XP reboots from RPC service terminating and svchost.exe faulting... what to do?

Hi there,

I'm having a problem with intermittent reboots on my XP machine.  It seems to happen a lot when I VPN into my work and then start Remote Desktop to connect to a machine there.  But it also happens at other times, when I have not VPN'd or used Remote Desktop.

The sequence of events is that I get a dialog saying that (I think) Generic Host Services has failed.  Do I want to contact Microsoft, etc.  If I leave that dialog up and don't click "OK" the machine still works.  But as soon as I click "Don't Send" or "OK" the machine gives me 60 seconds and will reboot (nothing I can do to stop it).

I looked in the event viewer and this is what is going on, only I don't know how to interpret it or fix it.  I did a Google search and found something that tells me how to change the reboot behavior.  That is, there is a setting that says if a Remote Procedure Call fails, to reboot in 60 seconds, which is what happens now.  I could change that setting, but that is fixing the symptom, not curing the disease.  I would like some help curing the disease.

Anybody have any ideas?

Here are the errors in the Event Log:

In Event Viewer, under Application, there are 2:

1) Faulting application svchost.exe, version 5.1.2600.2180, faulting module rpcss.dll, version 5.1.2600.2726, fault address 0x0001f4f9.

2) The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 800706BE from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

In Event Viewer, under System there is 1:

1) The Remote Procedure Call (RPC) service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Thanks for any advice,
-Dave
Asked by: JediBecker
 
carcenea commented:
Have you installed all of Windows updates? This sounds to me like one of the worms that was released in the past couple of years...

Also, in order to stop the computer from shutting down when you get a prompt that says this all you need to do is go to command prompt and type "shutdown -a".

Hope this helps!
 
Farhan Kazi (Systems Engineer) commented:
Agreed with carcenea,  these are MSBlast Worm symptoms.

Go to the following site, download the removal tool, and follow the instructions on the site.
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081119-5051-99

After cleaning your system with the above tool, update Windows online.
 
JediBecker (author) commented:
That's great info.  Thanks to both of you.

I do have all the updates (I do auto-updates) and there is Symantec Anti-Virus on here.  So I'm pretty confused how I could have gotten this.  But in the meantime, I'm running a full virus scan (yes, Symantec does auto-update its virus definition files and it was up-to-date) and making sure I have the MS patch.

I'll post back when that's done if it found anything.  I do VPN into work -- could this suggest that there are computers at work that have the same worm?  No one has reported these reboots happening.  The machines at work are similarly set up with auto-updates and Symantec Anti-Virus.

-Dave
 
JediBecker (author) commented:
Well, sure enough, I started a complete Virus scan and it already found W32.Netsky.B@mm and cleaned it.  You guys rock for the help.  Given that I have Microsoft auto-update and Symantec LiveUpdate running, I don't need to go through all the steps on the Symantec site, I'm figuring.  Would you concur?

The change I'll make on my system is this: I get email on this computer via fetchmail running with Cygwin.  I always figured Symantec would scan those emails because they come over the normal POP port, but I'm guessing that Cygwin fetchmail is somehow falling under the Symantec "radar."  I don't normally run full virus scans everyday on computers since they are doing real-time surveillance, but in this case, maybe it is worth it.  I'll see if I can get it to pick up the fetchmail email to scan, too -- that would be even better.

Does that sound like a reasonable plan?

Thanks,
-Dave
 
JediBecker (author) commented:
Incidentally, another oddity about how I even got this: not only do I use fetchmail under Cygwin to get my email, but I actually use Pine (cygwin version) to read it.  So all text-based.  In general, that makes me feel pretty safe with virus as I'm not even viewing HTML emails with Outlook or anything.  My guess is that a buddy of mine did send me his resume to review for him as a Word document and I did open that.  I'm guessing that was perhaps the payload to deliver the worm?  Can't imagine how else I got it.  

The virus scan said it found it in nomoney.zip inside a pine mbox where that resume was.

You can't get infected by a worm if fetchmail downloads but the email never gets opened, can you?
 
JediBecker (author) commented:
It is odd -- I don't see any of the "signs" of the worm (services.exe or anything in the registry to start when Windows boots).  Maybe Symantec already got rid of those things.  

In any case, I'm accepting the two answers to give you the well-deserved points.  But if anyone has comments on the other follow-up clarifications I posted above, I'd appreciate it.

Thanks,
-Dave
 
carcenea commented:
To my knowledge, Symantec only scans emails automatically for MS Outlook, MS Outlook Express, and Lotus Notes. As far as how you got the worm... You are connected to the internet which always leaves some vulnerability. However, as long as you keep up with your Windows and Antivirus updates you shouldn't have as many problems. :)
 
carcenea commented:
Oh, and if you are only viewing text mail and not HTML then you could actually open the email without doing any harm, however, anything in attachments is fair game.
 
JediBecker (author) commented:
That all makes sense.  Thanks carcenea.  Seems like everything is clear for the moment.  I'm going to make sure I scan all attachments before opening, in addition to a regular full system scan.

Incidentally, the Symantec Anti-Virus on here WILL scan all POP connections on a given port.  The problem which I ran into before and was reminded of when I tried to set this back up is that fetchmail uses an SSL connection to my ISP to get and send email and Symantec doesn't support that. That's the problem.

In any case, thanks for your help!
-Dave
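
Added example (not part of the original thread): the scan above found the worm in nomoney.zip inside a Pine mbox, mail that the real-time scanner never inspected because fetchmail retrieved it over SSL. The Python sketch below lists executable attachments in an mbox, including those packed inside zip archives, before anything is opened; the extension list, function names, and the sample mailbox with its inert archive member are assumptions constructed for illustration.

```python
import io
import mailbox
import os
import tempfile
import zipfile
from email.message import EmailMessage

# Extensions treated as executable content (assumed, non-exhaustive list).
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
def is_executable_name(name):
    return os.path.splitext(name.lower())[1] in EXECUTABLE_EXT

def risky_attachments(mbox_path):
    """Return (subject, attachment, zip_member_or_None) per suspicious item."""
    findings = []
    for msg in mailbox.mbox(mbox_path):
        for part in msg.walk():
            name = part.get_filename() or ""   # "" for non-attachment parts
            if is_executable_name(name):
                findings.append((msg["Subject"], name, None))
            elif name.lower().endswith(".zip"):
                data = part.get_payload(decode=True) or b""
                try:
                    members = zipfile.ZipFile(io.BytesIO(data)).namelist()
                except zipfile.BadZipFile:
                    findings.append((msg["Subject"], name, "<unreadable zip>"))
                    continue
                findings.extend((msg["Subject"], name, m)
                                for m in members if is_executable_name(m))
    return findings

def build_sample_mbox():
    """Write a constructed two-message mbox; the 'executable' is inert text."""
    path = os.path.join(tempfile.mkdtemp(), "inbox.mbox")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt.exe", b"inert placeholder bytes")
    box = mailbox.mbox(path)
    box.add("Subject: lunch\n\nplain text, no attachment\n")
    att = EmailMessage()
    att["Subject"] = "constructed sample"
    att.set_content("see attachment")
    att.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="nomoney.zip")
    box.add(att)
    box.close()
    return path

if __name__ == "__main__":
    print(risky_attachments(build_sample_mbox()))
```

A name-based check like this only flags candidates for a proper antivirus scan; it does not inspect file contents or password-protected archives.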