- Posts: 5
- Thank you received: 0
Hhheeelllpp RPC Problem :(
- deathmatrix
- Topic Author
- Offline
- New Member
Less
More
21 years 3 days ago #1718
by deathmatrix
mess with the best and die like the rest
Hhheeelllpp RPC Problem :( was created by deathmatrix
hi Sahirh, help me out, some times well almost everytime i cinnect to the internet through my diel-up connection i get a RPC popup and some times i dont even get a popup and my system reboots in 30 Sec, can you tell me what the problem is and what i can do to fix it,
note: i have two ISPs and this happends with both of them and i am running Win XP Pro on my sys.
thnx
deathmatrix : :
note: i have two ISPs and this happends with both of them and i am running Win XP Pro on my sys.
thnx
deathmatrix : :
mess with the best and die like the rest
21 years 3 days ago #1721
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Hhheeelllpp RPC Problem :(
Oops Deathmatrix, I'm afraid it sounds like you've been infected by W32/Msblast otherwise known as msblaster, lovesan etc etc. Its a worm that spreads through a security hole in the Windows Remote Procedure Call Service.
However patching things will be a little difficult for you since you can't get online to download the patch, so we'll just do this the manual way.
First off, start task manager (ctrl+shift+esc) and check for msblast.exe if its there, kill the process. Then go to %winroot%\system32 (where %winroot% is your windows directory, and find the file and delete it.
Now open regedit (by clicking start >> run >> type regedit) and go to this key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
There should be a value like this in the right pane :
"windows auto update"="msblast.exe"
Delete that sucker.
Reboot.
We shoulda got rid of it.
I recommend you get yourself a personal firewall like zonealarm ( www.zonelabs.com ) or if you already have a firewall block out ports 135, 137 and 139.. this might break your local lan if you don't do it on the correct interface, so just check on what you're doing.
Even if you didn't find this file you could have been infected by any number of variants of the worm.. I recommend you fire up your anti virus scanner (It would appear you're not running one or your definitions are horribly out of date you bad bad boy !)
It is also feasible that someone manually exploited your machine, which is why the virus scanner didn't pick up a signature. The RPC DCOM exploit is available everywhere. I don't think this is likely though as your machine is displaying classic blaster symptoms.
Btw clean up all machines on your local lan, they've all got it by now
I don't know if you'll be able to view these pages before a reboot but here they are anyway for extra info :
www.zdnet.com.au/newstech/security/story...8600,20277131,00.htm
www.ravantivirus.com/virus/showvirus.php?v=196
As a permanent solution to viruses you might consider switching to this wonderful new product 'Microsoft Linux', available as a free download from www.redhat.com .
hehe don't take the last paragraph too seriously.
Linux: Telling Microsoft "where to go today" since 1991
However patching things will be a little difficult for you since you can't get online to download the patch, so we'll just do this the manual way.
First off, start task manager (ctrl+shift+esc) and check for msblast.exe if its there, kill the process. Then go to %winroot%\system32 (where %winroot% is your windows directory, and find the file and delete it.
Now open regedit (by clicking start >> run >> type regedit) and go to this key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
There should be a value like this in the right pane :
"windows auto update"="msblast.exe"
Delete that sucker.
Reboot.
We shoulda got rid of it.
I recommend you get yourself a personal firewall like zonealarm ( www.zonelabs.com ) or if you already have a firewall block out ports 135, 137 and 139.. this might break your local lan if you don't do it on the correct interface, so just check on what you're doing.
Even if you didn't find this file you could have been infected by any number of variants of the worm.. I recommend you fire up your anti virus scanner (It would appear you're not running one or your definitions are horribly out of date you bad bad boy !)
It is also feasible that someone manually exploited your machine, which is why the virus scanner didn't pick up a signature. The RPC DCOM exploit is available everywhere. I don't think this is likely though as your machine is displaying classic blaster symptoms.
Btw clean up all machines on your local lan, they've all got it by now
I don't know if you'll be able to view these pages before a reboot but here they are anyway for extra info :
www.zdnet.com.au/newstech/security/story...8600,20277131,00.htm
www.ravantivirus.com/virus/showvirus.php?v=196
As a permanent solution to viruses you might consider switching to this wonderful new product 'Microsoft Linux', available as a free download from www.redhat.com .
hehe don't take the last paragraph too seriously.
Linux: Telling Microsoft "where to go today" since 1991
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
21 years 2 days ago #1736
by tfs
Thanks,
Tom
Replied by tfs on topic Re: Hhheeelllpp RPC Problem :(
OUCH !!!
Some people just can't resist taking a potshot at MS. :roll:
Some people just can't resist taking a potshot at MS. :roll:
Thanks,
Tom
21 years 1 day ago #1742
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Hhheeelllpp RPC Problem :(
Haha would I ever miss a chance... though Ive gotta admit, after I murdered my RH9 box today I'm laughing on the other side of my face (how do you do that exactly) :roll:
Lol, you and I spend wayyy too much time staring at these dark blue, grey and green pages....
Lol, you and I spend wayyy too much time staring at these dark blue, grey and green pages....
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.126 seconds