How can we fix the RPC problem if the computer keeps rebooting?

[Garner Albright]

I was trying to download the Windows fix from Microsoft to
fix the vulnerability part of the Remote Procedure Call
(RPC) functionality, but before it can install Windows is
shut down. How can it be installed if the computer keeps
rebooting?

 

[Dave - Freedonia]

Good question. Can you download it using a computer that is properly
secured or has firewall software running? If so, then just burn the
file to CD (I don't know how big it is) and install it on your computer.

I have a couple people at work that had their home computers shutdown
last night multiple times from this. They didn't know what caused it
and kept rebooting it. I hate to see what was installed using this
exploit.

 

[kurttrail]

I was trying to download the Windows fix from Microsoft to
fix the vulnerability part of the Remote Procedure Call
(RPC) functionality, but before it can install Windows is
shut down. How can it be installed if the computer keeps
rebooting?

Get a download manager that can resume downloads from the point the
download was last stopped. I use GetRight. www.getright.com

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.kurttrail.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei!"

 

[Bovespa]

Get a download manager that can resume downloads from the point the
download was last stopped. I use GetRight. www.getright.com

Or simply stop the shutdown procedure by running the command shutdown -a.
Then finish downloading the patch and kill the worm !

Stefano-Italy

 

[Jim Byrd]

Hi Garner - See below for your specific question. Courtesy of Colin M.
McGroarty with some additions by me:

You can get more info about the worm here:
http://isc.sans.org/diary.html?date=2003-08-11

and here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Complete directions for fixing this can be found here:
http://www.bigblackglasses.com/Article.aspx?Article=342,
and here: http://www.kellys-korner-xp.com/xp_qr.htm#rpc USE THESE BY
PREFERENCE. There are "fix" scripts available at both sites.

Also, a stand-alone removal tool, Stinger, from McAfee, has been updated to
handle this as one of the 26 things it fixes. Available here:
http://vil.nai.com/vil/stinger/ Be sure that you get the patch installed
though.

and another from CA here: http://www3.ca.com/virusinfo/virus.aspx?ID=36265

but, if you can't get there because of the shutdown, then:


"URLs may wrap

Easy, but annoying fix. When your computer starts go to the services applet
found in administrative tools. Select properties for the RPC or Remote
Procedure Call service. Change the Recovery from "Restart Computer" to
"Restart Service." Now your PC will stay up long enough to fix.

Next download the Microsoft Patch found at:

http://www.microsoft.com/downloads/search.aspx?displaylang=en

The patch is currently in the top download choices for both Win 2K and Win
XP. Choose accordingly and download.

Once the patch is installed make sure to do a full virus scan with current
virus definitions.
See Symantec's web page

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Once the worm has been eliminated I recommend running Windows Update to get
all the current critical updates.
Lastly, change the RPC service back to "Restart Computer" as the recovery
method.

Hope this helps,


Colin M. McGroarty
MCP+I, MCSE, NT-CIP

(e-mail address removed)
www.McGroarty.org"



--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In

 

[Patrick Pitre]

There's a few thing you can do:
Open task manager, and force quit msblast.exe. Then go to registry
(start-run-regedit) and drill down to this key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. In the Run
folder, delete the key that reads Windows Auto Update - msblast.exe. Also,
remove the msblast.exe from your windows\system32 folder. This will prevent
the nasty file from loading at startup and should let you stay online long
enough to download the patch.

To keep the RPC Service failure from restarting your machine:

Go to Start - settings - control panel - Admin. Tools - Services. Find the
Remote Procedure Call (RPC) service and double click it. Go to the tab
titled Recovery. This is where you set the recovery options if a service
fails. Change the first, second, and subsequent actions to Take no Action.

When all is said and done, install a router/firewall - hardware or software.