Remote Procedure Call

Discussion in 'Computer Support' started by Dan, Jan 21, 2004.

  1. Dan

    Dan Guest

    For the past 3 days, I've been patiently working on this lousy computer.
    Had several Agobot worms. Have followed all the instructions on the Trend
    Micro web site for these worms. I now get clean virus scans. (no viruses).
    Yet the RPC keeps shutting me down. When I go to regedit it only stays open
    for about 10 seconds then closes it automatically. From
    regedit_HKEY_Local_Machine_Software_Microsoft_Windows_Currentversion_Run
    I have listed;Default-value not set; Microsoft
    Configuration-Msconfig32.exe;Ms Security Hot Fix-Spoolsrv32.exe;Symantec
    Configuration-CcApp32.exe and Windows explorer-Lsas.exe
    Are these all supposed to be here? I've just freshly installed xp pro with
    no software installed.
    System restore is disabled. Luckily I still have Win 98 running as well, so
    I can get help!!!!
    Any advice would be greatly appreciated. Thanx.
     
    Dan, Jan 21, 2004
    #1

  2. Dan

    why? Guest

    On Wed, 21 Jan 2004 04:24:09 GMT, Dan wrote:

    >For the past 3 days, I've been patiently working on this lousy computer.
    >Had several Agobot worms. Have followed all the instructions on the Trend
    >Micro web site for these worms. I now get clean virus scans. (no viruses).
    >Yet the RPC keeps shutting me down. When I go to regedit it only stays open
    >for about 10 seconds then closes it automatically. From


    Sounds like you may have the Blaster worm, here is some info.

    <snip>
    >Any advice would be greatly appreciated. Thanx.


    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    Here is most of the article -

    W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability
    (described in Microsoft Security Bulletin MS03-026) using TCP port 135.

    The MS link above is,
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
    which was replaced by
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp


    The worm targets only Windows 2000 and Windows XP machines. While
    Windows NT and Windows 2003 Server machines are vulnerable to the
    aforementioned exploit (if not properly patched), the worm is not coded
    to replicate to those systems. This worm attempts to download the
    msblast.exe file to the %WinDir%\system32 directory and then execute it.
    W32.Blaster.Worm does not have a mass-mailing functionality.

    <very big snip>

    Removal using the W32.Blaster.Worm Removal Tool
    Symantec Security Response has developed a removal tool to clean the
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html


    Manual Removal
    As an alternative to using the removal tool, you can manually remove
    this threat. The following instructions pertain to all current and
    recent Symantec antivirus products, including the Symantec AntiVirus and
    Norton AntiVirus product lines.

    1. Restore Internet connectivity.
    2. End the worm process.
    3. Obtain the latest virus definitions.
    4. Scan for and delete the infected files.
    5. Reverse the changes made to the registry.
    6. Obtain the Microsoft HotFix to correct the DCOM RPC vulnerability.



    For specific details, refer to the following instructions:

    1. Restoring Internet connectivity
    In many cases, on both Windows 2000 and XP, changing the settings for
    the Remote Procedure Call (RPC) service may allow you to connect to the
    Internet without the computer shutting down. To restore Internet
    connectivity to your PC, follow these steps:

    1. Click Start > Run. The Run dialog box appears.
    2. Type:

       SERVICES.MSC /S

       in the open line, and then click OK. The Services window opens.
    3. In the right pane, locate the Remote Procedure Call (RPC) service.

       CAUTION: There is also a service named Remote Procedure Call
       (RPC) Locator. Do not confuse the two.
    4. Right-click the Remote Procedure Call (RPC) service, and then
       click Properties.
    5. Click the Recovery tab.
    6. Using the drop-down lists, change First failure, Second failure,
       and Subsequent failures to "Restart the Service."
    7. Click Apply, and then OK.

    CAUTION: Make sure that you change these settings back once
    you have removed the worm.

    2. Ending the Worm process

    1. Press Ctrl+Alt+Delete once.
    2. Click Task Manager.
    3. Click the Processes tab.
    4. Double-click the Image Name column header to alphabetically sort
    the processes.
    5. Scroll through the list and look for Msblast.exe.
    6. If you find the file, click it, and then click End Process.
    7. Exit the Task Manager.

    3. Obtaining the latest virus definitions
    Symantec Security Response fully tests all the virus definitions for
    quality assurance before they are posted to our servers. There are two
    ways to obtain the most recent virus definitions:

    <snip>


    4. Scanning for and deleting the infected files

    1. Start your Symantec antivirus program and make sure that it is
       configured to scan all the files.
       * For Norton AntiVirus consumer products: Read the document,
         "How to configure Norton AntiVirus to scan all files."
       * For Symantec AntiVirus Enterprise products: Read the document,
         "How to verify that a Symantec corporate antivirus product is
         set to scan all files."
    2. Run a full system scan.
    3. If any files are detected as infected with W32.Blaster.Worm, click
       Delete.


    5. Reversing the changes made to the registry
    CAUTION: Symantec strongly recommends that you back up the registry
    before making any changes to it. Incorrect changes to the registry can
    result in permanent data loss or corrupted files. Modify the specified
    keys only. Read the document, "How to make a backup of the Windows
    registry," for instructions.

    1. Click Start, and then click Run. (The Run dialog box appears.)
    2. Type regedit

    Then click OK. (The Registry Editor opens.)

    3. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    4. In the right pane, delete the value:

    windows auto update

    5. Exit the Registry Editor.


    6. Obtaining the Microsoft HotFix to correct the DCOM RPC vulnerability
    W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability
    using TCP port 135 to infect your PC. The W32.Blaster.Worm also attempts
    to perform a DoS on the Microsoft Windows Update Web server
    (windowsupdate.com) using your PC. To fix this, it is important to
    obtain the Microsoft Hotfix at: Microsoft Security Bulletin MS03-039.



    Me
     
    why?, Jan 21, 2004
    #2
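
An added example, not part of any post in this thread: a small Python check that applies the Run-key review from step 5 of the quoted removal steps to the entries listed in the first post, flagging image names that closely resemble, but do not equal, a genuine system or vendor binary. The `KNOWN_GOOD` baseline, the 0.75 similarity threshold and all function names are assumptions made for this illustration.

```python
import difflib
import ntpath
import re

# Assumed baseline (not from the thread): genuine image names that are often
# imitated. Extend it with the software actually installed on the host.
KNOWN_GOOD = ["lsass.exe", "spoolsv.exe", "msconfig.exe", "ccapp.exe",
              "svchost.exe", "explorer.exe", "services.exe", "winlogon.exe"]
KNOWN_BAD = {"msblast.exe"}  # image name given in the quoted Symantec article

# Run-key pairs named on this page: the value the removal steps delete
# (paired with the worm's file name), then the four entries from post #1.
RUN_ENTRIES = [
    ("windows auto update", "msblast.exe"),
    ("Microsoft Configuration", "Msconfig32.exe"),
    ("Ms Security Hot Fix", "Spoolsrv32.exe"),
    ("Symantec Configuration", "CcApp32.exe"),
    ("Windows explorer", "Lsas.exe"),
]


def image_name(command):
    """Reduce a Run-key command line to a lower-case file name."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    if not m:
        return ""
    return ntpath.basename(m.group(1) or m.group(2)).lower()


def classify(command, threshold=0.75):
    """Return (verdict, closest genuine name or None) for one command."""
    name = image_name(command)
    if name in KNOWN_BAD:
        return ("known-bad", None)
    if name in KNOWN_GOOD:
        return ("baseline", name)
    # Near miss against the baseline: same look, different file name.
    near = difflib.get_close_matches(name, KNOWN_GOOD, n=1, cutoff=threshold)
    return ("look-alike", near[0]) if near else ("unknown", None)


def audit(entries):
    """Classify every (value name, command) pair from a Run key."""
    return [(value, cmd) + classify(cmd) for value, cmd in entries]


if __name__ == "__main__":
    for row in audit(RUN_ENTRIES):
        print("%-24s %-16s %-10s %s" % row)
```

On a live Windows host the same pairs can be read with Python's `winreg` module (`winreg.EnumValue`) and passed to `audit()`.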

  3. Dan

    Dan Guest

    No. Clean scans. Am at the end of my rope. Tried AVG anti virus, which found
    lovsan.a??? Why didn't Trend Micro's online scan find it???? Still getting
    RPC. Tried to disable RPC from con. pan.- ad. settings-settings. Now I
    can't bring up properties to enable it???? It's really screwy now.
    "Dan" <> wrote in message
    news:J9nPb.199647$X%5.92627@pd7tw2no...
    > For the past 3 days, I've been patiently working on this lousy computer.
    > Had several Agobot worms. Have followed all the instructions on the Trend
    > Micro web site for these worms. I now get clean virus scans. (no viruses).
    > Yet the RPC keeps shutting me down. When I go to regedit it only stays open
    > for about 10 seconds then closes it automatically. From
    > regedit_HKEY_Local_Machine_Software_Microsoft_Windows_Currentversion_Run
    > I have listed;Default-value not set; Microsoft
    > Configuration-Msconfig32.exe;Ms Security Hot Fix-Spoolsrv32.exe;Symantec
    > Configuration-CcApp32.exe and Windows explorer-Lsas.exe
    > Are these all supposed to be here? I've just freshly installed xp pro with
    > no software installed.
    > System restore is disabled. Luckily I still have Win 98 running as well, so
    > I can get help!!!!
    > Any advice would be greatly appreciated. Thanx.
    >
    >
     
    Dan, Jan 22, 2004
    #3
  4. Dan

    Mara Guest

    On Thu, 22 Jan 2004 02:49:07 GMT, Dan wrote:

    >No. Clean scans. Am at the end of my rope. Tried AVG anti virus, which found
    >lovsan.a??? Why didn't Trend Micro's online scan find it???? Still getting
    >RPC. Tried to disable RPC from con. pan.- ad. settings-settings. Now I
    >can't bring up properties to enable it???? It's really screwy now.


    http://www.sophos.com/virusinfo/analyses/w32blastera.html
    http://www.sophos.com/support/disinfection/blastera.html

    <snip>

    --
    If you would be a real seeker after truth, it is necessary that at least once
    in your life you doubt, as far as possible, all things. --Rene Descartes
     
    Mara, Jan 22, 2004
    #4
  5. Dan

    why? Guest

    On Thu, 22 Jan 2004 02:49:07 GMT, Dan wrote:

    >No. Clean scans. Am at the end of my rope. Tried AVG anti virus, which found


    No what? You say clean scans, then found another problem.

    >lovsan.a??? Why didn't Trend Micro's online scan find it???? Still getting


    Ask them.

    >RPC. Tried to disable RPC from con. pan.- ad. settings-settings. Now I


    Well your message wasn't a lot to go on. What's the exact wording?

    >can't bring up properties to enable it???? It's really screwy now.


    Because you disabled RPC and it's not screwy.

    Look for the Mike (maybe Boomer as well) posts listing other AV products
    and the online scanners. You may just be able to get a scan started long
    enough to ID something else.

    NAI also have a small standalone scanner for a *limited* set of worms,
    trojans etc.

    http://vil.nai.com/vil/stinger/
    the download is
    http://download.nai.com/products/mcafee-avert/stinger.exe

    >"Dan" <> wrote in message
    >news:J9nPb.199647$X%5.92627@pd7tw2no...
    >> For the past 3 days, I've been patiently working on this lousy computer.
    >> Had several Agobot worms. Have followed all the instructions on the Trend
    >> Micro web site for these worms. I now get clean virus scans. (no viruses).
    >> Yet the RPC keeps shutting me down. When I go to regedit it only stays open
    >> for about 10 seconds then closes it automatically. From
    >> regedit_HKEY_Local_Machine_Software_Microsoft_Windows_Currentversion_Run
    >> I have listed;Default-value not set; Microsoft
    >> Configuration-Msconfig32.exe;Ms Security Hot Fix-Spoolsrv32.exe;Symantec
    >> Configuration-CcApp32.exe and Windows explorer-Lsas.exe
    >> Are these all supposed to be here? I've just freshly installed xp pro with
    >> no software installed.


    So when did you connect XP Pro to the Internet? To download the patches
    you need.

    >> System restore is disabled. Luckily I still have Win 98 running as well, so
    >> I can get help!!!!
    >> Any advice would be greatly appreciated. Thanx.
    >>
    >>

    >


    Me
     
    why?, Jan 22, 2004
    #5