lil_lars80; Yea, you will only be affected when you're online. Setting Remote Procedure Call to take no action will stop that from happening.

Hello, I had this problem late at night on the 11th, thought that was my XP that was causing me problems, and I knew that the RPC Call was one of the Services so I set it to take no action to stop the continuous shut down. Unfortunately I'm not an expert so I also disabled the hardware profile. That stopped the problem but created others like losing my taskbar, being unable to cut, paste or copy anything or opening several programs. I got rid of the MSBlast but when I tried to activate the RPC Call I couldn't, it gave me an error 1058 message that probably had to do with the hardware profile that I don't know how to enable again.

Can any of you pleaseeeeeeeeeeeeeeee help.

Thanks.
 
what do you make of this

Has anyone experienced problems even after removing the virus? I have Norton AntiVirus at home telling me it's unable to start up its messenger scanner; my old MSN Messenger doesn't work anymore but MSN 6.0 does. Sygate Personal Firewall won't install; it says "Error loading support files Error loading support type library/DLL" (svchost is related to DLLs running in the background). Also, when trying to install a different version of Norton AntiVirus I get an error where it says it was interrupted and can't continue the install.
 
for the norton antivirus, try going into options and select "page defaults" for every option page.

did u try to install sygate/norton in safe mode?
 
I didn't try them in safe mode but I will give it a go later today, thanks. Why would I need to do this though? Could the virus have corrupted my Windows Installer or maybe some DLLs?
 
Ilsom - Your computer won't start problem - make a new thread in "Other Hardware" forum, let's keep this thread on topic.

killerbyte - If you believe the cable modem installation problem is not related to this worm - make a new thread in "Storage & Networking" forum (or Windows OS if you feel it's more about the OS).

solarist - Make new threads about the keylog thing and ports 1025 & 1026 if you want, let's keep this thread on topic.

slowEJ6 - ditto about ACMru.


Those who are concerned about svchost - as its name might tell, it's Service host - if you somehow would be able to delete it, your OS wouldn't work after that.
 
I had the following files which AV software found to be infected....

gyuiiw.dll
xtvvjtf.dll
xtvvjtf.exe
SSF8.tmp
msblast.exe
xtvvjtf.exe******.pf
msblast.exe******.pf

The first five were in the Windows\System32 dir; however, the last two, ending in .pf, lurked in the Windows\Prefetch folder and definitely needed deleting, otherwise they seemed to recreate their counterparts back in \system32 on reboot!!
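
An added example, not part of the original post: Windows names Prefetch entries after the executable that ran (EXECUTABLE-hash.pf), so a .pf file is a record that the named program was executed. The Python sketch below correlates a System32 listing with a Prefetch listing for the executables named in the post; the sample paths and hash suffixes are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Executable names reported as infected in the post above.
WATCHLIST = {"msblast.exe", "xtvvjtf.exe"}

# Prefetch entries are named <EXECUTABLE>-<8 hex digits>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-[0-9A-F]{8}\.pf$", re.IGNORECASE)

def prefetch_executable(pf_path):
    """Return the lower-cased program name a Prefetch entry refers to, or None."""
    m = PF_NAME.match(PureWindowsPath(pf_path).name)
    return m.group("exe").lower() if m else None

def correlate(system32_files, prefetch_files, watchlist=WATCHLIST):
    """Map each watched executable to what the two listings say about it."""
    on_disk = {PureWindowsPath(p).name.lower() for p in system32_files}
    traced = {prefetch_executable(p) for p in prefetch_files} - {None}
    report = {}
    for exe in sorted(watchlist):
        if exe in on_disk:
            suffix = ", has run" if exe in traced else ", no run trace"
            report[exe] = "binary present" + suffix
        elif exe in traced:
            report[exe] = "binary removed, execution trace remains"
        else:
            report[exe] = "not found"
    return report

# Constructed sample listings (hash suffixes are made up).
SAMPLE_SYSTEM32 = [
    r"C:\Windows\System32\xtvvjtf.exe",
    r"C:\Windows\System32\svchost.exe",
]
SAMPLE_PREFETCH = [
    r"C:\Windows\Prefetch\MSBLAST.EXE-0A1B2C3D.pf",
    r"C:\Windows\Prefetch\XTVVJTF.EXE-11223344.pf",
    r"C:\Windows\Prefetch\Layout.ini",
]

if __name__ == "__main__":
    for exe, state in correlate(SAMPLE_SYSTEM32, SAMPLE_PREFETCH).items():
        print(f"{exe}: {state}")
```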
 
The Patch

I have Windows XP 32 Bit & I tried downloading the Patch but when I go to the Wizard, I got to the 2nd step then the wizard just shut down. So I tried again about 30 times afterwards, & again the same thing happened. I went to the link given on the start of this Thread, so why can I not download the patch? How do I download the patch?
 
Re: problem with the patch??

Originally posted by BlueMagic
I just realized I had this worm, so I downloaded the patch off of Microsoft's website, but as I'm trying to install it, it says, Extraction Failure because "xpsp1hfm.exe is not a valid Win32 application" And then it stops. What is going on, and how can I fix this??? Please please help!! :-(

You need to download the 32-bit version of the patch. Sounds like you downloaded the 64-bit version.
 
32 bit

I did download the 32 bit version, but it won't work. The wizard starts, then I click on agree to terms then it goes to the next step, then I click on next then the wizard just shuts down.
 
guys! I also experienced that NT stupid thing lately, so I searched for what that is at Google, I saw your site, damn! u guys really helped solve my problem! thanks guys!!! I'll stick and support your site forever!!! :)
 
Hey guys you don't have to do all that services config stuff to stop the shutdown. In the middle of the shut down go to run and type shutdown -a this will temporarily disarm the thing till u can download patches and fixes. ;)
 
What You Should Know About the Blaster Worm
Updated August 12, 2003, 6:30 P.M. Pacific Time

At 11:34 A.M. Pacific Time on August 11, Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS). A worm is a subclass of a virus that generally spreads without user action and distributes complete copies (possibly modified) of itself across networks. A worm can consume memory or network bandwidth, thus causing a computer to stop responding.

Update: Several antivirus companies have responded and written tools to remove the Blaster worm.

Who Is Affected?
Users of the following products are affected:

Microsoft® Windows NT® 4.0
Microsoft Windows® 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003

The virus was discovered August 11. Customers who had previously applied the security patch MS03-026 are protected. To determine if the worm is present on your machine, see the technical details section of the PSS Security Response Team Alert.

Why We Are Issuing This Alert
A new worm known as W32.Blaster.Worm (also known as MBlaster, W32/Lovsan.worm, MSBlast, W32.blaster.worm, Win32.posa.worm, Win32.poza.worm) has been identified that is seeking to exploit the vulnerability that was addressed by Microsoft Security Bulletin MS03-026. Blaster is designed to launch a denial of service attack against Microsoft's Windows Update Web site.

http://www.microsoft.com/security/incident/blast.asp
 
Originally posted by Laser558
First post on this forum and let me start by saying one big thanks for all the help offered on this "lovesan" virus. Been getting same NT Authority shutdown errors since Sunday night and found you all as the top hit on Google.
Managed to beat the shutdown and download the patch along with AV updates (just changed IE6 privacy settings to max....seemed to do the trick, or was I just lucky?). AV found the virus and allowed me to delete it (had to use safemode for a couple of awkward files) and cleaned out associated entries in registry as suggested.
All seemed OK on reboot, HOWEVER started to see message appear on screen at random when not connected to the internet (56K modem) saying "YOU OR A PROGRAM IS TRYING TO CONTACT MICROSOFT.COM....WHICH CONNECTION DO YOU WISH TO USE?"
This would reappear every 10 mins or so and made me wonder whether something has been left behind on my pc, with regards to this possible DDOS attack on Microsoft on Aug 16th!!
Ran a basic search for this interesting SVCHOST.exe file and found one somewhat similar lurking in the Windows Prefetch folder. It was called SVCHOST.exe******.pf or very close and was a real swine to delete, even in safe mode. After three/four attempts causing pc to crash whilst deleting, it has finally gone and no more messages re an attempt to contact Microsoft!! All in all a very interesting experience BUT I am not sure it's all over yet.

I don't know if this helps, but we were talking about the worm not having a payload on our forums, and we got this response...
And this thing does carry a payload of sorts. It's set to do a DOS attack against support.microsoft.com on the 15th or 16th of August.

May explain why something is trying to contact MS.
 
Blah

i got tha MsBlaster.exe the way i got rid of it was i downloaded the patch restarted the computer and then i did alt ctrl del and ended the task on it then i went to the XP Search on my computer and searched Ms.Blaster.exe and it found it so i deleted it... but the thing is though my dad logged on his user name and he got the message and when i logged on mine i didn't get it hmm wonder what happened there?
 
hi guys,
still got the problem,
the problem i am getting is that i can't download the windows updates. when i go to microsoft update site , it then scans my machine and see what i need but after it does all that and i select install it just does nothing.
the dialog box comes up and asks if i accept the install and terms and i accept and nothing happens.
just stays there on that page. can't see anything downloading and checked nothing has been downloaded.
the first one i need to install is the service pack or the express update. but i can't install it.
by the way the msblast keeps coming back as when i check in taskbar manager its there and i have deleted it many times.
i have installed the fixit tool by norton and tried to apply patch but i think it doesn't fully apply and its installing dialog box just disappears.
most important is to update windows but i can't.

please guys can anyone help.

ps i have looked in this discussion but no answers.
 