RPC Services keep terminating which shuts down XP automatically

Gregg Harvey

Keep getting this message 'System Shutdown', 'Windows
must now restart because the RPC services terminated
unexpectedly'.

Why is this happening? Is there anything that can be done
so that the RPC service is more reliable? Any clues
appreciated.

thanks
 
Kaylene aka Taurarian

I would eliminate Blaster virus first


http://www.microsoft.com/security/incident/blast_faq.asp
Blaster Worm FAQ

1. CTRL-ALT-DELETE to bring up the Task Manager. Look for msblast.exe and select
it and End Process. This will stop the computer from shutting down.
It doesn't remove the worm.

To enable your firewall:
- Click Start
- Click Control Panel
- Double-click "Network Connections"
- Right-click on your dial-up connection, then left-click 'Properties'
- Left-click 'Advanced'. Under "Internet Connection Firewall", tick the box
'Protect my computer and networking by limiting or preventing access to this
computer from the internet'
- Click OK and close the "Network Connections" box.
You can then connect to the Internet and download the relevant Microsoft patch.

You could also try:
Click Start/Run then type in cmd
and then type in : shutdown -a
Do this when the shutdown prompt appears.

W32.Blaster.Worm patch is available here:-
MS03-039: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious
Programs
http://support.microsoft.com/?kbid=824146

You must download and install the patch. In many cases, you will need to do this
before you can continue with the removal of the worm.
Because of the way the worm works, it may be difficult to connect to the
Internet to obtain the patch, definitions, or removal tool before the worm shuts
down the computer. It has been reported that, for users of Windows XP,
activating the Windows XP firewall may allow you to download and install the
patch, obtain virus definitions, and run the removal tool. This may also work
with other firewalls, although this has not been confirmed.

2. You can download the Symantec Removal Tool from here
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
or you can visit this site to assist in the removal of the worm
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
To download ClnPoza.zip - a utility that cleans a local machine affected by
Win32.Poza,
or this site for assistance: http://www.kellys-korner-xp.com/xp_qr.htm#rpc

http://www.updatexp.com/cryptographic-service.html
For information on the Cryptographic Services
 
Guest

Your computer is now infected with the W32.Blaster.Worm or
one of its variants. This happened because you have not
been using an internet connection firewall and have
apparently neglected to install the critical updates
available at the Windows Update website.
------------------------------------------------------------------
If your computer is constantly attempting to shutdown
or reboot, quickly go to:

Start > Run and type: CMD , and hit enter.
This opens the Command Prompt window.

Then type: shutdown -a , and hit enter.

This should halt the rebooting problem.
------------------------------------------------------------------
Then immediately turn on Windows XP's built-in Firewall:
http://www.microsoft.com/security/protect/
(To enable the built-in firewall, go to:
Control Panel, double-click Networking and Internet
Connections, then click Network Connections. Right-click
your connection, then click Properties, and on the Advanced
tab, click the option "Protect my computer and network..."
Note: the built-in firewall only monitors incoming traffic,
not outgoing (i.e. spyware, trojans, etc. you may have on
your system).)

Special note if you use AOL:
America Online installs its own connection settings that
override the ones that come with Windows XP. America Online's
connection settings don't include a way to turn on Windows
XP's built-in firewall.


What You Should Know About the Blaster Worm and Its
Variants
http://www.microsoft.com/security/incident/blast.asp

A tool is available to remove Blaster worm and Nachi worm
infections from computers
that are running Windows 2000 or Windows XP
http://support.microsoft.com/?kbid=833330

A security issue has been identified that could allow an
attacker to remotely compromise a computer running Microsoft
Windows and gain complete control over it. You can help
protect your computer by installing this update from Microsoft.
http://www.microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

Above courtesy of MVP Carey
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

***Install a good firewall. ZoneAlarm is a free one you
can install.
Install a good anti-virus program, making sure you keep
its definitions up to date! ***
- - - - - - - - - - - - -
Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

Protect Your PC
http://www.microsoft.com/security/protect/default.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
 
Ken Blake, MVP

Gregg Harvey said:
Keep getting this message 'System Shutdown', 'Windows
must now restart because the RPC services terminated
unexpectedly'.

Why is this happening? Is there anything that can be done
so that the RPC service is more reliable? Any clues
appreciated.


It has nothing to do with the RPC service being reliable. You
have the MSBlaster worm. To remove it, do the following:

The following instructions are in three parts

1. Stop it from running

2. Remove it from your system

3. Make sure it doesn't come back



Before beginning, if you have an always-on internet connection,
it's a good idea to disconnect it.



1. Stop it from running

Press Ctrl-Alt-Delete to bring up the Task Manager, then on the
Processes tab, click msblast.exe and then "End process." Reply
"Yes" to the warning message that comes up.

This stops the worm from running, so your system will not shut
down. However, it doesn't remove it, and if that's all you do, it
will start up again the next time you boot.


***

2. Remove it from your system

a. Start the registry editor program, regedit, by going to
Start | Run, and typing REGEDIT.
Navigate to
HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
by clicking the plus signs next to each of the folders in the
left hand pane. When you get to the last of them, Run, click the
word Run itself.

Find an entry called "Windows Auto Update" on the right side.
Right-click it and delete it.

b. Do a Windows search for msblast, and delete all files found.

The worm is now gone, and won't start again the next time you
boot. But if that's all you do, you can get reinfected just as
you did the first time.

***


3. Make sure it doesn't come back

a. Make sure you're running a firewall that prevents worms like
this from getting in. You can enable the built-in Windows XP
firewall, or download and install another one such as the free
version of ZoneAlarm. To enable the built-in firewall, go to
Control Panel, double-click Networking and Internet Connections,
then click Network Connections. Right-click your connection, then
click Properties, and on the Advanced tab, click the option
"Protect my computer and network..."


b. If you've disconnected your internet connection, reconnect it.
Download and install the Microsoft patch at
http://support.microsoft.com/?kbid=824146 or

That will remove the vulnerability that the worm exploits.


c. Be sure you are running an anti-virus program, and that you
regularly download the latest updated virus definitions.
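
A read-only check for the indicators the removal steps above name (the msblast.exe process, the "Windows Auto Update" value under the Run key, and files named msblast), written as a batch script for the same Command Prompt the thread uses. This is an added example, not part of any poster's reply; limiting the file search to %SystemRoot% is an assumption made here to keep the scan short.

```batch
@echo off
rem Added example: read-only check for the Blaster indicators named in this thread.
rem Nothing is ended or deleted here; removal stays with the manual steps above.
setlocal
set FOUND=0
set RUNKEY=HKLM\Software\Microsoft\Windows\CurrentVersion\Run

rem 1. Is msblast.exe running? tasklist is not included with XP Home,
rem    so a missing command is reported instead of being read as "clean".
tasklist >nul 2>&1
if errorlevel 9009 goto notasklist
tasklist /FI "IMAGENAME eq msblast.exe" 2>nul | find /I "msblast.exe" >nul
if errorlevel 1 (
    echo [ok] msblast.exe is not running
) else (
    echo [!!] msblast.exe is running: end it in Task Manager, step 1
    set FOUND=1
)
goto runkey
:notasklist
echo [??] tasklist not available: check the Processes tab in Task Manager

:runkey
rem 2. The autostart value the thread says to delete from the Run key.
reg query "%RUNKEY%" /v "windows auto update" >nul 2>&1
if errorlevel 1 (
    echo [ok] no "windows auto update" value under the Run key
) else (
    echo [!!] Run key still has "windows auto update": delete it in regedit, step 2a
    set FOUND=1
)

rem 3. Files named msblast under the Windows directory (assumed scope).
rem    /a includes hidden and system files; a hit under Prefetch is a trace
rem    of past execution rather than the worm binary itself.
for /f "delims=" %%F in ('dir /s /b /a "%SystemRoot%\msblast*" 2^>nul') do (
    echo [!!] file found: %%F
    set FOUND=1
)

if "%FOUND%"=="1" (
    echo Result: indicators present. Finish steps 1 and 2, then firewall and patch.
) else (
    echo Result: none of the checked indicators found.
)
endlocal & exit /b %FOUND%
```

The exit code is 1 when any indicator is found, so the script can be rerun after each manual step to confirm that step took effect.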
 
