Remote Procedure Call??


Andy Martin

Hi

I've a recurring installation problem that's got me stumped.

I'm installing a 2nd hand (with documentation) XP Pro after having a worm contaminate my last C drive. All files were cleaned and 'c' reformatted and my flash, new OS installed.

First thing I did was to set up my internet connection and then install my Norton anti-virus. I connected to download the updates before anything else and 5 mins into it, up came a little window saying that due to a 'Remote Procedure Call', NT Authority\System was shutting my machine down (and it did... 5 times!)

I thought it must have been corrupted during installation so reinstalled again. This time it downloaded 15 mins worth of updates before doing the same.

Is Norton causing an upset or have I bought a dud copy of XP and Microsoft have 'zapped' me.

I have seen his old machine use this but that is in bits now and replaced by shiny mac

Many thanks

Andy

Now, I've just been flashed by Norton that I have the same worm (W32.Spybot) in my C drive again..... I realise I'm going to have to buy a new hard disc but do I have to buy a brand new XP too??
 
came a little window saying that due to a 'Remote Procedure Call', NT Authority\System was shutting my machine down (and it did... 5 times!)

Is Norton causing an upset or have I bought a dud copy of XP and Microsoft have 'zapped' me.

Neither.


again..... I realise I'm going to have to buy a new hard disc but do I have to buy a brand


A new hard drive? Why do you think you have to do that? You have
the MSBlaster worm. To remove it, do the following:

The following instructions are in three parts

1. Stop it from running

2. Remove it from your system

3. Make sure it doesn't come back



Before beginning, if you have an always-on internet connection,
it's a good idea to disconnect it.



1. Stop it from running

Press Ctrl-Alt-Delete to bring up the Task Manager, then on the
Processes tab, click msblast.exe and then "End process." Reply
"Yes" to the warning message that comes up.

This stops the worm from running, so your system will not shut
down. However, it doesn't remove it, and if that's all you do, it
will start up again the next time you boot.


***

2. Remove it from your system

a. Start the registry editor program, regedit, by going to Start
| Run, and typing REGEDIT.

Navigate to
HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
by clicking the plus signs next to each of the
folders in the left hand pane. When you get to the last of them,
Run, click the word Run itself.

Find an entry called "Windows Auto Update" on the right side.
Right-click it and delete it.

b. Do a Windows search for msblast, and delete all files found.

The worm is now gone, and won't start again the next time you
boot. But if that's all you do, you can get reinfected just as
you did the first time.

***


3. Make sure it doesn't come back

a. Make sure you're running a firewall that prevents worms like
this from getting in. You can enable the built-in Windows XP
firewall, or download and install another one such as the free
version of ZoneAlarm. To enable the built-in firewall, go to
Control Panel, double-click Networking and Internet Connections,
then click Network Connections. Right-click your connection, then
click Properties, and on the Advanced tab, click the option
"Protect my computer and network..."


b. If you've disconnected your internet connection, reconnect it.
Download and install the Microsoft patch at
http://download.microsoft.com/downl...e-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

That will remove the vulnerability that the worm exploits.


c. Be sure you are running an anti-virus program, and that you
regularly download the latest updated virus definitions.
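
An added example, not part of the thread or any poster's code: a Python triage of saved `reg query` output for the Run key, flagging the two indicators the post above names (the "Windows Auto Update" value and msblast.exe). The sample output and the ExampleAV/ExampleTray entries are constructed; entries that are not flagged are returned for manual review rather than treated as clean.

```python
import re

# Indicators named in the post above; compared case-insensitively.
RUN_VALUE_NAME = "windows auto update"
WORM_FILE = "msblast.exe"

# Constructed sample in the layout printed by
#   reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# ExampleAV and ExampleTray are made-up entries for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\Example AV\exav.exe" /startup
    windows auto update    REG_SZ    msblast.exe
    ExampleTray    REG_EXPAND_SZ    %SystemRoot%\system32\extray.exe /min
"""

# Value names may contain spaces, so match lazily up to the REG_* type column.
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

def parse_run_entries(text):
    """Return (name, type, data) for every value line in reg query output."""
    return [(m["name"], m["type"], m["data"].strip())
            for m in map(ENTRY.match, text.splitlines()) if m]

def exe_name(data):
    """Lower-cased file name of the program a Run entry starts."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]   # quoted path, may contain spaces
    else:
        path = data.split(" ", 1)[0]       # unquoted: cut at first argument
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(text):
    """Split Run entries into (flagged, review); review still needs a human."""
    flagged, review = [], []
    for name, _type, data in parse_run_entries(text):
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name")
        if exe_name(data) == WORM_FILE:
            reasons.append("file name")
        (flagged if reasons else review).append((name, data, reasons))
    return flagged, review

if __name__ == "__main__":
    flagged, review = triage(SAMPLE)
    print("flagged:", flagged)
    print("review by hand:", review)
```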
 
Hi

Tried as you suggested but to no avail, there was no 'msblast' in the
process tab of Task Manager and having gone where you (and Norton) suggested
in the registry, there were no references to either 'msblast' or 'spybot'.
Mind you, at least I was able to bring up the registry as on my original
infected disc, the registry and task manager collapsed on opening.

Once I get this sorted, a firewall is definitely getting installed

Just went down again - NMain.exe was the file at the top of Task Manager
and message in the pop up box said that the Remote Procedure Call had
terminated unexpectedly if that's any help.

Andy
 
Andy Martin said:
Hi

Tried as you suggested but to no avail, there was no 'msblast' in the
process tab of Task Manager and having gone where you (and Norton)
suggested in the registry, there were no references to either
'msblast' or 'spybot'. Mind you, at least I was able to bring up the
registry as on my original infected disc, the registry and task
manager collapsed on opening.

Once I get this sorted, a firewall is definitely getting installed

Just went down again - NMain.exe was the file at the top of Task
Manager and message in the pop up box said that the Remote Procedure
Call had terminated unexpectedly if that's any help.

Andy

WinXP has a firewall. Turn it on NOW. You can turn it off if you apply
another one later.

It sometimes has other names now.
The first and last links are to copies of scripts that will disinfect your
machine, the last one being zipped.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Information:
http://www.kellys-korner-xp.com/regs_edits/msblast.vbs
http://www.kellys-korner-xp.com/xp_qr.htm#rpc
http://forum.mvps.org/viewtopic.php?t=2703
Microsoft Security Bulletin MS03-026:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp?frame=true
MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution
http://support.microsoft.com/?kbid=823980
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
http://securityresponse.symantec.com/avcenter/security/Content/8205.htm
To clean it up:
http://www.bigblackglasses.com/Article.aspx?Article=342
or a zipped script:
http://www.bigblackglasses.com/staff/downloads/msblast2.zip

--
Frank Saunders, MS-MVP IE/OE
http://www.fjsmjs.com
Reply to Newsgroup. I won't answer email
Protect Your PC
http://www.microsoft.com/security/protect/
 
Greetings --

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Many thanks to you all. Patches in place and worms (I had 2!) now removed
and harmony once again restored to my machine. XP's firewall now active.

Your help was much appreciated

Andy
 
Greetings --

You're welcome.

Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 