NT AUTHORITY shutting down my PC

By acidosmosis · 344 replies
Aug 2, 2003
  1. SinFayth

    SinFayth TS Rookie

    I did the 5.5mb file first :S lol silly me didn't see the file size of the other file DOH!

    But we tried the 5.5mb file and it didn't work, but the 1.Xmb file seems to be working.

    Try the small one first I would
  2. defuzz

    defuzz TS Rookie

    I too used AVG virus software. It didn't find any blastworms but it did find another worm (can't remember which though)

    The AVG site has no news on the blast worm yet though so we'll have to wait until tomorrow at least.

    I've done a virus check, patched it and removed the reg entry. After restarting the MSBLAST.EXE didn't appear so hopefully it's OK now.

    I run Kazaa too, maybe that was involved.
  3. Scalpy

    Scalpy TS Rookie

    I don't have MSN 6, but do use Kazaa lite. I'm betting that's where it's come from.
  4. Jerry0

    Jerry0 TS Rookie

    I just downloaded the patch and everything seems to be fine now, but I'm not running MSN 6 and still got it.
  5. woodee

    woodee TS Rookie

    Do you use Kazaa, Jerry?
  6. TFD

    TFD TS Rookie

    Kazaa seems like a very likely source...

    It's times like this I'm glad to still be running Windows 98 :D My comp may be a POS, but at least hackers can't de-rail me :p
  7. suger and spice

    suger and spice TS Rookie


    Hi everyone, great site, I'm definitely coming back here.
    I think we're on the right track with MSBLAST.exe. I started getting the NT/AUTHORITY shutdown problem earlier this evening and am so glad I found this site.

    I was first alerted to MSBLAST by my firewall which showed maybe 10 outgoing connections by this little sucker to remote addresses which kept changing every second. I thought this was strange so I denied all outgoing access to this exe. The thing is it's in the win32 /temp folder so I didn't know if it needed to get out or not. Then I stumbled on the post with Symantec and that explained everything. I went to regedit like it said and deleted the registry setting as it states. I have had no problems since.

    My anti virus is AVG and that is up to date which proves that this exploit is real time.

    But what do we do if our anti virus does not spot it?

    I have done a search on my PC and found two msblast instances, one in c:windows /prefetch and the exe in c:windows32.

    Does anyone else have these? And should we just delete them?

    I'm running XP Pro

    Anyway best of luck to all that are suffering.
  8. TFD

    TFD TS Rookie

    As far as I know, deleting it would *not* be the best option. The few virus experiences I've had before, deleting the virus only made it "replicate" to a different spot on my hard drive.
  9. Fen

    Fen TS Rookie

    I too am having the same problem as Ilson.

    My computer just hands down won't start up anymore. My Mom got the same problem last night (98SE) but after a few hours it cleared up. I'm hoping it'll do the same for mine and start up in a few hours so I can get started on this.

    I've had the problem for a while now, but it only occurred every once in a while and it wasn't any big deal. Just today it started happening right as soon as win finished booting up, and now my comp won't start up at all.

    Hopefully I'll be able to boot up soon and try the patch.
  10. TFD

    TFD TS Rookie

    98SE you say... oh crap :|
  11. Killerbyte

    Killerbyte TS Rookie

    Let's throw some fuel on the fire! I am a cable modem tech, and just ran into this problem today. These PCs worked fine before I started the install, but when I restarted the PCs, they had this problem. Not just a little, but almost immediately on restart. It is like an endless loop of shut down and restart. So I do not think this is something that is limited to just a chance dl. I am running XP Pro, and yet am having no problems personally. I checked my system for MSBlast.exe and found nothing. And I am running msn mes 6.0. It is clear to me that at this time, I do not have this problem. What is not clear is why this problem has happened to our customers the second I restart AFTER cable modem installation. Any more uber geekiness would be very helpful, since my superiors and tech support have their heads firmly inserted in their collective asses!
  12. suger and spice

    suger and spice TS Rookie

  13. Corsepheus

    Corsepheus TS Rookie


    Had two friends who had this today

    A programmer in my office used to spam shutdowns at me with NT4 option pack

    But I wrote a workaround that spammed the cancel command whenever that came up ><

    Just can't find that anywhere now lol
  14. Fen

    Fen TS Rookie

    TFD, she wasn't getting the whole NT Auth thing, just her comp wouldn't boot up.
  15. agsswanson1981

    agsswanson1981 TS Rookie

    I had this problem and now it doesn't happen after the patch unless I am using AIM it seems... at least I think. Any ideas??
  16. Killerbyte

    Killerbyte TS Rookie

    I scanned that a few times, and while it looks like a doozy, I don't think it is the same problem, or at least all of it. They make no mention of NT Authority shut down. I may have missed it. You can understand why it is important for me to make SURE that the whole of the problem is known and fixed. Otherwise I will have some real angry customers saying I killed their PC. But this site has the best info so far.
  17. black eyed dog

    black eyed dog TS Rookie

  18. Shemyaza

    Shemyaza TS Rookie

    My son is having this MSBLAST problem. He thought there was a virus and reformatted and reloaded XP back on, but the same problem occurred. He couldn't install the firewall or the virus software because the system kept shutting down. We managed to download the patch and install it, but when he rebooted, XP took ages to load and when it did, there was no start button. We went into safe mode and managed to delete the registry key, but he can't get the virus software to load on in order to take care of the MSBLAST.EXE file. Can anyone shed any light as to why there was no start key at the bottom?

    Any help would be appreciated.
  19. black eyed dog

    black eyed dog TS Rookie

    Oh, and thanks for the help people!!
  20. Killerbyte

    Killerbyte TS Rookie

  21. newuser100

    newuser100 TS Rookie


    I am new to this place and PCs

    I tried to download the patch as told by you people. As it was downloading the message came up again and started to restart my PC.

    Now it goes in a cycle and would never allow to do anything. It does not even come up to the startup screen. It opens some page like starting rom and then windows and then restarts.

    I tried to go in safe mode but it lists some files and again restarts in cycle.

    Help me as to what I have to do???
  22. spenj2k

    spenj2k TS Rookie

    Hi Guys, I got this problem at about 9pm tonight.

    I've now run the patch, deleted mcblast, deleted the reg key for mcblast and emptied my "C:\Documents and Settings\Spencer\Local Settings\Temp" folder.

    I found my internet is now running at normal speed and I don't get the 60sec shutdown thing.

    I've now just tried to install my anti virus software again and it's not letting me, it says it can't continue and needs restarting.. I've tried restarting (installation and PC) but it doesn't work.

    I looked in task manager and found I still have about 4 svchost.exe running. I end tasked all including one that says network service, this caused the 60 sec pop up again.. after a reboot I made it so my PC wouldn't reboot with that error... now I can end task svchost, prob is tho soon as I end task a couple, 2 more pop up.. I've just looked again and I now have 3 running

    I guessed svchost had something to do with it right from the start cos I usually only have 1 of them running.

    Any ideas anyone??? (oh yeah I just nearly cried when my PC's task bar flashed from XP to classic and back again (reminded me of when I was hacked some time ago))

    I'm getting quite scared now!

    Thanks for any help and thank you for all the help so far and thanks to this forum! and its moderators
  23. Killerbyte

    Killerbyte TS Rookie

    ACH!!!! It did not explain anything about NT Authority.
  24. black eyed dog

    black eyed dog TS Rookie

    Web Worm Attacks Windows, Spreads Fast-Experts
    Mon August 11, 2003 07:23 PM ET
    SAN FRANCISCO (Reuters) - An Internet worm that takes advantage of a recently discovered, widespread security hole in Microsoft Corp.'s MSFT.O Windows software emerged around the United States on Monday, crashing systems and spreading to vulnerable computers, security experts said.
    The worm, dubbed LoveSan, Blaster, or MSBlaster, exploits a vulnerability in the Distributed Component Object service that is hosted by a Remote Procedure Call feature in Windows 2000 and Windows XP.

    Once it gets onto a vulnerable computer, the program downloads code from a previously infected machine that enables it to propagate itself. Then, it scans the Internet for other vulnerable machines and attacks them, said Johannes Ullrich, chief technology officer at the Internet Storm Center at the SANS Institute.

    In some cases, the worm crashes the victim machine, but does not infect it, he said.

    It is spreading rapidly and has infected several thousand machines, Ullrich said.

    The worm also appears to instruct the computer to launch a distributed denial of service (DDOS) attack on August 16 against a Microsoft Web site, he added. In a DDOS attack, a Web site is temporarily paralyzed after receiving requests from numerous multiple computers.

    "It's dangerous from the perspective that it can consume a lot of bandwidth," said Russ Cooper of TruSecure Corp. "Every compromised machine is constantly attacking."

    The worm contains code that includes a phrase: "Billy Gates why do you make this possible? Stop making money and fix your software," according to SANS.

    Anti-virus provider Network Associates rated it a medium risk for consumers and corporate computer users, while rival Symantec Corp. rated it a high risk for distribution and a low risk for damage.

    Security professionals have been expecting such a worm since last month.
  25. suger and spice

    suger and spice TS Rookie

    Well I've read the Reuters post and it looks like MSBLAST is quite likely to be the culprit. As I said in one of my previous posts I noticed that msblast was making around 10 outgoing connections to IP addresses that were changing every second.

    Now I don't know if Killerbyte's problem is the same, I could reboot my machine fine but as soon as I went online that's when I would get the reboot by NT Authority. I would check these machines to see if they have msblast or one of its variants.
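
The firewall observation in posts 7 and 25 (one process opening outgoing connections to addresses that change every second) can be checked for mechanically. This is an added example, not part of the original thread: the log format, the sample lines, the TCP 135 destination port and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a made-up personal-firewall log format (not real data).
# msblast.exe reaches 10 different hosts in 5 seconds; the browser keeps
# returning to the same two hosts.
SAMPLE_LOG = "\n".join(
    [f"2003-08-11 21:04:{i // 2:02d} OUT TCP msblast.exe 203.0.113.{i + 1}:135"
     for i in range(10)]
    + [f"2003-08-11 21:04:{i:02d} OUT TCP iexplore.exe 198.51.100.7:80"
       for i in range(0, 10, 2)]
    + ["2003-08-11 21:04:03 OUT TCP iexplore.exe 198.51.100.9:80",
       "this line is malformed and is skipped"]
)

LINE_RE = re.compile(r"^(\S+ \S+) OUT TCP (\S+) (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse(log):
    """Yield (timestamp, process, dst_ip, dst_port) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2).lower(), m.group(3), int(m.group(4))


def find_scanners(log, window_s=10, min_hosts=8):
    """Return {process: peak count of distinct destination IPs in any window}
    for every process whose peak reaches min_hosts."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # process -> (timestamp, dst_ip) still in window
    peak = defaultdict(int)
    for ts, proc, dst, _port in sorted(parse(log)):
        q = recent[proc]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop connections older than the window
            q.popleft()
        peak[proc] = max(peak[proc], len({ip for _, ip in q}))
    return {p: n for p, n in peak.items() if n >= min_hosts}


if __name__ == "__main__":
    for proc, hosts in find_scanners(SAMPLE_LOG).items():
        print(f"{proc}: {hosts} distinct destinations within 10 s")
```

Counting distinct destinations rather than total connections is what separates the worm's fan-out from a busy but ordinary client that keeps talking to the same few servers.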
