You have the MSBlaster worm. To remove it, do the
following:

The following instructions are in three parts
1. Stop it from running
2. Remove it from your system
3. Make sure it doesn't come back

Before beginning, if you have an always-on internet
connection,
it's a good idea to disconnect it.

1. Stop it from running
Press Ctrl-Alt-Delete to bring up the Task Manager, then
on the
Processes tab, click msblast.exe and then "End process."
Reply
"Yes" to the warning message that comes up.

This stops the worm from running, so your system will not
shut
down. However, it doesn't remove it, and if that's all you
do, it
will start up again the next time you boot.
***
2. Remove it from your system

a. Start the registry editor program, regedit, by going to
Start
| Run, and typing REGEDIT
Navigate to
HKEY_Local_Machine\Software\Microsoft\Windows\Curr ent
Version\Run by clicking the plus signs next to each of the
folders in the left hand pane. When you get to the last of
them,
Run, click the word Run itself.
Find an entry called "Windows Auto Update" on the right
side.
Right-click it and delete it.

b. Do a Windows search for msblast, and delete all files
found.
The worm is now gone, and won't start again the next time
you
boot. But if that's all you do, you can get reinfected
just as
you did the first time.
***
3. Make sure it doesn't come back

a. Make sure you're running a firewall that prevents worms
like
this from getting in. You can enable the built-in Windows
XP
firewall, or download and install another one such as the
free
version of ZoneAlarm. To enable the built-in firewall, go
to
Control Panel, double-click Networking and Internet
Connections,
then click Network Connections. Right-click your
connection, then
click Properties, and on the Advanced tab, click the option
"Protect my computer and network...". Note: the built in
firewall only monitors incoming traffic not outgoing(ie
spyware, trojans, etc.. you may have on your system).

b. If you've disconnected your internet connection,
reconnect it.
Download and install the Microsoft patch at
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-
458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
That will remove the vulnerability that the worm exploits.

c. Be sure you are running an anti-virus program, and that
you
regularly download the latest updated virus definitions.

-----------------------------------------------------------
-----------------------------------------------------------
------------------------
If you connected the PC to the Internet without
having first
installed the KB824146 Hotfix, without having first
installed an
antivirus application with current virus definition
files, and before
enabling a firewall, you're very likely to get infected
from any of
the thousands of PCs on the Internet that are constantly
broadcasting
the Blaster and/or Welchia worms. It only takes a few
seconds of
exposure.

To stay on-line long enough to get the necessary
updates, patches,
and removal tools, click Start > Run, and enter "shutdown -
a" when the
next RPC countdown begins. This will abort the shut
down. Also, make
sure you've enabled a firewall before starting, to
preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

Protect Your PC
http://www.microsoft.com/security/protect/default.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm
..html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm
..removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32
..welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm
..removal.tool.html


>-----Original Message-----
>Dear Sir/Madam
>
>I have purchased the Win XP Pro software and I have
installed(by myself) the same in my computer.
>However, after a few days of usage, I encountered the
foll problem:
>Initially when Yahoo chat messenger was being used for
chatting, suddenly RPC error will appear and then auto -
shutdown will take place. After 4 or 5 such instances, the
foll problem started:
>
>After the selection of user is done, and when the desktop
is visible, suddenly there is a msg telling the the
computer will shutdown- a 60 sec countdown timer starts-
reason given:NT Authority/System, RPC call problem etc.
>In the event log, I found that there was an error is COM+
call, RPC problem etc.
>I tried to perform simple operations like copy and paste
but pasting func became totally disabled when the abv
timer started.
>
>Even the control-alt-del etc doesn't work when the timer
starts.
>
>XP Help files didn't mention about such issues. In
despair, I tried to start in XP Safe mode and checked
whether disabling RPC services providing endpoint mapper &
misc RPC services(from Services screen helps or not). I
was able to disable- the RPC error upon logging was not
there but the computer became totally unoperational after
that-this service couldn't be enabled again even by
administrator.
>
>Is there any things I can do to prevent above situations?
>Before installing any software like a digital camera
software, is there anythg I need to check?
>During surfing of NET do I need to enable/disable some
settings?
>Is there any way I can disable such shutdowns?
>
>I would like to request advise/help and point-by-point
reply to above questions.
>
>Yours truly,
>S Dutta
>.
>

Greetings --

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

--
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH


"S Dutta" > wrote in message
...
> Dear Sir/Madam
>
> I have purchased the Win XP Pro software and I have installed(by
myself) the same in my computer.
> However, after a few days of usage, I encountered the foll problem:
> Initially when Yahoo chat messenger was being used for chatting,
suddenly RPC error will appear and then auto -shutdown will take
place. After 4 or 5 such instances, the foll problem started:
>
> After the selection of user is done, and when the desktop is
visible, suddenly there is a msg telling the the computer will
shutdown- a 60 sec countdown timer starts- reason given:NT
Authority/System, RPC call problem etc.
> In the event log, I found that there was an error is COM+ call, RPC
problem etc.
> I tried to perform simple operations like copy and paste but pasting
func became totally disabled when the abv timer started.
>
> Even the control-alt-del etc doesn't work when the timer starts.
>
> XP Help files didn't mention about such issues. In despair, I tried
to start in XP Safe mode and checked whether disabling RPC services
providing endpoint mapper & misc RPC services(from Services screen
helps or not). I was able to disable- the RPC error upon logging was
not there but the computer became totally unoperational after
that-this service couldn't be enabled again even by administrator.
>
> Is there any things I can do to prevent above situations?
> Before installing any software like a digital camera software, is
there anythg I need to check?
> During surfing of NET do I need to enable/disable some settings?
> Is there any way I can disable such shutdowns?
>
> I would like to request advise/help and point-by-point reply to
above questions.
>
> Yours truly,
> S Dutta

Xref: kermit microsoft.public.windowsxp.newusers:111040

http://search.symantec.com/custom/us/query.html

Follow the link

--
p.mc

please type in p.mc in personal replies
or leave signature, otherwise posts will
not be received
"S Dutta" > wrote in message
...
> Dear Sir/Madam
>
> I have purchased the Win XP Pro software and I have installed(by myself)
the same in my computer.
> However, after a few days of usage, I encountered the foll problem:
> Initially when Yahoo chat messenger was being used for chatting, suddenly
RPC error will appear and then auto -shutdown will take place. After 4 or 5
such instances, the foll problem started:
>
> After the selection of user is done, and when the desktop is visible,
suddenly there is a msg telling the the computer will shutdown- a 60 sec
countdown timer starts- reason given:NT Authority/System, RPC call problem
etc.
> In the event log, I found that there was an error is COM+ call, RPC
problem etc.
> I tried to perform simple operations like copy and paste but pasting func
became totally disabled when the abv timer started.
>
> Even the control-alt-del etc doesn't work when the timer starts.
>
> XP Help files didn't mention about such issues. In despair, I tried to
start in XP Safe mode and checked whether disabling RPC services providing
endpoint mapper & misc RPC services(from Services screen helps or not). I
was able to disable- the RPC error upon logging was not there but the
computer became totally unoperational after that-this service couldn't be
enabled again even by administrator.
>
> Is there any things I can do to prevent above situations?
> Before installing any software like a digital camera software, is there
anythg I need to check?
> During surfing of NET do I need to enable/disable some settings?
> Is there any way I can disable such shutdowns?
>
> I would like to request advise/help and point-by-point reply to above
questions.
>
> Yours truly,
> S Dutta

This sounds like the same problem I had and it is part of a virus called WELCHIA.WORM if you have norton atvi virus program you can log onto their site and look for the W32.Eelchia Worm Removal Tool at WWW.symantec.com/avcenter/FixWelch.exe. You download
this file to your computer and once download to you files you click on the file and it will then stast the removal of the problem

----- S Dutta wrote: -----

Dear Sir/Madam

I have purchased the Win XP Pro software and I have installed(by myself) the same in my computer.
However, after a few days of usage, I encountered the foll problem:
Initially when Yahoo chat messenger was being used for chatting, suddenly RPC error will appear and then auto -shutdown will take place. After 4 or 5 such instances, the foll problem started:

After the selection of user is done, and when the desktop is visible, suddenly there is a msg telling the the computer will shutdown- a 60 sec countdown timer starts- reason given:NT Authority/System, RPC call problem etc.
In the event log, I found that there was an error is COM+ call, RPC problem etc.
I tried to perform simple operations like copy and paste but pasting func became totally disabled when the abv timer started.

Even the control-alt-del etc doesn't work when the timer starts.

XP Help files didn't mention about such issues. In despair, I tried to start in XP Safe mode and checked whether disabling RPC services providing endpoint mapper & misc RPC services(from Services screen helps or not). I was able to disable- the RPC er
ror upon logging was not there but the computer became totally unoperational after that-this service couldn't be enabled again even by administrator.

Is there any things I can do to prevent above situations?
Before installing any software like a digital camera software, is there anythg I need to check?
During surfing of NET do I need to enable/disable some settings?
Is there any way I can disable such shutdowns?

I would like to request advise/help and point-by-point reply to above questions.

Yours truly,
S Dutta

ignore last posted on wrong topic. you have the Blaster worm and that can be removed by downloading from Microsofts downloads site

----- wegs wrote: -----

This sounds like the same problem I had and it is part of a virus called WELCHIA.WORM if you have norton atvi virus program you can log onto their site and look for the W32.Eelchia Worm Removal Tool at WWW.symantec.com/avcenter/FixWelch.exe. You down
load this file to your computer and once download to you files you click on the file and it will then stast the removal of the problem

----- S Dutta wrote: -----

Dear Sir/Madam

I have purchased the Win XP Pro software and I have installed(by myself) the same in my computer.
However, after a few days of usage, I encountered the foll problem:
Initially when Yahoo chat messenger was being used for chatting, suddenly RPC error will appear and then auto -shutdown will take place. After 4 or 5 such instances, the foll problem started:

After the selection of user is done, and when the desktop is visible, suddenly there is a msg telling the the computer will shutdown- a 60 sec countdown timer starts- reason given:NT Authority/System, RPC call problem etc.
In the event log, I found that there was an error is COM+ call, RPC problem etc.
I tried to perform simple operations like copy and paste but pasting func became totally disabled when the abv timer started.

Even the control-alt-del etc doesn't work when the timer starts.

XP Help files didn't mention about such issues. In despair, I tried to start in XP Safe mode and checked whether disabling RPC services providing endpoint mapper & misc RPC services(from Services screen helps or not). I was able to disable- the R
PC error upon logging was not there but the computer became totally unoperational after that-this service couldn't be enabled again even by administrator.

Is there any things I can do to prevent above situations?
Before installing any software like a digital camera software, is there anythg I need to check?
During surfing of NET do I need to enable/disable some settings?
Is there any way I can disable such shutdowns?

I would like to request advise/help and point-by-point reply to above questions.

Yours truly,
S Dutta

In message >, S Dutta
> writes
>Hi All,

>Thanks a lot for all your replies.
>All of U agree that I have Blaster worm

>Again thx for all the help

>yrs truly
>S Dutta

I too have had the same message on my screen - the computer counts down
to shut down in 60 secs and the message says it is 'initiated by NT
Authority\System and something about RPC.'
When I read this thread I thought I must also have the (blasted!)
Blaster, but on following the advice given in an earlier posting, I
looked in Processes in Task manager but there was no sign of mblast.exe.
Is there anything else that can be causing this problem?
It occurs to me, even as I write, that in the meantime I have downloaded
an update of avg free edition - would that have cured the problem
automatically even though it did not alert me to anything amiss?

Many thanks to everyone who helps computer ignoramuses (ignorami?) like
myself and I hope you have had an excellent Christmas.

--
Cernunnos

On Fri, 26 Dec 2003 15:21:40 +0000, Cernunnos wrote:

> When I read this thread I thought I must also have the (blasted!)
> Blaster, but on following the advice given in an earlier posting, I
> looked in Processes in Task manager but there was no sign of mblast.exe.
> Is there anything else that can be causing this problem?

There are several variants of MS Blast. Not all of them create the
msblast.exe process. Read the info that Bruce's links go to and you will
learn more.

--
Sharon F
MS MVP - Windows XP Shell/User

I have done that, Sharon, but couldn't find any sign of any of the other
exe files mentioned either.

Thanks for replying, though.



In message >, Sharon F
> writes
>On Fri, 26 Dec 2003 15:21:40 +0000, Cernunnos wrote:
>
>> When I read this thread I thought I must also have the (blasted!)
>> Blaster, but on following the advice given in an earlier posting, I
>> looked in Processes in Task manager but there was no sign of mblast.exe.
>> Is there anything else that can be causing this problem?
>
>There are several variants of MS Blast. Not all of them create the
>msblast.exe process. Read the info that Bruce's links go to and you will
>learn more.
>

--
Cernunnos

On Mon, 29 Dec 2003 22:17:25 +0000, Cernunnos wrote:

> I have done that, Sharon, but couldn't find any sign of any of the other
> exe files mentioned either.
>
> Thanks for replying, though.

Perhaps that's a good thing? What is happening with your system that makes
you suspect a virus?
--
Sharon F
MS-MVP/Windows XP

On Mon, 29 Dec 2003 19:41:56 -0600, Sharon F wrote:

> Perhaps that's a good thing? What is happening with your system that makes
> you suspect a virus?

Never mind. I went back in the thread and see that you were getting the
scheduled shutdown message from NT Authority and RPC as well. Are you still
having that problem or is it gone now?

Yes, it's possible your antivirus cleaned this up for you. There's usually
some extra steps that the user has to do manually to get rid of "missing
file" messages at startup but apparently you were spared those steps.

--
Sharon F
MS MVP - Windows XP Shell/User

In message >, Sharon F
> writes
>On Mon, 29 Dec 2003 19:41:56 -0600, Sharon F wrote:
>
>> Perhaps that's a good thing? What is happening with your system that makes
>> you suspect a virus?
>
>Never mind. I went back in the thread and see that you were getting the
>scheduled shutdown message from NT Authority and RPC as well. Are you still
>having that problem or is it gone now?
>
>Yes, it's possible your antivirus cleaned this up for you. There's usually
>some extra steps that the user has to do manually to get rid of "missing
>file" messages at startup but apparently you were spared those steps.
>

I haven't had the problem the last couple of times I used the internet,
so I'm hoping that avg free edition has cured it. Thanks for your help,
anyway.


--
Cernunnos

In message >, Cernunnos
> writes
>
>
>In message >, Sharon F
> writes
>>On Mon, 29 Dec 2003 19:41:56 -0600, Sharon F wrote:
>>
>>> Perhaps that's a good thing? What is happening with your system that makes
>>> you suspect a virus?
>>
>>Never mind. I went back in the thread and see that you were getting the
>>scheduled shutdown message from NT Authority and RPC as well. Are you still
>>having that problem or is it gone now?
>>
>>Yes, it's possible your antivirus cleaned this up for you. There's usually
>>some extra steps that the user has to do manually to get rid of "missing
>>file" messages at startup but apparently you were spared those steps.
>>
>
>I haven't had the problem the last couple of times I used the internet,
>so I'm hoping that avg free edition has cured it. Thanks for your
>help, anyway.
>
>

Sharon (and anyone else!)

Sorry to bang on about this problem, but it has happened again! The
same scheduled shutdown message from NT Authority and RPC. I ran a
check with the free edition avg, which confirmed Worm/LovsanA with
mslaugh.exe. But before I ran the avg, I looked in the Processes Tab of
Task Manager and couldn't find any sign of any of the exe's that are
supposed to be there if the virus is present. I have religiously
followed up all the links for info on the subject, but am still puzzled!
Anyway, the avg again claims to have cured the problem - it really does
seem to be very good, specially as it's free!

--
Cernunnos

Shut down the system restore, reboot and enable it again. Reboot again. That
will flush out all the restore points which may or may not have "bits" of
the virus remaining.


"Cernunnos" > wrote in message
...
> In message >, Cernunnos
> > writes
> >
> >
> >In message >, Sharon F
> > writes
> >>On Mon, 29 Dec 2003 19:41:56 -0600, Sharon F wrote:
> >>
> >>> Perhaps that's a good thing? What is happening with your system that
makes
> >>> you suspect a virus?
> >>
> >>Never mind. I went back in the thread and see that you were getting the
> >>scheduled shutdown message from NT Authority and RPC as well. Are you
still
> >>having that problem or is it gone now?
> >>
> >>Yes, it's possible your antivirus cleaned this up for you. There's
usually
> >>some extra steps that the user has to do manually to get rid of "missing
> >>file" messages at startup but apparently you were spared those steps.
> >>
> >
> >I haven't had the problem the last couple of times I used the internet,
> >so I'm hoping that avg free edition has cured it. Thanks for your
> >help, anyway.
> >
> >
>
> Sharon (and anyone else!)
>
> Sorry to bang on about this problem, but it has happened again! The
> same scheduled shutdown message from NT Authority and RPC. I ran a
> check with the free edition avg, which confirmed Worm/LovsanA with
> mslaugh.exe. But before I ran the avg, I looked in the Processes Tab of
> Task Manager and couldn't find any sign of any of the exe's that are
> supposed to be there if the virus is present. I have religiously
> followed up all the links for info on the subject, but am still puzzled!
> Anyway, the avg again claims to have cured the problem - it really does
> seem to be very good, specially as it's free!
>
> --
> Cernunnos

On Sat, 3 Jan 2004 12:25:49 +0000, Cernunnos wrote:

> I ran a
> check with the free edition avg, which confirmed Worm/LovsanA with
> mslaugh.exe.

Okay, so it was a variant of MSBlast that you have/had. Be sure to follow
up with the manual clean up steps. All parts must be removed. The system
patched and repaired. Protect with a firewall and current A/V to prevent a
reinfection.

--
Sharon F
MS MVP - Windows XP Shell/User

In message >, Sharon F
> writes
>On Sat, 3 Jan 2004 12:25:49 +0000, Cernunnos wrote:
>
>> I ran a
>> check with the free edition avg, which confirmed Worm/LovsanA with
>> mslaugh.exe.
>
>Okay, so it was a variant of MSBlast that you have/had. Be sure to follow
>up with the manual clean up steps. All parts must be removed. The system
>patched and repaired. Protect with a firewall and current A/V to prevent a
>reinfection.
>
Hi again

Many thanks for all your help.
In the end it turned out that I had the Walchia worm (my computer, not
me personally, you understand!)
Anyway, I got help and a cure from the symantec site referred to by
another poster, so I hope that's that.
Many thanks again.

By the way, it's all very well advising me to protect with a firewall.
I have tried the firewall on offer from the microsoft site, but have had
to disable it because it stops all emails from downloading. So I have
it on for internet work, then off just to get my emails.
--
Cernunnos

I had the same problem what fixed it was turning off "software compression" in the dial up settings... Hope this helps...

Find this very hard to believe.

--
All the Best,
Kelly

MS-MVP Win98/XP
[AE-Windows® XP]

Troubleshooting Windows XP
http://www.kellys-korner-xp.com

Utilities for Windows XP
http://www.kellys-korner-xp.com/xp_u.htm#xp_util

"Joe" > wrote in message
...
> I had the same problem what fixed it was turning off "software
compression" in the dial up settings... Hope this helps...

rpc problem means your computer is infected by the blaster worm. please
update your virus definitions.
--
the email address from where this message has been sent from is unmonitored.
your replies may not be received. if you want to send a reply to this
message, please do so at http://www.dennislazo.com/email.


"Joe" > wrote in message
...
> I had the same problem what fixed it was turning off "software
compression" in the dial up settings... Hope this helps...