Copyright 1999 - 2006, Sandra Hardmeier, All Rights Reserved Worldwide
Last updated 20/08/2006

Generic Host Process for Win32 Services has encountered a problem and needs to close
Svchost.exe has generated errors and will be closed by Windows
This shutdown was initiated by NT AUTHORITY/SYSTEM
Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly

Computer reboots over and over
msblast.exe

 

NOTE: The error "svchost.exe has generated errors and will be closed by Windows" can be caused by the Aventail Connect Client and Bearshare:
http://support.microsoft.com?scid=kb;EN-US;Q259275

http://support.microsoft.com?scid=kb;EN-US;Q308712

http://support.microsoft.com?scid=kb;EN-US;Q321024

 

The svchost.exe error message can also occur if Novell GroupWise is installed on the problem computer, and the gwtps1.dll file is dated earlier than July 2000:
http://support.microsoft.com?scid=kb;EN-US;Q319161

 

Or if you do not disconnect from a phone call before you restart your computer:
http://support.microsoft.com?scid=kb;EN-US;Q278718

 

NOTE: The error "this shutdown was initiated by NT AUTHORITY/SYSTEM" is not unique to Blaster infection:

http://support.microsoft.com?scid=kb;EN-US;Q318447

http://support.microsoft.com?scid=kb;EN-US;Q318650

 

Original "blaster" worm:

Win32.Poza infection... also known as W32.BlasterWorm and W32/Lovsan worm.  More info at the "Internet Storm Centre"

 

It can be very hard to get rid of... advice can be found at the following links. The owners of the sites are updating as often as they can. Kellys-Korner has a script that is being constantly updated to try and keep up with the new varieties and problems as they appear.

 

http://www.bigblackglasses.com/Article.aspx?Article=342

http://www.microsoft.com/security/incident/blast.asp

http://www.kellys-korner-xp.com/xp_tweaks.htm (257 = RPC worm; 258 = w32.randex.e worm)

http://aumha.org/win5/a/blaster.htm

 

Worm removal scripts:

http://www.kellys-korner-xp.com/xp_w.htm#worm

 

Microsoft's page (regularly updated):

http://www.microsoft.com/security/incident/blast.asp

 

Microsoft has issued a new patch addressing the original Blaster vulnerability and three newly discovered vulnerabilities. Download and install the new patch as soon as possible, even if you installed the original "Blaster" patch:

http://support.microsoft.com/?scid=kb;en-us;824146

 

KB Article: Virus Alert about the Blaster Worm and its variants:
http://support.microsoft.com?scid=kb;EN-US;Q826955

KB Article: Virus Alert about the Nachi worm:
http://support.microsoft.com?scid=kb;EN-US;Q826234

 

The related Technet article is at the URL below:

http://www.microsoft.com/security/security_bulletins/ms03-039.asp

 

Screen shots of the original virus in action are here:

Important Information on Win32.Poza

 

Do you have a firewall?  If not, why not? ZoneAlarm is free and XP has a built-in firewall (not perfect, but better than nothing).

 

WARNING - WIN98 AND WIN.ME SYSTEMS NOW AFFECTED BY VARIATION ON THE THEME

Files created - nstask32.exe; winlogin.exe; win32sockdrv.dll; yuetyutr.dll.  Preliminary information available here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.e.html

 

Stop the rebooting

Start, run - services.msc

Right-click RPC (Remote Procedure Call), choose 'Properties' (or just double-click the entry). Go to the Recovery tab.

Change to 'restart SERVICE'.
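
The Recovery-tab change described above can also be made from a command prompt. This is an added example, not part of the original page; it assumes Windows XP, an administrator account, and that RpcSs is the service name behind "Remote Procedure Call (RPC)" in services.msc.

```batch
@echo off
rem Added example: command-line form of the Recovery-tab change.
rem Assumptions: Windows XP, administrator account, service name RpcSs.
setlocal
set SVC=RpcSs

rem Cancel a shutdown countdown that is already running, if there is one.
shutdown -a >nul 2>&1

echo Current failure actions for %SVC%:
sc qfailure %SVC%
if errorlevel 1 (
    echo Could not query %SVC%. Run this from an administrator account.
    exit /b 1
)

rem First, second and subsequent failures: restart the service after
rem 60000 ms instead of restarting the computer. reset= is the number of
rem seconds after which the failure count returns to zero.
rem The space after each "=" is required by sc.exe.
sc failure %SVC% reset= 86400 actions= restart/60000/restart/60000/restart/60000
if errorlevel 1 (
    echo Failed to change the recovery settings for %SVC%.
    exit /b 1
)

echo New failure actions for %SVC%:
sc qfailure %SVC%
endlocal
```

This only stops the forced restarts; the patch and the removal steps linked above are still needed.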

 

[penis32.exe; teekids.exe; win32.poza; w32.blasterworm; w32/Lovsan; ntask32.exe; winlogin.exe; win32sockdrv.dll; yuetyutr.dll; nstask32.exe; winlogin.exe; irc-bbot; worm_rpcsdbot.a; w32.randex.e; dcom rpc vulnerability; lovesan; msblast.exe; root32.exe; wuaumgr.exe (w32.spybot.worm) sometimes loaded; can't run task manager;