System Shutdown

Ian Ripsher

Just installed WinXP SP1 on a new system. When I've been
online for a few minutes I get a System Shutdown message
initiated by NT Authority\System that says:

Remote Procedure Call (RPC) service was terminated
unexpectedly.

What causes this?
 
Ramesh [MVP]

Ian,

Your system is infected by the RPC (W32.Blaster) Worm. This is causing the system to shut down abnormally.

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

MS03-039: Buffer Overrun in RPC Interface May Allow Code Execution
http://support.microsoft.com/?kbid=824146

http://www.kellys-korner-xp.com/xp_qr.htm#rpc

Cause: You have not enabled the firewall while browsing the internet and not patched the system with the latest Microsoft Windows Update hotfixes.

--
Ramesh - Microsoft MVP
http://www.mvps.org/sramesh2k
-------------------------------------------
Computer viruses: description, prevention, and recovery:
http://support.microsoft.com/?kbid=129972
-------------------------------------------


 
Ian Ripsher

Many thanks for this. Sorry about the rather terse
original message, but I had to do this quickly before it
took effect!
Ian
 
Ken Blake

You have the MSBlaster worm. To remove it, do the following:

The following instructions are in three parts:

1. Stop it from running

2. Remove it from your system

3. Make sure it doesn't come back



Before beginning, if you have an always-on internet connection,
it's a good idea to disconnect it.



1. Stop it from running

Press Ctrl-Alt-Delete to bring up the Task Manager, then on the
Processes tab, click msblast.exe and then "End process." Reply
"Yes" to the warning message that comes up.

This stops the worm from running, so your system will not shut
down. However, it doesn't remove it, and if that's all you do, it
will start up again the next time you boot.


***

2. Remove it from your system

a. Start the registry editor program, regedit, by going to Start
| Run, and typing REGEDIT

Navigate to
HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
by clicking the plus signs next to each of the folders in the
left hand pane. When you get to the last of them, Run, click the
word Run itself.

Find an entry called "Windows Auto Update" on the right side.
Right-click it and delete it.

b. Do a Windows search for msblast, and delete all files found.

The worm is now gone, and won't start again the next time you
boot. But if that's all you do, you can get reinfected just as
you did the first time.

***


3. Make sure it doesn't come back

a. Make sure you're running a firewall that prevents worms like
this from getting in. You can enable the built-in Windows XP
firewall, or download and install another one such as the free
version of ZoneAlarm. To enable the built-in firewall, go to
Control Panel, double-click Networking and Internet Connections,
then click Network Connections. Right-click your connection, then
click Properties, and on the Advanced tab, click the option
"Protect my computer and network..."


b. If you've disconnected your internet connection, reconnect it.
Download and install the Microsoft patch at
http://download.microsoft.com/downl...e-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

That will remove the vulnerability that the worm exploits.


c. Be sure you are running an anti-virus program, and that you
regularly download the latest updated virus definitions.
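
The checks behind the three steps above, as an added example that is not part of the original thread: a read-only PowerShell script that reports whether the process, Run entry, files and patch named in the post are present. It assumes PowerShell 2.0 or later is available, searches only the Windows directory, and takes the patch ID KB823980 from the download file name in step 3b.

```powershell
# Added example: read-only check for the indicators named in the steps above.
# Nothing is deleted or changed; the script only reports what it finds.

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue  = 'Windows Auto Update'   # Run entry named in step 2a
$procName  = 'msblast'               # msblast.exe, named in step 1
$patchId   = 'KB823980'              # taken from the patch file name in step 3b
$searchDir = $env:SystemRoot         # assumption: search the Windows directory only

# Step 1 indicator: is the worm process running right now?
$proc = Get-Process -Name $procName -ErrorAction SilentlyContinue

# Step 2a indicator: autostart value under the Run key
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
$runData = if ($run) { $run.$runValue } else { $null }

# Step 2b indicator: files whose name starts with "msblast" (hidden ones included)
$files = @(Get-ChildItem -Path $searchDir -Filter 'msblast*' -Recurse -Force `
           -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })

# Step 3b: is the patch listed as installed? A later service pack can carry
# the fix without listing this KB, so "False" here is not conclusive.
$patch = Get-HotFix -Id $patchId -ErrorAction SilentlyContinue

$report = New-Object PSObject -Property @{
    ProcessRunning = [bool]$proc
    RunEntryData   = $runData
    FilesFound     = $files
    PatchListed    = [bool]$patch
}
$report | Format-List

# Summarise: any of the three infection indicators means cleanup is not finished.
if ($report.ProcessRunning -or $runData -or $files.Count -gt 0) {
    Write-Output 'Indicators present: work through steps 1 and 2 again.'
} elseif (-not $report.PatchListed) {
    Write-Output 'No indicators found, but the patch is not listed: see step 3b.'
} else {
    Write-Output 'No indicators found and the patch is listed.'
}
```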
 
Ian Ripsher

Many thanks for this extremely comprehensive reply. I do have NAV 2003, but
I was foolish enough to go online before setting it up on my new XP system
(and before installing the XP security/critical patches - which I had to d/l
anyway!). I actually managed to get rid of this worm via the Symantec
removal tool in the end.

Thanks again for your help.

Ian
 
