System Shutdown RPC Service Terminated

[Guest]

I have encountered a problem I can not seem to fix. When I scan my system for
spyware/other unwanted crap with Ad-Aware a "System Shutdown" prompt comes up
and proceeds to restart my computer after 1 minute. The top text of the
prompt basically says to save all work currently open and "The Shutdown was
initiated by NT AUTHORITY\SYSTEM". The bottom text of the prompt says
"Windows must now restart because the Remote Procedure Call (RPC) service
terminated unexpectedly. I have scanned my system with Ad-Aware on numerous
occasions without this failure occuring. Can someone please help me determine
what is causing this problem. Thanks.

 

[Jupiter Jones [MVP]]

Mark;
Sounds like you have Blaster or Sasser.
Follow this to remove:
http://www3.telus.net/dandemar/blaster.htm

 

[NoNoBadDog!]

Your computer is infected with the Sasser worm...You allowed yourself to be
infected because:



1. You connected to the internet without enabling the Windows firewall.



2. You also have no antivirus software installed.



3. You did not update your version of windows...if you had, the patch to

prevent infection from the SASSER worm would have been on your system (it's

been available for months).



The reason that your machine is infected is because of all of the above.

You must educate yourself on basic computer security.



Here's what you need to do now, in this exact order...



1. Disconnect the computer from the internet...If you have broadband,

physically disconnect the cable from the back of the computer.





2. Turn the computer on. When the message appears, START>Run>'Shutdown -a"



3. Enable the windows firewall. It is very rudimentary as firewalls go,

but it is better than nothing.



4. Install a reputable Antivirus program. You will have to update it after

re-connecting to the internet, and thereafter you MUST KEEP IT UPDATED.



5. Connect to the internet.



6. Update your antivirus software.



7. Run a scan and let the antivirus software will clean your system.



8. Connect to Windows Update and download ALL Critical downloads. Install

them. You may have to repeat this more than once in order to download and

install all Critical Updates.



9. Never, ever connect to the internet, even briefly, without having met

all of the above requirements.



You not only allowed you machine to be infected, but you turned it into a

tool that is/was looking for other unprotected computers to connect. It has

been recently announced that an unprotected computer can be infected in as

little as 40 seconds.



I would venture a bet that your computer has more than just the latest

variant of the SASSER worm.



Once you begin to practice basic computer security, you can become a

responsible "netizen"



Bobby

 

[Bruce Chambers]

Greetings --

If you connected the PC to the Internet without having first
enabled a firewall, without having first installed an antivirus
application with current virus definition files, and before installing
the KB828471 Hotfix, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

MS04-012 Cumulative Update for Microsoft RPC-DCOM
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH

 

[Ed Jay]

On occasion, a "System Shutdown" prompt comes up and proceeds to restart
my computer after 1 minute. The top text of the prompt basically says to
save all work currently open, etc.". The bottom text of the prompt says
"Windows must now restart because the Remote Procedure Call (RPC) service
terminated unexpectedly."

I know this is symptomatic of a couple of viruses, e.g., blaster; however,
this system is clean.

Some time ago someone offered a fix by changing some key in the Registry
that essentially allowed multiple errors before the RPC service
terminated. Does anyone know what it might be?

Ed

 

[guestuser]

If the machine is clean then you should not be getting these RPC shutdowns.
You have kept the system patched with all the critical updates released by
Microsoft? Your firewall, anti-virus software and spyware and adware are
all updated? You have run the specific worm detection and removal tools for
the blaster family of worms?

 

[Ed Jay]

If the machine is clean then you should not be getting these RPC shutdowns.
You have kept the system patched with all the critical updates released by
Microsoft? Your firewall, anti-virus software and spyware and adware are
all updated? You have run the specific worm detection and removal tools for
the blaster family of worms?

As I said, the system is clean and up-to-date.

Ed