
Shutdown Initiated by NT Authority /System 5

Status
Not open for further replies.
I'm looking for a downloadable patch for this problem for a friend now - I fixed mine through the help here, but this friend can't even access the internet right now, that error message comes up too frequently - plus - the "msblast.exe" isn't even on her PC - could there be another name? Thanks, people.
 
BlackBerry,

You can download the patch here instead of using Windows Update:

But first try to stop the restarting process:

Boot to Safe Mode.

First, open Task Manager, find and end the process 'msblast.exe' if it is there.

Second, delete the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Find the value 'windows auto update'.
If its value in the right panel is C:\windows\system32\msblast.exe, delete the key.

Finally, delete the file c:\windows\system32\msblast.exe

Reboot.

Logon as Administrator.
Don't try the Internet yet. Enable the Windows native Firewall.

Start, Run, services.msc

See if the Remote Procedure Call service is started. If not try to start it.

If it is running, go to the Internet and get the patch.

Even if msblast.exe is not there, by enabling the native firewall you should have enough breathing room to download and apply the patch.
 
Info that this was going to happen to systems that were not patched has been out there for a couple of weeks now. People need to keep their systems, virus and spyware programs updated. I just looked at my router firewall log; it's full of port 135s. We are being hit big time. Good info here also: a netstat /a can be useful to see if you have problems.
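An added example, not from any post in this thread: a small Python triage script that checks a netstat -an listing for the two network symptoms discussed in this thread (a listener on TCP 4444 and a burst of half-open connections to TCP 135) and checks a Run-key value against the persistence entry described in the removal procedure above (value name 'windows auto update', data msblast.exe under system32). The netstat text below is constructed for the example, not a real capture; the threshold of three half-open 135 connections is an arbitrary choice for the demo.

```python
import re

# Constructed sample in the shape of 'netstat -an' output on Windows XP.
# This is not a capture from the thread. The two things to look for are a
# listener on TCP 4444 (the shell the worm opens on a compromised host) and
# a fan-out of half-open connections to TCP 135 (the host scanning for
# RPC/DCOM targets).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1054      192.168.1.11:135       SYN_SENT
  TCP    192.168.1.10:1055      192.168.1.12:135       SYN_SENT
  TCP    192.168.1.10:1056      192.168.1.13:135       SYN_SENT
  TCP    192.168.1.10:1057      10.0.0.5:135           SYN_SENT
  TCP    192.168.1.10:1060      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:69             *:*
"""

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Parse netstat -an style lines into dicts; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto,
            "laddr": laddr,
            "lport": int(lport),
            "faddr": faddr,
            "fport": int(fport) if fport.isdigit() else None,  # UDP shows *:*
            "state": state,
        })
    return rows


def blaster_indicators(rows, syn_threshold=3):
    """Return human-readable findings for the two network symptoms of msblast."""
    findings = []
    shell = [r for r in rows
             if r["proto"] == "TCP" and r["lport"] == 4444 and r["state"] == "LISTENING"]
    if shell:
        findings.append("TCP 4444 is LISTENING: matches the command shell msblast opens")
    syns = [r for r in rows
            if r["proto"] == "TCP" and r["fport"] == 135 and r["state"] == "SYN_SENT"]
    if len(syns) >= syn_threshold:
        findings.append(f"{len(syns)} half-open connections to TCP 135: "
                        "this host is scanning for RPC/DCOM targets")
    return findings


def is_blaster_run_value(name, data):
    """Match the persistence entry the thread describes: a value named
    'windows auto update' under HKLM\\...\\CurrentVersion\\Run whose data is
    msblast.exe (either the bare name or its full path under system32)."""
    exe = data.strip().strip('"').replace("/", "\\").split("\\")[-1].lower()
    return name.strip().lower() == "windows auto update" and exe == "msblast.exe"


if __name__ == "__main__":
    for finding in blaster_indicators(parse_netstat(SAMPLE_NETSTAT)):
        print("!!", finding)
    print(is_blaster_run_value("windows auto update", r"C:\windows\system32\msblast.exe"))
```

On a suspect XP box you would save the real listing with netstat -an > netstat.txt and feed that file to parse_netstat; a clean machine shows neither finding, while a listener on 4444 alone is enough to treat the host as compromised even when msblast.exe has been renamed.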
 
allteltec,

I agree, but there has been a lot of mis-information about Hotfixes, as well as some initially bum hotfixes.

It has created a sort of paranoia about using the Windows Update recommendations.

If a security patch is available marked critical I apply it. For larger patches to the Shell32 or application software that are not security related I tend to wait a little while.

Part of the problem is that one sees too many comments like "I applied Hotfix Qxxxxxx and it totally screwed up my system," which is decidedly not useful but contributes to the paranoia surrounding the use of Hotfixes and Service Packs.

I tend to ignore any comment that does not provide details of what problems occurred from a Hotfix. And when there are details I note whether they have any bearing on my system. For some, an apparent latency in response time to an on-line game is a life or death issue. I understand that. But it would not be a concern for me.

What I do find shocking is the number of large managed sites that were affected by this worm. Even without the patch I find it hard to believe that ports 335 and 4444 were so often left exposed on the internet in such settings.
 
Elminster, for the time being enable the native XP firewall facility, ICF.

You can still get infected, it is just your machine will not bomb out on you.
 
Ok, thanks. But since it's my aunt's system, and she is extremely "user"... I thought of installing ZoneAlarm instead. It should be easier for her to maintain her system. What do you think? I never used WinXP's built-in firewall before. Is it easy to use, or do you need to be a power user to set it up?
 
For anyone that wants a double (or triple or whatever) check, try some of these online virus scanners faq760-3862
 
...and the windowsupdate site doesn't answer anymore... are they already going through DoS? I thought it was only for the 16th... Ah, never mind, while I was writing the above, the page finally loaded... took almost 30 seconds to display... (and I'm on cable, not dialup! :))

Cheers,

Realm174
 
My morning paper said that MS downloaded over 40 million copies of the Hotfix yesterday.
 
NT Authority Shutdown

Strangely enough, after reading all the problems out there and all the possible fixes (which may or may not work), after much reading I tried to delete and rename *.Evt files with no success. Then I plugged in my original Windows XP CD disk and ran the compare files. Although it said no problem found, it seemed to fix the problem. Then I went and turned on my firewall. It's been two days now and the NT AUTHORITY Shutdown counter did not come back. Hopefully this may have worked and may help others that have been attacked. If this works for others out there, please let me know.

Good Luck !!

Miracolo
 
For really technical details, the folks at the Security Forum of broadbandreports.com are reverse engineering the code:
In simpler terms:

An infected machine (let's call it Host) uses this logic to determine what IP to attempt to send the worm payload to:

Initializes the attack vector for Windows 2000 or Windows XP based on a simple mathematical calculation. Each infected instance will only attack Windows XP or Windows 2000. One out of five worm infections will attack Windows 2000, and the remaining four will target Windows XP.

There is a 40% probability that the worm picks a random IP and then scans sequentially from the starting point. There is a 60% probability that the worm scans sequentially from its own IP address.

So it determines a target. It then probes port 335 of the target to see if it is open and listening to DCOM service requests. If so, it sends deliberately malformed TCP packets to force a buffer overflow of the RPC service, and the initiation of the code pointer to an agent. The agent is now running, and this allows it to send an FTP request through port 4444 of the attacked machine to the Host and receive the payload through a download. The payload is essentially the msblast.exe program. The agent installs this software in the directory \windows\system32 and modifies the registry. It then forces an abend of the RPC service to force a reboot of the machine.
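A model of the target-selection logic described in the post above, written here as an added example in Python; it is not the worm's code and is not from the post. The 40%/60% start-address split and the one-in-five Windows 2000 choice are taken from the post; that a "random IP" is drawn uniformly from the whole 32-bit address space, and the 256-probe scan length per infection, are assumptions made for the example. Running it shows why a home router's firewall log fills with port 135 probes from nearby addresses: roughly six in ten scans walk forward from the infected host's own address, so most probes land in the host's own /16.

```python
import random
from ipaddress import IPv4Address, IPv4Network

# Probabilities quoted in the post.
P_RANDOM_START = 0.40   # 40%: scan from a random address; 60%: from own address
P_WIN2000 = 0.20        # one infection in five targets Windows 2000


def choose_os_target(rng):
    """Each infected instance picks one OS target for its whole life."""
    return "Windows 2000" if rng.random() < P_WIN2000 else "Windows XP"


def choose_start_ip(own_ip, rng):
    """First address to probe. Assumption beyond the post: a 'random IP' is
    drawn uniformly from the whole 32-bit space."""
    if rng.random() < P_RANDOM_START:
        return IPv4Address(rng.getrandbits(32))
    return IPv4Address(own_ip)


def scan_targets(start, count):
    """Sequential scan from start, wrapping at the end of the address space."""
    base = int(IPv4Address(start))
    return [IPv4Address((base + i) % (1 << 32)) for i in range(count)]


def simulate(own_ip, infections=1000, probes_per_infection=256, seed=1):
    """Model many infected hosts sitting at own_ip and measure what share of
    their port-135 probes land inside the host's own /16 (its neighbourhood).
    The probe count per infection is an assumption for the demo."""
    rng = random.Random(seed)
    home = IPv4Network(f"{own_ip}/16", strict=False)
    in_home = total = 0
    os_counts = {"Windows 2000": 0, "Windows XP": 0}
    for _ in range(infections):
        os_counts[choose_os_target(rng)] += 1
        for target in scan_targets(choose_start_ip(own_ip, rng), probes_per_infection):
            total += 1
            if target in home:
                in_home += 1
    return in_home / total, os_counts


if __name__ == "__main__":
    share, counts = simulate("192.168.1.10")
    print(f"probes landing in own /16: {share:.0%}")
    print("OS targeted per infection:", counts)
```

The same structure explains the reboot symptom: an instance that guessed the wrong OS for its target sends an exploit built for the other one, and the RPC service on the target crashes instead of running the agent.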
 
This particular virus does not spread by emails, but rather, uses system TCP port #135 (invisible to the user) to take control and infect. Just being online, even with a dial-up connection, puts a vulnerable system at high risk. The computers at risk from this particular virus are those running Windows NT, 2000, XP and Server 2003. (The old Windows 98, 98se and Millennium are NOT affected.) Especially noticed with XP, an infected computer continually reboots.

Here is yet another web page that describes how to remove the infection:

Free DOS antivirus program from F-PROT:
(low-cost for Windows and other systems)

Free online antivirus checking:
 
I hate to say this, but there is only one place I know of that has a complete listing for the location of the patch on hand: Microsoft.

I think it is kind of neat of someone there.

Just kidding. But it is a curious twist to have a "White Knight" virus.

My removal instructions: set your computer clock to 1\30\2004 and reboot. Set your clock back.
 
One caveat regarding setting the clock ahead:

Be sure the PC you are going to do this to does not run any programs that are time sensitive. There may be some programs out there set to do certain things after a certain amount of time has elapsed, such as purging data.
 
You should also delete c:\windows\wins\dllhost.exe and c:\windows\wins\svchost.exe

Expect to see some general cleaners available soon. Your antivirus software with new definitions should also be able to clean this very soon.
 