RPC service terminating; machine IS NOT infected with Blaster

[John McNamee]

I've got a Windows XP Professional SP1 system that has started rebooting with
"The Remote Procedure Call (RPC) service terminated unexpectedly". It isn't
happening often, but it is a recurring problem. I know this is the classic
symptom of the Blaster worm, however Symantec Anti-Virus 8.1 with virus defs
dated 9/15/2003 says the machine is CLEAN. This system has never been infected
with ANYTHING. I'm very good about quickly installing security (and other)
patches, and the system gets an automatic virus scan every week just to be
sure.

Here's the thing that has me worried: The first crash occured just a few hours
after I installed the KB824146 and KB824105 fixes. I'm afraid Microsoft may
have released these patches without sufficient testing. Any [MSFT] people care
to comment?

--John

 

[Jupiter Jones [MVP]]

John;
Try a System Restore to before the issue started.

As for releasing patches without sufficient testing, I have no
information about.
However the threat for that particular patch is very real.
Especially now that the source code for the vulnerability is available
to the public.
It is only a matter of time (possibly a few days at the most) before
someone exploits it.
Microsoft is under pressure to get a safe reliable patch available
quickly.
Time is the one commodity that is in short supply for the testing
process.

 

[Jym]

Are you running a firewall? Jym

 

[John McNamee]

The system is behind a corporate firewall. It isn't exposed to the Internet,
but the corporate net is large, and thus suffers from security issues of it's
own. A "personal firewall" that blocked the NETBIOS ports wouldn't work for
me, since I use those services on a daily basis. The system is locked down at
the NTFS and share level (e.g. "EVERYONE" group has no write access), but that
doesn't help with buggy OS components.

 

[Kent W. England [MVP]]

This is exactly what would happen if you have an effective anti-virus
program running in the background to stop the msblast.exe
download/install, yet your system is still unpatched and vulnerable to
the RPC buffer overflow exploit.

 

[Kelly]

Hi,

Run this script and download the newest patch, which you will be prompted to
do if it isn't already installed.
http://www.kellys-korner-xp.com/regs_edits/msblast.vbs

More information here:
http://www.kellys-korner-xp.com/xp_qr.htm#rpc

/top10faqs.htm

This is exactly what would happen if you have an effective anti-virus
program running in the background to stop the msblast.exe
download/install, yet your system is still unpatched and vulnerable to
the RPC buffer overflow exploit.

--
Kent W. England, Microsoft MVP for Windows

I've got a Windows XP Professional SP1 system that has started rebooting with
"The Remote Procedure Call (RPC) service terminated unexpectedly". It isn't
happening often, but it is a recurring problem. I know this is the classic
symptom of the Blaster worm, however Symantec Anti-Virus 8.1 with virus defs
dated 9/15/2003 says the machine is CLEAN. This system has never been infected
with ANYTHING. I'm very good about quickly installing security (and other)
patches, and the system gets an automatic virus scan every week just to be
sure.

Here's the thing that has me worried: The first crash occured just a few hours
after I installed the KB824146 and KB824105 fixes. I'm afraid Microsoft may
have released these patches without sufficient testing. Any [MSFT] people care
to comment?

--John