Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

NT Authority / System shutdown? 11

Status
Not open for further replies.

SinisterX

Technical User
Jun 23, 2003
4
US
Whenever I start up windows xp about a minute later, a message appears stating this is from the NT Authority / System and that "windows must now restart because the Remote Procedure Call (RPC) terminated unexpectedly." It goes into a 50 sec. countdown and windows just restarts automatically everythime? I can't get rid of this message or this error problem. What can I do?

Thanks,
Omar
 
Did you try booting into safe mode? Look at the event viewer, that should give you a better idea of what the actual error is.
 
This is a very hard one to figure out, only that there has been a flurry of these recently.

I honestly believe it is a deliberate attack on port 139 that is being launched. This CNN Report of last week is typical of the warnings now being issued in the US:
There is a recent hotfix that addresses this RPC vulnerability:
 
My XP is now doing it as of today.
Although I did delete 2 files that were in the startup.
TFTP1800 and another TFTP? something.

I called into Comcast because I couldn't access the internet from my XP, but I could from other computers on the same modem.
They had me uninstall broadjump. Then checked few other things, but didn't delete anything. Next time I booted up I got error message with cannot open TFTP1800, so I took them out of startup folder. Next time I booted up I got NT Authority shut down message.
Any more ideas?
tav
 
Install or enable a firewall immediately.

Run an updated virus scan.
Or Scan for Viruses online:

Also be sure to update immediatly to prevent this in the future:

This will tell you more:
 
I also am having the same problem; after connecting to the internet, and being logged on for approximately 60 seconds, a box appears and says NT Authority/System is shutting down, save all unsaved files". It then counts down from 50 seconds and restarts my computer. I have tried McAfee Virus Scan with no luck. I tried to go to Windows Update, but cannot stay logged on to the internet to detect any updates.

Can anyone help?
 
I have a current fix (XP only (cause XP has an inbuilt firewall))

The current worm using this hole is MSBLAST.exe

FIX

Disconnect.

CTRL/ALT/DELETE and bring up the processes tab. Kill MSBLAST

Search for the file MSBLAST.EXE and delete it (it's a new trojan worm).

turn on the XP version of firewall (or other firewall)

Connect and get the security update ASAP.
 
Oh! BTW. Next time you guys in MIS dis us plebs in tech. support when it comes around to payrise time.

RTFM and make sure that guy you employed as "Network Admin" actually knows what he's talking about :)
 
Can't delete it even after ending process.
Says access denied.
Already disabled AutoRestore.
Already Deleted from registry.
tav
 
Belive me when I say. It's still running as a process. If you're still connected when you try this, then you are still reciving infected packets.

You must disconnect (try restarting without your modem plugged in)

Kill the process (yes it will be there)
Delete the file (it's in system32)
Make sure you have a firewall running (apparently the XP version is good for something)
Reconnect

And get the security update.
 
AHHH !!

This virus has just killed two systems at different customer sites today.

I killed the process & reg entry.
Updated definition, scanned etc etc(in safe mode)

Seems like its gone BUT the aftermath is still present.

In one case DUNS is dead and in the other it gets the RPC crash and shuts down.

Anyone worked out a COMPLETE fix ?
 
How to make sure your connection is fire walled.

Start

Then (depending on how you have XP set up)

Control Panel
OR
Settings>Control Panel

If you have large letters at the top of the window saying "Pick a category" then on the left column click on "switch to classic view"

Now go into "Network connections"

On the normal connection you use (or to be safe all of them), right mouse click on the connection and in the drop down menu, left click properties.

With the properties up, goto the "advanced" tab.

Make sure the "protect my computer" firewall IS ticked and click OK

You can now connect (so long as you've already removed MSBLAST) and get the security update.
 
There is no complete fix (other than giving your accountant a heart attack for having to pay for the security fix to be mailed to you on CD, or buying an off the shelf fire wall to block re-infection until you get the fix downloaded)

The reason for this is. Each PC infected (yes the MAC users can laugh now) is sending out more copies of the infection (that's why your network traffic is going crazy)

So even if you remove the infection, the 1,000's of PC's still infected will re-infect your computer as soon as you connect to the internet.

Don't you wish you'd listened to the tech. support guy when he said "you need a firewall?"
 
stikman,
you ask for a complete fix....
to make it simple see
thread779-627674 you only need the 8th post
this post almost says it all.
It's by bcastner.

But first disable your system restore.
Follow his instructions for stopping msblast, editing the register and deleting the files.
Next as soon as you plug into the net Follow his link straight to the patch. (it's the quickest way there), this is the only way to beat the 59 second shutdown.


Again the 8th post is the direct link to the patch...

Only after installing the patch did it stop having the RPC error.

Note: there are 2 files in system32 folder, one shortcut to DOS called msblast and msblast.exe
If you can't delete these files, then reboot after editing the registry and try to delete msblast files.
tav
 
Either that or make sure you have a firewall in place after you remove MSBLAST and you can download at leisure.

Test bedded 7 times and a firewall will block re-infection allowing you to download the patch.
 
It's funny I have a firewall (sygate) and disabled msblast.exe, deleted it from the reg., ended the process, I even tried to block all on the firewall but still got the error up until the patch took place.
tav
 
Thanks tav. bcastner's post did do the trick for one but not the other.

Still working out how to bring his DUNs back to life.

cheers
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top