NT Authority\System Error Message: "This system is shutting down. Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly."

Affected Products: Software, Servers
Affected Operating Systems: Windows NT® 4.0 Server, Windows® 2000 Advanced Server, Windows® 2000 Server, Windows® Server 2003

ISSUE:

When starting your computer, you may see the following error message:

System Shutdown

This system is shutting down. Please save all work in progress
and log off. Any unsaved changes will be lost. This shutdown
was initiated by NT AUTHORITY\SYSTEM

Time before shutdown:

Message:
Windows must now restart because the Remote Procedure Call
(RPC) service terminated unexpectedly

Note: If you disconnect your computer from its broadband connection, it does not shut down. Remove the cable from the network card or unplug the USB cable modem.

RESOLUTION: There are two resolution options available.

Note: Follow Resolution #1 first, and then proceed to Resolution #2.

Note: If the computer attempts to shut down, use the following steps to prevent the forced shutdown. This allows you to complete one of the resolutions without the computer restarting.

  1. From the Start menu, click Run.

  2. In the Run dialog box, type: shutdown -a. Click OK.

Resolution #1: Download and install the Symantec W32.Blaster.Worm Removal Tool.

Note: You need to be logged in with Administrative rights to run this tool in Windows NT®, Windows 2000 Server, or Windows 2003 Server.

  1. Download the FixBlast.exe file from the Symantec Web site.

  2. Save the file to a convenient location, such as the Downloads folder or the Windows Desktop, or to removable media that is known to be uninfected, if possible.

  3. If you would like, check the authenticity of the digital signature. This step is optional.

  4. Close all open windows and programs before running the tool.

  5. If you are using Windows XP, disable System Restore.

    CAUTION: If you are running Windows XP, it is strongly recommended that you do not skip this step. The removal procedure may be unsuccessful if Windows XP System Restore is not disabled, as Windows prevents outside programs from modifying System Restore.

  6. End task on msblast.exe.

    • On your keyboard, press the CTRL+ALT+DELETE keys.
    • In the Windows Security window, click Task Manager.
    • In the Windows Task Manager window, click the Processes tab.
    • On the Processes tab, click msblast.exe, and then click End Process.

  7. Locate and double-click the FixBlast.exe file to start the removal tool.

  8. In the Symantec W32.Blaster.Worm Fix Tool dialog box, click Start to begin the process.

  9. Allow the tool to run.

    Note: When running the tool, if you see a message that the tool was unable to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and wait 30 seconds. Restart the computer in Safe mode, and then run the tool again.

  10. Run the FixBlast.exe removal tool again to ensure that the computer is clean of the virus.

When the tool has finished running, a message displays indicating whether W32.Blaster.Worm infected the computer. In the case of a worm removal, the program displays the following results:

  • Total number of the scanned files
  • Number of deleted files
  • Number of terminated viral processes
  • Number of fixed registry entries

To ensure that your server will not be remotely infected again, download and install the appropriate operating system patch. The patch can be downloaded from the Microsoft Web site.

Resolution #2: If you do not have a current antivirus subscription:

  1. Enable the Microsoft Firewall. You should be able to complete this step without losing your current Internet connection.

    • Open Control Panel.

      • From the Windows XP default Start menu, click Control Panel.
      • From the Windows XP classic Start menu, point to Settings, and then click Control Panel.

    • In Control Panel, open Network Connections.

      • If the computer is in Category View, click Network and Internet Connections, and then click Network Connections.
      • If the computer is in Classic View, double-click the Network Connections icon.

    • In the Network Connections window, click to select the local area connection.
    • From the File menu, click Properties.
    • In the Local Area Connection Properties window, click the Advanced tab.
    • On the Advanced tab, click the Protect my computer and network by limiting or preventing access to this computer from the Internet check box, and then click OK.
    • Close Control Panel.

  2. Download and install the appropriate operating system patch. The patch can be downloaded from the Microsoft Web site.

  3. Delete the registry value.

    • From the Start menu, click Run.
    • In the Run dialog box, type: Regedit. Click OK.
    • In the Registry Editor window, locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Delete the following entries, if present: Windows Auto Update and msblast.exe.

      • Click to select the registry name.
      • From the Edit menu, click Delete.
      • In the Confirm Value Delete dialog box, click Yes.
      • Repeat these steps for each registry name entry.

    • If applicable, repeat the two preceding steps (locating the key and deleting the entries), this time checking for the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If this key is not found, you can skip this step.
    • In the Registry Editor window, from the File menu, click Exit.

  4. End task on msblast.exe.

    • On your keyboard, press the CTRL+ALT+DELETE keys.
    • In the Windows Security window, click Task Manager.
    • In the Windows Task Manager window, click the Processes tab.
    • On the Processes tab, click msblast.exe, and then click End Process.

  5. Delete msblast.exe.

    • From the Start menu, point to Search, and then click For Files or Folders.
    • In the Search Results window, in the What do you want to search for list, click All files and folders.
    • In the All or part of the file name area, type: msblast.
    • Verify that the Look in field lists Local Hard Drives.
    • Click Search.
    • When the msblast.exe file is found, click to select it, and then from the File menu, click Delete.
    • In the Confirm File Delete dialog box, click Yes.
    • In the Search Results window, from the File menu, click Exit.
    • Empty the Recycle Bin.

  6. Run Windows Update, and then download and install all critical updates.

    Note: To make sure that your computer is up to date with critical updates, run Windows Update on a regular basis. Also, be sure to regularly use an updated antivirus program, such as Norton AntiVirus.
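
After either resolution, the cleanup can be confirmed with a read-only check for the three artifacts this article names: the Run-key values, the msblast.exe process, and the msblast.exe file. The script below is an added example, not part of the original article or of any Symantec or Microsoft tool. It assumes Windows PowerShell is installed on the computer and that it is run with Administrative rights; it changes nothing.

```powershell
# Added example: read-only check for the Blaster artifacts named in this article.
# Assumption: Windows PowerShell is available on the host. Nothing is modified.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. Run-key values: flag the value named "Windows Auto Update" and any
#    value whose name or data refers to msblast.exe.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }   # HKCU key may be absent
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($name -ieq 'Windows Auto Update' -or
            $name -match 'msblast' -or $data -match 'msblast\.exe') {
            $findings += "Run value '$name' = '$data' under $key"
        }
    }
}

# 2. Running process (Get-Process takes the name without ".exe").
foreach ($p in @(Get-Process -Name 'msblast' -ErrorAction SilentlyContinue)) {
    $findings += "Process msblast.exe is running, PID $($p.Id)"
}

# 3. File search across local hard drives, mirroring the manual search step.
$drives = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady }
foreach ($d in $drives) {
    $hits = @(Get-ChildItem -Path $d.Name -Filter 'msblast.exe' -Recurse `
                  -Force -ErrorAction SilentlyContinue)
    foreach ($h in $hits) { $findings += "File found: $($h.FullName)" }
}

# Report. Any finding means the matching manual step above still applies.
if ($findings.Count -eq 0) {
    Write-Output 'None of the Blaster artifacts named in this article were found.'
} else {
    foreach ($f in $findings) { Write-Output "FOUND: $f" }
}
```

A clean result only covers the indicators listed here; the operating system patch and Windows Update steps are still required to prevent reinfection.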

To permanently prevent any threat of other viruses that may utilize this method of attack, enable your firewall to block TCP ports 135, 139, 445, 593, and 4444, as well as UDP ports 69, 135, 137, and 138. It is suggested that you use a dedicated firewall device (either a stand-alone firewall device, or a server that is not used to hold important data) to prevent possible loss of data.