RPC Service Fatal Error (crash/reboot), XP Pro. Help please!

jc0 · #1 07-29-2003, 08:59 PM

XP Pro 5.1 2600
650mb Kingston DDR
Athlon xp 1800 @ 1.53ghz
ecs K7s5a mobo
40gb C:, 60GB D: (not installed)
52x cdrw
16x dvdrom

Every few minutes (it varies) i get the following error message:

The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

The above text was copied from Event Viewer.
It always says "1 time(s)" but it has happened about 20. This just started happening within the last couple of days. I am running PC Cillin and it's up to date. It doesn't detect anything. Also, I have no suspicious connections to my pc. I also use Spybot regularly.

I uninstalled all software I recently installed to see if maybe one of them was causing the error.

Here are a couple of screenshots of the original error:
Error box (cropped - 67KB) | Error Box & Task Manager (cropped - 160KB)

I have searched for info on this error, but didn't find much at all. If anyone has any suggestions or tips to offer, I would really appreciate it.
Thanks in advance.

UPDATE:I got that same error a few minutes ago, and my machine rebooted. When i came and noticed, I saw a "Disconnected Network Drive" as my N: drive. I also had 2 connections to my PC on ports 445 and also 40450 from 2 different IPs. I did a "ipconfig /release" to disconnect whatever was connected to my machine. As soon as I did this, I got that RPC error.

Also, I had what appeared to be a trojan of some sort recently. It
didn't let me open task manager, msconfig or regedit. I got rid of
that, but is it possible this is related? I am getting pretty concerned now.

LooseChippings · #2 07-30-2003, 02:21 AM

Are you running Kazaa or a similar Peer to Peer service?

jc0 · #3 07-30-2003, 09:16 PM

I am running an older version of kazaa lite. It has never given me problems. I didn't download any type of software either from it.
I just remembered that I upgraded Soulseek recently after having not used it for a long time. I don't know if this could be the problem, but the problem did start around the same time as I started to use it again.

The other programs I use most are SecureCRT for SSH connections and Trillian for ICQ/AIM. These programs have never given me a problem though. Also games. The ones I play most often are: Midnight Club2, Half-Life mods (CS, DOD etc), and GTA: Vice City. I doubt it has anything to do with games though.

I scanned with the following programs:
PC-Cillin (latest)
Housecall from Trend Micro (online)
ActiveScan from Panda Software (online)
Anti-Trojan 5.5

The only thing these picked up were stuff PC-Cillin had already previously found and quarantined.

beeboy · #4 07-31-2003, 10:19 AM

"Also, I had what appeared to be a trojan of some sort recently."

"The only thing these picked up were stuff PC-Cillin had already previously found and quarantined."
What was the trojan and what files were quarantined?

jc0 · #5 07-31-2003, 06:37 PM

Quote:

Originally posted by beeboy
"Also, I had what appeared to be a trojan of some sort recently."

"The only thing these picked up were stuff PC-Cillin had already previously found and quarantined."
What was the trojan and what files were quarantined?

The trojan that prevented me from opening Task Manager etc was never detected. I did a little research online and found it and removed it by hand. It was most likely some sort of spyware. It was an exe in \system32\ that started up with windows.

The stuff PC Cillin quarantined is months old. They were mostly spyware files and javascript BS.

I posted my problem on another forum, and received the following reply:

Quote:

There is a major vulnerability in the RPC service (on by default, can't be turned off) of all NT-based versions of Windows. There are at least 5 or 6 different exploits out there, though I haven't heard of an automated worm, yet.

[edit]
Here's one message regarding the behavior of one of the first "proof of concept" exploits that seems relevant. The interesting thing there is that the exploit, having spawned a shell, incidentally makes the RPC service crash when the connection drops, like yours did when you /released.

You may still be ok, assuming you patch up, because the exploits out there don't themselves install any persistent backdoors or anything, but it's possible that whoever was connected to you could've done so manually.

I installed the MS patch and I guess I will leave my computer on for a while and see if I get any of the same problems.

COBSteele · #6 08-05-2003, 05:51 AM

I have this same problem, and I dont know why im just a gamer, I dont have any valuable information on my computer about myself like credit card numbers etc, why would somebody want to give me a virus.

Anyway I get that stuff all the time RPC blah blah blah. And when windows restarts always in my start menu under startup I get a file named tftp272 and webdav. When windows first startups I got that unknown file association for tftp272 and it gives you the choice of open file from program in the list or use web service to find file association. Norton tells me nothing. Its the only virus program I have. Whats going on here?

Also I have not use kazaa execept kazaa lite. If that even makes a difference.

My computer is about 3 years old its an Amd 900mgz 512 ram, Geforce 4, Win Xp Professional. Cable Internet.

No firewalls or any other virus scanners.

Playboy™ · #7 08-05-2003, 08:13 AM

i am having the same problem, (my computer getting shutdown thru RPC ) (same exact warning message ) also had the same problem getting to my task manager , it opens the closes right away( to fix that just rename your taskmanager to something else ), also the wbdav.exe file on the startup menu , and the tftp temp file trying to load on start ( the tftp is Trivial File Transfer Protocol tftp.exe in windows )

I did a little digging and i found a temp fix for this problem..

in your control panel, go to administrative tools then to components services. then under the folder on the left you will see something that says Services ( local )

then on the right hand side scroll down to the "remote procedure call" highlight it right click and go to properties, then you can choose what happens when your rpc has a problem. it is automatically set to reboot in 30 seconds or something, but u can set it to do nothing or to run a program or a command line .

Im hoping this works (it has so far ), if it works for you tell me..

i have run thru my computer pretty good and no virus yet so i have no idea what it is, i ran my computer at www.antivirus.com on the fresh virus def's ??

ninja · #8 08-05-2003, 12:33 PM

ok im geting the same problem and i dont know what the hell it is but is annoying, i can open my taskmannager and stuff but this message keeps popin up and it reboots my come the rpc message i dont know how to fix it so if some 1 can help me my sn on aim is akjoker47 plz help and thnx in advance

Bulls420 · #9 08-05-2003, 02:42 PM

im having this problemalso i did what playboy said to keep my pc from rebooting but dont know how to fix still.

Playboy™ · #10 08-05-2003, 04:53 PM

okay well mine was getting shut down every 6 hours or so and after i changed that setting for the RPC it hasnt shutdown once.

So i suggest going thru the steps i mentioned earlier and set your computer not to reboot when the rpc has a problem.

I have read about a few rpc exploits like the ones mentioned/experienced.

I highly doubt that its coincidence we all have some sort of trojan worm virus problem etc along with the rpc problem, BUT that being said, From what i have read about rpc( remote procedure calls ) exploits the fact that the computer reboots tells us that the "HACK" wasnt succesfull.( kind of ,

it was succesfull in killing the computer but that prob wasnt the original intent )

Setting your RPC so it wont reboot when it has a problem hasnt seemed to cause any error and im watching closely !!

But just because we dont reboot doesnt mean there isnt something malicious still on our computer that we need to remove/fix/patch.

I will search around and if i find a perm fix i will let everyone know.

btw there is many variations to this problem/virus going around right now, so be sure to try all the suggestions mentioned even if your symptoms arent exactly the same. ( ask first if your unsure )

Playboy™ · #11 08-05-2003, 06:53 PM

i think this would be the first thing to patch

Windows XP Security Patch: Buffer Overrun In RPC Interface Allows Code Execution

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

read that and download the patch for your machine.

but chances are the root of the problem is still on your machine so keep updating/checking for virii, i suggest doing a free ONLINE scan at www.antivirus.com as they always catch the stuff that nortons misses.

speaking of nortons , wtf my aunt has the newest paid version with all the features on and i recently ran a scan on antivirus.com and found a bunch of trojans on her box. what the hell is she paying them for. I might understand if it was new strange stuff but it was all old virii like nimda and pe_spaces and stuff like that

swtcollegeguy · #12 08-06-2003, 03:27 AM

Allright, to all who are having the RPC problem:

These problems may be related to a hack that uses the exploit in the RPC. Follow these steps:

1) Click on "Start", "All Programs", "Start Up" and look for the program called "webdav.exe". If you have this little jewl, supposedly you've been HACKED. This program allows the attacker to gain complete and total control of your system.

2) Now, if you have an anti-virus programing running, update it and scan your PC. "Webdav" may or may not be detected. If it is not then send a sample of it to your anti-virus program vendor so they can start detecting it.

3) Most important, install Microsoft's latest patch for the RPC problem. From what I can tell though, if your running Win XP, you have to have "gold" edition (I think it is called) or you must have "Service Pack 1" installed and running. Full details are at Microsoft's site.

Here is all the info on Webdav

Webdav Info

Now if you don't have the Webdav prgram on your PC then you still need to install the patch. Supposedly the RPC error is triggered through a hack attempt. There's some instructions on how to disable the shutdown that occurs when the RPC error happens in one of the post above.

I hope this helps you all. I'll update if I get any new info

Playboy™ · #13 08-06-2003, 12:27 PM

webdav is a legitimate piece of software, as well as tftp they are just being mis-used.

to turn off the RPC automatic shutdown follow these steps

in your control panel, go to administrative tools then to components services. then under the folder on the left you will see something that says Services ( local )

then on the right hand side scroll down to the "remote procedure call" highlight it right click and go to properties, then you can choose what happens when your rpc has a problem. it is automatically set to reboot in 60 seconds , but u can set it to do nothing or to run a program or a command line .

here is the patch for the RPC exploit

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

njovin · #14 08-06-2003, 12:52 PM

new info, check this thread:

http://www.softwaretipsandtricks.com...&threadid=5023

eclipse · #15 08-09-2003, 08:35 PM

Ok im new here but im having the exact same prob. Everything u guys have mentiod so far but, I am unable to DL and run the patch. I was like wow i have a lot of windows updates recently till i noticed i was dling the same one(the patch for this exact prob) over and over and i would install it and reboot but 30 min later it would ask to dl it again?!?. I dl'ed it manually and it says unable to verify the update.inf or something like that. What can u guys help me with here.

also i have home if that makes any diff.