XP can't live without the CD in the drive

Ric

I have a problem on 2 XP Pro machines that I've been unable to figure out.

After logging in a dialogue pops up saying:

"Files that are required for Windows to run properly must be copied to the
DLL Cache
Insert your windows XP Professional CD-ROM now"

If I insert the CD the dialogue goes away. However, the computer then starts
accessing the CD-ROM drive continuously, every couple of minutes, which I
think is degrading the system performance.

Also, if I try the sfc command from a cmd window I get this error:

"C:\Documents and Settings\Administrator>sfc /scannow
Windows File Protection could not initiate a scan of protected system files.

The specific error code is 0x000006ba [The RPC server is unavailable.]."

I've tried everything I could find in the knowledge base and on the web,
including a re-install/repair of XP, installing SP1 or SP1a, changing the
source path, checking the certificates... nothing seems to help. I'm
thinking of copying the CD to a hard drive folder and setting the sourcepath
to it so that at least it doesn't have to access the CD all the time, but
that's not really the solution I'm looking for.

I've scanned with antivirus and antispyware software and can't find any
evidence of a malicious program on either computer.

Short of a complete fresh install, is there anything I can do?

Thanks,
Ric
 
Yves Leclerc

This happened to my client! Turns out they had an old virus, which they
brought over from an old PC, which was replicating like crazy.
 
Alex Nichol

Ric said:
Also, if I try the sfc command from a cmd window I get this error:

"C:\Documents and Settings\Administrator>sfc /scannow
Windows File Protection could not initiate a scan of protected system files.

The specific error code is 0x000006ba [The RPC server is unavailable.]."

Damage to RPC suggests strongly that you have contracted the Blaster
worm or one of its relatives.
Go to
http://www.kellys-korner-xp.com/xp_w.htm#worm
and I would get and use all three of the Worm removal scripts.

You should then be able to reboot and have RPC active - check in Control
Panel - Admin tools - Services to see; and then run the
SFC /SCANNOW
 
Ric

Alex said:
Ric said:
Also, if I try the sfc command from a cmd window I get this error:

"C:\Documents and Settings\Administrator>sfc /scannow
Windows File Protection could not initiate a scan of protected
system files.

The specific error code is 0x000006ba [The RPC server is
unavailable.]."

Damage to RPC suggests strongly that you have contracted the Blaster
worm or one of its relatives.
Go to
http://www.kellys-korner-xp.com/xp_w.htm#worm
and I would get and use all three of the Worm removal scripts.

You should then be able to reboot and have RPC active - check in
Control Panel - Admin tools - Services to see; and then run the
SFC /SCANNOW

I've updated Norton Antivirus (corporate) and scanned repeatedly and it
fails to find anything. RPC service is started (when I check under system
services). I'll try the links you guys have suggested the next time I'm at
the computer. But since this isn't a new virus, if this is what's really
going on I'm just really surprised that Norton Antivirus can't catch it.
Does the virus specifically evade Norton?

Thanks,
Ric
 
Ric

Alex said:
Ric said:
Also, if I try the sfc command from a cmd window I get this error:

"C:\Documents and Settings\Administrator>sfc /scannow
Windows File Protection could not initiate a scan of protected
system files.

The specific error code is 0x000006ba [The RPC server is
unavailable.]."

Damage to RPC suggests strongly that you have contracted the Blaster
worm or one of its relatives.
Go to
http://www.kellys-korner-xp.com/xp_w.htm#worm
and I would get and use all three of the Worm removal scripts.

You should then be able to reboot and have RPC active - check in
Control Panel - Admin tools - Services to see; and then run the
SFC /SCANNOW

Incidentally, I decided to try sfc /scannow on my home computer just now,
out of curiosity. It had no problem running, but very quickly told me it
needed to copy files to the dll cache and to insert my XP service pack 2 CD.
I'm curious as to why it needs to copy files suddenly (it doesn't normally
complain like the 2 computers I described, only when I run sfc /scannow) and
what does it mean by SP2 (which I clearly didn't install since I'm not aware
of it having been released yet...) Will my XP pro SP1 CD work?

Thanks again,
Ric
 
Please reply to newsgroup.

Ric said:
Alex said:
Ric wrote:

Also, if I try the sfc command from a cmd window I get this error:

"C:\Documents and Settings\Administrator>sfc /scannow
Windows File Protection could not initiate a scan of protected
system files.

The specific error code is 0x000006ba [The RPC server is
unavailable.]."

Damage to RPC suggests strongly that you have contracted the Blaster
worm or one of its relatives.
Go to
http://www.kellys-korner-xp.com/xp_w.htm#worm
and I would get and use all three of the Worm removal scripts.

You should then be able to reboot and have RPC active - check in
Control Panel - Admin tools - Services to see; and then run the
SFC /SCANNOW


I've updated Norton Antivirus (corporate) and scanned repeatedly and it
fails to find anything. RPC service is started (when I check under system
services). I'll try the links you guys have suggested the next time I'm at
the computer. But since this isn't a new virus, if this is what's really
going on I'm just really surprised that Norton Antivirus can't catch it.
Does the virus specifically evade Norton?

Thanks,
Ric

No, Blaster doesn't evade Norton, and I don't think it even is Blaster.
 
Please reply to newsgroup.

Ric said:
Alex said:
Ric wrote:

Also, if I try the sfc command from a cmd window I get this error:

"C:\Documents and Settings\Administrator>sfc /scannow
Windows File Protection could not initiate a scan of protected
system files.

The specific error code is 0x000006ba [The RPC server is
unavailable.]."

Damage to RPC suggests strongly that you have contracted the Blaster
worm or one of its relatives.
Go to
http://www.kellys-korner-xp.com/xp_w.htm#worm
and I would get and use all three of the Worm removal scripts.

You should then be able to reboot and have RPC active - check in
Control Panel - Admin tools - Services to see; and then run the
SFC /SCANNOW


Incidentally, I decided to try sfc /scannow on my home computer just now,
out of curiosity. It had no problem running, but very quickly told me it
needed to copy files to the dll cache and to insert my XP service pack 2 CD.
I'm curious as to why it needs to copy files suddenly (it doesn't normally
complain like the 2 computers I described, only when I run sfc /scannow) and
what does it mean by SP2 (which I clearly didn't install since I'm not aware
of it having been released yet...) Will my XP pro SP1 CD work?

Thanks again,
Ric

Odd - However, since that computer hasn't had problems in the past, I
wouldn't mess with it.
 
cquirke (MVP Win9x)

Byte wrote:

No, that's not how RPC attackers such as MSBlaster get about. They
spread directly through networks via attacks made on unpatched RPC on
NT, Win2000 and XP PCs. These attacks are walled out if the defective
RPC code has been patched, and/or if firewall protection is effective.

However, not all RPC malware rely solely on RPC attack to spread; e.g.
SDBot.RPC.A still spreads itself via other SDBot spreading methods,
etc. That's why PCs that are not vulnerable to RPC attack (any Win9x,
patched NT/2k/XP, firewall-protected) can get these.

A good general recommendation, but this will NOT prevent the DoS
effects of *attempted* RPC invasion - as these effects are the result
of mis-aligned attack packets crashing RPC even though absolutely zero
malware code ever enters the PC (so av can't help there).

The computer doesn't reboot though, so it's not Blaster.

Again, that's incorrect. The rebooting effect is not the result of
successful MSBlast (Lovesan) infection; it's a(n avoidable)
side-effect of *failed* attempts to infect via RPC attack.

Although NT, Win2k and XP all share the vulnerability, attacks crafted
for one OS will not successfully infect the other. This is because
the offsets required in the attack packet differ for Win2000 compared
to XP, so a packet correctly "shaped" for XP will crash Win2000's RPC
service, and vice versa.

Lovesan's documented to send out 4 attack packets shaped for XP for
every 1 shaped for Win2000, so XP users have a 1:5 chance of being
DoS'd by an attack packet, while for Win2000 victims, it's 4:5 chance.

In practice, there can be such a constant barrage of attack packets
that the difference is moot; both will be kicked over daily.

Even without firewall or patch, you can reduce this DoS effect simply
by killing some "WTF were they thinking??" MS duhfault settings:
- stop system from automatically restarting on system errors
- set RPC failures to restart the *service*, not the whole PC!

XP users can (and should) at least turn on the built-in firewall :)


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
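
The two default settings named in the post above can be checked and changed from a command prompt. This batch file is an added example, not part of the original thread; it assumes an Administrator prompt on XP, the service name `RpcSs`, and the `AutoReboot` value under the `CrashControl` registry key. Later Windows versions may refuse the change to the RPC service.

```bat
@echo off
rem Added example, not from the thread. Run with no arguments to audit only;
rem run with /fix to apply the two changes described in the post.
rem Assumptions: service name RpcSs, registry value CrashControl\AutoReboot.
setlocal
set "CC=HKLM\SYSTEM\CurrentControlSet\Control\CrashControl"

echo == Automatic restart on system errors (1 = reboot, 0 = stay on error screen) ==
reg query "%CC%" /v AutoReboot

echo == Recovery actions configured for the RPC service ==
sc qfailure RpcSs

if /i not "%~1"=="/fix" goto :eof

rem Stop the system from automatically restarting on system errors.
reg add "%CC%" /v AutoReboot /t REG_DWORD /d 0 /f

rem On failure, restart the service after 60 seconds instead of rebooting
rem the PC; reset the failure counter after one error-free day (86400 s).
sc failure RpcSs reset= 86400 actions= restart/60000/restart/60000/restart/60000

echo == Recovery actions after the change ==
sc qfailure RpcSs
```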
 
