NT AUTHORITY shutting down my PC

Status
Not open for further replies.
Right, it seems I'm all clear now, huge thanks to TechSpot :grinthumb
What I would like to know is what's the best way to protect myself in future? I'm no computer expert, you see :confused:

Any help gratefully received :)
 
This was posted on one of the forums I frequent, and my brother has just got this virus.

If this is going over what has been said already I apologise.

Hello everyone. Like many other people here, my computer was infected
by the lovesan/msblast virus. I managed to remove the virus and fix
the problems it caused without the help of anti-virus software, and I
thought I'd share with everyone else.
This virus only infects computers running Windows 2000 or Windows XP.
I run Windows XP, so I do not know how much of the following
information applies to Windows 2000.
Here are the symptoms of the virus:
1) When Windows starts up, you may get an error message which says
that a file named "TFTP" (or something similar) cannot be found. The
filename will have a random number at the end. For example, mine was
"TFTP2434".
2) After Windows has been running for a few minutes, the following
error message occurs:
"This system is shutting down. Please save all work.
This shutdown was initiated by NT AUTHORITY\SYSTEM
Windows must now restart because the Remote Procedure Call (RPC)
service terminated unexpectedly."
After this message pops up, the system will shut down after one
minute, and there's nothing you can do to stop it. When Windows
restarts, the same thing will happen again after a few minutes.
3) Sometimes you will get the following message:
"Generic Host Process for Win32 Services
has encountered a problem and needs to close.
We are sorry for the inconvenience."
Closing this window will usually result in getting the "This system is
shutting down" message with the one minute countdown.

How to remove the virus:
Note: In order to prevent the system from crashing while you are
trying to remove the virus, you should start up your computer in Safe
Mode (*without* network support).
1) In Windows, press and hold down the ctrl, alt, and del keys to make
the Windows Task Manager pop up. Click on the Processes tab and look
for a process named msblast. This process is the virus running in your
computer memory. To remove it, click on it and then press the End
Process button. Now the virus is not running in the background.
2) Go to your C:\Windows\System32 folder and look for the file named
msblast.exe. Delete it. Now the virus cannot be executed again. Also
look in your C:\Windows\prefetch folder for files with similar names.
For example, I found a file named "msblast.exe -o9FF84F2.pf". If you
find any such files, delete them as well.
3) Click on the Start button and then click on Run. Type in "regedit"
and hit Enter. This will run the Windows registry editor. Navigate to
the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Click on the "Run" key and several values will appear to the right.
Look for the value named "windows auto update". The data for this
value will read "msblast.exe" or something similar. This is what makes
the virus start up every time Windows starts. Delete it.
4) Look in your StartUp folder in the start menu for a file named
"TFTP" or something similar. This is responsible for the error message
that occurs when Windows starts up. Delete this file.
Note: If you started up in safe mode, you now need to reboot your
computer in normal mode in order to access the internet.
Another Note: With the virus removed, you'd think your computer
wouldn't crash anymore but mine still did (although it didn't seem to
do it as quickly as before). After I ran Windows Update, the crashes
stopped (see below).
5) Next, run Windows Update from the Start Menu. This will patch the
bug that allowed you to get the virus in the first place.
Specifically, the patch you are looking for has the id number 823980.
You should probably select just that patch because the system might
still shut down at any minute (although this did not happen to me
during the update). Once the patch is installed you should stop
getting error messages and you can then download other patches if you
want to.
6) The virus can still be in your Recycle Bin or in a System Restore
backup. To be safe you should now empty your Recycle Bin. Next you
should disable and re-enable System Restore. This should delete your
backups. To disable System Restore, first run the System Restore
program (It should be in your start menu under
programs\accessories\system tools\) and then click on the link that
says "System restore settings." Check the checkbox that says "turn off
system restore on all drives" and hit ok. You can re-enable it the
same way.

Hope this helps.
For further information:
http://us.mcafee.com/virusInfo/defa...&virus_k=100547
http://securityresponse.symantec.co...aster.worm.html
http://www.f-secure.com/v-descs/msblast.shtml
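
The indicators that steps 2 to 4 of the quoted procedure say to look for can be checked in one pass. This is an added example, not code from the thread or from any vendor: the `reg query` text, the directory tree and the prefetch and startup file names are constructed samples, and `find_indicators` and `parse_reg_query` are hypothetical helper names.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of `reg query` output for the Run key named in step 3.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    windows auto update    REG_SZ    msblast.exe
"""

def parse_reg_query(text):
    """Turn `reg query <key>` output into {value name: data}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s+REG_[A-Z_]+\s*(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values

def _child(parent, name):
    """Case-insensitive lookup: NTFS ignores case, other hosts may not."""
    if parent is None or not parent.is_dir():
        return None
    return next((p for p in parent.iterdir() if p.name.lower() == name.lower()), None)

def find_indicators(windows_dir, startup_dir, run_values):
    """Return (kind, name) pairs for each indicator from the post that is present."""
    found = []
    exe = _child(_child(Path(windows_dir), "System32"), "msblast.exe")  # step 2
    if exe is not None:
        found.append(("worm_file", exe.name))
    prefetch = _child(Path(windows_dir), "Prefetch")  # step 2
    if prefetch is not None:
        found += [("prefetch", p.name) for p in sorted(prefetch.iterdir())
                  if p.name.lower().startswith("msblast") and p.suffix.lower() == ".pf"]
    for name, data in run_values.items():  # step 3
        if name.lower() == "windows auto update" or "msblast" in data.lower():
            found.append(("run_value", name))
    startup = Path(startup_dir)  # step 4
    if startup.is_dir():
        found += [("startup", p.name) for p in sorted(startup.iterdir())
                  if p.name.lower().startswith("tftp")]
    return found

def demo():
    """Scan a constructed directory tree that holds every indicator."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("WINDOWS/system32", "WINDOWS/Prefetch", "Startup"):
            (root / d).mkdir(parents=True)
        for f in ("WINDOWS/system32/msblast.exe", "Startup/TFTP2434",
                  "WINDOWS/Prefetch/MSBLAST.EXE-09FF84F2.pf",
                  "WINDOWS/Prefetch/NOTEPAD.EXE-336351A9.pf"):
            (root / f).touch()
        return find_indicators(root / "WINDOWS", root / "Startup",
                               parse_reg_query(SAMPLE_REG_OUTPUT))

if __name__ == "__main__":
    print(demo())
```

An empty result only means these specific names are absent; it says nothing about whether the patch from step 5 is installed.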
 
I've been hit

I just had the same problem as described here. My PC kept shutting down with the NT.AUTHORITY/SYSTEM and remote procedure call message (RPC).

Have loaded the Microsoft patch and it seems to be working, although I have some questions. Scanned files with Norton AV, which then picked it up, claimed fixed but unable to remove W32.Blaster.Worm. Why didn't it pick it up originally? How do I totally remove it?

Also, would Norton firewall, if loaded, stop this problem in the future?

Thanks
 
just my personal opinion, and not based on ANY kind of fact...

W32.Blaster.Worm sounds like it may be some sort of variant of msblast.

Why it wasn't removed is most likely because it is in the protected system restore files. You will need to clean them, because any virus in there cannot be deleted whilst system restore is enabled.

This seems to be a fairly new virus, and not everyone has updated their definitions. Also, if you have a Norton protected Recycle bin, it MAY reside in there if you have attempted to delete it.

I HATE Norton with a vengeance, I don't know why, I just don't get on with it. I personally use AVG Anti-virus.

Will a firewall help? Pass. A firewall does not stop viruses, it attempts to prevent unauthorised remote access. If a virus gets on your machine, then no matter how good your firewalls, it can still reconfigure your PC to access outside.

Now I have the Windows XP Firewall turned OFF (Part of my inherent mistrust of MicroShaft) BUT I have Zone-Alarm Pro installed on my PC, and my router, the Netgear FR114P has a ProSafe firewall in it. As far as I am aware, it is a NAT firewall, but I could be wrong.

I hope that helps, but please take note that I am a novice and most of the above is speculation.
 
I still believe something is not right here, something we cannot see or we don't know enough about (i.e. svchost). msblast seems to be more like a decoy.

At work today someone was connected to our network and had msblast on their laptop. I've now removed that and can't seem to find it on any other machines. I've patched most of our admin machines with the 32bit patch but we then seemed to have problems with Outlook even on machines that weren't patched, and I hadn't patched the servers. The Exchange server wasn't letting us access Outlook's inbox/send messages/view contact lists on various machines, and some where it did load up had Outlook then close after a few seconds. The only process running was STORE.exe, which was using 400mb of resources! We restarted all 3 servers and now things seem fine.

I would say this was coincidence but have just heard from an old colleague at another company who have had the same problem.

Our exchange server is also hosting the website and therefore presumably has open ports and the like. (so is the other company)

Any ideas anyone?


Cheers
 
Hi, thanks to all the good information on these boards I think I have successfully removed the "scum", and my system comes up clean.

But my firewall (Zonealarm) keeps informing me that it has blocked internet access to my computer (TCP port 135) from various IP addresses. In fact over 100 attempts per hour at the moment! And all of them are from IPs which are identical to mine apart from the last 3 digits.

Is anyone else having the same thing happen to them? I am on cable, I suspect maybe there are other local computers which are still affected and they are coming up with my IP address and attempting to gain access.

Is there any other course of action I can take or should I just sit tight and wait?

thanks in advance
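
The pattern this post describes, blocked TCP port 135 connections from addresses that differ from the recipient's only in the last octet, can be summarised from a firewall log. This is an added example, not part of the original post: the log line format and the addresses (documentation ranges) are constructed and do not reproduce ZoneAlarm's own log format, and "same subnet" is assumed to mean the same /24.

```python
import ipaddress
import re
from collections import Counter

# Constructed log format: "<date> <time> BLOCK <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+ \S+) BLOCK (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

# Constructed sample; 198.51.100.140 plays the role of the poster's own address.
SAMPLE_LOG = """\
2003-08-13 10:01:12 BLOCK TCP 198.51.100.23:3051 -> 198.51.100.140:135
2003-08-13 10:01:40 BLOCK TCP 198.51.100.201:1188 -> 198.51.100.140:135
2003-08-13 10:02:03 BLOCK TCP 198.51.100.23:3052 -> 198.51.100.140:135
2003-08-13 10:02:31 BLOCK TCP 203.0.113.9:4410 -> 198.51.100.140:135
2003-08-13 10:02:55 BLOCK TCP 198.51.100.77:2210 -> 198.51.100.140:445
2003-08-13 10:03:10 BLOCK UDP 198.51.100.23:1026 -> 198.51.100.140:135
2003-08-13 10:03:18 BLOCK TCP 198.51.100.201:1189 -> 198.51.100.140:135
2003-08-13 10:03:44 BLOCK TCP 198.51.100.23:3053 -> 198.51.100.140:135
2003-08-13 10:04:01 BLOCK TCP truncated-line
"""

def rpc_probe_sources(log_text, my_ip, port=135):
    """Count blocked inbound TCP connections to `port` per source address."""
    my_net = ipaddress.ip_network(f"{my_ip}/24", strict=False)
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of guessing
        _, proto, src, _, dst, dport = m.groups()
        if proto == "TCP" and dst == my_ip and int(dport) == port:
            counts[src] += 1
    return [
        {"source": src, "hits": hits,
         "same_subnet": ipaddress.ip_address(src) in my_net}
        for src, hits in counts.most_common()
    ]

def probing_neighbours(log_text, my_ip, min_hits=2):
    """Sources on the same /24 that probed port 135 at least `min_hits` times."""
    return [r["source"] for r in rpc_probe_sources(log_text, my_ip)
            if r["same_subnet"] and r["hits"] >= min_hits]

if __name__ == "__main__":
    for row in rpc_probe_sources(SAMPLE_LOG, "198.51.100.140"):
        print(row)
```

Repeated hits from same-subnet sources are consistent with neighbouring machines still scanning; the list is something to hand to the ISP, not proof of infection on its own.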
 
I also have received this message, and attempted to add the patch. But my pc is logged off after 1 minute, while we need longer to install the patch. Any suggestions as to what we can do?
 
Microsoft Knowledge Base Article - 250320 - Description of Svchost.exe in Windows 2000

Microsoft Knowledge Base Article - 314056 - A Description of Svchost.exe in Windows XP

More info here
http://www.annoyances.org/exec/forum/winxp/n1037995042
http://www.grtg.org/stuff/computers/windows/svchost_exe.php
http://www.ntfaq.com/Articles/Index.cfm?ArticleID=20609

RE STORE.exe
327332 - XADM: Store.exe Process Causes 99-100 Percent CPU Utilization


RE: eddieerfy
Originally posted by Thodin here
Up-to-date antivirus software should be able to detect and remove the worm, but they can't stop you getting infected in the first place. For that, you'll want to update Windows, making sure you have the latest security fixes, particularly those fixing the vulnerability used by this worm in the Remote Procedure Call service. A firewall blocking any connections to port 135 should also work.



RE: howard
Check my first post on this page, the large quote, post id 54905
 
thanks thanks thanks..!

I could kiss you guys.. thanks a lot for fixing this annoying bug.. I had to format twice and it still was there. But I got rid of it thanks to you guys..
 
Thanks, this post helped me out a lot. I noticed after solving this problem that I had a file called MSBLAST.exe constantly hitting my firewall. After looking round the net I found this is apparently a virus, so maybe that's what started my problems. I never had any of these troubles with Win98. Good old Microsoft :( .

thanks again guys.
 
nt authority system shutting down my pc

Hi to all and thanks for your help already! I see that I have the same problem that many of you have...however nt shuts mine down in 2 minutes. How will I have time to install the patch?
Any help would be greatly appreciated. Thanks much and have a super day!
 
Nancy, if you can download the patch quick enough. It is a small
file. Then I disconnected from the internet, then installed the patch,
and reconnected, and I have been OK since then.
regards othg_chris774
 
Originally posted by Killerbyte
I would hold off on the summary. I got a feeling that we are all in for some solid twists before this is done. I don't think the fixes are final. I think there is more to come here.


I completely agree with this. I've done everything mentioned in this thread, and it all seems fine now, but I have this very strange feeling that it is not over.
 
I was surprised not to see anything on TV about this incident, but it's been posted all over the net and in my local paper, even. I think a lot have caught on how to fix this, and Microsoft is waiting to see what happens on August 16th...

I'm glad we all got together to beat this thing...I think I'm gonna hang out at this site and these boards more often.
 
Nancy,

Go back to my post here and follow the procedure I outlined...it should help you. You may have a diff. OS, but you should be able to fix the problem.

Hope that helps!
 
For everyone that is seeing constant attempts to connect with port 135 on your computer: this is going to continue. Every infected machine out there is actively pinging for vulnerable port 135 access. The Microsoft patch does not close port 135, it simply fixes the flaw that allows NT Authority/Msblast to access your computer through that port.

Steve Gibson of Gibson Research is actively working on a solution to safely block or close port 135. You might want to visit his site.
While you are there, run his free "Shields Up" test, which tests how vulnerable your computer is to being accessed (it also tests your firewall). His site is

http://grc.com/default.htm

unfortunately it appears he is temporarily down so you might try visiting him later.
 
Similar problems,

Had the NT/Authority shutdown within 30 seconds of any internet connection all last night.

AVG found the lovsan and removed it this morning

Task manager and regedit are still shutting down immediately after launch.

Zone Alarm has blocked 70+ attempts From "Windows Explorer" trying to access the internet in about 2 minutes. But I can still use IE to surf the web.

And I'm going through serious withdrawal symptoms from Star Wars Galaxies. (I curse the friend that talked me into getting this game)
 
I got the patch downloaded last night, and got the new Norton update installed, and everything is squeaky clean over here. Also took the opportunity to clean out all my cache, temp internet folders, history, defrag and scandisk. I recommend everyone else doing the same thing. Don't know what kind of crap this thing has left behind.

I used to have Zone Alarm installed, but thought it might not be of any use to me since I don't have a constant internet connection - I've changed my thinking :) I'm going to download Zone Alarm today and get it running again.

For those of you that think that the "NT AUTHORITY" messages aren't related to the Blaster worm - just read the latest Associated Press article that confirms the two are connected.

Hopefully this whole mess will convince those that have opted out of having any kind of virus protection, to get protected!
 
I read earlier from someone in here that they were having difficulty downloading the whole patch before the thing shutdown. Luckily I have a download accelerator I got before I ever had this problem. If any of you have it out there, then you can just pause your download before it crashes, and resume it when it re-loads. Pain in the butt, I know, but it's what I had to do. Here is my question. Did you guys' computers shut down any time they felt like it? My computer would only give the NT AUTHORITY SYSTEM message when I got on the internet. Thanks, and sorry for the low IQ I have when it comes to these things. I can work a computer, but I'm no hacker or systems analyst or whatever you call the smart people who understand these things.
 
newtempguy: From my end, it appeared that it would only shutdown when there was a connection to the internet. Further, as long as that MSBLAST.EXE program was loaded in the background, it was constantly sending data out even when I was not running a web browser or email. So somebody out there does have some of my files! :(
 
Error

Hello, I'm Dutch and when I download the patch from the Microsoft site and try to install it, I get an error which says: "Setup cannot update your Windows XP files because the language installed on your system is different from the update language".

I've tried to find a Dutch version of the patch , but I haven't found it yet.. :(

Can anybody plz help me with this one? Because otherwise I'll never get rid of this annoying problem of rebooting over and over again!

id (I've run the FixBlast patch from Symantec)
 

further problem with trying to install the patch...

So. I've managed to rid my system of the worm once, and shall likely have to do so again after I get offline.

My major problem is this: when I try to install the patch, it quits the install and says 'unable to verify integrity of update.inf. please check that the cryptographic service is running'

I've never seen anything like that before, and it means I can't install the patch and am consequently being reinfected.

the other instructions for avoiding the system restart and other things here have been incredibly helpful, hopefully i can fix this bit as well.

thanks :)
 
I think you guys are making this harder on yourselves than it needs to be. If you are in fact being shut down by "NT AUTHORITY" then the following will fix the problem for you.

This is an email I sent to all of our customers. (I work for an ISP). I had a few calls last night from friends and one customer which were having this problem. After they followed these instructions below that I gave them, the problem was fixed.


***IMPORTANT INFORMATION***

You may have been experiencing an issue when you are online which causes your computer to shut down. In Microsoft Windows there is a security flaw which allows hackers to cause your computer to shut down. If you receive a message stating that NT AUTHORITY is shutting down your computer and you have 45 seconds to save all your work then you will need to follow the instructions below. If you have not already been affected by this problem then you may soon so please still follow these instructions. The only computers which are immune to this problem are the ones that have had a full Windows update in the past few weeks from Microsoft's website.

To prevent this problem from occurring immediately:

(Your computer will then no longer be affected by this problem. You will not need to be online to do this).
Click Start, Control Panel, Administrative Tools, Services, browse down till you see "Remote Procedure Call (RPC)". Right click on that, and click Properties. Click Recovery. In the boxes that say First, Second and Subsequent failures, browse down on the lists and select "Take No Action". Then just click Ok.

This will stop your computer from shutting down. (Hackers have found an exploit which takes advantage of a Windows security feature which shuts down your PC in case a problem occurs -- This disables that feature).

Download the Microsoft Windows security updates:

(You will need to be online for this part of the instructions. If you followed the instructions above your computer will no longer be shut down so you will have no problem getting these updates).
Visit http://windowsupdate.microsoft.com and download all updates marked "security update" or "critical update". You can click on Remove for the rest, unless you just want to install those too. Either way it won't hurt.

If you would like more information about this problem then read the Yahoo! article at http://story.news.yahoo.com/news?tmpl=story&u=/washpost/20030812/ts_washpost/a46233_2003aug11

If you have any questions please give us a call. Please do not feel threatened by this problem. It can cause no harm to your computer and will only cause your computer to shut down in which case all you can do is restart your computer. This is affecting everyone across the Internet with Windows versions higher than 2000.


There is no need to download ANY software, or anything of the sort. Just follow the instructions above and then liveupdate for Norton Antivirus if you have it and run a scan just to make sure.
 
For me...

The NT AUTH/SYS restart only popped up after an Internet connection was made. I logged back into Windows XP under a different user, connected to Internet using a different server and everything was fine, thus, research led me here.

Then, I updated all available Windows security updates (about 30 something)...'sigh' and everything has been fine. I've searched high and low under all users of the computer for the MSBLAST.exe file and there isn't one...'whew'. My AV is updated and all scans were clean.
<--------knocking on wood w/fingers crossed!!!

THANKS for all the info everyone has provided!!!!!
 