System Shutdown

  • Thread starter Thread starter jamie
  • Start date Start date
J

jamie

I installed the MS Spyware beta program and all was
working fine - detecting spyware and removing it. Then
the computer went into this shut down mode and will not
stop!

This is the message that displays:

This shutdown was initiated by NT Authority/System.
Windows must now restart because the Remote Procedure
Call Service (RPC) service terminated unexpectedly.

I have no clue what this means and would really
appreciate anyones HELP!
 
This shutdown was initiated by NT Authority/System.
Windows must now restart because the Remote Procedure
Call Service (RPC) service terminated unexpectedly.
Click to expand...

My guess is that the spyware corrupted some file which has caused it to be
removed by AntiSpyware. Unfortunately, this was a file needed by Windows.
Some more info might be helpful. For example, what version of Windows? What
spyware did AntiSpyware detect? etc.
 
Sounds like the blaster worm.

To resolve this issue in Windows 2000 and XP you will need
to perform the following steps:

Change the settings for the Remote Procedure Call (RPC)
Service in order to connect to the internet without the
computer shutting down
To change these settings you will need to perform the
following:


Right-click the My Computer icon on the Windows desktop or
in the Start menu.
Select Manage. The Computer Management window will open.
In the left pane, double-click on Services and
Applications.
Select Services and a list of services should appear.
In the right pane, locate the Remote Procedure Call (RPC)
service, it will have a Status of "Started".
Note: This will be the first in a listing of two Remote
Procedure Call (RPC) services.


Right-click on the first Remote Procedure Call (RPC)
service listed.
Select Properties.
Select the Recovery tab.
Using the drop-down lists, change First failure, Second
failure, and Subsequent failures from Restart the Computer
to Take No Action.
Click on Apply and then OK.
CAUTION: Make sure that you change these settings back
after completing the final step to remove the worm.


Verify which service packs have been applied as well as
which version of Windows you are running. To do this:

Right-click My Computer on the desktop.
Select Properties. Operating system information will be
listed in the window that comes up. This will include what
version of the operating system is running as well as what
service packs have been applied to it.
The following service packs need to be applied right away:
Note: The service pack version will depend on what
operating system you have on your computer.


If you are running Windows XP version 2002, Service Pack 1
will need to be installed. If this has not been applied to
your system you can obtain it by connecting to:

http://windowsupdate.microsoft.com


If you are running Windows 2000, you must have at the
minimum, Service Pack 2 applied. Please note that
Microsoft no longer supports this version and newer
service packs such as service pack 3 and 4 are recommended
and preferred. If this has not been applied to your system
you can obtain it by connecting to:

http://windowsupdate.microsoft.com

After performing the above and verifying the required
service pack is in place the Patch can be applied.

Information and download links for your version of windows
can be found at:

http://www.microsoft.com/security/bulletins/200309_windows.
mspx


Removal of W32.Blaster.Worm

http://www.microsoft.com/security/incident/blast.mspx

Ron Kinner MVP Servers
 
THANKS... you were right I think we got the blaster worm!

I tried your procedures and no menue would come up when I
Right-click on the first Remote Procedure Call (RPC)
service listed and select Properties.

I also went to the webpage you recommend and tried the
procedures "To end the Blaster worm process":

Press Ctrl+Alt+Delete.
Click the Task Manager button.
Click the Processes tab.
Click the Image Name column header to sort the processes
alphabetically by name.
Look for a process named Msblast.exe. If you find it,
click the name to select the process, and then click the
End Process button.
Close the Task Manager.

And did not see the Msblast.exe.


If I put in the Restore CD, will it remove the worm and
return eveything back to normal??
 
Jamie said:
THANKS... you were right I think we got the blaster worm!

I tried your procedures and no menue would come up when I
Right-click on the first Remote Procedure Call (RPC)
service listed and select Properties.

I also went to the webpage you recommend and tried the
procedures "To end the Blaster worm process":

Press Ctrl+Alt+Delete.
Click the Task Manager button.
Click the Processes tab.
Click the Image Name column header to sort the processes
alphabetically by name.
Look for a process named Msblast.exe. If you find it,
click the name to select the process, and then click the
End Process button.
Close the Task Manager.

And did not see the Msblast.exe.


If I put in the Restore CD, will it remove the worm and
return eveything back to normal??
Click to expand...

No.

Perhaps you have Sasser.
What You Should Know About the Sasser Worm and Its Variants
http://www.microsoft.com/security/incident/sasser.asp
Microsoft has updated the cleanup tool for W32.Sasser.worm to remove the C
and D variants of the Sasser worm. The Sasser removal tool now removes
Sasser A, B, C and D. The updated removal tool is located at
http://www.microsoft.com/downloads/...B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
and is documented in Knowledge Base article KB841720
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
 
I have the same issue.

I have tried safe mode, etc, but both have the same
symptoms. That RPC message, and almost nothing is able to
run correctly. Explorer.exe experiences heavy
lockup/crashes, etc.

I use shutdown -a to cancel the RPC issue, but i have no
network connectivity, no copy/paste.. almost nothing works

This was a clean XP install (SP2) from two days ago. I
installed some nasty stuff from http://www.negativebeats.com/

Computer worked fine for a while.. I used MS AntiSpyware to
remove everything found, and then it wanted to reboot.. I
let it and it never recovered.
 
I finally got the computer to stop shutting down and was
able to install the security update (#835732).

Now, I can not log onto the internet because it seems all
my network connections have been deleted?

Any advice????
-----Original Message-----


No.

Perhaps you have Sasser.
What You Should Know About the Sasser Worm and Its Variants
http://www.microsoft.com/security/incident/sasser.asp
Microsoft has updated the cleanup tool for
Click to expand...
W32.Sasser.worm to remove the C
 
Back
Top