RPC reboot loop

[Randy]

A user's home laptop (year old Sony running XP Home Edition) has developed a
reboot loop where, when you log in, it immediately states that the "RPC
service abnormally aborted" and the computer will reboot in one minute. Of
course, with one minute, it is essentially impossible to troubleshoot
further in normal mode.

All the safe modes work but I was unable to find in the registry or services
MMC what was causing this. Also, Last Known Configuration is of no help, as
the computer succeeds at login.

Anyone have any ideas?

 

[David H. Lipman]

When you get the shutdown message...

Go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/ and install following patch for the RPC/RPCSS
Buffer Overflow Vulnerability that is addressed by Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

Please read: http://www.microsoft.com/security/incident/blast.asp

You also need a FireWall. If you don't patch the PC and not use a FireWall then you will
just be re-infected.

I also suggest the installation of *ALL* MS Critical Updates ASAP.

Dave



| A user's home laptop (year old Sony running XP Home Edition) has developed a
| reboot loop where, when you log in, it immediately states that the "RPC
| service abnormally aborted" and the computer will reboot in one minute. Of
| course, with one minute, it is essentially impossible to troubleshoot
| further in normal mode.
|
| All the safe modes work but I was unable to find in the registry or services
| MMC what was causing this. Also, Last Known Configuration is of no help, as
| the computer succeeds at login.
|
| Anyone have any ideas?
|
|

 

[Randy]

I'll give this a try. Thank you for your help.

 

[Randy]

There were two worms on the machine and, of course, one preyed on the RPC
buffer overflow vulnerability. The stinger program did not find it but
www.antivirus.com (Trend Micro) did find it with the online scan.

Thank you.

 

[David H. Lipman]

Stating "There were two worms..." is not enough. Trend named those worms. Please provide
those names for the benefit of all.

Dave



| There were two worms on the machine and, of course, one preyed on the RPC
| buffer overflow vulnerability. The stinger program did not find it but
| www.antivirus.com (Trend Micro) did find it with the online scan.
|
| Thank you.
|
|
| | > When you get the shutdown message...
| >
| > Go to; Start --> Run
| > enter; shutdown -a
| >
| > This will halt the shutdown and give you a chance to Download the McAfee
| worm removal tool,
| > Stinger: http://vil.nai.com/vil/stinger/ and install following patch for
| the RPC/RPCSS
| > Buffer Overflow Vulnerability that is addressed by Microsoft Security
| Bulletin MS03-39
| > http://support.microsoft.com/?kbid=824146
| >
| > Please read: http://www.microsoft.com/security/incident/blast.asp
| >
| > You also need a FireWall. If you don't patch the PC and not use a
| FireWall then you will
| > just be re-infected.
| >
| > I also suggest the installation of *ALL* MS Critical Updates ASAP.
| >
| > Dave
| >
| >
| >
| > | > | A user's home laptop (year old Sony running XP Home Edition) has
| developed a
| > | reboot loop where, when you log in, it immediately states that the "RPC
| > | service abnormally aborted" and the computer will reboot in one minute.
| Of
| > | course, with one minute, it is essentially impossible to troubleshoot
| > | further in normal mode.
| > |
| > | All the safe modes work but I was unable to find in the registry or
| services
| > | MMC what was causing this. Also, Last Known Configuration is of no
| help, as
| > | the computer succeeds at login.
| > |
| > | Anyone have any ideas?
| > |
| > |
| >
| >
|
|