(RPC) service terminated unexpectedly 1

[acetylyne]

Hello,

I have two users both running XP on our network who, have had their computers suddenly pup up with a 'your computer will re-boot in 60 (then proceeds to count down) seconds'

I know that this is the automatic reboot on system error, however, I'm wondering if anyone can help me figure out why I got this error in the event log:

The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

The only thing I know the users had open was (novell's) Groupwise, Microsofts knowledgebase has nothing, any help would be greatly appreciated.

 

[linney]

This site is good for checking Event Log errors.

http://www.eventid.net/events.asp

Make sure you have written down the Event error number.

Also while in The Event Viewer check any "Information" line that mentions "savedump" and you should find reference to "recovered from a bug check". This is the Stop Error that caused your problem.

Exact copies of any Event ID or Stop Error will assist others in assisting you.

 

[davidmichel]

acetylyne,

I have a friend who has come up with the same problem. How did you solved it?

 

[shaner66]

You just caught the latest worm that is in circulation.

Here, do this...

While DISCONNECTED from the net, search for msblast.exe and delete that file.

If your comfortable going into the registry the bug lives here:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

Delete it and reboot

Go to the Windows update site and get all the critical updates.

Install a firewall immediately!!!

Update your virus scan utility, and run a virus scan, or run one online at

http://www.housecall.antivirus.com

Here is what has been found so far

- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot

Here is a list of known TFTP servers for this worm

204.210.57.87
217.211.179.193
24.147.64.171
24.147.64.205
24.147.64.208
24.147.65.146
24.147.65.45
24.147.65.9
61.254.65.159
67.119.36.219
68.112.65.38
68.166.102.136
68.166.107.21
68.166.111.175
68.166.120.34
68.166.121.135
68.166.123.4
68.166.124.186
68.166.124.93
68.166.139.155
68.166.139.210
68.166.141.66
68.166.142.194
68.166.142.215
68.166.36.178
68.166.56.123
68.166.60.51
68.166.98.3

Good luck

 

[tav1035]

Yes file TFTP1800 and TFTP? can't remember the other name, but it created these 2 files in my startup folder.
Does anyone else have them?
tav

 

[shaner66]

Yes, many, many people have them. You're not alone. Just take a look at some of the posts on this board, it's a pretty big issue.

 

[davewalsh]

HI

I also have a a computer running windows XP Pro but it does not have Novell installed, All I can find on the Microsoft site is problems relating to Win XP and Novell. I have carried out a search of both files and registry but can not find any sign of the msblast.exe worm. Nor do I have anyfiles in the startup folder as mentioned by TAV1035Is there something I am missing. The PC has been continually producing the error of Event ID 4609 for two days, whenever the internet is accessed. I get the same message as the original post on this thread. Does anyone have any ideas of where to go now?

 

[bcastner]

thread779-627534

 

[acetylyne]

It has turned out to be an explotation of microsoft's RPC DCOM security flaw, if you're un aware of it, you can get information about the patch here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

it's very importatnt that this patch be on all NT/2K/XP boxes (NT/2K server's also) also, check this website

http://security.msu.edu/cgi-bin/index.pl?dcom.html

for instructions on how to clean your system of the two most common back door installations related to this compromise.