
View Full Version : RPC error


E.B.
December 5th 03, 12:10 PM
>-----Original Message-----
>When we are online for a few minutes, we get an error
>shutdown message that says RPC service terminated
>unexpectedly. What do we do to solve the error?
>.
>
I have the exact same problem and I've read the replies.
The only problem is that since I cannot stay online I had
to go to a library to look up this help forum. I cannot
download any security patches or update virus definitions.
They do not allow any downloads at the public library.
Since I cannot stay online for more than 30 seconds at
home, what can I do? Any other suggestions? Do I have to
erase my hard drive and reinstall Windows XP?
Please help asap. Thank you.

Michael Solomon (MS-MVP Windows Shell/User)
December 5th 03, 12:10 PM
Have you tried through Safe Mode? Boot the system, start tapping F8, at the
menu, select safe mode then see if you can stay connected.

Failing that, I picked up the following but I can't be real specific as I'm
not doing this.
Start with the following:
In Task Manager, terminate the Executable, ctrl-alt-delete then terminate
the executable in the list, I'm guessing, MSBLAST.exe. Then, run a virus
scan on your system, preferably with the latest definitions. Then return
to my previous instructions as follows:
The following "fix" procedure is courtesy of Ron Martell, MVP

'This is caused by a new and rapidly spreading virus.

To clear up the "NT Authority\System" and RPC call errors:

1. Go to http://support.microsoft.com/?kbid=823980 and download the security
patch. If at all possible do this on a clean machine and copy the patch to a
3.5 inch diskette.

2. Boot the infected machine into Safe Mode (use the F8 key multiple times
before and during the boot menu). Insert the 3.5 inch diskette with the
patch on it and run it. Do not reboot yet.

3. Use Start - Run - MSCONFIG and go to the Startup tab. Locate the entry
for MSBLAST.EXE and clear the checkbox for it.

4. Use Start - Search and check all your hard drives for the file
MSBLAST.EXE and delete all copies of it.

5. Shut down and restart the computer normally.

6. Immediately do an update of your antivirus software and when the updates
are installed do a complete virus scan of your hard drive. So far
Symantec/Norton, Trend Micro (PC-Cillin) and Sophos seem to be the only
major companies with an update for this specific virus (4:30 p.m. PDT 11 Aug
2003) but the others will undoubtedly follow within 24 hours.



--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/

"E.B." wrote in message ...
>
> >-----Original Message-----
> >When we are online for a few minutes, we get an error
> >shutdown message that says RPC service terminated
> >unexpectedly. What do we do to solve the error?
> >.
> >
> I have the exact same problem and I've read the replies.
> The only problem is that since I cannot stay online I had
> to go to a library to look up this help forum. I cannot
> download any security patches or update virus definitions.
> They do not allow any downloads at the public library.
> Since I cannot stay online for more than 30 seconds at
> home, what can I do? Any other suggestions? Do I have to
> erase my hard drive and reinstall Windows XP?
> Please help asap. Thank you.

Michael Solomon (MS-MVP Windows Shell/User)
December 5th 03, 12:10 PM
MS Support Services Security Team is now recommending that all compromised
systems be formatted:

PSS Security Response Team Alert - New Virus: W32.Blaster.worm
SEVERITY: CRITICAL

DATE: August 11, 2003

PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT
4.0, NT 4.0 Terminal Services Edition

WHAT IS IT?

The Microsoft Product Support Services Security Team is issuing this alert
to inform customers about a new worm named W32.Blaster.Worm which is
spreading in the wild. This virus is also known as: W32/Lovsan.worm
(McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer
Associates). Best practices, such as applying security patch MS03-026 should
prevent infection from this worm.

Customers that have previously applied the security patch MS03-026 before
today are protected and no further action is required.

IMPACT OF ATTACK: Spread through open RPC ports. Customer's machine gets
re-booted or msblast.exe exists on customer's system.

TECHNICAL DETAILS: This worm scans a random IP range to look for vulnerable
systems on TCP port 135. The worm attempts to exploit the DCOM RPC
vulnerability patched by MS03-026.

Once the Exploit code is sent to a system, it downloads and executes the
file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates
the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"windows auto update" = msblast.exe I just want to say LOVE YOU SAN!!

bill

Symptoms of the virus: Some customers may not notice any symptoms at all.

A typical symptom is the system is rebooting every few minutes without user
input. Customers may also see:

- Presence of unusual TFTP* files

- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32
directory or download the latest anti-virus software signature from your
anti-virus vendor and scan your machine.

For additional details on this worm from anti-virus software vendors
participating in the Microsoft Virus Information Alliance (VIA) please visit
the following links:

Network Associates:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

Trend Micro:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

Symantec:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265

For more information on Microsoft's Virus Information Alliance please visit
this link: http://www.microsoft.com/technet/security/virus/via.asp



Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION: Turn on Internet Connection Firewall (Windows XP or Windows
Server 2003) or use a third party firewall to block TCP ports 135, 139,
445 and 593; TCP ports 135, 139, 445 and 593; also UDP 69 (TFTP) for zombie
bits download and TCP 4444 for remote command shell. To enable the Internet
Connection Firewall in Windows:

http://support.microsoft.com/?id=283673

1. In Control Panel, double-click Networking and Internet Connections, and
then click Network Connections.

2. Right-click the connection on which you would like to enable ICF, and
then click Properties.

3. On the Advanced tab, click the box to select the option to Protect my
computer or network.

This worm utilizes a previously-announced vulnerability as part of its
infection method. Because of this, customers must ensure that their
computers are patched for the vulnerability that is identified in Microsoft
Security Bulletin MS03-026.

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp. Install the
patch MS03-026 from Windows Update http://windowsupdate.microsoft.com

As always, please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.

RECOVERY: Security best practices suggest that previously compromised
machines be wiped and rebuilt to eliminate any undiscovered exploits that can
lead to a future compromise. See Cert Advisory:

Steps for Recovering from a UNIX or NT System Compromise.

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

For additional information on recovering from this attack please contact
your preferred anti-virus vendor.

RELATED MICROSOFT SECURITY BULLETINS:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955

This article will be available within 24 hours.

RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp

As always please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.

If you have any questions regarding this alert please contact your Microsoft
representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of
the US please contact your local Microsoft Subsidiary.

Support for virus related issues can also be obtained from the Microsoft
Virus Support Newsgroup which can be located by clicking on the following
link news://msnews.microsoft.com/microsoft.public.security.virus.

PSS Security Response Team
--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/


"E.B." wrote in message ...
>
> >-----Original Message-----
> >When we are online for a few minutes, we get an error
> >shutdown message that says RPC service terminated
> >unexpectedly. What do we do to solve the error?
> >.
> >
> I have the exact same problem and I've read the replies.
> The only problem is that since I cannot stay online I had
> to go to a library to look up this help forum. I cannot
> download any security patches or update virus definitions.
> They do not allow any downloads at the public library.
> Since I cannot stay online for more than 30 seconds at
> home, what can I do? Any other suggestions? Do I have to
> erase my hard drive and reinstall Windows XP?
> Please help asap. Thank you.
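
The network pattern the alert describes (connection to TCP 135, remote shell on TCP 4444, TFTP download over UDP 69, then scanning other hosts on TCP 135) can be checked for in a firewall log. This is an added example, not part of the thread or the Microsoft alert; the log layout is assumed to follow the Windows firewall `#Fields:` header, the sample lines are constructed, and `parse_log` and `triage` are hypothetical names.

```python
from collections import defaultdict

# Constructed sample (not from the thread). Layout assumed to follow the Windows
# firewall log "#Fields:" header; all addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-11 16:30:01 OPEN TCP 198.51.100.7 192.0.2.10 3021 135 - - - - - - - -
2003-08-11 16:30:02 OPEN TCP 198.51.100.7 192.0.2.10 3022 4444 - - - - - - - -
2003-08-11 16:30:03 OPEN UDP 192.0.2.10 198.51.100.7 1035 69 - - - - - - - -
2003-08-11 16:30:09 DROP TCP 198.51.100.99 192.0.2.10 4100 135 48 S 1 0 16384 - - -
2003-08-11 16:30:40 OPEN TCP 192.0.2.10 203.0.113.1 1040 135 - - - - - - - -
2003-08-11 16:30:40 OPEN TCP 192.0.2.10 203.0.113.2 1041 135 - - - - - - - -
2003-08-11 16:30:41 OPEN TCP 192.0.2.10 203.0.113.3 1042 135 - - - - - - - -
"""

def parse_log(text):
    """Yield one dict per entry, taking column names from the '#Fields:' header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(text, local_ip, scan_threshold=3):
    """Flag peers that completed the 135 -> 4444 -> TFTP chain, and outbound 135 scanning."""
    stages = defaultdict(set)  # remote peer -> stages of the chain observed
    scanned = set()            # distinct hosts this machine contacted on TCP 135
    for e in parse_log(text):
        if e.get("action") == "DROP":
            continue  # blocked by the firewall, so the connection never happened
        proto, dport = e.get("protocol"), e.get("dst-port")
        src, dst = e.get("src-ip"), e.get("dst-ip")
        if dst == local_ip and proto == "TCP" and dport == "135":
            stages[src].add("rpc-135")
        elif dst == local_ip and proto == "TCP" and dport == "4444":
            stages[src].add("shell-4444")
        elif src == local_ip and proto == "UDP" and dport == "69":
            stages[dst].add("tftp-69")
        elif src == local_ip and proto == "TCP" and dport == "135":
            scanned.add(dst)
    full_chain = {"rpc-135", "shell-4444", "tftp-69"}
    return {
        "infection_peers": sorted(p for p, s in stages.items() if s == full_chain),
        "outbound_scan": len(scanned) >= scan_threshold,
        "scanned_hosts": len(scanned),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "192.0.2.10"))
```

A peer listed under `infection_peers` together with `outbound_scan` being true matches the alert's description of a compromised machine; a log containing only `DROP` entries for port 135 shows probes that the firewall blocked.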
