NT Authority


Post by Bobtheduck » Wed Sep 01, 2004 8:01 am

I reset my comp (formatted and reinstalled Windows).

As soon as I logged on, I faced problems. Besides minor things like not having my CAA password (I went through some of my common passwords and it was one I use in another place... Not very comforting, I try not to use any password twice...) I immediately got hit by an abuse of a security flaw... My computer, within minutes, crashed 3 system processes and shut down because of what it called "NT authority"

Well, I don't have NT, first off, or win2000 for that matter, so I tried to look it up, but it would reset my comp before I had a chance to look anything up... So I used the laptop I was conveniently borrowing and found out it was linked to a virus... Well, I ran the virus scan... Nothing... I ran the stuff it told me to... Nothing... I turned off Windows Messenger (which I do anyhow) and the thing that was making it reset on crashing of system files... So, it doesn't reset anymore, but I bet that the crashing of these files is the primary cause of my computer's problems before I reset everything, too... And if it's a trojan, Norton won't pick it up...

Oh, BTW for whoever on staff that gets my letter, or reads my livejournal, that was before I tried some possible passwords... So, you can ignore that... Friday is still my last normal day...

Post by Link Antilles » Wed Sep 01, 2004 9:05 am

O_o Whoa, lemme get this straight.... you reformatted and reinstalled Windows.... and after a little bit of time on the 'net... you got what appears to be a virus? What kind of connection do you have? If 56k... that kinda puzzles me. That's pretty fast for it to jump on your system..... (Random thought: Isn't it true that some viruses can lie dormant in RAM, or is that a rumor I heard?)


Wait! I know what it is.... just realized! D'oh! *smacks head*

You get that "Windows must now restart because Remote Procedure Call (RPC) Service terminated unexpectedly", right? That's MSBLAST aka MSBLASTER worm, alright.... I'm pretty sure.



Alright here's how you rid thyself of this problem.

First off... we need to give you time to get rid of the problem.... do this..

"You can disable this shutdown by following the steps below during the countdown

1. Click on Start, Run
2. Type in CMD and press ENTER
3. Type in the following command and press Enter

SHUTDOWN -A

This will terminate the shutdown, however in most cases the system may be too unstable to try to recover and may need to be rebooted anyway."

Alright... now to kill it...

Here's the removal tool...

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

You'll still need to download the DCOM RPC Exploit patches for Windows.

Hope that helps! :thumb:

Post by Bobtheduck » Wed Sep 01, 2004 9:45 am

The scary thing is, I think this is a new variant or something, because Norton didn't pick it up... So, I don't know if it's gone... I could have given someone credit card info and passwords at half, ebay, netflix... If this stayed on my system when I reset everything, there's nothing I can do to get rid of it... I have a big waste of 1100 bucks (well, it's worth less now, but that's about how much we paid for it initially)

Post by Link Antilles » Wed Sep 01, 2004 10:31 am

Bobtheduck wrote: The scary thing is, I think this is a new variant or something, because Norton didn't pick it up... So, I don't know if it's gone... I could have given someone credit card info and passwords at half, ebay, netflix... If this stayed on my system when I reset everything, there's nothing I can do to get rid of it... I have a big waste of 1100 bucks (well, it's worth less now, but that's about how much we paid for it initially)


I wouldn't worry too much... the thing about viruses staying in RAM is only rumor at best, I hope. Otherwise, it's very very rare. We'll let the big computer aficionados here confirm that.

Anyways.....


As for MSBLAST.... it's rather harmless. All it does is restart your system. Most likely this is your problem, because it attacks any unprotected system right off the bat when they connect to the Internet.

Also, I highly doubt it's a new variant, because the creator was arrested a while back. Then again, a hacker could have modded it, but I've heard no news of that. Btw, if memory serves.... Norton could never detect it in the first place.

You should be fine. ^_^

Post by Kaligraphic » Wed Sep 01, 2004 12:19 pm

No, viruses cannot remain in RAM past a reboot. They have to be reloaded from the disk or reinfected from the network. While there exist RAM-only viruses, these viruses can be removed simply by rebooting. That said, the problem does sound like it is MSBlaster, so I'd say:
1: run services.msc, find "remote procedure call", and double-click on it. Go to the recovery tab of the box that comes up, and set all the failures to "restart the service" instead of "restart the computer".
2: run the removal tool that Link Antilles linked to.
3: run Windows Update and download the bajillion or so critical updates you've probably got waiting.
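
A command-line form of step 1 above, combined with the SHUTDOWN -A step quoted earlier in the thread, as an added example that is not part of any poster's reply. It assumes an administrator command prompt and that the Remote Procedure Call service has its usual short name, RpcSs; the 60-second delay and one-day reset period are illustrative values.

```batch
@echo off
rem Added example, not from the thread.
rem Assumptions: administrator cmd prompt; the Remote Procedure Call
rem service uses its usual short name, RpcSs.

rem Cancel a shutdown countdown if one is running. Output and errors are
rem discarded because there may be no shutdown pending.
shutdown -a >nul 2>&1

rem Show the recovery actions as they are now, so the change is visible.
echo --- Recovery actions before the change ---
sc qfailure RpcSs

rem Step 1 of the post: on the first, second and subsequent failures,
rem restart the service after 60000 ms instead of restarting the computer.
rem reset= is the time in seconds after which the failure count is cleared.
rem The space after each "=" is required by sc.
sc failure RpcSs reset= 86400 actions= restart/60000/restart/60000/restart/60000
if errorlevel 1 (
    echo Could not change the recovery actions. Run this from an administrator prompt.
    exit /b 1
)

rem Show the result; every listed action should now be RESTART.
echo --- Recovery actions after the change ---
sc qfailure RpcSs

echo Next: run the removal tool, then Windows Update (steps 2 and 3).
```

This only stops the forced restarts so there is time to work; the removal tool and the patches from steps 2 and 3 are still what clears the infection and closes the hole.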

