Shutdown Initiated by NT Authority /System

 
 
MurrayS
 
Reply Mon 11 Aug, 2003 04:02 pm
Edit (5/4/04): The information below is an old topic about the Blaster worm, which shows similar symptoms to the Sasser worm that is currently spreading. If you found this in a search engine after 4/30/04 you are probably looking for help for what is probably a Sasser infection. You can find help here: Sasser Virus Help

---------------

Howdy All:

Take care all as there is another worm doing what Blaster did..

http://www.able2know.com/forums/about24107.html


There is a nasty new "hit" taking place that is affecting a lot of XP systems. Got this from another site I use.. make sure your system updates, AV programs and firewall are up to snuff..

To all:

This is a very hard one to figure out, only that there has been a flurry of these recently. I honestly believe it is a deliberate attack on port 139 that is being launched. This CNN Report of last week is typical of the warnings now being issued in the US: http://www.cnn.com/2003/TECH/internet/07/31/internet.atttack.ap/index.html

There is a recent hotfix that addresses this RPC vulnerability: http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Install or enable a firewall immediately.
http://support.microsoft.com/?kbid=283673

Run an updated virus scan.
Or Scan for Viruses online:
http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=IRLFIZTYMWPAZTJWUFJ

Also be sure to update immediately to prevent this in the future:
http://windowsupdate.microsoft.com/

This will tell you more:
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

If your system is continuously restarting with this error:

Try early and often pounding of the F8 key. You want to use the "Last Known Good" configuration option.

If that does not work, I can only guess. Some anti-virus software can run from a DOS session even with NTFS disks. If yours is able to do this start there.

If no joy, do a registry replacement. This requires booting from the XP CD and hitting the first R(epair) choice you receive in order to access the Recovery Console. See this site and print out all of the instructions found there: http://www.digitalwebcast.com/2002/03_mar/tutorials/cw_boot_toot.htm

If still no joy you need to do a maintenance re-install of XP. You will not lose your data or applications but you will lose your Service Packs and Hotfixes: http://support.microsoft.com:80/support/kb/articles/q315/3/41.asp&NoWebContent=1

Murray
Type: Discussion • Score: 2 • Views: 55,479 • Replies: 17

 
MurrayS
 
  1  
Reply Mon 11 Aug, 2003 04:29 pm
Update
It appears a virus called Msblast is causing all the trouble..

McAfee Comments and removal Instructions: http://vil.nai.com/vil/content/v_100547.htm

Symantec Comments and Removal Instructions:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Murray
0 Replies
 
Craven de Kere
 
  1  
Reply Mon 11 Aug, 2003 04:32 pm
Sounds interesting. Is the source for this one posted anywhere?
0 Replies
 
MurrayS
 
  1  
Reply Mon 11 Aug, 2003 04:36 pm
Msblast
Craven:

Google News has started tracking the problem. See the Sci/Tech subsection on this Worm. Several articles already.

Murray
0 Replies
 
Craven de Kere
 
  1  
Reply Mon 11 Aug, 2003 04:38 pm
Ok, no biggie. It's always hard to find source code for these things (for damn good reason, script kiddies would compile and disseminate them). I am certain I will not find it in Google news but every now and then a white hat (or black hat) site will post the code and curious folk like myself get to peek under the hood.
0 Replies
 
Monger
 
  1  
Reply Tue 12 Aug, 2003 05:27 am
I'm seeing reports of this from customers in Japan. Thanks for the heads up, Murray.
0 Replies
 
MurrayS
 
  1  
Reply Tue 12 Aug, 2003 07:01 am
Quick Fix
Howdy All:

The following instructions should keep you on long enough to get and apply the proper patch etc.

Boot to Safe Mode.

First, open Task Manager, then find and end the process 'msblast.exe' if it is there.

Second, delete the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Find the value windows auto update
if its value in the right panel is C:\windows\system32\msblast.exe delete the key.

Finally, delete the file c:\windows\system32\msblast.exe

reboot.

Logon as Administrator.
Don't try the Internet yet. Enable the Windows native Firewall.

Start, Run, services.msc

See if the Remote Procedure Call service is started. If not try to start it.

If it is running, go to the Internet and get the patch.

Even if msblast.exe is not there, by enabling the native firewall you should have enough breathing room to download and apply the patch.

Murray
0 Replies
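
The checks listed in the post above, written as an audit-first PowerShell script (an added example, not part of the original thread). The script layout and the `-Remediate` switch are assumptions of this example; the process name, Run value name and file path are the ones given in the post, and cleanup removes only the `windows auto update` value, leaving the `Run` key and its other entries in place.

```powershell
# Added example: report the three Blaster indicators from the post, clean up only on request.
# Run from an elevated prompt. Without -Remediate nothing on the system is changed.
param([switch]$Remediate)

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'windows auto update'          # value name given in the post
$exeName   = 'msblast.exe'
$exePath   = Join-Path $env:SystemRoot "System32\$exeName"

# 1. Running process (Get-Process takes the name without the .exe extension)
$proc = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue

# 2. Autostart value under the Run key; $null if the value does not exist
$runValue = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
$runHit   = [bool]($runValue -and ($runValue -match [regex]::Escape($exeName)))

# 3. Dropped file on disk
$fileHit = Test-Path -LiteralPath $exePath

# 4. The post also asks whether the Remote Procedure Call service (RpcSs) is started
$rpc = Get-Service -Name 'RpcSs' -ErrorAction SilentlyContinue

[pscustomobject]@{
    ProcessRunning = [bool]$proc
    RunValue       = $runValue
    RunValueHit    = $runHit
    FilePresent    = $fileHit
    RpcSsStatus    = if ($rpc) { $rpc.Status } else { 'not found' }
}

if ($Remediate) {
    # Same order as the post: stop the process, remove the autostart entry, delete the file
    if ($proc)    { $proc | Stop-Process -Force }
    if ($runHit)  { Remove-ItemProperty -Path $runKey -Name $valueName }   # one value, not the key
    if ($fileHit) { Remove-Item -LiteralPath $exePath -Force }
}
```
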
 
Monger
 
  1  
Reply Tue 12 Aug, 2003 07:36 am
Craven de Kere wrote:
Sounds interesting. Is the source for this one posted anywhere?

Dunno about if the source code itself is out there, but here's an interesting bit about its origin, from an article by ZDNet.

"... The worm attacks Windows computers via a hole in the operating system, which Microsoft warned of 16 July. Nine days after the software giant announced the flaw, hackers from the Chinese X Focus security group publicly posted a program to several security lists designed to allow an intruder to break into Windows computers. The Windows flaw has been characterized by some security experts as the most widespread ever found in Microsoft's OS. " ...
"The Chinese code worked on only three variants of Windows, but other hackers have since refined it. Nine days ago, a hacker posted an attack program to a security mailing list. Many facets of the current worm seem to be similar to that program."
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 12 Aug, 2003 09:41 am
I have dealt with 6 people infected thus far. This is going to be big (but I predict it won't have the longevity of other huge viruses).

I'll get the source from one of the infected computers if the people are able to follow the instructions to send it to me.
0 Replies
 
littlek
 
  1  
Reply Tue 12 Aug, 2003 09:45 am
maybe this is what I have.
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 12 Aug, 2003 12:47 pm
MSBlast W32.Blaster.Worm :: history and removal instructions
0 Replies
 
Monger
 
  1  
Reply Mon 18 Aug, 2003 09:09 am
Craven have you seen the source yet? I just noticed astalavista posted a decompilation today.
0 Replies
 
Craven de Kere
 
  1  
Reply Mon 18 Aug, 2003 09:31 am
Yeah, I got it back on the day I asked for it. I had a few coworkers infected so I snagged it then.
0 Replies
 
babyasshole
 
  1  
Reply Tue 13 Apr, 2004 10:05 am
I dunno what gave me the inspiration.. but by turning on the Internet Connection Firewall in Windows XP network connections, the shutdown problem never happened again. I do believe it is some kind of bug or hacker attack.. well, correct me if I'm wrong, I'm no expert in this matter
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 4 May, 2004 04:45 pm
Murray S.

Several thousand people a day are finding this thread (and other pages that show the first post of this thread) when searching about the NT Authority. Thing is, all the recent searchers are looking for help with the Sasser worm, and this is about Blaster.

Can you add a link to timber's Sasser virus removal writeup to your post to direct all these new Sasser victims to Sasser removal info?
0 Replies
 
MurrayS
 
  1  
Reply Tue 4 May, 2004 05:42 pm
No Problem..

Sasser problem shows same symptoms as Blaster..

http://www.able2know.com/forums/about24107.html

Not sure how to put the link in my first post but if you can edit it to show the Sasser link, be my guest !!

Murray
0 Replies
 
Craven de Kere
 
  1  
Reply Tue 4 May, 2004 05:49 pm
I edited it and added it. To edit your posts there is an edit button BTW.
0 Replies
 
gozturk44
 
  1  
Reply Tue 24 Apr, 2007 04:46 am
nt authority system shut down
Hi there
I now have the same problem (after 4 years, the same problem).
I have Windows XP with Service Pack 2 with all the updates,
and I have Norton AntiVirus with all the updates.
I am not able to find the worm; I think it is a new kind of Sasser.
It gives just 7 seconds for shutdown.

Does anyone have the same problem?

Any comments?
0 Replies
 
 
