Bean has a computer, running windows xp home edition, which has just recently started crashing constantly – often within a minute or less of boot-up. This is a problem.
The error says something about “the Remote Procedure Call (RPC) service terminated unexpectedly” (see image to right).
If any Alas readers have any suggestions to post, or has a computer-maven pal they could ask to pretty please look at this post, we’d really appreciate it. (But please remember, we’re computer illiterates, so detailed step-by-step suggestions are especially appreciated!) Thanks!.
You have been infected by an exploit of the “DCOM RPC Overflow”. The vulnerability has been known for some months, and a fix was made available via Windows Update, but not everyone lets Windows Update run automatically.
http://www.cert.org/advisories/CA-2003-19.html
http://www.kb.cert.org/vuls/id/326746
To my knowledge, there is no way to repair this, short of a reformat and reinstall.
Be sure to follow the steps for recovery for all other PCs on your network. You don’t want ’em all going down.
Do you know how to reformat and reinstall?
Is that the same thing as wiping the hard drive and starting over?
One problem is that we don’t have a Windows XP CD-Rom. (I know, the dealer who sold Bean her computer should have given her that – but he didn’t).
Yes, it’s the same thing as wiping the harddrive and starting over. Unfortunately, that’s pretty damn hard to do without an XP CD-ROM. Do you know anyone who has an XP CD that you could use? Actually, it would be best if you got in touch with her dealer and saw if you could get one from him/her.
Amp, yes formatting and reinstalling is “wipeing the hard drive and starting over”. If you can’t locate a WinXP cd, let me know and we’ll mail you one.
But I don’t see how doing this is going to fix her problem.
here is a link from MS with the patch
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
and you should get yourselves a firewall (personally I’d recommend zone alarm).
Morrigan,
As I understood it, the patch wouldn’t help once the computer had been infected, if only for the logistical problem of downloading and installing the update patch in the few minutes before the computer crashed.
However, feel free to correct me if I’m wrong.
If, indeed, you can get the patch downloaded & installed before it crashes, you may be fixed. You can also, if time before crash (now known as TBC) allows, follow the instructions on the Cert page and shut down access over the offending ports. Once you’ve done that you should be OK. Unless you’ve got an infection on your PC (as opposed to some obnoxious hacker just overloading you from outside). Which is likely. So, you also need to do a virus scan to locate and remove the offending software.
Yeah, you really need a firewall. I’m using ZoneAlarm. People I know like Black Ice. My dad is partial to Grisoft. They’re all free for home use. And damned useful they are. I think it’s worthwhile to have anti-virus software. I also recommend Spybot Search & Destroy (which locates & deletes known spybots from your system) which is also free.
But what the hell do I know? I’m just some poor schmoe wandering the internet with no clear idea of where I am or where I want to go.
FTR — when I bought my PC, I did so because my last computer had totally died. I demanded an install CD. The people at the store (Best Buy) told me that everything was on the computer and I didn’t need the install disk. I told them that that was stupid — if my computer crashes, I can’t very well get to any of the information on the computer. They insisted that there wasn’t an install disk. I got really pissed, yelled a bit, and they kept insisting that.
So, I went home, hooked up the new computer and did some on-line checking. I went back to the store and demanded the install disk that should have come with the computer. They tried to pull the same thing. I demanded to speak to the manager. Finally, he said yes, there should have been an install disk, but now that I had bought the computer there was nothing he could do about it. He couldn’t take an install disk from another computer because then he wouldn’t be able to sell it (to which I retorted “obviously you’ve done it before”).
Anyway, suffice it to say, I do not have a disk, and other than borrowing one (thanks Morrigan!!) there’s nothing I can do about that.
Okay, Amp, before you guys do anything drastic like reformatting and reinstalling, I think this may work… (I’m working off a Mac right now, so I can’t be 100% certain, just so you know what you’re getting yourself into).
Disconnect bean’s computer from the network/internet. (I’m assuming that she’s connected to an ethernet or DSL of some kind. If it’s not, then you have an infection on the computer itself that’s exploiting the error.)
On another computer download this file: the patch.
When it’s downloaded, put it on a 3.1/2″ floppy.
Put the floppy in bean’s computer. Run the program off the floppy. (You should be able to do this by going to the Start Menu and clicking on “Run.” In the box that pops up type “a:/WindowsXP-KB823980-x86-ENU.exe” sans quotes.)
Follow the onscreen instructions.
Reboot the computer, reconnect it to the network/internet and see if things aren’t any better.
Final step: curse Microsoft for making such a crappy product.
(This has nothing to do with the current error, but I’m curious.)
bean,
What do you do when you install a new program that requires the XP CD?
PDP — I’ve never had to do that.
Check the following URL. Could be this worm virus exploiting the vulnerability:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Cheers from a Spanish Ampersand reader ;-)
Also, if you can wait until tomorrow evening (which, I’ve been told, has been renamed in my honor – as has every Tues eve at your place – woohoo!), I’ll be there and I can take a look. We can boot in safe mode and see what happens & if we can fix it that way so that we don’t need to reformat/reload.
Cool Jake! Actually, after whining to Amp, my first question was “can we call Jake?” :p But, Amp, being his typical passive-aggressive self thought, “why not just post it on the board — that way, Jake might offer to do it, and I don’t have to feel like I asked for help.” :p :p
Oh, like I didn’t guess. But, you know, I want to appear generous and sympathetic and crap like that. Of course this way I can also demand that Amp locate the computers on which the scripts for Granny Applethorpe’s Hour of yadayadayada may reside. And there’s always the possibility that I will have no clue and will wind up just shrugging my shoulders. In any case, get it the hell off the network/net for now.
GASP!! There’s no way I’ll survive with no internet until tomorrow night. No way at all. Not only because I like to read blogs and boards — but because I’m desperately searching for a job. I can’t possibly put that off. I’m already at the “borrowing money for cigarettes” stage.
But she did download and install Zone-Alarm. And being paranoid, I installed every security update Microsoft had available….
Here is a quote from
http://it.ucdavis.edu/whatsnew/text/news2.cfm?id=527
We are also aware of some unconfirmed reports that this installation of the patch may still leave your computer with vulnerability. Other possible methods to reduce this vulnerability include disabling COM Internet Services on your computer or using hardware or software firewalls to:
* Block TCP and UDP ports 135 (Remote Procedure Call)
* Block TCP ports 139 and 445 (NetBIOS)
* Block TCP port 593 (RPC-over-HTTP)
Also here is another link
http://www.cert.org/advisories/CA-2003-16.html
Also a solution to your problem can be found here.
You may not have to reinstall!!!!
http://www.blackviper.com/AskBV/tech10.htm
Oh, good, I’m happy to hear that Jake can actually physically take a look at the computer. Like I said, I’m on my Mac and so can’t give the best of instructions. Hope things get fixed okay!
BTW, PDP — I’m curious about what programs I would need the XP CD to install. I’ve certainly never run across any in the year and a half I’ve had this computer.
You shouldn’t need to wipe your hard drive and reinstall
from
http://www.blackviper.com/AskBV/tech10.htm
You can “stop” the Remote Procedure Call service from shutting down the system after 60 seconds. I absolutely do not condone this action as a “fix,” but it could be used to stop the system from rebooting while you are attempting to repair the issue and scan your computer for vulnerabilities:
1. Head to Start –> Run –> and type services.msc You can also go to the services.msc by following the procedure listed below under “Changing a Services default failure actions.”
2. Select the Remote Procedure Call Service from the list by double clicking it.
3. Select the “Recovery” tab.
4. The default for this service is “Restart the Computer” for all failures.
5. Change each one to “Take No Action”
The web site shows all the screens
If you do this, you should then be able to repair the damage. You should also use that opportunity to back up all the user files to a cd-r
Anyway, I hope that this helps
bean –
I’m not sure about Windows XP, which I only used for about a year before I decided to give it the boot, but back in the good ol’ days of Windows 95 and 98 it seemed like every major program I installed required the Windows disc. I didn’t have to do that very often in Windows 2000, though, so I guess they worked pretty hard at fixing that. Then again, if they’re going to take up one-and-one-half gigabytes of harddrive space for the operating system alone, you darn well better not have to install additional components to run programs. I suppose that now the only things you’re likely to need the XP CD for are hardware changes and reinstallation. Now that they’ve gotten Windows a bit more convenient, maybe they could work on not making it a piece of crap. Er, sorry, didn’t mean to being to rant.
i was having the same problem, and thanks to your post i got a solution.
the boyfriend downloaded that patch for me and installed it. we also got zone alarm pro, pest patrol, and the anonymizer. hopefully this will help me out.
note: the anonymizer warps css and makes text REALLY large.
but hey, thanks for the heads up. i thought i had screwed up something on my own and wouldn’t have known it was a virus. it didn’t show up on my virus scan!
the virus shows up as “msblast” just to let everyone know. do NOT allow permissions on that baby.
1) Throw current computer in the trash.
2) Buy a Mac.
I’d say that’s all the detail you need.
Sure, buy a Mac if you’re doing graphics work. Otherwise your just paying extra for essentially the same thing. You could always run Linux. Uh oh. I’ve started a Mac/PC argument.
Oh, and check out blueheron for the answer to all your problems.
Go here:
http://www.livejournal.com/users/heron61/158848.html#cutid1
That’s idiot speak for, “What the fuck is HTML and how is it used? And is it really worth the time to figure out. I can just type these rambling semi-sentences instead.”
I haven’t read the other comments yet. I had just emailed you two about this virus before reading that Bean had it. Our best friends have it too.
Don’t do the restore! That won’t help. According to the http://www.norton.com site, you need to download that patch at microsoft (I emailed the link) and then remove the virus, but it looks like you have to download the patch first.
If her computer is doing what theirs is doing, she won’t be able to do that, but we saved the file to disk for our friends, and so Amp should be able to burn it and then you should be able to install it on her computer. I hope!
Good luck!
Also, re: firewalls…
When you have a firewall, aren’t there some things you can’t do online? Could I still indulge in my frequent chatting and gameplaying?
I had the same problem and after kicking msblast.exe out of the list of active processes in the task manager the problem stopped. This is just a short term solution, install the patch afterwards. (AFAIK msblast.exe is the automatical update service in WIN XP.)
See also http://sysadminnews.com/sysadminnews-32-20030814WindowsDCOMRPCExploit.html for more info.
Thanks for all the comments, folks – hopefully, people googling for solutions to this problem may run into this thread.
In the meanwhile, it does appear that Bean has pretty much solved the problem, so thanks to everyone for the helpful info. Yay!
That’s idiot speak for, “What the fuck is HTML and how is it used? And is it really worth the time to figure out. I can just type these rambling semi- sentences instead.”
Thanks muchly for the vast lack of compassion. Not funny, go away.
John (if that is you), you’ve mistaken Jake’s attitude. He wasn’t talking about you, he was talking about himself – in particular, about his own not turning the URL into an html link.
[carefully avoids making any comments about Macs vs. Windows vs Linux]
[no, really…]
Ehm… I must insist on having a fast check through Symantec’s page and download this fancy program to erase the msblast virus:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Of course you also must download the patch from Microsoft’s site. But first is destroying the bug.
Cheers.
just got back to this thread… glad to see everything is under control again :) Bean, just drop me an email with your real address and I’ll send you a cd. And the manager at bestbuy is an ass.
Morrigan — email snet [grr] (oh, sorry, habit… :p ) Thanks again.
Just a quick comment — Macs suck!!! :p
PDP:
Do you know anyone who has an XP CD that you could use?
You probably already know this, but it’s a violation of MS’s terms of service agreement to do that (i.e. use the same serial number to install XP on two different machines).
Yes, stupid policy.
Yes, stupid dealer for not giving bean the CD key. Makes me wonder if they only bought one copy of Win XP and are reusing it over and over, to save the expense. But that’s neither here nor there.
Amp/bean:
In the meanwhile, it does appear that Bean has pretty much solved the problem, so thanks to everyone for the helpful info. Yay!
So which specific remedy did you use?
John (if that is you), you’ve mistaken Jake’s attitude. He wasn’t talking about you, he was talking about himself – in particular, about his own not turning the URL into an html link.
Ah, many thanks for pointing that out, I in a fiarly hostile frame of mind last night and misread his post.
I’ve often had XP crash on me for undetermined reasons.
I fixed it by installing Linux.
Oliver Willis found a patch from Microsoft. I’m hoping to get it downloaded before the next crash, then install it afterwards.
If you haven’t heard of flash mobs, they are large groups of people that show up in a public place at a specific moment and perform synchronized actions for a short period of time, then quickly disperse. The intention of this is simply to have fun and make passersby stop and go, “Wait, what the hell was that?” If you would like to be part of the first known flash mob in Portland, please go to this site: http://groups.yahoo.com/group/PDXFM and join the group. You will receive further information by way of email through the group. Please send this message to everyone that you know.
Someone in a post above made reference to the ports to block on a firewall (or router) to disallow this crap onto your network; the list was basically correct, but missed an important one: port 69 TFTP which this little beauty uses to put stuff on your machine.
an access-list (for a cisco IOS router) might look something like this:
ip access-list extended badwormACL
deny tcp any any eq 135
deny tcp any any eq 4444
deny udp any any eq 69 (or tftp)
permit ip any any
now apply it to your router serial 0 (or which ever interface is you internet)
ip access-group badwormACL in
remember that tftp is blocked, but the named access-list allows removal of that line, so you can run tftp if needed, and then reapply it.
—-
If you are not using a Cisco device at home (most likely), make sure you deny ports tcp 135, tcp 4444 and udp 69 INBOUND, ie make sure your routing device/firewall discards packets with these port numbers in them before they pass the interface. Yes, a good one inspects all those packets before allowing them in…
No legitimate intenet application/packet is going to use these ports for anything the average user needs…and with a nasty little booger like this out there, why take a chance?
Cisco users, don’t forget the permit ip any any…you know who you are…. :)
The Virus removal tool can be found here
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
READER GREG PIPER NOTES that this sounds “awfully Jayson-Blairish:”
Gilligan’s eccentric working practices are well known at the BBC, which he joined four years ago from the Sunday Telegraph. He was headhunted by Today’s then editor, Rod Liddle, who appears to have cut him a good deal of slack: Marsh said the problems caused by the Iraq dossier story were “in many ways a result of the loose and in some ways distant relationship he’s been allowed to have with Today”.
Hmm. Read the whole thing.
Paul beat me to it. But because I’m in a helpful mood, I’ll reiterate. Get a Mac. You’re not just spending more for graphics. You’re getting what you pay for.
And, FGE, what does Gilligan or Blair have to do with Windows XP problems?
You probably already know this, but it’s a violation of MS’s terms of service agreement to do that (i.e. use the same serial number to install XP on two different machines).
as soon as they audit her home pc, I’ll worry. ;)
As for this virus, it just exploded at my work today. No downtime though, but they did bring down the servers in the middle of the day to update the virus software (which I can’t remember the last time they brought down the servers in the middle of production before…)
CD will be in the mail tomorrow, sorry for the delay.
Thanks again, Morrigan — no problem about the delay.
Kevin — but what about those of us who absolutely hate Macs?
“1) Throw current computer in the trash.
2) Buy a Mac.
I’d say that’s all the detail you need. ”
Bwah-hah-hah-hahhhh !!!
bean, you only think you hate Macs. As is typical of Microphiles, you actually need Mac Users around so you can continue to tell what used to be called “Polish Jokes” or, up North, “Newfie Jokes,” w/o seeming un-P.C. However, never fear. Once you surrender to the obscure charm of the Mac-Universe, you’ll still have aol users and the entire staff of FOX news[sic] to kick around, so no worries. :p
No, no, I really hate them. I was forced to work on one in grad school, when my grad assistantship was maintaining the dept. web page. I really, really hated it.
Also, the first computer I ever used was a Mac — well, actually, the first computer I ever used was a Commodore 64, but after that it was a Mac. So I know it’s not just a “familiarity” thing. I just really don’t like Macs.
Oh, sure. Just keep posting that ’til you believe it. ;)
Ah. The Cult of Mac rears its ugly head through the voice of AmyS. Please, let’s hear more of your absurd “Mac good, PC bad” reasoning. Then, if we’re lucky, we can get someone else to amuse us with absurd “PC good, Mac bad” reasoning. Finally, the linux geeks can finish things off with “Linux good, all else bad” songs. We’re just missing the technophobes to tell us that computers (Mac, PC or Linux) foretell the doom of all mankind. And then the party is complete:)
See, now, Jake, I’m not gonna go there :p
I don’t think PCs are “better than” Macs — I just know that, for me, I like PCs better. If other people like Macs better, I say get a Mac and have fun. If other people like PCs better (or Linux), use that. People can talk about the worth (or lack thereof) of Macs or PCs or Linux all day and all night. Doesn’t make one bit of difference to me. I know what I like, for me, and petty arguments about which is better isn’t going to change my mind. I’ve used both, I know what I like. Other people’s opinions are their own, and I wish them more power in using what they want, but it ain’t gonna change my mind.
I’m with bean here and respect her position. One can bring out all the numbers and statistics and all that that one wants, but personal taste still prevails. I’ve used Windows, and I’ve used Macs, and I’ve used Linux (although not as much as the other two) and no benchmarks will ever convince me to use anything other than what I like.
Err… Jake, I’m just teasing. Lighten the fuck up. (rolleyes)
Geeze guys, it was a joke. Didn’t you notice the little pseudo-iconic smiley face at the end. I never do that. A not-very-funny-funny it seems. Oh well, when you’ve got a million of ’em some of them are bound to fall flat.
many of us in phil. are reasearching this kinda wierd behavior of our computers here in philipines. bec. it has made a lot of threats. and we have been locating somepatches and repairs.. but i havent thought that even other countries are also have these problems..
I had the virus and it is VERY simple to get rid of…in the 3 minutes you have before it starts to shutdown go to microsoft.com save it to your desktop and follow the very easy instructions…it took me about 5 minutes to get my computer back on line…the instructions are easy to read and easy to do…it does not destroy your hard drive and you do not need to get rid of your computer…I am a windows XP user and very new to using computers…less than 6 months…and I followed the instructions and here I am…computer has been up and running since I went to the micosoft web page..Good luck!!!!
I had this same virus, on a computer that is only 4 months old. I tried everything, including saving the patch to a floppy and installing it. This stopped the timed pop up from restarting, instead, it wouldnt let me connect to the internet at all. I had to reformat my harddrive, which wasnt exactly easy since there is no “restart to ms dos option.” My question now is there any way to prevent something like this from happening again? I do have a virus detection program, but that obviously doesnt work. Thanks.
HELP!!!
We had our computer which is a Compaq 5080US 5000 series
brought to an electronic store in the Bronx.They put in WindowsXP-KB823980-x86-ENU and didn’t give us a recovery disk.How can we get one????
THANKS Paulette
URGENT HELP NEEDED
I have the same problem with the remote procedure call error, however i have downloaded all the worm removal tools, but this has not fixed it. It is only when i connect to the internet, is there anything else that could be the problem or is this definatly the worm?
Thankyou
Ben
All i did was as soon as i start up the computer go to start menu, programs, accessories then system tools and do a system restore to an earlier date, worked for me!
Hello everyone! A few months ago I have built a computer which consist of an AMD Processor from Micro Center. My computer keeps re-booting while in the middle of writing a paper or even surfing on the Internet (cable modem). It looks like my Win XP has a problem with the AMD products? Last evening I tried to format and install Win 2000 Pro as well as 98 and would get a blue screen with all different types of letters, looking crazy. Could it have anything to do with front side bus speed? Do you have any suggestions on how to fix this re-booting problem? I do like Win XP features.
and this may be a little late but if you have windows xp or 2000 for that matter, copy the I386 folder from your cd to your hard drive. that way when something asks for the cd you can point it to that directory. that’s usually the folder that’s being looked for.