RPC System Shutdown

[Rob F.]

I had to use the system restore utility to reinstall
windows after my PC locked up and could not restart
windows. I now have a problem whenever I dial into the
internet using dial-up networking.

I get repeated System Shutdown attributed to Remote
Procedure Call, Initiated by NT AUTHORITY/SYSTEM.

I am not connected to a LAN but have two network adapters.
I tried uninstalling them (hoping to stop the RPCs) but
this made no difference.

Please advise how to troubleshoot this. E-mail replies
GREATLY appreciated as I am using a loaner PC since I
cannot maintain internet connections on the machine in
question. Besure to remove the "removethis" from the e-
mail address above.

Thanks in advance.

 

[randwulf57]

Rob F.:
W32.BLASTER.WORM
http://www3.telus.net/dandemar/blaster.htm

 

[MAP]

-----Original Message-----
I had to use the system restore utility to reinstall
windows after my PC locked up and could not restart
windows. I now have a problem whenever I dial into the
internet using dial-up networking.

I get repeated System Shutdown attributed to Remote
Procedure Call, Initiated by NT AUTHORITY/SYSTEM.

I am not connected to a LAN but have two network adapters.
I tried uninstalling them (hoping to stop the RPCs) but
this made no difference.

Please advise how to troubleshoot this. E-mail replies
GREATLY appreciated as I am using a loaner PC since I
cannot maintain internet connections on the machine in
question. Besure to remove the "removethis" from the e-
mail address above.

Thanks in advance.
.

If you connected the PC to the Internet without
having first
installed the KB824146 Hotfix, without having first
installed an
antivirus application with current virus definition
files, and before
enabling a firewall, you're very likely to get infected
from any of
the thousands of PCs on the Internet that are constantly
broadcasting
the Blaster and/or Welchia worms. It only takes a few
seconds of
exposure.

To stay on-line long enough to get the necessary
updates, patches,
and removal tools, click Start > Run, and
enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut
down. Also, make
sure you've enabled a firewall before starting, to
preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.wor
m.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.wor
m.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w3
2.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.wor
m.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger

 

[Guest]

Your computer is now infected with the W32.Blaster.Worm or
one of its variants. This happened because you have not
been using an internet connection firewall and have
apparently neglected to install the critical updates
available at the Windows Update website.
-----------------------------------------------------------
-------
If your computer is constantly attempting to shutdown
or reboot, quickly go to:

Start > Run and type: CMD , and hit enter.
This opens the Command Prompt window.

Then type: shutdown -a , and hit enter.

This should halt the rebooting problem.
-----------------------------------------------------------
-------
Then immediately turn-on Windows XP's built-in Firewall:
http://www.microsoft.com/security/protect/
(To enable the built-in firewall, go to:
Control Panel, double-click Networking and Internet
Connections, then click Network Connections. Right-click
your connection, then
Click Properties, and on the Advanced tab, click the option
"Protect my computer and network..." Note: the built in
firewall only monitors incoming traffic not outgoing (ie
spyware, trojans, etc.. you may have on your system).)

Special note if you use AOL:
America Online installs its own connection settings that
override
the ones that come with Windows XP. America Online's
connection settings don't include a way to turn on Windows
XP's
built-in firewall.


What You Should Know About the Blaster Worm and Its
Variants
http://www.microsoft.com/security/incident/blast.asp

A tool is available to remove Blaster worm and Nachi worm
infections from computers
that are running Windows 2000 or Windows XP
http://support.microsoft.com/?kbid=833330

A security issue has been identified that could allow an
attacker to
remotely compromise a computer running Microsoft Windows
and
gain complete control over it. You can help protect your
computer
by installing this update from Microsoft.
http://www.microsoft.com/downloads/details.aspx?
FamilyId=2354406C-C5B6-44AC-9532-
3DE40F69C074&displaylang=en

Above courtesy of MVP Carey
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

***Install a good firewall. ZoneAlarm is a free one you
can install.
Install a good anti-virus program making sure you keep
it's definitions up to date! ***
- - - - - - - - - - - - -
Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

Protect Your PC
http://www.microsoft.com/security/protect/default.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm
..html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm
..removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32
..welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm
..removal.tool.html

 

[David H. Lipman]

Please don't quote someone else's posts as they may be incorrect or out-dated.

You need to know the subject matter and if you want to help, post information that YOU know
is correct.

In this case Carey's information is out-of-date !

The URL for KB823980 (RPC Buffer Overflow Vulnerability) @
http://www.microsoft.com/downloads/...6C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

Was superceded by the URL for KB824146 (RPC/RPCSS Buffer Overflow Vulnerability) @
http://www.microsoft.com/downloads/...ae-a1ba-4d4a-b424-95d32cfc8cba&displaylang=en

{ http://support.microsoft.com/?kbid=824146#WinXP }

Dave



| Your computer is now infected with the W32.Blaster.Worm or
| one of its variants. This happened because you have not
| been using an internet connection firewall and have
| apparently neglected to install the critical updates
| available at the Windows Update website.
| -----------------------------------------------------------
| -------
| If your computer is constantly attempting to shutdown
| or reboot, quickly go to:
|
| Start > Run and type: CMD , and hit enter.
| This opens the Command Prompt window.
|
| Then type: shutdown -a , and hit enter.
|
| This should halt the rebooting problem.
| -----------------------------------------------------------
| -------
| Then immediately turn-on Windows XP's built-in Firewall:
| http://www.microsoft.com/security/protect/
| (To enable the built-in firewall, go to:
| Control Panel, double-click Networking and Internet
| Connections, then click Network Connections. Right-click
| your connection, then
| Click Properties, and on the Advanced tab, click the option
| "Protect my computer and network..." Note: the built in
| firewall only monitors incoming traffic not outgoing (ie
| spyware, trojans, etc.. you may have on your system).)
|
| Special note if you use AOL:
| America Online installs its own connection settings that
| override
| the ones that come with Windows XP. America Online's
| connection settings don't include a way to turn on Windows
| XP's
| built-in firewall.
|
|
| What You Should Know About the Blaster Worm and Its
| Variants
| http://www.microsoft.com/security/incident/blast.asp
|
| A tool is available to remove Blaster worm and Nachi worm
| infections from computers
| that are running Windows 2000 or Windows XP
| http://support.microsoft.com/?kbid=833330
|
| A security issue has been identified that could allow an
| attacker to
| remotely compromise a computer running Microsoft Windows
| and
| gain complete control over it. You can help protect your
| computer
| by installing this update from Microsoft.
| http://www.microsoft.com/downloads/details.aspx?
| FamilyId=2354406C-C5B6-44AC-9532-
| 3DE40F69C074&displaylang=en
|
| Above courtesy of MVP Carey
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
| ***Install a good firewall. ZoneAlarm is a free one you
| can install.
| Install a good anti-virus program making sure you keep
| it's definitions up to date! ***
| - - - - - - - - - - - - -
| Microsoft Security Bulletin MS03-39
| http://support.microsoft.com/?kbid=824146
|
| What You Should Know About the Blaster Worm
| http://www.microsoft.com/security/incident/blast.asp
|
| Protect Your PC
| http://www.microsoft.com/security/protect/default.asp
|
| W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
| http://www.symantec.com/avcenter/venc/data/w32.blaster.worm
| .html
|
| W32.Blaster.Worm Removal Tool
| http://www.symantec.com/avcenter/venc/data/w32.blaster.worm
| .removal.tool.html
|
| W32.Welchia.Worm a.k.a. W32/Nachi.Worm
| http://securityresponse.symantec.com/avcenter/venc/data/w32
| .welchia.worm.html
|
| W32.Welchia.Worm Removal Tool
| http://www.symantec.com/avcenter/venc/data/w32.welchia.worm
| .removal.tool.html
|
| >-----Original Message-----
| >I had to use the system restore utility to reinstall
| >windows after my PC locked up and could not restart
| >windows. I now have a problem whenever I dial into the
| >internet using dial-up networking.
| >
| >I get repeated System Shutdown attributed to Remote
| >Procedure Call, Initiated by NT AUTHORITY/SYSTEM.
| >
| >I am not connected to a LAN but have two network
| adapters.
| >I tried uninstalling them (hoping to stop the RPCs) but
| >this made no difference.
| >
| >Please advise how to troubleshoot this. E-mail replies
| >GREATLY appreciated as I am using a loaner PC since I
| >cannot maintain internet connections on the machine in
| >question. Besure to remove the "removethis" from the e-
| >mail address above.
| >
| >Thanks in advance.
| >.
| >

 

[Bruce Chambers]

Greetings --

If you connected the PC to the Internet without having first
enabled a firewall, without having first installed an antivirus
application with current virus definition files, and before installing
the KB824146 Hotfix, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH