# Shutdown of computer, caused by RPC - if this happens to you, read this..



## tnik

This is caused by a recent RPC exploit that Microsoft has actually owned up to.. This problem can be solved by a quick patch and reboot.. THIS EXPLOIT AFFECTS ALL MICROSOFT OPERATING SYSTEMS THAT CAME OUT AFTER WINDOWS ME. (and Windows 2000, even tho it came out prior to ME) so.. that includes, some versions of NT, win2K, winXP home and pro and gold and 2003.. if you're reading this forum.. it probably means YOU

click here for the fix


----------



## JohnWill

Actually, W2K came out before ME.  This patch should be picked up in a normal Windows Update run. I checked my patches, and it's been installed from my Update run the other day.


----------



## ~Candy~

But I refuse to do normal Windows Update runs


----------



## JohnWill

> _Originally posted by AcaCandy:_
> *But I refuse to do normal Windows Update runs*


Well, I guess you should do it the hard way.


----------



## Guest

Ya. AcaCandy, I bet you make hackers happy leaving your door wide open lol. But seriously AcaCandy, if you don't do updates regularly like us, you won't have installed the security patches released by Microsoft, which leaves your "door" wide open for hackers to come in.


----------



## ~Candy~

What, my router will allow that?


----------



## Bvr01Fvr

Nevertheless, this is good info for some who have their own preferences. Thanks AcaCandy!

I use the Windows Update feature. However, I have the automatic update feature turned off and just visit the website manually on a regular basis.


----------



## Guest

Oh, well now you mention you have a router lol. It may not, but nevertheless it's ALWAYS a good practice to at least install the newest security patches.


----------



## TheWeaselBoy

Thanks to microsoft for making my workday even better.... guess who has to personally patch 300 machines because of this RPC stuff.......
oh well, a monday is a monday
-wb


----------



## dasnk

Thanks for posting the link to that patch. And don't listen to these other guys. The windows update is a 34 minute download. And my PC was being shut down by this exploit every 3 minutes. It would have been impossible for me to fix this problem if I had to use a "Windows update run".

Even while I was downloading this small patch the RPC shutdown countdown was going. Luckily I was able to download it before the countdown was up! Thanks!


----------



## TheWeaselBoy

Dasnk, you are missing the point... the key is preventative maint. NOT reactive. If you keep your system updated, you stand a much better chance of staying out of the funk. I knew about this RPC issue several weeks ago, and it's just today that I have seen a massive influx of problems pertaining to this.... enough time for every two bit hacker and script kiddie to figure out how to work it.

36 minutes?!?!? the whole patch takes up about 600k... it fits on a floppy. Does your isp transmit via smoke signals  
My guess is that you were downloading the whole Service pack 4 instead of just the hotfix. Which DOES take forever and a day.
-WB


----------



## carmelross

TY TY I LOVE YA TY


----------



## SlimeyPsycho

Woohoo! Solved my problem ;-)


----------



## qblitz

At the same time frame, I was getting a popup at startup saying that there was no application associated with the file TFTPnnnn, where nnnn was some 4 digit number. It gave me radio buttons to select an application or go on the web to find the associated application. I would simply kill the popup and move on.

It kept coming back... the spyware and adware did not detect anything. I did a search and killed the TFTPnnnn files and an executable that launched it. They were all under the My Documents folder.


I then got this shut down message.

Recently McAfee virus scan reports trapping a TFTPnnnn file.

Are they related to this shutdown.. Is it something else?????

Help!!!


----------



## chadfitz

do u have to install anything? when it was finished downloading i double clicked it and then it loaded for like 2 secs and went away. is that supposed to happen


----------



## Antigrok

BTW - you can disable the automatic restart to give you enough time to download the patch if you are having problems with this:

Run services.msc
In the right-hand list, right click on 'remote procedure call' and select 'properties.'
Click on 'recovery' tab.
Change first, second, and subsequent failures to 'Take No Action.' 
Click apply, then ok.

After you install the patch and reboot, make sure you change the computer response actions back to 'Restart the Computer.'


----------



## GyBear

> ISS X-Force has captured active samples of an automated Internet worm that propagates via the MS RPC DCOM vulnerability documented in ISS X-Force Alert titled "Flaw in Microsoft Windows RPC Implementation" (http://xforce.iss.net/xforce/alerts/id/147).
> This worm is currently propagating aggressively across the Internet.
> 
> Impact: Any vulnerable desktop or server connected to the Internet may be vulnerable to attack. All Windows 2000, Windows XP and Windows NT 4.0 computers that have not been patched are vulnerable to attack from the automated worm, or manual attack. X-Force believes that hundreds of thousands of computers may still be vulnerable. Unsuccessful propagation attempts may crash vulnerable computers, or render them unstable. Successful worm outbreaks have been known to cause significant localized network latency, and widespread denial of service.
> 
> For the complete ISS X-Force Security Alert, please visit:


 http://xforce.iss.net/xforce/alerts/id/150


----------



## Psycosis

OMG MAN TY SO MUCH!!!!!


----------



## JohnO28356

The first time the RPC/Shutdown box came up, I got a virus warning on my eTrust AV: DcomRpc.exploit in the MS\Dr Watson\User.dmp file. I deleted the file. After that, the shutdowns started coming fast and furious. Thanks for the link to the patch, whoever posted it. I thought it was a prob on my comp tied to the virus report until my brother called from OR to say he had the same prob. Then I talked to my next door neighbor, same prob. I've passed on the link. Thanks again.


----------



## chadfitz

what did u download to fix it


----------



## tnik

check the first post on this thread chad..


----------



## valley

I just got here to ask about this very thing and here is the answer at the very top of the page! Awesome. Thanks


----------



## rachtacular

I patched my box, and everything works fine, but I still have one problem. When I tried to format my comp (clean install), this rpc thing appeared after the clean install, and during the format COM+ could not be registered...does anyone know what is happening?


----------



## JohnO28356

Stop and think about it. It was a Windows patch, and you've re-installed Windows--- Therefore you have to re-install the patch.


----------



## Rollin' Rog

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

http://www.symantec.com/avcenter/security/Content/8205.html

http://story.news.yahoo.com/news?tm...e=1&u=/nm/20030812/tc_nm/tech_windows_worm_dc

For those of you that can use XPs native firewall: Enable it!!

Network Connections > your connection > Advanced


----------



## tnik

ya no crap.. I've been running the xp firewall ever since I've had XP, and I hate to say it, but it's as good of a port blocker as the others out there


----------



## JamesBone

Thanks I guess. I remember hearing on TechTV saying that you NEED to download and update windows due to security issues. I'm glad I wasn't the only one with the problem. It doesn't do anything. I changed the service to take no action and I thought the patch ran fine. It completed, but I restart, I still get errors, I redo the patch and it sits there doing nothing. And I had that ms blast thing on my pc


----------



## severian

Antigrok! That's the key to getting the patch installed. Thanks for the tip. It's no good to know what to do if the computer shuts down before you can finish the download. Nice for dialup users.

Here is a rough draft for XP Home/Pro users: It's a compilation from several sources, but it should do the trick for most people: Revisions and suggestions would be nice. My goal here is to take somebody from "help why is my computer restarting.. something about RPC..." to a working, worm free computer in as few steps as possible. Also, it needs to be as simple as possible. I need to communicate this to people over the phone. What do you think?

1) Buy some time: Keep RPC from shutting the computer down:

Open Control Panel:
Open Administrative Tools:
Open Services:
In the right-hand list, right click on 'remote Procedure call' and select 'properties.'
Click on 'recovery' tab.
Change first, second, and subsequent failures to 'Take No Action.' 
Click apply, then ok.

2) Patch Windows XP RPC DCOM Vulnerability:

http://support.microsoft.com/default.aspx?scid=kb;en-us;823980
(some mirrors for the XP patch would be very nice as well. It's so hard to take somebody to that page over the phone... )

3) Remove the msblaster.exe worm:

start->run->regedit->ok
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
delete: in the "windows auto update"="msblast.exe"

a) Ctrl+Alt+Delete 1x:
click task manager
click the PROCESSES tab
Click the Image Name Column (sorts alphabetically)
look for MSBLAST.EXE, select it:
Click END TASK:

b) Delete the file in C:\windows\system32\msblast.exe
c) Run a full system scan. (http://housecall.antivirus.com), or update installed virus scan program

Hope that does it. It's getting some live testing right now via OEM phone support, thanks for all contributions!


----------



## live2ski173

I installed the patch but it didn't work, is there anything else I need to do besides download the patch and install it?


----------



## valley

goodness...this is more of a problem than I first thought. My mom just called me about it saying that her neighbor called her and told her that a nasty virus was taking over people's computers..

I downloaded the patch on a floppy to take over tomorrow. I feel bad for the people who won't know what to do.


----------



## monus

thank you so much, it really helps.

I had a problem with installing the patches, it kept on stopping running.


but when i tried the 3rd time, it worked.

thx.


----------



## Howlrunner

There's an engine out by McAfee called McAfee AVERT Stinger which has been updated to get rid of this virus. I'm sure there are a ton of others as well, every little bit helps though, right? Ciao!


----------



## Wuerffel

severian, I want to thank you from the bottom of my heart for that great post. It helped me get rid of that blood sucking virus that had caused me 10 shutdowns in about 20 minutes. 

I don't usually post here, just read, but I had to register and tell you how grateful I was for somebody showing me how to stop the killing machine. You are the man!


----------



## jb123

thanks for the fix....i was pullin my hair out,ready to rid of xp


----------



## ghostofzion

thanx guys so damn much, I've spent the last 3 hours pulling my hair out cause the damn worm. did what u guys told me to and it worked perfectly. thanx


----------



## dasnk

TheWeaselBoy: No, the patch took under a minute to download.

The entire windows update that was suggested here would have taken 34 minutes.

That's why I'm grateful the thread starter posted a direct link to the patch, rather than to the windows update page, like was suggested.


----------



## lbeau

I have tried to install the patch and it says the cryptographic service is not running. I cannot start it manually. I cannot right click on the RPC service as I had also disabled it in the main profile and now cannot right click on it to get the properties up. I did run AV scan and found a WAA.EXE in system32 directory but still am experiencing problems after deleting that file. Any suggestions would be greatly appreciated.


----------



## adrmore

Need help.....
Whenever I log on to the net, my windows XP has a message stating that it needs to restart.
Something about RPC / Svchost....
Pls help me.......getting frustrated with the constant restarting


----------



## TheWeaselBoy

it should run you thru a set up wizard. the patch will ask you to accept the license agreement and then run. A window asking you to reboot will finish the process. i can take a screen shot if you need to see.


----------



## lbeau

The wizard flashes for 1 second then message about cryptographic service could not be started. I cannot start that service manually as it gives error .


----------



## valley

> _Originally posted by adrmore:_
> *Need help.....
> Whenever I log on to the net, my windows XP has a message stating that it needs to restart.
> Something about RPC / Svchost....
> Pls help me.......getting frustrated with the constant restarting*


Hi adrmore....go to the first page of this thread here: http://forums.techguy.org/showthread.php?s=&threadid=152866 and in the first post by tnik, click where it says "click here for the fix" to download the patch from Microsoft. It will stop the problem you are having


----------



## RyderKim

Hi Everyone,

First I want to Thank you for the RPC shutdown fix!
I was going crazy, computer shutting down every few minutes.
I don't know if this has been posted on here yet or not, but mine was caused from being hacked....thank God I did a factory restore right before this happened and I had basically nothing on my hard drive. I suggest anyone with this problem go into your network connections and make sure there isn't one if you don't use networking...someone was having a ball on my computer. If you find a connection, make sure you go in and delete the driver and get it off your system even if you do the patch!
Kim


----------



## Kaox

I was infected with the MSBlast version of the little bugger, managed to get the patch and stop the shutdowns (thank you).. managed to scan with Housecall and single it out (thank you). But there's a problem. Actually, there's several. Since I caught the worm I have been unable to keep the Task Manager or Regedit open. I open them and they close themselves immediately. So I am unable to end the Process to delete the file and unable to use Regedit to tear it out by the roots. It was an interesting worm, when I tried to open IExplore before the patch it would give me an error and close it down. It would kill GHP when I tried to update via Windows Update. And it closes TM and RegEd.. kinda cuts off all your avenues. Any suggestions?

Kaox


----------



## Rollin' Rog

Kaox, yes; just start a NEW thread for the problem, identify it clearly in the topic and include a copy/paste of a HijackThis Scanlog:

http://www.tomcoyote.org/hjt/


----------



## onyx

well i just downloaded and started up... it goes for 2 secs and then opens a normal wizard. so u may start again... 

btw: thx guyz... i was about to drive mad!

u heard about the new W32/.... worm? i just run antivir, will that solve or should i start up a firewall, too?


----------



## onyx

nevermind. just tell me a good one... *g*

and i meant, i only run antiVir...


----------



## tnik

maybe you should repost the first post on this forum, stick and lock it, lol.. sure is a lot of ppl trying to post here with their problems rather than starting a new thread..

P.S. Rog, do you ever sleep?!


----------



## Darylman

Thank you for the help, however I am still having trouble.

I disabled the rebooting of my machine (THANK YOU GUYS) but when I try to install the patch it tells me I am installing it to an incorrect version of windows...So I tried to download the Windows Updates (service packs etc..) and they go to the Accept Declaration stage and then just do nothing.

What can I do? Is it necessary for me to reactivate RPC shutdown eventually?

Thanks a lot!

Daryl


----------



## kpxppp

Thanks so much for all the help! i used severian's advice. this website is sooo helpful.


----------



## bobtracie

Once I have the patch copied on to a floppy (I couldn't get it to download on my computer, even after I disabled the auto shut down feature in the admin. tools/services/RPC/properties panel), then what do I do? How do I get the patch to run and/or install on my computer?

Also, my husband's computer runs ME, and so far does not appear to have the worm. (I am using it to get the patch on to floppy) We tried to download the patch to his computer, and it appears to be incompatible with ME--of course, life is incompatible with ME...

Ideas? suggestions? your thread is great--at least now we know what we're dealing with.


----------



## damirding

hi sorry about this, I'm not very computer minded. i followed the link and downloaded the file i think, when an error message appeared. the message reads


KB823980 Setup could not verify the integrity of the file update.inf. make sure the cryptographic service is running on this computer.

please help and what is the cryptographic service


----------



## BitWizrd

Strange days indeed.

I downloaded the patch from MS (directly, not from Windows Update), installed it, cleaned the infected files off of the box using Symantec's tool, but it hasn't stopped the shutdowns. 

Wonder what this could mean ...


----------



## tnik

damirding.. this will help with the cryptographic service..

http://support.microsoft.com/default.aspx?scid=kb;en-us;326815


----------



## patel_anu

> 3) Remove the msblaster.exe worm:
> 
> start->run->regedit->ok
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> delete: in the "windows auto update"="msblast.exe"
> 
> a) Ctrl+Alt+Delete 1x:
> click task manager
> click the PROCESSES tab
> Click the Image Name Column (sorts alphabetically)
> look for MSBLAST.EXE, select it:
> Click END TASK:
> 
> b) Delete the file in C:\windows\system32\msblast.exe
> c) Run a full system scan. (http://housecall.antivirus.com), or update installed virus scan program
> 
> Hope that does it. It's getting some live testing right now via OEM phone support, thanks for all contributions!


is this procedure necessary? ...and by the way, thanks, it got rid of my problem too....and i had a question, has any damage been done while the virus was on my computer?


----------



## severian

Be sure you get the right patch for your system! There are two patches available for windows XP, one is for the 64 bit version. If you have to ask, you don't have the 64 bit version.

I posted a revised solution to the problem here: Again ONLY for windows XP.

http://home1.gte.net/res06pns/

**edit**

That last step should not be necessary if the McAfee tool gets the worm off. Found and posted the Symantec removal utility as well.


----------



## aquavia

"There are only 10 types of people in this world. people who understand binary, and those who don't".

Pretty stupid remark if you know 10 actually equals 3 options.... no?


----------



## BitWizrd

Thanks, severian. I've passed your URL to others who are having problems. Thanks for putting that together.


----------



## bobtracie

Thanks so much for the step-by-step instructions. I downloaded the patch on to floppy, ran it, and then deleted the file as suggested. I think it works now.


----------



## billy2k3

*Check out what I've found:* 
http://rpc_xpl.kit.net/

*isn't it ridiculous?* We're here trying to fix the problem and this guy comes and says to download the worm and execute it!
WTF?!?

Can anyone give me an explanation?!


----------



## Guest

RPC SHUTDOWN xp flaw.. 
Well experts,, 
Thanks cnn for providing early alerts about the xp rpc flaw. I hv read the whole thread . Really impressed by response. I m working for Dell tech Support. Dell support lines are jammed becoz of issue. Nearly 85% of dell systems( Home and small business) are infected by this . Now we have received a lot of mails from dell experts . I just want to know from u guys which one of them is the best solution.

I KNOW DOWNLOADING THE LATEST PATCH, BUT WHICH ONE OF THEM IS BEST TO PREVENT ABNORMAL SHUTDOWN.

i hv gone thru these threads also

http://www.security-forums.com/foru...opic.php?t=7266

http://www.security-forums.com/foru...opic.php?t=7105

Some Fixes 
======== 
1. <http://vil.mcafee.com/dispVirus.asp?virus_k=100499> 
**** 
2. 
**** 
Run Dcomcnfg.exe.

If you are running Windows XP or Windows Server 2003, perform these additional steps:

Under Console Root, click Component Services. 
Open the Computers subfolder. 
For a local computer, right-click My Computer, and then click Properties. 
For a remote computer, right-click the Computers folder, point to New, and then click Computer. Type the computer name. Right-click the computer name, and then click Properties. 
Click the Default Properties tab. 
Click to select (or click to clear) the Enable Distributed COM on this Computer check box. 
If you will be setting more properties for this computer, click the Apply button to enable (or to disable) DCOM. Otherwise, click OK to apply the changes.

3. 
**** 
Try this goto safe mode disable all under startup and then also under services. Recheck Plug and play , RPC and RPC locater, and system restore services.

Then reboot to normal mode. 
This is not a Virus it is a hacking attempt. 
removing the cable for the cable modem and the phone line will help.

5. 
***** 
Disconnect the system from the internet. 
Reboot the system 
Enable the Internet Connection Firewall ( XPs inbuilt firewall-- Advanced settings in the properties of the LAN or the Dial up connection)

Reconnect to the internet 
Then download the patch from http://microsoft.com/technet/treevi...in/MS03-026.asp

Apply the patch.

6 
*****

http://securityresponse.symantec.co...aster.worm.html

7 
*******

Boot in Safe Mode-->Go to Start>Control Panel. 
Click on the Switch to Classic view. 
Goto Administrative tools 
Go to Service. 
Select the Remote Procedure Call and Double click on the service. 
Go to Recovery. 
Go to First Failure: Change it to take no action. 
Click on Apply and ok. 
Click on the network connections 
right click on the LAN or the dial up Connection. 
Click on the Properties. 
Click on the check box which enables the XP-Firewall. 
Click on Apply and Ok. 
Reboot the system in the normal mode.

Then Guide the customer to download the patch from microsoft site. 
http://microsoft.com/downloads/deta...&displaylang=en

============================================== 
Sometimes it gives an error regarding TFTP

******************************************************* 
Any answer for tftp error 
Some IMP Info from a newsgroup 
=====================

FYI, the presence of the files Dcomx.exe or the other files mentioned below along with a "Remote Procedure Call" or TFTP popup message on your system and/or system lockups or reboots are signs you may have been hacked by a tool such as Autorooter. [TFTP.EXE is a normal file that comes with many versions of Windows, but it should usually not be running on most systems.]

To fix this: 
4. Click on "Start, Find/Search, Files or Folders" to search your hard drive 
for any of the following file names. If any of the files below are found, 
you may need additional help getting rid of them and determining what else 
if anything was changed on your computer. 
rpc.exe 
rpctest.exe 
tftpd.exe 
dcomx.exe 
lolx.exe 
worm.exe

I do believe there may be new variants of Autorooter that possibly have not yet been fully discovered. Unlike an automated event like a worm, this event may indicate that someone personally ran a tool against you and may have done things to your computer.

There are a number of posts mentioning a quick "registry fix" to close "port 135." This does very little to secure your computer, as it only closes one of the 130,000 ports on your computer. Get a firewall first, even a free one.

Also, note that the presence of new files such as TFTPxxxx or DCOMX.EXE etc. means that just installing the latest Microsoft patches, editing the registry, etc. may no longer be sufficient. Installing the Microsoft patch, editing the registry, closing ports, disabling services, etc. do absolutely nothing to block the back door that has probably now been installed, so that your computer can still be compromised using other ports.

Once your computer has been hacked, these are some things I might recommend doing are here:

http://securityadmin.info/faq.htm#hacked 
http://securityadmin.info/faq.htm#re-secure 
http://securityadmin.info/faq.htm#harden

The Autorooter Trojan has been given several different names by various anti-virus companies [although I believe some people are being attacked by something that is similar but not exactly the same as Autorooter]:

RPC Worm (F-Secure) 
Downloader-DM (McAfee) 
Autorooter (Panda) 
Worm.Win32.Autorooter (AVP) 
Backdoor.IRC.Cirebot (Symantec)

References:

http://www.europe.f-secure.com/v-descs/rpc.shtml 
http://vil.nai.com/vil/content/v_100524.htm 
http://securityresponse.symantec.co...oor.irc.cirebot 
..html 
http://news.com.com/2100-1009-5059263.html 
http://www.microsoft.com/technet/se...in/MS03-026.asp 
http://www.microsoft.com/security/s...ns/MS03-026.asp 
http://support.microsoft.com/?kbid=823980

Here are some signs of infection, though these do not necessarily match all 
the variants that might be out there:

"Signs of infection: 
- the existence of one or more of the following files: 
rpc.exe 
rpctest.exe 
tftpd.exe 
dcomx.exe 
lolx.exe 
worm.exe

Signs that a network is being attacked: 
- traffic on port 445 to sequential IP addresses.

Signs that an attack has succeeded (allowing a remote shell and downloading 
of the backdoor): 
- port 57005 open; 
- an ftp [tftp] connection on port 69."


----------
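The signs listed in the post above (the indicator file names, port 445 traffic to sequential addresses, port 57005, TFTP on port 69) expressed as a check over a file listing and a connection log. This is an added example, not part of the original thread; the log line layout, the run threshold of 5, the choice of TCP for port 57005 and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# File names the thread lists as signs of infection, plus msblast.exe from
# the removal steps earlier in the thread. tftp.exe is deliberately absent:
# the thread notes it is a normal Windows file.
INDICATOR_FILES = {"rpc.exe", "rpctest.exe", "tftpd.exe", "dcomx.exe",
                   "lolx.exe", "worm.exe", "msblast.exe"}
TFTP_TEMP = re.compile(r"^tftp\d{4}$", re.IGNORECASE)  # the "TFTPnnnn" files


def suspicious_files(paths):
    """Return the paths whose file name matches an indicator from the thread."""
    hits = []
    for path in paths:
        name = re.split(r"[\\/]", path)[-1].lower()
        if name in INDICATOR_FILES or TFTP_TEMP.match(name):
            hits.append(path)
    return hits


def parse_line(line):
    """Parse 'date time action proto src dst sport dport' (assumed layout)."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 8:
        return None
    try:
        return {"proto": parts[3].upper(), "src": parts[4],
                "dst": ipaddress.IPv4Address(parts[5]), "dport": int(parts[7])}
    except ValueError:  # malformed address or port: skip the line
        return None


def longest_sequential_run(addresses):
    """Length of the longest run of consecutive IPv4 addresses."""
    nums = sorted({int(a) for a in addresses})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyze(log_lines, min_run=5):
    """Flag the three network signs from the post; min_run is an assumed threshold."""
    targets_445 = defaultdict(set)
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "TCP" and rec["dport"] == 445:
            targets_445[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "TCP" and rec["dport"] == 57005:
            findings.append(("shell-port-57005", rec["src"], str(rec["dst"])))
        elif rec["proto"] == "UDP" and rec["dport"] == 69:
            findings.append(("tftp-transfer", rec["src"], str(rec["dst"])))
    # A source is reported only if it touched a run of neighbouring addresses;
    # scattered port 445 connections are ordinary file sharing.
    for src, dsts in sorted(targets_445.items()):
        run = longest_sequential_run(dsts)
        if run >= min_run:
            findings.append(("sequential-445-scan", src, run))
    return findings


# Constructed sample data (documentation address ranges, made-up paths).
SAMPLE_LOG = [
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port",
    "2003-08-12 10:01:01 OPEN TCP 198.51.100.7 192.0.2.10 3021 445",
    "2003-08-12 10:01:01 OPEN TCP 198.51.100.7 192.0.2.11 3022 445",
    "2003-08-12 10:01:02 OPEN TCP 198.51.100.7 192.0.2.12 3023 445",
    "2003-08-12 10:01:02 OPEN TCP 198.51.100.7 192.0.2.13 3024 445",
    "2003-08-12 10:01:03 OPEN TCP 198.51.100.7 192.0.2.14 3025 445",
    "2003-08-12 10:01:09 OPEN TCP 198.51.100.9 192.0.2.50 1044 445",
    "2003-08-12 10:01:10 OPEN TCP 198.51.100.9 192.0.2.80 1045 445",
    "2003-08-12 10:02:00 OPEN TCP 198.51.100.7 192.0.2.12 4100 57005",
    "2003-08-12 10:02:03 OPEN UDP 192.0.2.12 198.51.100.7 1050 69",
    "garbage line",
]
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\msblast.exe",
    r"C:\WINDOWS\system32\tftp.exe",
    r"C:\Documents and Settings\user\My Documents\TFTP1234",
    r"C:\WINDOWS\system32\dcomx.exe",
    r"C:\WINDOWS\notepad.exe",
]

if __name__ == "__main__":
    for hit in suspicious_files(SAMPLE_FILES):
        print("file indicator:", hit)
    for finding in analyze(SAMPLE_LOG):
        print("network indicator:", finding)
```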



## scottb721

> _Originally posted by severian:_
> 1) Buy some time: Keep RPC from shutting the computer down:
> 
> Open Control Panel:
> Open Administrative Tools:
> Open Services:
> In the right-hand list, right click on 'remote Procedure call' and select 'properties.'
> Click on 'recovery' tab.
> Change first, second, and subsequent failures to 'Take No Action.'
> Click apply, then ok.


Severian, after I've done the patch and virus removal should the above instruction be reversed so the RPC recovery is changed back to "Restart"?
My PC is staying on-line again but I'm not sure if I should just leave the RPC as "Take no action"

thanks
Scott


----------



## lithiumdeute

running WinXP Pro

the problem started in much the same way as the others i've seen on this thread. "Remote Procedure Call [RPC] service terminated unexpectedly", 60 seconds until restart. i went to Services and changed the Fail action to "Restart Service" instead of "Restart Computer". This eliminated the forced restart, so the computer no longer shuts down without my permission. However, i do frequently get the following error message (which didn't start right when i changed the Fail action, but had been going on before):

"Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience."

I have left the computer sitting for a few hours, and returned to find several of this error message stacked on top of each other. I guess this is due to the fact that i set RPC to Restart the Service each time it fails.

After doing some research, i found that RPC and Generic Host Process are the same service, or at least very closely intertwined. I checked the dependencies among services and found that nearly everything depends upon RPC. Its continued failing prompted me to do a full-system Ad-Aware and Norton Anti-Virus scan. Both turned up nothing.

I reinstalled the OS, thinking it must be an internal problem. This did not remedy the situation. I then backed up my data, Formatted my OTHER hard drive (which previously had Win2k Pro on it), and installed WinXP Pro in the new partition. I thought for SURE i had killed the problem, seeing as how practically nothing can live through a format...but there, 5 minutes after booting up the fresh OS, the same damn error message!

Normally, i could live with the small annoyance of these Generic Host Process failure messages, but that's not all that fails. Sometimes after a restart, but even before i get the first message, all kinds of things simply do not work on my computer. the "Paste" function doesn't work, EXCEPT in some 3rd-party programs that incorporate a browser. The "Drag and Drop" function doesn't work at all. The InstallShield installer fails when i try to install sound card drivers. The "Find" function in IE sometimes doesn't work. Windows Media Player aborts instantly whenever i try to play a file, but other programs play the file fine (besides the lack of sound drivers). It seems to only affect system functions that depend upon RPC, which is almost everything.

More remedies i've tried: I thought maybe data from my larger hard drive (the one whose OS initially experienced the problem) was somehow corrupting my other hard drive (which i formatted and installed WinXP Pro to). I disconnected the larger drive's power and IDE cables, and restarted. It couldn't find the boot.ini menu at all after that, so it didn't even start up. I disconnected all devices except for Monitor, Keyboard , and Mouse (currently running with only Monitor, Keyboard, Mouse, and Cable Modem connected), and that lasted a while without an error message (though Paste, Drag and Drop, etc. still didn't work). I can't work without internet access, though, so i was forced to put the Ethernet back in. It failed soon after, and is continuously failing even as i write this post.

If anyone has experienced anything like this, or knows how to get to the bottom of it, please reply.

Thanks.

Update: Perhaps my problem is solved. I tried Microsoft's patch, and things have progressed smoothly so far. The sound driver installation went well, also Paste, Drag, and Drop work again. I guess Microsoft has pulled another one out of their ***. The problem is that all their foresight is hindsight.


----------



## severian

Actually, I found that that step is not needed scottb721.

Instead,

1) Ctrl+Alt+Delete 1x:
click task manager
click the PROCESSES tab
Click the Image Name Column (sorts alphabetically)
look for MSBLAST.EXE, select it:
Click END TASK:

That's easier and does not require that you go back and change anything later. I updated the fix I posted earlier.

http://home1.gte.net/res06pns/


----------



## tnik

> _Originally posted by aquavia:_
> "There are only 10 types of people in this world. people who understand binary, and those who don't".
> 
> Pretty stupid remark if you know 10 actually equals 3 options.... no?


ok.. binary lesson..

00000001 = 1
00000010 = 2
00000011 = 3

class over


----------



## Vicarios

I know this has already been resolved and this might be a little late, but I thought it might also be helpful to mention that on XP you can enable Internet Connection Firewall for your network connection to the internet. It's already on any XP computer and it's free.

This will allow you to kill msblast.exe and prevent another attack from the virus/worm from rebooting your machine while you download appropriate patches/anti virus updates.

To enable, go to the network (or dial-up) connection's properties form, click the Advanced tab, and check "Protect my computer..." More senior members can correct me if I'm wrong, but I think it's probably a good idea to do in general if you have a direct connection to the internet on your machine. It's a new feature in XP and it's not automatically enabled unless you turn it on.

Of course, don't use it if you are already behind a firewall or on a local network as this will interfere with normal LAN services, and you might need to configure it to allow things like messenger and file sharing programs to work.

-- Ron


----------



## Vicarios

Ooops -- just realized Internet Connection Firewall was already covered... sorry!


----------



## scottb721

Thanks Severian. I'll go back and change it back to original setting and see how it goes.

Some instructions for the virus clean up say to turn off System Restore before doing anything. I neglected to do this before cleaning my PC.
What consequences will I face for not turning off Sys Restore first?


----------



## SnipeUout

what caused this rpc thing to happen?


----------



## tnik

just something overlooked by a programmer.. so what happened was someone figured out they could do a buffer overflow on the RPC and voila, a new exploit for windows.. this was actually addressed July 14th I believe, but by the time it propagates to everyone, every idiot and script kiddie out there had the exploit and is pretending to be a hacker.. I'm sure if you search the net a bit you can find more info out if you want..


----------



## NiteHawk

> _Originally posted by SnipeUout:_
> *what caused this rpc thing to happen? *


Short answer: Microsoft.


----------



## swa004

I can not restart my laptop and apply the patch. It says \windows\system32\config\system is corrupt. Is there any way to fix it other than reinstall XP (home edition)?
The recovery disk can NOT reinstall OS without formatting HD. Don't buy any Toshiba!


----------



## Visartusa

Thank you! Whew!
I'm tapping this on my son-in-law's laptop; can I go to the patch and put it on a floppy or cdr to install to the computer with the rpc??? (Not a techie...not a techie...not a techie...)
Thanks again, all!


----------



## tnik

lol.. ya.. I believe the patch will fit on a floppy..


----------



## brucedl

> _Originally posted by Vicarios:_
> *
> 
> Of course, don't use it if you are already behind a firewall or on a local network as this will interfere with normal LAN services
> -- Ron *


...which renders the thing effectively useless for a lot of people.


----------



## Visartusa

So, well, good! Thanks.
Now I'm wondering after reading the related threads here, d'ya suppose Microsoft employees are creating these worms so they'll have jobs??? Lame..I know.


----------



## Dman901

If you are a network administrator, you can do an RPC scan using Retina Network Security Scanner to find all vulnerable computers on the network.


----------



## Bulldog

Too funny....I thought I would share. 
msblast.exe mutated to *****32.exe 
http://www.sarc.com/avcenter/venc/data/w32.blaster.b.worm.html


----------



## @Ease

To stop your machine from being shutdown do the following:

In the run box type "shutdown -a" minus quotes.


----------



## Habez

also try this to stop the shut down, it's a little simpler and works the same

start>run> " shutdown -a " > ok


----------



## DonsRuleOK

I picked the perfect day to get my new computer up and running - I can laugh now - I wasn't at the time - I was ready to chuck it out the window - flippin viruses


----------



## js73

I downloaded WindowsXP-KB821557-x86-ENU.exe from Windowsupdate site. This is a 5.08 Mb file, and too big for a floppy, so I put it on a jumpdrive.


----------



## tnik

do I win a prize if this thread hits 30,000 views?!


----------



## alwaysme

i think that's what was mentioned, what it is? I'm a new user. I was wondering if anyone has this problem, lately under win xp when I'm on the net I suddenly get a black screen with letters everyone and it resets itself! It's done it for a while, I have a firewall. Does anyone have a solution for this? or had it done to them? thanks for your help!


----------



## Guest

Getting cryptographic errors. deleted catroot2 folder

No go..


----------



## BoWillis

I have seen a lot of these symptoms relating to the msblast worm.
Do your updates for OS and Virus and then run McAfee's Stinger removal. (It's free and works great)

and as for SP4....yea right....I DO NOT RECOMMEND SP4....famous last words....you'll need more patches to fix SP4 than SP4 is worth....wait give it time and let them work out the kinks....SP4 caused almost all of my shortcuts to break....


----------



## triplexjames

I don't have a firewall on my computer, so can someone tell me how to get one?

Cheers.

(btw you saved my computer lol, and my computer has WinXP home edition)


----------



## pogomonster

congrats to your record thread with more than 30.000 views
tnik :up: 

thx for the good thread

themonstawhohadtheevilwormie


----------



## compstudent

> _Originally posted by scottb721:_
> *Thanks Severian. I'll go back and change it back to original setting and see how it goes.
> 
> Some instructions for the virus clean up say to turn off System Restore before doing anything. I neglected to do this before cleaning my PC.
> What consequences will I face for not turning off Sys Restore first ? *


i only know one thing...that the virus removal procedure might be unsuccessful if windows xp system restore is not turned off.

any other information from the experts?


----------



## tnik

That's exactly the reason. If there was a restore point made when the virus was in the system, and you need to restore the system for some un-godly reason.. re-infection..


----------



## Torquin

Hehe... Guess I'm lucky... so far I haven't gotten the blaster virus yet I DID get the 'good' win32/nachi virus which seems to have been designed to get rid of the blaster virus and d/l the appropriate updates (all w/o asking you) and it infects the file svchost.exe and makes another copy which it infests of dllhost.exe in //winnt/system32/wins/dllhost.exe. It was designed to remove itself at Jan 1st 2004. I ended up getting rid of it myself but b4 d/ling the patch (which I later found out can result in having a corrupt svchost.exe). I was hoping if anyone knows how I can remedy this situation or at the very very very least send me a non corrupt file so I can replace mine thru linux copying. BTW I got rid of it by changing my clock in the BIOS =D


----------
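Added example, not part of any post in this thread: a small triage pass over a process inventory that flags the `msblast.exe` image name mentioned earlier and the `dllhost.exe` copy under `system32\wins` described in the post above. It generalizes that second case to any `svchost.exe` or `dllhost.exe` running outside `system32`; the CSV layout, host names and sample rows are constructed assumptions.

```python
import csv
import io
import ntpath

# Image name the thread associates with the Blaster worm.
BLASTER_IMAGE = "msblast.exe"
# System binaries expected to run only from <windir>\system32 itself.
SYSTEM32_ONLY = {"svchost.exe", "dllhost.exe"}

# Constructed sample inventory (hypothetical export, one process per row).
SAMPLE = """Host,Name,ExecutablePath
PC-014,svchost.exe,C:\\WINDOWS\\system32\\svchost.exe
PC-014,MSBLAST.EXE,C:\\WINDOWS\\system32\\msblast.exe
PC-022,dllhost.exe,C:\\WINNT\\system32\\wins\\dllhost.exe
PC-022,dllhost.exe,C:\\WINNT\\system32\\dllhost.exe
PC-031,explorer.exe,C:\\WINDOWS\\explorer.exe
PC-040,svchost.exe,
"""

def triage(csv_text):
    """Return a list of (host, image, reason) findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = (row.get("Host") or "").strip()
        name = (row.get("Name") or "").strip().lower()
        path = (row.get("ExecutablePath") or "").strip()
        if name == BLASTER_IMAGE:
            findings.append((host, name, "Blaster image name"))
        elif name in SYSTEM32_ONLY:
            if not path:
                # Path could not be collected; do not assume it is clean.
                findings.append((host, name, "path unknown, check manually"))
                continue
            # ntpath parses backslash paths on any OS running this script.
            # Only the immediate parent directory is checked here.
            parent = ntpath.basename(ntpath.dirname(path)).lower()
            if parent != "system32":
                findings.append(
                    (host, name, "system binary outside system32: " + path))
    return findings

if __name__ == "__main__":
    for host, name, reason in triage(SAMPLE):
        print(f"{host}: {name}: {reason}")
```

A hit only marks a machine for cleanup and patching; a clean result does not show that the patch is installed.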



## tnik

will "SFC /SCANNOW" work at command line? if not, you should be able to replace it from your installation CD..


----------



## tnik

I just got wind, if this thread hits 100,000 hits, I win an [email protected]#[email protected] hehe  

Oh, and to future posters, If you have a problem, PLEASE start a fresh thread. There are many people that are here to help, but I bet they don't check this thread for problems.


----------



## Torquin

Very well... I've gotten rid of the SVCHOST.exe problem... all that remains is to rid myself of the 2nd OS but it's no biggy... I haven't found any bugs after updating.. which is a MAJOR relief considering it's been months since I've run my computer w/o running to a time consuming problem.


----------



## mnsaint

I downloaded the patch from microsoft and when opening it stated that it wasn't a valid windows application??? Any ideas??


----------



## BabyG

UMMMM Guys? At the risk of sounding like a real stereotype BLONDE ...... What the heck does "RPC" mean??

I don't have time to read all these posts before my computer will shut down. (which is why I started the other thread, before I jumped in to read some of the other threads) So sorry if my problem is addressed here. I just have to be quick. My computer has done the restart thing twice while trying to post this. (Thank God for notepad with ability to "save" often.)

Thanks,
BabyG


----------



## ~Candy~

Remote Procedure Call (RPC) interface

Did you follow the procedures outlined in the MS article?

http://support.microsoft.com/default.aspx?scid=kb;en-us;823980


----------



## jonnyhamp

I am going nuts. Please help. I installed the patch as well as running symantec blaster removal tool. The tool says it can't find the worm, so I ran it in safe mode, and the same thing happens. My norton AV picked up the blaster but only quarantined it and did not repair it. How can I get rid of this ?? Help would be greatly appreciated!!


----------



## NiteHawk

Delete it from quarantine. Then empty the recycle bin.


----------

