Blaster Worm Relapse?????


brian_mosher

I have posted this in an XP OS group, but this is a bit more trafficked
so I'm posting here as well...

My laptop has me stumped. It's Windows XP Home SP2 and I have a cable
internet connection. Recently I noticed on bootup that I got an error
": Cannot connect to RPC Server" and my company's dialup
solution (iPass) gives errors on startup. I then get the dreaded "RPC
Procedure Call Shutdown" that everyone was getting when the Blaster
worm came around. I use "shutdown -a" to stop that. Here are some other
issues...


1) I have no network connections allegedly. Or so the control panel
tells me.


2) I cannot bring up ONLY CERTAIN sites. I can navigate to many sites
fine: msn, yahoo, google, cnn, etc. However if I go to hotmail, or log
into a site I gamble on, it's a blank page that says "done". Windows
update is another site I cannot get to.


3) I cannot use system restore. It just will never come up in safe mode
or normal mode.


I'm sure there are more random issues, but this names a few.


So I keep up with updates. I patched for Blaster a while back, I have
all current Windows updates, I have an up-to-date antivirus solution,
and can find nothing. I have run the Blaster removal tool, it doesn't
find it. I have run a virus scan, nothing. I have run Ad-Aware and
Spybot, nothing. I ran the McAfee Stinger, nothing.


Does anyone have any ideas on this at all? It totally has me stumped.


Thanks,


Brian Mosher
 

David H. Lipman

From: <[email protected]>

| I have posted this in an XP OS group, but this is a bit more trafficked
| so I'm posting here as well...
|
| My laptop has me stumped. It's Windows XP Home SP2 and I have a cable
| internet connection. Recently I noticed on bootup that I got an error
| ": Cannot connect to RPC Server" and my company's dialup
| solution (iPass) gives errors on startup. I then get the dreaded "RPC
| Procedure Call Shutdown" that everyone was getting when the Blaster
| worm came around. I use "shutdown -a" to stop that. Here are some other
| issues...
|
| 1) I have no network connections allegedly. Or so the control panel
| tells me.
|
| 2) I cannot bring up ONLY CERTAIN sites. I can navigate to many sites
| fine: msn, yahoo, google, cnn, etc. However if I go to hotmail, or log
| into a site I gamble on, it's a blank page that says "done". Windows
| update is another site I cannot get to.
|
| 3) I cannot use system restore. It just will never come up in safe mode
| or normal mode.
|
| I'm sure there are more random issues, but this names a few.
|
| So I keep up with updates. I patched for Blaster a while back, I have
| all current Windows updates, I have an up-to-date antivirus solution,
| and can find nothing. I have run the Blaster removal tool, it doesn't
| find it. I have run a virus scan, nothing. I have run Ad-Aware and
| Spybot, nothing. I ran the McAfee Stinger, nothing.
|
| Does anyone have any ideas on this at all? It totally has me stumped.
|
| Thanks,
|
| Brian Mosher

I doubt it's the Lovsan/Blaster. It is more like a corruption in the RPC RPCSS/DCOM
software modules/DLLs.

Just to make sure...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org -- Kixtart is CareWare }, 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend, Kaspersky and McAfee Anti Virus Command
Line Scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute: Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose: Unzip
Choose: Close

Execute: C:\AV-CLS\StartMenu.BAT
{ or double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE to go through your
firewall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 

brian_mosher

No good, Dave. I ran the StartMenu.bat and it just brings up a command
prompt briefly, beeps, and kills the command prompt window. If I open
the command prompt myself and run it from there it will beep and kill
the window. I had to wait to come to work to reply to you this morning
because if I hit reply on my machine it just brings me back to the top
of the page. I believe there may be something screwy with Java as well
because it seems like any page I try to access that utilizes Java in
any way is all screwed up. I have no idea though; again, I'm stumped. I
have Trend as my corporate anti-virus solution if that's what your
program was trying to accomplish. When I run a scan, I get no viruses.
Any other ideas?

Thanks,

Brian
 

David H. Lipman

From: <[email protected]>

| No good, Dave. I ran the StartMenu.bat and it just brings up a command
| prompt briefly, beeps, and kills the command prompt window. If I open
| the command prompt myself and run it from there it will beep and kill
| the window. I had to wait to come to work to reply to you this morning
| because if I hit reply on my machine it just brings me back to the top
| of the page. I believe there may be something screwy with Java as well
| because it seems like any page I try to access that utilizes Java in
| any way is all screwed up. I have no idea though; again, I'm stumped. I
| have Trend as my corporate anti-virus solution if that's what your
| program was trying to accomplish. When I run a scan, I get no viruses.
| Any other ideas?
|
| Thanks,
|
| Brian

The software works and works well. I have a feeling that you didn't follow the
directions when you executed:
Multi_AV.exe

You must use the default folder C:\AV-CLS

When you run the Multi AV scanner, use the Sophos, McAfee or Kaspersky scanner modules
since you already have Trend Micro AV on the PC.
 

brian_mosher

Dave, it doesn't take my MIS degree to know how to double-click on a
file to run it. I left the default directory C:\AV-CLS. When I run the
batch file "StartMenu.bat" I get the exact results I explained earlier.
However I did some piddling around and I found that very very very
briefly the following message is displayed before it kills the window:

0
Error : expected expression!
Script: C:\AV-CLS\menu.kix
Line : 13

I have a screenshot of it if you'd like it emailed to you. I took a
look at the menu.kix file, but I hate programming and didn't feel like
getting into it. If you have any more ideas besides "I didn't execute
the file correctly" then I'd be happy to hear them. Thanks.

Brian
 

David H. Lipman

From: <[email protected]>

| Dave, it doesn't take my MIS degree to know how to double-click on a
| file to run it. I left the default directory C:\AV-CLS. When I run the
| batch file "StartMenu.bat" I get the exact results I explained earlier.
| However I did some piddling around and I found that very very very
| briefly the following message is displayed before it kills the window:
|
| 0
| Error : expected expression!
| Script: C:\AV-CLS\menu.kix
| Line : 13
|
| I have a screenshot of it if you'd like it emailed to you. I took a
| look at the menu.kix file, but I hate programming and didn't feel like
| getting into it. If you have any more ideas besides "I didn't execute
| the file correctly" then I'd be happy to hear them. Thanks.
|
| Brian

It is difficult to support one remotely, especially when you can't see what they see. Line
13 uses Windows Management Instrumentation to query the state of the computer (Normal Mode
vs Safe Mode). This is done after it runs a check on the functionality of WMI in a function
called ConfirmWMI().

Why your computer is failing to query "Win32_ComputerSystem" for the "BootupState" is unknown,
but that is what seems to be happening on your computer. I'm sorry that I may have come to
a faux conclusion on what the script failed to run for you, but based upon your reply, that
was all I had to go on. You didn't supply any facts to me as you have in the subsequent
reply.

Now the question is if there is a common factor that causes your RPC DCOM problem and this
WMI query problem of the script.

That I don't know and I'm left at a loss.
 

brian_mosher

Dave,

Thanks for your effort on that. I realize it's difficult to support
remotely. I do it every day with computer-illiterate pharmacists. I
suppose I'm going to have to do exactly what I don't want to do and
back up everything I've got and start over. It happens.

Thanks,

Brian
 

David H. Lipman

From: <[email protected]>

| Dave,
|
| Thanks for your effort on that. I realize it's difficult to support
| remotely. I do it every day with computer-illiterate pharmacists. I
| suppose I'm going to have to do exactly what I don't want to do and
| back up everything I've got and start over. It happens.
|
| Thanks,
|
| Brian

Further research indicates that Windows Management Instrumentation (WMI) does have a
dependency upon the RPC Service. Therefore the problem experienced with the WMI Query on
the BootState is somewhat tied to your problems encountered with RPC.

Lesson learned here!
{ at least on my part }
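The two points made above (menu.kix queries Win32_ComputerSystem for BootupState, and WMI depends on the RPC service) can be checked on a machine directly rather than inferred from a vanishing console window. The PowerShell diagnostic below is an added example, not code from this thread, from Multi_AV or from menu.kix; the function name Test-WmiBootState is my own. It assumes PowerShell 3 or later on Windows (so it would not run on the XP SP2 laptop as shipped, but on a current box it shows the same service chain). It first reads the state of the RPC service (RpcSs) and the WMI service (Winmgmt) and lists what Winmgmt declares it requires, then runs the same BootupState query the script makes, catching the failure instead of letting it kill the window.

```powershell
# Added diagnostic; not part of the thread, Multi_AV or menu.kix.
# Assumes PowerShell 3+ on Windows. Test-WmiBootState is a hypothetical name.
function Test-WmiBootState {
    [CmdletBinding()]
    param()

    # 1. Service states. WMI (Winmgmt) cannot answer queries if RPC (RpcSs) is down.
    $rpc = Get-Service -Name RpcSs   -ErrorAction SilentlyContinue
    $wmi = Get-Service -Name Winmgmt -ErrorAction SilentlyContinue

    $result = [ordered]@{
        RpcSsStatus     = if ($rpc) { $rpc.Status.ToString() } else { 'NotFound' }
        WinmgmtStatus   = if ($wmi) { $wmi.Status.ToString() } else { 'NotFound' }
        WinmgmtRequires = @()
        BootupState     = $null
        WmiError        = $null
    }

    # 2. Show the declared dependency chain, so the RPC -> WMI link is visible
    #    instead of being something you have to "further research".
    if ($wmi) {
        $result.WinmgmtRequires = @(Get-Service -Name Winmgmt -RequiredServices |
                                    ForEach-Object Name)
    }

    # 3. The same kind of query menu.kix makes (Win32_ComputerSystem.BootupState),
    #    but wrapped so a broken WMI/RPC stack produces a message, not a dead window.
    try {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
        $result.BootupState = $cs.BootupState   # typically 'Normal boot' or 'Fail-safe boot'
    } catch {
        $result.WmiError = $_.Exception.Message
    }

    [pscustomobject]$result
}

$r = Test-WmiBootState
$r | Format-List

# Interpret the outcome the way the thread eventually did: a WMI failure with RPC
# stopped points at RPC, not at the scanner script or the AV engines.
if ($r.WmiError -and $r.RpcSsStatus -ne 'Running') {
    Write-Warning "WMI query failed and RpcSs is not running: repair RPC before retrying any WMI-based script."
} elseif ($r.WmiError) {
    Write-Warning "WMI query failed although RpcSs is running: check the WMI repository (winmgmt /verifyrepository)."
} else {
    Write-Host "WMI answered: BootupState = $($r.BootupState)"
}
```

Run it from a normal prompt first and again from Safe Mode; on a healthy system WinmgmtRequires includes RpcSs, BootupState reports the mode, and WmiError stays empty. On a machine in the state described in this thread, the expectation is a non-empty WmiError with RpcSs not Running, which is the "common factor" the later post identifies.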
 
