altaonemis (United States of America)

asked on

Thin clients rebooting - error 26 - system shutting down in 45 seconds

Users on thin clients are getting this message, and then their thin client terminal reboots.
This is the message in the event log of the server (Windows 2003 Server, Standard Edition, SP1):

Event Type:      Information
Event Source:      Application Popup
Event Category:      None
Event ID:      26
Date:            6/30/2006
Time:            11:24:30 AM
User:            N/A
Computer:      TS03
Description:
Application popup: System Shutdown : The system is shutting down.  Please save all work in progress and log off.  Any unsaved changes will be lost.  This shutdown was initiated by NT AUTHORITY\SYSTEM.  Shutdown will begin in 42 seconds.  Shutdown message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Please help
KellyCraig

Sounds to me as though someone with admin rights on those machines is issuing shutdown commands remotely, pointed at those machines.

cmd.exe
--
shutdown -s -f -t 42 -m \\servername
rindi
Could also be a virus like Blaster etc. on your server. Does the same happen while working directly on the server? Have you checked it thoroughly for malware?
you may have the blaster worm.
If your computer is infected, you may see this error message.

If your system is shutting down (>>Shutdown will begin in 42 seconds<<), follow these steps to stop the cycle. Then proceed to Step 2 to remove the worm.

To end the Blaster worm process

1. Press CTRL+ALT+DELETE.
2. Click the Task Manager button.
3. Click the Processes tab.
4. Click the Image Name column heading to sort the processes alphabetically by name.
5. Look for a process named Msblast.exe. If you find it, click the name to select the process, and then click the End Process button.
6. Close the Task Manager.

Check For and Remove Blaster

Use the Microsoft Windows Malicious Software Removal Tool to search your hard disk for and remove Blaster variants.

Protect Your PC

To help secure your computer against Blaster and other threats on the Internet, follow our Protect Your PC guidance to set up a firewall, get software updates, and use up-to-date antivirus software.

What You Should Know About Blaster
http://www.microsoft.com/security/incident/blast.mspx

Blaster removal tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Malicious Software Removal Tool
And live scan with download

http://www.microsoft.com/security/malwareremove/default.mspx
I suggest using this tool

http://www.windowsonecare.com/

It's free, has spyware, antivirus, file backups, even Windows Defender tools to let you see programs that run at startup, and programs running now, with admin tools to kill or manage them.

Great software.
altaonemis (ASKER)

I didn't see the MSblast.exe process running on my server. I'll scan for malware, but can it be something else, or is it malware for sure?
I would install OneCare or Windows Defender.
Let it run a full scan; if it's malware or spyware, it will find it, and OneCare will even tell you if it found a system error.
altaonemis, if you see the "Shutdown will begin in 42 seconds" then yes. Have a look above at my first post; I provided the step by step,
also at my link, as it illustrates it with a snap. If you see the same, use the removal tool designed for it.
Look here>>
What You Should Know About Blaster
 http://www.microsoft.com/security/incident/blast.mspx

Blaster removal tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

This OneCare is not for you unless you speak to the management there; it would have to replace your current antivirus and firewall.
You cannot have two programs of the same kind.
One piece of advice.

To abort a shutdown on a machine and/or server,
open cmd.exe (Start-->Run["cmd"]-->Return) as an Administrator on that machine/server.

At the prompt type "shutdown -a".
This will abort a current shutdown; 42 seconds is enough time.

However, that is a temporary fix; you still need a solution.
Thanks, Kelly already suggested that. But it never hurts to repeat it.
Cheers Merete
I ran this on my server:
Malicious Software Removal Tool
And did a live scan on my server
http://www.microsoft.com/security/malwareremove/default.mspx

but nothing came out as infected. So it shows that I don't have the Blaster worm. Any other ideas that could be helpful?

Thanks,
Abhi

Yes.
Please try this command on a remote machine with an account on it that has admin permission on the server.
Then compare the event log system message in System with the error you gave us.
Then tell us if they match.

As Admin for Server on a different machine.
(Start-->run["cmd"]-->Ok)
in cmd.exe type
"shutdown -s -f -t 42 -m \\servername"

replacing servername of course with the real name.

I know this sounds silly, but I want to rule out human error.
PS:
As I understand it.
RPC (Remote Procedure Calling) is tied directly to internet activity.
It is used when GUI based web browsers want to access the internet, so no matter what, don't disable RPC.

I quote from http://pub2.bravenet.com/forum/147685506/show/224512
"---
A buffer overrun is the cause of an issue affecting many versions of Windows to include NT, 2000, XP and 2003. The main indication of this is a 60 second shutdown counter just after connecting to the internet or "right after" an attack attempt. "Strange" network activity while you are not downloading or surfing is another key factor.
"--

Now you could try and follow directions on that page, but I think you are already up to date on your patches; if not, I'll smack you.

So, I kept on googling that error.
Again, I found reference to the ever so famous Blaster worm.
http://8help.osu.edu/1383.html

Note: Just because Norton or others say it isn't there doesn't mean it isn't.
Please install that patch anyway.


Moving on.
More googling ensued.
Then I found this.
http://supcontent.gateway.com/support.gateway.com/s/issues/2-976684501-01.gif

If that is exactly how your error message looks, then there are three possibilities.

a. you blew us off with the Blaster thing
b. you actually ran the specific Blaster removal patch and it still is happening, leading to
  1. there is a new Blaster worm, changed to avoid the patch (very very very unlikely)
  2. your RPC service executable was damaged somehow and requires repair.
c. the ghosts of Christmas past are playing with you O.o

I am going to have to say it's most likely option a or b.
If you want to replace your executable, simply pop in an XP SP2 disc and use the recovery console.

Also, check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for any odd programs in your registry.
That's just common sense.

Last, but not least.
If you have changed your computer name manually lately, had a major DNS change, or been toying with your manual IP configuration, revert it; that can also cause this in rare instances.

And to take my leave,
I reallllly realllly realllly hope I'm stretching way out on a limb here.
However, I've seen a lot.
If you have Limewire or Kazaa or any of that crap on the machine, take it the hell off; that causes this sometimes as well.

Really, don't take this as a mean or rude post.
Sincerely,
Kelly
altaonemis, running them does nothing for the Blaster worm; it is simply not enough. Please run HouseCall from Trend,
http://housecall.trendmicro.com/
The Blaster worm is so notorious it has over 2000 variants, yes I have typed it correctly.. you cannot afford to not run this scan; for the time it takes to do this compared to trying to fix it, you must eliminate this very high possibility ASAP. You could spread it to the entire server.
>>Look here, it shows the "PICTURE" of the NT authority system shutting down in 45 secs..... is this what you are seeing??
Please let us know.. I am so sure that you have this, and there is no point in trying anything else until you run a decent trojan scanner.
What You Should Know About Blaster
 http://www.microsoft.com/security/incident/blast.mspx

Blaster removal tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

I found a couple of references, but you'll have to decide if these fit.

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Description:
Application popup: Service Control Manager : At least one service or driver failed during system startup. Use Event Viewer to examine the event log for details.
CAUSE
Active Directory requires the Kerberos Key Distribution Center service for authentication. The symptoms that are described earlier in this article may occur if the Kerberos Key Distribution Center service is disabled.
RESOLUTION
To turn on the Kerberos Key Distribution Center service:
1. Click Start, point to Programs, click Administrative Tools, and then click Services.
2. In the list of services, double-click Kerberos Key Distribution Center.  
3. Change the Startup Type setting to Automatic.
4. Click OK.
5. Restart the server.
==================================================================
Basic Overview of Kerberos User Authentication Protocol in Windows 2000
http://support.microsoft.com/kb/217098/EN-US/
Though you found no Blaster etc.,
just for information read this:
http://www.thin-world.com/826955.htm

Symptoms of Infection
If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

    * You may receive the following error messages:
      The Remote Procedure Call (RPC) service terminated unexpectedly.
      The system is shutting down. Please save all work in progress and log off.
      Any unsaved changes will be lost.
      This shutdown was initiated by NT AUTHORITY\SYSTEM.
    * The computer may shut down, or may restart repeatedly, at random intervals.
    * On a Windows XP-based or on a Windows Server 2003-based computer, a dialog box may appear that gives you the option to report the problem to Microsoft. After you submit the error report, the following Microsoft Web page may be shown on your computer:

      http://oca.microsoft.com/en/response.asp?sid=699
    * If you are using Windows 2000 or Windows NT, you may receive a "Stop" error message on a blue screen.
    * You may find a file that is named Msblast.exe, Nstask32.exe, Penis32.exe, Teekids.exe, Winlogin.exe, Win32sockdrv.dll, or Yuetyutr.dll in the Windows\System32 folder.
    * You may find unusual TFTP* files on your computer.
There are 2000 known variants of it, as I mentioned above. Unreal, hey.
Hi,
Thank you very much for your valuable suggestions. I have updated my server with the patch besides running all the scanning tools to find if there is any worm on the server. Though I haven't found any, I haven't got any call from any user being booted out. So I'll wait for some more time to hear from users if anybody connecting through a thin client gets booted out after getting that pop-up message.

Thanks,
Abhi
It happened again today - Earlier server never rebooted - only thin clients connected to the server used to reboot - but this morning, server rebooted as well along with the thin clients. I am running a trend micro virus scan again to see if there is any worm still on the server.

Abhi
Gee, it does seem to point to that.
Well, there is also the removal tool:
Blaster removal tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
I have tried this tool, but it shows that there is no worm on the server.
I scanned the server with Trend Micro and McAfee, and ran the Windows Malicious Software Removal Tool; they all reported that there is no worm.
Running out of ideas as to what to do.
Beats me, ok.
This error is on one machine >>Computer: TS03<<, is this the server?
More events would also help.

Can you take a snapshot of the error and paste it in your own ftp or a place you can store snaps,
or paste here:
http://www.ee-stuff.com/  just follow the prompts, upload your snap, add this url to that snap
https://www.experts-exchange.com/questions/21905187/Thin-clients-rebooting-error-26-system-shutting-down-in-45-seconds.html#17074782
then copy that url back here.

No domain controller issues?
Any computers set to go into hibernation mode?
Hi Merete,
This is the error that I see in the System events on the server. Users connected to this server via thin clients see this message pop up, and then their thin-client machine reboots. This server is a Windows 2003 Server, Standard Edition; it is a member server in our domain, and there is no issue of hibernation mode.

Event Type:      Information
Event Source:      Application Popup
Event Category:      None
Event ID:      26
Date:            7/7/2006
Time:            12:23:22 PM
User:            N/A
Computer:      TS03
Description:
Application popup: System Shutdown : The system is shutting down.  Please save all work in progress and log off.  Any unsaved changes will be lost.  This shutdown was initiated by NT AUTHORITY\SYSTEM.  Shutdown will begin in 42 seconds.  Shutdown message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
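As an added example (not code from the thread or from any of the tools named in it), a small Python checker that parses Event Viewer records in the copy/paste layout posted above and counts, per computer, how many Event ID 26 popups are the SYSTEM-initiated RPC-crash forced reboot rather than some other Application Popup. SAMPLE_LOG is constructed for the example; repeated hits on one host are the pattern the thread is chasing.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in the Event Viewer copy/paste layout quoted in this thread:
# one RPC-crash forced reboot on TS03 and one unrelated Event ID 26 popup.
SAMPLE_LOG = r"""
Event Type:      Information
Event Source:      Application Popup
Event Category:      None
Event ID:      26
Date:            6/30/2006
Time:            11:24:30 AM
User:            N/A
Computer:      TS03
Description:
Application popup: System Shutdown : The system is shutting down.  Please save all work in progress and log off.  Any unsaved changes will be lost.  This shutdown was initiated by NT AUTHORITY\SYSTEM.  Shutdown will begin in 42 seconds.  Shutdown message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

Event Type:      Information
Event Source:      Application Popup
Event Category:      None
Event ID:      26
Date:            7/7/2006
Time:            08:00:00 AM
User:            N/A
Computer:      TS03
Description:
Application popup: Service Control Manager : At least one service or driver failed during system startup.
"""

FIELD_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
# The RPC-crash reboot popup: SYSTEM-initiated, with a countdown, citing the RPC service crash.
RPC_REBOOT_RE = re.compile(
    r"initiated by NT AUTHORITY\\SYSTEM.*?Shutdown will begin in (\d+) seconds.*?"
    r"Remote Procedure Call \(RPC\) service terminated unexpectedly", re.IGNORECASE)

def parse_records(text: str) -> List[Dict[str, str]]:
    """Split pasted Event Viewer text (records separated by blank lines) into dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        desc: List[str] = []
        in_desc = False
        for line in chunk.splitlines():
            line = line.strip()
            if in_desc:
                desc.append(line)          # everything after "Description:" is the message
            elif line == "Description:":
                in_desc = True
            else:
                m = FIELD_RE.match(line)
                if m:
                    rec[m.group(1)] = m.group(2).strip()
        rec["Description"] = " ".join(desc)
        if "Event ID" in rec:
            records.append(rec)
    return records

def rpc_reboot_countdown(rec: Dict[str, str]) -> Optional[int]:
    """Return the countdown (seconds) if this record is the RPC-crash forced reboot, else None."""
    if rec.get("Event ID") != "26" or rec.get("Event Source") != "Application Popup":
        return None
    m = RPC_REBOOT_RE.search(rec.get("Description", ""))
    return int(m.group(1)) if m else None

def rpc_reboots_by_host(text: str) -> Dict[str, int]:
    """Count RPC-crash reboots per Computer so repeats on one host stand out from one-off popups."""
    hits: Counter = Counter()
    for rec in parse_records(text):
        if rpc_reboot_countdown(rec) is not None:
            hits[rec.get("Computer", "?")] += 1
    return dict(hits)
```

Paste the exported System log text in place of SAMPLE_LOG; a host that keeps appearing in the count while the scanners report clean is the one to isolate and inspect offline, as Merete advises later in the thread.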
altaonemis, I have looked through all the NT AUTHORITY errors and came across this one:
Windows - Remote Procedure Call Service Terminated
SYMPTOM
Shortly after booting into windows you receive the following error:
This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT Authority/system.
Message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

CAUSE
This error message is due to a buffer overrun vulnerability on Windows NT 4.0, 2000, XP, and Server 2003. The RPC service that runs on these systems does not properly check message inputs under certain circumstances. For more detailed information regarding this vulnerability see Microsoft Security Bulletin MS03-010. https://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-010.asp

Note: If an attacker is able to successfully exploit this vulnerability they could gain complete control over a remote computer. This would give the attacker the ability to take any action on the system that they want. For example, an attacker could change web pages, reformat the hard disk, and / or add new users to the local administrators group.

SOLUTION
To resolve this issue in Windows 2000 and XP you will need to perform the following steps:

Change the settings for the Remote Procedure Call (RPC) Service in order to connect to the internet without the computer shutting down
Note: This does not work in every case.
To change these settings you will need to perform the following:

1. Right-click the My Computer icon on the Windows desktop or in the Start menu.
2. Select Manage. The Computer Management window will open.
3. In the left pane, double-click on Services and Applications.
4. Select Services and a list of services should appear.
5. In the right pane, locate the Remote Procedure Call (RPC) service, it will have a Status of "Started".
   Note: This will be the first in a listing of two Remote Procedure Call (RPC) services.
6. Right-click on the first Remote Procedure Call (RPC) service listed.
7. Select Properties.
8. Select the Recovery tab.
9. Using the drop-down lists, change First failure, Second failure, and Subsequent failures from Restart the Computer to Take No Action.
10. Click on Apply and then OK.

CAUTION: Make sure that you change these settings back after completing the final step to remove the worm.


Verify which service packs have been applied as well as which version of Windows you are running. To do this:

1. Right-click My Computer on the desktop.
2. Select Properties. Operating system information will be listed in the window that comes up. This will include what version of the operating system is running as well as what service packs have been applied to it.
The following service packs need to be applied right away:
Note: The service pack version will depend on what operating system you have on your computer.


If you are running Windows XP version 2002, Service Pack 1 will need to be installed. If this has not been applied to your system you can obtain it by doing one of the following:


If you are on campus, are connecting through our modem pool, or are accessing the campus network through WiscVPN, this can be downloaded from the Electronic Shelf at http://shelf.doit.wisc.edu/PC/WinXP-Fix/xpsp1.
If you connect through DSL, cable modem and / or another internet service provider this can be downloaded from https://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1. Be sure to select the Express Installation.



If you are running Windows 2000, you must have at the minimum, Service Pack 2 applied. Please note that Microsoft no longer supports this version and newer service packs such as service pack 3 and 4 are recommended and preferred. If this has not been applied to your system you can obtain it by doing one of the following:


If you are on campus or are connecting through our modem pool service packs 3 and 4 can be downloaded from the Electronic Shelf at http://shelf/PC/W2k-Fix 
If you connect through DSL, cable modem and/or another internet service provider this can be downloaded from Windows 2000 Service Packs.



After performing the above and verifying the required service pack is in place the Patch can be applied.

Information and download links for your version of windows can be found at Microsoft Security Bulletin MS03-039.mspx.

Removal of W32.Blaster.Worm
After all of the steps listed above have been completed you will need to obtain and run the W32.Blaster.Worm Removal Tool that Symantec has made available. Be sure to read through removal instructions before running the removal tool.


--------------------------------------------------------------------------------
Things to consider:


You will want to verify that all viruses have been removed from the system. Update your virus definitions and run a full system scan. If you do not have a virus scanner installed, Symantec has made an online scanner available. This can be accessed by going to Symantec Security Check and clicking on the Start button located below Virus Detection.


Be sure to change the settings back for the Remote Procedure Call (RPC) Service. This will need to be changed back from Take No Action to Restart the Computer.

--------------------------------------------------------------------------------

Information adapted from Microsoft and Symantec Antivirus Research Center (SARC).
http://helpdesk.wisc.edu/page.php?id=2048

Good luck, hope it helps.
Merete
Thanks a lot Merete for this detailed information.
I have checked that, but my server is a Windows 2003 server and I have updated this server with the latest patches. I have even scanned this server with the Trend Micro online scan tool, the Symantec Blaster worm removal tool, and the Windows malicious software tool, but still nothing is detected.

Abhi
Hello Abhi, good to hear from you. Well my friend, I think we have hit a standstill.
Event Source: Application Popup<< and NT popup it is,
everything points to some kind of malware.
The source, if we could find the source of this, that would help.
Really the best option for intense deep scans is offline and in safe mode, disconnected from all other computers, if you want any hope of finding it.

I have a couple of small tools to offer; see if we can find the source.
First one> Active Ports - easy to use tool that enables you to monitor all open TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to close any port. Active Ports can help you to detect trojans and other malicious programs.
http://www.snapfiles.com/get/activeports.html

Second one> Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you’ll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
http://www.sysinternals.com/Utilities/ProcessExplorer.html

Third one, just in case you can use it> Command Line Process Viewer/Killer/Suspender
for Windows NT/2000/XP
http://www.beyondlogic.org/solutions/processutil/processutil.htm


ASKER CERTIFIED SOLUTION
Merete (Australia)
This solution is only available to members.
Thanks a lot for these valuable tools. I'll try this and will get back with a response.

Thank you,
Abhi
Thanks, hope it helps; something has to work :D
We have kind of hit a standstill with no feedback; I have no idea if the rootkits helped him, even though he was pretty happy with the tools.

Comment from altaonemis, Date: 07/20/2006 03:35AM EST (Author Comment, quoted above)
altaonemis,
we tried to reach you.
It was my pleasure if I was able to assist you in any way.
Thank you too, rindi.
Regards, Merete