NT Authority\System Error Message: "This system is shutting down. Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly."
Affected Products: Software, System CD/DVDs
Affected Operating Systems: Windows NT® 4.0, Windows® 2000, Windows® XP
ISSUE:
Note: If you have a Gateway Server,
click here. When starting your computer, you may see the following error message:
System Shutdown
This system is shutting down. Please save all work in progress
and log off. Any unsaved changes will be lost. This shutdown
was initiated by NT AUTHORITY\SYSTEM
Time before shutdown:
Message:
Windows must now restart because the Remote Procedure Call
(RPC) service terminated unexpectedly
Note: If you disconnect your computer from its broadband connection, it does not shut down. Remove the cable from the network card or unplug the USB cable modem.
Note: This is in reference to issue number 2-976684501.
Note: There are currently, and may continue to be, variants to this worm virus. Your computer may also be infected with other viruses, yet this worm virus has made the issue known. Please check with your antivirus software manufacturer to obtain the latest updates for your antivirus software, as well as instructions for the removal of all viruses.
To help avoid these types of issues in the future, be sure to schedule regular updates for both your antivirus software and Windows critical updates. It is also recommended that on a regular basis you make a backup copy of all important data.
This document is intended for a computer that is not infected with any other viruses other than this worm virus. Gateway technical support does not normally support virus removal or any other virus issue. However, since this worm virus widely affects many computer users, we wanted to provide assistance as a courtesy.
RESOLUTION: Note: Gateway does not support viruses. All customers affected by this should be directed to Symantec or Answers by Gateway for support and resolution. We initially provided support for this virus because of the impact to our customers, however we now need to adhere to our virus policy.
Note: Please read all information in this document before attempting to clean your computer. You may also want to print a copy of this document to have at your disposal when attempting to clean your computer. For best printing results, in your Internet browser, from the
File menu, click
Print.
There is a lot of information contained in the document on combating what you may see, including how to stop the shut down process so that you can complete the steps. Also, you must install the Microsoft patch to prevent this type of issue from reoccurring.
There are four resolution options available.
Note: Follow Resolution #1 first, and then proceed to either Resolution #2 or #3, depending on your antivirus software.
Note: If the computer attempts to shut down, use the following steps to prevent the forced shut down. This allows you to complete one of the resolutions without the computer restarting.
- From the Start menu, click Run.
- In the Run dialog box, type: shutdown -a. Click OK.
Resolution #1: Download and install the Symantec W32.Blaster.Worm Removal Tool.
Note: You need to be logged in with Administrative rights to run this tool in Windows 2000 or Windows XP.
- Download the FixBlast.exe file from the Symantec Web site.
- Save the file to a convenient location, such as the Downloads folder or the Windows Desktop, or to removable media that is known to be uninfected, if possible.
- If you would like, check the authenticity of the digital signature. This step is optional.
- Close all open windows and programs before running the tool.
- If you are using Windows XP, disable System Restore. CAUTION: If you are running Windows XP, it is strongly recommend that you do not skip this step. The removal procedure may be unsuccessful if Windows XP System Restore is not disabled, as Windows prevents outside programs from modifying System Restore.
- End task on msblast.exe.
- On your keyboard, press the CTRL+ALT+DELETE keys.
- In the Windows Security window, click Task Manager.
- In the Windows Task Manager window, click the Processes tab.
- On the Processes tab, click msblast.exe, and then click End Process.
View Picture
- Locate and double-click the FixBlast.exe file to start the removal tool.
- In the Symantec W32.Blaster.Worm Fix Tool dialog box, click Start to begin the process.
- Allow the tool to run. Note: When running the tool, if you see a message that the tool was unable to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and wait 30 seconds. Restart the computer in Safe mode, and then run the tool again.
- For Windows XP, download and install the "Blaster Worm: Critical Security Patch for Windows XP" patch from the Microsoft Web site to prevent this type of attack. Windows XP shipped with Gateway computers is a 32-bit operating system.
- For Windows 2000, download and install the "Blaster Worm: Critical Security Patch for Windows 2000" patch from the Microsoft Web site to prevent this type of attack.
- For Windows NT, download and install the "Blaster Worm: Critical Security Patch for Windows NT 4.0" patch from the Microsoft Web site to prevent this type of attack.
- Run the FixBlast.exe removal tool again to ensure that the computer is clean of the virus.
- If you are running Windows XP, reenable System Restore if the computer is clean.
- Run LiveUpdate to make sure that you are using the most current virus definitions.
When the tool has finished running, a message displays indicating whether W32.Blaster.Worm infected the computer. In the case of a worm removal, the program displays the following results:
- Total number of the scanned files
- Number of deleted files
- Number of terminated viral processes
- Number of fixed registry entries
Resolution #2: If you have a current subscription to Norton AntiVirus:
Note: Please see the
Symantec Web site for additional information.
- Disable System Restore.
- Run LiveUpdate to update the virus definitions. Note: If you are unable to download the update, follow step number 2 in Resolution #3 below, and then attempt to run LiveUpdate again.
- Restart the computer in Safe mode.
- End task on msblast.exe.
- On your keyboard, press the CTRL+ALT+DELETE keys.
- In the Windows Security window, click Task Manager.
- In the Windows Task Manager window, click the Processes tab.
- On the Processes tab, click msblast.exe, and then click End Process.
View Picture
- Use Norton AntiVirus to scan for and delete any infected files.
- Run a full system scan.
- If any files are detected as infected with W32.Blaster.Worm, click Delete.
- Delete the registry value.
- From the Start menu, click Run.
- In the Run dialog box, type: Regedit. Click OK.
- In the Registry Editor window, locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Delete the following entries, if present: Windows Auto Update and msblast.exe.
- Click to select the registry name.
- From the Edit menu, click Delete.
- In the Confirm Value Delete dialog box, click Yes.
- Repeat these steps for each registry name entry.
- If applicable, repeat steps c and d, this time checking for the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If this key is not found, you can skip this step.
- In the Registry Editor window, from the File menu, click Exit.
- For Windows XP, download and install the "Blaster Worm: Critical Security Patch for Windows XP" patch from the Microsoft Web site to prevent this type of attack. Windows XP shipped with Gateway computers is a 32-bit operating system.
- For Windows 2000, download and install the "Blaster Worm: Critical Security Patch for Windows 2000" patch from the Microsoft Web site to prevent this type of attack.
- For Windows NT, download and install the "Blaster Worm: Critical Security Patch for Windows NT 4.0" patch from the Microsoft Web site to prevent this type of attack.
- Use Norton AntiVirus again to scan for and remove any infected files.
- Run another full system scan.
- If any additional files are detected as infected with W32.Blaster.Worm, click Delete.
- If you are running Windows XP, reenable System Restore if the computer is clean.
- Run Windows Update, and then download and install all critical updates. Note: You may need to run Windows Update more than once. Run this step until no more critical updates are listed.
Note: To make sure that your current is up to date with critical updates, run Windows Update on a regular basis. Also, be sure to regularly use an updated antivirus program, such as Norton AntiVirus.
Resolution #3: If you do not have a current Norton AntiVirus subscription:
- Disable System Restore.
- Enable the Microsoft Firewall. You should be able to complete this step without losing your current Internet connection.
- Open Control Panel.
- From the Windows XP default Start menu, click Control Panel.
- From the Windows XP classic Start menu, point to Settings, and then click Control Panel .
- In Control Panel, open Network Connections.
- If the computer is in Category View, click Network and Internet Connections, and then click Network Connections.
- If the computer is in Classic View, double-click the Network Connections icon.
- In the Network Connections window, click to select the local area connection.
- From the File menu, click Properties.
- In the Local Area Connection Properties window, click the Advanced tab.
- On the Advanced tab, click the Protect my computer and network by limiting or preventing access to this computer from the Internet check box, and then click OK.
- Close Control Panel.
- For Windows XP, download and install the "Blaster Worm: Critical Security Patch for Windows XP" patch from the Microsoft Web site to prevent this type of attack. Windows XP shipped with Gateway computers is a 32-bit operating system.
- For Windows 2000, download and install the "Blaster Worm: Critical Security Patch for Windows 2000" patch from the Microsoft Web site to prevent this type of attack.
- For Windows NT, download and install the "Blaster Worm: Critical Security Patch for Windows NT 4.0" patch from the Microsoft Web site to prevent this type of attack.
- Delete the registry value.
- From the Start menu, click Run.
- In the Run dialog box, type: Regedit. Click OK.
- In the Registry Editor window, locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Delete the following entries, if present: Windows Auto Update and msblast.exe.
- Click to select the registry name.
- From the Edit menu, click Delete.
- In the Confirm Value Delete dialog box, click Yes.
- Repeat these steps for each registry name entry.
- If applicable, repeat steps c and d, this time checking for the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If this key is not found, you can skip this step.
- In the Registry Editor window, from the File menu, click Exit.
- End task on msblast.exe.
- On your keyboard, press the CTRL+ALT+DELETE keys.
- In the Windows Security window, click Task Manager.
- In the Windows Task Manager window, click the Processes tab.
- On the Processes tab, click msblast.exe, and then click End Process.
- Delete msblast.exe.
- From the Start menu, point to Search, and then click For Files or Folders.
- In the Search Results window, in the What do you want to search for list, click All files and folders.
- In the All or part of the file name area, type: msblast.
- Verify that the Look in field lists Local Hard Drives.
- Click Search.
- When the msblast.exe file is found, click to select it, and then from the File menu, click Delete.
- In the Confirm File Delete dialog box, click Yes.
- In the Search Results window, from the File menu, click Exit.
- Empty the Recycle Bin.
- If you are running Windows XP, reenable System Restore if the computer is clean.
- Run Windows Update, and then download and install all critical updates. Note: To make sure that your current is up to date with critical updates, run Windows Update on a regular basis. Also, be sure to regularly use an updated antivirus program, such as Norton AntiVirus.
Resolution #4:
This is to be used as a last resort when all other attempts have failed. Turn off the computer, and then disconnect the Internet connection from the computer. Write zeros to the hard drive, Fdisk, format, and then reload the computer. Enable the firewall before reconnecting to the Internet, and then immediately run Windows Update for critical updates and the virus scan updates.
Note: To make sure that your computer is up to date with critical updates, run Windows Update on a regular basis. Also, be sure to regularly use an updated antivirus program, such as Norton AntiVirus.
Note: You may need to run Windows Update more than once. Run this step until no more critical updates appear.
Note: Please read all information in this document before attempting to clean your computer. You may also want to print a copy of this document to have at your disposal when attempting to clean your computer. For best printing results, in your Internet browser, from the File menu, click Print.
There is a lot of information contained in the document on combating what you may see, including how to stop the shut down process so that you can complete the steps. Also, you must install the Microsoft patch to prevent this type of issue from reoccurring.
There are three resolution options available.
Note: Follow Resolution #1 first, and then proceed to either Resolution #2 or #3, depending on your antivirus software.
Note: If the computer attempts to shut down, use the following steps to prevent the forced shut down. This allows you to complete one of the resolutions without the computer restarting.
- From the Start menu, click Run.
- In the Run dialog box, type: shutdown -a. Click OK.
Resolution #1: Download and install the Symantec W32.Blaster.Worm Removal Tool.
Note: You need to be logged in with Administrative rights to run this tool in Windows 2000 or Windows XP.
- Download the FixBlast.exe file from the Symantec Web site.
- Save the file to a convenient location, such as the Downloads folder or the Windows Desktop, or to removable media that is known to be uninfected, if possible.
- If you would like, check the authenticity of the digital signature. This step is optional.
- Close all open windows and programs before running the tool.
- If you are using Windows XP, disable System Restore. CAUTION: If you are running Windows XP, it is strongly recommend that you do not skip this step. The removal procedure may be unsuccessful if Windows XP System Restore is not disabled, as Windows prevents outside programs from modifying System Restore.
- End task on msblast.exe.
- On your keyboard, press the CTRL+ALT+DELETE keys.
- In the Windows Security window, click Task Manager.
- In the Windows Task Manager window, click the Processes tab.
- On the Processes tab, click msblast.exe, and then click End Process.
View Picture
- Locate and double-click the FixBlast.exe file to start the removal tool.
- In the Symantec W32.Blaster.Worm Fix Tool dialog box, click Start to begin the process.
- Allow the tool to run. Note: When running the tool, if you see a message that the tool was unable to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and wait 30 seconds. Restart the computer in Safe mode, and then run the tool again.
- For Windows XP, download and install the "Blaster Worm: Critical Security Patch for Windows XP" patch from the Microsoft Web site to prevent this type of attack. Windows XP shipped with Gateway computers is a 32-bit operating system.
- For Windows 2000, download and install the "Blaster Worm: Critical Security Patch for Windows 2000" patch from the Microsoft Web site to prevent this type of attack.
- For Windows NT, download and install the "Blaster Worm: Critical Security Patch for Windows NT 4.0" patch from the Microsoft Web site to prevent this type of attack.
- Run the FixBlast.exe removal tool again to ensure that the computer is clean of the virus.
- If you are running Windows XP, reenable System Restore if the computer is clean.
- Run LiveUpdate to make sure that you are using the most current virus definitions.
When the tool has finished running, a message displays indicating whether W32.Blaster.Worm infected the computer. In the case of a worm removal, the program displays the following results:
- Total number of the scanned files
- Number of deleted files
- Number of terminated viral processes
- Number of fixed registry entries
Resolution #2: If you have a current subscription to Norton AntiVirus:
Note: Please see the
Symantec Web site for additional information.
- Disable System Restore.
- Run LiveUpdate to update the virus definitions. Note: If you are unable to download the update, follow step number 2 in Resolution #3 below, and then attempt to run LiveUpdate again.
- Restart the computer in Safe mode.
- End task on msblast.exe.
- On your keyboard, press the CTRL+ALT+DELETE keys.
- In the Windows Security window, click Task Manager.
- In the Windows Task Manager window, click the Processes tab.
- On the Processes tab, click msblast.exe, and then click End Process.
View Picture
- Use Norton AntiVirus to scan for and delete any infected files.
- Run a full system scan.
- If any files are detected as infected with W32.Blaster.Worm, click Delete.
- Delete the registry value.
- From the Start menu, click Run.
- In the Run dialog box, type: Regedit. Click OK.
- In the Registry Editor window, locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Delete the following entries, if present: Windows Auto Update and msblast.exe.
- Click to select the registry name.
- From the Edit menu, click Delete.
- In the Confirm Value Delete dialog box, click Yes.
- Repeat these steps for each registry name entry.
- If applicable, repeat steps c and d, this time checking for the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If this key is not found, you can skip this step.
- In the Registry Editor window, from the File menu, click Exit.
- For Windows XP, download and install the "Blaster Worm: Critical Security Patch for Windows XP" patch from the Microsoft Web site to prevent this type of attack. Windows XP shipped with Gateway computers is a 32-bit operating system.
- For Windows 2000, download and install the "Blaster Worm: Critical Security Patch for Windows 2000" patch from the Microsoft Web site to prevent this type of attack.
- For Windows NT, download and install the "Blaster Worm: Critical Security Patch for Windows NT 4.0" patch from the Microsoft Web site to prevent this type of attack.
- Use Norton AntiVirus again to scan for and remove any infected files.
- Run another full system scan.
- If any additional files are detected as infected with W32.Blaster.Worm, click Delete.
- If you are running Windows XP, reenable System Restore if the computer is clean.
- Run Windows Update, and then download and install all critical updates. Note: You may need to run Windows Update more than once. Run this step until no more critical updates are listed.
Note: To make sure that your current is up to date with critical updates, run Windows Update on a regular basis. Also, be sure to regularly use an updated antivirus program, such as Norton AntiVirus.
Resolution #3: If you do not have a current Norton AntiVirus subscription:
Note: If you would like to purchase a copy of Norton AntiVirus, please visit the
Gateway Accessory Store.
- Disable System Restore.
- Enable the Microsoft Firewall. You should be able to complete this step without losing your current Internet connection.
- Open Control Panel.
- From the Windows XP default Start menu, click Control Panel.
- From the Windows XP classic Start menu, point to Settings, and then click Control Panel .
- In Control Panel, open Network Connections.
- If the computer is in Category View, click Network and Internet Connections, and then click Network Connections.
- If the computer is in Classic View, double-click the Network Connections icon.
- In the Network Connections window, click to select the local area connection.
- From the File menu, click Properties.
- In the Local Area Connection Properties window, click the Advanced tab.
- On the Advanced tab, click the Protect my computer and network by limiting or preventing access to this computer from the Internet check box, and then click OK.
- Close Control Panel.
- For Windows XP, download and install the "Blaster Worm: Critical Security Patch for Windows XP" patch from the Microsoft Web site to prevent this type of attack. Windows XP shipped with Gateway computers is a 32-bit operating system.
- For Windows 2000, download and install the "Blaster Worm: Critical Security Patch for Windows 2000" patch from the Microsoft Web site to prevent this type of attack.
- For Windows NT, download and install the "Blaster Worm: Critical Security Patch for Windows NT 4.0" patch from the Microsoft Web site to prevent this type of attack.
- Delete the registry value.
- From the Start menu, click Run.
- In the Run dialog box, type: Regedit. Click OK.
- In the Registry Editor window, locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Delete the following entries, if present: Windows Auto Update and msblast.exe.
- Click to select the registry name.
- From the Edit menu, click Delete.
- In the Confirm Value Delete dialog box, click Yes.
- Repeat these steps for each registry name entry.
- If applicable, repeat steps c and d, this time checking for the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If this key is not found, you can skip this step.
- In the Registry Editor window, from the File menu, click Exit.
- End task on msblast.exe.
- On your keyboard, press the CTRL+ALT+DELETE keys.
- In the Windows Security window, click Task Manager.
- In the Windows Task Manager window, click the Processes tab.
- On the Processes tab, click msblast.exe, and then click End Process.
- Delete msblast.exe.
- From the Start menu, point to Search, and then click For Files or Folders.
- In the Search Results window, in the What do you want to search for list, click All files and folders.
- In the All or part of the file name area, type: msblast.
- Verify that the Look in field lists Local Hard Drives.
- Click Search.
- When the msblast.exe file is found, click to select it, and then from the File menu, click Delete.
- In the Confirm File Delete dialog box, click Yes.
- In the Search Results window, from the File menu, click Exit.
- Empty the Recycle Bin.
- If you are running Windows XP, reenable System Restore if the computer is clean.
- Run Windows Update, and then download and install all critical updates. Note: To make sure that your current is up to date with critical updates, run Windows Update on a regular basis. Also, be sure to regularly use an updated antivirus program, such as Norton AntiVirus.