NT AUTHORITY shutting down my PC

Status
Not open for further replies.

acidosmosis

A few times a message has appeared on my screen suddenly telling me that NT AUTHORITY/SYSTEM was going to shut down my PC. All you can do is save your work and basically take it like a man unfortunately and let your computer reboot.

This is a security flaw in Microsoft Windows, mainly NT/XP/Server.
If you see this message you should install Windows updates as soon as possible. There is basically someone out there sending data to your PC causing this to happen.




Advisory Warning to all users of the following operating systems:

Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

Your Microsoft Operating System may potentially be under attack by HACKER ACTIVITY. The vulnerability attack can fool software into accepting insecure commands that could let intruders steal data, delete files or eavesdrop on e-mails.

Due to the seriousness of this vulnerability the Department of Homeland Security and Microsoft encourages system administrators and computer owners to update vulnerable versions of Microsoft Windows operating systems as soon as possible.

Our recommendation is to please go to:

http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp to install the patch immediately.
 
Thought I'd pass around some info that's going around at my job about this exploit - not sure if it'll help anyone though

****> It should be noted, however, that since the vulnerability
permitted an attacker to do almost anything with a victim machine, the
information below may represent only one of many possible attack
results. Therefore, the absence of the files described below should
*not* be considered to be a conclusive indication that a system was
not compromised due to this vulnerability.

The latest version of McAfee VirusScan Enterprise 7 (and I would guess
VS 4.5.1 also) does NOT recognize any files related to exploiting the
RPC DCOM vulnerability as being problematic. This may not be
surprising, since we're not dealing with a virus - yet. Please don't
rely on a virus scanner to find these, or similar files on a system at
this time.

Files that exploit RPC DCom will only show up on a machine as part of a
kit that one might use to carry out attacks on remote hosts. However,
because such files can only be installed when an attacker has
substantial access to a victim machine, the most reliable method of
clean up is to rebuild the victim machine from known, good media,
while __NOT__ connected to the network (e.g., rebuild and _fully_
patch, and enable the XP built-in firewall, while behind a firewall
device (e.g. Linksys BEFSR41), or while disconnected from the network).

Hence, if a host is discovered to have been the victim of the RPC DCOM
exploit, and until organizations such as CERT, NAI, etc can issue more
definitive information on what the bounds of these exploits might be,
Information Security can only endorse the recommendation that the
machine be rebuilt. As soon as we become aware of a less-drastic yet
more certainly effective means of ensuring identification of whatever
the attackers may have done, we will pass that along.

Several of the victim workstations examined have had the following
characteristics in common (note: these characteristics represent only
one "footprint" - there are certainly other, different footprints
related to exploiting RPC DCOM - absence of these files does *NOT*
mean definitively that the system was not victimized in some other way):

* Three files located in a directory named "c:\temp"
+ directx.exe
+ cygwin1.dll
+ rpcroot.exe

* Some of the machines examined had a copy of directx.exe and
rpcroot.exe in c:\windows\system32.

* Directx.exe, while a file by that name may normally be present as
part of the Windows 'Direct-X' display facility, is in this case
actually an IRC server. When executed, directx.exe will create the
following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+ C:\test\directx.exe

HKLM\SOFTWARE\ColdVision
+ (Default)
+ update

* In addition to the registry entries, directx.exe will generate two
text files (in the same directory as directx.exe):
+ JoinMe.conf
+ operators.conf
The "operators.conf" file is empty, while "JoinMe.conf" contains 22
lines of IRC server configuration variables (with no interesting
values). It has been reported that directx.exe may contain a client
component which attempts to connect to an IRC server at 38.115.134.245.

* After a re-boot, the victim host will be running the IRC server on
port 6667

* Turns out that directx.exe and "ColdVision" have a bit of a history.
See http://vil.nai.com/vil/content/v_100024.htm

* The rpcroot.exe file is a script-kiddie utility that will allow one
to reboot vulnerable Windows machines remotely (via the RPC DCom issue).
Note that rpcroot.exe does not give one a shell on the victim machine
(other utilities floating around the Internet apparently will provide
shell access).

Cygwin1.dll is, of course, probably used in support of the IRC server
(directx.exe). It's possible for rpcroot.exe to be used for any
number of bad deeds: e.g., from general trouble making, to remotely
rebooting other victim Windows machines for the purpose of bringing up
newly installed IRC servers.
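As an added example (not from the original post or the quoted advisory), a small Python triage script that checks host data collected beforehand against the footprint listed above: the three c:\temp files, the ColdVision and Run registry entries, the listening port 6667 and the reported IRC address. It assumes the inputs are a file list, `reg query` output and `netstat -an` output; the sample host data at the bottom is constructed, not captured from a real machine.

```python
import re

# Footprint indicators listed in the advisory above; absence clears nothing.
FOOTPRINT_FILES = {
    r"c:\temp\directx.exe", r"c:\temp\cygwin1.dll", r"c:\temp\rpcroot.exe",
    r"c:\windows\system32\directx.exe", r"c:\windows\system32\rpcroot.exe",
}
FOOTPRINT_REG_KEY = r"hklm\software\coldvision"
FOOTPRINT_RUN_DATA = r"c:\test\directx.exe"
IRC_PORT, IRC_CONTROLLER = 6667, "38.115.134.245"

def parse_netstat(text):
    """Return (listening TCP ports, established remote peers) from netstat -an."""
    listening, peers = set(), set()
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+(\S+):\d+\s+(\w+)", line)
        if m and m.group(3) == "LISTENING":
            listening.add(int(m.group(1)))
        elif m and m.group(3) == "ESTABLISHED":
            peers.add(m.group(2))
    return listening, peers

def triage(file_list, reg_query_output, netstat_output):
    """Return the footprint indicators found on one host (empty list if none)."""
    findings = []
    present = {p.lower() for p in file_list}
    for f in sorted(FOOTPRINT_FILES & present):
        findings.append("file present: " + f)
    # reg query prints HKEY_LOCAL_MACHINE; normalise to the advisory's HKLM form
    reg = reg_query_output.lower().replace("hkey_local_machine", "hklm")
    if FOOTPRINT_REG_KEY in reg:
        findings.append("registry key present: HKLM\\SOFTWARE\\ColdVision")
    if FOOTPRINT_RUN_DATA in reg:
        findings.append("Run key references C:\\test\\directx.exe")
    listening, peers = parse_netstat(netstat_output)
    if IRC_PORT in listening:
        findings.append("TCP port 6667 listening (directx.exe IRC server?)")
    if IRC_CONTROLLER in peers:
        findings.append("established connection to " + IRC_CONTROLLER)
    return findings

# Constructed sample host data (not captured from a real machine).
SAMPLE_FILES = [r"C:\temp\directx.exe", r"C:\temp\cygwin1.dll", r"C:\temp\rpcroot.exe"]
SAMPLE_REG = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
              "    directx    REG_SZ    C:\\test\\directx.exe\n\n"
              "HKEY_LOCAL_MACHINE\\SOFTWARE\\ColdVision\n    update    REG_SZ    1\n")
SAMPLE_NETSTAT = ("  TCP    0.0.0.0:135          0.0.0.0:0             LISTENING\n"
                  "  TCP    0.0.0.0:6667         0.0.0.0:0             LISTENING\n"
                  "  TCP    192.168.1.5:1033     38.115.134.245:6667   ESTABLISHED\n")
```

Running `triage(SAMPLE_FILES, SAMPLE_REG, SAMPLE_NETSTAT)` lists every indicator present; as the advisory says, an empty result only means this particular footprint was not found.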
 
Thanks for posting this. I was searching around for "nt authority/ system" and came across this forum. I did the update patch and I hope this doesn't happen to me anymore. This was happening to me yesterday and happened 7 times!
 
Wow 7 times, lol. Yeh at least you got it patched and hopefully things are in the clear now. :grinthumb
 
Thanks all, I had this problem as well (about 6/7 times). Installed the patch and it seems to have worked. Cheers again for your help. :)
 
Thanks poertner_1274, found you guys through google but will deffo stick about, seems a nice board.
 
I need help on this please. I went to your link acidosmosis but while it was downloading that error came up again and it auto restarted in 60 secs. I have Windows XP Home.
Anyone know how to fix this?
 
Mr magician, I know what you're saying about trying to download and then being shut down, but eventually I managed to get the whole file and once installed it has cured the problem though, stick with it.
Scary stuff I must say :S thanks all for the help, thought I was truly stuffed for a while :)
 
Same here, too scary, but I think I may have fixed the problem myself. I'm downloading the patch right now but all I just did was go to the network wizard and set up a firewall and it seems to have stopped, but I'm still downloading the patch just in case to be sure this doesn't happen again.
Heh, knowing that I'm only 14 yrs old, I did it by myself.
Thanks a lot guys for the patch, I might decide to stick around here to see what goes on..
 
thanks for the help

Thanks guys for the solution for this dodgy thing.
I had the same problem downloading it just before the thing shut me down.
Get a friend to download it maybe if you can't download it in time.
:rolleyes:
 
Lol.. There is an error message when I install it from a CD to my computer from a different one.. but it hasn't been happening lately.. well anyway.. What did you guys do to make it start doing this? I'll tell you after you guys tell me ;)
 

I had the same problem but after I downloaded the update it seemed to have fixed it, thanks everyone...you are a life saver.
 
Guys.. :(

The patch worked, it doesn't force me to restart... But now I can't seem to ctrl + alt + del at all, it just closes it asap, and I see these 2 members named msmoncon or something like that, it's an exe and a user. I can't delete their exe because it says they're protected.

And I can't go into my msconfig, because that closes also, so I can't take them off the user list or anything.

If you guys know anything, please help.
 
That sounds like you need to boot into Safe Mode and run your antivirus, as well as adaware or spybot. That should get rid of your new problem with task manager being shut down as soon as you bring it up.

I'm very glad we could help all of you newcomers. It is nice to know we are getting out there and helping the computing community. :)
 
New Information

Hello guys ..

This patch does work .. however things are getting worse today.

I work for a Cable ISP in Canada... Our customers are experiencing this bug. However instead of it happening 7 times/day .. it's happening every 40-60 seconds... making it nearly impossible to update their systems.

Resulting in a lot of floppy disk pickups at the front office :)
 
This post got googled or something, you might have noticed the 1000+ active users in vB at any time, 15333 reads so far.

Welcome everyone!
 
Wow, thanks so much.

This message was coming up every time my computer booted up. Thank god I found this post using google! I had to bookmark it (and later, the microsoft page) so I could read through and finish in time...

Luckily, I was able to download the patch within my 60 seconds :-S I had to save it, and boot up in safe mode, to get the thing running in time, but now everything looks like it's working!

I don't know what we would have done without you! Thanks :)
 
I've been having this problem for the past few days...
but I woke up this morning to it happening more frequently...
then once I got to my computer to see if there were any fixes it would start rebooting almost as soon as Windows was finished loading.
So I decided to shut it down when I got the chance, and go look on my roommate's computer for help... now I can't seem to start my machine back up, it's dead to the world... and perhaps it's just me overreacting but I swear I smelt fried electronics when I walked back in my room to turn it on.
If anyone has ideas as to how I can get my computer back up and running so I can try the update, or reformat, I would be grateful.
Thanks for the info so far, it's helped a lot... this is the only place I found so far that's had any info related to this problem.
 
This is happening to me about every 5 min and won't stop. I installed the patch and have my fingers crossed but I don't know. I was just curious if this is a hacker thing and what exactly they can do. Thank you
 
Thanks so much for the info - my girlfriend is having this problem, but as she's a 56ker, she can't download the 5.5mb patch in time.

I have broadband, I've tried sending the file by msn, but still no luck.

Any tips? I can't even compress the file with winzip. She's very upset... and poor Sin can't make it better.... :(

unless she pays me 50p for a CD :p lol

Any way I can reduce the file size?
 
Looks like D-Day for this exploit. Tech forums all over the net are being bombarded with pleas for help. I have seen several links to this article posted at many places in reference to resolving the problem.
 