Terminated RPC Process. Can't boot PC now

Status
Not open for further replies.

ImmortalFreak

Posts: 17   +0
So today I was on my computer and I randomly started hearing random audio. I was looking through the processes and when I went to delete what I thought it was, I clicked the wrong thing not knowing and terminated it.

It then told me my computer was shutting down in "X" seconds, and it counted down. I then deleted the Iexplore process the problem was, but was unable to do anything about the restart.

My computer restarted and now I get this - "STOP: c0000218 unknown hard error" right when I get to where I would normally log in.

Now, I can get into safe mode, but I can't get into regular mode. When I checked my event manager, it said winlogon.exe has initiated the restart and there was no title... It said it was a minor error 0xff, and the comments were that it restarted because the Remote Procedure Call (RPC) service was unexpectedly terminated.


Any suggestions?
 

Bobbye

Posts: 16,321   +36
Find the Error(s) in the Event Viewer that correspond to the crash:

Start> Run> cmd> type in eventvwr

Description of the Event Viewer:
Unfortunately, many Windows XP users aren't aware of the Event Viewer, what it is, where it is, how it can help with a problem:
The Event Viewer has logs for everything that happens on the computer. There are three sets of logs: System, Applications and Security. By opening the first two to display the Events, you can look for Errors that correspond to the time of the problem- in your case, the crash.

There are three types of Events in the System and Apps logs:
1. Information (white circle w/blue i): this is just basic documentation of the normal working of the System or Apps.
2. Warnings (yellow triangle w/black exclamation mark) noting some problem at that moment. Warnings usually resolve on their own. If they do not, they become>>>
3. Errors (red circle w/white X): they document something that didn't work or isn't happening as it should. Each Error has three parts: an ID#, a Source and a Description. By doing a right click> Properties, the Error will open to a screen that can be copied. These three parts taken together can usually lead to cause and resolution.
Do this on each of the System and the Applications logs:
Click to open the log> look for the Error> right click on the Error> Properties> Click on Copy button, top right, below the down arrow and Paste here (Ctrl V)

You can ignore the Categories 1 and 2. If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed. You don't need to include the lines of code in the box below the Description, if any.

Please do not copy the entire Event log. Only the corresponding Errors. The RPC Service is one that needs to be set to Automatic. Other Services depend on it to run, so let's check that:
Start> Run> services.msc> find RPC (Remote Procedure Call) and right click> Properties> set Startup type to Automatic> Start the Service. If you click on the Dependencies tab, you will note all the other Services that depend on RPC to run.

NOTE: you will see several 'Remote' words. When you do the right click, you will see the full name. You don't want the RPC Locator (that is set to Manual)- you want just the RPC.
 

ImmortalFreak

Posts: 17   +0
Thanks for the reply!

The stuff I posted was not an error, it was "Information" from the event viewer.

I was unable to find any errors that would correspond with this crash. There was an error regarding AVG Watch Dog, but I highly doubt that was it. :)

However, I will double check that when I get home today, I'll be back around by 2:30 PST.

I really appreciate your help.
 

almcneil

Posts: 1,236   +1
Restart in Safe Mode and disable your audio device. Then restart in Normal Mode and see if you reach the Desktop.

I think you messed up something to do with your audio device accidentally. Or it may be a Windows service that is not being started or corrupted.

Repost with results pls.

Best,
-- Andy
 

Bobbye

Posts: 16,321   +36
> The stuff I posted was not an error, it was "Information" from the event viewer.
As you now realize, Information Events go on all the time, are 'normal' and are not investigated for problems.

Even "STOP: c0000218 unknown hard error" doesn't give us anything to work with.

Check the RPC Service, make sure of the setting as advised. It is possible that a System Restore to a date right before you tried to solve the sound problem might also work.
 

ImmortalFreak

Posts: 17   +0
I have had System Restore off. =\ And the Remote Procedure Call (RPC) was already Started and set to automatic.

But anyway, you were right, there're quite a few of the exact same errors. All starting last night after it happened.

System errors:
**I’ve gotten 12+ errors containing this same ID.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/27/2008
Time: 9:24:26 PM
User: N/A
Computer: SPECTER
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
A device attached to the system is not functioning.

**This is likely irrelevant, but I figured I’d include it just in case.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 10/27/2008
Time: 9:05:17 PM
User: NT AUTHORITY\SYSTEM
Computer: SPECTER
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}


Application errors:
Event Type: Error
Event Source: EventSystem
Event Category: (50)
Event ID: 4609
Date: 10/27/2008
Time: 7:40:26 PM
User: N/A
Computer: SPECTER
Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070005 from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Type: Error
Event Source: VSS
Event Category: None
Event ID: 8193
Date: 10/27/2008
Time: 7:40:26 PM
User: N/A
Computer: SPECTER
Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Application warnings:
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 10/27/2008
Time: 7:41:51 PM
User: NT AUTHORITY\SYSTEM
Computer: SPECTER
Description:
Windows saved user SPECTER registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Thanks in advance, guys!

By the way, I disabled my audio device and that didn't work.
 

Bobbye

Posts: 16,321   +36
As alarming as it was to see all those Errors, here's the breakdown:

Time: 7:40:26 PM- 2 Also indicate you were in Safe Mode.
Time: 9:05:17 PM and 9:24:26 PM indicate that you were in Safe Mode at the time. So these are negligible as they don't start in Safe Mode and are therefore not an 'error'.
Re: Event #4609: Usually this event is followed by Event #8193 from "VSS". From a Microsoft support person (from a newsgroup post): "If the events occurred on a machine that was running in Safe Mode, these events are benign and you can ignore them - unfortunately they will always appear whenever you reboot the machine in Safe Mode."

Re: Event #10005 (DCOM) and Event #7001- Service Control Manager for IPSEC: neither of these Services start in Safe Mode. Therefore they are not actually 'Errors'.
This isn't good news. I believe you are experiencing what is called a Trojan.Shutdown. This is actually a virus. This threat copies its file(s) to your hard disk. Its typical file name is Trojan.Shutdown. Then it creates new startup key with name Trojan.Shutdown and value (?). You can also find it in your processes list with name (?) or Trojan.Shutdown. This is also referred to as '(fake Shutdown Virus) -

Malwarebytes combined with SuperAntispyware will remove this malware. Can you download the programs to a flash drive and run them from there on your system? You will find directions for both programs in Step 4 and 4 here: https://www.techspot.com/vb/post645589-1.html

It will also be helpful if you follow these two programs with HijackThis in Step 7, then attach all three logs.

I must admit that this is the first time I've been in on what are the obvious symptoms of this malware. I usually see it on the other end- in the logs when it's removed. But putting together the 60 second countdown along with your inability to boot into Normal Mode, it paints the picture describing this infection. If you can get the programs on a flash drive and run them, we should be able to clean the malware out and get you running full speed!
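
The Event Viewer triage described in this thread (keep only Errors, post one copy of each repeated ID/Source/Description, and set aside the events the thread attributes to Safe Mode), as an added Python example that is not part of any post. The function names, the `SAFE_MODE_NOISE` list and the records marked constructed are this example's own assumptions.

```python
import re

# Header fields in the text produced by the Event Viewer "Copy" button,
# in the layout shown in the posts above.
FIELD = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$"
)

# (Source, Event ID) pairs this thread attributes to running in Safe Mode.
# Assumption: the list encodes the thread's assessment only, and it is applied
# only when the caller states that the records were logged in Safe Mode.
SAFE_MODE_NOISE = {
    ("Service Control Manager", "7001"), ("DCOM", "10005"),
    ("EventSystem", "4609"), ("VSS", "8193"),
}

def parse_events(text):
    """Split pasted Event Viewer text into one dict per record."""
    events, cur, in_desc = [], None, False
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m and m.group(1) == "Event Type":      # a new record starts here
            cur, in_desc = {"Description": ""}, False
            events.append(cur)
        if cur is None:
            continue                              # text before the first record
        if m and not in_desc:
            cur[m.group(1)] = m.group(2).strip()
        elif line.strip() == "Description:":
            in_desc = True
        elif in_desc and line.strip():            # a description may span lines
            cur["Description"] = (cur["Description"] + " " + line.strip()).strip()
    return events

def unique_errors(events, safe_mode=False):
    """Keep Errors only; collapse repeats sharing ID, Source and Description."""
    seen = {}
    for ev in events:
        if ev.get("Event Type") != "Error":
            continue                              # Information and Warning are skipped
        key = (ev.get("Event ID"), ev.get("Event Source"), ev["Description"])
        row = seen.setdefault(key, {
            "id": key[0], "source": key[1], "description": key[2], "count": 0,
            "first_seen": f"{ev.get('Date')} {ev.get('Time')}",
            "safe_mode_noise": safe_mode and (key[1], key[0]) in SAFE_MODE_NOISE,
        })
        row["count"] += 1
    return list(seen.values())

def _record(etype, source, eid, time, desc):
    """Build one record in the pasted layout (helper for the sample only)."""
    return (f"Event Type: {etype}\nEvent Source: {source}\nEvent Category: None\n"
            f"Event ID: {eid}\nDate: 10/27/2008\nTime: {time}\nUser: N/A\n"
            f"Computer: SPECTER\nDescription:\n{desc}\n\n")

IPSEC = ("The IPSEC Services service depends on the IPSEC driver service which "
         "failed to start because of the following error:\n"
         "A device attached to the system is not functioning.")
SAMPLE = (
    _record("Error", "Service Control Manager", "7001", "9:24:26 PM", IPSEC)      # from the thread
    + _record("Error", "Service Control Manager", "7001", "9:31:02 PM", IPSEC)    # constructed repeat
    + _record("Information", "ExampleSource", "1", "9:32:00 PM", "Constructed.")  # constructed
    + _record("Error", "ExampleApp", "1000", "9:33:00 PM", "Constructed error.")  # constructed
)

if __name__ == "__main__":
    for row in unique_errors(parse_events(SAMPLE), safe_mode=True):
        print(row["count"], row["source"], row["id"], row["safe_mode_noise"])
```

Rows with `safe_mode_noise` set are the ones to set aside when the log was captured in Safe Mode; the remaining rows are the ones worth posting.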
 

ImmortalFreak

Posts: 17   +0
And you know what... Just the day before I found a Trojan on my computer... That's why I went into Task Manager and started ending processes, because I saw no programs open, yet I was hearing this random audio.

Good news, though. I have the first two programs already on my computer, I don't have the Hijack one, though. I'm starting my scans right now, I'll report back here.

Man, this seems pretty coincidental, huh? I end a task and it makes me think it was me, but really a virus, haha.
 

Bobbye

Posts: 16,321   +36
Good job! We have a better handle on it now:
Mbam found and removed a Registry key with antispywarexp2009.
SAS shows just about every Tracking Cookie available. Have SAS remove all.
You need to reset the Cookies:
Internet Options (from Tools in IE or Control panel)> Privacy tab> Advanced button> CHECK 'override automatic Cookies handling'> Check 'Allow first party Cookies'> CHECK Block third party Cookies> CHECK 'allow per session Cookies'> Apply> OK.
Java:
Your Java is out of date. Update Java to v6u10 here: http://java.com/en/download/manual.jsp
Adobe:
The Adobe Reader is out of date: Update Adobe Reader to v9 here: http://www.adobe.com/products/acrobat/readstep2.html
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adversityguild.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
Questionable:

Determine which program this is. There is no program information in the log:
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork>> Adult content dialer. This infection should not be confused with the legitimate Fileplanet Download Manager program, which has the same filename.
The really bad guys:
O20 - AppInit_DLLs: karna.dat>> Added by the Troj/FakeVir-GL Trojan. (we may have to use KillBox on this, but remove in HijackThis.)
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll>> An illegal software crack used to bypass copy protection for Windows.
(This program uses the Winlogon Notify key to automatically start. This key is used to run certain programs when specific actions occur such as computer starting up, a user logging in or logging off, or a computer shutting down).
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot back into Safe Mode:

Start> Run> type in 'msconfig' without the quotes> Selective Start-up> Startup tab> UNCHECK everything EXCEPT antivirus and firewall> Apply> OK.

Start> Run> services.msc> find both Adobe Services and on each: right click> Properties> change Start up Type to Disabled.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
(there may be more when you can run in Normal Mode and show programs)
DAEMON Tools
Dial33
Adobe 7
Java v5u9 and any other Java except v6u10
If you can, reboot into Normal Mode- you will get a nag message which you can close after checking 'don't show this message again'. Stay in Selective Startup.

Scan with HijackThis again and attach the new log.
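
An added example, not part of the post above: a Python triage of HijackThis log lines that puts the autostart locations singled out in this thread (O20 AppInit_DLLs and Winlogon Notify) first, then orphaned registrations, then ordinary startup entries. The priority rules and names are this example's own assumptions; the sample entries are copied from the log in this thread, with one constructed header line.

```python
import re

# "<section> - <body>", e.g. "O20 - AppInit_DLLs: karna.dat"
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
RANK = {"high": 0, "medium": 1, "low": 2}

def classify(section, body):
    """Return (priority, reason) for one entry. The rules are this example's own."""
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        if body.split(":", 1)[1].strip():
            return "high", ("AppInit_DLLs is set: the DLL loads into every "
                            "process that loads user32.dll")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        return "high", ("Winlogon Notify DLL: loaded by winlogon.exe for "
                        "logon, logoff, startup and shutdown events")
    if body.endswith("(no file)"):
        return "medium", "registration refers to a file that is not on disk"
    if section == "O4" and body.endswith("= ?"):
        return "medium", "startup shortcut whose target could not be resolved"
    if section in ("R0", "R1"):
        return "medium", "browser start or search page, or proxy setting"
    return "low", "confirm the program is expected and the path is where it was installed"

def triage(log_text):
    """Parse a HijackThis log and return its entries, highest priority first."""
    rows = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue                      # header lines, blanks, commentary
        priority, reason = classify(m.group("section"), m.group("body"))
        rows.append({"section": m.group("section"), "body": m.group("body"),
                     "priority": priority, "reason": reason})
    # sorted() is stable, so entries keep log order within each priority
    return sorted(rows, key=lambda r: RANK[r["priority"]])

# Entries copied from the log in this thread; the first line is constructed.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed header line)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f'{row["priority"]:6} {row["section"]:4} {row["body"]}')
        print(f'       {row["reason"]}')
```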
 

almcneil

Posts: 1,236   +1
BINGO!! You've Been Hit by Spyware!!

> And you know what... Just the day before I found a Trojan on my computer... That's why I went into Task Manager and started ending processes, because I saw no programs open, yet I was hearing this random audio.
>
> Good news, though. I have the first two programs already on my computer, I don't have the Hijack one, though. I'm starting my scans right now, I'll report back here.
>
> Man, this seems pretty coincidental, huh? I end a task and it makes me think it was me, but really a virus, haha.

Immortal,

I recognize this. It's actually a spyware program that tries to install a music player on your computer (illicitly) but messes it up. I've had two customers in the past who had this spyware infection.

I recommend running the following 3 anti-spyware utilities (click on the name to get the download page at this site):


Once you're done, repost with results and we'll proceed from there if necessary.

Best,
-- Andy
 

ImmortalFreak

Posts: 17   +0
Good deal, I will go through all of those steps when I get home from school today.

I have all three of the programs mentioned in the previous post, and I will run them while I'm gone.

Thanks guys!
 

ImmortalFreak

Posts: 17   +0
Just did the hijack this fix, and the Spybot scan has been completed. AVG is in progress. Spybot found and fixed "MediaPlex" and it also found "Excite" but that's just one of my emails.

Regarding AdAware and the Java/Adobe update, the computer is not recognizing my flash drive... It's not the drive, as it works on other computers, it just seems to be that one. I'm gonna restart after the AVG scan is done and check it then.

About the antiWPA thing, when I bought the computer it had the illegal copy. I bought it for a friend for dirt cheap, so I can't necessarily say "Hey, buy the windows copy for the computer"... My brother gets them from his work for fairly cheap, so when he gets back from Texas we're going to get a copy for the computer here, maybe even Vista.

That said, I removed all the stuff but that antiWPA thing with Hijackthis.
 

ImmortalFreak

Posts: 17   +0
Scans are done, I cannot remove Java or Adobe because "The windows installer service could not be accessed. Could also be safe mode, or the installer service is not installed correctly" Something to that effect.

As far as Dial33 and DAEMON, those aren't listed. That said, I'm going to reboot.

About the "Uncheck everything but AntiVirus & Firewall", I'm assuming that didn't mean critical things like the RPC and stuff, right?

Anyways, I did all that stuff, tried restarting into regular, and it was a no go.. Same thing.

You guys sure it's a virus? It happened as I deleted the task, I don't remember which it was, though. =\ But after that the audio turned off when I deleted "iexplore something". So it was a hidden internet popup, or something. You know way more than me, but I figured it would be as simple as restarting the process I ended.
 

almcneil

Posts: 1,236   +1
At this point, the malware (virus and/or spyware) is probably gone. What's left is the corruption from it or the removal of it. I'd perform a Windows repair. Do you have the Windows installation CD for your computer?

-- Andy
 

ImmortalFreak

Posts: 17   +0
I don't have one, but I can get one.

Does the Windows Repair have to do with the Recovery Console? Because I can run that without the CD, apparently.
 

almcneil

Posts: 1,236   +1
No, the Windows repair is a feature within the Windows installation CD. Recovery Console is also a feature within the Windows installation CD but can be obtained separately.

What CD do you have?

Make sure you get a copy of the Windows installation CD that MATCHES the Windows version you have.

Best,
-- Andy
 

ImmortalFreak

Posts: 17   +0
I just called someone and they're going to bring it with them when they come over today... I personally have no CD yet.

So when I get the CD, run the repair, and everything should be okay, or?
 

almcneil

Posts: 1,236   +1
What the Windows repair does is check that the Windows system directory is correct and up to date. It checks for any files that are missing or corrupt and replaces it with the one from the CD. It also makes sure all the software pointers to the system files are up to date. Windows repair does not touch your personal files, programs or settings.

If this is a system corruption problem, it's highly likely Windows repair can fix it. Sometimes it doesn't. You just have to try it and see if it works. You have little to lose by trying it since you can't boot to Normal Mode anyway.

Best,
-- Andy
 

ImmortalFreak

Posts: 17   +0
True that. Alright bro, the CD should be here in the next hour. I'll run it as soon as it gets here. Thanks a ton for all your help!
 

almcneil

Posts: 1,236   +1
I won't be around at that time as I have a customer call. But either look up the Windows repair guide at this site or have someone else here help you.

Best,
-- Andy
 

Bobbye

Posts: 16,321   +36
Andy, I've said this before and I will say it again- please do not come in in the middle of a malware cleaning process and suggest your 3 different programs. I have already begun with this and once again, you have interrupted. Our cleaning process is structured as it is because it works well that way. And once it has begun and is in progress, your interruptions disturb that process and confuse the user as he now has to try and deal with 3 different programs.

Yes, this is an open board. But that does not mean interrupting a work in process to send a user off in a different direction. This has gotten so bad, I have brought it to the attention of the moderators- again.

The programs you are suggesting are good spyware/adware programs. But they are not for deep cleaning- rather for running on the systems regularly. Once malware accesses a system- especially when it's multiple infections, these programs are usually not sufficient to remove all of them.
 

ImmortalFreak

Posts: 17   +0
I'm sorry, I didn't mean to mess anything up by taking multiple sets of advice. I thought you guys were a team, hehe.

On a side note, I did the repair and now I get a different error loading into regular mode. My brother had me go ahead and start the reinstall and see if that did anything, because after the repair I couldn't even access safemode. He said I'd just have to blow off my computer if all went well and I was able to get in to regular mode, or live with the cracked out settings. He said if not that, it's more than likely a hardware issue.

But about the new error I get: Well, I went over to the other computer and now I can't even get that far, hehe.

It's looping, it goes to the setup to install windows, and then I get this error:
Error:
Sxs.dll:Syntax error in manifest of policy file D:\1386\asms\10\msft\windows\gdiplus\gdiplus.man" on line 4

Error:
Install failed D:\l386\ASMS (Data Error) Cyclic Redundancy Check

Fatal Error:
one of the components windows needs to continue the setup couldn't be installed (Data Error) Cyclic Redundancy Check

It repeats the exact or very close to those same 3 errors several times in the log.

So I exit the setup, reboot the PC and it loops right back to the "Installing Windows" step of the setup. If I boot in safemode it says it cannot continue setup in safe mode and then loops me back there.
 

Bobbye

Posts: 16,321   +36
> I thought you guys were a team

Teamwork is often seen on computer boards- the reason? We are not all of the same expertise and knowledge. However, when someone comes in to the middle of a malware cleaning thread and points a user to different programs to run, it is not teamwork and it causes confusion for the user.

Since I did not advise the Windows repair, I am going to have to leave you with the person who did and hope he can get you out of the mess he caused.

IF this does not get solved, please start a new thread, with reference to this thread, and we'll try to take it from the top again, hopefully without interference.

FYI: Re the syntax error: XP Upgrade Install problem - sxs.dll syntax error in manifest.
Possible causes:
1. a bad windows CD, or a bad CD-ROM drive!
2. some sort of hardware issue.
3. It appears that there's an issue with the dll recognizing your networking software. Is this a genuine Microsoft CD, a manufacturer's CD, or one that you got from someone else?
4. the download or copying to a CD was corrupted

From Bleeping Computer:
Some suggestions from a google search for a part of the error message:
http://www.hardwareanalysis.com/content/topic/15875/
http://www.pcreview.co.uk/forums/thread-565378.php
http://forums.pcworld.co.nz/archive/index.php/t-30558.html
Please note that some of the links refer to other filenames in the error message, so the fix will also reflect the error message.

Probably the best link for real technical info: http://blogs.msdn.com/matt_pietrek/archive.../12/407752.aspx

All of this having been said, I still suspect a faulty CD - and the fix is to try other CD's.
 

momok

Posts: 2,127   +6
Are you able to boot normally without the CD? What kind of errors, if any, do you face? Please list them out specifically and we'll see what we can do to help.
 