(RPC) Service terminated unexpectedly

When on the internet I am getting the following on my XP box:

This system is shutting down. Please save all work in progress
and log off. Any unsaved changes will be lost. This shutdown
was initiated by NT AUTHORITY\SYSTEM

Time before shutdown: 00:00:59

Message:
Windows must now restart because the Remote Procedure Call
(RPC) service terminated unexpectedly


I am on dial-up and would rather not download the Sevice Pack.

Any fixes out there?

Thanks in advance.

 

same problem help

I have a client that got the same problem today so if anyone has a fix or knows what is happening please help me and the original poster.

Thanks.

 

Look at this thread:

http://www.windowsbbs.com/showthread.php?s=&threadid=20928

Most people seem to have these multiple problems.

 

RPC services shutting down

I have the same issue starting today. The post you suggested doesn't mention this occuring. Is it related to the virus? I use McAfee and it didn't detect a virus.

 

I think even after you download the fix, you will need to get the latest virus definitions and remove the virus that is causing the problem. The fix from microsoft only patches the vulnerability, right?

I just hope I can stay online long enough to download the latest updates to McAfee...

 

Arie

What is the name of the virus ??? This one client is a new and I mean new XP install with the latest Norton definitions so how did it get though ???

Also, in looking at the msconfig I noticed an executable called msblast.exe that wasnt there when I set the machine up at the clients site. I looked on the web and I cant find anything that mentions msblast.exe. Is this the virus's executable ???

 

for anyone that hasn't gone there yet, check the SRC at Symantec. Just downloaded the fix and cleaned two computers. Worked great.

Both computers are on DSL and connected to a company through VPN. Looks like it spread from the company outward. Hmmm.

Now have to get them to clean up and lock down the ports TCP 135, and 4444. UDP 69.

 

w32.blaster.worm

The Patch

 

W32.Lovsan.worm Aliases include Win32.Poza (Computer
Associates), Lovsan (F-Secure) and W32.Blaster.Worm (Symantec)

From what I read, if you've been infected there may not be a real good way to be sure you have cleaned it up completely.

Try start~run~cmd and then netstat -A. If you find a listing that you are listening on port 33571 you are probably infected. Good stuff (but technical) at http://isc.sans.org/diary.html?date=2003-08-09

The latest info I have is that even though the critter likes to come in via port 135, blocking that port can cause some problems and you should be OK blocking TCP/UDP port 69 and TCP port 4444 since the worm /vvirus uses 4444 to FTP out and get the rest of it's payload and until then is fairly harmless.

 

I don't know what fixed this same problem I had.
I downloaded the FIX from microsoft (refer to a previous reply above) and then updated my (AVG) virus signature file (it was only 10 days old) to the latest and it then found the LOVSAN WORM virus in C:\WINDOWS\SYSTEM32\MSBLAST.EXE file and 'cleaned' it.
All now seems to be working ok.
This (worm) virus must be very new as my virus signature file was only 10 days old!

Tell everyone to keep their virus signature files up to date!
Cheers
John

 

All fixed

Same here, got the virus on 8/04, virus dat came out a few days later. I've applied the microsoft patch, scanned for viruses with the new .dat file, and deleted the msblast.exe (after i stopped it from running, busy little sucker). I also had to delete the TFTPxxxx file from the startup folder, and disable and remove my previous system restore points (which contained the virus).

From what I understand, this virus will also start a DOS attack on the windows update server after August 15th. Hope people get the word and get this thing cleaned up!

 

EXCELLENT THINKING

BillyBob

 

just want to thank you for helping all the lost souls like me who did,nt have a clue what to do thanks guys and gals

 

Safe Mode Worked for me

Hello All,

I had to reboot into safe mode after downloading the newest Norton's definitions. From Safe mode I ran and removed the virus. When I rebooted it was somehow still working. I found it in the registry. Deleted that. To my amazement I ran Norton's again and it said it was gone, yet I still had the problem. I went to Symantec and downloaded a nice "REMOVING" program they had.
Removal using the W32.Blaster.Worm Removal Tool
Symantec Security Response has developed a removal tool to clean infections of W32.Blaster.Worm. This is the easiest way to remove this threat and should be tried first.

Quotes from site above.

That said it found and removed one more part! Then it tried to get me to install the patch from Microsoft. That would not install. "CRYPTOGRAPHIC" not turned on?
I read to rename the \Windows\System32\CatRoot2 folder to CatRoot2OLD. My computer would NOT let me do this. ACCESS Denied! So I deleted all the files in it that I could. Then the Microsoft patch worked great.

This seems to have fixed it for me. Thanks you all with your advice and help. I don't know what I would have done without this BBS group.

 

Plz tell me how to disable the restore and remove restore points...

thanks

 

the way I got rid from my sisters comp was just to re format, I did all the patches and other bits.
Seems it only happens on dial up?

How do you block port 4444, I know a few have said to do that but know one has said how?

 

Trend micro lists 3 variants of the blaster & a trojan

WORM_MSBLAST.A
WORM_MSBLAST.B
WORM_MSBLAST.C
WORM_MSBLAST.DRP
WORM_MSBLAST.GEN

paddyslammer - if you are running a firewall you just need to make sure that ports 69 & 4444 are not open outbound. Good idea to block both the UDP and TCP ports. If you aren't running a good firewall, you can't do it. The built-in XP one will only allow blocking inbound stuff for instance.