TechSpot

New Blaster variant or what? RPC System Shutdown

By Zell777
Oct 8, 2003
  1. Hey guys... I've been having the same problem as so many other with this stupid RPC shutdown thing, supposedly caused by the Blaster worm or it's variants.

    This was discussed already in the topic number 6651, but everyone is discussing the "amazing patch" that they have to fix the problem, BUT:

    This does not work on my system, nor does it work in so many others (I've been reading other forums, and there are TONS of people with this same problem.

    Here's some info:

    1- I get the "Generic Host Process needs to close" screen, and when I click OK the shutdown timer starts (or it used to, I disabled the RPC shutdown manually on the System Configuration).

    2- I have my WXP updated completely (I also installed the marvelous patch that did nothing at all. Antivirus and Firewall also updated (McAfee)

    3- I tried different other quick things to fix it (like the Stinger, for the Blaster and variants and and the FixBlast and FixWelch files).

    4- Full search for virus done, none found.

    5- It is not the damn msblast.exe (there's no such file in my computer, nor the penis32 or teekids32, which are variants). There's no registry key thing (the msblast running on W Update and all that crap).

    6- The shutdown screen comes up after around 5 minutes, sometimes after 2 hours, sometimes after 10 seconds... But usually after about 5.

    7- I've got 3 svchost.exe running (sometimes 4, before it crashes), in ports 1025, 1294.

    8- I'm sick and tired of this crap. When the shutdown window comes up, I get these bugs: Can't copy/paste in the explorer or outlook; can't browse websites that have redirects (they get stuck); can't copy/paste in Dreamweaver; Office XP crashes; I start crying.

    Well.. I hope you guys can help me out with this one. I wrote a new topic since in the other one (6651) they are talking about the patchable/fixable version of this virus/worm/crap/whatever it is...

    Thanks!
     
  2. curtiscrowell

    curtiscrowell TS Rookie

    I'm getting similar activity. i cannot install the Oct. 2003 IE patch and the windows media player patch without getting the error "generic host process of win32 services..." then if I don't quick the install (hard to do, as the disk drive suggests something "heavy" is going on and doesn't want to be interrupted...I later get a "software you are installing has not passed Windows logo testing to verify compatibility with windows XP"

    If I force a shut-down, the system boots ok, and everything seems Ok except for:
    - XP keeps reminding me to install the same two updates
    - if I examine a television segment (not live, an archived broadcast ) I get again the "generic host process..." error, only this time my audio driver has disappeared! Rebooting solves this, but I can't run the windows updates

    Such excitement, such ......
    /Curtis Crowell
     
  3. Rick

    Rick TechSpot Staff Posts: 4,573   +65

    Is XP or 2000 shutting down with the RPC error?

    It's not going to fix your problem, but to keep your system from shutting down, to Start / Run / and type in: shutdown -a

    This will make it less annoying until you can find a patch for it.
     
  4. curtiscrowell

    curtiscrowell TS Rookie

    XP is not shutting down, specifically it is hanging up, and does not respond to control-alt-delete. I can hear a rythmic pattern of disk access going on, which is ominous, so after a minute or so I have just forced a power down. When it reboots, it does not appear to think that an abnormal shutdown occurred, since it does not come up in safe mode or do a disk scan or anything like that (just appears to boot normally, with nothing amiss, and the sound driver is working properly).

    XP then posts once again the "updates are available" msg on the task bar...........
     
  5. Negative_Pulse

    Negative_Pulse TS Rookie Posts: 16

    Interesting this should come up. I just finished a format/fresh install today and within the first few minutes i noticed my cable modem light going on before i started any interenet apps(before i could even install any drivers/apps). A quick look at my task manager and mblast was running, i ended it, and it has'nt showed up again. But i know its running, my cable lights are going crazy from the second i login.

    I installed the patch for windows and d/l'd norton's fix from their site, supposed to fix the worm and its variants, but it turned up nothing.

    Right now im d/l difinition updates for F-Secure anti-virus trial, so far its the best virus app i have come across (it found mblast the first time, along with 5 other trojans and worms missed by norton).

    edit: but my system is not acting funny in any way... yet...
     
  6. Mekolo

    Mekolo TS Rookie

    to see if u have the ms bals virus:
    start/run/regedit/HKEY_USERS/software/microsoft/internet explorer/explorer bars/{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}/FilesNamedMRU
    thats where mine is check ther and if its not there search the registry for ms blast.
     
  7. Zell777

    Zell777 TS Rookie Topic Starter

    I keep getting the same thing...

    I checked with everything... Everywhere on the registry, for files, online, everywhere. I still have no clue about what this is. The average is around 5 minutes before the shutdown so far (I don't need the "shutdown -a" command since I disabled the system shutdown in case of RPC crashes already in the configuration).

    I'm sure of one thing though, it's not the stupid msblast.exe file, it's either a variant from it, or something entirely new.

    As I said before, I checked other forums and there are tons of people having this same problem, that can not find the msblast in their computers.

    Have you guys heard of anything anywhere else? News? Forums?

    Thanks for the help so far...
     
  8. grgrass

    grgrass TS Rookie

    i have that problem too. i haven't had internet for about a year and a half. i got back on (the net) last week and my computer imediately got infected. i didn't know what i had. i was literary running around like a chicken with its head cut off! anyways what i did tonight has been working so far.

    i got an update on my 1 1/2 year old norton anti virus. i downloaded the 'systemactic worm blaster' same thing you dLed. and i dl the new microsoft patch. restarted the computer and its been fine since. one thing to remember is you have to disable you system restore. i didn't do that the first time and it happened to me again. (can you imagine waiting almost an hour for the blaster to scan all your files just to find out you forgot to disable system restore?!) pissed me off but i got it and its working fine so far. thats my story i hoped that helped a little.
     
  9. Zell777

    Zell777 TS Rookie Topic Starter

    Yep, what grgrass did seems to work for most people, but not for all. That's why I'm really concerned about it. Neither Symantec nor McAfee pick this thing I got, and looking for files (msblast.exe or whatever) doesn't give any results. Registry is clean also...

    I'm considering formatting right now, but I got waaay to much to backup before that and not a place to put all that info.

    Just while I was typing this, the stupid window popped up... I gotta restart now, there's not much I can do after this thing shows up since it cancel some vital functions (copy/paste and such).
     
  10. SNGX1275

    SNGX1275 TS Forces Special Posts: 10,714   +397

    This may be a long shot, but some lady called into Call for Help on Tech TV today and was saying she was getting some RPC error while being online. Leo didn't seem to want to tell her it was a blaster worm issue, the lady didn't know much about what she was talking about and Leo maybe just didn't want to go through a whole big explanation like that one thread we had on these forums when it first broke out. But here is what he told her to check.

    Right click on My Computer
    Properties
    Remote Tab

    Uncheck the box that allows remote connections.
    Then he said to make sure WindowsXP's firewall is turned on, but thats more of a standard thing and is on by default I believe (unless maybe you upgraded).

    Again this may be a long shot, but kind of a concidence that Leo didn't seem to think it was blaster related and you guys aren't having luck finding this blaster.
     
  11. rob2

    rob2 TS Rookie

    I also have a blaster variant - maybe a new more resilient blend.

    I get the 'System Shutdown Initiated by NT Authority....60 second countdown' message before I have completely booted so I have NO access to the XP OS to install fixes, run scan or fix registry. Even if I attempt to boot in Safe mode I get the popup shutdown message

    I just put a call in to Microsoft 1-866-PC SAFETY and they are escalating me to LEvel 2. (3 -5 day call back)

    I so hope that I do not have to re-install and lose all my files.

    If anyone else has any ideas on how I can apply a fix please let me know

    Rob2
     
  12. Goalie

    Goalie TS Booster Posts: 616

    Something I haven't seen yet in either thread on this topic: Does safemode impact the curious actions any?
     
  13. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Trying to "kill" the MS-Blast worm and its variants alone is not going to solve the problem.
    You have to be more selective where you browse and most important: switch over to another email-program such as Pegasus or Eudora.
    It also seems that Win2000 users are less prone to the MSBlast stuff.
     
  14. Kajer

    Kajer TS Rookie

    RPC error when online

    I've run into two different systems which were receiving the RPC error which shuts down the system within 60 seconds, however only when the person(s) were online, otherwise this did not occur as it did with the original MSblast virus. When scanning the system with Norton Antivirus, it found no virus.

    I've fixed both systems by enabling Windows XPs built in firewall, which is not activated by default.

    Hope this helps!
     
  15. Steverz

    Steverz TS Rookie Posts: 51

    For the original post on the Blaster.Worm: Any tool you use, including Norton, leaves one Blaster value in the registry ... that I did not see anyone checking for. Here is the path:

    HKEY_LOCAL_MACHINE / SOFTWARE / MICROSOFT / WINDOWS / CURRENT VERSION / RUN . In the right-hand pane, there will be an Value Name"WindowUpdater" and a Value Entry of "msblast.exe". Also make certain that its variant "mslaugh.exe" is not there. Of course, if you find either of these values, highlight and delete. Note, if you have more than one profile on the machine, you MUST check EACH profile in the registry using the same above path.
     
  16. Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,345   +11

    Some common sense when installing any operating system:

    Unplug your modem / network cable when installing.

    Plug it in after you've installed a firewall.
     
  17. Traveler

    Traveler TS Rookie

    Re: The HKEY... path-- I tried this several times, but each time the window just magically closes when I click software, if it even lets me does that. Windows also magically close when I'm trying to install these blaster patches.
     
  18. theruck

    theruck TS Booster Posts: 104   +20

    i got the same prob

    hi i have the same prob as you. i got it on 18 computers all running win xp sp1 and alal the security patches
    if you ar enot vired by some blaster virus or equal you can avoid to shutdown it by enabling the firewall
    as i noticed the "attack" comes trough port 137-139 tcp or udp (samba ports)
    i got HP printer installed on that machines (hp 1010) and i read some articles about wrong hp drivers doing this.
    if you come to some solution please send me a message

    theruck
     
  19. greyhound

    greyhound TS Rookie

    what is this?

    I have the same virus that everyone else does on my HP with XP, but it doesn't let me run the registry editor or any anti virus software, somehow the damned thing closes the windows before I can do anything in them. What the hell! its shutting me down now! HELP!!!
     
  20. theruck

    theruck TS Booster Posts: 104   +20

    greyhound we are not talking about a virus...
     
  21. ---agissi---

    ---agissi--- TechSpot Paladin Posts: 1,977   +15

    Re: what is this?

    So you know you should probably start your own thread, and FYI my friend had this prob, u gotta boot info Safemode and run Nortan Anti-Virus.
     
  22. darron saayman

    darron saayman TS Rookie

    RPC shutdown

    I am running 3 programs that have stoped this problem on stand alone computers as well as 23 networked computers.

    1) Ad-ware 6: (This Program comes with a programe called adwatch if you run this it gives you the option to block hkey_???? and all other types of spyware etc.)

    2) I am also running uwclean regitary cleaner which alows you to clean unwanted registary entry's:grinthumb


    Any questions can be mailed to me at darrons@fsmail.net
     
  23. Didou

    Didou Bowtie extraordinair! Posts: 4,274

    Well I can't help notice that you only listed two programs.;)

    & Ad-Aware only has that feature in the pro version which you have to purchase, it does not come with the Free version most people use.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...