Old Jan 24, 2004, 12:47 PM   #1 (permalink)
Logla

Remote Procedure Call (RPC)

I have been having a problem with new XP installs. For some reason (and this same problem has occurred on more than 10 new builds now) when I open apps like McAfee AV or the Epson printer driver installation or anything else for that matter, after about 10 seconds they close themselves without any error messages. If I open the program again, the same thing happens. I was getting really annoyed with this and then I got an error a couple of minutes later.

This message was telling me that the PC is to be shut down in one minute because the Remote Procedure Call (RPC) has terminated unexpectedly. I went into the services and told the RPC to restart the service instead of rebooting the PC.

Now this seems to have done the trick but I'm not sure why it might be happening.

This all started when I shut down my perfectly normal, working PC and then turned it back on 20 minutes later to find my hard disks were corrupt and all my data gone. I have not been able to get XP to install normally after that.

Any ideas?
Old Jan 24, 2004, 01:11 PM   #2 (permalink)
zerodamage

Yup, you have the blaster worm or one of its variants.

First, d/l this and run it asap before your system reboots. http://grc.com/files/DCOMbob.exe

Go to the 3rd tab and immediately click on the "Disable DCOM" button. When you reboot, you will not be forced to shut down again.


Second, go here and d/l the removal tool http://www.symantec.com/avcenter/

Then go to Windows Update and update your windows, all critical updates.
Old Jan 24, 2004, 01:25 PM   #3 (permalink)
Logla

I'm not sure how this can be a virus though. My hard disks were formatted completely before starting the rebuilds. The machine wasn't connected to the internet so couldn't be picking it up from there. The only software was the Windows disk which is definitely clean of any viruses.

My anti virus software is up to date and doesn't see any problems so I'm inclined to think this is something to do with hardware.
Old Jan 24, 2004, 01:28 PM   #4 (permalink)
zerodamage

I am standing by what I said. I've seen it hundreds of times. You get a 60 second countdown before your system restarts. It is the Blaster Worm or one of its variants. You can at least keep your system from shutting down by disabling DCOM. I recommend to at least disable the DCOM and then do the Symantec security response and then do the virus scan. You will see that I am correct.
Old Jan 24, 2004, 01:49 PM   #5 (permalink)
Logla

Thanks man, that seems to have done the trick. I am now throwing every known blaster removal tool at my machine now. I'm puzzled as to where the virus came from though.

Having said all that - I was having major problems getting the FarCry demo to unpack and had to do it manually. My old (Norton crap) anti virus was causing the data.cab file not to extract but made it loop at a certain point but didn't recognise it as a virus. I stupidly removed Norton and got the files extracted. About 24 hours after removing Norton AV, the problems began.

Damn Damn Damn!
Old Jan 24, 2004, 02:02 PM   #6 (permalink)
mkk

Quote:
Originally posted by Logla
I'm puzzled as to where the virus came from though.

WinXP has a huge security hole from where this can come through automatically on any system that is not protected in one way or another. Microsoft often gets a lot of undeserved flak for various things, but this one issue is so huge that it cannot be exaggerated.
Old Jan 24, 2004, 02:28 PM   #7 (permalink)
Logla

Quote:
Originally posted by mkk
WinXP has a huge security hole from where this can come through automatically on any system that is not protected in one way or another. Microsoft often gets a lot of undeserved flak for various things, but this one issue is so huge that it cannot be exaggerated.

Oh, I appreciate this flaw; however, how can the virus come through if the computer is physically disconnected from the internet?
Old Jan 24, 2004, 04:54 PM   #8 (permalink)
zerodamage

You most likely got it when you connected to do updates of your anti-virus. If you have the Messenger service on or DCOM turned on, then you can be infected. All it takes is a second.
This is why I am either behind a firewall when I first connect a WinXP/Win2k machine to the net even if it is dial up. Put on a software firewall. You can get it via dial up as well. (seen it very many times)

It doesn't always start causing problems right away either. It can take a bit which is what may have happened in your case. OR if you are on a LAN, then someone or another machine on the LAN has it and spread it to you.
Old Jan 26, 2004, 05:35 AM   #9 (permalink)
PangingJr

just another good virus scan, made out executive for this...

McAfee AVERT Stinger - http://us.mcafee.com/virusInfo/default.asp?id=stinger
Stinger is a stand-alone utility (free - no install needed) used to detect and remove specific viruses. in version 1.9.5 (1/18/2004) includes detection for 39 variants.

Complete info - What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp
__________________
Q9300 @ 500FSB
Q9300 @ 3.60GHz
4x1GB DDR2-1333 (PC2-10666)
-------------------------------------------------

Don't worry overly much about whether a specific KB article exists for your version of Windows.
Standard practice is to grab whatever's available and apply the principles.
(I grabbed from the web. Written by someone, somewhere on the web)
Old Jan 26, 2004, 06:30 AM   #10 (permalink)
Logla

Used Stinger - didn't find anything. Weird.

Something else I thought a bit weird. When I used DCOMbobulator to disable DCOM, it opened DCOM on port 1025 and switched on UPnP. I have since configured the firewall to stealth that port and I've turned off UPnP. Everything seems ok now but I have not found one instance of any virus on the machine so far. Everything is up to date so I should be ok but this is really weird and has me a bit worried.
Old Jan 26, 2004, 06:56 AM   #11 (permalink)
PangingJr

if there's no more 'RPC has terminated unexpectedly' error. i think you should be OK,

when you've got a good firewall, AV with def/dat files up to date and all the Win Updates security patches. anyway, during this period try running Windows Task Manager (Ctrl-Shift-Esc) frequently and sometimes check the Startup tab in System Configuration Utility (msconfig), look for something installed, not by you.

and stop by Shields UP! site to check your FW sometimes and if you have any ports listing as close or open... pls post back and will check more into it.
Old Jan 26, 2004, 08:44 AM   #12 (permalink)
Logla

Checked shields up! and got 100% True Stealth - all ports stealthed.
I have just had an RPC error about 20mins ago. It happened whilst trying to install the Farcry demo again. That download was from a different source and was a different type of file to that of the one that caused nortons to start looping the file.
Old Jan 26, 2004, 11:35 AM   #13 (permalink)
PangingJr

Quote:
Originally posted by Logla
I have just had an RPC error about 20mins ago.

other than the Blaster Worm, i can't think of anything that cause prob with RPC service in XP. (there's a few in NT/2k.. Not in XP)
i think we'll have to go from event logs info.

go to Administrative Tools -> Event Viewer, see for any Error(type)
in Application, Security and System..
D-click on each Error you find in there,
and highlight and copy the "Event ID:" , "Source:" and "Description:",
then post the info here,

here's an example of format and info....

-----------

System
Source: NetBT
Event ID: 4311
Description: Initialization failed because the driver device could not be created.

----------

Application
Source: XXXXXXX
Event ID: XXXX
Description: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

-----------
Old Jan 26, 2004, 12:53 PM   #14 (permalink)
Logla

Event Source: USER32

Event ID: 1074

Description:
The process winlogon.exe has initiated the restart of XXXXX-XXXXXXXX for the following reason: No title for this reason could be found
Minor Reason: 0xff
Shutdown Type: reboot
Comment: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly

What I noticed before this was:

Event Type: Warning
Event Source: atapi
Event Category: None
Event ID: 26

Description:
The driver has detected that device \Device\Ide\IdePort1 has old or out-of-date firmware. Reduced performance may result.

and

Event Type: Warning
Event Source: Disk
Event Category: None
Event ID: 51

Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.


I don't think (or rather I hope) that this is my RAID0 array, but the 20gig disk I had before removing it yesterday to put in my mp3 server. It's been playing up in the BIOS in that sometimes the BIOS doesn't pick the disk up or sometimes the CD-ROM that is on the same channel is missing. The jumpers and everything were all ok and I couldn't find a firmware upgrade for the drive (old Maxtor 20gig).
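The event-log step asked for in post #13, applied to records like those pasted in post #14, as an added example that is not code from any poster: a Python parser for Event Viewer text in the pasted layout that separates the RPC-forced restart (USER32, Event ID 1074) from the storage warnings (Disk 51, atapi 26). The sample text is constructed from the values quoted in the thread; the function names, tag strings and host placeholder are assumptions.

```python
import re
# Constructed sample in the thread's pasted layout; values from post #14, host name is a placeholder.
SAMPLE = r"""Event Type: Warning
Event Source: Disk
Event ID: 51
Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.

Event Type: Warning
Event Source: atapi
Event ID: 26
Description:
The driver has detected that device \Device\Ide\IdePort1 has old or out-of-date firmware.

Event Source: USER32
Event ID: 1074
Description:
The process winlogon.exe has initiated the restart of HOST-PLACEHOLDER for the following reason: No title for this reason could be found
Comment: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly
"""
FIELD = re.compile(r"^Event (Type|Source|Category|ID):\s*(.*)$")
STORAGE = {("disk", "51"), ("atapi", "26")}  # (source, event id) pairs seen in the thread

def parse_events(text):
    """Split pasted Event Viewer text into dicts; a record starts at "Event Type" or a repeated field."""
    events, cur, in_desc = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if m:
            key, val = m.groups()
            if cur is None or key == "Type" or key in cur:
                cur = {"Description": ""}
                events.append(cur)
            cur[key], in_desc = val, False
        elif line.startswith("Description:") and cur is not None:
            in_desc, cur["Description"] = True, line[len("Description:"):].strip()
        elif in_desc and line:
            cur["Description"] += ("\n" if cur["Description"] else "") + line
    return events

def classify(ev):
    """Tag one record: RPC-forced restart (the thread's symptom), storage warning, or other."""
    key = (ev.get("Source", "").lower(), ev.get("ID"))
    if key == ("user32", "1074") and "(RPC) service terminated" in ev["Description"]:
        return "rpc-forced-restart"
    return "storage-warning" if key in STORAGE else "other"

def triage(events):
    return [(classify(ev), ev.get("ID")) for ev in events]
```

Calling `triage(parse_events(text))` on a pasted log keeps the two lines of evidence debated in the thread apart: the forced restart attributed to the RPC service, and the disk and IDE warnings that point at hardware.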
Old Jan 26, 2004, 01:47 PM   #15 (permalink)
PangingJr

Quote:
Originally posted by Logla
Event Source: USER32

Event ID: 1074

Description:
The process winlogon.exe has initiated the restart of XXXXX-XXXXXXXX for the following reason: No title for this reason could be found
Minor Reason: 0xff
Shutdown Type: reboot
Comment: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly

go to - http://www.sysinternals.com/ntw2k/fr.../procexp.shtml
and D/L Process Explorer (x86 - 230 KB) - free
make sure to D/L the one that says - you plan on using Process Explorer on WinNT/2K/XP
extract the zip file (procexpnt.zip), and run it.

on the top window of the program, click WINLOGON.EXE,
at the below window, scroll down to see handle "0xFF"
see if you can find any info there.

more info about Event ID: 1074
Description of the Shutdown Event Tracker
http://support.microsoft.com/default...=kb;ja;Q293814

Last edited by Net; Jan 26, 2004 at 02:26 PM.

All times are GMT -5. The time now is 07:37 AM. Copyright ©2008 DriverHeaven.net