Solved

WinXP: RPC won't launch after virus removal

Posted on 2008-10-16
Last Modified: 2013-12-09
Recently removed a very pesky set of viruses from a Windows XP computer. After the final pre-boot scan and cleaning by Avast (Trend Micro would find it but not clear it), the system has a few problems. Most of them relate to RPC. It won't start...so anything and everything that depends on RPC won't start. If I attempt to start it manually at a command prompt it tells me that it can't find the file SCARDSVR.DLL. Oddly enough, I don't find that file on any working systems either. I suspect that it was an infected file that got nuked by the scans.

I'm banging my head against the wall guys.  Short of reO/S, how can I salvage this machine?
0
Question by:ITnavigators
10 Comments
 
LVL 16

Expert Comment

by:JoWickerman
Hi ITnavigators,

Did you try to run an XP repair on the system?
0
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 500 total points
You may have a class ID permissions issue. This may resolve your problem, but if not will not harm the system. Run REGEDIT and expand the HKEY_ROOT hive. Right-click on CLSID and select Permissions. Add the following permissions for the key and all subkeys by clicking on Add-Advanced-Find Now. After adding, make sure the permissions are set as shown below.

Authorized User : Read Only  (NOTE: Instead of Authorized User you may see Authenticated User)
Network Services: Full Control.

Also, on the properties for RPC Service, you may have to check the "Interact with Desktop" box

It sounds like a user rights/permissions issue which crops up in XP SP2 after some security updates or occasionally after removal of certain software (like Norton Antivirus).

Good Luck
0
 
LVL 1

Author Comment

by:ITnavigators
BTW... Problem number two is that I can't open the property dialog boxes in the Event Viewer OR services.msc.  I can to make the changes manually in the registry.  I can, however, open the dialog boxes in regedit.  I'll check the permissions.

Tried to reinstall SP2. No joy because Cryptographic isn't available. Haven't tried an XP Repair yet.
0
 
LVL 30

Expert Comment

by:flubbster
try the procedure I outlined...
0
 
LVL 1

Author Comment

by:ITnavigators
I did the procedure you outlined.  No change in behavior.

Couldn't set the Interact with Desktop as that is only available for LocalSystem. The user is currently NT Authority\NetworkService. That matches all of my other WinXP boxes. I switched it anyway (through the registry since I can't open any dialog box). Rebooted. No change. Switched it back. Rebooted. No change.

RPC is a real booger.  EVERYTHING seems to rely on it.
0
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 500 total points
You're right... it's a killer to figure out. It happened to my son's PC after a virus. I searched online for almost 2 weeks. Everything I found referred to a fix for a Windows 2003 server. It was the fix I outlined for you. In my case, it finally worked. You could try also adding an "Everyone" to the permissions the same way. One more thing. I remember there being a setting in there for parent-child setting. You need to check it to take effect. It allows the permissions to become active for all keys that report to it. Something like "inherent all permissions from parent objects". Set that, making sure you click apply, then reboot.

Do you notice a delay when the desktop loads? Or opening apps? That is from the RPC setting when it fails to start.
0
 
LVL 1

Author Comment

by:ITnavigators
Yes on the delays.  Haven't noticed on the apps.  Too many of them just can't start anyway.

What I don't get is why it wants to launch SCARDSVR.DLL.  Microsoft hasn't used the dll version of that for quite a while.  It is now SCARDSVR.EXE.  I've looked all over and can't find a copy of the dll file.  All my systems are too current.

I know there was a bad virus a while back that created look-alike files SCARDSVR32.EXE and SCARDSVR32.DLL. But this is actually calling the file by its old name? Why? It's not listed anywhere in the registry. I wonder if it worked its way into LSASS?
0
 
LVL 1

Accepted Solution

by:
ITnavigators earned 0 total points
Did a bit search.  The call is embedded in the version of SVCHOST.EXE that is on the machine.  I don't believe that is the original version of SVCHOST!  

I don't have the WinXP SP2 version handy, so I loaded the SP3 version.  SFC had a fit, but RPC launched immediately.  I rebooted and the system came up.  Now that I have it running I will install SP3 so that the version will be correct.  :)
0
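One way to repeat the check described in the accepted solution, as an added example that is not part of the original thread: search a system binary for a string in both ASCII and UTF-16LE, and compare the file against a known-good copy. The function names and the sample byte strings are constructed for illustration; real file paths are passed on the command line.

```python
import hashlib
import sys
from pathlib import Path

def find_string(data: bytes, needle: str) -> list:
    """Case-insensitive hits for an ASCII needle stored as ASCII or UTF-16LE."""
    lowered = data.lower()  # bytes.lower() folds only ASCII letters; offsets are preserved
    hits = []
    for enc in ("ascii", "utf-16-le"):  # PE files hold strings in both forms
        pattern = needle.lower().encode(enc)
        pos = lowered.find(pattern)
        while pos != -1:
            hits.append((pos, enc))
            pos = lowered.find(pattern, pos + 1)
    return sorted(hits)

def compare(suspect: bytes, reference: bytes, needle: str) -> dict:
    """Compare a suspect binary with a known-good copy.

    The reference must come from the same OS build and service pack;
    otherwise the hashes differ for legitimate reasons.
    """
    return {
        "same_sha256": hashlib.sha256(suspect).digest() == hashlib.sha256(reference).digest(),
        "suspect_hits": find_string(suspect, needle),
        "reference_hits": find_string(reference, needle),
    }

# Constructed sample data (not real svchost.exe contents).
CLEAN = b"MZ" + b"\x00" * 16 + "netsvcs".encode("utf-16-le") + b"\x00" * 8
TAMPERED = (b"MZ" + b"\x00" * 16 + "netsvcs".encode("utf-16-le") + b"\x00" * 4
            + b"ScardSvr.dll\x00" + "SCARDSVR.DLL".encode("utf-16-le"))

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py <suspect> <known-good> <string>
        suspect, reference = (Path(p).read_bytes() for p in sys.argv[1:3])
        needle = sys.argv[3]
    else:  # no arguments: run on the constructed samples above
        suspect, reference, needle = TAMPERED, CLEAN, "SCARDSVR.DLL"
    result = compare(suspect, reference, needle)
    print("hashes match:", result["same_sha256"])
    for offset, enc in result["suspect_hits"]:
        print(f"suspect: {needle!r} at 0x{offset:x} ({enc})")
    print("hits in known-good copy:", len(result["reference_hits"]))
```

A string that appears in the suspect file but not in a same-build reference, together with a hash mismatch, is the signal that the binary has been replaced or patched.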
 
LVL 1

Author Comment

by:ITnavigators
SP3 installed perfectly.  System is back to normal (sans virus).  

Flubbster, you were incredibly helpful (even though it didn't end up being the permissions issue).  When we started chatting about what a pain this RPC is, I more fully documented the behavior.  That got me thinking about the files that were involved and from there the idea to do a bit level search for the string.  I wouldn't have gotten there without you -- at least not tonight.

Many thanks.  I am awarding the points.
0
 
LVL 30

Expert Comment

by:flubbster
Thank you. I am glad that I was able to help in some small way. RPC can be a true killer to diagnose, and I am glad that things worked out for you. I am going to add this to my knowledgebase as a reference also so that I can refer back to it easily in case what you did can help someone else.

Take care....
0
