Re: Win XP RPC Service Failure Reboot Rant Help - the story of a ruined weekend!

From: AnnonUser (poster_at_annonuser.net)
Date: 04/26/04 

Date: Mon, 26 Apr 2004 09:59:02 -0400

Bill Gribble wrote:

> Quite a long, complicated story as much to blow off steam as anything
> else, though any help, sympathy or advice would be much appreciated.
> Judging from related threads that I've read here I'm not the first to
> fall foul of this particular problem...
>
> If nothing else, this is an anecdote of why it's so necessary to keep
> your OS patched up, a decent anti-virus package installed, actively
> scanning and totally up to date, and your Internet connection
> completely firewalled.
>
> Began sometime last week with the decision to upgrade my existing copy
> of Windows ME to XP Home Edition and install Symantec Internet
> Security 2004.
>
> The catalyst for this decision was my teenage daughter who saw fit to
> install Kazaa because some bright spark at her school had told her it
> was the best way to get free music. As I understand it now, it's the
> best way to get any number of things, most of them being things you
> really wouldn't want to catch...
>
> So, the PC (Win ME, firewalled by Zone Alarm, protected by McAffee VS
> - unfortunately the latter was out of date) could have already been
> infected by the time I took the decision to upgrade. It most likely
> was. However, I suspect I made matters worse...
>
> After uninstalling Kazaa, grounding my daughter for life and booting
> the PC on the Symantec Internet Security CD and letting it take the 34
> hours it needed to scan for a virus and find nothing, I then ran the
> Windows XP upgrade.
>
> I did this with my Broadband connection active, with Zone Alarm still
> running, because the instructions suggested Windoze would want to
> connect to the Web to download the latest patches as part of its
> upgrade process.
>
> In hindsight, an exceptionally dumb move.
>
> I suspect that the upshot of this is that at some point through the
> upgrade process my Broadband connection became "un-firewalled", as
> Zone Alarm got mangled by XP and XP defaults to not having its own
> firewall active when it first installs.
>
> So ME is now apparently upgraded to XP. I realise that the upgrade has
> mucked up Zone Alarm so uninstall it and switch on the XP firewall.
> Probably too late by now...
>
> Try to install Norton Internet Security. Seems to install fine, but
> doesn't fire up on rebooting. I catch on to this failure eventually,
> uninstall it, switch off the XP firewall (thinking this might be the
> problem) and reinstall it (again, giving myself unfirewalled exposure
> to the Web - Doh!). Of course, no joy.
>
> Better still, I start to get the RPC Service sporadically failing and
> restarting my computer... Oh, and giving me 60 seconds warning each
> time, which I guess could be construed as polite, but personally I
> think the *** PC is just rubbing my nose in it... >:(
>
> Some short time later, this leads me (via the web and Microsoft pages)
> to the conclusion that I've most likely been affected by W32.Blaster
> or one of its variants. This is also the likely reason why Norton
> Internet Security is failing to install.
>
> I find out how to fix the failure mode of the RPC service so that it
> just restarts itself rather than my whole PC, so my PC is now stable
> enough to do something with it.
>
> I download the Norton W32.Blaster fix and run it.
>
> Then I remember I haven't switched the XP firewall back on, and in the
> realisation that Norton isn't doing what it said it would do on the
> box, I abort the FixBlaster.exe scan and then switch the firewall back
> on.
>
> On aborting the FixBlaster scan it tells me that its found and deleted
> one infected file, suggesting that I'm on the right track...
>
> Firewall is back on and I restart the FixBlaster scan, now feeling
> very optimistic that I'm back on the right track. I have to go out, so
> leave my PC to get on with things.
>
> The scan eventually finishes, but finds nothing else.
>
> Switch the RPC service failure mode back to rebooting the PC on fail,
> expecting all to be well once more, and try to reinstall Norton
> Internet Security... The RPC service fails, machine gets rebooted.
> Windows again gives me the customary 60 seconds of warning in which to
> contemplate my many failures.
>
> Oh, and Norton Internet Security failed to install. Same problem as
> before. I'm subsequently led by the Symantec site into running
> MSCONFIG to try and identify whatever is apparently conflicting with
> it. MSCONFIG starts up and gives me a few seconds to speed-read what I
> can and then inexplicably closes. A bit like Norton. Well, at least
> I've identified the likely conflict.
>
> Everything is pointing back at a virus infection.
>
> Running the Symantec online scan identifies a couple of hundred files
> infected with W32.NetSky - I download the fix from Symantec, run the
> scan and let it do its thing. A couple of hundred files are deleted.
> Things are looking up?
>
> Nope. My old friend the RPC Service continues to reboot my PC with
> malicious and mocking glee, MSCONFIG can't keep it up and Norton
> Internet Security keeps flopping. Oh, and the Windows Update doesn't,
> well, update. It says it does, it downloads and executes the update,
> but on re-running the scan the Microsoft site tells me I still need
> the various critical updates I thought I'd just installed. It also
> leaves lots of folders in my C:\ with long gibberish names. I imagine
> those are the installation files for the various patches and Hotfixes
> Microsoft update tried and failed to load.
>
> Rerunning the Symantec FixBlaster scan previously downloaded finds
> nothing. As of last night, re-running the Symantec Online scan finds
> nothing. But the machine is behaving as if it were still infected with
> W32.Blaster. I finally went to bed last night in frustration at about
> 3am only to be kept awake by nightmares involving worms, wooden horses
> and an emasculating inability to bolt the stable door irrespective of
> the presence of the bloody horse or otherwise.
>
> I haven't downloaded a fresh copy of the FixBlaster.exe scan from
> Symantec since I first downloaded and ran it on Saturday. Is it
> possible I've re-infected myself with an updated version of the virus
> since then? Or the virus has chewed up the FixBlaster.exe? Or I've
> infected myself with something else entirely that has the same
> symptoms? But wouldn't the Symantec Online scan have caught something
> other than NetSky if that had been the case?
>
> Tonight I plan to start again. I've cancelled the various things I'd
> normally be committed to on a Monday night. Last night's frustration
> and despair has turned into a quiet anger and simmering hatred of
> whatever nasty little bug has infected my PC. It's like having
> somebody sleep with your wife...
>
> So I plan to download a fresh copy of the Blaster fix and start from
> there, possibly from somebody other than Symantec. And keep my XP
> firewall active whilst I trawl the web for other ideas, even though
> that feels a bit like closing the stable door after the horse has bolted.
>
> If it comes to it, I'll reformat and reinstall everything from
> scratch. But I really, really hope to avoid that if I can. Some time
> back (like about two years) I took the decision that backups were
> unnecessary, as it was only my personal PC, so if I ended up having to
> reinstall from scratch I wouldn't loose anything critical.
>
> I was only partly wrong. The data is only one of my worries. Having to
> reconfigure all my applications from scratch, find drivers for all my
> odd bits and pieces like firewire cards and network cards and so on,
> to tweak everything so that it's running just as I like... Even the
> games I play, flight simulators (IL2 rules) and Half-life CTF / Day of
> Defeat for the most part, just reinstalling them and getting
> everything patched just so... Doesn't bear thinking about.
>
> Anyway. I apologise for sucking up everybody's bandwidth and patience
> with the sort of tirade to which the obvious response is "cry more
> n00b". But I actually feel a little better now, and ready to start
> again afresh tonight.
>
>
> -Bill

Your story is an easy and fascinating read because you wrote in
sentences and paragraphs. The nightmare posts are run-on sentences in
caps.
You might want to try TrendMicro and McAfee Stinger for online scans.
Do you know how to stop the shutdown? You never said. Start - Run -
type cmd
in the command line type shutdown -a
You might also want to consider installing other protection -- you never
said if you have them, so . . .
Ad-Aware 6.0 - for removing spyware
http://www.lavasoftusa.com/
   
Spybot Search & Destroy - for removing spyware
http://www.safer-networking.org/

AdAware and Spybot complement one another -- update and run both.
  
 CWShredder - gets rid of page hijackers
http://www.majorgeeks.com/download4086.html

 Google Toolbar - for blocking popups
   
 http://toolbar.google.com/

Before running the Spybot and Ad-Aware, delete temporary internet files
and internet history.

The anti malware stuff should be especially important since you've had
the virus KaZaa.

Good luck. Post back. There are some fine experts on this group, and I
imagine you'll be getting more responses than just mine. If you need
additional help with this mess, may I suggest Annoyances.org.