XP Rebooting System After 1 Minute Warning On Line

misterg1

When going online, no matter which ISP or XP system (tried two), I get an official-looking operating system message: NT Authority\System ... Remote Procedure Call (RPC) Service Terminated Unexpectedly ... Exit programs and log off ... A 60-second countdown starts immediately and cannot be stopped by Task Manager. This started today on 2 machines when going online, and both these systems were just updated by Microsoft online to DirectX 9.0b last week. HM-M-M-M? Anyone else experiencing this cute little problem?
BTW, no problem going online and downloading etc. with W98 (downloaded current NAV and no virus on either system).
 

FREAKHEAD

Hello T-H Community. I came here looking for an answer to this very question. I am a techy/branch manager for a small Customer PC shop and have had 3 people call in the last 10 min about this very problem and have never seen nor heard of it. We believe it may have something to do with this new virus (worm) and it may require a reboot to get itself installed properly but we have NO IDEA for sure.

I am hoping that someone here has run into this and can confirm that this is the worm or if it is related to some sort of nasty spyware or give us any info on this.

In the meantime I am directing folks to do a virus scan via the online scanner at various sites as well as running Spybot.

While I have been typing this I have gotten 2 more phone calls... Looks like we will be extremely busy tomorrow.

Thanks for your time.
 

misterg1

Thanks for letting me know I'm not the only one... I've been at this business for 21 years so I guess I'm an OLD Nerd.
Hope we get some feedback soon... Mister "G"
 

Toejam31

Have you guys seen this security bulletin?

Microsoft Security Bulletin MS03-026: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Toey

My System Rigs: http://forums.btvillarin.com/index.php?act=ST&f=41&t=328&s=91c282f2e5207e99b7a652ee13b3512a
___________________________________________

BTVILLARIN.com (http://forums.btvillarin.com/) - Your Computer Questions Answered
 

Toejam31

You should take a look at this, as well:

W32/Lovsan.worm: http://vil.nai.com/vil/content/v_100547.htm

Quoted from Ted Bridis:

WASHINGTON (AP) - A virus-like infection that was the subject of urgent U.S. government and industry warnings spread rapidly Monday across the Internet, causing computers to mysteriously restart and coordinating an electronic attack against Microsoft Corp. (MSFT)

Security experts said the infection, which exploits an unusually dangerous flaw in Windows software, wasn't yet seriously disrupting Internet traffic but posed that risk as it was expected to continue spreading quickly overnight.

Researchers discovered it about 3 p.m. EDT, and reported tens of thousands of infected computers inside universities, businesses and homes.

"It seems to be taking off fairly quickly," said Johannes Ullrich of Boston, who runs the D-Shield network of computer monitors.

Infected computers were programmed to automatically launch an attack on a Web site operated by Microsoft on Saturday. The site, windowsupdate.com, is used to deliver repairing software patches to Microsoft customers to prevent against these types of infections.

Microsoft offers a free patch on the Web site to protect Windows users.

The infection was quickly dubbed "LovSan" because of a love note left behind on vulnerable computers: "I just want to say LOVE YOU SAN!" Researchers also discovered another message hidden inside the infection that appeared to taunt Microsoft Chairman Bill Gates: "billy gates why do you make this possible? Stop making money and fix your software!"

Government and industry experts have anticipated such an outbreak since July 16, when Microsoft acknowledged that the flaw affected nearly all versions of its flagship Windows operating system software.

"It's much too early to expect to see any (Internet slowdowns) whatsoever," said Vincent Gullotto, a vice president at Network Associates Inc. (NET) "It really depends on how much it spreads."

The Microsoft flaw affects Windows technology used to share data files across computer networks. It involves a category of vulnerabilities known as "buffer overflows," which can trick software into accepting dangerous commands.

Toey

 

FREAKHEAD

I am quite aware of the security bulletin as well as the one on Symantec's website. I simply hadn't read anything about the symptoms that the poster listed and my customers were calling about. None of them mentioned this request to reboot. I wanted to make sure that I wasn't creating a panic and that I was on the right track. I hope I am.

First you need to make sure your Windows is updated. And I will Copy/Paste the rest from Symantec.

"W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP""

You can find more and the removal instructions at the following link.

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Thanks again.
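
A triage sketch for the ports named in the Symantec text above, added here as an example; it is not part of any post in this thread or of Symantec's advisory. It groups firewall log entries on those ports by source host. The log format, the sample lines, the `FANOUT_135` threshold and the verdict labels are assumptions made for illustration.

```python
from collections import defaultdict

# Ports named in the Symantec text quoted in the post above.
WATCH = {("TCP", 135): "DCOM RPC", ("TCP", 4444): "TCP 4444", ("UDP", 69): "TFTP"}
FANOUT_135 = 5  # assumption: this many distinct TCP 135 peers looks like scanning

# Constructed sample (hypothetical format): time action proto src dst dport
SAMPLE_LOG = """\
21:04:01 ALLOW TCP 192.168.1.23 198.51.100.10 135
21:04:01 ALLOW TCP 192.168.1.23 198.51.100.11 135
21:04:02 ALLOW TCP 192.168.1.23 198.51.100.12 135
21:04:02 ALLOW TCP 192.168.1.23 198.51.100.13 135
21:04:03 ALLOW TCP 192.168.1.23 198.51.100.14 135
21:04:03 ALLOW TCP 192.168.1.23 198.51.100.12 4444
21:04:05 ALLOW TCP 192.168.1.40 192.168.1.2 135
21:04:06 ALLOW TCP 192.168.1.40 203.0.113.80 80
21:04:07 ALLOW UDP 192.168.1.51 198.51.100.77 69
21:04:08 garbled line
"""

def parse(line):
    """Return (proto, src, dst, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    return parts[2].upper(), parts[3], parts[4], int(parts[5])

def triage(log_text, fanout=FANOUT_135):
    """Map each source host seen on a watched port to a verdict and details."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> (proto, port) -> peers
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or (rec[0], rec[3]) not in WATCH:
            continue
        proto, src, dst, dport = rec
        seen[src][(proto, dport)].add(dst)
    report = {}
    for src, ports in seen.items():
        rpc_peers = len(ports.get(("TCP", 135), ()))
        other = sorted(WATCH[k] for k in ports if k != ("TCP", 135))
        scanning = rpc_peers >= fanout
        # One RPC peer is normal on a LAN; fan-out or the other ports are not.
        verdict = ("isolate" if scanning and other
                   else "investigate" if scanning or other else "watch")
        report[src] = {"verdict": verdict, "rpc_peers": rpc_peers, "other": other}
    return report

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_LOG).items()):
        print(host, info)
```

A host flagged "isolate" still needs the MS03-026 patch and the removal steps linked above; the script only narrows down which machines to look at first.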
 

phial

Yeah, my friend works in an M$ call centre, and their call queue TRIPLED 'cause of this.

Fix for it - firewall.

It's someone attacking your open ports. Fixed it for me.

www.zonelabs.com

 

Toejam31

Enabling a firewall is not exactly what I'd call the "fix". This may halt the problem, but it doesn't repair the security vulnerability, and it won't repair a system already infected by the virus. The fix is installing the patch mentioned in the security bulletin, and removing the virus if a system is compromised.

Everyone should be running a firewall of some kind. It's too bad that something like this has to occur before users begin to wake up and realize that laziness isn't a virtue.

Note: For those who are not currently running with a firewall of some kind in place, it may be necessary to enable the Internet Connection Firewall in WinXP long enough to stay online to download the patch ... or to do as phial has mentioned, and take a look at a popular firewall like ZoneAlarm, which has a freeware version (http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za).

How to Enable Internet Connection Firewall in Windows XP: http://www.microsoft.com/windowsxp/pro/using/itpro/securing/enableicf.asp

Toey

 

pat

If I remove msblast.exe and the 2 registry keys and install the patch, will that work? Or do I absolutely need an AV programme to do the trick? And can an online anti-virus do the job if I enable the firewall in XP?

Just curious!

-Always put the blame on you first, then on the hardware !!!
 
Online scan should be enough to get rid of the worm... once that's done, make sure you have all the appropriate updates.

One other thing you can do is go to Gibson Research Corporation (http://www.grc.com) and download the DCOMbob utility which will disable DCOM. Unless you really need it, it can be safely disabled which will also protect you from future DCOM vulnerabilities.

If you design software that is fool-proof, only a fool will want to use it.