Remote Procedure Call
baker
June 25th 04, 02:41 AM
New user of XP today. First time and each time since,
checking email with XP-I got error message...from NT
AUTHORITY SYSTEM (?) something about Remote Procedure
Call. When I did a search on Microsoft with Remote
Procedure Call, Wormblaster virus showed up under one of
the articles. I did a virus scan update and scan and my
report was clean. Anyone know what either NT AUTHO. SYS.
is or Remote Proc. Call?? and what I should do about it??
Thanks
Bruce Chambers
June 25th 04, 03:41 AM
Greetings --
If you connected the PC to the Internet without having first
enabled a firewall, without having first installed an antivirus
application with current virus definition files, and before installing
the KB828471 Hotfix, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.
To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.
MS04-012 Cumulative Update for Microsoft RPC-DCOM
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741
What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp
W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger
Bruce Chambers
--
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH
NoNoBadDog!
June 25th 04, 03:41 AM
Congratulations!
Your system is infected with the much publicized Sasser worm. You have allowed
yourself to become infected because of ALL of the following;
1. You have not updated your version of Windows.
2. You are not using an UP TO DATE antivirus program.
3. You connected to the internet without a firewall on your computer.
Until you correct ALL of the above situations, you will remain vulnerable to
infection not only by SASSER, but also by the thousands of other worms,
viruses, trojans, keyloggers, spyware, malware, etc.
Because you do not practice even the most basic level of computer security,
you are not only a threat to yourself but to the entire internet community.
When your machine is infected, it looks for other machines, owned by persons
like yourself who have poor computer security practices, to infect.
First, disconnect from the network.
When the shutdown message appears, go START > Run and type in "shutdown -a"
(without the quotes), and hit the enter key.
Download the Windows critical update and the SASSER removal tool. Here are
the links:
Security Update:
http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en
and the SASSER removal Tool:
http://www.microsoft.com/downloads/details.aspx?FamilyID=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
After rebooting, go to the website of the company that makes your antivirus
program and download all the updates that are available. If your antivirus
has expired, you must purchase a new one.
Third, go to www.zonealarm.com and download the FREE firewall.
Keep your version of Windows updated. Always install any critical patches
that are posted to the Microsoft update website.
Keep your antivirus program up to date. New virus detection signatures are
released nearly on a daily basis, so this is something you should do every
day. Not once a month, or "when I have time", or "when I remember".
Once you have done these things, you will find your internet experience to
be much safer and happier.
Bobby
Rick "Nutcase" Rogers
June 25th 04, 12:41 PM
Not sasser, but blaster. However, the method to stop the shutdown is the
same.
Information:
http://www.kellys-korner-xp.com/xp_qr.htm#rpc
http://www.pchell.com/virus/msblast.shtml
http://vil.nai.com/vil/content/v_100499.htm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://www.bigblackglasses.com/Article.aspx?Article=342
You need the patch described here to protect against it:
MS03-039: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious Programs
http://support.microsoft.com/?kbid=824146
Problem is, you needed to install the patch BEFORE you got infected to avoid
it.
--
Best of Luck,
Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org