Remote Procedure Call (RPC) error! plz help!

[CinimoD]

Hey guys!

I have a big problem with my Windows XP. Sometimes while im surfing on the internet, I have this error that appear and force me to reboot my computer:

"This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT Authority\System

Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly"

Anyone know what's the problem??

thanks!

Dom

---

You have been hit by the W32.Blaster.Worm. See the Windows Update site, and our sticky thread in this forum.

 

[cleverhandle]

Try looking down the page for a thread about this. Short answer: you've been owned.

 

[Twista]

rofl i just got this omg i just got it right now wtf its happening on FAT32 and i just came from ntfs, so tel lme are you on fat32 or ntfs?

/Ok. Im back so do you have your windows updated which im about to do now and some other crap.


broken things:
copy and paste doesnt work?
right click menu doesnt work?

 

[NesuD]

this is happening like crazy in my area. I have people calling me left and right about it. I haven't seen it becuase my router seems to keep it out. hopped into the dmz just to see what would happen and got hit in less than a minute.

 

[NesuD]

Here is something from microsoft about it. RPC vulnerability

 

[apemanttt]

Just happened to me half an hour ago... Something big is going down online. I think this is happening around the country. This will definitely be making the news tonight/tomorrow.

 

[apemanttt]

30 seconds and counting to shutdown for me.

See you guys in a few minutes... I'm downloading the fixes but they won't work.


15 seconds.

 

[Kilrsat]

This made news on July 31st when it was new.

Now its just laziness.

Keep up to date on your patches and get a firewall.

A few links:

http://www.cert.org/advisories/CA-2003-19.html
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

 

[NesuD]

turn on the built in xp firewall it is supposed to block it

 

[Twista]

/edit: Why when i try to install windows xp during installtion now it says a error with COM part and im telling you this never happen before this rpc sh!t today so....... im not going to format till this sh!t is figured out some more.

now wtf is wrong i had to format to windows 2000 and fat32 didnt even format hmm wth its going on with this stuff. I was trying to patch my windows w/ windows update but than i got the damn error now wtf.

download this and no a format did not help! I formate like 3 times and 2 times for win2k so now im going to install xp again with fat32 and this patch is saved on the slave drive so i can quickly apply it.

Text

http://forums.anandtech.com/messageview.cfm?catid=32&threadid=1109350&FTVAR_MSGDBTABLE=

download this and no a format did not help! I formate like 3 times and 2 times for win2k so now im going to install xp again with fat32 and this patch is saved on the slave drive so i can quickly apply it.

 

[speed01]

Is the XP install stopping with a COM Port error? If so, do you have anything plugged in on a serial port or maybe a modem installed? Do you perhaps have Boot Sector Protection turned on in your BIOS (You may or may not have this option but it's worth checking IMHO)?

Speed

 

[AzNKiD]

people, just because you patch your windows doesnt mean your clean. if you ever saw the RPC popup, its liky that they got in already and planted a worm. this pass week, ALOT of people are being scanned and infected. so do us all a favor and check for virus after u patch, and see if u find files msconfig32.exe, webdav.exe and tftp around in your hd.

here is my firewall log the past 10mins.
1,[11/Aug/2003 16:07:38] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, 63.203.124.227:1684->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:08:01] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, 63.204.164.107:4186->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:08:09] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, 67.74.129.27:2932->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:08:40] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, 63.204.190.142:2343->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:08:43] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, adsl-63-204-190-142.vietnamesevalues.com [63.204.190.142:2343]->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:10:23] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, 63.204.32.126:2191->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:10:26] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, adsl-63-204-32-126.dsl.lsan03.pacbell.net [63.204.32.126:2191]->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:12:52] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, 216.99.224.6:20835->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:13:45] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, 63.202.241.52:3301->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:13:48] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, adsl-63-202-241-52.dsl.sndg02.pacbell.net [63.202.241.52:3301]->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:14:51] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, 80.179.185.148:4366->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:17:20] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, 65.181.8.186:3363->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1,[11/Aug/2003 16:17:21] Rule 'Generic Host Process for Win32 Services': Blocked: In TCP, 81.49.255.253:4069->localhost:135, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE

MAKE IT STOP PEOPLE

 

[Twista]

how are we getting msblat after formats wtf and in win2k its a error that doesnt reboot the pc but it does kill the servies b/c im still getting it.


/edit: i cant apply the patch (sp4) for win2k b/c of a error, now whos the brains behind this.

 

[speed01]

What error are you getting? You may have something different going on there..

Speed

 

[Mark R]

Tell me about it.

I just got owned so hard that I reformatted my comp. The attacks were so frequent that I couldn't get on the net long enough even to get onto AT forums or google - let alone download the security update. I got shut down at least 20 times while trying to work out what the problem was - my first thought was a faulty broadband modem, or damaged cable - because I would get nuked within about 2 minutes of getting online.

You can only imagine how pissed I was when exactly the same thing happened on the twice newly formatted comp.

The attacks were still going 4 hours after I first spotted the problem.

On Win 2k the error manifests itself as an application error in 'svchost.exe' after that your PC is totally screwed until you reboot.

Looking in the error log reveals the telltale signs of the attack:

System log:
The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.

Application log:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 42 of .\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BF from line 42 of .\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

The application, svchost.exe, generated an application error The error occurred on 08/12/2003 @ 00:19:32.656 The exception generated was c0000005 at address E03C3A68 (<nosymbols>)

 

[Twista]

Originally posted by: speed01
What error are you getting? You may have something different going on there..

Speed

nope the same thing in windows the 60 sec count down w/ the rpc error in the box. Im just saying i never got this one error while installign windows. I just did a fresh win2k and i just installed a firewall and AVS program and when i bootedit the FW prompted me to deney acess for "msblast.exe" the virus.


/edit the post above with this error "Application log:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 42 of .\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BF from line 42 of .\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error." same thing from win2k installtion wtf is this worm? Is it stuck in my mbr.

Thisis happening in all ms os!

from my fresh win2k- The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.

 

[NesuD]

this should help get rid of msblast. took this from trendmicros site.

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
?windows auto update" = MSBLAST.EXE
Close Registry Editor.

 

[NesuD]

LOL!!
Just gave charter pipelines tech support a call to see if they maybe could do something about all this coming on port 135 and i got a recording describing this problem and saying it is the fault of the operating system and to call microsoft.

 

[Twista]

http://pics.bbzzdd.com/users/twista/wtf.jpg

 

[speed01]

Twista did you download all of the MS patches? The problem you have now sounds a lot like this.

Speed

 

[speed01]

At least the firewall is blocking th MSBLAST problem now...

Speed

 

[Twista]

Originally posted by: speed01
Twista did you download all of the MS patches? The problem you have now sounds a lot like this.

Speed

naw im on windows 2k now but i just formated from xp like 1 hour ago and its the same as every one million of theses. Im just sayign windows 2000 is getting hit by it also but in a differnt matter.

same as this from here

 

[speed01]

I thought you were getting a COM+ event error now, or has that stopped as well?

Speed

 

[Twista]

Originally posted by: speed01
I thought you were getting a COM+ event error now, or has that stopped as well?

Speed

no only when i was installing windows xp after the rpc crap.

 

[Regs]

Download this patch.

Link -

If you have XP click the 32-bit one.