Contact US

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

(RPC) service terminated unexpectedly

(RPC) service terminated unexpectedly

(RPC) service terminated unexpectedly


I have two users both running XP on our network who, have had their computers suddenly pup up with a 'your computer will re-boot in 60 (then proceeds to count down) seconds'

I know that this is the automatic reboot on system error, however, I'm wondering if anyone can help me figure out why I got this error in the event log:

The Remote Procedure Call (RPC) service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The only thing I know the users had open was (novell's) Groupwise, Microsofts knowledgebase has nothing, any help would be greatly appreciated.

RE: (RPC) service terminated unexpectedly

This site is good for checking Event Log errors.


Make sure you have written down the Event error number.

Also while in The Event Viewer check any "Information" line that mentions "savedump" and you should find reference to "recovered from a bug check".  This is the Stop Error that caused your problem.

Exact copies of any Event ID or Stop Error will assist others in assisting you.

RE: (RPC) service terminated unexpectedly


I have a friend who has come up with the same problem. How did you solved it?

RE: (RPC) service terminated unexpectedly

You just caught the latest worm that is in circulation.  

Here, do this...

While DISCONNECTED from the net, search for msblast.exe and delete that file.

If your comfortable going into the registry the bug lives here:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

Delete it and reboot

Go to the Windows update site and get all the critical updates.  

Install a firewall immediately!!!

Update your virus scan utility, and run a virus scan, or run one online at www.housecall.antivirus.com

Here is what has been found so far

- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot

Here is a list of known TFTP servers for this worm

Good luck

RE: (RPC) service terminated unexpectedly

Yes file TFTP1800 and TFTP? can't remember the other name, but it created these 2 files in my startup folder.
Does anyone else have them?

RE: (RPC) service terminated unexpectedly

Yes, many, many people have them.  You're not alone.  Just take a look at some of the posts on this board, it's a pretty big issue.

RE: (RPC) service terminated unexpectedly


I also have a a computer running windows XP Pro but it does not have Novell installed, All I can find on the Microsoft site is problems relating to Win XP and Novell. I have carried out a search of both files and registry but can not find any sign of the msblast.exe worm. Nor do I have anyfiles in the startup folder as mentioned by TAV1035Is there something I am missing. The PC has been continually producing the error of Event ID 4609 for two days, whenever the internet is accessed. I get the same message as the original post on this thread. Does anyone have any ideas of where to go now?

RE: (RPC) service terminated unexpectedly

It has turned out to be an explotation of microsoft's RPC DCOM security flaw, if you're un aware of it, you can get information about the patch here:


it's very importatnt that this patch be on all NT/2K/XP boxes (NT/2K server's also) also, check this website


for instructions on how to clean your system of the two most common back door installations related to this compromise.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close