
Hhheeelllpp RPC Problem :(

20 years 5 months ago #1718 by deathmatrix
Hi Sahirh, help me out. Sometimes, well almost every time I connect to the internet through my dial-up connection, I get an RPC popup, and sometimes I don't even get a popup and my system reboots in 30 sec. Can you tell me what the problem is and what I can do to fix it?
Note: I have two ISPs and this happens with both of them, and I am running Win XP Pro on my sys.

thnx
deathmatrix :( :?: :?:

mess with the best and die like the rest
20 years 5 months ago #1721 by sahirh
Oops Deathmatrix, I'm afraid it sounds like you've been infected by W32/Msblast, otherwise known as msblaster, lovesan etc. etc. It's a worm that spreads through a security hole in the Windows Remote Procedure Call Service.

However patching things will be a little difficult for you since you can't get online to download the patch, so we'll just do this the manual way.

First off, start Task Manager (Ctrl+Shift+Esc) and check for msblast.exe; if it's there, kill the process. Then go to %winroot%\system32 (where %winroot% is your Windows directory), find the file and delete it.

Now open regedit (by clicking start >> run >> type regedit) and go to this key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

There should be a value like this in the right pane :
"windows auto update"="msblast.exe"
Delete that sucker.

Reboot.

We shoulda got rid of it.

I recommend you get yourself a personal firewall like zonealarm ( www.zonelabs.com ) or if you already have a firewall block out ports 135, 137 and 139.. this might break your local lan if you don't do it on the correct interface, so just check on what you're doing.

Even if you didn't find this file you could have been infected by any number of variants of the worm.. I recommend you fire up your anti virus scanner (It would appear you're not running one or your definitions are horribly out of date you bad bad boy !)

It is also feasible that someone manually exploited your machine, which is why the virus scanner didn't pick up a signature. The RPC DCOM exploit is available everywhere. I don't think this is likely though as your machine is displaying classic blaster symptoms.
Btw clean up all machines on your local lan, they've all got it by now :)

I don't know if you'll be able to view these pages before a reboot but here they are anyway for extra info :
www.zdnet.com.au/newstech/security/story...8600,20277131,00.htm
www.ravantivirus.com/virus/showvirus.php?v=196

As a permanent solution to viruses you might consider switching to this wonderful new product 'Microsoft Linux', available as a free download from www.redhat.com .

hehe don't take the last paragraph too seriously.

Linux: Telling Microsoft "where to go today" since 1991

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
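
The manual check from the post above (process, file in system32, Run key value), written as a read-only script. This is an added example, not part of the original thread. It assumes PowerShell is available (it is not on a stock Windows XP install), uses `$env:SystemRoot` in place of the post's `%winroot%`, and the function name `Test-BlasterIndicators` is hypothetical.

```powershell
# Added example: read-only check for the three indicators named in the post.
# Nothing is killed or deleted; removal follows the manual steps in the post.
$exeName   = 'msblast.exe'
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'windows auto update'

function Test-BlasterIndicators {
    $findings = @()

    # 1. Running process (Get-Process matches on the name without ".exe")
    $procName = [System.IO.Path]::GetFileNameWithoutExtension($exeName)
    $procs = Get-Process -Name $procName -ErrorAction SilentlyContinue
    if ($procs) {
        $findings += "process running: $exeName (PID $($procs.Id -join ', '))"
    }

    # 2. File in the system32 directory ($env:SystemRoot stands in for %winroot%)
    $path = Join-Path $env:SystemRoot "System32\$exeName"
    if (Test-Path -LiteralPath $path) {
        $findings += "file present: $path"
    }

    # 3. Run key: the named value, or any other value that launches the same file
    $psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }   # provider metadata, not registry values
            if ($p.Name -eq $valueName -or "$($p.Value)" -like "*$exeName*") {
                $findings += "Run value: '$($p.Name)' = '$($p.Value)'"
            }
        }
    }
    return ,$findings
}

$result = Test-BlasterIndicators
if ($result.Count -eq 0) {
    Write-Output "None of the three indicators found."
} else {
    $result | ForEach-Object { Write-Output "FOUND  $_" }
}
```

An empty result only covers the file name and Run value quoted in the post; as the post says, variants exist, so an up-to-date antivirus scan is still needed.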
20 years 5 months ago #1736 by tfs
Replied by tfs on topic Re: Hhheeelllpp RPC Problem :(
OUCH !!!

Some people just can't resist taking a potshot at MS. :roll:

Thanks,

Tom
20 years 5 months ago #1742 by sahirh
Haha would I ever miss a chance... though I've gotta admit, after I murdered my RH9 box today I'm laughing on the other side of my face (how do you do that exactly) :roll:

Lol, you and I spend wayyy too much time staring at these dark blue, grey and green pages....

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 5 months ago #1759 by tfs
Replied by tfs on topic Re: Hhheeelllpp RPC Problem :(
Yeah, I saw that (about your RH9 machine) in your email, but I wasn't going to say anything.

Much too classy for that !!! 8)

Thanks,

Tom