Solved: no RCP/drag/drop/copy/paste/network etc after removing Virtumondo virus...

icepam · 27-Feb-2009, 08:41 AM #1

Hello, this is my first post... i will try to be as verbose as possible in the hope of a quick solution and that other users will be able to find this post by searching for the different symptoms.

win XP pro/sp2

I had to remove a virtumondo virus (i used pctools spyware doctor, comodo firewall and antivirus (didnt see it anyway), virtumondoBegone, and vundoFix (didnt see it)).

I deleted the usual random 8-letter .dlls and some random 8-letter .ini and .ini2 files hidden in system32, created at the same time as the .dlls.

I manually deleted entries from registry relating to abovesaid dlls.

When i rebooted:
the "RPCSS is starting" message stays on the screen for 20 seconds, and i suppose fails, then after logon, i receive "RPC server not available, cannot start skype.exe" or something like that.

I cannot drag and drop or copy and paste in explorer. instead to copy files the only way is to do it in a dos prompt.

I cannot connect to the internet or any network: my network connections folder is empty, the create new connection wizard has most of its options greyed out and is useless. (i reinstalled my wireless adapter driver, no change, and there is no X on the wireless adapter under device manager - only on the VMware Virtual ethernet adapter for VMNet1/8)

I cannot see anything in the control panel/user accounts folder, cant even right-click to add a new one!

When i try to manually start the Remote Procedure Call service and related services, e.g DCOM and DHCP, it fails saying Could Not Start Remote Procedure Call (RPC) service on local computer, Error 193: 0xc,1.
trying to start the COM+ Event System service and others says "Error 1068: The dependency service or group failed to start." in fact i think all my services set to automatic are refusing to start manually.

I have read on some forum that the svchost.exe file may be at fault: i have replaced that: no change.

I have gone through all the steps in this post:
http://forums.techguy.org/malware-re...y-paste-4.html
including devil_himself's .vbs file to start RPC... no use to me.

i like MOSAIC1's proposal, that the culprit is probably a hanging dependency on RPCss, it seems to have helped manomia. I cannot access his batch file to remove that though: anyone help with that please (clearit.bat)?

i do not have system restore, and i do not have recovery console.

i do not want to reinstall as i have dozens of softwares installed that i need for work and cannot access my originals until next month when i go back home.
last resort: i would be happy to do a repair install, but the only CD i have available has an unattended slipstreamed version of xp that will not i think offer me the R repair option. Is there a way to create a new iso out of an existing slipstreamed cd, which would make it an attended install again?

I have run COMBOFIX and HJT, will post the logs if asked.

icepam · 27-Feb-2009, 08:43 AM #2

oops, the title should be no RPC, ...

would be happy to try MOSAIC1's RPCss dependency clearing clearit.bat before anything else! thanks!

icepam · 27-Feb-2009, 08:48 AM #3

ok, nevermind clearit.bat, i found it here:
http://209.85.229.132/search?q=cache...lnk&cd=3&gl=fr

will test and post update. thanks for any other ideas in the meantime

icepam · 27-Feb-2009, 08:59 AM #4

clearit didn't help, as there was no DependentOnService value attached to RpcSs.
on the other hand, i notice that in the registry, some services are dependent on RpcSs, others on RPCSS: is the value case-sensitive?

running the windows file protection test sfc /scannow, but taking forever. (my wfp service was off normally, so i wouldnt be surprised if the results are bad

)

icepam · 27-Feb-2009, 01:43 PM #5

bump*

i tried the legacy_rpcss/0000 hack on the registry but still no use. rpc refuses to start with an error 193.

in fact there are so many different versions of this /0000 that i am lost if they are for winXP or win 2000. can anyone please tell me what is the exact solution, better: help me with a .reg file for windows XP SP2?

in all cases, i cannot get access to change some values in the registry, access denied. for example, i cannot add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCSS\0000\Control]
"ActiveService"="RpcSs"

as proposed here:http://forums.techguy.org/malware-re...activated.html

TIA!

icepam · 27-Feb-2009, 08:28 PM #6

ok, gave up and did a repair installation - worked great, and didnt lose any applications or files.
if you're using nLite to slipstream SP2 etc, make sure you select "Prompt for Repair" in the Unattended settings page, create a bootable CD or DVD, then follow warnings here:
http://www.michaelstevenstech.com/XP...install.htm#RI
and instructions here:
http://pcsupport.about.com/od/operat...txprepair1.htm

hope this helps someone.

Tag Cloud
access acer asus batch bios bsod crash desktop driver drivers error ethernet excel freeze gaming gpu hard drive hardware hdmi internet laptop malware memory monitor motherboard netgear network printer problem ram registry router server slow software sound trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for:

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!