RPC shutdown (not msblast)

  • Thread starter Brian J. Burnett

Brian J. Burnett

Yesterday my daughter installed Microsoft AntiSpyware and at the same time
updated to Acrobat Reader 7 on her Dell laptop which runs XP2 pro SP2 on our
W2k3 SBS2003, ISA2004 served home network.

Her machine then went into a reboot cycle caused by the RPC process
terminating.

I've managed to gain some level of control over her PC by booting in safe
mode; however, there is not much I can run that does not try to start the RPC
process which then causes the auto reboot.

Her Norton AV and all Windows Updates were up to date.

I've not found any trace of msblast or the other viruses that affect RPC as
described on the Symantec and MS KBs, including running the virus removal
tools on the affected PC. So far I have not been able to run Norton since
this occurred as Norton says it does not run in safe mode.

One observation. The PC is really slow to boot. Takes about 10 minutes
even in Safe mode. When it does boot there is no drag and drop or property
sheets (e.g. I can't get into the properties of the RPC service to change
the recovery actions!).

I'm really stuck.

Help much appreciated.
 

Yves Leclerc

There are several other worms that cause the RPC process to reboot the PC.
Also, if you had read the notice for Microsoft AntiVirus, you will have
noticed that it is "beta" software and that Microsoft is not responsible if
you have to re-install the XP.
 

David H. Lipman

Suggestions:

#1)

Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

1) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot the infected PC into Safe Mode
3) Using Stinger, perform a Full Scan of your platform and clean/delete any
infectors found
4) Restart the infected PC and perform a "final" Full Scan of your platform
5) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
6) Reboot the infected PC.
7) Create a new Restore point


* * * Please report back your results * * *


#2)

Since you indicated that this was caused by installing Adobe Acrobat Reader v7.0, I suggest
creating an account and posting this to Adobe's private News Server.

The following URL will take your default News Reader to the Adobe.Reader News Group on the
Adobe News server.

news://adobeforums.com/adobe.reader

The following URL will help you create an Adobe account since posting requires
authentication. Choose Register.

http://www.adobeforums.com/

The following is the Adobe Forums FAQ.

http://www.adobeforums.com/images/forumfaq.html


--
Dave
http://www.claymania.com/removal-trojan-adware.html





Brian J. Burnett

David,

Thanks for the comprehensive reply.

See below...

David H. Lipman said:
> Suggestions:
>
> #1)
>
> Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/
>
> 1) Disable System Restore
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
> 2) Reboot the infected PC into Safe Mode
> 3) Using Stinger, perform a Full Scan of your platform and clean/delete any
> infectors found

Stinger did not find any viruses.

> 4) Restart the infected PC and perform a "final" Full Scan of your platform
> 5) Re-enable System Restore and re-apply any System Restore preferences,
> (e.g. HD space to use suggested 400 ~ 600MB),
> 6) Reboot the infected PC.
> 7) Create a new Restore point
>
> * * * Please report back your results * * *
>
> #2)
>
> Since you indicated that this was caused by installing Adobe Acrobat Reader v7.0, I suggest
> creating an account and posting this to Adobe's private News Server.

Will do. I don't think it was Adobe. I'm wondering if it is Microsoft
AntiSpyWare that caused the problem. My daughter said that it found
something when it did the initial scan and I'm wondering if it has caused
this problem when removing whatever it was that it found.
 

David H. Lipman

Let me take a stab...

Try to install KB828741 in Safe Mode.

http://support.microsoft.com/default.aspx?scid=kb;en-us;828741

--
Dave





Ken Blake

Yves Leclerc said:
> There are several other worms that cause the RPC process to reboot
> the PC. Also, if you had read the notice for Microsoft AntiVirus, you
> will have noticed that it is "beta" software and that Microsoft is
> not responsible if you have to re-install the XP.


No, Microsoft does not have available full-blown anti-virus
software, beta or not. What they have is a "Microsoft® Windows®
Malicious Software Removal Tool" at
http://www.microsoft.com/downloads/...E0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

or http://tinyurl.com/3vvsc

That is *not* beta software. You are mixing this up with
"Microsoft Windows Antispyware"
http://www.microsoft.com/athome/security/spyware/software/default.mspx
or http://tinyurl.com/47cus
which *is* beta.

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup
 

David H. Lipman

The problem is the name "Malicious Software Removal Tool".
It is a worm removal tool and should be called a worm removal tool not a "Malicious Software
Removal Tool".

In addition, one should just go to the online scanner. There is no need to download the EXE
file.
http://www.microsoft.com/security/malwareremove/default.mspx

--
Dave





Guest

David

Once again thanks for taking the time to reply.

So I tried Cumulative Update for Microsoft RPC/DCOM (828741) as you
suggested and get the message that there is no need to apply the patch as the
Service Pack version on the machine is already more up to date.

I've also run Stinger and the Malicious Software removal tool both of which
found nothing.

Any further suggestions most welcome.
 

David H. Lipman

Brian:

Running Stinger was to make sure it wasn't some form of RPC Exploit and installing KB828741
was a stab in the dark and didn't think it would work but it was worth a try.

Try executing; sfc /scannow

--
Dave





Brian J. Burnett

David

I tried sfc /scannow but get the message "Windows File Protection could not
initiate a scan of the protected system files. The error code is 0x000006ba
[The RPC server is unavailable]"
 

David H. Lipman

Try; sfc /scannow /quiet

Try other combinations.

In a Command Prompt, execute; SFC /?
for the command syntax and switches

--
Dave





Brian J. Burnett

I believe I have the syntax correct. The problem is that sfc appears to
need RPC which is what appears to be broken and so not running.
 

David H. Lipman

I have had errors occur under Win2K and changing the switch parameters helped.

--
Dave





Brian J. Burnett

David

Thanks for all of your suggestions.

As much as it irks me to give in, not knowing what was wrong, I've decided
that I'm going to re-install from scratch as I can't spend any more time on
it and my daughter needs her PC for her studies.

Thanks again.

PS: Personally, I think that it was the Microsoft Antispyware beta that
killed it.



David H. Lipman

If so -- That's what you get for installing BETA software. But being fair, you are the
first to experience such a malady that *may* be caused by that software.

Good Luck !

--
Dave



