
Need Info on how to stop a hack Ip scanning NT/authority Smart PPl PLZ 1


JPirate

Programmer
Aug 11, 2003
OK ... A few days ago... a message box on my computer emerged saying I had to save and close all my programs in use... cause a remote shutdown was in progress, I had only one minute... :( ... so I did... It shut down.... I was using a connection which was not firewalled at the moment (I THOUGHT) ... not sure... The User who said was shutting my computer down.. was (NT AUTHORITY/ SYSTEM). CAN HE TURN OFF MY FIREWALL REMOTELY? Then when I restarted my pc... an unknown file was in my start folder.. and my computer did not recognize which program to use to open it... I found it very... suspicious.. so I deleted it... I thought I had firewalled that connection.. ... using built in OS firewall... I did a system restore... and used for a while the "netstat" command in MS DOS... to check out regularly if someone was on my pc... did not find anything irregular... now today... it happened again... :( ... I thought the problem was over... but the same user called (NT AUTHORITY/ SYSTEM) restarted this time my computer :( ... I AM REALLY MAD
now checking out these forums someone gave me the idea to check my error log files... OMG!!!!!!! A LOT OF ERRORS FROM NT AUTHORITY / SYSTEM .. errors about REGISTRY'S... and something saying ... that the NT AUTHORITY/ SYSTEM ... was trying to START some controls in my system like NAVAP , and BACKGROUND INTELLIGENT TRANSFER SERVICES STUFF LIKE THAT.... someone pls please help me I want to stop this.... and I want to get him back! I will be very thankful, I want to know ... what is causing this.. .how is he doing this??? Would like to learn commands on MS DOS... anything you can help :) PLZ!!!! WHERE DID HE SCAN MY IP???? through msn messenger ???? could that be done? .. .plz help!!!!!!
 
Get the appropriate security patches from Windows Update and enable a firewall. Do a thorough virus scan (see faq760-3862). You may need to restore the registry using System Restore (if available).
 
The XP forum has been swamped all day with this, as have other Forums and the MS newsgroup sites. There is a worm going around (MSBLASTER) that is causing serious problems at the moment.

The fix, the Microsoft security patch, and all workarounds can be seen here: thread779-627674
 
bcastner you seem to know a lot about this... but I'm not sure if I have the mblaster worm... I did find a file called UNWISE.EXE. I read in another forum... that this file should not be attempted to be deleted... so I haven't ... I did download Trend Micro's Free System Cleaning software... but it did not work... since the log file said not to have found any viruses... and it also said that a lot of the files were access denied.... not sure why... I thought it was supposed to have access to all of this... After I spent 3 hours plus scanning viruses with this software... I'm not sure if this NT Authority/system has anything to do with this UNWISE.EXE ... which I found on my C: or does the mblaster.exe... I tried to search mblaster on my pc... no files were found... only Windows update files came up :s ... some advice plz :)
 
Unwise.exe is a de-installer for the Wise Installation program, a commonly used software installation handler. Leave it alone.

Install a firewall, if using XP you can enable the default firewall.

Apply the Microsoft patch.

You should be fine now.

See the discussions about NT Authority/System in the Windows XP Forum. There are many.
 
Be sure to read the whole thread here before doing anything: thread779-627674
 
Dear mr. bcastner ...

I appreciate your help ... still I turned on my XP firewall .... I haven't been shut down remotely .. but in my event viewer LOG I have found that something or someone by the USER NAME NT AUTHORITY/SYSTEM is still sending start controls after I turned it on ... (I thought it was turned on when I was shut down remotely the first time) ... like: {copied and pasted from the log}

*The Remote Access Auto Connection Manager service was successfully sent a start control.

*The SymEvent service was successfully sent a start control.

*The Remote Access Auto Connection Manager service was successfully sent a start control.

*The SSDP Discovery Service service was successfully sent a start control.

*The Terminal Services service was successfully sent a start control.

*The NAVENG service was successfully sent a start control.... all of these by the USER: NT AUTHORITY/SYSTEM ....

Mr. bcastner....
Is this someone getting through the XP firewall?

please reply.... :(
 
The NT authority is you.

Or more accurately, it is the shell attempting to get its services in line to accomplish something you requested.

It is normal; the firewall logs are all to private IP addresses that represent your workstation.
 
1. While the system is shut down, disconnect any network (local network, cable modem, DSL, broadband, etc.) from the back of the system.

2. Turn on the system.
If using a dial-up (i.e., modem) connection, do not connect to the Internet.

3. Click the Start button, and then click Run.

4. In the Open box, type:
Services.msc

5. Click the OK button.

6. In the list of services scroll halfway to the bottom and double-click the first Remote Procedure entry.

7. Click the Recovery tab.

For all the failure dropdowns, click to select Take No Action.

8. Click the OK button to apply the changes.

9. Exit the services window by clicking the X in the upper right corner of the window.

10. Reconnect your cable modem or DSL modem.

11. Start an Internet session.

12. Go to click the link for blaster worm patch for winxp

13. Download and save that on your desktop.

14. Execute the patch.

15. Update your virus software and run a complete virus scan.

Hope this can help. God Bless!!!
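
An added example, not part of any post in this thread: a small triage pass over System event log messages that separates the routine "sent a start control" entries quoted above from a service crash whose recovery action is a reboot, which is what the Recovery tab setting in the steps above controls. The `user|message` export format and the RPC termination line are assumptions constructed for illustration.

```python
import re

# Constructed sample. The "start control" messages are the ones quoted in the
# thread; the RPC termination line is constructed, and the "user|message"
# layout is an assumed export format, not a real Event Viewer format.
SAMPLE_LOG = """\
NT AUTHORITY\\SYSTEM|The Remote Access Auto Connection Manager service was successfully sent a start control.
NT AUTHORITY\\SYSTEM|The SymEvent service was successfully sent a start control.
NT AUTHORITY\\SYSTEM|The Terminal Services service was successfully sent a start control.
N/A|The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
"""

CONTROL_RE = re.compile(
    r"^The (?P<svc>.+) service was successfully sent an? (?P<ctl>\w+) control\.$")
CRASH_RE = re.compile(
    r"^The (?P<svc>.+) service terminated unexpectedly\.(?P<rest>.*)$")


def classify(line):
    """Return (verdict, service, detail) for one 'user|message' line."""
    user, _, msg = line.partition("|")
    m = CONTROL_RE.match(msg)
    if m:
        # The Service Control Manager starting a service under the SYSTEM
        # account: normal housekeeping, not evidence of a remote user.
        return ("routine", m["svc"], f"{m['ctl']} control sent by {user}")
    m = CRASH_RE.match(msg)
    if m:
        # A crashed service only restarts the PC if its recovery action says so.
        reboot = "Reboot the machine" in m["rest"]
        verdict = "crash-forces-reboot" if reboot else "crash"
        return (verdict, m["svc"], m["rest"].strip())
    return ("unknown", None, msg)


def triage(log_text):
    """Classify every non-empty line of the exported log."""
    return [classify(l) for l in log_text.splitlines() if l.strip()]


def reboot_causes(log_text):
    """Names of services whose crash triggered a reboot recovery action."""
    return [svc for verdict, svc, _ in triage(log_text)
            if verdict == "crash-forces-reboot"]


if __name__ == "__main__":
    for verdict, svc, detail in triage(SAMPLE_LOG):
        print(f"{verdict:20} {svc}: {detail}")
```
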
 