Who is NT Authority\System and Why does he restart my PC?



Chilling_Silently
12-08-2003, 12:01 PM
Who is NT Authority\System and Why does he restart my PC?
It's my Gateway running WinXP Pro.. and it keeps rebooting...?

Why does somebody I never authorised shut down my PC?

godfather
12-08-2003, 12:07 PM
Haven't read the postings this morning have we Chilling?

Look here (http://pressf1.pcworld.co.nz/thread.jsp?forum=1&thread=38193)

Chilling_Silently
12-08-2003, 01:33 PM
> Haven't read the postings this morning have we
> Chilling?

Nup!

You know me ;-)

Thanks though, it would appear I'm far from alone in this dilemma mind you.

Any word on why it would have only started today? I was connected fine all last night until around 2AM when I rebooted the Gateway.. What would have made it begin today of all days?

stu140103
12-08-2003, 01:43 PM
We are also running Win XP Pro on our gateway & we have not had this problem yet (as far as I am aware) ** touch wood **

Greg S
12-08-2003, 02:15 PM
Ahhh - what bliss it is to never have these issues because I'm running behind a correctly configured firewall :) *gloat*

Steve Askew
12-08-2003, 02:15 PM
> Any word on why it would have only started today? I
> was connected fine all last night until around 2AM
> when I rebooted the Gateway.. What would have made it
> begin today of all days?


Hey Chill, it happened to me once last week & I didn't realise what was happening.
When I was returning to my PC, I saw that popup just for a few seconds, but not long enough to read it.
It must have been a one-off at the time as everything was fine till this morning.

cheers steve

John Grieve
12-08-2003, 02:20 PM
This has to be one of the worst Windows attacks in a while. I moderate a tech forum on another NZ site and it exploded with questions about this attack and its effects today.

Firewall and the specific Windows patch is what's needed to slow it. It surprises me that the public still obviously neglects to use what's available to protect one's PC from the evildoers. A Windows machine without a decent firewall is like a bank with all its cash laid out on tables in a public space....asking for it!

Chilling_Silently
12-08-2003, 02:31 PM
Oh I agree totally.. hence why I run Redhat 9 ;-)

Peter H
12-08-2003, 02:50 PM
That's why I run W98se !!!! Far better.
Bye

stu140103
12-08-2003, 03:20 PM
That's why I run Win ME :D

Jim B
12-08-2003, 03:31 PM
People, especially those using XP or Win2000, are advised to download patches urgently.

The worm in question is known as the W32/Lovsan.worm or W32.Blaster.Worm. Rather than propagating via e-mail, the worm seeks to connect to another vulnerable machine using a "remote procedure call" (RPC). Early versions of the worm used ports 135 and 4444 for this. However, the latest versions of the worm seem to be using randomly selected ports, making them difficult to block.
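
The propagation pattern Jim B describes (one source opening TCP 135 to many different addresses, with early variants then using 4444) is easy to pick out of outbound firewall logs. Added defensive example, not code from the thread: a small Python detector run over constructed sample log lines in an assumed whitespace-separated layout (not any real product's format).

```python
# Added example (not from the thread): flag log sources that scan TCP 135 broadly or touch 4444.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in an assumed whitespace layout (not a real product's):
# date time action proto src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2003-08-12 14:01:03 ALLOW TCP 192.168.1.10 1041 10.0.0.1 135
2003-08-12 14:01:03 ALLOW TCP 192.168.1.10 1042 10.0.0.2 135
2003-08-12 14:01:04 ALLOW TCP 192.168.1.10 1043 10.0.0.3 135
2003-08-12 14:01:04 ALLOW TCP 192.168.1.10 1044 10.0.0.4 135
2003-08-12 14:01:05 ALLOW TCP 192.168.1.10 1045 10.0.0.5 135
2003-08-12 14:01:06 ALLOW TCP 192.168.1.10 1046 10.0.0.5 4444
2003-08-12 14:02:10 ALLOW TCP 192.168.1.20 1050 10.0.0.9 135
2003-08-12 14:02:11 ALLOW TCP 192.168.1.20 1051 192.168.1.1 80
"""

RPC_PORT = 135       # port the worm scans for the vulnerable DCOM RPC interface
SHELL_PORT = 4444    # port early variants connected to on a freshly exploited host
SCAN_THRESHOLD = 5   # distinct 135 targets before a source counts as a scanner

@dataclass
class SourceActivity:
    rpc_targets: set = field(default_factory=set)    # hosts probed on 135
    shell_targets: set = field(default_factory=set)  # hosts contacted on 4444

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for a TCP log line, or None otherwise."""
    parts = line.split()
    if len(parts) != 8 or parts[3] != "TCP" or not parts[7].isdigit():
        return None
    return parts[4], parts[6], int(parts[7])

def find_scanners(log_text, threshold=SCAN_THRESHOLD):
    """Map each suspicious source IP to the SourceActivity that got it flagged."""
    activity = defaultdict(SourceActivity)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport == RPC_PORT:
            activity[src].rpc_targets.add(dst)
        elif dport == SHELL_PORT:
            activity[src].shell_targets.add(dst)
    # Flag a source if it probed many RPC endpoints or touched the 4444 shell port at all.
    return {src: act for src, act in activity.items()
            if len(act.rpc_targets) >= threshold or act.shell_targets}
```

Calling `find_scanners(SAMPLE_LOG)` flags only 192.168.1.10 (five hosts probed on 135 plus a 4444 connection); the single 135 probe from 192.168.1.20 stays below the threshold.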

Thomas
12-08-2003, 03:39 PM
Anybody know why I get this?

Cannot display the page
The page you are trying to view cannot be displayed because the server it resides on does not respond. Please try again later.

This is me asking XP to update; it says I don't have an internet connection, which I do.

I will add, it says this every time I go to Windows Update.

Jester
12-08-2003, 03:45 PM
Thomas:

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

bruciebear
12-08-2003, 03:47 PM
My son has this problem; he just phoned me. So how can you stay online long enough to download patches? Any ideas? I will point him to the patches. Thanks

PoWa
12-08-2003, 03:49 PM
Chill, why isn't your gateway PC running Linux? I would've thought it would be safer to do that ;)

John Grieve
12-08-2003, 04:02 PM
I just cut and pasted this from our forums so I hope you can make sense of it alright. This works fine apparently to get online long enough to get the patch.

"msblast should be in windows task manager, remove it from there, then go to hk_local_machine\software\microsoft\windows\currentversion\run and delete 'windows auto update = msblast.exe'. That should enable you to stay online long enough to get the patch from www.microsoft/technet, it's on the main page."

The msblast is the payload you need to disable.

metla
12-08-2003, 04:08 PM
What a day, I've been trying to remove the *&^% for hours, couldn't stay online for more than a few minutes before she decided to shut down.

Anyway, I've applied the patch so here's hoping.

On my machine it appeared as msblast.exe positioned in windows>system32. In the start up list it showed up as msblaster-ms office automatic updater (yeah right). I also noticed it has completely disabled XP updater, and running the cleaner from moosoft it identifies it as autorooter trojan.

I highly suggest people download the cleaner from www.moosoft.com and run it after applying the patch.

Chilling_Silently
12-08-2003, 07:10 PM
I can upload the patch as a split .zip file if people want?

I'm going out, but it'll be up by 10PM with a URL for you all.. I'll split it into 70kb files so you can download them in 60 seconds before you get cut off or whatever...

Chilling_Silently
12-08-2003, 07:29 PM
For those who aren't too keen on registry editing, you can download the patch files from:
http://www.rescuemannz.orcon.net.nz/patch/

the files are named:
http://www.rescuemannz.orcon.net.nz/patch/patch.zip
and then there's:
http://www.rescuemannz.orcon.net.nz/patch/patch.z01
all the way to:
http://www.rescuemannz.orcon.net.nz/patch/patch.z17

You'll need WinZip 6.4 or higher to open them when they're done.

I don't care if nobody actually uses it.. but it's there if people want. 18 files... from .zip and .z01 to .z17

:-)

I'm uploading now.. could be another 15 mins before it's finished.

Sam H
12-08-2003, 07:37 PM
I'm not sure which patch to download, Windows XP 32bit or 64bit. It's not actually for my PC but someone else's, running XP Home, so which one should I download for them?

Mike
12-08-2003, 07:47 PM
> windows xp 32bit or 64bit

32bit.

Mike.

Chilling_Silently
12-08-2003, 07:48 PM
32 Bit :-)

John Grieve
12-08-2003, 10:03 PM
Another way to disable this thing long enough to get the patch.

Boot up your computer.
Await the message informing you of the shutdown in 60 seconds.
Open up Start > Run and type in "shutdown.exe -a" (minus the quotes).
Now that the shutdown procedure has stopped, you have time to grab the patch.
Once you're all patched, use a virus scanner to check if you have one of the variations that leaves files on your HDD.

PoWa
12-08-2003, 10:21 PM
Surely this thing can't boot when you're in safe mode?? What's to stop you from just removing the registry startup keys, rebooting again, and then next time you'll have all the time in the world to deal with it. Norton's have issued their live update for this much earlier today, I think it was even under 60kb.

> Ahhh - what bliss it is to never have these issues because running behind a correctly configured firewall *gloat*

LOL, yes. The time n effort pays off ay :D You guys should take a lesson from my aussie friend on 56k (5 Firewalls and 2 antivirus). Enough said.

stu140103
12-08-2003, 11:01 PM
> LOL, yes. The time n effort pays off ay :D You guys
> should take a lesson from my aussie friend on 56k (5
> Firewalls and 2 antivirus). Enough said.

We are running two firewalls on Win XP Pro on our gateway & we have not had this problem!

metla
12-08-2003, 11:11 PM
Well, I booted into safe mode and removed the reg string more than once, only to find within a few minutes of getting on the net that the puter was once again shutting itself down.

I also ran trojan killers in safe mode, which identified the reg entry and other associated files, and deleted what it found, only to find once again after a re-boot that everything had replicated and my puter was again shutting down.

Now either it's a particularly cunning nasty, or I was getting re-infected with it the moment I dialled up the net.

Either way, the only thing that put a stop to it long enough to get rid of it was installing the patch from MS.

In the future i will continue to ignore all security updates,Run no firewall,and keep system restore disabled.

..................................HA

Murray P
12-08-2003, 11:46 PM
There's a new variant out there as below. So update your virus definitions. If it's a dropper worm (which most like this seem to be) you'll get self replicating, randomly named files popping up all over the show that re-spawn the trojan/exploit, until you clean your system. Stop it then patch, maybe turning off the service will help.

Dear Trend Micro customer,

TrendLabs has received several infection reports of this new worm named WORM_MSBLAST.A which exploits the RPC DCOM BUFFER OVERFLOW, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

This worm has been observed to continuously scan and send data to vulnerable systems in the network using port 135. When the system date is August 15, it performs a Distributed Denial Of Service attack against windowsupdate.com.

HTH Murray P

Murray P
13-08-2003, 12:34 AM
Or try this one at MS (http://support.microsoft.com/default.aspx?scid=kb;en-us;231917), Thomas.

Cheers Murray P

Term_X
13-08-2003, 12:45 AM
I had the same error msg...nt/system is shutting down..kept rebooting the damn PC

Anyway..Thomas correctly gave the right link, I downloaded the patch and now I'm SWEET AS

GET THAT DAMN PATCH NOW NOW NOW

Buuuut..the thing is..don't waste time..soon as you're online go to the link Thomas gave and then download it straightaway.. I managed to sneak the download in before the PC rebooted and installed it after the reboot so now I'm cruisin' the net highway like before.. ahhhh.. lol

peace yalls

Term_X

tweak\'e
13-08-2003, 12:48 AM
i just saw this.......

W32.Blaster.Worm Removal Tool

For all the people who were victims of the W32.Blaster.Worm (we reported), Symantec has released a tool to remove the worm. What the tool does:
Terminates the W32.Blaster.Worm viral processes.
Deletes the W32.Blaster.Worm files.
Deletes the dropped files.
Deletes the registry values that the worm added.
Download the tool over here (http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html)
and make sure to secure your system by downloading the Microsoft Hotfix (http://www.warp2search.net/modules.php?name=News&file=article&sid=13750)

neptune
13-08-2003, 01:04 AM
Hi,

I don't think I have got it yet, but not sure on it.
I got a message from Sygate saying a file was trying to access the internet.. and I clicked on "do not allow".
When I look under security logs in Sygate Firewall, it says:

"08/12/2003 23:08:01 Executable File Change Denied Major Outgoing TCP 216.187.107.31 0.0.0.0 E:\Program Files\Internet Optimizer\optimize.exe 1 08/12/2003 23:07:59 08/12/2003 23:07:59"

This is showing under logs for Sygate.
Is this file related to the virus, or is it just a case of spyware, or is it normal and part of IE 6.0?

Cheers

PoWa
13-08-2003, 01:40 AM
Why don't you use GETRIGHT!!!! if it's stopping your download before it finishes

bmason
13-08-2003, 01:49 AM
Just cleaned it off my dad's computer. The latest AVG update picks it up.

Ironically, since he only uses the computer for email he probably got infected while downloading the virus update.

Going back tomorrow because AVG doesn't remove everything. And to patch & install a firewall.

Chilling_Silently
13-08-2003, 01:54 AM
Because over 90% of the people here would have to download GetRight.. now how big is the installer's EXE?

It's just adding to the stress, hence why splitting it up, or temporarily removing the virus, is a good solution.. or even permanently removing it :D

PoWa
13-08-2003, 02:46 AM
Yer but all 56k users should have a copy of getright, first point of call. How can you do without it? argh! :)

Greg S
13-08-2003, 10:36 AM
Just curious... why 32 and not 64?

Greg S
13-08-2003, 10:38 AM
> Ironically, since he only uses the computer for email
> he probably got infected while downloading the virus
> update.

haha!

> & install a firewall.

Good man!

Chilling_Silently
13-08-2003, 12:59 PM
> Just curious... why 32 and not 64?

Because you don't have a 64-bit processor, do you :-)

John Grieve
13-08-2003, 03:19 PM
I decided to do a bit of digging around about all this and it's somewhat interesting what I found.

It may be possible to use a program called Dcomcnfg.exe in 2000 to disable the DCom functions long enough to update as well as the other ways posted.

http://www.uksecurityonline.com/husdg/windows2000/close135.htm

And these are interesting just if you want to know more about DCom and US reaction etc.

http://cexx.org/rpcss.htm
http://support.cox.net/custsup/safety/port_135.shtml
http://nsit.uchicago.edu/alert/port-135.html
http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=2210
http://www.iss.net/security_center/advice/Exploits/Ports/groups/Microsoft/default.htm

It would appear from some of this that fixing this permanently might just be a problem and port 135 might have to be blocked permanently online eventually. I wonder if any particular people would benefit from port 135 being blocked worldwide permanently? (I am an old conspiracy nut so take no notice of that :D )

And this is an explanation of how to deal with it with pretty pictures to show all.

http://www.f-secure.com/v-descs/msblast.shtml

Beef
13-08-2003, 07:18 PM
So this doesn't affect anyone below XP/2000?

Excellent, thank you Bill Gates (he's still a fag)

vk_dre
13-08-2003, 07:25 PM
One of my friends says he's had this problem on Win ME for over 1 year, but he can't be bothered fixing it. I don't believe him.....is it true or is he making this up?:D

PoWa
13-08-2003, 07:32 PM
Lol he's probably not making it up. He probably disabled a few services from starting up :P

parry
13-08-2003, 07:35 PM
No, doesn't affect WinMe, which is what my desktop is. My laptop however is XP, but on hearing that the intention is a DOS on M$, maybe I'll leave it unpatched until 17/8 ]:)

PoWa
13-08-2003, 07:47 PM
> My laptop however is XP, but on hearing that the intention is a DOS on M$, maybe I'll leave it unpatched until 17/8

ROFL. I like your style. I'm wondering why the virus creator didn't set the upcoming DOS attack on MS to start from say the 13/14. Seems everyone is getting it about now. Too much longer and everyone will have the thing fixed!

robsonde
13-08-2003, 08:03 PM
> Too much longer and everyone will have
> the thing fixed!

this would be good if it was true....

<rant mode>

People don't patch, don't fix, don't care. If people patched and fixed then we would be rid of "code red" but every day I get hits from it looking for a way in.

I don't blame MS for this at all, the patch has been out for a few weeks, who patched their system before yesterday?? ( I did :-) )

</rant mode off>

Gorela
13-08-2003, 08:34 PM
Hi John,

If you are interested in knowing a bit more this link (http://www.xfocus.org/advisories/200307/4.html) is supposedly a proof of concept for the DCOM exploit :D

Personally I think it is primarily to exploit the Joe Blow user rather than corporates. Who in their right mind would pin-hole 135 :)

parry
13-08-2003, 10:07 PM
> ROFL. I like your style. I'm wondering why the virus creator didn't set the upcoming DOS attack on MS to start from say the 13/14. Seems everyone is getting it about now. Too much longer and everyone will have the thing fixed!


Ive been thinking about the dates and my spin on it is this....

1) If you wreak havoc for a few days before payload date the publicity level is greater - exactly what the culprit wants.

2) How many people will be ringing MS or downloading from their site? Heaps!! This has a similar effect to the actual virus itself - it causes lots of work at MS with an increase of traffic on their site.

3) He obviously wants MS worried and the world to know about it. Builds the tension if you leave it for a few days.

PoWa
14-08-2003, 02:28 AM
Did anyone read this from the last link (http://www.f-secure.com/v-descs/msblast.shtml) John posted?

" The worm contains these texts (which are not displayed):
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!! "

ROFL again.

jcr1
14-08-2003, 08:19 AM
Thanks John Grieve, your procedure gave me time to get onto the Symantec site, use the removal tool, then download the patch from microsoft.
Whew, what excitement!

Beef
14-08-2003, 08:16 PM
So in theory the virus only intends to piss everyone off and not "exactly" do any harm..so what will happen to windowsupdate.com when this is triggered...just out of curiosity

Chilling_Silently
15-08-2003, 01:32 PM
windowsupdate.com goes down :-)

Simple as that!