RPC Call Shutdown

  • Thread starter Thread starter kb
  • Start date Start date
K

kb

I am having ongoing issues with an error that states
Windows NT/Security has called an RPC Call Shutdown. The
computer reboots and after a short amount of time the same
error appears.

I have tried installing a new hard drive, re-imaging the
system, running all current viral scans, but still have
the issue.

Running Windows XP with only Office 2000, SBCYahoo DSL,
and McAfee installed on an IBM Netvista with plenty of
memory.

Any ideas?? Thanks
 
Hi,

It appears your computer has been infected with the Blaster virus. For more
information and how to fix this please see follow this link:
http://www.microsoft.com/security/incident/blast.asp
http://www.microsoft.com/security/protect/main.asp

Microsoft Knowledge Base Article - 824146
A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious Programs
http://support.microsoft.com/?kbid=824146

More information about this particular worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Removal Information can be found here
http://www.kellys-korner-xp.com/xp_qr.htm#rpc
 
kb said:
I am having ongoing issues with an error that states
Windows NT/Security has called an RPC Call Shutdown. The
computer reboots and after a short amount of time the same
error appears.

I have tried installing a new hard drive, re-imaging the
system, running all current viral scans, but still have
the issue.

Running Windows XP with only Office 2000, SBCYahoo DSL,
and McAfee installed on an IBM Netvista with plenty of
memory.

Any ideas?? Thanks
Click to expand...

You have been attaced by a malware (e.g. Blaster Worm)
=> http://www.microsoft.com/security/
e.g. http://www.microsoft.com/security/home/ (e.g. "Security Basics for Home
Users")

Cheers,

Hausi
 
-----Original Message-----
I am having ongoing issues with an error that states
Windows NT/Security has called an RPC Call Shutdown. The
computer reboots and after a short amount of time the same
error appears.

I have tried installing a new hard drive, re-imaging the
system, running all current viral scans, but still have
the issue.

Running Windows XP with only Office 2000, SBCYahoo DSL,
and McAfee installed on an IBM Netvista with plenty of
memory.

Any ideas?? Thanks
.
Click to expand...

Have you been under a rock or in a very deep hole for the
last few months?


(Courtesy of Ken Blake - Microsoft MVP Windows: Shell/User)

You have the MSBlaster worm. To remove it, do the
following:

The following instructions are in three parts

1. Stop it from running

2. Remove it from your system

3. Make sure it doesn't come back



Before beginning, if you have an always-on internet
connection,
it's a good idea to disconnect it.



1. Stop it from running

Press Ctrl-Alt-Delete to bring up the Task Manager, then
on the
Processes tab, click msblast.exe and then "End process."
Reply
"Yes" to the warning message that comes up.

This stops the worm from running, so your system will not
shut
down. However, it doesn't remove it, and if that's all you
do, it
will start up again the next time you boot.


***

2. Remove it from your system

a. Start the registry editor program, regedit, by going to
Start
| Run, and typing REGEDIT
Navigate to
HKEY_Local_Machine\Software\Microsoft\Windows\Current
Version\Run by clicking the plus signs next to each of the
folders in the left hand pane. When you get to the last of
them,
Run, click the word Run itself.

Find an entry called "Windows Auto Update" on the right
side.
Right-click it and delete it.

b. Do a Windows search for msblast, and delete all files
found.

The worm is now gone, and won't start again the next time
you
boot. But if that's all you do, you can get reinfected
just as
you did the first time.

***


3. Make sure it doesn't come back

a. Make sure you're running a firewall that prevents worms
like
this from getting in. You can enable the built-in Windows
XP
firewall, or download and install another one such as the
free
version of ZoneAlarm. To enable the built-in firewall, go
to
Control Panel, double-click Networking and Internet
Connections,
then click Network Connections. Right-click your
connection, then
click Properties, and on the Advanced tab, click the option
"Protect my computer and network..."


b. If you've disconnected your internet connection,
reconnect it.
Download and install the Microsoft patch at
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-
458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

That will remove the vulnerability that the worm exploits.


c. Be sure you are running an anti-virus program, and that
you
regularly download the latest updated virus definitions.
 
You are being called from an infected system using an exploit to shut down
your machine (over the Internet). You should have patched your machine with
Windows Update ages ago so go and patch it now at
http://windowsupdate.microsoft.com. At the very least your connection
should have XP's firewall on it which would've stopped it.
 
Greetings --

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Thanks all. As dumb as I may look at the moment, ponder
this... I gave my pc to our IT group twice and they didn't
solve. In fact on one occasion they handed it back with
the lovsan.worm on it.
 
Time to tell the IT's boss. Maybe he'll replace them with people who will
actually earn their wages. That is a serious thing to miss.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Remote Procedure Call (RPC) service is terminated Unexpectedly 8
Shut-Down Error (RPC) 4
RPC Error when system starts 6
Remote Procedure Call (RPC) 7
RPC won't start 3
Remote Procedure Call (RPC) Shutdowns 3
SFC wont check files rpc server running 4
(RPC) Remote Procedure Call ??? 4

Back
Top