"RPC Terminated" Causes Continuous Re-Boot - Even in Safe Mode !

Hardware/Software:
Dell OptiPlex GX110, P-III, 512MB RAM, CD-R, WinXP Pro, NIC

Situation:
Client reports and I witnessed first hand - PC boots - very, very slowly (~5-7 minutes) - Windows Desktop begins to appear - before much of anything else loads - Message window appears and says (approximately:) "Must restart now - Remote Procedure Call (RPC) Service Terminated Unexpectedly." The PC then slowly re-boots and does the same thing over again.

Client reports that this occurred directly after installing Google Desktop Search tool. Also reports he installed the same Google software on a home PC - and the home PC is also getting RPC related errors.

Actions Taken to Date:
Booted into Safe Mode - it took almost as long to boot into Safe Mode (~5 Minutes) as it did to do an ordinary boot!  I never have seen this before!?!?!  (Tried this multiple times.) SAME ERROR comes up in Safe Mode - obviously the issue is on a pretty fundamental level.

Obtained a WinXP Pro (Upgrade) disk - attempted to get to Recovery Mode - but stops after password at C: prompt. Somehow I recall Recovery mode replacing files, etc - without C: prompt involvement - no?

Has anyone seen this before - and more importantly - what suggestions do you have for repair?

Thanks in Advance,
Mark
reMarkableAsked:

Nirmal SharmaSolution ArchitectCommented:
>>>Has anyone seen this before - and more importantly - what suggestions do you have for repair?

Let the screen come up to the Login screen... go to another computer, use Registry Editor > File Menu > Connect Network Registry and remove all unwanted entries from the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Also look in the following keys to make sure there is nothing unusual that can cause this problem, because any malware process can cause this problem if it hides itself in the following keys:

Look in the following locations for startup programs that may be suspect:
START-UP FOLDER Windows opens every item in the Start Menu's Start Up folder.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Default User\Start Menu\Programs\Startup
C:\Documents and Settings\YourUserName\Start Menu\Programs\Startup
REGISTRY

Windows executes all instructions in the "Run", "RunServices", "RunOnce", and "RunServicesOnce" sections of the Windows Registry.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

Windows executes instructions in the shell and classes sections of the Registry. Any command embedded here will open when any exe file is executed. Look for anything other than "\"%1\" %*"; if they are changed to something like "\"badboy.exe %1\" %*", then they are automatically invoking the specified file.
[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

Look in the System location of the registry to locate all suspect services running including Type 1 services that do not normally appear in the GUI display.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
Explorer registry entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User Shell Folders]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]  
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]

Other miscellaneous possible registry locations include:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object" "NeverShowExt"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Windows\AppInit_Dlls]

BATCH FILES Windows executes instructions in the winstart.bat and autoexec.bat batch files.
INITIALIZATION FILES

Win.ini Look for a "run=" or "load=" line with a suspect program.

System.ini Look for a "shell=" line with a suspect program.

TASK SCHEDULER Windows executes autorun instructions in the Windows Task Scheduler (or any other third party scheduler that supplements or replaces the Task Scheduler). Look in the c:\windows\tasks folder for suspect programs.

EXPLORER.EXE Windows loads explorer.exe as a shell the first time it is executed during the boot process which is typically located in the c:\windows directory. However, if c:\explorer.exe exists, it will be executed instead of the c:\windows\explorer.exe. If c:\explorer.exe is corrupt or a Trojan, bad things can happen. Just delete the file to fix the problem.

Let us know.

Thanks

0
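The Run-key and open-command checks from the answer above, as an added example that is not part of the original thread: it parses the text of a `regedit` export and flags anything worth a second look. The sample export, the `Updater` entry and the function names are constructed for this example; a real export is usually UTF-16 and must be decoded first.

```python
import re

EXPECTED_OPEN = '"%1" %*'  # stock open command for the file types below
# htafile is left out: it is normally handled by mshta.exe, not by "%1" %*.
OPEN_TYPES = ("exefile", "comfile", "batfile", "piffile")
RUN_NAMES = ("run", "runservices", "runonce", "runservicesonce")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; the Updater entry is hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe /background"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"badboy.exe %1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

def unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: data}}; "" names the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:  # hex(...) and dword values are skipped
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def audit(keys):
    """List Run-family entries for review and flag non-stock open commands."""
    findings = []
    for path, values in keys.items():
        parts = path.lower().split("\\")
        if len(parts) >= 4 and parts[-4] in OPEN_TYPES and parts[-3:] == ["shell", "open", "command"]:
            cmd = values.get("", "(not set)")
            if cmd != EXPECTED_OPEN:
                findings.append(("hijacked-open-command", path, cmd))
        elif len(parts) >= 2 and parts[-2] == "currentversion" and parts[-1] in RUN_NAMES:
            for name, data in values.items():
                findings.append(("autostart-entry", path, f"{name} -> {data}"))
    return findings
```

Autostart entries are listed for review rather than judged; only the open-command comparison is a hard mismatch.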
reMarkableAuthor Commented:
SystmProg-
Thanks for the speedy response - but I'm a bit confused by some of your instructions:

>>Let the screen come upto Login screen...

I can't get to a Login screen - except a prompt for the Administrative password in Recovery mode, where it then leaves me at the DOS prompt at c:\Windows - is that what you mean?

>>goto another computer user Registry Editor...
 I don't have another computer on-site.

Can you clarify these two steps please? Beyond that I have no problem searching /editing the registry if given instructions on what to look for/change.

Thanks,
Mark
0
Nirmal SharmaSolution ArchitectCommented:
I mean to say take this pc to a network and then connect this pc to hub and access the registry (This is called Accessing Network Registry).

If you have a crossover cable then you can connect two PCs directly, meaning NIC to NIC.
0
mdiglioCommented:
Hello,
I can't tell if you can get to the desktop or not.
If you can, follow these instructions.
If you cannot then ignore them :)

In order to start troubleshooting we need to change the service for RPC.
If you get this RPC message before you are done w/ the instructions below open a command prompt and type
shutdown -a
this will stop the shutdown sequence
 
login to the computer >> right click My Computer >> manage >> expand 'services and applications' >> click 'services' >>
double click 'Remote Procedure Call' >> on the recovery tab set all three failures to 'take no action'

Is this computer patched? This has the symptoms of a mydoom virus.
Run a virus scan if you have the software and it is updated
or go here for a free online virus scan
HouseCall
http://housecall.trendmicro.com/

check for spyware:
microsoft antispyware
http://www.microsoft.com/athome/security/spyware/software/default.mspx
0

Nirmal SharmaSolution ArchitectCommented:
mdiglio..

His PC reboots as soon as he logs on.. then when will he issue the shutdown command?
0
mdiglioCommented:
Hey Buddy,
Yea, like I said I couldn't tell if he can get to the desktop or not.

If he can he'll have 30 seconds to click start >> run >> cmd
shutdown -a

If he can't then I said to just ignore my instructions.
0
Nirmal SharmaSolution ArchitectCommented:
:)
0
reMarkableAuthor Commented:
I can't seem to take any action on the desktop - or try gaining control when it boots - machine is either responding so slowly it appears to be locked or it actually is "locked." Remember this PC is taking more than 5 minutes to get to the desktop - even in Safe Mode.

Also - it's a solo desktop PC in a single person office - so there is no ability to network it with another PC.

Best I seem to be able to do is get into Recovery Mode with the WinXP Pro CD where I reach a DOS prompt - so potentially I could run something under DOS.
Is there any way to check the registry under DOS?

 I've also prepared a Boot Disk with the DOS version of F_Secure on it (w/the latest virus defs on it.)

Any further thoughts on how to retake this PC?

0
Nirmal SharmaSolution ArchitectCommented:
>>>Is there any way to check the registry under DOS?

That's what I was thinking and could not find.. so I posted the solution using Network Registry.
0
cmegsonCommented:
If you believe this is a registry related error, which it definitely appears to be, do a manual system restore.

This will restore the registry back to before the problem occurred.

Instructions available at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;307545


Cheers
Chris
0
senadCommented:
This is probably a script virus (msblaster related) that keeps shutting the RPC process.
Go to symantec and download the removal tool.
0
reMarkableAuthor Commented:
Thanks all for the suggestions. Here's the long story of how this was resolved - on both PCs:
The first part of the puzzle was solved by taking mdiglio's suggestion of using "shutdown -a" - which originally I didn't think I could do - for two reasons:
One was I didn't think the PC allowed time before it shut down to get the command in there and the second was I couldn't get the Task Bar to come up. BUT I WAS WRONG ON THE FIRST ASSUMPTION - it turned out that I had a very short window (maybe 20 seconds) when I could gain control over the PC - but I still had the second problem - there was no access to a Task Bar - hence Start Button etc.  A quick call to a buddy reminded me that Windows-Key + R opens the command prompt - so after a 5+ minute boot-up, at just the right moment I could hit that key combination - then type "shutdown -a" - and stop the system shut down. It turns out that a minute or two later it came up with the same shut down message all over again. What I learned to do was keep the command prompt window open - with the "shutdown -a" already typed in - and as soon as the message would reappear - which it did every couple of minutes - then I'd toggle to the window and hit enter.

Next I tried SystmProg's suggestion of scouring the PC's Registry and Startup areas etc, etc - but I came up empty. Then I decided to uninstall the Google Desktop Search - which is what the client had reported installing just before the problem started. For good measure, I also uninstalled GoToMyPC - as I figured that it might also be involved with the RPC error - being I believe an app that uses that - and poof - the RPC shutdown message had stopped!! I can’t say whether it was the removal of one application or of both that seemed to stop the message. Next I went to System Restore - and restored the PC to the day before install - just for good measure - and the machine returned to its normal happy self! Once I completed that - my client said – “Great, now let's go do the same thing on my PC at home” - and that's exactly what we did - and that machine (which was physically identical to the office PC - and had virtually identical software too) was completely cured as well.

For those of you who accuse a virus/worm – both PCs were running SP2, completely up-to-date on all OS patches and had properly updated and active antivirus programs running – further making the case for a problem somewhere else – although given the original symptoms – I did join in and diagnosed it (as I did to the client) as a probable virus/worm. This was also based on the fact I couldn’t find anything on the web relating the Google Desktop with installation problems or PC lock ups – still can’t. However…

Here in the New York City area, I was listening to WCBS 880AM which has a brief PC segment a couple of times a day – and the guy who does it mentioned that he had previously touted the Google Desktop app - but had gotten feedback from a number of listeners that it clobbered their PCs. That’s as much as he said – but I really think that somehow the Google Desktop screws up something – maybe something related to GoToMyPC – I don’t know. I do know that I have a very happy client now.

As to distributing points – that’s a bit tricky – but many of you had valid points:
180 for SystmProg for a quick & logical response - and some measure of persistence, even though in this case it didn't solve the problem.
200 for mdiglio for giving me the key method that helped me turn things around - that "shutdown -a" I'll keep that in my mental bag of WinXP tricks.
80 for cmegson for providing a great link on Registry Restoration - even though it turned out not to be my solution this time.
40 for senad for providing a logical link about worm removal - even though it wasn't part of the mix this time either.

Thanks again - one and all who helped me get through this challenge.
-Mark
0
mdiglioCommented:
Hey...good job fixing this Mark.
Thanks for letting us know how you did it and thanks for the points
0
Nirmal SharmaSolution ArchitectCommented:
Thanks!
0