Solved

WinXP: RPC won't launch after virus removal

Posted on 2008-10-16
Last Modified: 2013-12-09
Recently removed a very pesky set of viruses from a Windows XP computer. After the final pre-boot scan and cleaning by Avast (Trend Micro would find it but not clear it), the system has a few problems. Most of them relate to RPC. It won't start...so anything and everything that depends on RPC won't start. If I attempt to start it manually at a command prompt it tells me that it can't find the file SCARDSVR.DLL. Oddly enough, I don't find that file on any working systems either. I suspect that it was an infected file that got nuked by the scans.

I'm banging my head against the wall guys.  Short of reO/S, how can I salvage this machine?
Question by:ITnavigators
10 Comments
 
LVL 16

Expert Comment

by:JoWickerman
ID: 22739432
Hi ITnavigators,

Did you try to run an XP repair on the system?
0
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 500 total points
ID: 22740582
You may have a class ID permissions issue. This may resolve your problem, but if not will not harm the system. Run REGEDIT and expand the HKEY_ROOT hive. Right-click on CLSID and select Permissions. Add the following permissions for the key and all subkeys by clicking on Add-Advanced-Find Now. After adding, make sure the permissions are set as shown below.

Authorized User : Read Only  (NOTE: Instead of Authorized User you may see Authenticated User)
Network Services: Full Control.

Also, on the properties for RPC Service, you may have to check the "Interact with Desktop" box

It sounds like a user rights/permissions issue which crops up in XP SP2 after some security updates or occasionally after removal of certain software (like Norton Antivirus).

Good Luck
0
 
LVL 1

Author Comment

by:ITnavigators
ID: 22743821
BTW... Problem number two is that I can't open the property dialog boxes in the Event Viewer OR services.msc.  I can to make the changes manually in the registry.  I can, however, open the dialog boxes in regedit.  I'll check the permissions.

Tried to reinstall SP2. No joy because Cryptographic isn't available. Haven't tried an XP Repair yet.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 22744461
try the procedure I outlined...
0
 
LVL 1

Author Comment

by:ITnavigators
ID: 22745361
I did the procedure you outlined.  No change in behavior.

Couldn't set the Interact with Desktop as that is only available for LocalSystem. The user is currently NT Authority\NetworkService. That matches all of my other WinXP boxes. I switched it anyway (through the registry since I can't open any dialog box). Rebooted. No change. Switched it back. Rebooted. No change.

RPC is a real booger.  EVERYTHING seems to rely on it.
0
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 500 total points
ID: 22746413
You're right... it's a killer to figure out. It happened to my son's PC after a virus. I searched online for almost 2 weeks. Everything I found referred to a fix for a Windows 2003 server. It was the fix I outlined for you. In my case, it finally worked. You could try also adding an "Everyone" to the permissions the same way. One more thing. I remember there being a setting in there for parent-child setting. You need to check it to take effect. It allows the permissions to become active for all keys that report to it. Something like "inherit all permissions from parent objects". Set that, making sure you click apply, then reboot.

Do you notice a delay when the desktop loads? Or opening apps? That is from the RPC setting when it fails to start.
0
 
LVL 1

Author Comment

by:ITnavigators
ID: 22746456
Yes on the delays.  Haven't noticed on the apps.  Too many of them just can't start anyway.

What I don't get is why it wants to launch SCARDSVR.DLL.  Microsoft hasn't used the dll version of that for quite a while.  It is now SCARDSVR.EXE.  I've looked all over and can't find a copy of the dll file.  All my systems are too current.

I know there was a bad virus a while back that created look-alike files SCARDSVR32.EXE and SCARDSVR32.DLL. But this is actually calling the file by its old name? Why? It's not listed anywhere in the registry. I wonder if it worked its way into LSASS?
0
 
LVL 1

Accepted Solution

by:ITnavigators
ITnavigators earned 0 total points
ID: 22746498
Did a bit search.  The call is embedded in the version of SVCHOST.EXE that is on the machine.  I don't believe that is the original version of SVCHOST!  

I don't have the WinXP SP2 version handy, so I loaded the SP3 version.  SFC had a fit, but RPC launched immediately.  I rebooted and the system came up.  Now that I have it running I will install SP3 so that the version will be correct.  :)
0
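The string search described in the accepted solution above, as an added example that is not part of the original thread: a Python sketch that looks for a file name embedded in a binary as ASCII or UTF-16LE, case-insensitively, and reports the file's SHA-256 so it can be compared with a known-good copy. The sample buffer is constructed, and `find_embedded` and `report` are names chosen for this example.

```python
import hashlib
import re
import sys

def find_embedded(data: bytes, needle: str):
    """Return (offset, encoding, text) for each case-insensitive hit of
    `needle` stored in `data` as ASCII or as UTF-16LE."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        # re.IGNORECASE on a bytes pattern folds ASCII letters only, which is
        # enough for Windows file names embedded in an executable.
        pattern = re.compile(re.escape(needle.encode(enc)), re.IGNORECASE)
        for m in pattern.finditer(data):
            hits.append((m.start(), enc, m.group().decode(enc)))
    return sorted(hits)

def report(path: str, needle: str):
    """Hash a file and list where `needle` is embedded in it."""
    with open(path, "rb") as fh:
        data = fh.read()
    return hashlib.sha256(data).hexdigest(), find_embedded(data, needle)

# Constructed sample: not a real svchost.exe, just bytes that carry the
# name in both encodings so the search has something to find.
SAMPLE = (b"MZ" + b"\x00" * 30 + b"rpcss.dll\x00"
          + "ScardSvr.dll".encode("utf-16-le") + b"\x00\x00"
          + b"padding" + b"SCARDSVR.DLL\x00")

if __name__ == "__main__":
    needle = "scardsvr.dll"
    if len(sys.argv) > 1:            # e.g. a copy of the suspect svchost.exe
        digest, hits = report(sys.argv[1], needle)
        print("sha256:", digest)
    else:
        hits = find_embedded(SAMPLE, needle)
    for offset, enc, text in hits:
        print(f"0x{offset:08x}  {enc:9}  {text}")
```

Run it against a copy of the suspect file and against the same file from a clean machine at the same service pack level; a hit that appears only in the suspect copy, together with a differing hash, points at a replaced or patched binary.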
 
LVL 1

Author Comment

by:ITnavigators
ID: 22746568
SP3 installed perfectly.  System is back to normal (sans virus).  

Flubbster, you were incredibly helpful (even though it didn't end up being the permissions issue).  When we started chatting about what a pain this RPC is, I more fully documented the behavior.  That got me thinking about the files that were involved and from there the idea to do a bit level search for the string.  I wouldn't have gotten there without you -- at least not tonight.

Many thanks.  I am awarding the points.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 22748646
Thank you. I am glad that I was able to help in some small way. RPC can be a true killer to diagnose, and I am glad that things worked out for you. I am going to add this to my knowledgebase as a reference also so that I can refer back to it easily in case what you did can help someone else.

Take care....
0
