RPC Shutdown Error Virus-Do I Have It?

Luigi

About once a month I get the Remote Procedure Shutdown error which I've been
told by net research is the Blaster Worm Virus. I cannot find any evidence
of this virus. I have downloaded MS Removal Tool, Symantec FixBlast Tool
(which took like 2 hours to run and didn't find anything either). Tried a
couple of other site scans and everything tells me I don't have this virus.
I went through this last month when it happened and it just happened again a
few days ago. My NOD32 is up to date and full scan turned up nothing. Is
this a symptom of something else? I am running Win XP and have a home
network of 3 computers total (all Win XP) and none of the other computers
displayed this or any unusual behavior.

Distressed Louie
 
Ron Lopshire

Luigi said:
About once a month I get the Remote Procedure Shutdown error which I've been
told by net research is the Blaster Worm Virus. I cannot find any evidence
of this virus. I have downloaded MS Removal Tool, Symantec FixBlast Tool
(which took like 2 hours to run and didn't find anything either). Tried a
couple of other site scans and everything tells me I don't have this virus.
I went through this last month when it happened and it just happened again a
few days ago. My NOD32 is up to date and full scan turned up nothing. Is
this a symptom of something else? I am running Win XP and have a home
network of 3 computers total (all Win XP) and none of the other computers
displayed this or any unusual behavior.

Louie,

Since NOD32 doesn't find Blaster, I would look elsewhere first. On my
WinXP HE box I have the Remote Procedure Call service disabled.

(http://www.ntsvcfg.de/ntsvcfg_eng.html)

If you have this service enabled, check out the other services that
use it (there are tons of them).

1a) Start -> Run -> services.msc, or
1b) Right-click My Computer -> Manage -> select Services
2) Right-click Remote Procedure Call -> select Properties
3) Select the RPC Dependencies Tab

If your problem does indeed have to do with the RPC service, it could
be caused by any of the other services/devices that use it. Since you
have a LAN set up, you probably need a few services that I don't need,
but you still want to disable those that you don't need.

Ron :)
 
David H. Lipman

From: "Luigi" <[email protected]>

| About once a month I get the Remote Procedure Shutdown error which I've been
| told by net research is the Blaster Worm Virus. I cannot find any evidence
| of this virus. I have downloaded MS Removal Tool, Symantec FixBlast Tool
| (which took like 2 hours to run and didn't find anything either). Tried a
| couple of other site scans and everything tells me I don't have this virus.
| I went through this last month when it happened and it just happened again a
| few days ago. My NOD32 is up to date and full scan turned up nothing. Is
| this a symptom of something else? I am running Win XP and have a home
| network of 3 computers total (all Win XP) and none of the other computers
| displayed this or any unusual behavior.
|
| Distressed Louie
|

You need to be exact and specific.
Are you using XP SP2 on the affected PC ?

Do you get the following 60 sec shutdown message ?

NT AUTHORITY\SYSTEM

"Windows must now restart because the Remote Procedure Call (RPC) Service terminated
unexpectedly"

Even if you do it is NOT indicative of an RPC/RPCSS DCOM Exploitation of the buffer overflow
vulnerability worms take advantage of using TCP Port 135.

You indicate you have a SOHO LAN which means a NAT Router so the likelihood of an Internet worm
exploiting TCP port 135 is extremely low.

I doubt it is such an exploit. Even still, the Lovsan/Blaster is a dead/dying worm with
extremely low incidents now. There are however many BOTs that will exploit the RPC/RPCSS
DCOM buffer overflow vulnerability and the so-called Blaster removal tools are worthless on
them. The RadeBOT, SDBot, GAOBot, RBot are just a few that now take advantage of this
exploitation method.

Please run the following command...

Go to; Start --> Run
Type; notepad %windir%\KB828741.log
Hit the enter key.

Does NOTEPAD show a LOG file or does it generate an error that KB828741.log was not found ?

Please answer and respond to ALL of my questions.
 
Luigi

I am using XP SP2 and I do get the 60sec shutdown msg you mentioned. The run
command did generate a log file.
Louie
 
David H. Lipman

From: "Luigi" <[email protected]>

| I am using XP SP2 and I do get the 60sec shutdown msg you mentioned. The run
| command did generate a log file.
| Louie


Then your vulnerability has been plugged and the source of the RPC Shutdown is not due to TCP
port 135 and worm activity attempting exploitation of the noted buffer overflow
vulnerability.

I have seen this happen before. I was cleaning a PC heavily infected with non-viral malware
and using Ad-aware SE. During the scan the 60 sec. shutdown was generated. This was
consistent. It is assumed that an identified malware was using this as a self preservation
method.

When you get the 60 sec. shutdown message, you can stop the shutdown process by executing...

shutdown -a

What the cause and the problem source is I don't know but you can conclude the problem is
with the RPC Service itself if it is auto-generated and not caused by a service or action
dependent upon the RPC NT Service.
 
thecreator

Hi Louie,

If you have occasion to remove a copy of svchost.exe using Taskmgr and End Process, it creates the exact error you are posting about. When you have another computer available that is working, compare the Startup Type settings in Services for each Service and change the Startup Type in the computer you are having problems with, to match the computer Settings with the computer you aren't having problems with. See what happens.
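
The comparison suggested in the post above, as an added example that is not part of the original thread: it diffs the service startup types of a working PC against the problem PC and also lists services present on only one of them. The CSV layout (Name and StartMode columns, as in the Win32_Service WMI class), the sample rows, the service ExampleHelperSvc and the function names are assumptions made for illustration.

```python
import csv
import io

# Constructed sample exports (not from the thread): one row per service, using
# the Name and StartMode columns of the Win32_Service WMI class.
GOOD_PC = """Name,StartMode
RpcSs,Auto
DcomLaunch,Auto
Dhcp,Auto
Messenger,Disabled
RemoteRegistry,Manual
Themes,Auto
"""

PROBLEM_PC = """Name,StartMode
rpcss,Auto
DcomLaunch,Manual
Dhcp,Auto
Messenger,Auto
RemoteRegistry,Manual
ExampleHelperSvc,Auto
"""

def load_start_modes(csv_text):
    """Map lower-cased service name -> (name as exported, start mode)."""
    modes = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("Name") or "").strip()
        mode = (row.get("StartMode") or "").strip()
        if name:  # skip blank or malformed rows
            modes[name.lower()] = (name, mode)
    return modes

def compare_start_modes(reference_csv, problem_csv):
    """Return (changed, only_on_problem, only_on_reference), each sorted."""
    ref = load_start_modes(reference_csv)
    bad = load_start_modes(problem_csv)
    # Service names are case-insensitive on Windows, so match on the lowered key.
    changed = sorted(
        (ref[k][0], ref[k][1], bad[k][1])
        for k in ref.keys() & bad.keys()
        if ref[k][1].lower() != bad[k][1].lower()
    )
    only_problem = sorted(bad[k][0] for k in bad.keys() - ref.keys())
    only_reference = sorted(ref[k][0] for k in ref.keys() - bad.keys())
    return changed, only_problem, only_reference
```

A service that exists only on the problem PC is worth identifying before any startup type is changed, since it may be the component that is taking the RPC service down.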
 
