PaulCaswell asked:

Remote Procedure Call (RPC) service terminated unexpectedly (Not Blast)

Hi All,

My Laptop started, just today, restarting after a few hours running. The event log shows:

The process winlogon.exe has initiated the restart of PAULSLAPTOP for the following reason: No title for this reason could be found
 Minor Reason: 0xff
 Shutdown Type: reboot
 Comment: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly

My system gives me a little time to quit everything and it restarts.

I have run a full SpyBot S&D scan. I have corporate McAfee and I have run a full scan with that too. Obviously nothing significant.

Any ideas?

orangutang

Do you have SP3? Also, have you checked your event viewer for anything related to your problem? Also, send us your HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php) log.
PaulCaswell (ASKER)

Fully updated!

HijackThis enclosed.

Thanks for looking.

Paul

hijackthis.log
Did you check your event viewer?
The previous event was about 10 minutes before, just an info, no seeming significance.

Following events seem to be caused by this one.

Paul


Can you send them to us?
I didn't notice that the information in your original post was from the event viewer but can you send the other events anyway?
Event log, reverse time order.


Looks like startup from here on up ...

7:39:22 Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free.

7:38:17 The Event log service was stopped.

7:37:02 The FileDisk Protector Kernel Driver service failed to start due to the following error:
Cannot create a file when that file already exists.

7:36:03 The Print Spooler service entered the running state.

7:36:03 The Print Spooler service was successfully sent a start control.

7:36:03 The Remote Procedure Call (RPC) service entered the running state.

7:36:01 The Remote Procedure Call (RPC) service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

7:36:01 The Print Spooler service was successfully sent a stop control.

7:36:01 The Print Spooler service entered the stopped state.

*7:36:01 The process winlogon.exe has initiated the restart of PAULSLAPTOP for the following reason: No title for this reason could be found
 Minor Reason: 0xff
 Shutdown Type: reboot
 Comment: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly
 
6:52:12 The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:

6:41:57 The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

6:41:42 The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:

6:38:39 The ATWPKT2 service was successfully sent a start control.


...
ASKER CERTIFIED SOLUTION
orangutang

This solution is only available to members.
On it! Thanks for the advice. :)

I've already run the BlasterWorm script. It found nothing.

MalwareBytes (I hadn't heard of that one, thanks) found a few seemingly insignificant things. If I'm back tomorrow it didn't fix the problem.

SuperAntiSpyware running now. Will be back tomorrow if it didn't fix it. So far it's found 5 tracking cookies. That's about average for one launch of IE. I normally use Firefox but sometimes you just have to "go Commando" don't you. :)

Paul
I think it's fixed. No restarts today. :)

MWB found Hijack.StartMenu and Adware.Hotbar in the registry.

S&D Found 5 tracking cookies.

No idea what it could have been.

Thanks for the help. MWB looks like a keeper. :)

Paul
Can you send the MWB scan log? Thank you
This is all it found:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.


Paul
It's back!!

Started yesterday. I ran a full virus scan (Corporate McAfee), nothing found.

MalwareBytes and Spybot find nothing. I even left MWB running all day on an 'all fixed disks' scan. Nothing!!

Still the same pattern in the system logs.

If this is not Malware, what else could it be?

Paul
Yeah, I was wondering how deleting those items could have fixed the problem. Let me do some more research on your problem.
A little progress!

I left FileMon running to see if I could track what was going on at reboot time and it showed something that may be interesting.

Just about the last thing recorded was:

svchost creates dts12.exe in WINDOWS\System32

MCShield.exe takes a peek at dts12.exe

dts12.exe executes

I'm running Kaspersky online scan to see if it finds anything. Spyware S&D, SuperAntiSpyware and MalwareBytes still find nothing.

Paul


Here's an interesting thread:

http://www.bwhacks.com/forums/hardware-software/35630-computer-forces-restard-every-hour.html

Someone else is having the same problem ... and dts12.exe IS writing to \Inclick.txt and it DOES create and call mspush.dll.

This looks like at least spyware but why aren't any of the checkers spotting it???

Please don't read too much of that thread ... it will make your blood run cold. :)

From a suggestion on another thread I found I have quit spoolsvr (and the svchost child it had???). I'll wait a while to see if that has stopped my reboots.

Paul
I hope you don't mind. I've opened another question about this here:

https://www.experts-exchange.com/questions/23783156/System-reboot-every-few-hours-Probably-malware-but-nothing-found.html

Thanks very much for your help. Perhaps you could pitch in over there. I wish I could reopen this question and attach it to the Malware pages.

Paul
I am having the same issue, I'm not finding anything about this on google...no virus scanners pick up ANYTHING, but I have the same symptoms and the same inclick.txt in my root directory.  I signed up and paid for this experts exchange thing so I could get this fixed.  

My 2 cents:

This is some blaster derivative...it's a worm, because it started on my work computer, then when I remoted to my box at home, and mounted drives from work, it spread.  Same inclick.txt file @ home now too, and same RPC / restart box.  Pissing me F off.  I have sp3 and all updates, used bitdefender and Kaspersky..says I'm clean.  Hope someone can figure this out soon.
You can try this to stop the shutdown, from the run box type without the quotes "shutdown /a /m \\127.0.0.1"

If that works you will have more time to fix the problem!
I'm not sure this will help but I have had the same problem for several months now. My machine was going down several times a day. The only protection I was running at the time was McAfee's corporate antivirus with the anti spy ware add on. Everything pointed to a worm so I scanned the machine with Malwarebytes ... nothing significant. I finally broke out the artillery and installed Symantec Endpoint Security but again nothing significant was found.

After the SES installation the machine quit restarting for the most part. I found removing the intrusion prevention component made the problem return. Not having time to dissect the issue I reactivated the intrusion component and went about my business. Around a month later the problem returned. It would always whack the machine between 8:30 and 8:33 am after which it would run fine until the next morning. It finally occurred to me the problem return coincided with the turn up of a new Altiris server. After checking the Altiris schedule I realized that the ping discovery was kicking off at 8:30.

Not believing that a ping could cause this I went to another machine and pinged the laptop. Immediately the machine shuts down with the 1 minute warning RPC error.  That doesn't sound like a worm to me.
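
The pattern in the last post (restarts always between 8:30 and 8:33, matching a scheduled network task) can be checked mechanically from the System event log. The following is an added example, not part of the thread: it picks out the RPC-termination events and measures how tightly they cluster by time of day. The `date time message` line format, the sample dates and the thresholds are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Message text as it appears in the System event log quoted in this thread.
RPC_CRASH = "The Remote Procedure Call (RPC) service terminated unexpectedly"
# Assumed export format: "YYYY-MM-DD HH:MM:SS <message>" (not from the thread).
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
DAY = 86400  # seconds in a day

# Constructed sample data, for illustration only.
SAMPLE_LOG = """\
2009-01-05 08:31:12 The Remote Procedure Call (RPC) service terminated unexpectedly.  It has done this 1 time(s).
2009-01-05 08:31:14 The Print Spooler service entered the stopped state.
2009-01-06 08:30:47 The Remote Procedure Call (RPC) service terminated unexpectedly.  It has done this 1 time(s).
2009-01-07 08:32:05 The Remote Procedure Call (RPC) service terminated unexpectedly.  It has done this 1 time(s).
2009-01-07 14:02:00 The Print Spooler service entered the running state.
2009-01-08 08:30:59 The Remote Procedure Call (RPC) service terminated unexpectedly.  It has done this 1 time(s).
"""

def rpc_crash_times(log_text):
    """Return the timestamp of every RPC-termination event in the log."""
    times = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and RPC_CRASH in m.group(2):
            times.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return times

def daily_window(times):
    """Smallest time-of-day window (start_sec, width_sec) holding all events.

    Works on a 24-hour circle so a cluster around midnight is not split."""
    secs = sorted(t.hour * 3600 + t.minute * 60 + t.second for t in times)
    if not secs:
        return None
    n = len(secs)
    # Gap from each event to the next one, wrapping past midnight at the end.
    gaps = [secs[i + 1] - secs[i] for i in range(n - 1)] + [secs[0] + DAY - secs[-1]]
    k = max(range(n), key=gaps.__getitem__)  # index of the widest quiet period
    return secs[(k + 1) % n], DAY - gaps[k]

def looks_scheduled(times, max_width_sec=300, min_days=3):
    """True when crashes recur on several days inside one narrow daily window."""
    if len({t.date() for t in times}) < min_days:
        return False
    return daily_window(times)[1] <= max_width_sec

if __name__ == "__main__":
    crashes = rpc_crash_times(SAMPLE_LOG)
    start, width = daily_window(crashes)
    print(f"{len(crashes)} crashes, window starts {start // 3600:02d}:{start % 3600 // 60:02d}, "
          f"{width}s wide, scheduled={looks_scheduled(crashes)}")
```

A narrow window across several days points at something running on a timer (a scheduled scan, discovery job or task) and gives a time to compare against network and server schedules; a wide window does not rule anything in or out.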