Author Topic: NT Authority Shutdown  (Read 9477 times)

Bradders

  • Guest
NT Authority Shutdown
« on: July 27, 2009, 06:43:39 AM »
I wonder if someone would help me with a potential problem please?

Yesterday I was kicked out of my computer twice (no explanation).  The third time I was kicked out with the message NT Authority System Shutdown, then the countdown to being shut down began and the system then restarted.

I ran a virus scan which showed no infected files.  My Windows Update is working normally.

It (so far) hasn't happened again though I worked on my computer for several hours last night.

I've been looking around the net for an explanation and have come up with the possibility that I may have the blaster worm.  Is this likely, given that the computer now seems to be working normally?

All I can find are some very highly technical solutions to this possible problem.  Could anyone please give me the lowdown as to what to do?  I'm fairly techno savvy but I would like a straightforward solution without too many technical intricacies!

Many thanks for any help.


Bradders

  • Guest
Re: NT Authority Shutdown
« Reply #1 on: July 27, 2009, 06:59:12 AM »
Sorry, on further reading, I think this might be the sasser worm and not the blaster worm.

I would still like some advice though - thanks.

Jtaylor83

  • Guest
Re: NT Authority Shutdown
« Reply #2 on: July 27, 2009, 08:47:34 AM »
What did it say in the message box?

Try running the Malicious Software Removal Tool.

To stop the count down, copy this code:

Code:
shutdown -a

Then go to Start > Run, paste the code above, and click OK.


Bradders

  • Guest
Re: NT Authority Shutdown
« Reply #3 on: July 27, 2009, 09:09:06 AM »
A box came up with large red cross -

heading  System Shutdown.  This system is shutting down.  Please save all work in progress and log off.  Any unsaved changes will be lost.  This shutdown was initiated by NT AUTHORITY\SYSTEM.

Time before shutdown  (30 seconds and counting)

In smaller box.  Message.  Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.


Thank you for your response.  I have made a note of the shutdown procedure to stop the system shutting down if it happens again. 

The message has appeared on my computer only once but I'd like to know what happened and I'd like to get it sorted out if there is something wrong.


Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: NT Authority Shutdown
« Reply #4 on: July 27, 2009, 10:28:32 AM »
You may have become infected by the blaster worm, which apparently dates back to 2003 but is hardly encountered recently, possibly due to Microsoft building in defences to the worm type as part of its security updates. You would have thought. However, Microsoft does not provide much in the way of warning despite the incidence of the worm being well recorded, and some links to patches on Microsoft website either no longer load a page, or link to security updates you most likely already have.

Yet how you explain the initial appearance of this event in your first post does suggest you would need to take the issue seriously. Here is an older article that may be relevant. If you do have a variant of this worm, things may not be the same, e.g. readings in Task Manager.

http://windowsitpro.com/article/articleid/40306/why-does-my-pc-keep-rebooting-with-the-message-this-system-is-being-shut-down-in-60-seconds-by-nt-authoritysystem-due-to-an-interrupted-remote-procedure-call-rpc.html

There is a Symantec fix that you have probably already come across --

http://support.gateway.com/s/issues/2-976684501.shtml


The worm type, if that is what it is, may have found room to move in if you are running more than one resident AV simultaneously, or have some other kind of conflict going on in the background. Either way you will need to provide more information -

What AV(s) are you running? This is important.
And anything else in way of spyware, etc...

Also
Your networking details if any? Has occurred where VPN in use.
Your operating system, service packs, and so on?
Anything else you think may help.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Bradders

  • Guest
Re: NT Authority Shutdown
« Reply #5 on: July 27, 2009, 06:40:08 PM »
mkis, thank you for your help.

I have made a note of the two options to try and get rid of the problem but I will first of all let you have as much information as I can to see if it really is the blaster worm.

I only have one AVS and that is avast! professional version.  I was careful to remove the previous AVS from my computer before installing avast.

I have service pack 3.5 service pack 1 & .NET Framework 3.5 Family Update for .NET Versions 2.0 through 3.5 (KB951847) x86.  (Too much information probably, but I will leave you to suss out what you actually need.)

I just have a home PC - there are no other users.  Network - I'm not sure what you want but when I looked at networking I could see the following information:

ISDN channel
USB ADSL PPP

PPP Windows 95/98/NT42000, Internet
Internet Protocol (TCP/IP)

I run Windows XP.

If there is any other information you need I will try and supply it.  I'm at home now - just got back in from work.

Again, thank you.

Sm3K3R

  • Guest
Re: NT Authority Shutdown
« Reply #6 on: July 27, 2009, 07:21:55 PM »
Make sure your Windows is up to date (with the latest service pack installed SP 3 for XP) and install along with Avast a good firewall like Outpost, Comodo or Online Armor.
Also turn off all unnecessary Windows services, like Remote Registry, NET BIOS, SSDP Discovery or UPNP.
After you install some proper firewall, block lsass.exe network access permanently.
You either got some worm, or someone is playing with your computer.
Run a full Boot Scan with Avast and do also some scans with Malwarebytes, DR Web CureIT, Spybot Search and Destroy and Spyware Terminator. While scanning remove the network cable.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: NT Authority Shutdown
« Reply #7 on: July 28, 2009, 12:48:48 AM »
You're welcome, Bradders

I think you have enough to go on with now. Probably best run the standard checks and scans to ensure your defences are in place. I usually run mbam for spyware and an avast boot-time scan set thorough, check archive, turn off System Restore, for my standard scans. You can find abundant info on how to do from within forums.

Also pays to have a good firewall. I use Outpost 2009 free on this computer and when I use Allow I alternate between Runonce and Auto learn mode, depending on what is required. But there is abundant info on firewalls in forum also.

For your XP - as you haven't said how up to date you are
http://forum.avast.com/index.php?topic=47040.msg395951#msg395951

The Secunia check up is important because from what I can gather Blaster tended to target vulnerabilities in systems.

Also check your Java is up to date - Control Panel->Java->Update->Update now

This is a good move - protect your hosts file, which is always target for intrusions by malware
http://forum.avast.com/index.php?topic=47100.msg396929#msg396929


Perhaps good idea to post an mbam or HijackThis log when you think you've covered all the bases, and someone will analyse the log for you.  http://www.filehippo.com/download_hijackthis/download/8571e06e5eb8ab03c649f3b5d647c599/


Edit - since you are running avast AV I wouldn't worry about the Symantec fix except as a reference.


« Last Edit: July 28, 2009, 01:34:07 AM by mkis »

Bradders

  • Guest
Re: NT Authority Shutdown
« Reply #8 on: July 28, 2009, 06:54:13 PM »
Again, many thanks.  This is what I've been up to today.

Installed Outpost Firewall (free).
Clean bill of health – all results stealthed.

Downloaded Malwarebytes and performed a scan which revealed 509 incorrect files.
Bought mbam to clean all incorrect files.

Did Avast Boot-time scan with System Restore off and network cable unplugged.
There were some corrupted archive files.  No infected files.

Updated Java Platform.

Ran Secunia scan.  Apple Quick Time player was corrupted.  Removed it as I don’t use it.  Sun Java JRE – 3 problem files (needed updating).

Spybot downloaded and scan run.  Revealed 68 infected files.
Bought Spybot.

(How many Spyware systems do I need to pay for?!)

Windows updated.

Windows needed reactivating because of significant changes to the hardware.

Can’t get on to the net – network configuration no longer works.

I hate computers!

Something is preventing me getting on to the net.  Took off Spybot – not the culprit.

Thank goodness for System Restore!

Took off  Outpost Firewall – voila!  It was working so efficiently it was stopping me getting on to the net at all.  Well that should prevent worms all right!

Re-activated Windows Firewall, which seems to have worked perfectly well in the past.

Back on the net.  Phew!  Going for a lie-down and a nice cup of coffee.  Then I shall stay off my computer for a few hours and read a good book!




Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: NT Authority Shutdown
« Reply #9 on: July 28, 2009, 07:45:18 PM »
Hi there Bradders

Well certainly something afoot there all right. Won't bother you just yet other than may be helpful to do a HijackThis scan for now and give the HjT forum experts an idea as to the state of your system.

You don't have to buy these systems antivirus / antispyware on the fly like you're doing although I can understand your motive.

Did your (re)activation of XP go okay and did you actually have significant changes to hardware recently?
I know the Windows (re)activation process nowadays is a bit of an ordeal.

Good idea to have a breather. I think best take your time on this one.

Edit - there are a few issues with Spybot - mainly with it not keeping up with the pace. http://forum.avast.com/index.php?topic=47092.0. Mbam on the other hand gets the good raps.

   

« Last Edit: July 28, 2009, 08:27:04 PM by mkis »

Bradders

  • Guest
Re: NT Authority Shutdown
« Reply #10 on: July 29, 2009, 10:15:39 AM »
Thanks again for your continuing help.

Yes, the Windows Activation went OK although I couldn't get on the net to do it online.  I had to use their telephone service but, apart from the laborious process of all those numbers, it went fine.  I hadn't added any hardware at all by the way, though of course plenty of software.

I think these Spyware things are designed to show up all these (maybe harmless?) faults so that you are frightened into buying their products.

Unless I have any further problems I will keep things as they are.  If I get the shutdown message again I think I will call on some outside help to try and sort it out for me.  I'm not bad on computers (I've worked as a secretary using a word processor/computer for 25 years) but my expertise is on operating them.  When things get TOO technical then I'm like most people, a total dummy!

Again - I really appreciate your help.  I might not have pinpointed what exactly was wrong but I have learned an awful lot!