Solved

"RPC Terminated" Causes Continuous Re-Boot - Even in Safe Mode !

Posted on 2005-03-10
Last Modified: 2012-06-27
Hardware/Software:
Dell OptiPlex GX110, P-III, 512MB RAM, CD-R, WinXP Pro, NIC

Situation:
Client reports and I witnessed first hand - PC boots - very, very slowly (~5-7 minutes) - Windows Desktop begins to appear - before much of anything else loads - Message window appears and says (approximately:) "Must restart now - Remote Procedure Call (RPC) Service Terminated Unexpectedly." The PC then slowly re-boots and does the same thing over again.

Client reports that this occurred directly after installing Google Desktop Search tool. Also reports he installed the same Google software on a home PC - and the home PC is also getting RPC related errors.

Actions Taken to Date:
Booted into Safe Mode - it took almost as long to boot into Safe Mode (~5 Minutes) as it did to do an ordinary boot!  I never have seen this before!?!?!  (Tried this multiple times.) SAME ERROR comes up in Safe Mode - obviously the issue is on a pretty fundamental level.

Obtained a WinXP Pro (Upgrade) disk - attempted to get to Recovery Mode - but stops after password at C: prompt. Somehow I recall Recovery mode replacing files, etc - without C: prompt involvement - no?

Has anyone seen this before - and more importantly - what suggestions do you have for repair?

Thanks in Advance,
Mark
Question by:reMarkable
LVL 35

Assisted Solution

by:Nirmal Sharma
Nirmal Sharma earned 540 total points
ID: 13505220
>>>Has anyone seen this before - and more importantly - what suggestions do you have for repair?

Let the screen come up to the Login screen... go to another computer, use Registry Editor > File Menu > Connect Network Registry and remove all unwanted entries from the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and also look in the following keys just to make sure there is nothing unusual that can cause this problem, because any malware process can cause this problem if it hides itself in the following keys:

Look in the following locations for startup programs that may be suspect:

START-UP FOLDER
Windows opens every item in the Start Menu's Start Up folder.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Default User\Start Menu\Programs\Startup
C:\Documents and Settings\YourUserName\Start Menu\Programs\Startup

REGISTRY
Windows executes all instructions in the "Run", "RunServices", "RunOnce", and "RunServicesOnce" sections of the Windows Registry.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

Windows executes instructions in the shell and classes sections of the Registry. Any command embedded here will open when any exe file is executed. Look for anything other than "\"%1\" %*"; if they are changed to something like "\"badboy.exe %1\" %*", then they are automatically invoking the specified file.
[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

Look in the System location of the registry to locate all suspect services running including Type 1 services that do not normally appear in the GUI display.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
Explorer registry entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User Shell Folders]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]  
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]

Other miscellaneous possible registry locations include:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object" "NeverShowExt"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Windows\AppInit_Dlls]

BATCH FILES
Windows executes instructions in the winstart.bat and autoexec.bat batch files.

INITIALIZATION FILES
Win.ini: Look for a "run=" or "load=" line with a suspect program.
System.ini: Look for a "shell=" line with a suspect program.

TASK SCHEDULER
Windows executes autorun instructions in the Windows Task Scheduler (or any other third party scheduler that supplements or replaces the Task Scheduler). Look in the c:\windows\tasks folder for suspect programs.

EXPLORER.EXE
Windows loads explorer.exe as a shell the first time it is executed during the boot process which is typically located in the c:\windows directory. However, if c:\explorer.exe exists, it will be executed instead of the c:\windows\explorer.exe. If c:\explorer.exe is corrupt or a Trojan, bad things can happen. Just delete the file to fix the problem.

Let us know.

Thanks

 

Author Comment

by:reMarkable
ID: 13505380
SystmProg-
Thanks for the speedy response - but I'm a bit confused by some of your instructions:

>>Let the screen come upto Login screen...

I can't get to a Login screen - except a prompt for the Administrative password in Recovery mode, where it then leaves me at the DOS prompt at c:\Windows - is that what you mean?

>>goto another computer user Registry Editor...
 I don't have another computer on-site.

Can you clarify these two steps please? Beyond that I have no problem searching/editing the registry if given instructions on what to look for/change.

Thanks,
Mark
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13505603
I mean to say take this pc to a network and then connect this pc to hub and access the registry (This is called Accessing Network Registry).

If you have a crossover cable then you can connect two PCs directly, meaning NIC to NIC.

 
LVL 16

Accepted Solution

by:
mdiglio earned 600 total points
ID: 13505665
Hello,
I can't tell if you can get to the desktop or not.
If you can, follow these instructions.
If you cannot, then ignore them :)

In order to start troubleshooting we need to change the service for RPC.
If you get this RPC message before you are done w/ the instructions below open a command prompt and type
shutdown -a
this will stop the shutdown sequence
 
login to the computer >> right click My Computer >> manage >> expand 'services and applications' >> click 'services' >>
double click 'Remote Procedure Call' >> on the recovery tab set all three failures to 'take no action'

Is this computer patched? This has the symptoms of a mydoom virus.
Run a virus scan if you have the software and it is updated
or go here for a free online virus scan
HouseCall
http://housecall.trendmicro.com/

check for spyware:
microsoft antispyware
http://www.microsoft.com/athome/security/spyware/software/default.mspx
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13505970
mdiglio..

His PC reboots as soon as he logs on.. so when will he issue the shutdown command?
 
LVL 16

Expert Comment

by:mdiglio
ID: 13506060
Hey Buddy,
Yea, like I said I couldn't tell if he can get to the desktop or not.

If he can he'll have 30 seconds to click start >> run >> cmd
shutdown -a

If he can't then I said to just ignore my instructions.
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13506275
:)
 

Author Comment

by:reMarkable
ID: 13509334
I can't seem to take any action on the desktop - or try gaining control when it boots - machine is either responding so slowly it appears to be locked or it actually is "locked." Remember this PC is taking more than 5 minutes to get to the desktop - even in Safe Mode.

Also - it's a solo desktop PC in a single person office - so there is no ability to network it with another PC.

Best I seem to be able to do is get into Recovery Mode with the WinXP Pro CD where I reach a DOS prompt - so potentially I could run something under DOS.
Is there any way to check the registry under DOS?

I've also prepared a Boot Disk with the DOS version of F_Secure on it (w/the latest virus defs on it.)

Any further thoughts on how to retake this PC?

 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13514341
>>>Is there any way to check the registry under DOS?

That's what I was thinking and could not find.. so I posted the solution using Network Registry.
 
LVL 2

Assisted Solution

by:cmegson
cmegson earned 240 total points
ID: 13523596
If you believe this is a registry related error, which it definitely appears to be, do a manual system restore.

This will restore the registry back to before the problem occurred.

Instructions available at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;307545


Cheers
Chris
 
LVL 22

Expert Comment

by:senad
ID: 13607082
This is probably a script virus (msblaster related) that keeps shutting the RPC process.
Go to symantec and download the removal tool.
 
LVL 22

Assisted Solution

by:senad
senad earned 120 total points
ID: 13607092
 

Author Comment

by:reMarkable
ID: 13607918
Thanks all for the suggestions. Here's the long story of how this was resolved - on both PCs:
The first part of the puzzle was solved by taking mdiglio's suggestion of using "shutdown -a" - which originally I didn't think I could do - for two reasons:
One was I didn't think the PC allowed time before it shut down to get the command in there and the second was I couldn't get the Task Bar to come up. BUT I WAS WRONG ON THE FIRST ASSUMPTION - it turned out that I had a very short window (maybe 20 seconds) when I could gain control over the PC - but I still had the second problem - there was no access to a Task Bar - hence Start Button etc.  A quick call to a buddy reminded me that Windows-Key + R opens the command prompt - so after a 5+ minute boot-up, at just the right moment I could hit that key combination - then type "shutdown -a" - and stop the system shut down. It turns out that a minute or two later it came up with the same shut down message all over again. What I learned to do was keep the command prompt window open - with the "shutdown -a" already typed in - and as soon as the message would reappear - which it did every couple of minutes - then I'd toggle to the window and hit enter.

Next I tried SystmProg's suggestion of scouring the PC's Registry and Startup areas etc, etc - but I came up empty. Then I decided to uninstall the Google Desktop Search - which is what the client had reported installing just before the problem started. For good measure, I also uninstalled GoToMyPC - as I figured that it might also be involved with the RPC error - being I believe an app that uses that - and poof - the RPC shutdown message had stopped!! I can’t say if it was the removal of which application or both that seemed to stop the message. Next I went to System Restore - and restored the PC to the day before install - just for good measure - and the machine returned to its normal happy self! Once I completed that - my client said – “Great, now let's go do the same thing on my PC at home” - and that's exactly what we did - and that machine (which was physically identical to the office PC - and had virtually identical software too) was completely cured as well.

For those of you who accuse a virus/worm – both PCs were running SP2, completely up-to-date on all OS patches and had properly updated and active antivirus programs running – further making the case for a problem somewhere else – although given the original symptoms – I did join in and diagnosed it (as I did to the client) as a probable virus/worm. This was also based on the fact I couldn’t find anything on the web relating the Google Desktop with installation problems or PC lock ups – still can’t. However…

Here in the New York City area, I was listening to WCBS 880AM which has a brief PC segment a couple of times a day – and the guy who does it mentioned that he had previously touted the Google Desktop app - but had gotten feedback from a number of listeners that it clobbered their PCs. That’s as much as he said – but I really think that somehow the Google Desktop screws up something – maybe something related to GoToMyPC – I don’t know. I do know that I have a very happy client now.

As to distributing points – that’s a bit tricky – but many of you had valid points:
180 for SystmProg for a quick & logical response - and some measure of persistence, even though in this case it didn't solve the problem.
200 for mdiglio for giving me the key method that helped me turn things around - that "shutdown -a" I'll keep that in my mental bag of WinXP tricks.
80 for cmegson for providing a great link on Registry Restoration - even though it turned out not to be my solution this time.
40 for senad for providing a logical link about worm removal - even though it wasn't part of the mix this time either.

Thanks again - one and all who helped me get through this challenge.
-Mark
 
LVL 16

Expert Comment

by:mdiglio
ID: 13607947
Hey...good job fixing this Mark.
Thanks for letting us know how you did it and thanks for the points
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13608514
Thanks!