Really Frustrated - XP RPC Call Failed

[Shane Brodie]

I have just finsihed re-installing my computer, and have a problem where I
cannot maintain a dial-up connection for more than 5 minutes before I
receive a very nasty window stating that there has been an RPC Call Failure
and that Windows needs to reboot. You can't stop the reboot, or do anything
to resolve the problem, as 5 minutes is not long enough to download almost
any patch ... if you could possibly find the patch.

Searching through the Microsoft site has been fruitless in trying to find
what patch would deal with this problem, so I can at least remain on-line
long enough to run Windows update to get the latest patches. Search for
"RPC Call Failed" returns nothing usefull, as does simply searching for
"RPC".

I have been tempted to download and install XP SP2 from the office, but
either the site is congested, or there is a bottelneck somewhere else on the
net because I can't get a transfer rate better than 5Kb /sec on a DSL
connection(19hrs)!

Does anybody have the slightest inkling what hotfixes are required to
resolve the RPC Call Failed issue!!!!

Regards

Shane Brodie

 

[HillBillyBuddhist]

I have just finsihed re-installing my computer, and have a problem where I
cannot maintain a dial-up connection for more than 5 minutes before I
receive a very nasty window stating that there has been an RPC Call Failure
and that Windows needs to reboot. You can't stop the reboot>

Does anybody have the slightest inkling what hotfixes are required to
resolve the RPC Call Failed issue!!!!

Regards

Shane Brodie

Start> Run> Shutdown -a will abort the shutdown.

Courtesy Of J. Jones and his fabulous Web site.

http://www3.telus.net/dandemar/blaster.htm

--
D

I'm not an MVP a VIP nor do I have ESP.
I was just trying to help.
Please use your own best judgment before implementing any suggestions or
advice herein.
No warranty is expressed or implied.
Your mileage may vary.
See store for details.

Remove shoes to E-mail.

 

[Ken Blake, MVP]

In

I have just finsihed re-installing my computer, and have a problem
where I cannot maintain a dial-up connection for more than 5 minutes
before I receive a very nasty window stating that there has been an
RPC Call Failure and that Windows needs to reboot. You can't stop
the reboot, or do anything to resolve the problem, as 5 minutes is
not long enough to download almost any patch ... if you could
possibly find the patch.

You have the MSBlaster worm. To remove it, do the following:

The following instructions are in three parts

1. Stop it from running

2. Remove it from your system

3. Make sure it doesn't come back



Before beginning, if you have an always-on internet connection,
it's a good idea to disconnect it.



1. Stop it from running

Press Ctrl-Alt-Delete to bring up the Task Manager, then on the
Processes tab, click msblast.exe and then "End process." Reply
"Yes" to the warning message that comes up.

This stops the worm from running, so your system will not shut
down. However, it doesn't remove it, and if that's all you do, it
will start up again the next time you boot.


***

2. Remove it from your system

a. Start the registry editor program, regedit, by going to Start
| Run, and typing REGEDIT
Navigate to HKEY_Local_Machine\Software\Microsoft\Windows\Current
Version\Run by clicking the plus signs next to each of the
folders in the left hand pane. When you get to the last of them,
Run, click the word Run itself.

Find an entry called "Windows Auto Update" on the right side.
Right-click it and delete it.

b. Do a Windows search for msblast, and delete all files found.

The worm is now gone, and won't start again the next time you
boot. But if that's all you do, you can get reinfected just as
you did the first time.

***


3. Make sure it doesn't come back

a. Make sure you're running a firewall that prevents worms like
this from getting in. You can enable the built-in Windows XP
firewall, or download and install another one such as the free
version of ZoneAlarm. To enable the built-in firewall, go to
Control Panel, double-click Networking and Internet Connections,
then click Network Connections. Right-click your connection, then
click Properties, and on the Advanced tab, click the option
"Protect my computer and network..."


b. If you've disconnected your internet connection, reconnect it.
Download and install the Microsoft patch at
http://support.microsoft.com/?kbid=824146 or

That will remove the vulnerability that the worm exploits.


c. Be sure you are running an anti-virus program, and that you
regularly download the latest updated virus definitions.

 

[Steve Nielsen]

In addition to the other advice, you do not need SP2, it's still Beta
anyway, but you do need SP1 to install the patches that prevent
re-infection.

Steve

 

[mr-rain]

This is the real way on how to fix your problem and so it
never bothers you again...

1st. Open your services manager.
Right click "My Computer"
Select "Manage"

2nd Open "Services And Applications"
Open "Services"

3rd From the list of services locate "Remote Procedure
Call (RPC)"
Right Click it and select properties.

4th Select Recovery Tab
Change all failure options so that the restart the
service and not the computer.
PROBLEM SOLVED.

as noted before look into getting a msblast fix as it's a
virus linked with the problem you've been having. Symantec
has one.

 

[Guest]

i have had extensive problems with modem speed although not exactly the same as yours,my problem turned out to be a poor connection in one of the terminals in my box. try it by testing with an avo meter or get an engineer to test it.

 

[Guest]

You will also need to turn off the "System Restore
reboot, turn "System Restore" back o

right click "My computer"/properties/"System Restore" ta

check box next to "Turn off system restore for all drives

reboot, remember to turn "system restore" back on by rechecking the bo

You'll lose the system restores up to today, but thats better then doing a restore in the future and waking that worm backup. Those nasty worms are good at hiding.

 

[Bruce Chambers]

Greetings --

If you connected the PC to the Internet without having first
enabled a firewall, without having first installed an antivirus
application with current virus definition files, and before installing
the KB824146 Hotfix, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

 

[cquirke (MVP Win9x)]

On Fri, 16 Apr 2004 15:17:59 -0700, "mr-rain"

This is the real way on how to fix your problem and so it
never bothers you again...

1st. Open your services manager.
Right click "My Computer"
Select "Manage"

2nd Open "Services And Applications"
Open "Services"

3rd From the list of services locate "Remote Procedure
Call (RPC)"
Right Click it and select properties.

4th Select Recovery Tab
Change all failure options so that the restart the
service and not the computer.
PROBLEM SOLVED.

This is a good thing to do for the next set of holes that prang RPC,
whenever these get exploited in the future.

But that's not enough to fix the problem!

Firstly, there are *two* problems, and *both* must be fixed...


Problem 1: You have a broken RPC service

As shipped, NT (including Win2000 and XP) has a broken RPC service. A
correctly-crafted RPC attack packet can infect the PC. An
incorrectly-crafted RPC attack packet will crash the RPC service
instead of infecting the PC.

It is the *latter* that causes RPC failures, restarts, etc.!

Why would you get hit by incorrectly-crafted attack packets? Because
the offsets that are correct for one version of NT may not work for
another, and most RPC exploiters try both XP and Win2000 attack
packets. When the wrong packet hits an exposed and broken RPC
service, it crashes the service - and by duhfault, restarts the PC.

So the first thing you have to do is fix the defective RPC service,
which requires a patch that is small enough to fit on a diskette. The
catch; you may need 100M+ of Service Pack before you can apply the
patch! Note that the patch was revised in September 2003, so if you
still have and use the original July 2003 patch, that has to be
updated (I suspect some Welchia uses the newer holes).

You can also reduce exposure of the RPC service by using a firewall;
either an add-on, or (in the case of XP) the built-in one.
Unfortunately, you can't rip out the RPC service altogether, even if
you have no intention of letting the 'net remotely call procedures on
your PC - the same RPC is used internally, so it's a "face hugger".

Next in importance after the above two steps is to stop every RPC
crash from restarting the PC, using the advice I quoted from Mr Rain's
post. You can (and IMO should) also stop the system restarting on
every system error; Control Panel, System, Advanced...


Problem 2: You may be infected with malware

Not just RPC exploiters, but any other malware too. The best way to
detect and clean traditional malware ("virus", "worm" etc.) is by
formally scanning all files on the system using an antivirus app.

By "formally", I mean without running ANY infected code beforehand -
i.e. booting off a clean OS from something other than the HD, and
running no code from the ?infected HD whatsoever.

That's easy to do if your file system is FATxx; a clean
write-protected DOS mode boot diskette and a free DOS-based av from
www.f-prot.com, www.nod32.com or www.sophos.com will do.

But if you use NTFS, this approach is lost to you. Good luck.

-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.