RPC FAILS AND WINDOWS REBOOTS


Mark Schooley

For some reason my Windows XP computer has just started
displaying an error message that says the "RPC Failed To
Initialize and Windows is Now Shutting Down" or words to
that effect. The system then goes through what appears to
be a normal shutdown cycle and you have to reboot to get
back into Windows. This happens entirely at random but
usually within 5 minutes of logging on. I disconnected
the DSL modem and the problem seems to go away. Anybody
have any ideas of why this is happening?
 
There are thousands of nasty computer viruses/worms looking for unprotected
computers. Your computer can be infected within a few milliseconds the moment
an internet connection is established if your computer is unsecured.

Apparently, your computer is infected with the W32.Blaster.Worm or one of its variants.
This happened because you have not been using an internet connection firewall and have
apparently neglected to install the critical updates available at the Windows Update website.

If your computer is constantly attempting to shut down
or reboot, quickly go to:

Start > Run and type: CMD , and hit enter.
This opens the Command Prompt window.

Then type: shutdown -a , and hit enter.

This should halt the rebooting problem.

Then immediately turn on Windows XP's built-in Firewall:
http://www.microsoft.com/security/protect/

What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

A tool is available to remove Blaster worm and Nachi worm infections from computers
that are running Windows 2000 or Windows XP
http://support.microsoft.com/?kbid=833330

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

--------------------------------------------------------------------------------


| For some reason my Windows XP computer has just started
| displaying an error message that says the "RPC Failed To
| Initialize and Windows is Now Shutting Down" or words to
| that effect. The system then goes through what appears to
| be a normal shutdown cycle and you have to reboot to get
| back into Windows. This happens entirely at random but
| usually within 5 minutes of logging on. I disconnected
| the DSL modem and the problem seems to go away. Anybody
| have any ideas of why this is happening?
 
You're infected by either the Blaster or one of its
variants. Make your way to the Run command &
type "services.msc" without the quotes, then access the
properties of the "RPC" service & set the recovery options
to "take no action" instead of the default (restart). If
this doesn't work, then from a different PC download the
Blaster removal tool from www.symantec.com

best of luck
 
You're missing the 824146 hotfix. You should go to
Windows Update immediately to get that fix and other
critical security updates.
 
Greetings --

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

Removal Tool for Blaster/Nachi worm infections from computers running
Win2K or WinXP
http://support.microsoft.com/?kbid=833330

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
On Sat, 17 Jan 2004 15:15:13 -0700, "Bruce Chambers" wrote:

| If you connected the PC to the Internet without having first
| installed the KB824146 Hotfix,

Yes (if that's the RPC fix)

| installed an antivirus application with current virus definition files,

Yes, BUT you'd have problems even with effective av running

| before enabling a firewall,

Yes

| you're very likely to get infected from any of the thousands of
| PCs on the Internet that are constantly broadcasting the Blaster
| and/or Welchia worms. It only takes a few seconds of exposure.

An av will prevent these malware from infecting you. But it will NOT
prevent your PC from restarting or going wobbly due to the DoS effect
of *attempts* to infect the system, whether these succeed or not.

| To stay on-line long enough to get the necessary updates, patches,
| and removal tools, click Start > Run, and enter "shutdown -a" when the
| next RPC countdown begins. This will abort the shut down.

Just that one shutdown, or all subsequent on-failure shutdowns?

If the latter, I'd disable "Automatically restart on system errors"
and "Restart Windows on first/second/subsequent RPC failures" too.

| Also, make sure you've enabled a firewall before starting, to preclude
| any more intrusions while getting the updates/patches/tools.

To check: Does the built-in XP firewall stop these RPC attacks?

--------------- ----- ---- --- -- - - -
Dreams are stack dumps of the soul
 
Greetings --

Yes, it does.

Bruce Chambers

 
On Sun, 18 Jan 2004 10:26:58 -0700, "Bruce Chambers" wrote:

| Greetings --
|
| Yes, it does.

(built-in firewall blocks RPC attacks)

Thanks, I'll integrate that into my Lovesan advice :-)

I feel sorry for Win2000 users, though...
- no firewall
- patch needs huuuuge SP2 first
- mis-versioned attack packets crash RPC service
- Lovesan sends 4 x XP attacks for every 1 x W2k attack
- so Win2000 users more likely to suffer this DoS effect
....and maybe we should be particularly careful when advising Win2000
users to "just (do a repair) install Windows" for this reason!

As I have one (1) Win2000 user who generally supports himself, I don't
read the Win2000 newsgroups, so it's "not my problem" heh heh


 
Yes, that is one of the reasons I suggest to enable a firewall BEFORE
physically connecting the network cable after a reload etc.
 
Greetings --

Yes, Win2K users would need to install some sort of firewall
before starting to download any patches or service packs. One thing I
always do, having to support a lot of Win2K machines, is create an
installation CD with the latest service pack slip-streamed, and then
add a few additional essential patches and a freeware firewall to be
applied before connecting to the Internet.

Bruce Chambers

 
On Sun, 18 Jan 2004 15:46:12 -0700, "Bruce Chambers" wrote:

| Yes, Win2K users would need to install some sort of firewall
| before starting to download any patches or service packs. One thing I
| always do, having to support a lot of Win2K machines, is create an
| installation CD with the latest service pack slip-streamed, and then
| add a few additional essential patches and a freeware firewall to be
| applied before connecting to the Internet.

That's a great idea, I wish I knew how to build a slipstreamed
installation CD! I'm "in the trade" and thus nervous about the
legalities of this, esp. if providing these to the end user (along with
the "real" DSP CD, of course).

What I do is build steam-powered (.bat) build CDRs that shell the OS
CD and semi-automate the various freeware add-ons I use. I'd like to
be able to render all settings changes in .reg form and apply these to
the account prototype, but have a way to go there - I saved a page
suggested to me on pre-setting the account prototype but no time to
check it out yet. Maybe when I do next week's batch.

I've also taken to using BING as a partitioner/formatter, as this
avoids the tedium of those silly "checking disk..." things that FDisk
does around 10 times, in the course of creating 4 HD volumes...
- FDisk, Yes I want large HD support (FAT32)
- (checking disk...) Do you want one big dummy C:? NO
- (checking disk...) What size C: do you want? 8185 (or whatever)
- (checking disk...) Do you want one big extended? Yes
- (checking disk...) Do you want a logical? NO
- exit/re-enter FDisk, No I don't want large HD support (FAT16)
- (checking disk...) Do you want a logical? Yes: 2047
- (checking disk...) Do you want a logical? NO
- exit/re-enter FDisk, Yes I want large HD support (FAT32)
- (checking disk...) Do you want a logical? Yes: <all_but_2G>
- (checking disk...) Do you want a logical? NO
- exit/re-enter FDisk, No I don't want large HD support (FAT16)
- (checking disk...) Do you want a logical? Yes: 2047
- (checking disk...) Do you want a logical? (offers the last 8M) NO
- exit FDisk, reboot to put partition table into effect
- Format C: /s Format D: Format E: Format F:

It's not like FDisk's checking actually spots the last FAT16 volume
will often overhang the end of the physical HD (hence last unused 8M)


 
Greetings --

In this case, there are no "legalities" to be concerned with;
Microsoft even provides instructions. The following KB Article was
written for Service Pack 1, but the same procedures have worked for
subsequent service packs:

HOW TO Integrate Service Pack 1 into a Windows 2000 Installation
http://support.microsoft.com/default.aspx?scid=kb;en-us;271791

Making a bootable Windows 2000 CD
http://www.thetechguide.com/win2kbootcd/


Bruce Chambers

 
On Mon, 19 Jan 2004 14:39:12 -0700, "Bruce Chambers" wrote:

| In this case, there are no "legalities" to be concerned with;
| Microsoft even provides instructions. The following KB Article was
| written for Service Pack 1, but the same procedures have worked for
| subsequent service packs:
| HOW TO Integrate Service Pack 1 into a Windows 2000 Installation
| http://support.microsoft.com/default.aspx?scid=kb;en-us;271791

Great link! Does that work for XP too?

Hm, looks a tad fiddly. I've played with the "poor man's PE builder"
(a 3rd-party tool to build XP that runs off CDR) with an eye to using
it as a maintenance OS for NTFS systems (data recovery, formal virus
scanning and cleaning). It has potential, but:

1) The registry you see is the CDR's, not target PC's
2) It doesn't run DOS apps like F-Prot for DOS
3) It doesn't run NAI's Stinger
4) It does run several of Symantec's Fix... cleaners
5) Antivirus apps that must be "installed" not likely to work

So, the quest for a maintenance OS for NTFS continues...


 
