Solved

Thin clients rebooting - error 26 - system shutting down in 45 seconds

Posted on 2006-06-30
34
1,390 Views
Last Modified: 2008-01-09
Users on thin clients are getting this message, and then their thin-client terminal reboots.
This is the message in the event log of the server (Windows Server 2003, Standard Edition, SP1):

Event Type:      Information
Event Source:      Application Popup
Event Category:      None
Event ID:      26
Date:            6/30/2006
Time:            11:24:30 AM
User:            N/A
Computer:      TS03
Description:
Application popup: System Shutdown : The system is shutting down.  Please save all work in progress and log off.  Any unsaved changes will be lost.  This shutdown was initiated by NT AUTHORITY\SYSTEM.  Shutdown will begin in 42 seconds.  Shutdown message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Please help
0
Question by:altaonemis
34 Comments
 
LVL 4

Expert Comment

by:KellyCraig
Sounds to me as though someone with admin rights on those machines is issuing shutdown commands remotely, pointed at those machines.

cmd.exe
--
shutdown -s -f -t 42 -m \\servername
0
 
LVL 87

Expert Comment

by:rindi
Could also be a virus like Blaster etc. on your server. Does the same happen while working directly on the server? Have you checked it thoroughly for malware?
0
 
LVL 69

Expert Comment

by:Merete
You may have the Blaster worm.
If your computer is infected, you may see this error message.

If your system is shutting down >>Shutdown will begin in 42 seconds<<

Follow these steps to stop the cycle. Then proceed to Step 2 to remove the worm.

To end the Blaster worm process

1. Press CTRL+ALT+DELETE.
2. Click the Task Manager button.
3. Click the Processes tab.
4. Click the Image Name column heading to sort the processes alphabetically by name.
5. Look for a process named Msblast.exe. If you find it, click the name to select the process, and then click the End Process button.
6. Close the Task Manager.

Check For and Remove Blaster

Use the Microsoft Windows Malicious Software Removal Tool to search your hard disk for and remove Blaster variants.

Protect Your PC

To help secure your computer against Blaster and other threats on the Internet, follow our Protect Your PC guidance to set up a firewall, get software updates, and use up-to-date antivirus software.

What You Should Know About Blaster
 http://www.microsoft.com/security/incident/blast.mspx

Blaster removal tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

0
 
LVL 69

Expert Comment

by:Merete
Malicious Software Removal Tool
And live scan with download

http://www.microsoft.com/security/malwareremove/default.mspx
0
 
LVL 4

Expert Comment

by:KellyCraig
I suggest using this tool

http://www.windowsonecare.com/

It's free, has spyware, antivirus, file backups, even windows defender tools to let you see programs that run at startup, and programs running now, with admin tools to kill or manage them.

Great software.
0
 

Author Comment

by:altaonemis
I didn't see the MSblast.exe process running on my server. I'll scan for malware - but can it be something else, or is it malware for sure?
0
 
LVL 4

Expert Comment

by:KellyCraig
I would install OneCare or Windows Defender.
Let it run a full scan; if it's malware or spyware, it will find it, and OneCare will even tell you if it found a system error.
0
 
LVL 69

Expert Comment

by:Merete
altaonemis, if you see "Shutdown will begin in 42 seconds" then yes. Have a look above at my first post, where I provided the step by step,
and also at my link, as it illustrates it with a snap. If you see the same, use the removal tool designed for it.
Look here>>
What You Should Know About Blaster
 http://www.microsoft.com/security/incident/blast.mspx

Blaster removal tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

This OneCare is not for you unless you speak to the management there; it would have to replace your current antivirus and firewall.
You cannot have two programs of the same kind.
0
 
LVL 4

Expert Comment

by:KellyCraig
One piece of advice.

To abort a shutdown on a machine and or server
open the cmd.exe (Start-->run["cmd"]-->Return) as an Administrator on that machine/server

at prompt type "shutdown -a".
This will abort a current shutdown, 42 seconds is enough time.

However, that is a temp fix, you still need a solution
0
 
LVL 69

Expert Comment

by:Merete
Thanks Kelly, already suggested that. But it never hurts to repeat it.
Cheers Merete
0
 

Author Comment

by:altaonemis
I ran the Malicious Software Removal Tool on my server and did a live scan on my server:
http://www.microsoft.com/security/malwareremove/default.mspx

but nothing came out as infected. So it shows that I don't have blaster worm. Any other ideas that could be helpful?

Thanks,
Abhi

0
 
LVL 4

Expert Comment

by:KellyCraig
Yes.
Please try this command on a remote machine with an account on it that has admin permission on the server.
Then compare the event log system message in System with the error you gave us.
Then tell us if they match.

As Admin for Server on a diff machine.
(Start-->run["cmd"]-->Ok)
in cmd.exe type
"shutdown -s -f -t 42 -m \\servername"

replacing servername of course with the real name.

I know this sounds silly, but I want to rule out human error.
0
 
LVL 4

Expert Comment

by:KellyCraig
PS:
As I understand it.
RPC (Remote Procedure Call) is tied directly to internet activity.
It is used when GUI based web browsers want to access the internet, so no matter what, don't disable RPC.

I quote from http://pub2.bravenet.com/forum/147685506/show/224512
"---
A buffer overrun is the cause of an issue affecting many versions of Windows to include NT, 2000, XP and 2003. The main indication of this is a 60 second shutdown counter just after connecting to the internet or "right after" an attack attempt. "Strange" network activity while you are not downloading or surfing is another key factor.
"--

Now you could try and follow directions on that page, but I think you are already up to date on your patches; if not, I'll smack you.

So, I kept on googling that error.
Again, I found reference to the ever so famous Blaster worm.
http://8help.osu.edu/1383.html

Note: Just because Norton or others say it isn't there, doesn't mean it isn't.
Please install that patch anyways.


Moving on.
More googling ensued.
Then I found this.
http://supcontent.gateway.com/support.gateway.com/s/issues/2-976684501-01.gif

If that is exactly how your error message looks, then there are three possibilities.

a. you blew us off with the Blaster thing
b. you actually ran the specific Blaster removal patch and it still is happening, leading to
  1. there is a new Blaster worm, changed to avoid the patch (very very very unlikely)
  2. your RPC service executable was damaged somehow and requires repair.
c. the ghosts of Christmas past are playing with you O.o

I am going to have to say it's most likely option a or b.
If you want to replace your executable, simply pop in an XP SP2 disc and use the recovery console.

Also, check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for any odd programs in your reg.
That's just common sense.

Last, but not least.
If you have changed your computer name manually lately, had a major DNS change, or been toying with your manual IP configuration, revert it; that can also cause this in rare instances.

And to take my leave,
I reallllly realllly realllly hope I'm stretching way out on a limb here.
However, I've seen a lot.
If you have LimeWire or Kazaa or any of that crap on the machine, take it the hell off; that causes this sometimes as well.

Really, don't take this as a mean or rude post.
Sincerely,
Kelly
0
 
LVL 69

Expert Comment

by:Merete
altaonemis, running them does nothing for the Blaster worm; it is simply not enough. Please run HouseCall from Trend:
http://housecall.trendmicro.com/
The Blaster worm is so notorious it has over 2000 variants, yes I have typed it correctly. You cannot afford to not run this scan; for the time it takes to do this compared to trying to fix it, you must eliminate this very high possibility ASAP. You could spread it to the entire server.
>>Look here, it shows the "PICTURE" of the NT Authority system shutting down in 45 secs..... is this what you are seeing??
Please let us know. I am so sure that you have this and there is no point in trying anything else until you run a decent trojan scanner.
What You Should Know About Blaster
 http://www.microsoft.com/security/incident/blast.mspx

Blaster removal tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html




I found a couple of references, but you'll have to decide if these fit.

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Description:
Application popup: Service Control Manager : At least one service or driver failed during system startup. Use Event Viewer to examine the event log for details.
CAUSE
Active Directory requires the Kerberos Key Distribution Center service for authentication. The symptoms that are described earlier in this article may occur if the Kerberos Key Distribution Center service is disabled.
RESOLUTION
To turn on the Kerberos Key Distribution Center service:
1. Click Start, point to Programs, click Administrative Tools, and then click Services.
2. In the list of services, double-click Kerberos Key Distribution Center.  
3. Change the Startup Type setting to Automatic.
4. Click OK.
5. Restart the server.
==================================================================
Basic Overview of Kerberos User Authentication Protocol in Windows 2000
http://support.microsoft.com/kb/217098/EN-US/
0
 
LVL 7

Expert Comment

by:imacgouf
Though you found no blaster etc
Just for information read this
http://www.thin-world.com/826955.htm

Symptoms of Infection
If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

    * You may receive the following error messages:
      The Remote Procedure Call (RPC) service terminated unexpectedly.
      The system is shutting down. Please save all work in progress and log off.
      Any unsaved changes will be lost.
      This shutdown was initiated by NT AUTHORITY\SYSTEM.
    * The computer may shut down, or may restart repeatedly, at random intervals.
    * On a Windows XP-based or on a Windows Server 2003-based computer, a dialog box may appear that gives you the option to report the problem to Microsoft. After you submit the error report, the following Microsoft Web page may be shown on your computer:

      http://oca.microsoft.com/en/response.asp?sid=699
    * If you are using Windows 2000 or Windows NT, you may receive a "Stop" error message on a blue screen.
    * You may find a file that is named Msblast.exe, Nstask32.exe, Penis32.exe, Teekids.exe, Winlogin.exe, Win32sockdrv.dll, or Yuetyutr.dll in the Windows\System32 folder.
    * You may find unusual TFTP* files on your computer.
0
 
LVL 69

Expert Comment

by:Merete
There are 2000 known variants of it, as I mentioned above. Unreal, hey.
0
 

Author Comment

by:altaonemis
Hi,
Thank you very much for your valuable suggestions. I have updated my server with the patch besides running all the scanning tools to find if there is any worm on the server. Though I haven't found any, I haven't got any call from any user being booted out. So I'll wait for some more time to hear from users if anybody connecting through a thin client gets booted out after getting that pop-up message.

Thanks,
Abhi
0
 

Author Comment

by:altaonemis
It happened again today - Earlier server never rebooted - only thin clients connected to the server used to reboot - but this morning, server rebooted as well along with the thin clients. I am running a trend micro virus scan again to see if there is any worm still on the server.

Abhi
0
 
LVL 69

Expert Comment

by:Merete
Gee, it does seem to point to that.
Well there is also the removal tool
Blaster removal tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
0
 

Author Comment

by:altaonemis
I have tried this tool but it shows that there is no worm on the server.
I scanned the server with Trend Micro and McAfee, and ran the Windows Malicious Software Removal Tool; they all reported that there is no worm.
Running out of ideas as to what to do.
0
 
LVL 69

Expert Comment

by:Merete
Beats me, OK.
This error is on one machine >>Computer: TS03<<, is this the server?
More events would also help.

Can you take a snapshot of the error and paste it in your own FTP or a place you can store snaps,
or paste it here:
http://www.ee-stuff.com/  just follow the prompts, upload your snap, add this URL to that snap
http://www.experts-exchange.com/Operating_Systems/Q_21905187.html#17074782
then copy that URL back here.

No domain controller issues?
Any computers set to go into hibernation mode?
0
 

Author Comment

by:altaonemis
Hi Merete,
This is the error that I see in the System events on the server. Users connected to this server via thin clients see this message pop up and then their thin-client machine reboots. This server is a Windows 2003 server, Standard Edition; it is a member server in our domain, and there is no issue of hibernation mode.

Event Type:      Information
Event Source:      Application Popup
Event Category:      None
Event ID:      26
Date:            7/7/2006
Time:            12:23:22 PM
User:            N/A
Computer:      TS03
Description:
Application popup: System Shutdown : The system is shutting down.  Please save all work in progress and log off.  Any unsaved changes will be lost.  This shutdown was initiated by NT AUTHORITY\SYSTEM.  Shutdown will begin in 42 seconds.  Shutdown message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
LVL 69

Expert Comment

by:Merete
altaonemis I have looked thru all the NT authority errors and came across this one>
Windows - Remote Procedure Call Service Terminated
SYMPTOM
Shortly after booting into windows you receive the following error:
This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT Authority/system.
Message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

CAUSE
This error message is due to a buffer overrun vulnerability on Windows NT 4.0, 2000, XP, and Server 2003. The RPC service that runs on these systems does not properly check message inputs under certain circumstances. For more detailed information regarding this vulnerability see Microsoft Security Bulletin MS03-010. https://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-010.asp

Note: If an attacker is able to successfully exploit this vulnerability they could gain complete control over a remote computer. This would give the attacker the ability to take any action on the system that they want. For example, an attacker could change web pages, reformat the hard disk, and / or add new users to the local administrators group.

SOLUTION
To resolve this issue in Windows 2000 and XP you will need to perform the following steps:

Change the settings for the Remote Procedure Call (RPC) Service in order to connect to the internet without the computer shutting down
Note: This does not work in every case.
To change these settings you will need to perform the following:


Right-click the My Computer icon on the Windows desktop or in the Start menu.
Select Manage. The Computer Management window will open.
In the left pane, double-click on Services and Applications.
Select Services and a list of services should appear.
In the right pane, locate the Remote Procedure Call (RPC) service, it will have a Status of "Started".
Note: This will be the first in a listing of two Remote Procedure Call (RPC) services.


Right-click on the first Remote Procedure Call (RPC) service listed.
Select Properties.
Select the Recovery tab.
Using the drop-down lists, change First failure, Second failure, and Subsequent failures from Restart the Computer to Take No Action.
Click on Apply and then OK.
CAUTION: Make sure that you change these settings back after completing the final step to remove the worm.


Verify which service packs have been applied as well as which version of Windows you are running. To do this:

Right-click My Computer on the desktop.
Select Properties. Operating system information will be listed in the window that comes up. This will include what version of the operating system is running as well as what service packs have been applied to it.
The following service packs need to be applied right away:
Note: The service pack version will depend on what operating system you have on your computer.


If you are running Windows XP version 2002, Service Pack 1 will need to be installed. If this has not been applied to your system you can obtain it by doing one of the following:


If you are on campus, are connecting through our modem pool, or are accessing the campus network through WiscVPN, this can be downloaded from the Electronic Shelf at http://shelf.doit.wisc.edu/PC/WinXP-Fix/xpsp1.
If you connect through DSL, cable modem and / or another internet service provider this can be downloaded from https://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1. Be sure to select the Express Installation.



If you are running Windows 2000, you must have at the minimum, Service Pack 2 applied. Please note that Microsoft no longer supports this version and newer service packs such as service pack 3 and 4 are recommended and preferred. If this has not been applied to your system you can obtain it by doing one of the following:


If you are on campus or are connecting through our modem pool service packs 3 and 4 can be downloaded from the Electronic Shelf at http://shelf/PC/W2k-Fix
If you connect through DSL, cable modem and/or another internet service provider this can be downloaded from Windows 2000 Service Packs.



After performing the above and verifying the required service pack is in place the Patch can be applied.

Information and download links for your version of windows can be found at Microsoft Security Bulletin MS03-039.mspx.

Removal of W32.Blaster.Worm
After all of the steps listed above have been completed you will need to obtain and run the W32.Blaster.Worm Removal Tool that Symantec has made available. Be sure to read through removal instructions before running the removal tool.


--------------------------------------------------------------------------------
Things to consider:


You will want to verify that all viruses have been removed from the system. Update your virus definitions and run a full system scan. If you do not have a virus scanner installed, Symantec has made an online scanner available. This can be accessed by going to Symantec Security Check and clicking on the Start button located below Virus Detection.


Be sure to change the settings back for the Remote Procedure Call (RPC) Service. This will need to be changed back from Take No Action to Restart the Computer.

--------------------------------------------------------------------------------

Information adapted from Microsoft and Symantec Antivirus Research Center (SARC).
http://helpdesk.wisc.edu/page.php?id=2048

good Luck hope it helps.
Merete
0
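Kelly's test above (run shutdown -s -f -t 42 -m \\servername from another box and compare the resulting event with the one you posted) and the helpdesk article just pasted (the RPC service's Recovery tab set to "Restart the Computer") describe the two non-malware explanations for this popup. What distinguishes them in the System log is the text of the events around the Event ID 26 popup: an operator shutdown is stamped with the calling account, while a service-crash reboot comes from NT AUTHORITY\SYSTEM and is preceded by a Service Control Manager Event 7031 naming the service and the corrective action. The script below is an added example for this thread (not code from any of the posts or from Microsoft) that parses those descriptions and classifies each popup. It assumes the Event 26 text is in the format quoted in the question and the 7031 text is the standard SCM one; the sample records at the bottom are constructed, with made-up times and a made-up account name. Note that it cannot tell a Blaster-induced RPC crash from any other RPC crash, since both leave the same 7031 and the same popup.

```python
"""Classify Event ID 26 "System Shutdown" popups by their cause, using the
text of the System-log events recorded around them.  Added example; the
sample events below are constructed (times, host and account made up)."""
import re
from datetime import datetime, timedelta

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# Variable parts of the Event 26 popup quoted in the thread: initiator,
# countdown, and the optional trailing "Shutdown message".
POPUP_RE = re.compile(
    r"This shutdown was initiated by (?P<initiator>.+?)\.\s+"
    r"Shutdown will begin in (?P<seconds>\d+) seconds\."
    r"(?:\s+Shutdown message: (?P<message>.*))?\s*$",
    re.DOTALL,
)

# Service Control Manager Event 7031.  <action> is whatever the service's
# Recovery tab is set to; "Reboot the machine" corresponds to the
# "Restart the Computer" setting the helpdesk article tells you to change.
SCM_7031_RE = re.compile(
    r"The (?P<service>.+?) service terminated unexpectedly\.\s+"
    r"It has done this (?P<count>\d+) time\(s\)\.\s+"
    r"The following corrective action will be taken in (?P<delay_ms>\d+) "
    r"milliseconds: (?P<action>.+?)\.?\s*$"
)


def parse_popup(description):
    """Initiator, countdown and message from an Event 26 description, or None."""
    m = POPUP_RE.search(description)
    if m is None:
        return None
    return {"initiator": m.group("initiator").strip(),
            "seconds": int(m.group("seconds")),
            "message": (m.group("message") or "").strip()}


def parse_scm_crash(description):
    """Service, crash count and recovery action from an Event 7031, or None."""
    m = SCM_7031_RE.search(description)
    if m is None:
        return None
    return {"service": m.group("service"), "count": int(m.group("count")),
            "delay_ms": int(m.group("delay_ms")), "action": m.group("action")}


def classify_shutdowns(events, window=timedelta(minutes=5)):
    """Return (event, verdict) for each Event 26 System Shutdown popup.

    operator_shutdown:<account>  initiated by an account other than SYSTEM
                                 (shutdown.exe -m from another host, or a
                                 logged-on admin), so not a service crash
    rpc_crash_recovery_reboot    SYSTEM + RPC message, with a 7031 for the
                                 RPC service and a reboot action shortly before
    rpc_crash_no_scm_record      RPC message but no matching 7031 in window
    system_initiated_other       SYSTEM, some other reason text
    """
    crashes = []
    for e in events:
        if e["source"] == "Service Control Manager" and e["id"] == 7031:
            c = parse_scm_crash(e["description"])
            if c is not None:
                crashes.append((e["time"], c))

    results = []
    for e in events:
        if not (e["source"] == "Application Popup" and e["id"] == 26):
            continue
        p = parse_popup(e["description"])
        if p is None:
            continue  # some other Application Popup, not a shutdown notice
        if p["initiator"].upper() != SYSTEM_ACCOUNT:
            results.append((e, "operator_shutdown:" + p["initiator"]))
            continue
        if "Remote Procedure Call (RPC)" not in p["message"]:
            results.append((e, "system_initiated_other"))
            continue
        matching = [c for (t, c) in crashes
                    if "Remote Procedure Call" in c["service"]
                    and c["action"].lower().startswith("reboot")
                    and timedelta(0) <= e["time"] - t <= window]
        results.append((e, "rpc_crash_recovery_reboot" if matching
                        else "rpc_crash_no_scm_record"))
    return results


# Constructed sample: an RPC crash with the reboot recovery action, the popup
# it produces, and later a popup from an assumed remote shutdown.exe run.
T0 = datetime(2006, 6, 30, 11, 23, 28)
SAMPLE_EVENTS = [
    {"time": T0, "source": "Service Control Manager", "id": 7031,
     "description": "The Remote Procedure Call (RPC) service terminated unexpectedly.  "
                    "It has done this 1 time(s).  The following corrective action will "
                    "be taken in 60000 milliseconds: Reboot the machine."},
    {"time": T0 + timedelta(seconds=62), "source": "Application Popup", "id": 26,
     "description": "Application popup: System Shutdown : The system is shutting down.  "
                    "Please save all work in progress and log off.  Any unsaved changes "
                    "will be lost.  This shutdown was initiated by NT AUTHORITY\\SYSTEM.  "
                    "Shutdown will begin in 42 seconds.  Shutdown message: Windows must "
                    "now restart because the Remote Procedure Call (RPC) service "
                    "terminated unexpectedly."},
    {"time": T0 + timedelta(hours=2), "source": "Application Popup", "id": 26,
     "description": "Application popup: System Shutdown : The system is shutting down.  "
                    "Please save all work in progress and log off.  Any unsaved changes "
                    "will be lost.  This shutdown was initiated by CORP\\kcraig.  "
                    "Shutdown will begin in 42 seconds."},
]

if __name__ == "__main__":
    for e, verdict in classify_shutdowns(SAMPLE_EVENTS):
        print(e["time"].strftime("%Y-%m-%d %H:%M:%S"), verdict)
```

Feed it the real records (source, ID, time and description of every Event 26 and Event 7031 from the System log on TS03) and the verdict tells you which branch of the thread applies: an operator_shutdown verdict means someone or something with admin rights is calling shutdown.exe against the box, while rpc_crash_recovery_reboot means the RPC service really is dying and the reboot is its own configured recovery action, which is the case the Blaster and patch discussion is about.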
 

Author Comment

by:altaonemis
Thanks a lot Merete for this detailed information.
I have checked that, but my server is a Windows 2003 server and I have updated this server with the latest patches. I have even scanned this server with the Trend Micro online scan tool, the Symantec Blaster worm removal tool, and the Windows Malicious Software Removal Tool, but still nothing is detected.

Abhi
0
 
LVL 69

Expert Comment

by:Merete
Hello Abhi, good to hear from you, well my friend I think we have hit a standstill.
Event Source: Application Popup<< and an NT popup it is;
everything points to some kind of malware.
The source: if we could find the source of this, that would help.
Really the best option for intense deep scans is offline and in safe mode, disconnected from all other computers, if you want any hope of finding it.

I have a couple of small tools to offer see if we can find the source.
first one>Active Ports - easy to use tool that enables you to monitor all open TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to close any port. Active Ports can help you to detect trojans and other malicious programs.
http://www.snapfiles.com/get/activeports.html

second one>Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you’ll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
http://www.sysinternals.com/Utilities/ProcessExplorer.html

third one, just in case you can use it.>Command Line Process Viewer/Killer/Suspender
for Windows NT/2000/XP
http://www.beyondlogic.org/solutions/processutil/processutil.htm


0
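The first of the tools Merete lists above, Active Ports, does one thing: it maps every open port to the process that owns it, so an unexpected listener stands out. The same mapping can be built from two commands that ship with Windows XP and Server 2003, netstat -ano (which prints the owning PID per socket) and tasklist /FO CSV (PID to image name). The script below is an added example for this thread, not code from Active Ports, Process Explorer or any post; it parses the text those two commands print and flags any listener owned by one of the image names imacgouf's post quotes as Blaster artefacts. Both command outputs embedded in it are constructed samples in the real formats, with made-up PIDs and addresses; the sample's suspicious process listens on TCP 4444 and on UDP 69, the TFTP port, which matches the "unusual TFTP files" symptom quoted above.

```python
"""Map listening sockets to their owning process image from 'netstat -ano'
and 'tasklist /FO CSV' output, and flag images on a watch list.  Added
example; the two outputs below are constructed samples, not real captures."""
import csv
import io
import re

# File names the thread quotes as possible Blaster artefacts in System32.
BLASTER_IMAGE_NAMES = {
    "msblast.exe", "nstask32.exe", "penis32.exe", "teekids.exe",
    "winlogin.exe", "win32sockdrv.dll", "yuetyutr.dll",
}

# One 'netstat -ano' row: proto, local, foreign, optional state (UDP rows
# have none), then the owning PID.  Header and blank lines do not match.
NETSTAT_ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_tasklist_csv(text):
    """PID -> image name from 'tasklist /FO CSV' output (quoted CSV with header)."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def listening_sockets(netstat_text, tasklist_text):
    """Return [{proto, port, pid, image}] for TCP LISTENING rows and all
    UDP rows (bound UDP sockets are listeners; netstat shows no state)."""
    images = parse_tasklist_csv(tasklist_text)
    sockets = []
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW_RE.match(line)
        if m is None:
            continue
        proto, pid = m.group("proto"), int(m.group("pid"))
        if proto == "TCP" and m.group("state") != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT rows are not listeners
        port = int(m.group("local").rsplit(":", 1)[1])  # works for [::]:135 too
        sockets.append({"proto": proto, "port": port, "pid": pid,
                        "image": images.get(pid, "<unknown pid>")})
    return sockets


def flag_watched_images(sockets, watch=BLASTER_IMAGE_NAMES):
    """Listeners whose owning image name is on the watch list (case-insensitive)."""
    return [s for s in sockets if s["image"].lower() in watch]


# Constructed 'netstat -ano' output: RPC endpoint mapper and Terminal
# Services listening normally, plus an assumed rogue process on 4444/69.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2212
  TCP    10.0.0.5:3389          10.0.0.77:1189         ESTABLISHED     1120
  UDP    0.0.0.0:69             *:*                                    2212
"""

# Constructed 'tasklist /FO CSV' output for the same (made-up) PIDs.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","884","Console","0","5,212 K"
"svchost.exe","1120","Console","0","8,004 K"
"msblast.exe","2212","Console","0","1,340 K"
"""

if __name__ == "__main__":
    listeners = listening_sockets(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for s in listeners:
        print("%-3s %5d  pid %-5d %s" % (s["proto"], s["port"], s["pid"], s["image"]))
    for s in flag_watched_images(listeners):
        print("WATCH-LIST HIT:", s)
```

On the real server, run netstat -ano and tasklist /FO CSV from an elevated command prompt, save each to a file, and pass the file contents to listening_sockets; every listener whose image you cannot account for (not just the ones on the watch list) is worth opening in Process Explorer to see which DLLs and handles it holds, which is the second tool Merete suggests.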
 
LVL 69

Accepted Solution

by:
Merete earned 50 total points
What is a Rootkit?
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender
http://www.sysinternals.com/Utilities/RootkitRevealer.html

Rootkits are powerful tools to compromise computer systems without detection. Learn why virus scanners and desktop firewalls are not enough. Learn how attackers can get in and stay in for years, without detection.
http://www.rootkit.com/
0
 

Author Comment

by:altaonemis
Thanks a lot for these valuable tools. I'll try this and will get back with a response.

Thank you,
Abhi
0
 
LVL 69

Expert Comment

by:Merete
Thanks, hope it helps; something has to work :D
0
 
LVL 69

Expert Comment

by:Merete
We have kind of hit a standstill with no feedback. I have no idea if the rootkit tools helped him, even though he was pretty happy with the tools.

Comment from altaonemis
Date: 07/20/2006 03:35AM EST
 Author Comment  
Thanks a lot for these valuable tools. I'll try this and will get back with a response.

Thank you,
Abhi
0
 
LVL 69

Expert Comment

by:Merete
altaonemis
we tried to reach you.
It was my pleasure if I was able to assist you  in anyway.
Thank you too rindi
regards Merete
0
