Announcement

az · 11 August 2003, 12:39

The message translates roughly to:

"The system will shut down. Save all data, and log off. All unsaved data will be lost. Resistance is futile (OK, I made this one up).

The shutdown was initiated by NT-AUTHORITY\SYSTEM

Time till shutdown: 00:00:44 (counts down from one minute, and when it reaches zero, closes all apps and restarts, shutting windows down before.

Message:

Windows has to be restarted, because the task remote procedure call (RPC) was killed unexpectedly."

AZ

**Rob(QG)** · 11 August 2003, 12:51

I've seen this.

In my case it was caused by the Sonicwall VPN client conflicting with Zone Alarm.
It was a few weeks after installing the VPN client before the problem occured. Happened to a colleague in an identical fashion.

Start in Safe Mode without networking and remove any non-essential network drivers/devices and see if that helps.

It's a real pain in the butt that it doesn't give you chance to fix the problem before shutting down

az · 11 August 2003, 13:11

funny thing is, i have almost no 3rd party software installed. nothing that runs in the background. no virus scanner, firewall, nothing (only the cfos dsl driver, but I've had this before, and have it installed now for a few months without problems).

AZ

**Rob(QG)** · 11 August 2003, 13:18

Anything else you have installed lately?

Any drivers updated?

az · 11 August 2003, 13:21

only games.. err... "trial versions". maybe I caught a virus.

AZ

**Nowhere** · 11 August 2003, 13:21

Well...install some good firewall. If it won't happen again it will lead you to some conclusions

Suffice to say, today (yes, today) few of my friends on XP (all of them don't have any firewall or I know it's poorly configured) reported exactly the same problem, ONLY when online (and to most of them this never happened before). And one reported (with some poor software firewall...) that just before shutdown someone connected to him in...not very usual way etc. (don't know exactly, svhost or something). This happened to him TWICE (and from the same host...)
Makes you think something's not right with...something in win

**agallag** · 11 August 2003, 13:22

considering you have no virus scanner, it could also be a virus causing this.

**Jon P. Inghram** · 11 August 2003, 13:26

If use task manager and kill the RPC service you'll get the same effect, wonder if you've got that DCOM virus?

**Ovi** · 11 August 2003, 13:36

Hi Az
I was just having the exact same problem! Till yesterday nothing of this sort was happening, but just an hour back, I got the same message after being online for a while. After I had rebooted and again connected to the net, the same thing happened after 5 min!
But I found the culprit.......its an executable file by the name of msblast.exe which I saw in the process list in task manager. It was located in windows/system32 and was being loaded through the registry's run key. In the run key, it was listed as "Windows auto update"! Now I've windows update turned off on my pc, so I was surprised. Also the file msblast.exe's date of creation was today itself! And moreover, it had no version info or anything, like other MS files. So I just deleted the file and removed its entry from the "run" key. I also scanned this msblast.exe with NAV2002 but it didn't find any viruses! But apparently something is spreading somewhere!
Hope this helps
Cheers
Ovi

**Taz** · 11 August 2003, 13:48

Here's some info and a patch from MS on this issue

Microsoft Support

http://support.microsoft.com/?kbid=823980

Microsoft support is here to help you with Microsoft products. Find how-to articles, videos, and training for Microsoft Copilot, Microsoft 365, Windows, Surface, and more.

**Rob(QG)** · 11 August 2003, 13:51

Wasn't sure that one actually killed of the RPC service, Taz.

Just heard of someone else getting the problem too

If it is that issue, or if it is something else, someone seems to have a good exploit going

And here it is:http://vil.nai.com/vil/content/v_100547.htm

Still only rated medium

**Taz** · 11 August 2003, 14:28

Originally posted by Rob(QG) Still only rated medium

I think that will change soon, there seem to be posts about it on every forum now

az · 11 August 2003, 14:36

Thanks everybody, especially ovi and dzeus!

AZ

**JohnnyBond** · 11 August 2003, 15:50

Its probably a worm called ms blaster

Symantec Security Center

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Symantec security research centers around the world provide unparalleled analysis of and protection from IT security threats that include malware, security risks, vulnerabilities, and spam.

It (probably) send nukes out to random ip's, generating them on the fly using your ips first packed (213 for me)

The worm is using a well known windows exploit, that used the RPC to couse the system to restart. And every infected computer is sending out nukes - its like judgment day

.

And thats my theory about it.

Thats how i protected myself:

Used kerio firewall to block all incoming traffic from any address to windows c:\windows\system32\svchost.exe, on the tcp 135 port.

And it works.

Announcement

HELP!!! BIG winXPO problem!!

HELP!!! BIG winXPO problem!!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment