RPC shutdown
Results 1 to 7 of 7

Thread: RPC shutdown

  1. #1
    Senior Member
    Join Date
    May 2004
    Posts
    519

    RPC shutdown

    I installed Windows Server 2003 on one of my computers at home this morning and the svchost.exe keeps making the RPC service shutdown unexpectedly. This means Windows wants to do a reboot and as inconvenient as that is it also means i have to dialup to the net again (yes dialup sucks ) If anyone here knows how to correct this or at least could help out a little bit it would be muchly appreciated ..

    thanks guys

  2. #2
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    sounds like you got blaster or something. do a virus scan and check running processes and look for somethin like msblast.exe. also check your registry (the run at startup folder) for suspicious things starting up. get the latest patches from MS too.

  3. #3
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    666
    Hi

    This has been answered at least 100 times ............ A simple AO search of "RPC shutdown" whould have been helpful....

    To Keep Windows from Shutting Down :

    Originally posted here by allenb1963
    To keep RPC from shutting down Windows:
    Start---->Control Panel---->Administrative tool---->Services---->RPC (there are 2 services with the RPC label, DO NOT CHOOSE THE LOCATOR SERVICE!!!). Highlight RPC and right click, choose properties from the menu. Select the recovery tab in the properties window, and for first, second and subsequent failures have your system restart the service (restart the system is selected by default).

    Hope this helped!
    Might be Blaster worm or it's varients To remove Blaster :

    W32.Blaster.Worm Removal Tool

    How to Tell If the Worm Is Affecting Your Computer


    # And don't forget to get all the Windows Security Updates .

    # Do a Complete AV Scan I recommend Online Scan from HouseCall.

    # And A Scan By trojan Removal Tools Such as TDS-3 or Moosoft The Cleaner because these AV's are not good at removing Trojans.


    Hope that would Solve your Problem........

    --Good Luck--

  4. #4
    Senior Member
    Join Date
    May 2004
    Posts
    519
    ok well I didnt have the blaster worm (which i knew i wouldnt as i just installed the OS and connected to the net when it happened straight away) i finally after a few attempts downloaded the patches from M$ and it all seems to be going ok ........._so far_

    thanks for ya help guys

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    And above all PATCH THE BOX..

    If you don't have the needed patches you are open to attack

    here are the ones I load on machines b4 they go out the door.. that is if i dont do anything else.

    ok this list is valid for Win XP.. BUT if you follow the link given by swordfish you will be given links to the MS download site..

    Q810833_WXP_SP2_x86_ENU.exe
    Q815021_WXP_SP2_x86_ENU.exe
    WindowsXP-KB823980-x86-ENU.exe
    WindowsXP-KB828035-x86-ENU.exe
    WindowsXP-KB835732-x86-ENU.EXE

    the last on the list is the "Sasser" patch it is the only one larger than 1.3MB..
    Q810833 patch 380kb
    Q815021 patch 525kb
    KB823980 patch 1261kb (RPC-DCOM or MSBlaster)
    KB828035 patch 385kb
    KB835732 patch 2647kb (LSASS or Sasser)

    BTW: the restart is invoked as the RPC service crashes.. from the external attack.. it dosen't mean the virus is in the machine.. the crash just means you need the patch and are prone to being infected.. sasser was less likly to infect than msblast.. just recieved better media..



    Cheers

    didnt have the blaster worm (which i knew i wouldnt as i just installed the OS and connected to the net when it happened straight away) i
    but you probably could have got it with in 30secs of being connected to the net.. it is a worm it propagates via the net.. not from connected sites or file transfers, not by bloody kazaa.. but from other infected machines scanning for UNPATCHED boxes like yours..
    so if the fxmsblast tool said you didn't have blaster..
    you may also have one of a number of virii/worms.. like gaobot.xxx do a search of www.symantec.com for rpc, dcom, webdav, lsass, gaobot and see what comes up..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #6
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    how do you know you didnt have the blaster worm? did you scan for it? if you think that you didnt have it cuz it happend right when you hooked it up again, then think again. thats what happens with the blaster, they search for random IP's and try and find an unpatched one, and when you connected and got your IP one could have hit yours and made the RPC shutdown. id still scan for it if you havent, thats good you patched your box though.

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Originally posted here by fyrewall
    ok well I didnt have the blaster worm (which i knew i wouldnt as i just installed the OS and connected to the net when it happened straight away) i finally after a few attempts downloaded the patches from M$ and it all seems to be going ok ........._so far_

    thanks for ya help guys

    it may seem like its going ok because your not going down repetedly but that doesn't mean you are not the proud owner of a backdoor already installed.

    get and run stinger:

    http://vil.nai.com/vil/stinger/

    install an antivirus program and a firewall wouldn't hurt.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •