Re: DcomRpc.gen virus


From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 02/20/04


Date: Fri, 20 Feb 2004 18:32:55 -0500

Derek:

Those *.LOG or log files can't be opened because the WinXP Operating System is currently
holding their respective file handles open, thus blocking them from being scanned OR
infected.

As for a DcomRPC.gen this is a Generic detection (hence .gen) of the Exploit of the
RPC/RPCSS Buffer Overflow Vulnerability and could just be an attempt at exploitation or a
tool that "may" be used to exploit the vulnerability.

The present version of McAfee DAT files (signature files) is v4326. If you don't have that
level, then force an update. Then follow the following directions...

1) Disable System Restore
            http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode
3) Using your AV software, perform a Full Scan of your platform and clean/delete any
            infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) Re-enable System Restore and re-apply any System Restore preferences,
           (e.g. HD space to use suggested 200 ~ 400MB), reboot PC.
6) Create a new Restore point
7) Download and install the following patch for the RPC/RPCSS Buffer Overflow
Vulnerability that is addressed by Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

Please read: http://www.microsoft.com/security/incident/blast.asp

You also need a FireWall. If you don't patch the PC and don't use a FireWall then you will
just be re-infected.

I also suggest the installation of *ALL* MS Critical Updates ASAP.

Please report back your results.

Dave

"derek" <anonymous@discussions.microsoft.com> wrote in message
news:13ed701c3f802$68f18e70$a001280a@phx.gbl...
My home PC has been hit by the wksPatch1 and svchost.exe
virus despite my McAfee software being up to date. After
doing a DOS scan I have been told that a list of files
could not be opened, including
system32\config\system.log...software.log...default.log...SAM.log...security.log.

I have an OEM version of XP and my vendor wants £100 to
send me an XP restore disk. Is this my only option?

Regards

Derek


