Re: system shutdown screen

From: Mcploppy © (gregMYSHOEScrawfordMYSHOES_at_hotmail.com)
Date: 04/17/04 

Date: Sat, 17 Apr 2004 22:28:23 +0100

anonymous@discussions.microsoft.com bashed at the keyboard and said :

> does anyone get a message stating that nt authority
> system is shutting down your computer. you have 60
> seconds to save your work before shutdown. rpc has sent
> this to you. i only get it when i connect to the
> internet. i have wind. xp help. where is microsoft when
> you need them?? they sure promised support when i paid
> 120.00 dollars for their upgrade

*FROM A PREVIOUS POST*

You have the MSBlaster worm. To remove it, do the following:

The following instructions are in three parts

1. Stop it from running
2. Remove it from your system
3. Make sure it doesn't come back

Before starting make sure you have a firewall active see step 3a:

1. Stop it from running
Press Ctrl-Alt-Delete to bring up the Task Manager, then on theProcesses
tab, click msblast.exe and then "End process."
Reply "Yes" to the warning message that comes up.

This stops the worm from running, so your system will not shutdown. However,
it doesn't remove it, and if that's all you do, it will start up again the
next time you boot.

***
2. Remove it from your system

a. Download a removal tool from a link below.

But if that's all you do, you can get reinfected just as you did the first
time.

***
3. Make sure it doesn't come back

a.MAKE sure you're running a Firewall that prevents worms like this from
getting in. You can enable the built-in Windows XP firewall, or(preferred)
download and install another one such as the free version of ZoneAlarm. To
enable the built- in firewall, go to Control Panel, double-click Networking
and Internet Connections, then click Network Connections. Right-click your
connection, then click Properties, and on the Advanced tab, click the option
"Protect my computer and network...".

Note: the built in firewall only monitors incoming traffic not outgoing(ie
spyware, trojans, etc.. you may have on your system).

b.If you've disconnected your internet connection, reconnect it.
Download and install the Microsoft patch at
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

That will remove the vulnerability that the worm exploits.

c.MAKE sure you are running an Anti-Virus program, and that you regularly
download the latest updated virus definitions.

----------------------------------------------------------------------------
------------------------------------------------------------------
If you connected the PC to the Internet without having first installed the
KB824146 Hotfix, without having first installed an antivirus application
with current virus definition files, and before enabling a firewall, you're
very likely to get infected from any of the thousands of PCs on the Internet
that are constantly broadcasting the Blaster and/or Welchia worms. It only
takes a few seconds of exposure.

To stay on-line long enough to get the necessary updates, patches,and
removal tools, click
Start > Run, and enter "shutdown - a" when the next RPC countdown begins.
This will abort the shut down. Also, make sure you've enabled a firewall
before starting, to preclude any more intrusions while getting the
updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

Protect Your PC
http://www.microsoft.com/security/protect/default.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html 

-- 
McPloppy ©
{ Remove both MyShoes to email me }
{ Homepage: http://tinyurl.com/bbel }
{ Local Radio: http://tinyurl.com/j1vi }
{ My Alternative Site: http://tinyurl.com/rynb }

Relevant Pages

  • Re: XP rebooting
    ... Problem with both of these fixes obviously - I CAN'T GET INTO WINDOWS. ... > and your computer has been infected by the Sasser worm, ... disconnect from the Internet: ... > Step 5: Enable a Firewall ...
    (microsoft.public.security.virus)
  • RE: XP rebooting
    ... sasser virus as sasser is more prevalent these days. ... take these steps to update your software, remove the worm, and help ... To avoid further problems, disconnect from the Internet: ... Step 5: Enable a Firewall ...
    (microsoft.public.security.virus)
  • Re: Cant access the Internet from behind a 192.168.1.x net using natd
    ... computer without a firewall. ... Can't access the Internet from behind a 192.168.1.x net using natd ... > Here's one set of firewall rules I tried: ... > # End of required user input if you only intend to allow ssh connections ...
    (FreeBSD-Security)
  • Re: blaster worm
    ... The first thing you should do is enable Windows XP's built-in Firewall: ... then click Network Connections. ... internet security package, such as: ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Connection Sharing on demand
    ... user has to authenticate for each time they want an Internet service, ... That can be done as a firewall application with lots ... you'd have the user connect to a server ... mentioned blocking inbound connections - that's trivial to do with the ...
    (comp.os.linux.networking)