RPC Shutdown

Adam Raff

Good Day,

Something just happened, and it seems to be very hard to fix. We have a
Windows XP system running SP1. All the files have been updated so it has
the latest Critical updates.

After turning off a service for AOL (port magic) I started receiving the
following error:

Windows must now restart because the Remote Procedure Call (RPC) service
terminated unexpectedly.

This happens every time I start up the system, even if I don't log in to the
system. If I login via Safe Mode the system seems a little bit more stable.
I have run a virus scan and it came up clean since this is a typical symptom
of the blaster virus.

Any ideas would be a help. Please note that this system did not come with a
Windows XP CD but did come with a restore CD. I do have access to a Windows
XP CD with SP1 if I need it. I would rather not use the restore CD since it
may force me to reformat the drive.

Thanks
Adam Raff
 

Frank Saunders, MS-MVP

Or the Sasser worm
What You Should Know About the Sasser Worm and Its Variants
http://www.microsoft.com/security/incident/sasser.asp
Microsoft has updated the cleanup tool for W32.Sasser.worm to remove the C
and D variants of the Sasser worm. The Sasser removal tool now removes
Sasser A, B, C and D. The updated removal tool is located at
http://www.microsoft.com/downloads/...B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
and is documented in Knowledge Base article KB841720
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
 

David H. Lipman

Please explain how Sasser all of a sudden is causing RPC Shutdowns, which are associated with
RPC/RPCSS exploits, when Sasser exploits vulnerabilities in Lsass. Especially when Adam has
indicated "...Remote Procedure Call (RPC) service terminated unexpectedly."


--
Dave




 

Adam Raff


Hi,

Just a little update on some things.

The program Port Magic is not a service but a program. This should have
restarted after the reboot.

I really can't restart RPC service, every time I try to get into the system
it goes into reboot mode.

As I explained earlier in my first email, this sounded like the Blaster virus,
so I ran a full virus scan with Norton's 2005 boot CD and it found nothing.
Clean system.

So that is where I am at right now. I don't know if the program has
anything to do with this; I am contacting AOL to find out more about the
program.

Could the RPC service be corrupt or have become corrupt? I know about a program
called SFC. But the issue is that I can't run it, or I believe I can't run
it, because of the reboot problem. Is there a way to run this or something
else in Safe Mode?

Thanks
Adam Raff
 

David H. Lipman

Adam:

I don't know what it is but it is certainly NOT the Lovsan/Blaster or Sasser worms.

--
Dave





 

Rebecca Chen [MSFT]

Hi Adam,

In order to isolate whether or not this issue is caused by the virus, I
suggest you use the following steps:

1. Remove Port Magic from Add/Remove Programs in Control Panel.

2. Perform a Clean Boot.

   1) Click Start->Run->Msconfig

   2) Go to the Startup tab, and click the Disable All button.

   3) Go to the Services tab, click to check "Hide All Microsoft
      Services" and click the Disable All button.

   4) Click OK to exit and reboot your machine.

For more details, please refer to the following article:


Q310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/support/kb/articles/q310/3/53.asp

3. Turn off the auto-restart by doing the following steps:
a. Right click My Computer->Properties->Advanced tab

b. Click Settings in Startup and Recovery section

c. Uncheck Automatically restart. Therefore, when the computer encounters
the problems, it will not automatically restart and you can observe what
kind of error occurs.

If it persists, this symptom does look like a virus has attacked the system,
maybe via Port Magic.

After a virus has successfully been installed on a system, it may be
impossible to trust that system in the future and we cannot guarantee the
system will run normally. You may need to perform a clean installation of
Windows. I understand you have used Norton to perform a full virus scan and
I believe it would be better if you attach this hard disk to another clean
system to perform a full virus scan on it.


You can also call Microsoft PC Safety telephone number, 1-866-727-2338
(1-866-PCSAFETY). This service offers no-charge assistance for
virus-related issues or questions.

I suggest you use the following steps to check if the system is attacked
by the blaster:

Note: During our troubleshooting, in case you encounter the shut-down
prompt again, please click Start and click Run, type in "shutdown /a"
without quotations and press Enter.

Step 1:

1. Click Start. Click Run. Type services.msc and click OK.

2. Double Click on Remote Procedure Call (RPC).
NOTE: Not "Remote Procedure Call (RPC) Locator".

3. Click the Recovery tab.

4. Set all three failure boxes to "Take No Action".

Step 2:

Please download the update to the desktop from the following link:

<http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en>

or from the direct link:

<http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe>

Step 3:

1. Please double click the downloaded file to install it.

2. Reboot the system.

Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 

Adam Raff

Hi,

I am sorry, I thought I replied and I guess I did not.

As per my earlier email, I ran a complete virus scan on the system using
Norton's 2005 from the CD by booting off of it. It found no case of virus.
So I believe I can rule that one out at this time.

Also as an update, the AOL service is a program, not a service, so I will be
checking with AOL to see what it does.

Could the RPC service be corrupt? If so, I know about SFC /Scannow, which
will allow me to reinstall the files if it finds files that are either
missing or corrupt. It is also my understanding that SFC will reinstall
files, even files that have been updated with SP1. My issue is that I can't
seem to get into the program since my system keeps rebooting.

Can I do this from SafeMode or SafeMode Dos Prompt?

Thanks
Adam Raff
 

Adam Raff



Hi Rebecca,

I guess you are always in this group.

Thanks again for your help. I will give it a shot and see what happens. At
least it's a starting point and it allows me to stop the reboot at least.

Thanks
Adam Raff
 

Rebecca Chen [MSFT]

Hi Adam,

Yes, I am always here to be of assistance. :)

Please try the steps to check the status. In addition, there are some free
online virus scans which are my favorites; sometimes they are quite helpful
since I don't need to worry that the virus will infect the anti-virus:

Trend
http://www.housecall.antivirus.com

McAfee:
www.mcafee.com

Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

 

David H. Lipman

The online scanners are below and if Adam has kept his AV software up-to-date, it isn't the
problem. If it was, there would be many more of the posts just like Adam's showing up. They
are not, I know, I specifically look for that kind of trend information. Adam knew it
sounded like the Lovsan/Blaster so he indicated he did perform a scan.

Let's keep this support issue to a corruption of RPC DLLs, dependencies and/or services.
Focus on this statement made by Adam --

"After turning off a service for AOL (port magic) I started receiving the following error --
Windows must now restart because the Remote Procedure Call (RPC) service terminated
unexpectedly."


AV Vendor online scanners
-----------------------------------------
Trend Micro - Free online virus Scan
http://housecall.trendmicro.com/
http://housecall.antivirus.com

McAfee Security - FreeScan
http://www.mcafee.com/myapps/mfs/default.asp

Panda ActiveScan - Free online scanner
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

DialogueScience:
http://www.antivir.ru/english/www_av/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

BitDefender
http://www.bitdefender.com/scan/license.php

Freedom Online scanner
http://www.freedom.net/viruscenter/index.html


Adam:

So we can totally eliminate the RPC/RPCSS I-worm possibilities, please perform the
following...


Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

1) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode and shut down as many applications as possible
3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use; suggested 400 ~ 600MB)
6) Reboot your PC.
7) If you are using WinME or WinXP, create a new Restore point





* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html




 

Adam Raff

Good day everybody. The problem seems to be solved.
I uninstalled the port magic app and now the system no longer reboots. I
will keep it that way and find out why AOL installed it. After a Google
search it seems that the latest version of AOL does indeed install the
program, which allows it to open ports as needed on a network or router.
Anyway, thanks for all your help and the ideas.

Adam Raff
 

David H. Lipman

Yep, it was always my conviction that it was NOT a virus, worm or Trojan.

Thanks for updating this thread. It is valuable feedback !

--
Dave





 

Rebecca Chen [MSFT]

Great to hear it!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

 

Brian J. Burnett

I'm glad to see that Adam found a solution to his problem.

However, I'm experiencing similar symptoms but don't use AOL or Port Magic.

Yesterday my daughter installed Microsoft AntiSpyware and at the same time
updated to Acrobat Reader 7. Her machine then went into the reboot cycle
caused by the RPC process terminating as described in this thread.

I've managed to gain some level of control over her PC by booting in safe
mode; however, there is not much you can run that does not try to start the
RPC process, which then causes the auto reboot.

Her Norton AV was up to date and I've not found any trace of msblast or the
other viruses that affect RPC.

One observation. The PC is really slow to boot. Takes about 10 minutes
even in Safe mode. When it does boot there is no drag and drop or property
sheets (e.g. I can't get in to the properties of the RPC service to change
the recovery actions!).

I'm really stuck.

Help much appreciated.
 

David H. Lipman

I think you need to start a NEW thread and completely state what was installed, what the
adverse effects were and all pertinent information.

--
Dave




| I'm glad to see that Adam found a solution to his problem.
|
| However, I'm experiencing similar symptoms but don't use AOL or Port Magic.
|

< snip >
 

Guest

I am trying to learn how to transfer a picture I downloaded into "My
Pictures" onto a community board that I post on.

I would appreciate your help.

Thank you.

Judith
 

Malke

It really depends on how the community board is set up. Some allow
members some space on their servers. Others want you to link to a file
on a webserver. Look on the messageboard site for help.

Malke
 
