Remote Procedure Call Errors

by Kiowa44 / November 26, 2004 4:01 AM PST

I just got through reading through the post PCDreamer made here on 9/06/04 regarding his RPC shutdown issue problems and while I could not see if that issue was resolved I wanted to see if I could get some information on a problem I am currently having and can't seem to fix.

Specs: Windows XP SP1

Yesterday before leaving for Thanksgiving I had noticed that my preview pane in Outlook was suddenly gone. When I returned later that night my toolbar had changed from its normal beveled XP look to the more classic Windows style and my computer was at 100% utilization.

I assumed some sort of odd memory leak, and rebooted the machine. I received an inordinately long saving settings message while windows restarted and then a long wait to log back in to my profile.

When I got started back up I was greeted with the RPC has terminated unexpectedly, restarting in 1:00 message. I've been killing this message as it pops up with the shutdown -a command.

Additionally my taskbar had now shrunk (it looked like it was on autohide or something). I can right click the small portion that's left and get to the taskbar options, but I can't seem to get the taskbar to function normally. Other issues include:

- No network connections or connectivity
- Cannot drag and drop or copy and paste files
- Cannot access service properties (to alter RPC recovery options)
- Most Automatic services aren't starting
- Cannot install Windows patches (hangs on Inspecting Current Setup, probably because the cryptographic service isn't running and won't start automatically)
- Cannot install virus scanning software (all have hung on install)
- Issues are not affected by running in safe mode.
- Computer is now using PC speaker, not sound card.

Everyone I've talked to so far says blaster and moves on. I've used fixblast and stinger. I've also used tools to detect sasser, lovesan and welch. None of these tools have found anything. I have no blaster.exe or msblast.exe in my processes list. I also don't see any of the corresponding registry settings in the /run folder.

Does anyone have any idea how to fix this? I'm in dire need of my computer to be working. Any help would be greatly appreciated. Thanks.

-Kiowa

Since tools fail, you get to find new tools.
by R. Proffitt Forum moderator / November 26, 2004 4:35 AM PST
http://reviews.cnet.com/5208-6132-0.html?forumID=32&threadID=27234&messageID=306550

My thoughts here are you need to identify your new pest. The link above details where you can post a hijackthis log for review.

I'd also consider why you left the machine unprotected or if you use P2P software or opened some email (or even viewed bad email) that some new pests can invade your system, knock out the firewall and antivirus and send you to support forums.

May you find your pest's name so others can help you.

Bob
Re: Remote Procedure Call Errors
by Donna Buenaventura / November 26, 2004 4:42 AM PST

Check the Event Viewer for any system or application error. If you find any errors, take note of the Source and event ID. Go to http://www.eventid.net to find a possible solution.

Try to check also the status of the Remote Procedure Call (RPC) service.
From Start, type Services.msc then look for the RPC service. Make sure that it is "Started" and the startup type is "Automatic". If it isn't, open it to start the service.

You are receiving advice about Blaster removal because the symptoms are similar to a Blaster worm infection: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Re: Remote Procedure Call Errors
by Kiowa44 / November 26, 2004 5:12 AM PST

Yes, I have seen the similarities with the Blaster Worm, but a few of the key symptoms are missing including the .exe files and the registry entries.

In the services window (standard tab, extended doesn't appear to be working), Remote Procedure Call is set as automatic but is always listed as Starting... A double click or right click > Properties is not getting me access to it either. If I try to start it manually it prompts the RPC error and starts to try to shut down. So RPC never gets started properly.

As for the event log, I am seeing two DCOM 10010 events during a timeframe where the computer was idle, a Service Control Manager 7000 and 7034 event, and a UserEnv 1715. I'm not sure what the DCOM entails, but the SCM and UserEnv both deal with services failing to start (which is happening) and improper logouts (which are also happening due to long save settings during shutdown).

Re: Remote Procedure Call Errors
by Donna Buenaventura / November 26, 2004 6:17 AM PST

Not sure if this will help but give it a try.

Go to Service console again. Highlight RPC service then click Stop at the left pane. Once Windows stopped the service, click Start at the left pane. See what happens.

If no luck, try to start and stop the RPC service using command line by typing:

C:\> net [start/stop] rpclocator

As for the Event ID and Source name that you noted, go to http://www.eventid.net for a possible solution or at least an idea of what those events mean or what application caused the error.

Re: Remote Procedure Call Errors
by Kiowa44 / November 26, 2004 7:07 AM PST

In regards to starting the service from the command prompt, did you mean to reference the rpcss (Remote Procedure Call) service instead of the RPCLocator service?

If so, a net start rpcss immediately pops up the Terminated Unexpectedly window and starts the shutdown timer.

As for the event log, I looked up the IDs and the DCOM error is as follows: "This happens when the server was launched but there was no reply from the server. The application may be configured incorrectly and you should check that the application is configured properly". The following case studies didn't have much in common with my problem. I also can't access the events individually (similar to the service window) so I can't troubleshoot the GUID directly.

I appreciate the assistance, I realize this is not a simple issue.

Re: Remote Procedure Call Errors
by Donna Buenaventura / November 26, 2004 6:29 AM PST
Re: Remote Procedure Call Errors
by Kiowa44 / November 26, 2004 2:09 PM PST

Ok, gave that a shot. It stated that RPCSS was already Auto Start enabled.

Re: Remote Procedure Call Errors
by Donna Buenaventura / November 26, 2004 4:19 PM PST

Oops! Sorry that the first command I asked you to type is for RPC Locator. The 2nd one is for the RPC service only, which is correct.

RPCSS is the Remote Procedure Call (RPC) Service.

Can you please check if you have this registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_RPCSS
Don't do anything if you have or don't have this key please.

Since you are not yet using XP SP2, I suggest that you disable the DCOM service. Download DCOMbobulator from http://grc.com/dcom/
Use it to disable DCOM automatically if it finds it is vulnerable. Note: XP SP2 is not vulnerable.

Restart the system once done. See if the RPC Service will start after disabling DCOM, which seems to be the cause as per your Event Log IDs.

Same Problem
by amyb01 / January 2, 2005 6:42 AM PST

I have the exact same problem--I have also run stinger and fixblast with no success. Have you solved the problem?

Same Problem Here
by gone3d / January 3, 2005 5:42 AM PST

I have Windows XP Home SP1. I am having the exact same problem. It just started yesterday.

I think the only questionable thing I did was download a .zip file from some German site. I did not install it but I did view the contents and then delete the file. It was just a map pack for counter strike source.

I am going to troubleshoot this when I get home tonight. Any help would be appreciated.

Thank you.

remote call procedure error
by amyb01 / January 3, 2005 6:31 AM PST
In reply to: Same Problem Here

When I ran DCOMbobulator, I lost all of my icons on the screen. I am still getting the error but can't find any viruses. I'm close to just zapping the hard drive, but I'm willing to try anything.

Remote Procedure Call Error
by gone3d / January 3, 2005 7:06 AM PST

I'm just curious. What antivirus software did you run? Unfortunately I do not have any antivirus software running on the compromised computer at this time. And I know it will be a pain to install it while in this state. Since you say it didn't find any viruses then I will just move on to the next step. Formatting is not an option for me so I will try the DCOMbobulator tonight. I am at work and just researching it all day today.

Anyone else got any ideas?

On a side note. I did try safe mode last night and it is exactly the same.

remote call procedure error---can't find msblast
by amyb01 / January 3, 2005 7:19 AM PST

I am running Norton Anti-virus 2005 with Internet Security. I've run Stinger and fixblast, but nothing comes up. Microsoft and Symantec insist that it is the msblaster virus, but I don't know where it is. HELP

Try the same thing
by roddy32 / January 3, 2005 8:21 AM PST
Try Housecall
by roddy32 / January 3, 2005 8:19 AM PST
Try Housecall
by gone3d / January 3, 2005 4:53 PM PST
In reply to: Try Housecall

I am unable to get online so this will not work. I tried installing Norton 2003 but it says that required services are not available or something like that. I ran decom, fixblast, fxsasser, and nothing is working.

I am getting a combination of this error.


'C:\windows/system32\lsass.exe' terminated unexpectedly with status code -1073741819 the system will now shutdown and restart.


And this one:
System Shutdown

This system is shutting down. Please save all work in progress
and log off. Any unsaved changes will be lost. This shutdown
was initiated by NT AUTHORITY\SYSTEM

Time before shutdown:

Message:
Windows must now restart because the Remote Procedure Call
(RPC) service terminated unexpectedly

I have no taskbar still but I do have icons.
I am able to start the RPC manually but I cannot view the properties of it.

I basically still have the exact same problem as the original poster, only mine says lsass is the cause now.

Any help?

This is what I have
by roddy32 / January 3, 2005 8:37 PM PST
In reply to: Try Housecall

found about SOME of the things that can cause that.
quote
"lsass - lsass.exe - Process Information
Process File: lsass or lsass.exe
Process Name: Local Security Authority Service

Description:
lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. Note: lsass.exe also relates to the Windang.worm, irc.ratsou.b, Webus.B, MyDoom.L, Randex.AR, Nimos.worm which spread via floppy disk drives, mass-mailing and peer-to-peer sharing. Please review file path for clarification of this."

See if you can download Stinger onto a disc on another computer and load it onto the infected one and run it and see if it finds anything.
http://vil.nai.com/vil/stinger/
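
Added example, not part of any post in this thread: the shutdown dialog quoted above carries two facts worth extracting, the exit status and the image path that the lsass description says to review. This Python sketch decodes the signed status into its NTSTATUS fields and compares the path with the expected location; the function names, the `C:\Windows` default and the second sample string are assumptions made for the example.

```python
import ntpath
import re

# NTSTATUS values that commonly appear as process exit codes.
KNOWN_STATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
SEVERITY = ("success", "informational", "warning", "error")

# Matches the wording of the shutdown dialog quoted in the thread.
DIALOG_RE = re.compile(
    r"'(?P<image>[^']+)'\s+terminated unexpectedly "
    r"with status code\s+(?P<code>-?\d+)"
)

def decode_ntstatus(signed_code):
    """Split the signed decimal shown in the dialog into NTSTATUS fields."""
    value = signed_code & 0xFFFFFFFF  # two's complement -> unsigned 32-bit
    return {
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],
        "facility": (value >> 16) & 0x0FFF,
        "code": value & 0xFFFF,
        "name": KNOWN_STATUS.get(value, "unknown"),
    }

def analyse_dialog(text, system_root=r"C:\Windows"):
    """Decode the status and check the image path (system_root is assumed)."""
    m = DIALOG_RE.search(text)
    if m is None:
        return None
    image = ntpath.normcase(ntpath.normpath(m.group("image")))
    expected = ntpath.normcase(ntpath.join(system_root, "System32", "lsass.exe"))
    report = decode_ntstatus(int(m.group("code")))
    report["image"] = image
    report["in_expected_path"] = image == expected
    return report

# Dialog text as quoted in the thread, and a constructed look-alike path.
FROM_THREAD = ("'C:\\windows/system32\\lsass.exe' terminated unexpectedly "
               "with status code -1073741819")
CONSTRUCTED = ("'C:\\windows\\lsass.exe' terminated unexpectedly "
               "with status code -1073741819")
if __name__ == "__main__":
    for sample in (FROM_THREAD, CONSTRUCTED):
        print(analyse_dialog(sample))
```

For the quoted dialog the status decodes to 0xC0000005 (access violation) and the path is the expected System32 location, which points to the system's own lsass.exe image crashing rather than a same-named file elsewhere on disk.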

More on RPC
by roddy32 / January 3, 2005 9:02 PM PST
In reply to: Try Housecall

I'm not sure if this was posted earlier in this thread or not. You might find some more info on this link here.
http://www.kellys-korner-xp.com/xp_abc.htm

Go to the "R" and a little more than halfway down the page is a lot of information for this problem, from Doug Knox and Mike Kolitz. Read everything under where it says this.

quote
"Remote Procedure Call (RPC) Exploit - Updated!
Special thanks to MVP Doug Knox and Mike Kolitz"

I have this one too. Here's what I have done so far...
by jferrell01 / January 27, 2005 4:15 PM PST
In reply to: More on RPC

I will just say that this is the first post anywhere I have found where other people's computers are experiencing the EXACT same symptoms as mine. Everyone is saying oh you have msblaster download the tool...blah, blah, blah. I ran fixblast and stinger and they found NOTHING! THIS IS NOT MSBLASTER! It is either a very good variant or an entirely new virus that no one has reported (or been able to report).

There are some differences in our circumstances however. My system had Windows XP w/SP2 installed. Symantec Antivirus v9.0.3.1000 corporate edition with the defs updated on 1/19/05. Supposedly MS fixed the RPC exploit in SP2 but....I guess NOT!

I know exactly how my computer was infected. I downloaded a file that was an .exe that was supposed to be a demo of a shareware program. I right clicked on the folder containing it and selected "scan for viruses" Symantec popped up and scanned the .exe and found nothing. So of course I ran it. However it was the mother of all viruses! This thing installed at least 15 very bad spyware programs like DyFuCA and WinTools in addition to this virus that Symantec AV is unable to detect. I was able to use Microsoft Antispyware to delete the spyware and when it asked to reboot I said ok. My computer has acted the way you each describe ever since. I also have a copy of Computer Associates eTrust Innoculate 7.0 Antivirus and I installed it. I am going to try and get the latest updates on it somehow and do a scan. I'll let you guys know if I have any luck.

- JF
