Solved

RPC service missing+no network connections+no printers+cl&ose+no drag and drop

Posted on 2004-08-30
Last Modified: 2011-09-20
Hello,

I am running two file servers on the same network.  Both have Windows 2000 server with sp4.  Both have no network connections but you can still connect to their shares.  One server is a small print server but you cannot see the printers anymore and printing does not work.  You cannot drag and drop on either server.  It has been two days and on the one server that is not the print server the RPC service is totally missing from the services.  Both have the cl&ose button on the add/remove programs window with the icons only on the left side of the window.  Here is what I have tried so far.

sfc /purgecache
sfc /scannow

There was an article from Microsoft about unregistering files appwiz.cpl and mshtml.dll and re-register them after you extract the correct version.

I have installed sp4 again.

I have tried to re-install IE 6.0 sp1

There have been some patches that I have tried to apply.

I have Symantec Antivirus that I have run a scan in safe mode as well but it can't find anything.

I have tried Ad-Aware, Spybot Search & Destroy, HijackThis.

I have run the blaster removal tool from symantec, welchia removal tool, sasser removal tool.  Nothing finds anything.

I may be missing something else but that is all I can remember.  Any ideas would be helpful.

One other thing is that I tried to start and logon with a different user and password.

I have also tried to start in safe mode but the problem still exists.

I want to try to disconnect them from the network to see if that helps by isolating them.

I am out of ideas, any suggestions would be great!

Question by:ccgll01

Expert Comment

by:rdnoble
ID: 11943998
This sounds a lot like the Nachi virus especially because it hit 2 machines at the same time and drag & drop isn't working, but it sounds like you've run scans and removal tools.

- Have you had any occurrences of a virus reported on this machine recently?

It's interesting that the RPC service won't start on one machine and is missing from the other.  I would have expected a virus common to both machines to generate similar problems.  

- Did your isolation test reveal anything?

- Are there any interesting entries in the event log?

- What do you mean by "Both have no network connections but you can still connect to their shares"?



Author Comment

by:ccgll01
ID: 11944960
It could be virus related, we have had users connected to the network with the Welchia virus that have since been cleaned but may have done some damage.

I was able to put back the RPC service on the one machine by editing the registry so now both servers have the RPC service in the registry but it just won't start.

The isolation test didn't really change anything.  I still had the same problems on both servers even with the network cables unplugged from the network.

There are two entries in the event log that look like they may contain something useful but I will have to get back to you on those.

What I mean by there are no network connections but I can still connect to the shares is that when I open the network and dialup connections box from the control panel to look at my network connection it is totally blank.  No icons appear that usually show my ethernet connections to the network.  But when a user logs onto the network they can connect to the server and the share that they want.  I can even do an ipconfig on the server and see my network connections and their settings are still there, I just can't change them.

Do you know where in the registry I may find the rpc settings to see if they are valid?

Have you heard of all these problems being related, meaning the spooler service not starting for the printers, the rpc service not starting, add/remove programs, no network connection icons?

Expert Comment

by:rdnoble
ID: 11945432
There are several window boxes that require RPC services to work correctly, I believe the network connections listing is one of them along with many of the other Control Panel controls.  Based on your description I'd say that's what you're seeing, or not seeing as the case might be.

I know of someone who had the Nachi virus and after running the clean-up fix from Microsoft still couldn't get RPC to start.  He went to another server and compared RPC related entries in the registry and found a couple that were different, so he changed them via REGEDT32.  After that he was able to start the RPC service.  But man did he pull his hair out trying to fix that one.

I don't know what key/value entries he modified but I can get them for you if you need it.
Good luck!


Author Comment

by:ccgll01
ID: 11951733
I did a search on the registry and can't find many entries for the RPC service.  You may be on to something.  Can you get the keys for me?  Maybe something is changed in my registry or missing perhaps?

I was also thinking about running other spyware type removers?  When I run Ad-Aware I always seem to get items that it finds that are bad.  Can you suggest any others that may help or do you think this isn't the right path to go down?

I still think there is some patch or it's a virus that has changed something on the servers.  I am thinking of calling Microsoft tech support if I can't get this soon.

Thanks for any help you can give.

Accepted Solution

by:
rdnoble earned 500 total points
ID: 11954934
I like Search & Destroy as an anti-spyware utility but I think the Welchia virus you mentioned did something to the registry.  Here is the entry my friend found missing:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\rpcss REG_MULTI_SZ RpcSs

After entering it he was able to get RPC to start.  I'm not sure if he rebooted first or not.

No comment on asking Microsoft for help.
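
An added example, not part of the original thread: a service hosted by svchost names its group in its ImagePath (`svchost -k <group>`), and svchost reads that group's service list from the SvcHost key quoted above, so a deleted group value leaves the service unable to start. The Python below checks a regedit export for that mismatch; the export text, the service entries in it and the function names are constructed for illustration.

```python
import re

SVCHOST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
RPCSS_VALUE = '"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00'  # "RpcSs"
# Constructed regedit export (not from the servers in this thread): no "rpcss" value.
BROKEN = "\n".join([
    "Windows Registry Editor Version 5.00",
    "[" + SVCHOST + "]",
    '"netsvcs"=hex(7):49,00,61,00,73,00,00,00,00,00',  # "Ias"
    "[" + SERVICES + "RpcSs]",
    r'"ImagePath"="%SystemRoot%\\system32\\svchost -k rpcss"',
    "[" + SERVICES + "Ias]",
    r'"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"',
])
REPAIRED = BROKEN.replace("[" + SVCHOST + "]", "[" + SVCHOST + "]\n" + RPCSS_VALUE)

def parse_reg(text):
    """Parse regedit 5.00 export text into {key: {lowercased value name: raw data}}."""
    keys, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # join continued hex lines
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            current[name.lower()] = data
    return keys

def multi_sz(raw):
    """Decode a hex(7) (REG_MULTI_SZ, UTF-16LE) export value into a list of strings."""
    hexpart = raw[7:] if raw.lower().startswith("hex(7):") else ""
    data = bytes(int(b, 16) for b in hexpart.split(",") if b.strip())
    return [s for s in data.decode("utf-16-le").split("\x00") if s]

def orphaned_svchost_services(reg_text):
    """List (service, group, problem) where 'svchost -k group' has no matching SvcHost entry."""
    keys, findings = parse_reg(reg_text), []
    svchost = next((v for k, v in keys.items() if k.lower() == SVCHOST.lower()), {})
    groups = {g: [s.lower() for s in multi_sz(raw)] for g, raw in svchost.items()}
    for key, values in keys.items():
        m = re.search(r"svchost(?:\.exe)?\s+-k\s+(\w+)", values.get("imagepath", ""), re.I)
        if not key.lower().startswith(SERVICES.lower()) or not m:
            continue
        service, group = key[len(SERVICES):], m.group(1).lower()
        if group not in groups:
            findings.append((service, group, "group value missing"))
        elif service.lower() not in groups[group]:
            findings.append((service, group, "service not listed in group"))
    return findings
```

Calling `orphaned_svchost_services` on an export of the two keys from a known-good server and from the affected one shows which group values differ, which is the comparison described earlier in the thread.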

Author Comment

by:ccgll01
ID: 11960015
The registry entry that you gave me was right on.  I didn't even have to reboot and everything worked.  Although I have rebooted for the updating process from Microsoft and things still work.

The RPC service started, print spooler started, add/remove doesn't have the cl&ose button.

I am running the windows update and scanning for viruses now.

I am glad that you came up with this so that I don't have to call Microsoft.  You never know if you will get a good tech and plus there's always a fee.

I will award you full points for this.  I don't understand why no one else responded to my question.  I thought this was a good site to get answers from a whole host of online viewers.  At least you were there.  Thanks again!

Expert Comment

by:rdnoble
ID: 11962529
I'm really glad this worked out and thanks for the points.  Hope you still have some hair left.

Now don't be raggin on the Experts that hang out on this site cause I know I've gotten good suggestions from them in the past.  But do your part too, and supply answers when you see problems you've encountered in the past.  Those experts need the competition.