RPC Error


Matt

I have had RPC (Remote Procedure Call) Errors from the RPC
Service on port 135 on our computer since yesterday. I
narrowed it down to this command line "C:\WINDOWS\system32\svchost -k rpcss".
I was able to duplicate this error by
killing this process manually. I found msblaster.exe
running in the processes list and researched it, but to no
avail. I disassembled the file and am currently looking
for any suspicious code. I have found fragments of
strings such as "bill gates you made this possible" and "I
just...want you to know...love sam." I placed this file in
the recycle bin, but upon subsequent reboots and dialups,
it seems to return to the processes list. I have deleted
it four different times. I am only in 10th grade and am
teaching myself Microsoft programming and networking;
unfortunately, I haven't learned a lot about this area yet
and am unable to repair this. I have added the error
information from the system event log for your use. I have
also seen remote guest logins from other unfamiliar
workstations in the security audits. There has also been
a serious error resulting in a blue screen and memory
dump, though, this seems to have resulted from a fault in
the nv4.dll "NVidia" driver and not msblaster.exe.



Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 8/12/2003
Time: 7:40:14 PM
User: N/A
Computer: *****
Description:
The Remote Procedure Call (RPC) service terminated
unexpectedly. It has done this 1 time(s). The following
corrective action will be taken in 60000 milliseconds:
Reboot the machine.


Thanks for any assistance,

Matt
 

Matt

I forgot to mention that I searched the internet yesterday
for msblast and haven't found anything, and that the
problem appears to be a buffer overflow in the service when
it receives certain messed up packets.
 

Bud W.

Just scroll back on this subject, you will find many, many solutions to this
problem. Trust me, "You ain't alone"!
 

kurttrail

Matt said:
I have had RPC (Remote Procedure Call) Errors from the RPC
Service on port 135 on our computer since yesterday. I
narrowed it down to this command line "C:\WINDOWS\system32\svchost -k rpcss".
I was able to duplicate this error by
killing this process manually. I found msblaster.exe
running in the processes list and researched it, but to no
avail. I disassembled the file and am currently looking
for any suspicious code. I have found fragments of
strings such as "bill gates you made this possible" and "I
just...want you to know...love sam." I placed this file in
the recycle bin, but upon subsequent reboots and dialups,
it seems to return to the processes list. I have deleted
it four different times. I am only in 10th grade and am
teaching myself Microsoft programming and networking;
unfortunately, I haven't learned a lot about this area yet
and am unable to repair this. I have added the error
information from the system event log for your use. I have
also seen remote guest logins from other unfamiliar
workstations in the security audits. There has also been
a serious error resulting in a blue screen and memory
dump, though, this seems to have resulted from a fault in
the nv4.dll "NVidia" driver and not msblaster.exe.



Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 8/12/2003
Time: 7:40:14 PM
User: N/A
Computer: *****
Description:
The Remote Procedure Call (RPC) service terminated
unexpectedly. It has done this 1 time(s). The following
corrective action will be taken in 60000 milliseconds:
Reboot the machine.


Thanks for any assistance,

Matt

I bet yo' mama taught you not to play with matches, and not to run
around the house with scissors. Now listen close to Uncle Kurt, DON'T
PLAY WITH COMPUTER WORMS! LOL!

You got the BLASTER worm.

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.kurttrail.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei!"
 

Matt

Also, I found a file on the startup menu called tftp3036.
From what I gather, this file was downloaded by my system
by another copy of this file that is on another system
through a shell created on some other port. This was done
with system privileges apparently so this could be serious.
Matt
 

kurttrail

Bud said:
Just scroll back on this subject, you will find many, many solutions
to this problem. Trust me, "You ain't alone"!

I bet he doesn't have much company! How many people go around
decompiling & analyzing suspicious code?

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.kurttrail.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei!"
 

Chris

Go to the following places to download a program to kill
the worm

http://vil.nai.com/vil/stinger/
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

and before you do run it run the following update for
windows:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

And disable system restore (Control panel/system/system
restore)

Then run the program and it should kill the worm... also
start up the windows firewall and run your own for added
security (currently sitting behind 4 firewalls!)
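As an added triage example (not code from anyone in the thread), this Python script parses the Service Control Manager record Matt posted, flags event 7031 for the RPC service, checks a process list for the msblast.exe and tftp-named entries he describes, and maps each hit onto the remediation steps Chris lists. The event text, the process list and its PIDs are constructed here to mirror the thread, not captured from a real host.

```python
# Constructed copy of the Service Control Manager record posted in the thread.
EVENT_RECORD = """Event Type: Error
Event Source: Service Control Manager
Event ID: 7031
Description:
The Remote Procedure Call (RPC) service terminated
unexpectedly. It has done this 1 time(s). The following
corrective action will be taken in 60000 milliseconds:
Reboot the machine."""

# Constructed tasklist-style dump (name pid command line); PIDs are hypothetical.
PROCESS_LIST = """svchost.exe 820 C:\\WINDOWS\\system32\\svchost -k rpcss
msblast.exe 1456 C:\\WINDOWS\\system32\\msblast.exe
explorer.exe 1612 C:\\WINDOWS\\explorer.exe"""

SUSPECT_PROCESSES = {"msblast.exe", "msblaster.exe"}  # names given in the thread
SUSPECT_PREFIX = "tftp"  # e.g. the tftp3036 startup entry Matt found


def parse_event(text):
    """Split a 'Field: value' record; the free text after 'Description:' is the message."""
    header, _, description = text.partition("Description:")
    fields = {}
    for line in header.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    fields["Description"] = " ".join(description.split())
    return fields


def rpc_crash_indicator(event):
    """True when SCM event 7031 reports the RPC service itself dying (the symptom in the thread)."""
    return (event.get("Event Source") == "Service Control Manager"
            and event.get("Event ID") == "7031"
            and "Remote Procedure Call (RPC) service terminated" in event["Description"])


def suspect_processes(process_text):
    """Process names from the dump that match the thread's indicators."""
    names = [line.split()[0].lower() for line in process_text.splitlines() if line.split()]
    return [n for n in names if n in SUSPECT_PROCESSES or n.startswith(SUSPECT_PREFIX)]


def triage(event_text, process_text):
    """Map both indicators onto the remediation steps Chris lists."""
    findings = []
    if rpc_crash_indicator(parse_event(event_text)):
        findings.append("RPC service crash (SCM 7031): apply MS03-026 and block TCP 135 at the firewall")
    for name in suspect_processes(process_text):
        findings.append(f"suspicious process {name}: run the Blaster removal tool after patching")
    return findings
```

Calling `triage(EVENT_RECORD, PROCESS_LIST)` returns one finding for the RPC crash and one for msblast.exe; a record from another source or a clean process list yields nothing.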
 