Remote Procedure Call

 
 
Dan
Guest
Posts: n/a
 
      01-21-2004
For the past 3 days, I've been patiently working on this lousy computer.
Had several Agobot worms. Have followed all the instructions on the Trend
Micro web site for these worms. I now get clean virus scans. (no viruses).
Yet the RPC keeps shutting me down. When I go to regedit it only stays open
for about 10 seconds then closes it automatically. From
regedit_HKEY_Local_Machine_Software_Microsoft_Windows_Currentversion_Run
I have listed; Default-value not set; Microsoft
Configuration-Msconfig32.exe; Ms Security Hot Fix-Spoolsrv32.exe; Symantec
Configuration-CcApp32.exe and Windows explorer-Lsas.exe
Are these all supposed to be here? I've just freshly installed xp pro with
no software installed.
System restore is disabled. Luckily I still have Win 98 running as well, so
I can get help!!!!
Any advice would be greatly appreciated. Thanx.


 
 
 
 
 
why?
Guest
Posts: n/a
 
      01-21-2004

On Wed, 21 Jan 2004 04:24:09 GMT, Dan wrote:

>For the past 3 days, I've been patiently working on this lousy computer.
>Had several Agobot worms. Have followed all the instructions on the Trend
>Micro web site for these worms. I now get clean virus scans. (no viruses).
>Yet the RPC keeps shutting me down. When I go to regedit it only stays open
>for about 10 seconds then closes it automatically. From


Sounds like you may have the Blaster worm, here is some info.

<snip>
>Any advice would be greatly appreciated. Thanx.


http://securityresponse.symantec.com...ster.worm.html

Here is most of the article -

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability
(described in Microsoft Security Bulletin MS03-026) using TCP port 135.

The MS link above is,
http://www.microsoft.com/technet/tre...n/MS03-026.asp
which was replaced by
http://www.microsoft.com/technet/tre...n/MS03-039.asp


The worm targets only Windows 2000 and Windows XP machines. While
Windows NT and Windows 2003 Server machines are vulnerable to the
aforementioned exploit (if not properly patched), the worm is not coded
to replicate to those systems. This worm attempts to download the
msblast.exe file to the %WinDir%\system32 directory and then execute it.
W32.Blaster.Worm does not have a mass-mailing functionality.

<very big snip>

Removal using the W32.Blaster.Worm Removal Tool
Symantec Security Response has developed a removal tool to clean the
http://securityresponse.symantec.com...oval.tool.html


Manual Removal
As an alternative to using the removal tool, you can manually remove
this threat. The following instructions pertain to all current and
recent Symantec antivirus products, including the Symantec AntiVirus and
Norton AntiVirus product lines.

1. Restore Internet connectivity.
2. End the worm process.
3. Obtain the latest virus definitions.
4. Scan for and delete the infected files.
5. Reverse the changes made to the registry.
6. Obtain the Microsoft HotFix to correct the DCOM RPC vulnerability.



For specific details, refer to the following instructions:

1. Restoring Internet connectivity
In many cases, on both Windows 2000 and XP, changing the settings for
the Remote Procedure Call (RPC) service may allow you to connect to the
Internet without the computer shutting down. To restore Internet
connectivity to your PC, follow these steps:

1. Click Start > Run. The Run dialog box appears.
2. Type:

SERVICES.MSC /S

in the open line, and then click OK. The Services window
opens.

3. In the right pane, locate the Remote Procedure Call (RPC)
service.

CAUTION: There is also a service named Remote Procedure Call
(RPC) Locator. Do not confuse the two.
4. Right-click the Remote Procedure Call (RPC) service, and
then click Properties.
5. Click the Recovery tab.
6. Using the drop-down lists, change First failure, Second
failure, and Subsequent failures to "Restart the Service."
7. Click Apply, and then OK.

CAUTION: Make sure that you change these settings back once
you have removed the worm.

2. Ending the Worm process

1. Press Ctrl+Alt+Delete once.
2. Click Task Manager.
3. Click the Processes tab.
4. Double-click the Image Name column header to alphabetically sort
the processes.
5. Scroll through the list and look for Msblast.exe.
6. If you find the file, click it, and then click End Process.
7. Exit the Task Manager.

3. Obtaining the latest virus definitions
Symantec Security Response fully tests all the virus definitions for
quality assurance before they are posted to our servers. There are two
ways to obtain the most recent virus definitions:

<snip>


4. Scanning for and deleting the infected files

1. Start your Symantec antivirus program and make sure that it is
configured to scan all the files.
* For Norton AntiVirus consumer products: Read the document,
"How to configure Norton AntiVirus to scan all files."
* For Symantec AntiVirus Enterprise products: Read the
document, "How to verify that a Symantec corporate antivirus product is
set to scan all files."
2. Run a full system scan.
3. If any files are detected as infected with W32.Blaster.Worm, click
Delete.


5. Reversing the changes made to the registry
CAUTION: Symantec strongly recommends that you back up the registry
before making any changes to it. Incorrect changes to the registry can
result in permanent data loss or corrupted files. Modify the specified
keys only. Read the document, "How to make a backup of the Windows
registry," for instructions.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit

Then click OK. (The Registry Editor opens.)

3. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value:

windows auto update

5. Exit the Registry Editor.


6. Obtaining the Microsoft HotFix to correct the DCOM RPC vulnerability
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability
using TCP port 135 to infect your PC. The W32.Blaster.Worm also attempts
to perform a DoS on the Microsoft Windows Update Web server
(windowsupdate.com) using your PC. To fix this, it is important to
obtain the Microsoft Hotfix at: Microsoft Security Bulletin MS03-039.



Me
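
Added example (not part of the thread or of the quoted Symantec article): a small Python triage of a Run key export that flags the value and file named in the removal steps above, plus any file name that closely resembles, without matching, a well-known program name. The export text is constructed from the value names in the first post; the `KNOWN_GOOD` list and the distance threshold are assumptions.

```python
import re

# Constructed sample: regedit-style export of the Run key, built from the value
# names in the first post plus the value the quoted article says to delete.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@=""
"Microsoft Configuration"="Msconfig32.exe"
"Ms Security Hot Fix"="Spoolsrv32.exe"
"Symantec Configuration"="CcApp32.exe"
"Windows explorer"="Lsas.exe"
"windows auto update"="msblast.exe"
'''
# From the quoted article: the Run value to delete and the worm's file name.
BLASTER_VALUE, BLASTER_FILE = "windows auto update", "msblast.exe"
# Assumption: a short reference list of genuine program names to compare against.
KNOWN_GOOD = ["msconfig.exe", "spoolsv.exe", "ccapp.exe", "lsass.exe", "explorer.exe"]
ENTRY = re.compile(r'^(?:"(?P<name>[^"]*)"|@)="(?P<data>[^"]*)"$')

def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]

def triage_run_key(export_text, max_distance=3):
    """Return (value name, file name, reason) for entries that need a closer look."""
    findings = []
    for line in export_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or not m.group("data"):
            continue  # key header, blank line, or empty default value
        name = m.group("name") or "(Default)"
        # Assumption: data is a bare file name or a path without arguments.
        exe = m.group("data").replace("\\\\", "\\").split("\\")[-1].lower()
        if name.lower() == BLASTER_VALUE or exe == BLASTER_FILE:
            findings.append((name, exe, "named in the Blaster removal steps"))
        elif exe not in KNOWN_GOOD:  # an exact name says nothing about the path
            near = min(KNOWN_GOOD, key=lambda good: edit_distance(exe, good))
            if edit_distance(exe, near) <= max_distance:
                findings.append((name, exe, "resembles but is not " + near))
    return findings

if __name__ == "__main__":
    for finding in triage_run_key(SAMPLE_EXPORT):
        print(finding)
```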
 
 
 
 
 
Dan
Guest
Posts: n/a
 
      01-22-2004
No. Clean scans. Am at the end of my rope. Tried AVG anti virus, which found
lovsan.a??? Why didn't Trend Micro's online scan find it???? Still getting
RPC. Tried to disable RPC from con. pan.- ad. settings-settings. Now I
can't bring up properties to enable it???? It's really screwy now.
"Dan" <(E-Mail Removed)> wrote in message
news:J9nPb.199647$X%5.92627@pd7tw2no...
> For the past 3 days, I've been patiently working on this lousy computer.
> Had several Agobot worms. Have followed all the instructions on the Trend
> Micro web site for these worms. I now get clean virus scans. (no viruses).
> Yet the RPC keeps shutting me down. When I go to regedit it only stays open
> for about 10 seconds then closes it automatically. From
> regedit_HKEY_Local_Machine_Software_Microsoft_Windows_Currentversion_Run
> I have listed; Default-value not set; Microsoft
> Configuration-Msconfig32.exe; Ms Security Hot Fix-Spoolsrv32.exe; Symantec
> Configuration-CcApp32.exe and Windows explorer-Lsas.exe
> Are these all supposed to be here? I've just freshly installed xp pro with
> no software installed.
> System restore is disabled. Luckily I still have Win 98 running as well, so
> I can get help!!!!
> Any advice would be greatly appreciated. Thanx.



 
 
Mara
Guest
Posts: n/a
 
      01-22-2004
On Thu, 22 Jan 2004 02:49:07 GMT, Dan wrote:

>No. Clean scans. Am at the end of my rope. Tried AVG anti virus, which found
>lovsan.a??? Why didn't Trend Micro's online scan find it???? Still getting
>RPC. Tried to disable RPC from con. pan.- ad. settings-settings. Now I
>can't bring up properties to enable it???? It's really screwy now.


http://www.sophos.com/virusinfo/anal...2blastera.html
http://www.sophos.com/support/disinf.../blastera.html

<snip>

--
If you would be a real seeker after truth, it is necessary that at least once
in your life you doubt, as far as possible, all things. --Rene Descartes
 
 
why?
Guest
Posts: n/a
 
      01-22-2004

On Thu, 22 Jan 2004 02:49:07 GMT, Dan wrote:

>No. Clean scans. Am at the end of my rope. Tried AVG anti virus, which found


No what? You say clean scans, then found another problem.

>lovsan.a??? Why didn't Trend Micro's online scan find it???? Still getting


Ask them.

>RPC. Tried to disable RPC from con. pan.- ad. settings-settings. Now I


Well your message wasn't a lot to go on. What's the exact wording?

>can't bring up properties to enable it???? It's really screwy now.


Because you disabled RPC and it's not screwy.

Look for the Mike (maybe Boomer as well) posts listing other AV products
and the online scanners. You may just be able to get a scan started long
enough to ID something else.

NAI also have a small standalone scanner for a *limited* set of worms,
trojans etc.

http://vil.nai.com/vil/stinger/
the download is
http://download.nai.com/products/mca...rt/stinger.exe

>"Dan" <(E-Mail Removed)> wrote in message
>news:J9nPb.199647$X%5.92627@pd7tw2no...
>> For the past 3 days, I've been patiently working on this lousy computer.
>> Had several Agobot worms. Have followed all the instructions on the Trend
>> Micro web site for these worms. I now get clean virus scans. (no viruses).
>> Yet the RPC keeps shutting me down. When I go to regedit it only stays open
>> for about 10 seconds then closes it automatically. From
>> regedit_HKEY_Local_Machine_Software_Microsoft_Windows_Currentversion_Run
>> I have listed; Default-value not set; Microsoft
>> Configuration-Msconfig32.exe; Ms Security Hot Fix-Spoolsrv32.exe; Symantec
>> Configuration-CcApp32.exe and Windows explorer-Lsas.exe
>> Are these all supposed to be here? I've just freshly installed xp pro with
>> no software installed.


So when did you connect XP Pro to the Internet? To download the patches
you need.

>> System restore is disabled. Luckily I still have Win 98 running as well, so
>> I can get help!!!!
>> Any advice would be greatly appreciated. Thanx.


Me
 