"NT AUTHORITY SYSTEM" is shutting down my computer when online
 

Maybe someone on here can help me....My laptop automatically shuts down and restarts and says that a remote call procedure has failed and it has to shut down. It says the program that does it is NT AUTHORITY SYSTEM. When my laptop isn't online, it works fine and doesn't shut down..It only works when I am on the internet.

I'm using Windows XP..Has anybody had this problem and know how to fix it...If I didn't have another computer, I'd be fucked because I wouldn't even be able to ask for help online.

kiddie porn detection system.

its an exploit.....fucking flaw in windows that allows people to do that to you computer. Get the patch on microsofts site....same thing happened to me....

oh yeah... thats big right now... know a few people makin damn worms for it

This exploit is more serious than just shutting down the PC..

Get the patch here:
http://microsoft.com/technet/treevie...n/MS03-026.asp

damn do0d just had the same thing happen to me three times in the last 48 hours. i'm ging to get patched.

me too - i'm actually relieved to know other people are having the same problem. FUCK - as i typed this it just happened again.

I JUST got done battling this shit. I didnt know what the hell was going on. I almost reinstalled the OS because everything I tried didnt work so I figured things were beyond fucked.

I noticed my other machines were having the same problem, so it was not isolated to my main machine and was not virus or worm related.

I noticed shit didnt happen when I would disconnect from cable modem.

Little more probing, its a god damn denial of service attack.

Im on Comcast. The only way I could get it to stop was to switch from my bridge to a router. The MS patch didnt work either.

Im guessing someone is having a good time today.

I got a box that's running beta .net and there's no patch for it but I found that setting the firewall takes care of the attacks

Damn, you guys too.

I started getting that error about 3 hours ago, got shutdown twice, then I started updating from MS... then got shutdown during the update...

So I dl'ed the update unplugged my network cable and installed.

I think there was 3 critical updates I hadn't installed yet.

I guess it shows you that you should install those as soon as they come out.

Glad to see I'm not the only one though :)

if you receive "remote procedure call (rpc) service terminated unexpectedly" messages that keep rebooting your comp, try this:

1. install a firewall. dont bother blocking IPs. block ports being used by RPC - UDP and TCP (more below)
2. install MS bugfix. (hell yea I'd do that if it didnt say "service pack 2 required")
3. control panel -> administrative tools -> services -> remote procedure call (RPC). right click, choose properties. go to recovery tab. choose "no action" for all boxes.

full info here plus xp/2000/nt fix

http://www.securitytracker.com/alert...l/1007212.html

edit: this should read: 1 OR 2 OR 3. either will fix it.

That's a Microsoft loophole :thumbsup

the MS patch seems to be working for now but thanks for the info Brian.

glad to see that i am not the only one that has been gettin this error.

yea thanks brian, i have installed the MS patch and for now it really seems to be working... but lets wait another 10-20 mins and see...

here's the way to completely remove the worm:

Windows XP:

go to start -> run

copy paste this in run:

reg delete HKLM\Software\microsoft\windows\currentversion\run /v "windows auto update" /f

then reboot,

after that, do a search and locate the file msblast.exe and delete it..

that concludes the removal procedure (trust me, I had to do it on 10 computers.)



Windows 2000:

.. it might not crash the RPC like windows XP asking you to shut down, but it can give you problems with mmc.exe (microsoft management console) and also the hole which allows anyone to install any script to create users or do anything on your computer.

The reg deletion command mentionned above doesn't work with windows 2000, so you'll have to go manually with regedit to the key hkey_local_machine\software\microsoft\windows\curr entversion\run and then right click on the windows auto update key ... then delete it. Reboot, delete the msblast.exe file like said up there and you're done.

This exploit ain't no joke, it's dangerous :)

my system is fucked up

i want to fucking murder the punk that wrote this shit

the only thing left working now is the IE with gfy

here's the directly download for the ones that cannot access it,this shit even kills js capabilities and the microsoft site in many parts doesnt work with no js

http://microsoft.com/downloads/detai...displaylang=en

i hope it will work now

microsoft wrote it...

yes, the exploit

but the one that does the attacks is using a virus that infected many computers today

w32.blaster something

which is what im saying, the registry key I mentionned restarts the virus' process each time you reboot, so you gotta delete the reg key AND the file msblast.exe :)

Unreal! Earlier today I did a netstat -a and noticed a lot of connections to .mil computers. So I downloaded Active Ports and I'll be damned if a dozen or so msblast.exe were open.

Is msblast.exe a microsoft thing being exploited? Or is it a trojan/worm? I renamed it to .bak, and sure enough, it wasn't using up anymore ports.

Wonder how I caught this, I am pretty careful.....
Anymore info/links would be appreciated! :)

kill it, this ain't a microsoft file, this is the actual worm.

It's gone.
Do you know how it is being installed on computers? I searched google but came up with nada. Must be pretty new.
I should have taken a screenshot of my netstat command. After seeing all the .mil computers I was hooked up to, I reckoned something was wrong. :(

heh, thats the thing, by opening port 135 UDP ... the attacker can send mostly anything he wants and can actually scripts some things ... most of the time it's the worm being uploaded... but it shouldn't do anything else.... well for me it just installed the worm... I removed it.. and said........ FUCK YOU HACKER!

Found more info...
http://www.crn.com/sections/Breaking...rticleID=43865

thanks jeff,i think i'm clean now :)

I got a call from a friend with the same problem, he has win XP and it's even worse situation. He wants me to go and fix his pc now. 3am... :Graucho

I'll be damned, that was the problem....I thought I was gonna have to take it to the shop and let the tech see all this porn on my computer...Thanks jeff...And that msblast.exe shit was on my machine also..

NP guys, i've been the techie guy for a couple of probs recently heh, if you got other problems with the comps, msg me thats my job :thumbsup

thats why sometimes it's good to have a trusty old mac.Mac users rarely face these probelms

mac -does not- have viruses.. alleluiah.. but I don't like mac :(

true
same goes to amiga operators :glugglug


I was looking some logs yesterday and i noticed there are still amiga surfers. That was a big surprise

Guys, that is the worm that fucked up my harddrive COMPLETELY. I had to actually piece it back together with software (and jact's loving patience). Trust me, get this shit patched up ASAP!!!!!!

you sure? ... maybe someone actually made you execute a script with it ... but it doesn't seem developped too much actually it doesn't seem like much people know how to do it .

Trust me on this one... That was it.

anyone else get svchost.exe error? I'm running win 2000 pro

look up.. the way to solve the problem is just above :P

12Clicks...why don't you add your 2 cents. Your company, Standard Internet makes a practice of adding this sort of exploit to unwary surfer's computers. Your site, stopannoyingpopups.com installs a trojan winpup32.exe, so you should be an expert at telling people how to avoid this sort of scumware.

http://forums.techguy.org/t140495/s3...06a116f53.html

P.S. Guaranteed response from 12Clicks ... He will try to defame my character, make a reference to my "day job" or otherwise put up a smoke screen to the real issue. Just for once 12Clicks, why don't you address the real issue at hand!

j3ff, I followed your instuctions above, I found and deleted msblast.exe after the reboot...I just did another reboot and I get the same error....svchost.exe

any ideas?

Yeah, a few people have mentioned this problem to me as well. This could be a big problem.

Damn...I saw that on 2 computers today only....the patch took care of it successfuly... :thumbsup

I've cleared the virus and rebooted, and checked again that it really is gone (yes no sign of it) - but I am still getting the W2000 error of svchost.exe getting errors and being closed down which causes all sorts of follow up problems.

I've just downloaded and installed the W2000 patch so maybe that will do the trick, but what I do not get is

1, how / where I got the virus in the first place (I am on a dial-up) - does it have to be email? and

2, why I am still getting the svchost errors (maybe the patch really will have fixed that though I suspect it doesn't work quite so nicely as that)

ayj

ahahahaha, still plugging away half wit? If you want to be more believable (so the FTC doesn't laugh in your face a second time) I suggest making up SEVERAL fake names on that board and have them all agree with each other.

The way you are going about it is amateurish at best.

at least your making posts at night to keep us all thinking you're here more than just the weekend.
:1orglaugh

How's that FTC investigation coming along? Will we be seeing the end of SI anytime soon? :1orglaugh

Anyways, to the topic at hand. I got an email from my ISP about this exploit, and a warning from my brother. Stupidly, i gave it the "i'll sort it out tommorrow" attitude. So i try to use my computer this morning. Within a minute or two of connecting to the internet, my computer shuts down. So i restart, same thing. Again and again. Luckily, i back up all my shit just in case anything like this happens. Anyways. Got my brother over to fix it all up, which he did. But yeah, when you get these warnings, update that shit ASAP. Not pleasant what these things can do.

dude that shit is pretty fucked up... my aunt just bought a new HP pc from best buy and it came infected with that virus... I went over and set up her computer for her cable modem.. and as soon sa I put it online I stated getting that shut down message... Best Buy did the intial set up for her, and I assume they infected it when they set it up... but it's pretty bad when you buy a PC from a national chain store and it comes ifeced with a virus.

why don't you like the mac jeff?

thank you very much :thumbsup

I posted this on another forum but here is my message.

For windows XP

After being on the phone with MS techs for over an hour they finally found the solution.

After many reboots.

Enable your XP firewall, this will stop more attacks on your system.

Check your systems for "msblast.exe" -- if you have this file you going to know about it damn soon.

If you do, do this.

1. Get the MS update NOW - credical update 823980
Its about 1.3MB in size.

Go to regedit > HKEY_LOCAL_MACHINE > software > Microsoft > windows > currentversion > run >

If you see a entry called "msblash.exe" delete it.
EXIT

Press Crtl + Alt + Del -- windows task manager will popup, find msblast.exe and right click > "End Process".

Load Windows Explorer > Search C:\windows\ for "msblast.exe" -- there should be 2 files. Delete them both.

If you don't do the MS update of the patch then these files will come back.

If you have it you are given 60 seconds and it will shut down you machine.

This worm is new and it's launch date is the 12th, but it's out now at a computer near you.

Hope this helps someone. :D

Thanks for the patch, I think it worked.

DH

I hate to beat this with a dead horse, I did all of that last night, i did the patch, I deleted out the reg key and the msblast.exe file from windows/system32/ and any other file associated with it.

However, it takes awhile, but it spawns a new name, when it pops up the RPC crash box, i go to the processes tab and I see cmd.exe running.

Then norton finds the virus again, except this time its called like TFT53495 or something like that...

I'm at work right now, and i'm trying to get my girlfriend to run through some more steps, I used to connect to my computer at home from work....but that'll stop now since i configured the firewall at home (just now did that)

Any updates on this for permanent fixes?

My computer at home seems to be seriously fucked over now. Time for a new computer anyway..

Home is running XP Pro.

Download this utility. It tells you what programs are using ports
http://www.webattack.com/get/activeports.shtml

I used it to find that msblast.exe was connecting to a lot of UDP ports yesterday. So I deleted the file and did the registry fix.

Hope that helps!