Copyright © 1999 - 2006, Sandra Hardmeier, All Rights Reserved Worldwide
Last updated 20/08/2006
Generic Host Process for Win32 Services has encountered a problem and needs to close
Svchost.exe has generated errors and will be closed by Windows
This shutdown was initiated by NT AUTHORITY/SYSTEM
Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly
Computer reboots over and over
msblast.exe
NOTE: The error "svchost.exe has generated errors and will be closed by Windows" can be caused by the Aventail Connect Client and Bearshare:
http://support.microsoft.com?scid=kb;EN-US;Q259275
http://support.microsoft.com?scid=kb;EN-US;Q308712
http://support.microsoft.com?scid=kb;EN-US;Q321024
The svchost.exe error message can also occur if Novell GroupWise is installed on the problem computer, and the gwtps1.dll file is dated earlier than July 2000:
http://support.microsoft.com?scid=kb;EN-US;Q319161
Or if you do not disconnect from a phone call before you restart your computer:
http://support.microsoft.com?scid=kb;EN-US;Q278718
NOTE: The error "this shutdown was initiated by NT AUTHORITY/SYSTEM" is not unique to Blaster infection:
http://support.microsoft.com?scid=kb;EN-US;Q318447
http://support.microsoft.com?scid=kb;EN-US;Q318650
Original "blaster" worm:
Win32.Poza infection... also known as W32.BlasterWorm and W32/Lovsan worm. More info at the "Internet Storm Centre"
It can be very hard to get rid of... advice can be found at the following links. The owners of the sites are updating as often as they can. Kellys-Korner has a script that is being constantly updated to try and keep up with the new varieties and problems as they appear.
http://www.bigblackglasses.com/Article.aspx?Article=342
http://www.microsoft.com/security/incident/blast.asp
http://www.kellys-korner-xp.com/xp_tweaks.htm (257 = PRC worm; 258 = w32.randex.e worm)
http://aumha.org/win5/a/blaster.htm
Worm removal scripts:
http://www.kellys-korner-xp.com/xp_w.htm#worm
Microsoft's page (regularly updated):
http://www.microsoft.com/security/incident/blast.asp
Microsoft has issued a new patch addressing the original Blaster vulnerability and three newly discovered vulnerabilities. Download and install the new patch as soon as possible, even if you installed the original "Blaster" patch:
http://support.microsoft.com/?scid=kb;en-us;824146
KB Article: Virus Alert about the Blaster Worm and its variants:
http://support.microsoft.com?scid=kb;EN-US;Q826955
KB Article: Virus Alert about the Nachi worm:
http://support.microsoft.com?scid=kb;EN-US;Q826234
The related Technet article is at the URL below:
http://www.microsoft.com/security/security_bulletins/ms03-039.asp
Screen shots of the original virus in action are here:
Important Information on Win32.Poza
Do you have a firewall? If not, why not? ZoneAlarm is free and XP has a built-in firewall (not perfect, but better than nothing).
WARNING - WIN98 AND WIN.ME SYSTEMS NOW AFFECTED BY VARIATION ON THE THEME
Files created - nstask32.exe; winlogin.exe; win32sockdrv.dll; yuetyutr.dll. Preliminary information available here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.e.html
Stop the rebooting
Start, run - services.msc
Right click RPC (Remote Procedure Call), choose 'properties' (or just double click the entry). Go to Recovery tab.
Change to 'restart SERVICE'.
[penis32.exe; teekids.exe; win32.poza; w32.blasterworm; w32/Lovsan; ntask32.exe; winlogin.exe; win32sockdrv.dll; yuetyutr.dll; nstask32.exe; winlogin.exe; irc-bbot; worm_rpcsdbot.a; w32.randex.e; dcom rpc vulnerability; lovesan; msblast.exe; root32.exe; wuaumgr.exe (w32.spybot.worm) sometimes loaded; can't run task manager;