System shutdown, against my will



Erdrick Holmes
08-05-2003, 07:32 AM
At times I will see a window pop up saying that my system will be shut down by NT Authority/System (I think it said that). Why is it doing that and what can I do to prevent it?

wax
08-05-2003, 07:45 AM
How up to date is your version of windows? A security flaw was just discovered that can allow people to reboot your machine remotely, without your permission. Also, if you prematurely end certain processes, your PC will be forced to restart.

My recommendation: Run a windows update and a virus scan...

Endless
08-05-2003, 12:20 PM
Go to Windows updates and get the security patch for it.

crono_logical
08-05-2003, 12:29 PM
You should also run a firewall that will block such malicious packets being sent to ports the system is listening to over the internet.

Erdrick Holmes
08-05-2003, 06:28 PM
I did all of that but now when I do ALT+CTRL+DEL and the processes menu comes up it immediately disappears. Why is it doing this?

Erdrick Holmes
08-08-2003, 04:30 AM
Here is what came up while I was working.

Endless
08-08-2003, 10:41 AM
Originally posted by Master Vivi
Go to Windows updates and get the security patch for it.

crono_logical
08-08-2003, 11:15 AM
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

That's the exact patch you need to fix the random reboot/shutdown problem.

As for Task Manager dying, that's due to a trojan/virus killing certain applications on open, and not a Windows bug - perhaps getting an alternate process viewer such as from here (http://www.efsoftware.com/pm/e.htm) to kill the necessary dodgy program (basically something that's running that you don't recognise), then try the normal task manager again. And yes, update your antivirus definition files too :p

Erdrick Holmes
08-08-2003, 11:36 AM
I'm in the process of getting these files but I updated AVG virus scanner like 20 times and it still hasn't detected a thing. edczxcvbnm told me that the virus was most likely so well coded that I might have to format my HD *sigh* again to get rid of it. What else can I do?

crono_logical
08-08-2003, 12:03 PM
Format your HD :p From what I've found of the problem on the net so far, virus scanners or stuff like AdAware don't pick up one of the programs that can cause this :p

Erdrick Holmes
08-08-2003, 12:29 PM
*breaks something expensive out of rage*

Endless
08-08-2003, 07:54 PM
F-prot (ftp://ftp.f-prot.com/pub/f-prot.zip) for DOS
App/scripts definition (http://www.f-prot.com/cgi-bin/get_randomly?fp-def) file.
Macros definitions (http://www.f-prot.com/cgi-bin/get_randomly?macrdef2).


Make a boot floppy.
Write protect floppy.
Put AV over 3 floppies. (*)
Protect floppies.
Boot comp with boot floppy.
Run f-prot. (*)


(*) Directions (http://www.f-prot.com/support/fpdos_faq/06.html)

Ø
08-11-2003, 11:36 PM
Hmm, this just started happening to me :(

You can temporarily stop it simply by implementing the XP firewall but yeah, I'm also downloading the patches.

I am friends with some government peeps who have the resources to find out who's doing it to me... :cool: then it's time to "send the boys around".

And I'm not kidding either.

Erdrick Holmes
08-12-2003, 12:15 AM
who or what keeps doing that anyway?

Dr Unne
08-12-2003, 12:18 AM
Maybe this. http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Endless
08-12-2003, 12:23 AM
Two executables are enough to do it:
- the first one to send the data to overflow the rpc buffer and allow the connection. Most of the time the reboot comes from that one failing the command, which forces the system to reboot (it's in the rpc service properties). Sometimes this one is split in two programs.
- the second is a quite common program, you use it to connect to the victim and open a remote shell.


These two exist on virtually any platform, and tutorials exist on how to use the exploit. That's why it's getting so common.

RSL
08-12-2003, 12:49 AM
This is happening to me too. I downloaded the patch, but it won't install. It keeps giving me an error. This is getting really annoying.

Edit: This is the error message when I try to install the patch:

Setup could not verify the integrity of the file Update.inf. Make sure the Cryptographic service is running on this computer.

I don't know what that means...

Endless
08-12-2003, 12:58 AM
Did you get the standalone patch, or directly from Windows Update? Using the other method might work.

The cryptographic options should be in tools > internet options > advanced > scroll down to security.

Dr Unne
08-12-2003, 01:41 AM
I've read that if it's the virus that I posted above, patching won't help you if you're already infected. Who knows though.

Erdrick Holmes
08-12-2003, 01:43 AM
Geez, I thought ME had a lot of friggen holes, now XP is arfing up.

RSL
08-12-2003, 02:17 AM
Nothing is working for me. This is extremely annoying. oh well.

Dr Unne
08-12-2003, 04:21 AM
My sister has this virus now. Yay. Hopefully anti-virus company will release an easy-to-use auto-cleaner utility soon. *once again glad he uses linux*

crono_logical
08-12-2003, 08:33 AM
McAfee and Symantec both appear to have stand alone removers now. There's a link to one on the link Unne posted earlier, the McAfee one is on www.mcafee.com, just follow the links for information on W32/LovSan.worm near the top right.

Burtsplurt
08-12-2003, 10:35 AM
I've got it as well. *very annoyed*

Edit: the Symantec remover seems to have worked, and I've installed the patch. Many thanks to the advice in this thread. :)

Dr Unne
08-12-2003, 05:37 PM
Anyone want to start a contest to see who gets probed on port 135 the most times? I'm up to 36 since I started logging it last night. EDIT: make that 37.

Miriamel
08-12-2003, 06:00 PM
Microsoft is confusing me. No news there, but do I have to install this Service Pack 1 to even install the patch? And how do I know if I have the 32bit or 64bit version of Windows XP?

crono_logical
08-12-2003, 06:22 PM
I've had 0 probes since my IP address is 192.168.0.3 :D And the router PC is firewalled and running scanners etc. too.

Miriamel: You've likely got the 32-bit one, I doubt you have a high-end several-thousand-$ multi-CPU server, but a normal Pentium 1/2/3/4 or AMD Athlon or some variation, which are currently 32 bit :p

It's your choice if you install Service Pack 1 or not beforehand, it's not necessary. But it does contain a multitude of other bug fixes and patches for Windows. I chose not to install SP1 on my machine, and have gone for the separate patches instead, much like the one you're about to download. :p

Dr Unne
08-12-2003, 06:30 PM
I had my router start forwarding all requests on port 135 to my computer so I could count them. Up to 40 now.

I'd install the SP1, it has lots of nice stuff in it. Installing all the tons of patches individually probably ends up taking much longer to do than installing them all at once in the SP, unless you've been keeping up with them. First priority is probably installing the patch to block this virus that's going around though. If it doesn't force you to install the SP, just install that patch, probably.

I didn't even know a 64-bit version of Windows existed in a form anyone was currently using.
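
A way to do the counting described in the posts above, as an added example that is not part of any poster's message: it tallies inbound TCP connection attempts to port 135 per source address from a firewall log. The log layout (W3C-style text with a #Fields header, as the Windows firewall's logging option writes it), the sample lines and the address 192.0.2.10 for the logging PC are assumptions constructed for illustration.

```python
# Constructed sample, not taken from the thread. It assumes the W3C-style
# text layout written by the Windows XP firewall's logging option; addresses
# come from documentation ranges and 192.0.2.10 stands for the logging PC.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-08-12 17:01:10 DROP TCP 198.51.100.7 192.0.2.10 3121 135 48 S 1234567 0 16384 - - -
2003-08-12 17:01:13 DROP TCP 198.51.100.7 192.0.2.10 3121 135 48 S 1234567 0 16384 - - -
2003-08-12 17:04:52 DROP TCP 203.0.113.45 192.0.2.10 4410 135 48 S 7654321 0 16384 - - -
2003-08-12 17:05:30 DROP UDP 203.0.113.9 192.0.2.10 1026 137 78 - - - - - - -
2003-08-12 17:06:02 DROP ICMP 203.0.113.9 192.0.2.10 - - 92 - - - - 8 0 -
2003-08-12 17:09:41 OPEN TCP 192.0.2.10 198.51.100.80 1055 80 - - - - - - - -
2003-08-12 17:12:19 DROP TCP 198.51.100.200 192.0.2.10 2277 135 48 S 1111111 0 16384 - - -
2003-08-12 17:12:20 DROP TCP 198.51.100.200 192.0.2.10 2278 445 48 S 2222222 0 16384 - - -
2003-08-12 17:13:02 DROP TCP 198.51.100.9
2003-08-12 17:20:00 DROP TCP 198.51.100.7 192.0.2.10 3150 135 48 S 3333333 0 16384 - - -
"""


def parse_firewall_log(text):
    """Yield one dict per well-formed entry, keyed by the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        tokens = line.split()
        if len(tokens) != len(fields):
            continue  # truncated or corrupt line: skip it rather than guess
        yield dict(zip(fields, tokens))


def count_probes(records, local_ip, port=135):
    """Per-source summary of inbound TCP connection attempts to one port.

    Only bare SYN packets addressed to local_ip are counted, so UDP, ICMP,
    outbound traffic and other ports do not inflate the number.
    """
    by_source = {}
    for r in records:
        if (r["protocol"] == "TCP" and r["dst-ip"] == local_ip
                and r["dst-port"] == str(port) and r["tcpflags"] == "S"):
            stamp = r["date"] + " " + r["time"]
            entry = by_source.setdefault(
                r["src-ip"], {"count": 0, "first": stamp, "last": stamp})
            entry["count"] += 1
            # ISO-style timestamps compare correctly as plain strings.
            entry["first"] = min(entry["first"], stamp)
            entry["last"] = max(entry["last"], stamp)
    return by_source


def total_probes(by_source):
    """Total number of counted connection attempts across all sources."""
    return sum(entry["count"] for entry in by_source.values())


if __name__ == "__main__":
    summary = count_probes(parse_firewall_log(SAMPLE_LOG), "192.0.2.10")
    print("port 135 probes:", total_probes(summary))
    for src, entry in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"  {src:15}  {entry['count']:3}  {entry['first']} .. {entry['last']}")
```
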

crono_logical
08-12-2003, 07:48 PM
Nah, I just found that SP1 really slowed my PC down too much and made it unstable, so got rid of it, and only installed the patches I know I'm vulnerable against and know of now :p

Loony BoB
08-12-2003, 08:43 PM
Can somebody please let me know which of all these downloads is Service Pack 1? You guys could make it a lot more simple by just saying



- Service Pack 1: LINK DIRECTLY TO FILE
- Patch: LINK DIRECTLY TO FILE
Download these in that order, install and all your problems will be solved.

There are just so many files on those pages, and not one of them is going around saying "SERVICE PACK 1" anywhere. =/

crono_logical
08-12-2003, 08:53 PM
Windows NT 4.0 Server Patch (http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en)
Windows NT 4.0 Terminal Server Edition Patch (http://microsoft.com/downloads/details.aspx?FamilyId=6C0F0160-64FA-424C-A3C1-C9FAD2DC65CA&displaylang=en)
Windows 2000 Patch (http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en)
Windows XP 32-bit Patch (http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en)
Windows XP 64-bit Patch (I doubt any of you guys are using WinXP 64-bit) (http://microsoft.com/downloads/details.aspx?FamilyId=1B00F5DF-4A85-488F-80E3-C347ADCC4DF1&displaylang=en)
Windows Server 2003 32-bit Patch (http://microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en)
Windows Server 2003 64-bit patch (doubt anyone here's using this either :p ) (http://microsoft.com/downloads/details.aspx?FamilyId=2B566973-C3F0-4EC1-995F-017E35692BC7&displaylang=en)

SP1 won't fix the security hole, it's too old, and I'm too lazy to find its download link too, just search the MS site yourself :p

Ø
08-12-2003, 09:20 PM
Okay, I seem to have found the little barsteward responsible for the attack...

Search for "msblast.exe" and delete it. :D

Oh, and the guy who last attacked me with it was from Brazil. So there go my plans of destroying him :(

Linus
08-12-2003, 09:27 PM
There are at least 15 EoFFers with this worm/virus/error thing. This virus isn't contagious, is it?

Loony BoB
08-12-2003, 09:31 PM
Latest problem: Symantec's lovely removal tool keeps giving me windows errors. Y'no, the ones where they want to send error reports and stuff. Gah. Twice now.

Burtsplurt
08-12-2003, 09:39 PM
Maybe try McAfee's removal tool? I used the Symantec one and it worked well for me, but I'd imagine the McAfee one also works. Larger file, though; makes it a tricky download when you only have 5 minutes in which to download it!

crono_logical
08-12-2003, 09:55 PM
Search for "msblast.exe" and delete it.
Doesn't fix the security hole though, you could easily get reinfected :p Plus it doesn't undo registry changes and other stuff either :p


There are at least 15 EoFFers with this worm/virus/error thing. This virus isn't contagious, is it?
The target the virus spreads to from an infected machine is random, although apparently it'll scan whole subnets at a time, so it's possible to spread fast, and is contagious in that manner, although not contagious in the sense that you catch it from visiting a site someone else that's infected is visiting :p


Larger file, though; makes it a tricky download when you only have 5 minutes in which to download it!
Good thing decent browsers like Opera know how to resume downloads :p Or use a non-infected machine e.g. linux to get it :p


Before anyone asks, no, it doesn't matter which tool you use, regardless of your virus scanner, the tools are standalone scanners and not part of the standard anti-virus kits.

Garland
08-12-2003, 11:42 PM
I just went through the manual correction process with my parent's computer (mine's been spared thus far). I had no real problems. At first, things weren't working - I deleted the windows registry line, and the item in the cntrl alt delete processes list. A bit later, the bloody worm was back. Apparently when they say you have to download the patch first, then do the deletion process, they mean it. After following the instructions, everything is fine. I had assumed the patch only prevented getting it again, and I thought "what're the odds of that?" so I skipped that part of the instructions. Apparently, following *all* the instructions is the key to success.

RSL
08-13-2003, 12:02 AM
Searching for msblast.exe on my computer finds nothing. Using one of those stand alone things that you linked to finds nothing. Yet I keep getting the error and my computer keeps restarting against my will!!!!

The patch still won't install, and I'm running out of patience.

Garland
08-13-2003, 12:10 AM
Don't bother searching. Hit control alt delete and look at Processes. If MSBlast is in the list, you have this virus. Download the appropriate patch and install it. Then delete the MSBlast in your Processes list. Next go to Start in the bottom left hand corner. Go to Run. Type in regedit and hit ok. Look in the folder "HKEY_LOCAL_MACHINE", then "Software", "Microsoft", "Windows", "CurrentVersion" and finally "Run". In a list of stuff to the right, look for a line containing MSBlast. You might have to expand certain columns to see everything. Delete the line with MSBlast in it here too, and restart your computer. You should be all set. When downloading the patch, I recommend saving to disk instead of opening. Why? Because this virus gives you a very small window of opportunity to fix the problem before restarting. If you save the file, you'll have just enough time to finish saving it before it kicks you off. Then you can install the patch on your next computer restart.

RSL
08-13-2003, 12:49 AM
Okay, I hit CTL ALT DEL and clicked the processes tab, and I see no MSBLAST.EXE... I'm really confused now...

EDIT: here's a screenshot of me getting the shutdown error along with showing my processes. No mention of msblast, unless it's something else in that list? (I'm not too good with computers unless it's the really basic stuff...)

RSL
08-13-2003, 12:55 AM
I also get this error sometimes. Not every time. Once I close that, it goes immediately to the shut down error. If I leave it sit there, it will eventually go to the shut down error anyway.

Outsider
08-13-2003, 12:57 AM
I was having this problem... I just deleted msblast.exe (it's the infected file).

Things seem to be back to normal...

Dr Unne
08-13-2003, 02:22 AM
RSL, did you try this? It might at least stop your computer from restarting instantly so you can mess with it more. It's from this site: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

"* Because of the way the worm works, it may be difficult to connect to the Internet to obtain the patch, definitions, or removal tool before the worm shuts down the computer. There are at least two known ways to work around this, although neither solution works 100% of the time.
  o If you run Windows XP, activating the Windows XP firewall may allow you to download and install the patch, obtain virus definitions, and run the removal tool. This may also work with other firewalls, although this has not been confirmed.
  o In many cases, on both Windows 2000 and XP, changing settings for the Remote Call Procedure (RPC) Service may allow you to connect to the Internet without the computer shutting down. Follow these steps:
    1. Do one of the following:
       + Windows 2000. Right-click the My Computer icon on the Windows desktop and then click Manage. The Computer Management window opens.
       + Windows XP. Click the Start button, right-click the My Computer icon, click Manage. The Computer Management window opens.
    2. In the left pane, double-click Services and Applications and then select Services. A list of services appears.
    3. In the right pane, locate the Remote Procedure Call (RPC) service.

       CAUTION: There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.
    4. Right-click the Remote Procedure Call (RPC) service and click Properties.
    5. Click the Recovery tab.
    6. Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
    7. Click Apply and then OK"

RSL
08-13-2003, 02:29 AM
Activating the firewall has stopped my computer from restarting. However, none of the suggestions in this thread have worked for me.

The two removal tools did not work. The McAfee one searched my entire computer and found nothing. The other one kept giving an error (probably the same thing that Loony BoB complained of.)

I downloaded the patch, but I've been unable to install it successfully (refer to earlier post).

I've tried to go through windows updates, but it gives me an error there too.

I'll keep trying stuff. This has consumed all my free time the last two nights... at least it isn't restarting right now, but I want to get this fixed.

Dr Unne
08-13-2003, 02:50 AM
The error you get trying to install the Windows patch could just be due to some random suckiness of Windows and not the virus. Who knows. Did you try on the Symantec site, doing the manual removal? Going through step 1 to 5, starting with "1. Disabling System Restore (Windows XP)". Especially the part where you edit your registry. Maybe running the tools already did delete all the files that were infected on your computer, or something. Just try all the steps (probably skipping step 2) and see if anything changes.

RSL
08-13-2003, 02:57 AM
1. Disabling System Restore (Windows XP)

Done.

3. Ending the Worm process
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager

msblast.exe doesn't show up.

4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with W32.Blaster.Worm, click Delete.

Nothing.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"

Exit the Registry Editor.

No sign of "windows auto update"="msblast.exe" Or anything mentioning msblast.exe.

Doing all this, I wouldn't even think something was wrong if my computer hadn't been restarting like that. As for the patch not installing, I'm fairly certain that it's not because of the virus, but I haven't been able to figure out what it is.

eestlinc
08-13-2003, 03:13 AM
your offending process is called SVCHOST.exe in your case.

I found this lovely thing on my computer when I came home from vacation, so I got to spend the first couple hours at home fixing it.

Dr Unne
08-13-2003, 03:18 AM
I think SVCHOST is just a normal Windows process that has to do with your internet connection. Could be wrong though.

I don't know what else to try RSL. From everything I read, the virus shouldn't be starting at all without that registry key, since that's all it does to start itself. Maybe you have a different virus. Or maybe I'm just not reading the right things. Sorry.

Garland
08-13-2003, 03:24 AM
Whenever all else fails, you always have your windows restore cd. It'll probably take less time than trying to hunt down the offending file.

RSL
08-13-2003, 03:25 AM
Thanks for trying Unne :)

Seems like I'm the only one having problems fixing this using the methods posted here :(

Dr Unne
08-13-2003, 03:35 AM
Reinstalling Windows would work, yeah. If you could copy the patch to some safe location (a CD or disk), unplug your computer from your internet connection, reinstall Windows, install the patch from your disk, and plug in your internet cable again, that'd work for sure (pretty much, unless the virus infected the patch file you downloaded, who knows). But you'd also lose everything on your computer. Complete hard drive reformat is the only way to be sure you don't still have a virus hiding somewhere. It'd take longer, but it'd be 100% sure to work.

eestlinc
08-13-2003, 03:45 AM
I don't know if you can do this in winXP, but when my win98 computer got very screwy, instead of reformatting, I booted into DOS and deleted my windows directory and then reinstalled windows. This leaves your programs mostly intact.

Linus
08-13-2003, 03:54 AM
SVCHost is a natural WinXP process.

I haven't got the worm/virus/msblast.exe thing, and my process list shows at least 1 SVCHost.exe running like all the time.

Dr Unne
08-13-2003, 04:03 AM
That works with XP too eestlinc, I used to do it pretty often when I used Windows just because Windows degenerates naturally over time, but when you have a virus, you generally don't want to leave your programs intact. If something in c:\program files\ or c:\games\blah\ or whatever has the virus in it, your new Windows install will be instantly corrupted when you run that program. Not that all malicious programs do infect other files on your computer, but some do. Technically I think they call a program that infects another program a "virus" and a program that doesn't infect any other programs but just runs on its own a "worm", and blaster has been called a "worm" so I notice, but I don't know if that's what RSL even has. If I were you RSL I'd do a complete reformat, but that's just me. If I got any virus, ever, I'd do a complete reformat. Saves time and trouble in the long run.

RSL
08-13-2003, 04:09 AM
How tricky is a complete reformat? I've never done it before.

At any rate, it'll have to wait until tomorrow as I don't want to be up all night messing around with this.

eestlinc
08-13-2003, 04:18 AM
svchost is a normal program but it is somehow involved with the problem.

The Man
08-13-2003, 04:29 AM
the worm probably screws with it or something

at any rate, i just looked at my active processes and didn't find msblast, and i did a search of my hard drive and didn't find msblast.exe, so i guess i've escaped the problem thus far. fool's gold apparently hasn't, though, since one of our admins has mysteriously been renamed to "msblast.exe." hmm.

Dr Unne
08-13-2003, 04:36 AM
RSL, it involves backing up ALL data you want to be saved, because it will all be gone. Then somehow booting to DOS, using a boot floppy perhaps, then typing format c:, and waiting for a while, which will leave you with NOTHING on your hard drive. Then booting from the Windows CD and installing Windows. Then reconfiguring all your hardware if you need to. Then reinstalling every program you ever installed. It sucks. But then again, so does Windows. Hope you find a better solution so you don't have to do that.

crono_logical
08-13-2003, 07:16 AM
RSL: You're probably not infected then, since there are no traces of the worm on your PC. The reboot thing and the virus are separate issues, that use the same Windows exploit. Random reboots do not imply the PC is infected, but being infected does imply the PC is unpatched, or was at the time of infection.

As for why the patch will not install, I'm not sure. Are you using the correct one for your OS? Can't think of much else right now.

Microsoft themselves admit that the firewall is a temporary solution to preventing getting infected and getting the reboot errors, just blocking the relevant port numbers is enough, but that doesn't fix the bug exploit in Windows itself.
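
The two checks walked through earlier in the thread (msblast.exe in the process list, and a Run value that launches it), written as an added example that is not part of any poster's message or of Symantec's instructions. It assumes the text that `reg query` prints for the Run key and that `tasklist /fo csv` prints for the process list; both samples and the ExampleTray entry are constructed.

```python
import csv
import io
import re

WORM_IMAGE = "msblast.exe"  # file name given in the thread

# Matches the image name as a whole file name, in any letter case.
_WORM_RE = re.compile(r"(?<![\w.-])msblast\.exe(?![\w.-])", re.IGNORECASE)

# A value line is: indent, name (may contain spaces), REG_ type, data.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Constructed samples (hypothetical machine), in the assumed output formats.
_KEY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
_TRAY = '    ExampleTray\tREG_SZ\t"C:\\Program Files\\Example\\tray.exe" /startup\n'
REG_CLEAN = "! REG.EXE VERSION 3.0\n\n" + _KEY + _TRAY
REG_INFECTED = REG_CLEAN + "    windows auto update\tREG_SZ\tmsblast.exe\n"

_HEADER = '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
TASKS_CLEAN = (_HEADER
               + '"System Idle Process","0","Console","0","16 K"\n'
               + '"svchost.exe","812","Console","0","3,412 K"\n')
TASKS_INFECTED = TASKS_CLEAN + '"MSBLAST.EXE","1492","Console","0","1,208 K"\n'


def parse_run_values(reg_text):
    """Return {value name: data} from `reg query` output for one key."""
    values = {}
    for line in reg_text.splitlines():
        match = _VALUE_LINE.match(line)
        if match:  # banner and key-name lines have no leading indent
            values[match.group("name")] = match.group("data").strip()
    return values


def running_images(tasklist_csv):
    """Return the set of lower-cased image names from `tasklist /fo csv`."""
    names = set()
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if row and row[0] != "Image Name":  # skip the header if present
            names.add(row[0].lower())
    return names


def triage(reg_text, tasklist_csv):
    """Report the worm traces named in the thread, and what they imply."""
    run_hits = sorted(name for name, data in parse_run_values(reg_text).items()
                      if _WORM_RE.search(data))
    running = WORM_IMAGE in running_images(tasklist_csv)
    if running or run_hits:
        advice = ("worm traces found: install the patch first, then end the "
                  "process and delete the Run value")
    else:
        # svchost.exe on its own is a normal Windows process, not a trace.
        advice = ("no worm traces: reboots alone do not imply infection, "
                  "but the machine still needs the patch")
    return {"process_running": running, "run_values": run_hits, "advice": advice}


if __name__ == "__main__":
    for label, reg, tasks in (("infected", REG_INFECTED, TASKS_INFECTED),
                              ("clean", REG_CLEAN, TASKS_CLEAN)):
        print(label, triage(reg, tasks))
```
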

Loony BoB
08-13-2003, 10:34 AM
Okay, not sure if this is of any use to anyone else, but it helped me...

I downloaded the symantec file. Ran through the instructions (ie, deactivating System Restore, opening up commandprompt, doing that weird chktrust -i fileblast thing or whatever and all that crap) and got those errors I was talking about. I checked what file it was stopping at when it got the error (by this time I was doing everything in Safe Mode, btw, following Symantec's instructions), and found it was inside my Temp folder. Funtime! I deleted every last one of my Temporary Internet Files until I narrowed myself down to only having one file remaining, this was under Temp - Content.IE5, in one of those many jumbled folders. I couldn't rename, delete, access properties or anything, but it was still there. I ended up trying something else - opened up command prompt, moved into that directory and ran dir/w, and found only that file. I ran del *.* and it was gone. After that problem, the scan ran smoothly.

The scan took bloody ages, even after deleting all that crap. I can't find all the files that it's going through in my Local Settings folders at all, but after a few hours it finished its scan and had deleted one file from my computer. I then continued with Symantec's instructions and ran msconfig and removed Safe Mode, restarted and logged into my normal account, and at 6am this morning I started the scan again, as per instructions. The scan was still running when I left for work. Once I go back, I have to ensure that the patch is installed and then I have to reactivate System Restore.

I'll let you know how I get on =P

Ø
08-13-2003, 12:44 PM
Deleting msblast.exe may allow you to be re-infected, but the good thing is if you find and kill it, the problem does bugger off long enough for you to get a patch.

It's funny how you guys say you can't find it... because I found multiple copies of it :greenie: I must be really unsecure!

I had the patch already I just wanted the thing off my system :D

RSL
08-14-2003, 01:26 AM
Hmm, the scan is stopping on a file in my temp folder too.

I have been unable to delete my temporary internet files. No matter what method I use, it freezes up.

I still can't get the patch to work. Now when I run windows updates it tells me that it can only be done from an administrator account. This computer only has one user account, and that's me. I should be able to do anything from it (and windows update has always worked in the past...)

I might have to do that reformat yet...

Citizen Bleys
08-14-2003, 01:31 AM
I just removed the Full Control permission from the Everyone group, so you have to be Administrator to write *anything* to my hard drive. Hence, the program can't get installed.

RSL
08-14-2003, 02:06 AM
Originally posted by Loony BoB
I deleted every last one of my Temporary Internet Files until I narrowed myself down to only having one file remaining, this was under Temp - Content.IE5, in one of those many jumbled folders. I couldn't rename, delete, access properties or anything, but it was still there. I ended up trying something else - opened up command prompt, moved into that directory and ran dir/w, and found only that file. I ran del *.* and it was gone.

I did this, and everything was going great, but when I ran the del *.* it didn't delete the file...

This is driving me insane.

EDIT: I was just being an idiot.. it's been a long time since I've done anything with DOS. Guess I'll see how this goes...

Tom Morello
08-14-2003, 03:39 AM
I got that same message right now... but it seemed more like a copy... cause like... it was a pop up, and when I control + alt + delete then end tasked it, it went away and my system didn't shut down...

Is this what you guys are talking about? Or can you not end task the real thing?

crono_logical
08-14-2003, 10:47 AM
Interesting idea. I tried myself after forcing a similar situation on a test PC I have (Win2k), and found I get Access Denied if I attempt to kill the process doing the shutdown through Task Manager. However, I can kill it and prevent the shutdown using alternate process tools for WinNT systems.

Since you used the normal Task Manager though (which gives Access Denied if you try to end task through there), I think you might have got one of those annoying Messenger pop-up things disguised as one, but I'm not sure.

In any case, you should be patching your PC anyway, wouldn't be good if you suddenly got the message while you quickly left the room to do something and you return to find the PC off :p

Loony BoB
08-14-2003, 11:43 AM
Originally posted by RSL
I did this, and everything was going great, but when I ran the del *.* it didn't delete the file...

This is driving me insane.

EDIT: I was just being an idiot.. it's been a long time since I've done anything with DOS. Guess I'll see how this goes...
I'm not sure if your edit meant that you were able to solve your problems or not. Are you fixed up yet?

Yamaneko
08-14-2003, 07:01 PM
If you don't want your OS to restart while you're getting the patch (and you don't want to get a Firewall) just go into Administrative Tools > Services > Remote Procedure Call (RPC) > right click > Properties > Recovery > switch the fields that say "Restart the Computer" to "Restart the Service".

That should do it. :)

RSL
08-15-2003, 12:19 AM
Well, I'm pretty sure that I don't have this worm/virus thing. There's no trace of it on my computer. I was able to run the scan completely but it came up with nothing.

Right now I'm having a heck of a time getting the patch to install, but I suspect that's because of my computer settings, not because of this worm/virus.

But I don't think I'll have to reformat since I don't appear to have this thing. Thank you everyone who attempted to help me, I appreciate it a lot! :)

Dr Unne
08-15-2003, 12:44 AM
Just a word of advice in general. Running a firewall (assuming you know how to use it) would've completely protected everyone from this virus. If you want a free firewall that's pretty easy to use, http://www.zonelabs.com/store/content/company/zap_za_grid.jsp is a pretty good one. Or if you can find an old version of Tiny Personal Firewall that's free, that's good too. But running a firewall would protect you against attacks like this, and it'd also let you know when you have a virus that's trying to make connections OUT of your computer to other computers. It's always a good idea to run a firewall.

Loony BoB
08-15-2003, 03:37 AM
I have no idea why, but ZoneAlarm didn't save my machine. =/

Yamaneko
08-15-2003, 05:11 AM
Originally posted by Loony BoB
I have no idea why, but ZoneAlarm didn't save my machine. =/
Could be very possible that you allowed it to connect to your computer when your firewall prompted you.

Loony BoB
08-15-2003, 09:15 AM
Hrmm. I can't think of any time in the past few months that I've even been prompted, actually. I have everything unrecognised automatically set to block unless it's originating from my computer, and then I get prompted. The only time I've been prompted lately is when I installed a new game, but that was after I removed the worm, so go figure. I think I got it while I was on holiday, actually. I leave my computer on 24/7.

Ø
08-15-2003, 02:18 PM
Hmm, the "blaster worm" as they are calling it... has only just been reported on Sky News :eek:

My god they're slow... by the time they've started a scare we've all learned to kill it :) By the way Yamaneko, that was good advice, I certainly would never have thought to do that!