New Blaster variant or what? RPC System Shutdown

Status
Not open for further replies.
Hey guys... I've been having the same problem as so many others with this stupid RPC shutdown thing, supposedly caused by the Blaster worm or its variants.

This was discussed already in the topic number 6651, but everyone is discussing the "amazing patch" that they have to fix the problem, BUT:

This does not work on my system, nor does it work on so many others (I've been reading other forums, and there are TONS of people with this same problem).

Here's some info:

1- I get the "Generic Host Process needs to close" screen, and when I click OK the shutdown timer starts (or it used to, I disabled the RPC shutdown manually on the System Configuration).

2- I have my WXP updated completely (I also installed the marvelous patch that did nothing at all). Antivirus and Firewall also updated (McAfee).

3- I tried different other quick things to fix it (like the Stinger, for the Blaster and variants, and the FixBlast and FixWelch files).

4- Full search for virus done, none found.

5- It is not the damn msblast.exe (there's no such file in my computer, nor the penis32 or teekids32, which are variants). There's no registry key thing (the msblast running on W Update and all that crap).

6- The shutdown screen comes up after around 5 minutes, sometimes after 2 hours, sometimes after 10 seconds... But usually after about 5.

7- I've got 3 svchost.exe running (sometimes 4, before it crashes), in ports 1025, 1294.

8- I'm sick and tired of this crap. When the shutdown window comes up, I get these bugs: Can't copy/paste in the explorer or outlook; can't browse websites that have redirects (they get stuck); can't copy/paste in Dreamweaver; Office XP crashes; I start crying.

Well.. I hope you guys can help me out with this one. I wrote a new topic since in the other one (6651) they are talking about the patchable/fixable version of this virus/worm/crap/whatever it is...

Thanks!
 
I'm getting similar activity. I cannot install the Oct. 2003 IE patch and the Windows Media Player patch without getting the error "generic host process of win32 services..." then if I don't quit the install (hard to do, as the disk drive suggests something "heavy" is going on and doesn't want to be interrupted)... I later get a "software you are installing has not passed Windows logo testing to verify compatibility with windows XP"

If I force a shut-down, the system boots ok, and everything seems Ok except for:
- XP keeps reminding me to install the same two updates
- if I examine a television segment (not live, an archived broadcast ) I get again the "generic host process..." error, only this time my audio driver has disappeared! Rebooting solves this, but I can't run the windows updates

Such excitement, such ......
/Curtis Crowell
 
Is XP or 2000 shutting down with the RPC error?

It's not going to fix your problem, but to keep your system from shutting down, go to Start / Run and type in: shutdown -a

This will make it less annoying until you can find a patch for it.
 
XP is not shutting down, specifically it is hanging up, and does not respond to control-alt-delete. I can hear a rhythmic pattern of disk access going on, which is ominous, so after a minute or so I have just forced a power down. When it reboots, it does not appear to think that an abnormal shutdown occurred, since it does not come up in safe mode or do a disk scan or anything like that (just appears to boot normally, with nothing amiss, and the sound driver is working properly).

XP then posts once again the "updates are available" msg on the task bar...........
 
Interesting this should come up. I just finished a format/fresh install today and within the first few minutes i noticed my cable modem light going on before i started any internet apps (before i could even install any drivers/apps). A quick look at my task manager and mblast was running, i ended it, and it hasn't showed up again. But i know it's running, my cable lights are going crazy from the second i login.

I installed the patch for windows and d/l'd norton's fix from their site, supposed to fix the worm and its variants, but it turned up nothing.

Right now I'm d/l definition updates for F-Secure anti-virus trial, so far it's the best virus app i have come across (it found mblast the first time, along with 5 other trojans and worms missed by norton).

edit: but my system is not acting funny in any way... yet...
 
to see if u have the ms blast virus:
start/run/regedit/HKEY_USERS/software/microsoft/internet explorer/explorer bars/{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}/FilesNamedMRU
that's where mine is. check there, and if it's not there search the registry for ms blast.
 
I keep getting the same thing...

I checked with everything... Everywhere on the registry, for files, online, everywhere. I still have no clue about what this is. The average is around 5 minutes before the shutdown so far (I don't need the "shutdown -a" command since I disabled the system shutdown in case of RPC crashes already in the configuration).

I'm sure of one thing though, it's not the stupid msblast.exe file, it's either a variant from it, or something entirely new.

As I said before, I checked other forums and there are tons of people having this same problem, that can not find the msblast in their computers.

Have you guys heard of anything anywhere else? News? Forums?

Thanks for the help so far...
 
i have that problem too. i haven't had internet for about a year and a half. i got back on (the net) last week and my computer immediately got infected. i didn't know what i had. i was literally running around like a chicken with its head cut off! anyways what i did tonight has been working so far.

i got an update on my 1 1/2 year old norton anti virus. i downloaded the 'systemactic worm blaster' same thing you dLed. and i dl the new microsoft patch. restarted the computer and it's been fine since. one thing to remember is you have to disable your system restore. i didn't do that the first time and it happened to me again. (can you imagine waiting almost an hour for the blaster to scan all your files just to find out you forgot to disable system restore?!) pissed me off but i got it and it's working fine so far. that's my story i hoped that helped a little.
 
Yep, what grgrass did seems to work for most people, but not for all. That's why I'm really concerned about it. Neither Symantec nor McAfee pick this thing I got, and looking for files (msblast.exe or whatever) doesn't give any results. Registry is clean also...

I'm considering formatting right now, but I got waaay too much to backup before that and not a place to put all that info.

Just while I was typing this, the stupid window popped up... I gotta restart now, there's not much I can do after this thing shows up since it cancels some vital functions (copy/paste and such).
 
This may be a long shot, but some lady called into Call for Help on Tech TV today and was saying she was getting some RPC error while being online. Leo didn't seem to want to tell her it was a blaster worm issue, the lady didn't know much about what she was talking about and Leo maybe just didn't want to go through a whole big explanation like that one thread we had on these forums when it first broke out. But here is what he told her to check.

Right click on My Computer
Properties
Remote Tab

Uncheck the box that allows remote connections.
Then he said to make sure Windows XP's firewall is turned on, but that's more of a standard thing and is on by default I believe (unless maybe you upgraded).

Again this may be a long shot, but kind of a coincidence that Leo didn't seem to think it was blaster related and you guys aren't having luck finding this blaster.
 
I also have a blaster variant - maybe a new more resilient blend.

I get the 'System Shutdown Initiated by NT Authority....60 second countdown' message before I have completely booted so I have NO access to the XP OS to install fixes, run scan or fix registry. Even if I attempt to boot in Safe mode I get the popup shutdown message.

I just put a call in to Microsoft 1-866-PC SAFETY and they are escalating me to Level 2. (3-5 day call back)

I so hope that I do not have to re-install and lose all my files.

If anyone else has any ideas on how I can apply a fix please let me know.

Rob2
 
Something I haven't seen yet in either thread on this topic: Does safemode impact the curious actions any?
 
Trying to "kill" the MS-Blast worm and its variants alone is not going to solve the problem.
You have to be more selective where you browse and most important: switch over to another email-program such as Pegasus or Eudora.
It also seems that Win2000 users are less prone to the MSBlast stuff.
 
RPC error when online

I've run into two different systems which were receiving the RPC error which shuts down the system within 60 seconds, however only when the person(s) were online, otherwise this did not occur as it did with the original MSblast virus. When scanning the system with Norton Antivirus, it found no virus.

I've fixed both systems by enabling Windows XP's built-in firewall, which is not activated by default.

Hope this helps!
 
For the original post on the Blaster.Worm: Any tool you use, including Norton, leaves one Blaster value in the registry ... that I did not see anyone checking for. Here is the path:

HKEY_LOCAL_MACHINE / SOFTWARE / MICROSOFT / WINDOWS / CURRENT VERSION / RUN. In the right-hand pane, there will be a Value Name "WindowUpdater" and a Value Entry of "msblast.exe". Also make certain that its variant "mslaugh.exe" is not there. Of course, if you find either of these values, highlight and delete. Note, if you have more than one profile on the machine, you MUST check EACH profile in the registry using the same above path.
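
The per-profile check described in the post above, as an added example that is not part of the original post: it parses saved `reg query` text and flags Run-key values that launch either file named there. The sample output, SID, paths and every value name except "WindowUpdater" are constructed for illustration.

```python
import re

# File names come from the post above; everything else here is an assumption.
SUSPECT_FILES = {"msblast.exe", "mslaugh.exe"}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

# Constructed sample of `reg query` output (SID, paths and value names invented).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV Tray    REG_SZ    "C:\Program Files\ExampleAV\avtray.exe" /s
    WindowUpdater    REG_SZ    msblast.exe

HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Microsoft\Windows\CurrentVersion\Run
    updater two    REG_SZ    "C:\WINDOWS\system32\MSLAUGH.EXE" -q
    lookalike    REG_SZ    C:\Tools\notmsblast.exe
"""


def parse_reg_query(text):
    """Yield (key, value_name, data) for every value line in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()          # a new key header starts in column 0
            continue
        m = VALUE_RE.match(line)        # value lines are indented
        if m and key:
            yield key, m["name"], m["data"].strip()


def suspect_files_in(data):
    """Return suspect file names that appear as a whole path component or word."""
    tokens = re.split(r'[\\/"\s]+', data.lower())
    return sorted(SUSPECT_FILES.intersection(tokens))


def find_suspect_run_values(text):
    """List (key, value_name, file) for Run-key values that launch a suspect file."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if not key.lower().endswith(RUN_SUFFIX):
            continue                    # only the autostart key the post names
        hits.extend((key, name, f) for f in suspect_files_in(data))
    return hits


if __name__ == "__main__":
    for key, name, f in find_suspect_run_values(SAMPLE):
        print(f"{f}: value {name!r} under {key}")
```

Feed it the saved output of `reg query` for the HKLM Run key and for the same path under each loaded HKEY_USERS hive; matching is on whole file names, so a look-alike such as `notmsblast.exe` is not flagged.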
 
Some common sense when installing any operating system:

Unplug your modem / network cable when installing.

Plug it in after you've installed a firewall.
 
Re: The HKEY... path-- I tried this several times, but each time the window just magically closes when I click software, if it even lets me do that. Windows also magically close when I'm trying to install these blaster patches.
 
i got the same prob

hi i have the same prob as you. i got it on 18 computers all running win xp sp1 and all the security patches
if you are not vired by some blaster virus or equal you can avoid the shutdown by enabling the firewall
as i noticed the "attack" comes through port 137-139 tcp or udp (samba ports)
i got HP printer installed on those machines (hp 1010) and i read some articles about wrong hp drivers doing this.
if you come to some solution please send me a message

theruck
 
what is this?

I have the same virus that everyone else does on my HP with XP, but it doesn't let me run the registry editor or any anti virus software, somehow the damned thing closes the windows before I can do anything in them. What the hell! it's shutting me down now! HELP!!!
 
Re: what is this?

Originally posted by greyhound
I have the same virus that everyone else does on my HP with XP, but it doesn't let me run the registry editor or any anti virus software, somehow the damned thing closes the windows before I can do anything in them. What the hell! it's shutting me down now! HELP!!!

So you know you should probably start your own thread, and FYI my friend had this prob, u gotta boot into Safe mode and run Norton Anti-Virus.
 
RPC shutdown

I am running 3 programs that have stopped this problem on stand-alone computers as well as 23 networked computers.

1) Ad-ware 6: (This program comes with a program called adwatch; if you run this it gives you the option to block hkey_???? and all other types of spyware etc.)

2) I am also running uwclean registry cleaner which allows you to clean unwanted registry entries.


Any questions can be mailed to me at darrons@fsmail.net
 
Well I can't help but notice that you only listed two programs. ;)

& Ad-Aware only has that feature in the pro version which you have to purchase, it does not come with the Free version most people use.
 