xisto Community
alan

Rpc In Windows Xp System shutdown in XP


Dear Friends, I use Windows XP Pro SP1. When I connect to the Internet, a notification box comes up with a countdown of 60 seconds saying that "This System is shutting down. Please save the work and log off. Any unsaved changes will be lost. This shutdown is initiated by NT/Authority System (Remote procedure call has shutdown unexpectedly)". And after the countdown, the system restarts. This occurs very often. First of all, what is NT/Authority System? Is this a hacking, a virus or an OS problem? I have Norton AntiVirus 2004 and it is up to date. Is there any solution to get rid of this problem? :)B):)


I just did a quick Google and it came up with this as an answer...

NT Authority\System RPC Exploit Worm

Here's the text:

By: Borrow -A- Geek @ ozzu.com

This is an important notice. As some of you may know, I work tech support for a cable internet provider. Today was a living hell here at work, because literally tens of thousands of people flooded the call center with this worm that has unleashed its fury on ALL versions of Windows, mostly Windows XP and Windows 2000.

I was hit by this thing and it was a *BLEEP* to remove. (I didn't remove it; my girlfriend actually did while I was stuck at work (yup, she is a guru like me, lol).) But it got taken care of. Look for a post below real soon for the removal instructions.

 

Symptoms:

You get a Windows message that says:

System Shutdown:
This System is Shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by the NT AUTHORITY\SYSTEM

TIME BEFORE SHUTDOWN 00:00:60

Message:
Windows must now be restarted because the Remote Procedure Call (RPC) service terminated unexpectedly

 

Technical Details

The Remote Procedure Call (RPC) protocol on the Windows operating systems provides a mechanism for a program running on one machine to execute code on another machine. Windows uses the Distributed Component Object Model (DCOM) to help manage communications of Windows components over a network, typically (but not always) the TCP/IP networks used in most environments. The DCOM interface to RPC accepts network connections on TCP port 135, and fails to validate message inputs during the instantiation of DCOM objects. By sending an appropriately malformed RPC message, an attacker can cause a vulnerable machine to execute arbitrary code within the security context of the RPC service, typically the SYSTEM context [1,2].

 

The researchers who discovered the vulnerability were able to create proof of concept exploits for Windows 2000/XP (running SP4 and SP1 respectively). They were also able to bypass the buffer overflow protections included as part of Windows 2003, and gain SYSTEM privileges there as well.

 

The vulnerable components of the Windows operating system are installed by default on all versions of Windows, and cannot be disabled without crippling a number of core Windows components.

 

 

references:

 

http://www.microsoft.com/err/technet/security/

 

http://forums.xisto.com/no_longer_exists/

 

http://forums.xisto.com/no_longer_exists/

 

 

Finding and identifying the problem:

Go and get the patch from here; choose the right version for your system. If you don't know whether your system is "32 bit" or "64 bit" then it's 32 bit.
https://support.microsoft.com/en-us/kb/823980

Next, check your system for unusual processes that may be running. In particular watch out for:
(NOTE, THIS LIST IS NOT EXCLUSIVE, KEEP AN EYE OUT FOR ANY UNUSUAL ACTIVITY)
MSBlast.exe
rpc.exe
rpctest.exe
dcomx.exe
lolx.exe
worm.exe

Scan with an up-to-date virus scanner to help with removal of nasties that might be left on your system.

Next, visit http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx and grab hold of all critical updates. Yes, all of them. Try to make a habit of doing this on a regular basis. Note that critical updates are mentioned, not the standard updates. Critical updates usually fix exploits to your computer that can cause problems by hackers or viruses.

 

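A defender-side triage check for the steps in the post above, added here as an example and not part of the original thread: it parses `tasklist /FO CSV /NH` output for the process names the post lists (matched case-insensitively) and scans `netstat -an` output for a listener on TCP port 135, the port named under Technical Details. The function names are hypothetical and the sample output is constructed.

```python
import csv
import io

# Process names copied from the post's watch list (the post notes it is not exhaustive).
WATCHLIST = {"msblast.exe", "rpc.exe", "rpctest.exe", "dcomx.exe", "lolx.exe", "worm.exe"}

def flag_processes(tasklist_csv, watchlist=WATCHLIST):
    """Return (image_name, pid) for rows of `tasklist /FO CSV /NH` output on the watch list."""
    names = {n.lower() for n in watchlist}
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) < 2:
            continue  # blank or truncated line
        image, pid = row[0].strip(), row[1].strip()
        if image.lower() in names:  # Windows image names are case-insensitive
            hits.append((image, int(pid)))
    return hits

def rpc_listeners(netstat_out, port=135):
    """Return local addresses in LISTENING state on the given TCP port in `netstat -an` output."""
    found = []
    for line in netstat_out.splitlines():
        parts = line.split()
        # Expected row: TCP  <local addr:port>  <foreign addr:port>  LISTENING
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):  # exact port, so 1135 does not match
                found.append(parts[1])
    return found

# Constructed sample output, not captured from a real machine.
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","16 K"
"svchost.exe","872","Console","0","3,104 K"
"msblast.exe","1460","Console","0","1,212 K"
"explorer.exe","1612","Console","0","18,440 K"
'''
SAMPLE_NETSTAT = '''  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1135      203.0.113.9:80         ESTABLISHED
'''

if __name__ == "__main__":
    print("watch-list processes:", flag_processes(SAMPLE_TASKLIST))
    print("TCP 135 listeners:", rpc_listeners(SAMPLE_NETSTAT))
```

A listener on port 135 is normal on Windows, so that result only shows which local addresses the firewall has to cover until the patch is installed.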

Dear dexter, I have just checked the system processes and found msblast.exe is running. Even if I give End Task, it reappears after restart. So instead of making so much work to remove this worm, I have ordered the XP SP2 CD from Microsoft and I hope that this will solve the problem. :) ---Thank you for the reply.


Remove that worm first before installing SP2! Besides, it may take a while before you receive it!

 

First, end the msblast.exe task to make sure that your PC won't restart.

 

Then, go to this web site and scroll down to the bottom of the page where you will find the instructions on how to remove the worm:

 

http://www.pchell.com/virus/msblast.shtml

 

There are patches available from Microsoft also right here:

 

http://www.microsoft.com/en-us/download

 

PS: Try not to double post please...


See the above posts; you are infected with a virus. Also, if you find you do not have enough time to complete the above procedure to remove the virus, do the following:

Start -> Run -> type: "CMD" -> click OK.
Type the following in the black box (DOS screen):
shutdown -a <press enter>

The message will now disappear and you will have enough time to complete all the rest.

Good luck.


There's another way of getting rid of that, not installing SP2 or typing shutdown -a ...

Open the Start Menu > Run .. > type "services.msc"
In that list find the "Remote Procedure Call (RPC)" item. Right click > Properties > 'Recovery' tab
In First, Second and Subsequent Failures choose "Restart the service". Apply and you're done.

Note: I can't recommend this method with the LSASS bug/exploit. I tried it already but Windows started acting funny. Keep your firewall on for this one.


I faced the same problem last week. I never thought that it would be a virus problem or a Windows XP bug. My computer has not been upgraded to XP SP2. But when I installed Avast virus home edition and also upgraded my Mozilla Firefox to 1.0.2, the message disappeared. I don't know which one acted. During installation, Avast antivirus found one virus, which was Lovegate, and it has been removed now.


In my old Win98 days I had that once (whilst trying to connect to my VPN). Left it and it went away! No virus/trojan etc. scan picked it up.


Wow, is the msblast worm still circulating around? I remember having to deal with it more than a year ago, but then it eventually died out.

avast AAVM subsystem RPC error
Rpc In Windows Xp

Does anybody have an instant solution to this very intriguing and time-consuming process of removing this piece of **** error? I'm using Vista Service Pack 1. I would greatly appreciate your compassion and solution.

-reply by noel
