Thomas N
Description of my problem:
My wife's PC (Windows XP Home edition, Build 2600, SP1)
was infected by the Blaster/Lovsan Worm probably on
Tuesday.
I found out about it through my wife's Internet provider
on Wednesday. In fact, they were nice enough to send us
some information for manual removal.
In following the instructions I was able to remove
msblast.exe from the taskmanager and also 'windows auto
update = msblast.exe' from the Registry. (Nothing was said
about the C:\windows\system32)
The third step in the manual removal process related to
the 'remote procedure call (RPC)' service found
under 'Control Panel --> Administration ... --> Services'.
By right clicking the entry --> Properties --> editable
window with two tabs, I was meant to deactivate the
procedure (probably also to deactivate the restore
process).
Well, I was not able to do this under the correct tab
(function disabled). So, I went to the other tab and saw
that I could disable this function here, which I did
without too much thinking.
As it proved, the effect of this is bad and I am not able
to 'enable' this process again. I have talked to several
experts here (including Microsoft Switzerland) who gave
me suggestions following normal standard restore
procedures. None of this worked so far:
I find the RPC procedure under 'Standard Services', 'not
started'. Clicking on Properties does not lead to the
opening of an 'editable window' as before. Right clicking
on the RPC procedure and selecting 'Start' comes back with
Error 1058: 'the service can not be started because it is
disabled or because it has no enabled devices associated
with it'.
Trying to restore the system is not successful either:
Clicking 'Start --> ALL Programs --> Accessories -->
System Tools --> System Restore' comes back with: 'System
Restore is not able to protect your computer. Please,
restart your computer and then run System Restore again'
Pressing F8 at start-up of the computer and selecting 'Last
known Good Configuration (your most recent settings that
worked)' does not generate an earlier version.
Pressing F8 at start-up and selecting 'safe mode', the
system behaves the same as for 'normal mode', i.e. I am
also not able to select a version of the system prior to
disabling RPC.
Using 'Start --> Run' and entering dcomcnfg leads me to a
window. Opening 'Component Services' and trying to
doubleclick on 'Computer' does not get me any underlying
information. I should have been able to select from
here 'Arbeitsplatz (workplace?) --> rightclick -->
properties --> standard Procedures --> activate DCOM'.
I did get the Microsoft patch to take care of the DCOM RPC
vulnerability through my computer. However, when I try to
install it on my wife's computer I get Setup Error KB
823980: 'Setup could not verify the integrity of the file
Update.inf. Make sure the cryptographic service is running
on this computer'
Since I did get the Norton Removal Tool for the worm, I am
basically set. I hope to have the rest of the problems (no
Internet-, WindowsUpdate-Access, windows disappear when
sending them to the task bar, links to certain information
on the PC (DELL) or certain underlying windows don't open
up) solved by enabling the RPC process again.
Questions:
It was suggested to me to use the Windows Installation CD
and install anew. Question: what could get lost with
regard to non-OS applications (e.g. my wife's family tree
progr.) or data like mails, address lists etc. (I'm
trying to save myself some work!)
Is there a way to enable the RPC service by starting
some .exe files from the windows directory directly?
Is there a way to manually edit some Registry entries to
achieve the same thing?
Thanks for your help.
Tom