
NT Authority

Posted: Wed Sep 01, 2004 8:01 am
by Bobtheduck
I reset my comp (formatted and reinstalled windows)

As soon as I logged on, I faced problems. Besides minor things like not having my CAA password (I went through some of my common passwords and it was one I use in another place... Not very comforting, I try not to use any password twice...) I immediately got hit by an abuse of a security flaw... My computer, within minutes, crashed 3 system processes and shut down because of what it called "NT authority"

Well, I don't have NT, first off, or win2000 for that matter, so I tried to look it up, but it would reset my comp before I had a chance to look anything up... So I used the laptop I was conveniently borrowing and found out it was linked to a virus... Well, I ran the virus scan... Nothing... I ran the stuff it told me to... Nothing... I turned off Windows Messenger (which I do anyhow) and the thing that was making it reset on crashing of system files... So, it doesn't reset anymore, but I bet that the crashing of these files is the primary cause of my computer's problems before I reset everything, too... And if it's a trojan, Norton won't pick it up...

Oh, BTW for whoever on staff that gets my letter, or reads my livejournal, that was before I tried some possible passwords... So, you can ignore that... Friday is still my last normal day...

Posted: Wed Sep 01, 2004 9:05 am
by Link Antilles
O_o Whoa, lemme get this straight.... you reformatted and reinstalled windows.... and after a little bit of time on the 'net... you got what appears to be a virus? What kind of connection do you have? If 56k... that kinda puzzles me. That's pretty fast for it to jump on your system..... (Random thought: Isn't it true that some viruses can lie dormant in RAM or is that a rumor I heard? )


Wait! I know what it is.... just realized! D'oh! *smacks head*

You get that "Windows must now restart because Remote Procedure Call (RPC) Service terminated unexpectedly", right? That's MSBLAST aka MSBLASTER worm, alright.... I'm pretty sure.



Alright here's how you rid thyself of this problem.

First off... we need to give you time to get rid of the problem.... do this..

"You can disable this shutdown by following the steps below during the countdown

1. Click on Start, Run
2. Type in CMD and press ENTER
3. Type in the following command and press Enter

SHUTDOWN -A

This will terminate the shutdown, however in most cases the system may be too unstable to try to recover and may need to be rebooted anyway."

Alright... now to kill it...

Here's the removal tool...

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

You'll still need to download the DCOM RPC Exploit patches for windows.

Hope that helps! :thumb:

Posted: Wed Sep 01, 2004 9:45 am
by Bobtheduck
The scary thing is, I think this is a new variant or something, because Norton didn't pick it up... So, I don't know if it's gone... I could have given someone credit card info and passwords at half, ebay, netflix... If this stayed on my system when I reset everything, there's nothing I can do to get rid of it... I have a big waste of 1100 bucks (well, it's worth less now, but that's about how much we paid for it initially)

Posted: Wed Sep 01, 2004 10:31 am
by Link Antilles
Bobtheduck wrote: The scary thing is, I think this is a new variant or something, because Norton didn't pick it up... So, I don't know if it's gone... I could have given someone credit card info and passwords at half, ebay, netflix... If this stayed on my system when I reset everything, there's nothing I can do to get rid of it... I have a big waste of 1100 bucks (well, it's worth less now, but that's about how much we paid for it initially)


I wouldn't worry too much... the thing about viruses staying in RAM is only rumor at best, I hope. Otherwise, it's very very rare. We'll let the big computer aficionados here confirm that.

Anyways.....


As for MSBLAST.... it's rather harmless. All it does is restart your system. Most likely this is your problem, because it attacks any unprotected system right off the bat when they connect to the Internet.

Also, I highly doubt it's a new variant, because the creator was arrested a while back. Then again, a hacker could have modded it, but I've heard no news of that. Btw, if memory serves.... Norton could never detect it in the first place.

You should be fine. ^_^

Posted: Wed Sep 01, 2004 12:19 pm
by Kaligraphic
No, viruses cannot remain in RAM past a reboot. They have to be reloaded from the disk or reinfected from the network. While there exist RAM-only viruses, these viruses can be removed simply by rebooting. That said, the problem does sound like it is MSBlaster, so I'd say:
1: run services.msc, find "remote procedure call", and double-click on it. Go to the recovery tab of the box that comes up, and set all the failures to "restart the service" instead of "restart the computer".
2: run the removal tool that Link Antilles linked to.
3: run Windows Update and download the bajillion or so critical updates you've probably got waiting.
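
A command-line form of the "stop the forced reboot" steps in this thread (SHUTDOWN -A plus the services.msc recovery change), as an added example that is not part of any post above. It assumes an administrator command prompt on the XP-era system being discussed; `RpcSs` is the short service name behind "Remote Procedure Call (RPC)", and the 60-second delay and one-day reset period are illustrative values.

```bat
@echo off
rem Added example, not from the thread. Run from an administrator prompt.

rem Cancel a pending shutdown countdown. The command fails harmlessly
rem when no shutdown is in progress, so its output is discarded.
shutdown -a >nul 2>&1

rem Show the recovery (failure) actions currently set for the RPC service.
sc qfailure RpcSs

rem Restart the service on the first, second and subsequent failures
rem (60000 ms delay each) and reset the failure count after one day.
rem sc requires the space after each "=".
sc failure RpcSs reset= 86400 actions= restart/60000/restart/60000/restart/60000
if errorlevel 1 (
    echo Could not change the recovery settings; use services.msc instead.
    exit /b 1
)

rem Verify that no reboot action is left. Match "REBOOT --" so the
rem REBOOT_MESSAGE line that sc always prints is not counted as a hit.
sc qfailure RpcSs | findstr /C:"REBOOT --" >nul
if not errorlevel 1 (
    echo RpcSs still has a reboot action configured.
    exit /b 1
)

echo RpcSs recovery now restarts the service instead of the computer.
```

This only buys time to work on the machine; the removal tool and the Windows updates from steps 2 and 3 are still needed.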