AnswerPool.com
Shutdown Initiated by NT Authority /System (16 Replies)

This topic can be found at:
http://answerpool.com/eve/forums/a/tpc/f/489601891/m/4146095593

08-11-03, 04:57 PM
Murray S.
Just a word of warning XP users.. There has been a very nasty bug hitting the net that is causing a lot of problems for XP users.. I took this from another site I use..

bcastner (IS/IT--Manageme) Aug 11, 2003
To all:

This is a very hard one to figure out, only that there has been a flurry of these recently. I honestly believe it is a deliberate attack on port 139 that is being launched. This CNN Report of last week is typical of the warnings now being issued in the US: cnn.com/2003/TECH/internet/07/31/internet.atttack

There is a recent hotfix that addresses this RPC vulnerability: microsoft.com/security/security_bulletins/ms03-026.asp

Install or enable a firewall immediately.
http://support.microsoft.com/?kbid=283673

Run an updated virus scan.
Or Scan for Viruses online:
security.symantec.com/ssc/home

Also be sure to update immediately to prevent this in the future:
http://windowsupdate.microsoft.com/

This will tell you more:
microsoft.com/security/security_bulletins/ms03-026.asp

If your system is continuously restarting with this error:

Try early and often pounding of the F8 key. You want to use the "Last Known Good" configuration option.

If that does not work, I can only guess. Some anti-virus software can run from a DOS session even with NTFS disks. If yours is able to do this, start there.

If no joy, do a registry replacement. This requires booting from the XP CD and hitting the first R(epair) choice you receive in order to access the Recovery Console. See this site and print out all of the instructions found there: digitalwebcast.com/2002/03_mar/tutorials

If still no joy you need to do a maintenance re-install of XP. You will not lose your data or applications but you will lose your Service Packs and Hotfixes: http://support.microsoft.com:80/support/kb/articles/

Murray

***************************************************************
08-11-03, 05:31 PM
Murray S.
Update:

It appears a virii called Msblast is causing all the trouble..

McAfee Comments and removal Instructions: http://vil.nai.com/vil/content/v_100547.htm

Symantec Comments and Removal Instructions:
http://securityresponse.symantec.com/avcenter/venc/data/

Murray

***************************************************************
08-11-03, 07:59 PM
Kelleygirl
Thank you---Bless you! I think that I'm okay now---don't know for sure. How frustrating!
***************************************************************
08-11-03, 08:29 PM
MuchWyza
Hi everyone.

Yep, this is going to be a big one. Here's a copy of a blurb I just sent all my newsletter subscribers on the topic. Sorry if it duplicates some info already posted here.

IMPORTANT: Viruses/Worm Information: MIMAIL and W32/Msblast.A

To all my newsletter recipients,

Even though the August newsletter is not quite ready for distribution, I pulled this piece out of it to send you because you need this information today. This is an immediate threat to any computer using the following versions of Microsoft Windows:

Windows XP
Windows NT® 4.0
Windows NT 4.0 Terminal Services Edition
Windows 2000
Windows Server™ 2003

Check out Microsoft's site on this problem: www.snurl.com/1tcy

Read what Reuters is reporting about this threat: snurl.com/211i

There are a couple of nasty bugs that debuted only in the last few days and they are going to be big.

They take advantage of a known Windows vulnerability so go to the Windows Update site to download and install the "Critical Updates" right now: Open Internet Explorer, click the Tools menu and choose Windows Update. Click the "Scan for Updates" link. (It has a little green arrow beside it.) When it finishes scanning your system, click the "Critical Updates and Services Pack" link on the left of the page and follow the downloading instructions.

Do it.

Right now.

I'll wait.

*** Ruth hums a little ditty while she waits: Hmmm-hmm-hmm-dum-de-dum-dum … ***

Okay. Glad you're back.

Now, go to the website of whatever anti-virus program you use and update it. This is free as long as you have a paid anti-virus program on your system and if you don't, what the heck are you doing reading this newsletter??? Rush right down to your local computer store and buy one. (Or buy one online.)

Now, here's the skinny on these particular threats:

1. MIMAIL worm

If you receive an email with "your account" in the Subject Line do NOT open the attachment. The email may look like it came from your ISP - the company you pay for Internet access - so it will seem important and safe. In the body of the email, you'll see something like this:

"Hello there, I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details. Best regards, Administrator"

Read all about it here: www.snurl.com/1ybe. … after you buy/update your anti-virus program and do the Windows Update thing, that is. ;-)


2. W32/Msblast.A (also known as W32/Lovsan, W32.Blaster.Worm, WORM_MSBLAST.A or Win32.Poza)

The affected e-mail message will contain the following sentences (or words very similar):

"I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ?
Stop making money and fix your software!!"

If you follow my suggestions by (a) downloading Microsoft's 'Critical Updates' and (b) updating your anti-virus protection, you should be okay.

Bye for now.
Ruth
***************************************************************
08-11-03, 09:55 PM
Kelleygirl
So far so good---it allows you to be online just long enough to find out what you need and then shows up saying that in 1 minute the system will be shut down. MurrayS, I'll remember you in my will---of course, it might just be bills. And thank you, Ruth, for your input. How horrible that someone with that much brain power, can't do something positive with it instead of this!
***************************************************************
08-11-03, 10:02 PM
Murray S.
Kelleygirl:

Boot to Safe Mode.

First open Task Manager, find and end the process 'msblast.exe' if it is there.

Second, delete the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Find the value 'windows auto update'.
If its data in the right panel is C:\windows\system32\msblast.exe, delete the value.

Finally, delete the file c:\windows\system32\msblast.exe

Reboot.

Logon as Administrator.
Don't try the Internet yet. Enable the Windows native Firewall.

Start, Run, services.msc

See if the Remote Procedure Call service is started. If not try to start it.

If it is running, go to the Internet and get the patch.

Even if msblast.exe is not there, by enabling the native firewall you should have enough breathing room to download and apply the patch.

Ruth:

Right now, a good firewall is more important than the av.. You can clean the virii after but NOT if you can't stay online long enough to get the patch.

Murray
***************************************************************
08-12-03, 02:12 AM
Dwight
A great big "Thank You" to both Murray S and MuchWyza for all this great information. I just finished removing the msblast.exe from a client's computer and your information made this task SO much easier!

An anecdotal note: I could not clear the Registry entry for msblast.exe until I deleted a program file in:

C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe

Every time I restarted the computer, the Registry entry was back in the "Run" section. I noticed that the memturbo.exe file was re-inserting itself, too.

I tried uninstalling the Memory Turbo program without success, so I tried deleting the file in Windows Explorer while running in Safe Mode. It wouldn't delete, so I stopped it in Task Manager, Running Processes (still in Safe Mode). When I finally did get the entire Silicon folder deleted, the Registry entry for msblast.exe stopped re-inserting itself.

That finally got things back to normal again.

Again, thanks to you both for your posts. You saved me a lot of time today!

Dwight
***************************************************************
08-12-03, 07:42 AM
Lydia
OK...I'm reading this from my computer at work, so will not be able to do anything until I get home.

Questions -
Murray made a comment to "boot to safe mode". How does one do this???

What do I do if I am not able to stay online long enough to download updates and such? Last night, I would log on and only had 5 minutes or less each time I was on.

I am pretty computer "illiterate" - I know how to use a computer, navigate my way around, can type pretty fast and that's about it!!!!!
***************************************************************
08-12-03, 07:50 AM
Murray S.
Lydia:

To use a Safe Boot option, follow these steps:

Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you see the Boot Menu.

When the Windows Advanced Options menu appears, select an option, and then press ENTER.

When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

Murray
***************************************************************
08-12-03, 08:42 AM
Lydia
Thanks Murray!! Whatcha doin' tonight? Wink Wanna come over??? Big Grin

Well, I will be giving it a shot tonight and will hope for the best - seems to be lots of instructions for me to follow, so that's a bonus!!!!!

Thank you!!!
~Lydia
***************************************************************
08-12-03, 10:19 AM
Dwight
Printing tip: If you want to print this list, here is a helpful printing tip:
Use the AnswerPool Printing Tool, found by clicking on the Tools button above the first post on any page.

AnswerPool/Tools/Printer Friendly Format.

Dwight
***************************************************************
08-12-03, 10:10 PM
Lydia
Tonight I logged on (or attempted to) - my setup looks different and it won't let me log on as "me" - but let me dial in using my hotmail information. It doesn't appear that I am going to be able to be on long enough to do anything...any suggestions? (20 seconds left) Frown
***************************************************************
08-12-03, 10:40 PM
Dwight
Did you start in Safe Mode and remove the msblast.exe as described (posted 08-11-03 10:02 PM) by Murray S above?

You can try going to Start/Control Panel/(Classic View)/Administrative Tools/Services/Remote Procedure Call/Recovery

Change the "Action" from "Restart the computer" to "Take no action". OK the change.

This will give you time to do downloads, etc.

Dwight
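An added read-only audit script in PowerShell (not from this thread or any of its posters) that checks the indicators Murray S. lists above (the Run value, the running process and the dropped file) together with the RPC service recovery setting Dwight describes. It assumes the RPC service's internal name is RpcSs and that it is run from an elevated prompt; it reports and changes nothing.

```powershell
# Added example, not from the thread. Read-only: reports MSBlast indicators and the
# RpcSs recovery setting, it does not delete or change anything.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'windows auto update'                         # value name quoted in the thread
$wormFile = Join-Path $env:SystemRoot 'System32\msblast.exe'
$findings = @()

# 1. Autorun value under HKLM\...\Run pointing at msblast.exe
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $valName)) {
    $data = $run.$valName
    if ($data -match 'msblast\.exe') {
        $findings += "Run value '$valName' = '$data' (remove it in Safe Mode)"
    }
}

# 2. Worm process currently running
$proc = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process msblast.exe running (PID $($proc.Id -join ','))"
}

# 3. Dropped file in System32
if (Test-Path -LiteralPath $wormFile) {
    $findings += "File present: $wormFile"
}

# 4. RPC service recovery action: a REBOOT action is what produces the
#    1-minute shutdown countdown when the service crashes. 'RpcSs' is assumed
#    to be the service name of "Remote Procedure Call (RPC)".
$failure = (sc.exe qfailure RpcSs) -join "`n"
if ($failure -match 'REBOOT\s+--') {
    $findings += "RpcSs recovery includes 'Restart the computer'; set it to 'Take no action' while patching"
}

if ($findings.Count -eq 0) {
    'No MSBlast indicators found.'
} else {
    'MSBlast indicators:'
    $findings | ForEach-Object { " - $_" }
}
```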
***************************************************************
08-12-03, 10:50 PM
LVLF
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Find the value windows auto update
if its value in the right panel is C:\windows\system32\msblast.exe delete the key.

I also have this stupid worm, and I think I have it taken care of, but I cannot find the above information, and it is slightly different from the Symantec info I got. They told me to go to HKEY_Local_Machine and then find the "value windows auto update; if its value in the right panel is C:\windows\system32\msblast.exe delete the key." Which is what I can't find. Also, the msblast is still listed in msconfig. Will that be there always, or is there a way to get rid of it?
***************************************************************
08-12-03, 10:54 PM
Murray S.
With no slight to this site or the experts here, go to the following for about the best info I have seen on this worm along with detailed removal instructions..HERE

Murray
***************************************************************
08-14-03, 04:10 AM
soaringhorse
I have a question, why is it not attacking all Windows versions? I have Win Me, as I'm sure others have Win 98. I just wonder if there's patches for our programs.
***************************************************************
08-14-03, 08:08 AM
Murray S.
Soaringhorse:

The code was written to attack only the NT kernel. WinME and down don't use that..

I guess the script kiddies and hackers feel FAT is a dead or going to be very soon dead issue so why bother writing something for nothing !!

Murray