Solved

RPC Error and then windows shuts down after 60 secs

Posted on 2004-04-26
5
294 Views
Last Modified: 2013-12-04
RPC Error and then windows shuts down after 60 secs is this the root cause of the virus? if so please tell me a way to stop it
0
Comment
Question by:japh55
5 Comments
 
LVL 44

Accepted Solution

by:
CrazyOne earned 125 total points
ID: 10917977
It is a worm that causes this problem

What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

first do this

Start > Run services
Double Click on Remote Procedure Call (RPC)
Click the Recovery tab
Set all three failure boxes to "Take No Action"

Then open the task manager Start > Run taskmgr and under the Processes tab look for msblaster.exe and if you find it end the task.

then

Removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Download
http://securityresponse.symantec.com/avcenter/FixBlast.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applicaitons listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch you computer against the DCOM RPC vulnerability.

Click here http://securityresponse.symantec.com/avcenter/security/Content/8205.html for more information on the vulnerability being exploited by this worm and to find out which Symantec products can help mitigate risk from this vulnerability

Restarting the computer in Safe mode or ending the Worm process
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry, http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617 " for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"

Exit the Registry Editor.


Now apply the patch
0
 
LVL 2

Assisted Solution

by:JBinRI
JBinRI earned 125 total points
ID: 10921364
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10923830
All those tools will remove it, but if you are using Xp or WinME you MUST turn off system restore to get rid of it for good...
http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm (turn off sys restore)
http://vil.nai.com/vil/stinger/ A FREE standalone util that will scan your PC for lot's of the latest viri. You still must patch your systems, and get an antivirus solution or a good firewall lik ZoneAlarm. After turning off sys restore, scan with Stinger.exe, then eradicate the viri you have, then visit windows update and get patched...
http://www.microsoft.com/security/incident/blast.asp
-rich
0

Featured Post

Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

Join & Write a Comment

Suggested Solutions

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now