my buddy just bought a brand new laptop that he installed
Earthlink dial-up onto. he cant get anything done with it
because it keeps shutting itself off. he was close to
being done with a virus scan when it shut itself off again.

this is the error message:
computer shutting down, save all work immediately. all
unsaved work will be lost. this is being performed by N/T
authority system.

Must restart because Remote Procedure Call Service
terminated immediately.

and then a different window pops up and says:
your computer has been infected'. and then it gives a
link to where you can go and purchase a download for $20
that supposedly will clean it. the link that it gives is
www.windowspatch.info

"some dude" > wrote in message
...
> my buddy just bought a brand new laptop that he installed
> Earthlink dial-up onto. he cant get anything done with it
> because it keeps shutting itself off. he was close to
> being done with a virus scan when it shut itself off again.
>
> this is the error message:
> computer shutting down, save all work immediately. all
> unsaved work will be lost. this is being performed by N/T
> authority system.
>
> Must restart because Remote Procedure Call Service
> terminated immediately.
>
> and then a different window pops up and says:
> your computer has been infected'. and then it gives a
> link to where you can go and purchase a download for $20
> that supposedly will clean it. the link that it gives is
> www.windowspatch.info


When the shutdown countdown starts go to: Start> run> type 'shutdown -a'
without the quotes. Hit okay. Do it again should the countdown start again
during the process.
Then go Start> contol panel> network connections> select your internet
connection and right click it. Select properties. Click the advanced tab and
tick the 'protect this...' box. Hit okay until the boxes disappear.
Now go to
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
and read the page. Download the fixblast.exe (link about half way down that
page). Run it.
When your machine is clean, go to windowsupdate.com and download all the
recommended fixes.

This is a stock answer - you may not actally have the blaster worm, but it
will fix the problem you have!

Chris

thanks much chris!! ill relay the info and get that darn
thing cleaned off.
>-----Original Message-----
>
>"some dude" > wrote
in message
...
>> my buddy just bought a brand new laptop that he
installed
>> Earthlink dial-up onto. he cant get anything done with
it
>> because it keeps shutting itself off. he was close to
>> being done with a virus scan when it shut itself off
again.
>>
>> this is the error message:
>> computer shutting down, save all work immediately. all
>> unsaved work will be lost. this is being performed by
N/T
>> authority system.
>>
>> Must restart because Remote Procedure Call Service
>> terminated immediately.
>>
>> and then a different window pops up and says:
>> your computer has been infected'. and then it gives a
>> link to where you can go and purchase a download for $20
>> that supposedly will clean it. the link that it gives
is
>> www.windowspatch.info
>
>
>When the shutdown countdown starts go to: Start> run>
type 'shutdown -a'
>without the quotes. Hit okay. Do it again should the
countdown start again
>during the process.
>Then go Start> contol panel> network connections> select
your internet
>connection and right click it. Select properties. Click
the advanced tab and
>tick the 'protect this...' box. Hit okay until the boxes
disappear.
>Now go to
>http://securityresponse.symantec.com/avcenter/venc/data/w3
2.blaster.worm.removal.tool.html
>and read the page. Download the fixblast.exe (link about
half way down that
>page). Run it.
>When your machine is clean, go to windowsupdate.com and
download all the
>recommended fixes.
>
>This is a stock answer - you may not actally have the
blaster worm, but it
>will fix the problem you have!
>
>Chris
>
>
>.
>

> wrote in message
...
> thanks much chris!! ill relay the info and get that darn
> thing cleaned off.
> >-----Original Message-----
> >
SNIP

You are, of course, welcome.
Chris

Hi,

This is issue occurs if your system is affected with Blaster virus. There
are multiple steps provided in this message. Please see the following
website:
http://www.hp.com/cposupport/mixed/support_doc/c00035757.html

Manual instn:

1. Click Start, Run and then type: shutdown -a


This prevents the system from automatically restarting long enough

for you to download and install the Microsoft security update.

2. Click OK.

3. If the "shutdown -a" command fails to keep the computer from

restarting, use the following steps:

a. Click Start, Run, and then type: services.msc

A Services window appears.

b. Click OK.

c. Double-click Remote Procedure Call (RPC) and select the

Recovery tab. Be careful to not use the Remote Procedure Call

(RPC) Locator item.

d. Set the First Failure, Second Failure, and Subsequent Failures

items to Take No Action.

e. Click OK to apply the settings.

4. Install the latest critical updates using Windows Update. For more

information, go to the following Web sites:

* Microsoft's Security Bulletin: MS03-039:

http://www.microsoft.com/security/security_bulletins/ms03-039.asp


* How to use Windows Update:

http://www.hp.com/cposupport/personal_computing/support_doc/bph07159.html

5. Remove the worm using your antivirus software. Do this by

attaining the latest virus definitions and then performing a scan.

For more detailed information go to the following Web sites:

* McAfee's VirusScan Web page on the W32/Lovsan.worm virus:


http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

* Symantec's Norton AntiVirus Web page on the 32.Blaster.Worm

virus.

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.htm
l

If all went well, the computer is now clean and protected. If

these steps did not resolve the problem, contact Microsoft and your

anti-virus software vendor for additional assistance.


6. If you used the "services.msc" command (as explained above in

Step 3) to prevent your computer from restarting, restore your RPC

recovery settings to their original state as follows:


a. Click Start, Run, and then type: services.msc

b. Click OK.

c. Double-click Remote Procedure Call (RPC) and select the

Recovery tab. Be careful to not use the Remote Procedure Call

(RPC) Locator item.

d. Set the First Failure, Second Failure, and Subsequent Failures

items to Restart the Computer.

e. Click OK to apply the settings.

For more information on resolving and preventing viruses on your

Computer, go to the following HP Web site:

http://www.hp.com/cposupport/personal_computing/support_doc/bph07130.html

- kasvera [MCP]


"some dude" > wrote in message
...
> my buddy just bought a brand new laptop that he installed
> Earthlink dial-up onto. he cant get anything done with it
> because it keeps shutting itself off. he was close to
> being done with a virus scan when it shut itself off again.
>
> this is the error message:
> computer shutting down, save all work immediately. all
> unsaved work will be lost. this is being performed by N/T
> authority system.
>
> Must restart because Remote Procedure Call Service
> terminated immediately.
>
> and then a different window pops up and says:
> your computer has been infected'. and then it gives a
> link to where you can go and purchase a download for $20
> that supposedly will clean it. the link that it gives is
> www.windowspatch.info

Greetings --

Two issues, both having the same root cause, an unsecured computer:

1) If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger

2) This type of spam has become quite common over the past several
months, and unintentionally serves as a valid security "alert." It
demonstrates that you haven't been taking sufficient precautions while
connected to the Internet. Your data probably hasn't been compromised
by these specific advertisements, but if you're open to this exploit,
you may well be open to other threats, such as the Blaster Worm that
recently swept cross the Internet. Install and use a decent,
properly configured firewall. (Merely disabling the messenger
service, as some people recommend, only hides the symptom, and does
little or nothing to truly secure your machine.) And ignoring or just
"putting up with" the security gap represented by these messages is
particularly foolish.

Messenger Service of Windows
http://support.microsoft.com/default.aspx?scid=KB;en-us;168893

Messenger Service Window That Contains an Internet Advertisement
Appears
http://support.microsoft.com/?id=330904

Stopping Advertisements with Messenger Service Titles
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

Blocking Ads, Parasites, and Hijackers with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Whichever firewall you decide upon, be sure to ensure
UDP ports 135, 137, and 138 and TCP ports 135, 139, and 445 are _all_
blocked. You may also disable Inbound NetBIOS (NetBIOS over TCP/IP).
You'll have to follow the instructions from firewall's manufacturer
for the specific steps.

You can test your firewall at:

Symantec Security Check
http://security.symantec.com/ssc/vr_main.asp?langid=ie&venid=sym&plfid=23&pkj=GPVHGBYNCJEIMXQKCDT

Oh, and be especially wary of people who advise you to do nothing
more than disable the messenger service. Disabling the messenger
service, by itself, is a "head in the sand" approach to computer
security. The real problem is _not_ the messenger service pop-ups;
they're actually providing a useful, if annoying, service by acting as
a security alert. The true problem is the unsecured computer, and
you've been advised to merely turn off the warnings. How is this
helpful?


Bruce Chambers

--
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH


"some dude" > wrote in message
...
> my buddy just bought a brand new laptop that he installed
> Earthlink dial-up onto. he cant get anything done with it
> because it keeps shutting itself off. he was close to
> being done with a virus scan when it shut itself off again.
>
> this is the error message:
> computer shutting down, save all work immediately. all
> unsaved work will be lost. this is being performed by N/T
> authority system.
>
> Must restart because Remote Procedure Call Service
> terminated immediately.
>
> and then a different window pops up and says:
> your computer has been infected'. and then it gives a
> link to where you can go and purchase a download for $20
> that supposedly will clean it. the link that it gives is
> www.windowspatch.info