the error is:
remote procedure service terminated.
¶àлÁË

ÿ´Î¿ª»úÒ»½øÈ¥¹ýÁË1·ÖÖÓ×óÓÒÖ®ºó,»á³öÏÖÒ»¸ö¶Ô»°¿ò:
windows must restart because the remote procedure call service terminated unexpectedly.
ÇëÎʸÃÔõô°ì?
¿É·ñ²»ÖØװϵͳ½øÐнâ¾ö?
Áí¼Ç:´ËÈË֮ǰÉϹýÖйú»¥¶¯ÓÎÏ·ÔÚÏßÖÐÐÄ,ÊÇ·ñ¿ÉÄܸúÆä·þÎñÆ÷µÄbugÓйØ?

ÎÒ¾õµÃÊÇvirus.ͨ¹ýmsn´«µÄ¡£

ÎҵĵçÄÔÒ²Óöµ½Õâ¸öÎÊÌâÁË£¬¸Õ¸Õ»¹ÌæÅóÓÑÎÊÄØ¡£
±»Ëý´«ÉÏÁË¡£¡£¡£

Norton·¢Ïֵġ£¡£

Object name: C:\Windows\system32\TFTP3516
virus name: W32.Blaster.worm
Action taken: unable to repair this file

¸ÃÔõô°ì£¿¸ßÊÖÖ¸½Ì£¡

make updates of the virus definations frequently enought(usually no less than once per 8 hours)

do not open any unauthorised material and suspective mails and application programs---even some documents.

and, do not trust others' abolity to prevent virus, the virus usually spread between trusted people.

²»¹ýÎÒÖÐÕеÄʱºòû¿ªmsn°¢£¬ºÃÔÚÓÐŵ¶Ù

no matter how powerful it is.

no matter how famous the authors were.....

actually, some virus are targeting to the antivirus process and end it before itself has been detected and written into the virus definations.......

msn ÏȲ»ÓÃÁË£¬£¬ ȾÉÏ»¹Í¦Âé·³µÄ¡£

·¢ÐÅÈË: Willematte (willematte), ÐÅÇø: NoteBook
±ê Ìâ: [ÑÏÖØ]windows rpc ©¶´£¬¸Ï½ô´ò²¹¶¡!!!
·¢ÐÅÕ¾: BBS ˮľÇ廪վ (Tue Aug 12 03:20:26 2003), תÐÅ



windows³öÏÖÓÐÊ·ÒÔÀ´×î´ó©¶´£¬xp,2000,2003,nt¾ùÊÜÓ°Ï죡£¡


CCERT ¹ØÓÚwindow RPCϵÁЩ¶´µÄ°²È«¹«¸æ


7ÔÂ16ÈÕ²¨À¼µÄÒ»¸ö°²È«×éÖ¯LSD¹«²¼ÁËÒ»¸öWindows²Ù×÷ϵͳµÄÒ»¸ö°²È«Â©¶´£¬Õâ¸ö©¶´ºÅ
³Æ

Æù½ñΪֹwindowϵͳÖз¢ÏÖµÄ×îÑÏÖصÄÒ»¸öϵͳ©¶´
£¨Â©¶´µÄÏêÇé²Î¼ûhttp://www.ccert.edu.cn/advisories/all.php?ROWID=48£©
Ëæºó¸÷°²È«×éÖ¯¶Ô¸Ã©¶´Õ¹¿ªÁËÏà¹ØµÄÑо¿£¬ÔÚÑо¿µÄ¹ý³ÌÖйúÄڵݲȫ×éÖ¯ÓÖ·¢ÏÖÁËÓë
Ö®Ïà
¹ØµÄÁ½¸öͬÀàÐ͵Ä©¶´£¬²¢Éϱ¨ÁË΢Èí£¬µ«ÊÇÄ¿Ç°³§ÉÌ»¹Ã»ÓÐÌṩÏà¹ØµÄ²¹¶¡³ÌÐò¡£Òò´Ë
µ½Ä¿
ǰΪֹÕë¶Ôwindow rpcϵÁÐʵ¼ÊÉÏ´æÔÚÈý¸öÀàËƵÄ©¶´£¬ËüÃÇ·Ö±ðÊÇ£º

1¡¢Microsoft RPC½Ó¿ÚÔ¶³ÌÈÎÒâ´úÂë¿ÉÖ´ÐЩ¶´

©¶´ÃèÊö£º
Remote Procedure Call(RPC)ÊÇWindows²Ù×÷ϵͳʹÓõÄÒ»ÖÖÔ¶³Ì¹ý³Ìµ÷ÓÃЭÒé,RPCЭ
ÒéÌṩ
Ò»ÖÖ½ø³Ì¼äµÄ½»»¥Í¨ÐÅ»úÖÆ£¬ËüÔÊÐí±¾µØ»úÆ÷ÉϵijÌÐò½ø³ÌÎÞ·ìµÄÔÚÔ¶³ÌϵͳÖÐÔËÐдú
Âë¡£
¸ÃЭÒéµÄÇ°ÉíÊÇOSF RPCЭÒ飬µ«ÊÇÔö¼ÓÁË΢Èí×Ô¼ºµÄһЩÀ©Õ¹¡£

×î½ü·¢ÏÖ²¿·ÖRPCÔÚʹÓÃTCP/IPЭÒé´¦ÀíÐÅÏ¢½»»»Ê±²»ÕýÈ·µÄ´¦Àí»ûÐεÄÏûÏ¢µ¼Ö´æÔÚ
Ò»¸ö
°²È«Â©¶´¡£¸Ã©¶´Ó°ÏìʹÓÃRPCµÄDCOM½Ó¿Ú£¬Õâ¸ö½Ó¿ÚÓÃÀ´´¦ÀíÓÉ¿Í»§¶Ë»úÆ÷·¢Ë͸ø·þ
ÎñÆ÷
µÄDCOM¶ÔÏ󼤻îÇëÇó(ÈçUNC·¾¶)¡£Èç¹û¹¥»÷Õ߳ɹ¦ÀûÓÃÁ˸鶴½«»ñµÃ±¾µØϵͳȨÏÞ
£¬Ëû
½«¿ÉÒÔÔÚϵͳÉÏÔËÐÐÈÎÒâÃüÁÈç°²×°³ÌÐò¡¢²é¿´»ò¸ü¸Ä¡¢É¾³ýÊý¾Ý»òÕßÊǽ¨Á¢ÏµÍ³¹Ü
ÀíÔ±
ȨÏÞµÄÕÊ»§µÈ¡£

ÒªÀûÓÃÕâ¸ö©¶´£¬¹¥»÷ÕßÐèÒª·¢ËÍÌØÊâÐÎʽµÄÇëÇóµ½Ô¶³Ì»úÆ÷ÉϵÄ135¶Ë¿Ú.

2¡¢Microsoft DCOM RPC½Ó¿Ú¾Ü¾ø·þÎñ¼°È¨ÏÞÌáÉý©¶´
©¶´ÃèÊö£º
Remote Procedure Call(RPC)ÊÇWindows²Ù×÷ϵͳʹÓõÄÒ»ÖÖÔ¶³Ì¹ý³Ìµ÷ÓÃЭÒé,RPCЭ
ÒéÌṩ
Ò»ÖÖ½ø³Ì¼äµÄ½»»¥Í¨ÐÅ»úÖÆ£¬ËüÔÊÐí±¾µØ»úÆ÷ÉϵijÌÐò½ø³ÌÎÞ·ìµÄÔÚÔ¶³ÌϵͳÖÐÔËÐдú
Âë¡£
¸ÃЭÒéµÄÇ°ÉíÊÇOSF RPCЭÒ飬µ«ÊÇÔö¼ÓÁË΢Èí×Ô¼ºµÄһЩÀ©Õ¹¡£

×î½ü·¢ÏÖMS RPCÔÚ´¦Àí»ûÐÎÏûϢʱ´æÔÚÎÊÌ⣬Զ³Ì¹¥»÷Õß¿ÉÒÔÀûÓÃÕâ¸ö©¶´½øÐоܾø·þ
Îñ¹¥
»÷£¬ÔÚRPC·þÎñ±ÀÀ£ºó£¬¿ÉÓÃÀ´È¨ÏÞÌáÉý¹¥»÷¡£¹¥»÷Õß·¢ËÍ»ûÐÎÏûÏ¢¸ø
DCOM __RemoteGetClassObject½Ó¿Ú£¬RCP·þÎñ¾Í»á±ÀÀ££¬ËùÓÐÒÀ¿¿RPC·þÎñµÄÓ¦ÓóÌÐò
ºÍ·þÎñ
¾Í»á±äµÄ²»Õý³£¡£

Èç¹û¹¥»÷ÕßÓµÓкϷ¨ÕÊ»§£¬ÔÚRPC·þÎñ±ÀÀ£ºóËû»¹¿ÉÒԽٳֹܵÀºÍ135¶Ë¿Ú½øÐÐȨÏÞÌáÉý
¹¥»÷¡£

3¡¢window RPC½Ó¿Úδ֪©¶´
©¶´ÃèÊö£º
ÓÉÓڸ鶴ӰÏìÃæÌ«´ó¶ø³§ÉÌÓÖδÍƳöÏàÓ¦µÄ²¹¶¡³ÌÐò£¬Òò´ËÄ¿Ç°²¢Î´¹«²¼¸Ã©¶´µÄÏê
ϸ¼¼Êõ
ϸ½Ú£¬µ«ÊÇ·¢Ïָ鶴µÄ×éÖ¯ÖÐÁªÂÌÃËÐÅÏ¢¼¼Êõ(±±¾©)ÓÐÏÞ¹«Ë¾ÔÚ±¨¸æÖÐÓÐÌáµ½ÈçϾ¯
¸æ£º

¸Ã©¶´¿ÉÒÔʹÈëÇÖÕßÇá¶øÒ׾ٵĽøÈëWindows 2000¡¢Windows XP¡¢Windows2003 Serve
rϵͳ¡£
¹¥»÷Õß¿ÉÒÔͨ¹ý¸Ã©¶´È¡µÃϵͳµÄ¿ØÖÆȨ£¬ÍêÈ«¿ØÖƱ»ÈëÇÖµÄϵͳ£¬ÇÔÈ¡Îļþ£¬ÆÆ»µ×Ê
ÁÏ¡£
ÒòΪ¸Ã©¶´ºÍÒÔÍù·¢Ïֵݲȫ©¶´²»Í¬£¬²»½öÓ°Ïì×÷Ϊ·þÎñÆ÷µÄWindowsϵͳ£¬Í¬ÑùÒ²

»áÓ°Ïì¸ö
È˵çÄÔ£¬ËùÒÔDZÔÚµÄÊܺ¦ÕßÊýÁ¿·Ç³£¶à¡£


©¶´Î£º¦£º
7ÔÂ23ºÅÍøÂçÉÏ·¢²¼ÁËDCOM RPC½Ó¿Ú¾Ü¾ø·þÎñ¹¥»÷µÄ³ÌÐò´úÂ룬7ÔÂ26ÈÕwindow RPC½Ó¿Ú
Ô¶³Ì»º
³åÒç³öµÄ¹¥»÷³ÌÐò´úÂë±»¹«²¼£¬ÕâÑù¾Íµ¼Ö¼´±ãÊÇÒ»¸ö¶Ô¸Ã©¶´¼¼Êõϸ½ÚºÁ²»Á˽âµÄÈË
Ò²ÄÜʹ
ÓÃÕâЩ´úÂëÈ¥¹¥»÷ÍøÂçÉϵÄÆäËû»úÆ÷ÒÔ´ïµ½¾Ü¾ø·þÎñ¹¥»÷µÄÄ¿µÄ»òÊÇ»ñµÃÏàÓ¦µÄϵͳȨ
ÏÞ¡£Ä¿
Ç°¹«²¼µÄ´úÂëÊǶÔϵͳ°æ±¾ÓÐÕë¶ÔÐԵģ¬µ«ÊÇͨÓÃÓÚ¸÷ϵͳ°æ±¾ÖеĹ¥»÷´úÂëÕýÔÚ²âÊÔ
ÖУ¬Ïà
ÐÅÔÚÉÔºóµÄ¼¸ÌìÄÚ±ã»á±»¹«²¼³öÀ´£¬Ò»µ©ÕâÖÖ¹¥»÷´úÂë±»¹«²¼³öÀ´£¬Ö»ÐèÒªºÜСµÄ¼¼Êõ
ÉϵĸÄ

Ôì¾Í¿ÉÒԸıà³ÉÈä³æ£¬Èç¹ûÀûÓÃÕâ¸ö©¶´Èä³æ±»·¢²¼³öÀ´£¬ËüµÄÍþÁ¦½«Ô¶Ô¶³¬¹ýcoder
edºÍ
slammer£¬¿ÉÄÜ»á¸øÕû¸ö»¥ÁªÍøÂç´øÀ´ÖÂÃüµÄ´ò»÷¡£


½â¾ö°ì·¨£º
Õë¶ÔÒÔÉÏ©¶´£¬CCERT½¨ÒéÓû§¶ÔÄúµÄ»úÆ÷²ÉÈ¡ÒÔÏ´ëÊ©£º
1¡¢ÏÂÔØ°²×°ÏàÓ¦µÄ²¹¶¡³ÌÐò£º
Õë¶ÔµÚÒ»¸ö©¶´Î¢ÈíÒѾ­·¢²¼ÁËÏàÓ¦µÄ°²È«¹«¸æÓë²¹¶¡³ÌÐò£¬Äã¿ÉÒÔµ½ÎÒÃǵÄÍøÕ¾ÏÂÔØ
£º
winnt
win2000
winxp
win2003

Õë¶ÔÆäËûÁ½¸ö©¶´£¬Î¢ÈíÄ¿Ç°»¹Ã»Óз¢²¼ÏàÓ¦µÄ²¹¶¡³ÌÐò£¬ÎÒÃǽ¨ÒéÄúʹÓÃwindow×Ô¶¯
update
¹¦ÄÜ£¬Ëæʱ¹Ø×¢³§É̵Ķ¯Ì¬£¬ÄãÒ²¿ÉÒÔ¹Ø×¢ÎÒÃǵÄÖ÷Ò³http://www.ccert.edu.cn
ÎÒÃÇ»áÔÚµÚһʱ¼äÌṩÏàÓ¦µÄ²¹¶¡³ÌÐòÏÂÔØ

2¡¢Ê¹Ó÷À»ðǽ¹Ø±ÕËùÓв»±ØÒªµÄ¶Ë¿Ú£¬¸ù¾ÝÎÒÃÇÏÖÔÚÕÆÎÕµÄÐÅÏ¢£¬ÕâЩ©¶´²»½ö½öÓ°Ïì
135¶Ë¿Ú£¬
ËüÓ°Ïìµ½´ó²¿·Öµ÷ÓÃDCOMº¯ÊýµÄ·þÎñ¶Ë¿Ú£¬Òò´ËCCERT½¨ÒéÓû§Ê¹ÓÃÍøÂç»òÊǸöÈË·À»ð
ǽ¹ýÂËÒÔ
϶˿ڣº
135/TCP epmap
135/UDP epmap
139/TCP netbios-ssn
139/UDP netbios-ssn
445/TCP microsoft-ds
445/UDP microsoft-ds
593/TCP http-rpc-epmap
593/UDP http-rpc-epmap

3¡¢Ê¹ÓÃIDSϵͳ¼ì²âÀ´×ÔÓÚÍøÂçÉϵĹ¥»÷£¬IDS¹æÔòÈçÏÂ:
alert tcp $EXTERNAL_NET any -> $HOME_NET 445
(msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,establ
ished;
content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance
:56;
within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; wit
hin:12;
content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1;
byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 0
0 00 46|";
distance:29; within:16; reference:cve,CAN-2003-0352;classtype:
attempted-admin; sid:2193; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135
(msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,establishe
d;

content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; b
yte_test:
1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|";

distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin
;

sid:2192; rev:1;)


×¢Ò⣺
1¡¢Õë¶ÔµÚÒ»¸ö©¶´µÄ²¹¶¡²¢Ã»ÓаüÀ¨ÔÚwindow 2000 sp4ÖУ¬ÄãÐèÒªÏÂÔص¥¶ÀµÄÈÈÐÞ²¹
²¹¶¡¡£
2¡¢ÓÉÓÚrpc·þÎñÒѾ­±»ÏâǶµ½windowµÄÄں˵±ÖУ¬Òò´ËÎÒÃDz»½¨ÒéÄúʹÓùرÕrpc·þÎñ
µÄ·½
·¨À´·ÀÖ¹¸Ã©¶´±»ÀûÓã¬ÒòΪ¹Ø±Õrpc·þÎñ¿ÉÄܻᵼÖÂÄúµÄϵͳ³öÏÖÐí¶àδ֪µÄ´íÎó

3¡¢µ±ÄúµÄϵͳͻȻµ¯³öÁËsvchost.exe³öÏÖÒì³£´íÎóµÄ¶Ô»°¿ò»òÕßÊÇ135¶Ë¿ÚͻȻ±»¹Ø
±Õ£¬ºÜ
¿ÉÄܱíʾÄãÒѾ­Êܵ½ÁËÕâÀ๥»÷£¬Ç뾡¿ì²ÉÈ¡ÏàÓ¦µÄ´ëÊ©¡£


×¢Ò⣬¸Ï½ô´ò²¹¶¡£¬¸üÏêϸµÄÇé¿öÇëÈ¥virus°æ»ònttech °æ£¡

I tried. the system seems ok.

you can do the following to remove it.

-> download lastest trend office scan virus definition, so u can find the virus

-> download a patch from https://security.nus.edu.sg, and install it

-> remove the file MSBLAST.exe, once u find the virus with trend office scan. if u can not remove it, then try to kill the process name msblast from task bar

-> good luck!

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

1 Open Windows Task Manager press
CTRL+SHIFT+ESC, and click the Processes tab.

2 In the list of running programs*, locate the process:
MSBLAST.EXE

3 Select the malware process, then press either the the End Process button.

4 To check if the malware process has been terminated, close Task Manager, and then open it again.

5 Close Task Manager.


Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1 Open Registry Editor.

To do this, click Start>Run, type Regedit, then press Enter.

In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run

In the right panel, locate and delete the entry:
¡±windows auto update" = MSBLAST.EXE
Close Registry Editor.



NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.


More --->http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A