Random RPC-related crashes

[Kirk Sabre]

Every so often, my computer will just spout a message at
me, telling me there was an error in NT AUTHORITY/SYSTEM,
and must be shut down. Gives me 60 seconds to save and
quit everything before it restarts the computer
automatically. It mentions an error in the Remote
Procedure Call or something, and I don't understand it.

It's a freshly installed system. Got a new hard drive,
no baggage from anything past, and it's giving me this.
Anyone know what to do?

 

[Kaylene aka Taurarian]

Perhaps you have the Blaster virus

http://www.microsoft.com/security/incident/blast_faq.asp
Blaster Worm FAQ

1. CTRL-ALT-DELETE to bring up the Task Manager. Look for msblast.exe and select
it and End Process. This will stop the computer from shutting down.
It doesn't remove the worm.

To enable your firewall :
- Click Start
- Click Control Panel
- Double Click "Network Connections"
- Right-click on your Dial up Connection, then left click 'Properties'
- Left Click 'Advanced' Under "Internet Connection Firewall" tick the box
'Protect my computer and networking by limiting or preventing access to this
computer from the internet'
- Click Ok and Close the "network connections" box.
You can then connect to the Internet and download the Microsoft relevant patch.

You could also try:
Click Start/Run then type in cmd
and then type in : shutdown -a
Do this when the shutdown prompt appears.

W32.Blaster.Worm patch is available here:-
MS03-039: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious
Programs
http://support.microsoft.com/?kbid=824146

You must download and install the patch. In many cases, you will need to do this
before you can continue with the removal of the worm.
Because of the way the worm works, it may be difficult to connect to the
Internet to obtain the patch, definitions, or removal tool before the worm shuts
down the computer. It has been reported that, for users of Windows XP,
activating the Windows XP firewall may allow you to download and install the
patch, obtain virus definitions, and run the removal tool. This may also work
with other firewalls, although this has not been confirmed.

2. You can download the Symantec Removal Tool from here
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
or you can visit this site to assist in the removal of the worm
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
To download ClnPoza.zip - a utility that cleans a local machine affected by
Win32.Poza,
or this site for assistance: http://www.kellys-korner-xp.com/xp_qr.htm#rpc

 

[Shenan Stanley]

Every so often, my computer will just spout a message at
me, telling me there was an error in NT AUTHORITY/SYSTEM,
and must be shut down. Gives me 60 seconds to save and
quit everything before it restarts the computer
automatically. It mentions an error in the Remote
Procedure Call or something, and I don't understand it.

It's a freshly installed system. Got a new hard drive,
no baggage from anything past, and it's giving me this.
Anyone know what to do?

You hooked it to the internet BEFORE turning on the firewall, eh?
You really should have turned on the firewall, hooked it to the Internet and
downloaded the patches. You have been infected with the BLASTER worm.

http://www.microsoft.com/security/incident/blast.asp
and
http://www.microsoft.com/downloads/...8b-fe98-493f-ad76-bf673a38b4cf&DisplayLang=en
and
http://www.microsoft.com/security/protect/

Good Luck!

 

[Kirk Sabre]

Huh... is that what it is? I was running Win98 before,
so I wasn't vulnerable to it. I was confused, 'cause I
didn't know what it looked like, never having seen it
before. Thank you both for the help. Much appreciated.

 

[Bruce Chambers]

Greetings --

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH