alan, posted March 31, 2005

Dear Friends,

I use Windows XP Pro SP1. When I connect to the Internet, a notification box comes up with a countdown of 60 seconds saying that "This System is shutting down. Please save the work and log off. Any unsaved changes will be lost. This shutdown is initiated by NT/Authority System (Remote procedure call has shutdown unexpectedly)". After the countdown, the system restarts. This occurs very often.

First of all, what is NT/Authority System? Is this a hack, a virus or an OS problem? I have Norton AntiVirus 2004 and it is up to date. Is there any solution to get rid of this problem?
dexter, posted March 31, 2005

I just did a quick Google search and it came up with this as an answer...

NT Authority\System RPC Exploit Worm

Here's the text:

By: Borrow -A- Geek @ ozzu.com

This is an important notice. As some of you may know, I work tech support for a cable internet provider. Today was a living hell here at work, because literally tens of thousands of people flooded the call center with this worm that has unleashed its fury on ALL versions of Windows, mostly Windows XP and Windows 2000. I was hit by this thing and it was a *BLEEP* to remove. (I didn't remove it, my girlfriend actually did while I was stuck at work (yup, she is a guru like me, lol).) But it got taken care of. Look for a post below real soon for the removal instructions.

Symptoms: you get a Windows message that says

System Shutdown:
This System is Shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by the NT AUTHORITY\SYSTEM
TIME BEFORE SHUTDOWN 00:00:60
Message: Windows must now be restarted because the Remote Procedure Call (RPC) service terminated unexpectedly

Technical Details

The Remote Procedure Call (RPC) protocol on the Windows operating systems provides a mechanism for a program running on one machine to execute code on another machine. Windows uses the Distributed Component Object Model (DCOM) to help manage communications of Windows components over a network, typically (but not always) the TCP/IP networks used in most environments. The DCOM interface to RPC accepts network connections on TCP port 135, and fails to validate message inputs during the instantiation of DCOM objects. By sending an appropriately malformed RPC message, an attacker can cause a vulnerable machine to execute arbitrary code within the security context of the RPC service, typically the SYSTEM context [1,2].

The researchers who discovered the vulnerability were able to create proof of concept exploits for Windows 2000/XP (running SP4 and SP1 respectively). They were also able to bypass the buffer overflow protections included as part of Windows 2003, and gain SYSTEM privileges there as well. The vulnerable components of the Windows operating system are installed by default on all versions of Windows, and cannot be disabled without crippling a number of core Windows components.

References:
http://www.microsoft.com/err/technet/security/
http://forums.xisto.com/no_longer_exists/
http://forums.xisto.com/no_longer_exists/

Finding and identifying the problem:

Go and get the patch from here, choosing the right version for your system. If you don't know whether your system is "32 bit" or "64 bit" then it's 32 bit.
https://support.microsoft.com/en-us/kb/823980

Next, check your system for unusual processes that may be running. In particular watch out for (NOTE: THIS LIST IS NOT EXCLUSIVE, KEEP AN EYE OUT FOR ANY UNUSUAL ACTIVITY):

MSBlast.exe
rpc.exe
rpctest.exe
dcomx.exe
lolx.exe
worm.exe

Scan with an up-to-date virus scanner to help with removal of nasties that might be left on your system.

Next, visit http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx and grab hold of all critical updates. Yes, all of them. Try to make a habit of doing this on a regular basis. Note that critical updates are mentioned, not the standard updates. Critical updates usually fix exploits to your computer that can cause problems by hackers or viruses.
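The process check and the TCP port 135 exposure described in the post above, as an added example that is not part of the original thread: it parses constructed `tasklist /FO CSV /NH` and `netstat -an` output, flags the image names the post lists, and reports whether TCP 135 is listening on a non-loopback address. The function names and sample data are assumptions made for illustration.

```python
import csv
import io

# Image names listed in the post above (the post notes the list is not exhaustive).
SUSPECT_IMAGES = {"msblast.exe", "rpc.exe", "rpctest.exe",
                  "dcomx.exe", "lolx.exe", "worm.exe"}

# Constructed sample of `tasklist /FO CSV /NH` output (not from a real host).
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","16 K"
"svchost.exe","884","Console","0","3,912 K"
"MSBlast.exe","1720","Console","0","1,204 K"
"explorer.exe","1456","Console","0","18,340 K"
'''

# Constructed sample of `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = '''  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
'''

def flag_processes(tasklist_csv):
    """Return (image, pid) for every row whose image name is on the watch list."""
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) < 2:
            continue  # skip blank or malformed rows
        if row[0].strip().lower() in SUSPECT_IMAGES:  # image names are case-insensitive
            hits.append((row[0].strip(), int(row[1])))
    return hits

def rpc_exposed(netstat_text, port=135):
    """Return local addresses listening on the TCP port on a non-loopback interface."""
    exposed = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue  # header, UDP and non-listening rows
        host, _, lport = parts[1].rpartition(":")
        if lport == str(port) and not host.startswith("127."):
            exposed.append(parts[1])
    return exposed

if __name__ == "__main__":
    for image, pid in flag_processes(SAMPLE_TASKLIST):
        print(f"suspicious process: {image} (PID {pid})")
    for addr in rpc_exposed(SAMPLE_NETSTAT):
        print(f"TCP 135 listening on {addr}: confirm the patch and firewall")
```

A name match is only a lead: confirm the file's path and scan it before removing anything, since a process name alone does not identify the binary.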
alan, posted March 31, 2005

Dear dexter,

I have just checked the system processes and found msblast.exe is running. Even if I end the task, it reappears after restart. So instead of doing so much work to remove this worm, I have ordered the XP SP2 CD from Microsoft and I hope that this will solve the problem.

Thank you for the reply.
bureX, posted March 31, 2005

Remove that worm first before installing SP2! Besides, it may take a while before you receive it!

First, end the msblast.exe task to make sure that your PC won't restart. Then, go to this web site and scroll down to the bottom of the page where you will find the instructions on how to remove the worm: http://www.pchell.com/virus/msblast.shtml

There are patches available from Microsoft also right here: http://www.microsoft.com/en-us/download

PS: Try not to double post please...
ramon, posted March 31, 2005

See the above posts, you are infected with a virus.

Also, if you find you do not have enough time to complete the above procedure to remove the virus, do the following:

Start -> Run -> type: "CMD" -> click OK.
Type the following in the black box (DOS screen):
shutdown -a <press enter>

The message will now disappear and you will have enough time to complete all the rest.

Good luck.
guangdian, posted April 1, 2005

I think if you have got SP1 then this bug will not be displayed. But you have dink SP1. It's just an XP bug and not a virus, don't worry.
Izlude, posted April 4, 2005

There's another way of getting rid of that, without installing SP2 or typing shutdown -a ...

Open the Start Menu > Run... > type "services.msc"
In that list find the "Remote Procedure Call (RPC)" item. Right click > Properties > 'Recovery' tab
In First, Second and Subsequent Failures choose "Restart the service". Apply and you're done.

Note: I can't recommend this method with the LSASS bug/exploit. I tried it already but Windows started acting funny. Keep your firewall on for this one.
Binod Singh, posted April 6, 2005

I faced the same problem last week. I never thought that it would be a virus problem or a Windows XP bug. My computer has not been upgraded to XP SP2. But when I installed Avast antivirus home edition and also upgraded my Mozilla Firefox to 1.0.2, the message disappeared. I don't know which one did it. During installation Avast antivirus found one virus, lovegate, which has been removed now.
Matt1eD, posted April 6, 2005

In my old Win98 days I had that once (whilst trying to connect to my VPN). Left it and it went away! No virus/trojan etc. scan picked it up.
Casanova, posted April 8, 2005

Wow, is the msblast worm still circulating around? I remember having to deal with it more than a year ago, but then it eventually died out.
iGuest, posted April 12, 2009

avast AAVM subsystem RPC error
Rpc In Windows Xp

Does anybody have the instant solution to this very intriguing and time-consuming process of removing this piece of **** error? I'm using Vista Service Pack 1. I would greatly appreciate your compassion and solution.

-reply by noel