D
Dave
I keep getting error messages Remote Procedure Call
Service terminated unexpectedly NT authority system.
then in one minute the system reboots.
Service terminated unexpectedly NT authority system.
then in one minute the system reboots.
M
Michael Solomon \(MS-MVP Windows Shell/User\)
I think you need to do a virus scan. Check the following and note, the
patch is to prevent the problem it doesn't remove it once the problem
begins:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS
03-026.asp
patch is to prevent the problem it doesn't remove it once the problem
begins:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS
03-026.asp
C
Chris Lanier
Thanks for looking around alittle 
MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution
http://support.microsoft.com/?kbid=823980
Enable the windows XP Firewall
https://www.microsoft.com/technet/t...nol/winxppro/proddocs/hnw_enable_firewall.asp
MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution
http://support.microsoft.com/?kbid=823980
Enable the windows XP Firewall
https://www.microsoft.com/technet/t...nol/winxppro/proddocs/hnw_enable_firewall.asp
M
Michael Solomon \(MS-MVP Windows Shell/User\)
Chris, the XP firewall won't help with this situation. Once the worm is on
the system, the firewall would have to block an outgoing call and the XP
firewall doesn't do that.
The best defense in this case is a firewall that blocks both incoming and
outgoing such as Zone Alarm, Sygate Personal Firewall, Kerio, Tiny, etc.
the system, the firewall would have to block an outgoing call and the XP
firewall doesn't do that.
The best defense in this case is a firewall that blocks both incoming and
outgoing such as Zone Alarm, Sygate Personal Firewall, Kerio, Tiny, etc.
D
Derrick Robinson
Mike - I run my virus scan which is current. If I install the patch will it
solve the problem?
Derrick
solve the problem?
Derrick
M
Michael Solomon \(MS-MVP Windows Shell/User\)
Install the patch and let's see. It has solved it for some, even many but
we're getting some mixed messages and MS Security seems to be advising that
affected systesm should be formatted.
If after the patch is applied you run the scan and it is clear, you should
be all right but you might want to check task manager and be sure
MSBLAST.exe isn't listed...ctrl-alt-delete.
You might also check the following "fix" procedure courtesy of Ron Martell,
MVP
'This is caused by a new and rapidly spreading virus.
To clear up the "NT Authority\System" and RPC call errors:
1. Go to http://support.microsoft.com/?kbid=823980 and download the security
patch. If at all possible do this on a clean machine and copy the patch to a
3.5 inch diskette.
2. Boot the infected machine into Safe Mode (use the F8 key multiple times
before and during the boot menu). Insert the 3.5 inch diskette with the
patch on it and run it. Do not reboot yet.
3. Use Start - Run - MSCONFIG and go to the Startup tab. Locate the entry
for MSBLAST.EXE and clear the checkbox for it.
4. Use Start - Search and check all your hard drives for the file
MSBLAST.EXE and delete all copies of it.
5. Shut down and restart the computer normally.
6. Immediately do an update of your antivirus software and when the updates
are installed do a complete virus scan of your hard drive. So far
Symantec/Norton, Trend Micro (PC-Cillin) and Sophos seems to be the only
major companies with an update for this specific virus (4:30 p.m. PDT 11 Aug
2003) but the others will undoubtedly follow within 24 hours.
we're getting some mixed messages and MS Security seems to be advising that
affected systesm should be formatted.
If after the patch is applied you run the scan and it is clear, you should
be all right but you might want to check task manager and be sure
MSBLAST.exe isn't listed...ctrl-alt-delete.
You might also check the following "fix" procedure courtesy of Ron Martell,
MVP
'This is caused by a new and rapidly spreading virus.
To clear up the "NT Authority\System" and RPC call errors:
1. Go to http://support.microsoft.com/?kbid=823980 and download the security
patch. If at all possible do this on a clean machine and copy the patch to a
3.5 inch diskette.
2. Boot the infected machine into Safe Mode (use the F8 key multiple times
before and during the boot menu). Insert the 3.5 inch diskette with the
patch on it and run it. Do not reboot yet.
3. Use Start - Run - MSCONFIG and go to the Startup tab. Locate the entry
for MSBLAST.EXE and clear the checkbox for it.
4. Use Start - Search and check all your hard drives for the file
MSBLAST.EXE and delete all copies of it.
5. Shut down and restart the computer normally.
6. Immediately do an update of your antivirus software and when the updates
are installed do a complete virus scan of your hard drive. So far
Symantec/Norton, Trend Micro (PC-Cillin) and Sophos seems to be the only
major companies with an update for this specific virus (4:30 p.m. PDT 11 Aug
2003) but the others will undoubtedly follow within 24 hours.
D
Derrick Robinson
It seems like its working for me. Online for over an hour after installing
the patch and locating the MSBLAST.EXE files (2) and renaming them with a
..junk extension as suggested by. I am wondering if I should delete them
instead of changing the extension. My virus scan is current and did not
detect any virus. What was the function of the MSBLAST files?
Derrick
the patch and locating the MSBLAST.EXE files (2) and renaming them with a
..junk extension as suggested by. I am wondering if I should delete them
instead of changing the extension. My virus scan is current and did not
detect any virus. What was the function of the MSBLAST files?
Derrick
M
Michael Solomon \(MS-MVP Windows Shell/User\)
This virus is a worm executed from remote system. I believe they are using
MSBLAST.exe as the file they hook into. In other words, they first have to
plant the file on your system, usually by means of an e-mail attachment or
something you've downloaded. Once on your system, they are apparently able
to use this to take control of your system in some fashion which may be one
of the reasons Microsoft Security is now recommending users format.
Just be sure you have a good firewall. The XP firewall only blocks incoming
but to be truly effective against this worm you must be able to block
incoming and outgoing. Most free firewalls can do that, Zone Alarm, Sygate
Personal Firewall, Kerio, Tiny, etc.
MSBLAST.exe as the file they hook into. In other words, they first have to
plant the file on your system, usually by means of an e-mail attachment or
something you've downloaded. Once on your system, they are apparently able
to use this to take control of your system in some fashion which may be one
of the reasons Microsoft Security is now recommending users format.
Just be sure you have a good firewall. The XP firewall only blocks incoming
but to be truly effective against this worm you must be able to block
incoming and outgoing. Most free firewalls can do that, Zone Alarm, Sygate
Personal Firewall, Kerio, Tiny, etc.
D
Derrick Robinson
Thanks a lot for the heads up.
Derrick.
Derrick.
Michael Solomon (MS-MVP Windows Shell/User) said: