NT Authority / System shutdown? 11

[SinisterX]

Whenever I start up windows xp about a minute later, a message appears stating this is from the NT Authority / System and that "windows must now restart because the Remote Procedure Call (RPC) terminated unexpectedly." It goes into a 50 sec. countdown and windows just restarts automatically everythime? I can't get rid of this message or this error problem. What can I do?

Thanks,
Omar

 

[Helgi]

Interesting.

Test bedded the following.

Disconnect.

CTRL/ALT/DELETE and bring up the processes tab. Killed MSBLAST

Searched for the file MSBLAST.EXE and delete it.

Turned on the XP version of firewall.

And then connected fine without re-infection. (No reg-hack, no noughting else (it's easier to explain to moron...er customers).

Telling them to connect straight away and get the update works fine.

Maybe a problem with sygate?

 

[bcastner]

stikman,

Run a repair on his Winsock service stacks:

http://members.shaw.ca/techcd/VB_Projects/WinsockFix.zip

It should restore his DUN functionality.

 

[stikman]

Thx.. was planning to do just that in the morning.


You have been a great help.

THANKS !!

 

[ricpinto]

I have an idea on how to beat the 60 secs. goto Remote Procedure Call (RPC) service, click properties,goto recovery tab. On the "first failure" box, make sure it's "Restart the computer". Now click "Restart Computer Options" then key how many minutes, put as many as you want. But I'm not sure if you can solve your problem

 

[Yogi39]

Thank God for this site and all of you.

Had the same problem with my XP pro on my NEW PC...*lol*
I managed to install the patch B4 the showtdown and no mre problem !

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

thanks to bcastner and all the posts for helping me get though this !

 

[bcastner]

You are welcome Yogi39 and all. It is interesting to see the evolution of this worm. Both Linney and I responded as early as August 5th to RPC failures and strange TFTP payloads. It is really impressive to watch the geometric spread of a worm over the internet.

Code Red all over again. It is a little odd because many ISPs were blocking at least 135 after the Code Red worm, and I thought still were. This of course does not absolve the user from taking firewall precautions, but it is amazing to see large managed sites effected by this MSBLAST worm. I expect to see some people fired over this one.

 

[tav1035]

bcastner,
You mentioned TFTP.
I posted that I had two new files added to my startup folder called TFTP1800 and TFTP? can't remember the name?
Do you know why these were created?
And everyone might want to check their startup folder /all users, for these 2 files. I couldn't see them from the task manager.
Two other things to ponder...
Did you disable SystemRestore before deleting the virus?
And did you turn it back on?
And is it possible to delete the restore points prior to 8/11?
tav

 

[bcastner]

MSBLAST comes in through TCP port 135 and initates an agent. The agent then contacts through TFTP on port 4444 to obtain a payload. (Those are the two TFTP files you see). The payload is executed to install MSBLAST.exe in c:\windows\system32, and to make the registry edit to have MSBLAST.exe run on startup. Finally the agent makes direct RPC service calls with faulty packets to force a buffer overflow. (This is what the MS security patch stops, the RPC buffer overflow). On an unpatched system the RPC buffer overflow causes a critical error and after a timeout setting (which can be changed in the properties of the RPC service) the system reboots.

The TFTP payload files are evidence that you were infected far enough for the agent to use port 4444 to receive the payload. Delete the files, but they are in a sense harmless just by themselves.

 

[allis]

When should I - in the process of getting rid of this worm and downloading patches, etc. - turn off system restore? And how do I do this?

Do I have to do this, or if the other steps work, then what?

Also, how do I get to RPC and to safe mode if I need to?

 

[bcastner]

If you have been infected, your most recent restore points are suspect. Use Start, Help and Support to access the System Restore facility and delete suspect restore points.

Remove the infection, if present.

Immediately set manually a new restore point.


To get to safe Mode you can Start, Run, MSCONFIG and enable Safe Mode on Startup and reboot; or just reboot and hit the F8 key early and often.

To modify RPC settings (not recommended) Start, Run, services.msc and double-click the Remote Procedure Call Service.

 

[allis]

What should I set the restore points to????

If I just get everything cleaned up, get the patch, enable the firewall connection, etc - do I still need to mess with system restore?

If so, what should I set it to?

 

[tav1035]

allis,
bcastner has a great thread that worked for most people.
Look at my post above (18th post).

It says first disable your system restore.
Probably in this order->
Follow his instructions for stopping msblast, editing the register and deleting the files.
(instead of using virus scan, for now look in your windows32 folder for msblast and delete, then edit the register).
Next as soon as you plug into the net Follow his link straight to the patch. (it's the quickest way there), this is the only way to beat the 59 second shutdown.
The link he gave was

http://microsoft.com/downloads/deta...6C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

Note: don't plug into the internet until your ready to download the patch.
tav

 

[ricpinto]

So welcome me to the club, I thought it won't happen to me, I'm a new member already. Lucky I'm reading this post last night that's why I'm ready.

Things that I've done:

1. unplug the NIC cable
2. delete msblast.exe
3. remove the entry in the registry
4. update svc pack for win2k pro(I got a cd version sp3), no need for XP pro.
5. reboot and applied corresponding patches from Microsoft

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

6. reboot again then plug back the NIC cable. All seems OK.

So that's what I did.. did I miss something

 

[bcastner]

ricpinto,

Install firewall.

 

[ricpinto]

bcastner,

Firstly another start for you.. The truth is I've been convincing the other site to purchase a router but I can't put it in a convincing way that's why they ignore it. On my current site we have it that's why we're not affected but sadly, one of my job is to support the other site. Right now they asking get a firewall as fast as possible. I got three quotation already from different companies. Firewall companies will really benefit from this outbreak.

I think we're not-aware/ignoring the tcp/udp filtering that comes together with tcp/ip protocol because maybe we are not sure of ports assignments that we need to filter and allow. Like HTTP is 80. smtp is 25, pop3 is 110 etc. This is the complete list

http://www.iana.org/assignments/port-numbers

For the benefit of people wihtout a firewall, can anybody suggest what are the ports that we need to allow to connect to internet? Maybe basically first as a start?

Thanks

 

[darthsaber]

ok i cannt find msblast.exe. could someone for 1 last time summarise how to fix the shutdown problem? or even email it to me. i would really appreciate your help. im only 15 lol so coudl you try and make it a bit easier?im not computer illiterate but not a master. darthsaber88@hotmail.com for anyone who would like to lend me a hand. thanks alot
aj

 

[bcastner]

darthsaber,

Dowload and use any of these:

Symantec

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Trend Micro

http://www.trendmicro.com/download/tsc.asp

F-Secure

http://www.f-secure.com/v-descs/msblast.shtml

Computer Associates

http://www3.ca.com/virusinfo/virus.aspx?ID=36265

Panda Software

http://www.pandasoftware.com/download/utilities/

Gladiator AV

http://forum.gladiator-antivirus.com/index.php?showtopic=5882

 

[PenelopeC]

Hi All, This is a GREAT thread but I believe I have a different set of circumstances that causes the fix (ANY fix) to be impossible to install. PLEASE see if you can help!!

This is for my Dad (MY system has a firewall and all Windows Updates) he's only been a computer user for 8 mos. and he's bummed...he's got an IBM NetVision 8311. IBM seems to have a software level BEFORE the Windows XP boots...something about "System Utilities". The IBM stuff comes up black screen white letters - like maybe its DOS?? Then the WXP splash screen appears for 15 - 20 sec then it goes BACK to the IBM screen. I tried to F8 to log in to safe mode but when I choose safe mode (NO networking -- and yes the network connection is physically unplugged) a big list of WINDOWS\SYSTEM32\DRIVERS scrolls across the screen then it goes back to flipping between the IBM splash screen and the WXP splash screen.

Is he screwed? Am I gonna be Formatting his hard drive soon?

Please let me know if any one has any ideas. You tek people ROCK (lets here it for the SQL folks !)

Thanks in Advance!!!

PenelopeC
~~~>-/O~~~~~swimming right along

 

[bcastner]

PenelopeC,

This does not sound like the msblast worm.

It sounds like bad RAM.

It does not sound like a hard disk issue.

When you see the IBM System Utilities Screen, hit F10 (I think, or try F1 and try F2) If I remember from (this is IBM laptop experience) there should be a menu appear that includes a system test utility. You want to run that utility if you can get to it.

 

[bcastner]

PenelopeC,

And if it is not bad ram, it sounds awfully like a corrupt registry.

See this article and you decide how well it fits your father's case:

http://www.digitalwebcast.com/2002/03_mar/tutorials/cw_boot_toot.htm