S
simes
Hi,
I have a serious problem with a laptop running Windows XP SP2. Soon
after the laptop is booted up (which is very slow), and a user account
entered, a pop-up box appears with the following message:
"Windows must now restart because the Remote Procedure Call (RPC)
Service terminated unexpectedly". It has a countdown to reboot in 60
seconds.
In addition, the taskbar is missing.
I've read a lot of web pages on this error, which mention the Blast
Worm and how to diagnose it - for example, finding msblast (or
variants) in the system32 directory, but I can't find any of the files
they mention. I've done a process list and there appear to be are no
suspicious processes running. These are listed below.
Can anyone help with some information. I'm pretty desparate!
Many thanks
Simon
--- PROCESS LIST
StartupList report, 13/10/2007, 09:43:40
StartupList version: 1.52
Started from : C:\Documents and Settings\Maria\Local Settings\Temp
\wz57ba\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Maria\Local Settings\Temp\wz57ba
\StartupList.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat
7.0\Reader\reader_sl.exe
Digital Line Detect.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office
\Office10\OSA.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Apoint = C:\Program Files\Apoint\Apoint.exe
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_03\bin
\jusched.exe
(Default) =
IntelWireless = C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf
Intel PROSet/Wireless
Dell QuickSet = C:\Program Files\Dell\QuickSet\quickset.exe
DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager
\sgtray.exe" /r
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB
\realsched.exe" -osboot
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Google Desktop Search = "C:\Program Files\Google\Google Desktop Search
\GoogleDesktop.exe" /startup
TrueImageMonitor.exe = C:\Program Files\Acronis\TrueImageHome
\TrueImageMonitor.exe
AcronisTimounterMonitor = C:\Program Files\Acronis\TrueImageHome
\TimounterMonitor.exe
Acronis Scheduler2 Service = "C:\Program Files\Common Files\Acronis
\Schedule2\schedhlp.exe"
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not
found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not
found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not
found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not
found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not
found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not
found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not
found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:
\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmypics.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX
\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll -
{5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - c:\program files\google\googletoolbar2.dll -
{AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier
\2.0.301.7164\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
--------------------------------------------------
Enumerating Task Scheduler jobs:
AppleSoftwareUpdate.job
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
End of report, 7,457 bytes
Report generated in 0.235 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of
platform
/history - to list version history only
I have a serious problem with a laptop running Windows XP SP2. Soon
after the laptop is booted up (which is very slow), and a user account
entered, a pop-up box appears with the following message:
"Windows must now restart because the Remote Procedure Call (RPC)
Service terminated unexpectedly". It has a countdown to reboot in 60
seconds.
In addition, the taskbar is missing.
I've read a lot of web pages on this error, which mention the Blast
Worm and how to diagnose it - for example, finding msblast (or
variants) in the system32 directory, but I can't find any of the files
they mention. I've done a process list and there appear to be are no
suspicious processes running. These are listed below.
Can anyone help with some information. I'm pretty desparate!
Many thanks
Simon
--- PROCESS LIST
StartupList report, 13/10/2007, 09:43:40
StartupList version: 1.52
Started from : C:\Documents and Settings\Maria\Local Settings\Temp
\wz57ba\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Maria\Local Settings\Temp\wz57ba
\StartupList.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat
7.0\Reader\reader_sl.exe
Digital Line Detect.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office
\Office10\OSA.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Apoint = C:\Program Files\Apoint\Apoint.exe
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_03\bin
\jusched.exe
(Default) =
IntelWireless = C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf
Intel PROSet/Wireless
Dell QuickSet = C:\Program Files\Dell\QuickSet\quickset.exe
DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager
\sgtray.exe" /r
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB
\realsched.exe" -osboot
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Google Desktop Search = "C:\Program Files\Google\Google Desktop Search
\GoogleDesktop.exe" /startup
TrueImageMonitor.exe = C:\Program Files\Acronis\TrueImageHome
\TrueImageMonitor.exe
AcronisTimounterMonitor = C:\Program Files\Acronis\TrueImageHome
\TimounterMonitor.exe
Acronis Scheduler2 Service = "C:\Program Files\Common Files\Acronis
\Schedule2\schedhlp.exe"
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not
found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not
found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not
found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not
found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not
found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not
found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not
found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:
\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmypics.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX
\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll -
{5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - c:\program files\google\googletoolbar2.dll -
{AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier
\2.0.301.7164\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
--------------------------------------------------
Enumerating Task Scheduler jobs:
AppleSoftwareUpdate.job
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
End of report, 7,457 bytes
Report generated in 0.235 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of
platform
/history - to list version history only