Blaster Worm-Virus or Its Variants Cause the Computer to Shut Down with an NT AUTHORITY\SYSTEM Error Message Regarding Remote Procedure Call (RPC) Service
The "Blaster" worm-virus and its variants are affecting the entire personal computer industry and might impact any computer system running Microsoft Windows XP or Windows 2000.
This document will help you resolve the error associated with the virus, remove the virus from your system, and prevent the virus from reoccurring in the future.
NOTE: These worms are designed to increase Web traffic to targeted Web sites. If an increase in Web traffic occurs at the Microsoft Windows Update site, it might take a long time to download your updates, or the Web site might not display at all when you try to access it. Please be patient and try to connect to the site at another time if this happens.
Overview of the worm-virus
The following error message or similar error displays before the computer automatically shuts down:
This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM. Time before shutdown: 00:00:XX Message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.
Other symptoms might include system instability, system crashes, and vulnerability.
This error is probably caused by a worm-type virus known as Blaster, LoveSan, MSBlaster, or Welchia (might also have other names and variations). The worm can exploit a security vulnerability on unprotected Microsoft Windows XP or Windows 2000 computers. It affects systems without the Microsoft update MS03-039 installed. Finding the file "Msblast.exe" is an indicator that the virus is active on your computer. However, this file is not present in all variants of the worm. Even if you do not find this file on your computer, the worm might still be residing on your system.
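The indicators described above can be checked across several machines at once. The following is an added triage example, not code from HP or Microsoft. The "timestamp|host|message" export format, the host names, and the file paths are constructed assumptions; only the message text and the Msblast.exe file name come from this page.

```python
import ntpath
import re
from collections import defaultdict

# Fragment of the shutdown message quoted on this page.
RPC_SHUTDOWN = re.compile(
    r"Remote Procedure Call \(RPC\) service terminated unexpectedly", re.I)
INDICATOR_FILE = "msblast.exe"  # file name given on this page

MSG = ("Windows must now restart because the Remote Procedure Call (RPC) "
       "service terminated unexpectedly.")
# Constructed sample input (assumed format: timestamp|host|message).
SAMPLE_EVENTS = "\n".join([
    "2003-08-12 09:14:02|PC-01|" + MSG,
    "2003-08-12 09:31:40|PC-01|" + MSG,
    "2003-08-12 10:02:11|PC-02|" + MSG,
    "2003-08-12 10:05:00|PC-03|The Print Spooler service started.",
    "truncated line without separators",
])
# Constructed per-host file listings (paths are placeholders).
SAMPLE_FILES = {
    "PC-01": ["C:\\sample\\Msblast.exe", "C:\\sample\\notepad.exe"],
    "PC-02": ["C:\\sample\\notepad.exe"],
    "PC-03": ["C:\\sample\\notepad.exe"],
}

def count_rpc_shutdowns(event_text):
    """Return {host: number of RPC-triggered shutdown messages}."""
    counts = defaultdict(int)
    for line in event_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing
        if RPC_SHUTDOWN.search(parts[2]):
            counts[parts[1]] += 1
    return dict(counts)

def has_indicator_file(paths):
    """Case-insensitive match on the file name, ignoring the directory."""
    return any(ntpath.basename(p).lower() == INDICATOR_FILE for p in paths)

def triage(event_text, files_by_host):
    shutdowns = count_rpc_shutdowns(event_text)
    verdicts = {}
    for host in sorted(set(shutdowns) | set(files_by_host)):
        if has_indicator_file(files_by_host.get(host, [])):
            verdicts[host] = "active: Msblast.exe found"
        elif shutdowns.get(host, 0):
            # A missing Msblast.exe does not clear the host: not every
            # variant of the worm leaves that file behind.
            verdicts[host] = "suspect: RPC shutdowns, no indicator file"
        else:
            verdicts[host] = "no symptoms seen"
    return verdicts
```

A host marked "suspect" should still be patched and scanned, because the absence of the file does not rule out a variant.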
Use the steps below to update your computer with the latest security update from Microsoft and to remove the virus from your system.
Resolving the worm-virus
Use the following steps to prevent the computer from restarting, to remove the virus, and to prevent the virus from reinfecting the computer. HP does not guarantee the success of this procedure as the virus might exist in different forms.
NOTE: The following steps require virus scanning software (Norton AntiVirus or McAfee VirusScan) and that the person logged on have Windows XP administrative privileges.
NOTE: When the computer is serviced or when a system recovery has been run, the software is changed back to its original configuration, meaning it is set to the same condition as when the computer was first purchased. All software and driver updates you have installed on your computer since first turning it on are lost. In this like-new condition, the computer is more susceptible to viruses because all previously installed security updates are removed. Perform the steps in this section after the computer returns from service or after a system recovery has been run.
1. Click Start, click Run, and then type: shutdown -a
   This prevents the system from automatically restarting long enough to download and install the Microsoft security update.
2. Click OK.
3. If the "shutdown -a" command fails to keep the computer from restarting, use the following steps:
   a. Click Start, click Run, and type: services.msc in the Open box.
   b. Click OK. A Services window displays.
   c. Double-click Remote Procedure Call (RPC) and select the Recovery tab. Be careful not to use the Remote Procedure Call (RPC) Locator item.
      Figure 2: Remote Procedure Call service
   d. Set the First Failure, Second Failure, and Subsequent Failures items to Take No Action.
   e. Click OK to apply the settings.
4. Install the latest critical updates using Windows Update. For more information, see the following: Microsoft's Security Bulletin: MS03-039 and How to use Windows Update.
   NOTE: These worms are designed to increase Web traffic to targeted Web sites. If an increase in Web traffic occurs at the Microsoft Windows Update site, it might take a long time to download your updates, or the Web site might not display at all when you try to access it. Try to connect to the site at another time if this happens.
5. Remove the worm using your antivirus software. Do this by obtaining the latest virus definitions and then performing a scan. For software removal tools and more detailed information on removing this worm and its variants, use the following links:
   If all went well, the computer is now clean and protected. If these steps did not resolve the problem, contact Microsoft and your antivirus software vendor for more assistance.
6. If you used the services.msc command (as explained in Step 3) to prevent your computer from restarting, restore your RPC recovery settings to their original state as follows:
   a. Click Start, click Run, and type: services.msc
   b. Click OK.
   c. Double-click Remote Procedure Call (RPC) and select the Recovery tab. Be careful not to use the Remote Procedure Call (RPC) Locator item.
   d. Set the First Failure, Second Failure, and Subsequent Failures items to Restart the Computer.
   e. Click OK to apply the settings.
   NOTE: It is also a good idea to open System Restore and delete dates that occurred while the virus was active. This prevents the computer from being reinfected when System Restore is used. To open System Restore, click Start, All Programs, Accessories, System Tools, and then click System Restore.
NOTE: One or more of the links above will take you outside the Hewlett-Packard Web site. HP does not control and is not responsible for information outside of the HP Web site.