Solved

WinXP: RPC won't launch after virus removal

Posted on 2008-10-16
Last Modified: 2013-12-09
Recently removed a very pesky set of viruses from a Windows XP computer.  After the final pre-boot scan and cleaning by Avast (Trend Micro would find it but not clear it), the system has a few problems.  Most of them relate to RPC.  It won't start...so anything and everything that depends on RPC won't start.  If I attempt to start it manually at a command prompt it tells me that it can't find the file SCARDSVR.DLL.  Oddly enough, I don't find that file on any working systems either.  I suspect that it was an infected file that got nuked by the scans.

I'm banging my head against the wall guys.  Short of reO/S, how can I salvage this machine?
0
Question by:ITnavigators
10 Comments
 
LVL 16

Expert Comment

by:JoWickerman
ID: 22739432
Hi ITnavigators,

Did you try to run an XP repair on the system?
0
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 500 total points
ID: 22740582
You may have a class ID permissions issue. This may resolve your problem, but if not will not harm the system. Run REGEDIT and expand the HKEY_ROOT hive. Right-click on CLSID and select Permissions. Add the following permissions for the key and all subkeys by clicking on Add-Advanced-Find Now. After adding, make sure the permissions are set as shown below.

Authorized User : Read Only  (NOTE: Instead of Authorized User you may see Authenticated User)
Network Services: Full Control.

Also, on the properties for RPC Service, you may have to check the "Interact with Desktop" box

It sounds like a user rights/permissions issue which crops up in XP SP2 after some security updates or occasionally after removal of certain software (like Norton Antivirus).

Good Luck
0
 
LVL 1

Author Comment

by:ITnavigators
ID: 22743821
BTW... Problem number two is that I can't open the property dialog boxes in the Event Viewer OR services.msc.  I can to make the changes manually in the registry.  I can, however, open the dialog boxes in regedit.  I'll check the permissions.

Tried to reinstall SP2.  No joy because Cryptographic isn't available.  Haven't tried an XP Repair yet.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 22744461
try the procedure I outlined...
0
 
LVL 1

Author Comment

by:ITnavigators
ID: 22745361
I did the procedure you outlined.  No change in behavior.

Couldn't set the Interact with Desktop as that is only available for LocalSystem.  The user is currently NT Authority\NetworkService.  That matches all of my other WinXP boxes.  I switched it anyway (through the registry since I can't open any dialog box).  Rebooted.  No change.  Switched it back.  Rebooted.  No change.

RPC is a real booger.  EVERYTHING seems to rely on it.
0
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 500 total points
ID: 22746413
You're right... it's a killer to figure out. It happened to my son's PC after a virus. I searched online for almost 2 weeks. Everything I found referred to a fix for a Windows 2003 server. It was the fix I outlined for you. In my case, it finally worked. You could try also adding an "Everyone" to the permissions the same way. One more thing. I remember there being a setting in there for parent-child setting. You need to check it to take effect. It allows the permissions to become active for all keys that report to it. Something like "inherit all permissions from parent objects". Set that, making sure you click apply, then reboot.

Do you notice a delay when the desktop loads? Or opening apps? That is from the RPC setting when it fails to start.
0
 
LVL 1

Author Comment

by:ITnavigators
ID: 22746456
Yes on the delays.  Haven't noticed on the apps.  Too many of them just can't start anyway.

What I don't get is why it wants to launch SCARDSVR.DLL.  Microsoft hasn't used the dll version of that for quite a while.  It is now SCARDSVR.EXE.  I've looked all over and can't find a copy of the dll file.  All my systems are too current.

I know there was a bad virus a while back that created look-alike files SCARDSVR32.EXE and SCARDSVR32.DLL.  But this is actually calling the file by its old name?  Why?  It's not listed anywhere in the registry.  I wonder if it worked its way into LSASS?
0
 
LVL 1

Accepted Solution

by:ITnavigators
ITnavigators earned 0 total points
ID: 22746498
Did a bit search.  The call is embedded in the version of SVCHOST.EXE that is on the machine.  I don't believe that is the original version of SVCHOST!  

I don't have the WinXP SP2 version handy, so I loaded the SP3 version.  SFC had a fit, but RPC launched immediately.  I rebooted and the system came up.  Now that I have it running I will install SP3 so that the version will be correct.  :)
0
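The check described in the accepted solution (searching SVCHOST.EXE for the SCARDSVR.DLL string and comparing the file against a clean copy), as an added example that is not part of the original thread. The function names are hypothetical and the sample byte strings are constructed stand-ins, not real svchost.exe contents.

```python
import hashlib
import sys


def find_embedded_string(data: bytes, needle: str) -> list:
    """Return sorted (offset, encoding) pairs for case-insensitive hits.

    Windows binaries store strings as ASCII or UTF-16LE, so search both.
    """
    hits = []
    haystack = data.lower()  # bytes.lower() folds ASCII letters only
    for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
        pattern = needle.lower().encode(codec)
        pos = haystack.find(pattern)
        while pos != -1:
            hits.append((pos, label))
            pos = haystack.find(pattern, pos + 1)
    return sorted(hits)


def triage(suspect: bytes, known_good: bytes, needles: list) -> dict:
    """Compare a suspect system binary against a known-good copy."""
    digest = lambda b: hashlib.sha256(b).hexdigest()
    report = {"hash_match": digest(suspect) == digest(known_good),
              "unexpected": {}}
    for needle in needles:
        hits = find_embedded_string(suspect, needle)
        # A string present in the suspect but absent from the clean copy
        # is the kind of anomaly the thread's author found.
        if hits and not find_embedded_string(known_good, needle):
            report["unexpected"][needle] = hits
    return report


# Constructed sample data: a "clean" blob and one with extra references.
KNOWN_GOOD = (b"MZ\x90\x00" + b"\x00" * 16
              + "rpcss.dll".encode("utf-16-le") + b"\x00\x00")
SUSPECT = (KNOWN_GOOD + b"SCardSvr.DLL\x00"
           + "scardsvr.dll".encode("utf-16-le"))

if __name__ == "__main__":
    # Usage: script.py <suspect file> <known-good file> <string> [...]
    with open(sys.argv[1], "rb") as s, open(sys.argv[2], "rb") as g:
        print(triage(s.read(), g.read(), sys.argv[3:]))
```

Run it from a clean machine or boot environment against the offline disk, taking the known-good copy from installation media that matches the installed service pack.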
 
LVL 1

Author Comment

by:ITnavigators
ID: 22746568
SP3 installed perfectly.  System is back to normal (sans virus).  

Flubbster, you were incredibly helpful (even though it didn't end up being the permissions issue).  When we started chatting about what a pain this RPC is, I more fully documented the behavior.  That got me thinking about the files that were involved and from there the idea to do a bit level search for the string.  I wouldn't have gotten there without you -- at least not tonight.

Many thanks.  I am awarding the points.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 22748646
Thank you. I am glad that I was able to help in some small way. RPC can be a true killer to diagnose, and I am glad that things worked out for you. I am going to add this to my knowledgebase as a reference also so that I can refer back to it easily in case what you did can help someone else.

Take care....
0
