Solved

WinXP: RPC won't launch after virus removal

Posted on 2008-10-16
Last Modified: 2013-12-09
Recently removed a very pesky set of viruses from a Windows XP computer.  After the final pre-boot scan and cleaning by Avast (Trend Micro would find it but not clear it), the system has a few problems.  Most of them relate to RPC.  It won't start...so anything and everything that depends on RPC won't start.  If I attempt to start it manually at a command prompt it tells me that it can't find the file SCARDSVR.DLL.  Oddly enough, I don't find that file on any working systems either.  I suspect that it was an infected file that got nuked by the scans.

I'm banging my head against the wall guys.  Short of reO/S, how can I salvage this machine?
Question by:ITnavigators

Expert Comment

by:JoWickerman
ID: 22739432
Hi ITnavigators,

Did you try to run an XP repair on the system?

Assisted Solution

by:flubbster
flubbster earned 500 total points
ID: 22740582
You may have a class ID permissions issue. This may resolve your problem, but if not will not harm the system. Run REGEDIT and expand the HKEY_ROOT hive. Right-click on CLSID and select Permissions. Add the following permissions for the key and all subkeys by clicking on Add-Advanced-Find Now. After adding, make sure the permissions are set as shown below.

Authorized User : Read Only  (NOTE: Instead of Authorized User you may see Authenticated User)
Network Services: Full Control.

Also, on the properties for RPC Service, you may have to check the "Interact with Desktop" box

It sounds like a user rights/permissions issue which crops up in XP SP2 after some security updates or occasionally after removal of certain software (like Norton Antivirus).

Good Luck

Author Comment

by:ITnavigators
ID: 22743821
BTW... Problem number two is that I can't open the property dialog boxes in the Event Viewer OR services.msc.  I can to make the changes manually in the registry.  I can, however, open the dialog boxes in regedit.  I'll check the permissions.

Tried to reinstall SP2.  No joy because Cryptographic isn't available.  Haven't tried an XP Repair yet.

Expert Comment

by:flubbster
ID: 22744461
try the procedure I outlined...

Author Comment

by:ITnavigators
ID: 22745361
I did the procedure you outlined.  No change in behavior.

Couldn't set the Interact with Desktop as that is only available for LocalSystem.  The user is currently NT Authority\NetworkService.  That matches all of my other WinXP boxes.  I switched it anyway (through the registry since I can't open any dialog box).  Rebooted.  No change.  Switched it back.  Rebooted.  No change.

RPC is a real booger.  EVERYTHING seems to rely on it.

Assisted Solution

by:flubbster
flubbster earned 500 total points
ID: 22746413
You're right... it's a killer to figure out. It happened to my son's PC after a virus. I searched online for almost 2 weeks. Everything I found referred to a fix for a Windows 2003 server. It was the fix I outlined for you. In my case, it finally worked. You could try also adding an "Everyone" to the permissions the same way. One more thing. I remember there being a setting in there for parent-child setting. You need to check it to take effect. It allows the permissions to become active for all keys that report to it. Something like "inherent all permissions from parent objects". Set that, making sure you click apply, then reboot.

Do you notice a delay when the desktop loads? Or opening apps? That is from the RPC setting when it fails to start.

Author Comment

by:ITnavigators
ID: 22746456
Yes on the delays.  Haven't noticed on the apps.  Too many of them just can't start anyway.

What I don't get is why it wants to launch SCARDSVR.DLL.  Microsoft hasn't used the dll version of that for quite a while.  It is now SCARDSVR.EXE.  I've looked all over and can't find a copy of the dll file.  All my systems are too current.

I know there was a bad virus a while back that created look-alike files SCARDSVR32.EXE and SCARDSVR32.DLL.  But this is actually calling the file by its old name?  Why?  It's not listed anywhere in the registry.  I wonder if it worked its way into LSASS?

Accepted Solution

by:
ITnavigators earned 0 total points
ID: 22746498
Did a bit search.  The call is embedded in the version of SVCHOST.EXE that is on the machine.  I don't believe that is the original version of SVCHOST!  

I don't have the WinXP SP2 version handy, so I loaded the SP3 version.  SFC had a fit, but RPC launched immediately.  I rebooted and the system came up.  Now that I have it running I will install SP3 so that the version will be correct.  :)
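
The byte-level string search described in the accepted solution, as an added example that is not part of the original thread: it looks for a file name inside a copy of a system binary in both ASCII and UTF-16LE and compares the result with a known-good copy. The sample bytes are constructed, and the file paths given on the command line are assumptions.

```python
import hashlib
import sys


def find_embedded_name(data, name):
    """Return sorted (offset, encoding) hits for a file name inside raw bytes.

    Windows executables store strings as ASCII or UTF-16LE, so both are
    searched; bytes.lower() folds only ASCII letters, which keeps offsets valid.
    """
    haystack = data.lower()
    hits = []
    for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
        needle = name.lower().encode(codec)
        pos = haystack.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = haystack.find(needle, pos + 1)
    return sorted(hits)


def triage(suspect, reference, name):
    """Compare a suspect binary with a known-good copy of the same build."""
    return {
        # A hash mismatch alone is expected across service packs or hotfixes.
        "identical": hashlib.sha256(suspect).digest() == hashlib.sha256(reference).digest(),
        "suspect_hits": find_embedded_name(suspect, name),
        "reference_hits": find_embedded_name(reference, name),
    }


# Constructed sample bytes (not real binaries): the "suspect" embeds the name twice.
CONSTRUCTED_SUSPECT = (b"MZ\x90\x00" + b"\x00" * 12 + b"SCARDSVR.DLL\x00" + b"\x00" * 3
                       + "ScardSvr.dll".encode("utf-16-le") + b"\x00\x00")
CONSTRUCTED_REFERENCE = b"MZ\x90\x00" + b"\x00" * 12 + b"rpcss.dll\x00"

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py <suspect file> <known-good file> <name>
        with open(sys.argv[1], "rb") as s, open(sys.argv[2], "rb") as r:
            suspect, reference, name = s.read(), r.read(), sys.argv[3]
    else:
        suspect, reference, name = CONSTRUCTED_SUSPECT, CONSTRUCTED_REFERENCE, "scardsvr.dll"
    result = triage(suspect, reference, name)
    print("identical to reference:", result["identical"])
    for offset, encoding in result["suspect_hits"]:
        print(f"suspect: {name!r} at 0x{offset:x} ({encoding})")
    print("hits in reference:", len(result["reference_hits"]))
```

A name that appears in the suspect copy but not in a known-good copy of the same build is the signal worth following up; run it against copies of the files from a clean machine rather than on the affected system.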

Author Comment

by:ITnavigators
ID: 22746568
SP3 installed perfectly.  System is back to normal (sans virus).  

Flubbster, you were incredibly helpful (even though it didn't end up being the permissions issue).  When we started chatting about what a pain this RPC is, I more fully documented the behavior.  That got me thinking about the files that were involved and from there the idea to do a bit level search for the string.  I wouldn't have gotten there without you -- at least not tonight.

Many thanks.  I am awarding the points.

Expert Comment

by:flubbster
ID: 22748646
Thank you. I am glad that I was able to help in some small way. RPC can be a true killer to diagnose, and I am glad that things worked out for you. I am going to add this to my knowledgebase as a reference also so that I can refer back to it easily in case what you did can help someone else.

Take care....

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Zepto Ransomware - Decrypt/Restore files 5 261
Checkpoint Endpoint Managment 3 84
Error login w2012 domain 6 97
Transfer configuration between Windows XP installations 4 71
The purpose of this Article is to provide information for a newly released variant of malware – with the assumption that many EE Members will have need of the information. According to “Computerworld”, well over one million web sites have been co…
By the time you finish reading this article, you may have already lost all your money because you don't know the simple steps to securing your BitCoin wallet. BitCoin is an incredible invention. It is a decentralized currency system, which is the…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question