RPC Shutdown Error Virus-Do I Have It?

About once a month I get the Remote Procedure Shutdown error which I've been
told by net research is the Blaster Worm Virus. I cannot find any evidence
of this virus. I have downloaded MS Removal Tool, Symantec FixBlast Tool
(which took like 2 hours to run and didn't find anything either). Tried a
couple of other site scans and everything tells me I don't have this virus.
I went through this last month when it happened and it just happened again a
few days ago. My NOD32 is up to date and full scan turned up nothing. Is
this a symptom of something else? I am running Win XP and have a home
network of 3 computers total (all Win XP) and none of the other computers
displayed this or any unusual behavior.

Distressed Louie



Re: RPC Shutdown Error Virus-Do I Have It?

Luigi wrote:

Louie,

Since NOD32 doesn't find Blaster, I would look elsewhere first. On my
WinXP HE box I have the Remote Procedure Call service disabled.

   (http://www.ntsvcfg.de/ntsvcfg_eng.html )

If you have this service enabled, check out the other services that
use it (there are tons of them).

1a) Start -> Run -> services.msc, or
1b) Right-click My Computer -> Manage -> select Services
2) Right-click Remote Procedure Call -> select Properties
3) Select the RPC Dependencies Tab

If your problem does indeed have to do with the RPC service, it could
be caused by any of the other services/devices that use it. Since you
have a LAN set up, you probably need a few services that I don't need,
but you still want to disable those that you don't need.

Ron :)

Re: RPC Shutdown Error Virus-Do I Have It?


| About once a month I get the Remote Procedure Shutdown error which I've been
| told by net research is the Blaster Worm Virus. I cannot find any evidence
| of this virus. I have downloaded MS Removal Tool, Symantec FixBlast Tool
| (which took like 2 hours to run and didn't find anything either). Tried a
| couple of other site scans and everything tells me I don't have this virus.
| I went through this last month when it happened and it just happened again a
| few days ago. My NOD32 is up to date and full scan turned up nothing. Is
| this a symptom of something else? I am running Win XP and have a home
| network of 3 computers total (all Win XP) and none of the other computers
| displayed this or any unusual behavior.
|
| Distressed Louie
|

You need to be exact and specific.
Are you using XP SP2 on the affected PC ?

Do you get the following 60 sec shutdown message ?

NT AUTHORITY\SYSTEM

"Windows must now restart because the Remote Procedure Call (RPC) Service
terminated unexpectedly"

Even if you do it is NOT indicative of a RPC/RPCSS DCOM Exploitation of the
buffer overflow vulnerability worms take advantage of using TCP Port 135.

You indicate you have a SOHO LAN which means a NAT Router so the likelihood
of an Internet worm exploiting TCP port 135 is extremely low.

I doubt it is such an exploit.  Even still, the Lovsan/Blaster is a dead/dying
worm with extremely low incidents now.  There are however many BOTs that will
exploit the RPC/RPCSS DCOM buffer overflow vulnerability and the so-called
Blaster removal tools are worthless on them.  The RadeBOT, SDBot, GAOBot, RBot
are just a few that now take advantage of this exploitation method.

Please run the following command...

Go to;  Start --> Run
Type;  notepad  %windir%\KB828741.log
Hit the enter key.

Does NOTEPAD show a LOG file or does it generate an error that KB828741.log
was not found ?

Please answer and respond to ALL of my questions.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: RPC Shutdown Error Virus-Do I Have It?

I am using XP SP2 and I do get the 60sec shutdown msg you mentioned. The run
command did generate a log file.
Louie





Re: RPC Shutdown Error Virus-Do I Have It?


| I am using XP SP2 and I do get the 60sec shutdown msg you mentioned. The run
| command did generate a log file.
| Louie


Then your vulnerability has been plugged and the source of the RPC Shutdown is
not due to TCP port 135 and worm activity attempting exploitation of the noted
buffer overflow vulnerability.

I have seen this happen before.  I was cleaning a PC heavily infected with
non-viral malware and using Ad-aware SE.  During the scan the 60 sec. shutdown
was generated.  This was consistent.  It is assumed that an identified malware
was using this as a self preservation method.

When you get the 60 sec. shutdown message, you can stop the shutdown process
by executing...

shutdown -a

What the cause and the problem source is I don't know but you can conclude the
problem is with the RPC Service itself if it is auto-generated and not caused
by a service or action dependent upon the RPC NT Service.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: RPC Shutdown Error Virus-Do I Have It?

Thank you very much for your help.
Louie




Re: RPC Shutdown Error Virus-Do I Have It?

Hi Louie,

    If you have occasion to remove a copy of svchost.exe using Taskmgr
and End Process, it creates the exact error you are posting about. When
you have another computer available that is working, compare the Startup
Type settings in Services for each Service and change the Startup Type
in the computer you are having problems with, to match the computer
Settings with the computer you aren't having problems with. See what
happens.


--
thecreator
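
The comparison suggested in the post above can be scripted; this is an added example, not part of the original thread. It assumes each PC's service list was saved from the Services console with Action -> Export List as tab-delimited text with "Name" and "Startup Type" columns; the sample data, descriptions and function names are constructed.

```python
import csv
import io

# Constructed sample exports: tab-delimited text with the Services console's
# column headers. Real exports would be read from the two saved files instead.
HEADER = "Name\tDescription\tStatus\tStartup Type\tLog On As\n"
WORKING_PC = HEADER + (
    "DCOM Server Process Launcher\tLaunches DCOM services\tStarted\tAutomatic\tLocal System\n"
    "Messenger\tTransmits net send messages\t\tDisabled\tLocal System\n"
    "Remote Procedure Call (RPC)\tEndpoint mapper\tStarted\tAutomatic\tNetwork Service\n"
    "Windows Firewall/Internet Connection Sharing (ICS)\tFirewall, NAT\tStarted\tAutomatic\tLocal System\n"
)
PROBLEM_PC = HEADER + (
    "Constructed Example Service\tNot a real service\tStarted\tAutomatic\tLocal System\n"
    "DCOM Server Process Launcher\tLaunches DCOM services\t\tDisabled\tLocal System\n"
    "Messenger\tTransmits net send messages\t\tDisabled\tLocal System\n"
    "Remote Procedure Call (RPC)\tEndpoint mapper\tStarted\tAutomatic\tNetwork Service\n"
    "Windows Firewall/Internet Connection Sharing (ICS)\tFirewall, NAT\tStarted\tManual\tLocal System\n"
)


def load_startup_types(export_text):
    """Map service display name -> Startup Type from one tab-delimited export."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    types = {}
    for row in reader:
        name = (row.get("Name") or "").strip()
        if name:  # skip blank or truncated lines
            types[name] = (row.get("Startup Type") or "").strip()
    return types


def diff_startup_types(working_export, problem_export):
    """Return (service, working_type, problem_type) for every mismatch.

    A service present on only one machine is reported with "(missing)" on
    the other side, which also surfaces services installed on just one PC.
    """
    working = load_startup_types(working_export)
    problem = load_startup_types(problem_export)
    mismatches = []
    for name in sorted(set(working) | set(problem)):
        w = working.get(name, "(missing)")
        p = problem.get(name, "(missing)")
        if w.lower() != p.lower():
            mismatches.append((name, w, p))
    return mismatches


if __name__ == "__main__":
    for name, w, p in diff_startup_types(WORKING_PC, PROBLEM_PC):
        print(f"{name}: working={w} problem={p}")
```
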
