RPC Doom Virus??

  1. #1
    Senior Member
    Join Date
    Jul 2002
    Posts
    117

    RPC Doom Virus??

    I was chatting with my girlfriend earlier tonight when she told me of a strange occurrence with her computer at school. Not quite sure what to make of it myself, so I thought I'd run it by my fellow AO folks.

    Apparently earlier today, she was using her computer, and on either Google or Yahoo at the time. For a moment, she turned around to talk to one of her roommates and when she turned back around, her screen had turned blue (though not the typical Blue Screen of Death) with a message that said 'You have the RPC Doom Virus'. Also on this screen apparently were Yes/No buttons and some question relating to those...don't remember exactly what. Instead, she just clicked the X to close the window. I Googled around to try and find some info about this message, but I didn't find anything decent. I'm pretty sure she doesn't have an antivirus program installed, nor a firewall (and yes, I've harped on her plenty about that). So what could be the cause of this? Could it be that she's infected by one of the many MyDooms out there or could it be just a normal pop-up? Is there even such a thing as an 'RPC Doom Virus'? She is on ResNet at school, so that's why I worry.

    Briefly, also today somehow her IE start page managed to get changed from being set on mail.yahoo.com to this exact page: www.syspage.com/ads/homepagesai.php?id=start1. Attached is a JPEG of the exact page that she saw (with some identifying info edited out). Now, I'm not so concerned with the actual page itself, as browsers have a bad habit of giving away tons of info and it's an ad screen. I'm just curious as to how it could have been automatically changed without her doing anything. Any thoughts on that?

    Her machine: P2 300, 64 MB ram (I think), Win98 (possibly SE), not sure which version of IE.

    Thanks in advance, as any help or light shedding would be appreciated. And I apologize for the potential vagueness, as I'm unable to actually take a look at her machine myself (damn these long distance relationships!!)

    alpha

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    Just one of these popups trying to force you to click on it.
    Some kind of adware/spyware, I guess.
    There are a lot of threads about Ad-Aware and all the other tools you need.

    [added]
    The link is ...lol

    It says to me:
    xxxxxxxxxxxxx- Your IP Address has been Traced
    Windows 2000 is Your Operating System
    You are in Washington, United States

    I'm in Germany....
    Industry Kills Music.

  3. #3
    Banned
    Join Date
    Jun 2002
    Posts
    289
    I don't really know about the first part, the RPC thing.
    But if her start page keeps changing back to "www.syspage.com/.." have her download and run HijackThis. Just make sure she doesn't delete everything she sees in the log. Have her email the log to you and you post it here or over at SpywareInfo's forum.
    http://mjc1.com/mirror/hjt/

  4. #4
    Senior Member
    Join Date
    Nov 2003
    Posts
    285
    "she doesn't have an antivirus program installed"
    w00t .. doesn't have an antivirus?? Why don't you tell her to try AVG, it's free .. . And for the home page changing: CoolWebSearch trojan. I always trust CWShredder, it has never let me down when others have failed. The blue window seems to be a popup window, try pressing ALT+F4. You should definitely consider installing an adware/spyware removal tool. I would recommend Ad-Aware.

    [edit]

    Yep jenjen, that's what I meant. For home page hijacks I think CWShredder works fine. I also recommend Ad-Aware, that's what I use. I use them both and in combination they work fine for me. CWShredder takes care of the home page hijacks/CoolWebSearch trojans and Ad-Aware gets the adware and spyware.

    And thanks for spotting the mistake, I corrected the link.

  5. #5
    Banned
    Join Date
    Jun 2002
    Posts
    289
    w0lverine.. CWShredder only works for CoolWebSearch hijacks. It's not a "catch all" remover by any means. btw, your link to CWShredder points to an edit of some post here at AO.

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    RPC/DCOM affects NT-based machines and not 9x.

    Scan with HijackThis and put a check next to each of these, then close all browser windows and click "fix checked":

    O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - (no file)
    O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)
    O4 - HKLM\..\Run: [OVCJAHOV] C:\WINDOWS\OVCJAHOV.exe
    O4 - HKLM\..\Run: [BIP] C:\WINDOWS\BIP.exe

    Then reboot into safe mode and delete both:
    C:\WINDOWS\BIP.exe
    C:\WINDOWS\OVCJAHOV.exe

    from:

    http://www.tech-forums.net/computer/topic/10969.html

    syspage virus
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
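    The HijackThis lines above are being triaged by hand in this thread. As an added illustration (not a tool anyone in the thread used, and not part of the original post), here is a small Python script that parses O2 (BHO), O3 (toolbar) and O4 (Run key) entries, separates orphaned "(no file)" entries and unrecognised Run entries from a known-good list, and emits only the lines to tick, which is the "don't delete everything you see in the log" advice from post #3 in code form. The sample log embeds the four lines from this post plus two constructed benign entries, and the known-good list is constructed for the demo; the "dropped straight into C:\WINDOWS" heuristic is an assumption drawn from the entries fixed here, not a general rule.

```python
"""Triage helper for HijackThis-style log lines (added example, not the thread's own tool)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: the four lines quoted in post #6 plus two made-up benign
# entries standing in for the normal noise a real log contains.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - (no file)",
    r"O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\PROGRAM FILES\EXAMPLE\HELPER.DLL",
    r"O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)",
    r"O4 - HKLM\..\Run: [OVCJAHOV] C:\WINDOWS\OVCJAHOV.exe",
    r"O4 - HKLM\..\Run: [BIP] C:\WINDOWS\BIP.exe",
    r"O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun",
])

# Constructed known-good list (file basenames). A real one would come from a
# reference of legitimate startup entries for the machine's Windows version.
KNOWN_GOOD: Set[str] = {"scanregw.exe", "helper.dll"}


@dataclass
class Entry:
    section: str           # "O2", "O3" or "O4"
    name: str              # BHO/toolbar display name, or the Run value name
    path: str              # file path / command line, or "(no file)"
    clsid: Optional[str]   # O2/O3 only
    raw: str               # original log line, so it can go on the "fix checked" list


# O2/O3 lines: "<section> - <kind>: <name> - {CLSID} - <path>"
_O2_O3 = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)
# O4 lines: "O4 - HKLM\..\Run: [<value name>] <command line>"
_O4 = re.compile(
    r"^(?P<section>O4) - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<path>.+)$"
)
# First executable/library path in a command line (quoted or not), stopping at its extension.
_EXE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|bat|pif|scr|dll))', re.IGNORECASE)

_WINDIR = "c:\\windows\\"


def parse_log(text: str) -> List[Entry]:
    """Parse the O2, O3 and O4 sections; other sections are ignored here."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _O2_O3.match(line) or _O4.match(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append(Entry(d["section"], d["name"], d["path"], d.get("clsid"), line))
    return entries


def executable_of(command: str) -> str:
    """Return the executable part of a Run command line, dropping any arguments."""
    m = _EXE.match(command)
    return m.group("exe") if m else command.split()[0]


def triage(entries: List[Entry], allowlist: Set[str]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) for every entry worth ticking; allowlisted files are skipped."""
    allow = {a.lower() for a in allowlist}
    findings = []
    for e in entries:
        if e.path.strip().lower() == "(no file)":
            findings.append((e, "orphaned entry: the registered component's file is missing"))
            continue
        exe = executable_of(e.path)
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in allow:
            continue
        reason = "not on the known-good list; review before fixing"
        # Heuristic (assumption drawn from this thread): a Run entry whose executable sits
        # directly in C:\WINDOWS under a name nobody recognises matches the entries fixed here.
        low = exe.lower()
        if e.section == "O4" and low.startswith(_WINDIR) and "\\" not in low[len(_WINDIR):]:
            reason = "Run entry pointing straight into C:\\WINDOWS; matches the pattern fixed in the thread"
        findings.append((e, reason))
    return findings


def fix_list(text: str, allowlist: Set[str]) -> List[str]:
    """The exact log lines to put a check next to before clicking 'fix checked'."""
    return [e.raw for e, _ in triage(parse_log(text), allowlist)]


if __name__ == "__main__":
    for entry, why in triage(parse_log(SAMPLE_LOG), KNOWN_GOOD):
        print(f"{entry.raw}\n    -> {why}")
```

    Run it against a real log by swapping SAMPLE_LOG for the file contents; anything the allowlist does not cover is printed with its reason rather than removed, so the decision stays with the person reading the log.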

  7. #7
    Senior Member
    Join Date
    Nov 2003
    Posts
    285
    I think the first step should be to install an antivirus and scan the computer with it. Or you could try an online scan to check and be sure you do have a virus, http://housecall.trendmicro.com/, rather than getting paranoid about it.

  8. #8
    Senior Member
    Join Date
    Jul 2002
    Posts
    117
    Thanks to all who responded...everyone has been a great help thus far.

    Now for an update...

    The trendmicro.com online virus scan revealed 3 trojans total, but one had infected twice somehow. Currently looking for a free trojan cleaner for her, but the best I can do so far is a 30 day free trial of "The Cleaner". Any suggestions or recommendations?

    Next, we ran Adaware 6.0, which found 106 pieces of spyware. Some of which couldn't be removed right away. Something about having to reboot and then run Adaware again... don't remember the specifics, so I apologize.

    Tried to download the free version of AVG, but as we were getting ready to, her Internet connection mysteriously died. She then couldn't connect to AIM or any web pages. Hmmm...

    I'll check back later on when I know more. Our thanks again to all those who have helped.

    alpha

  9. #9
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    665
    Moosoft's The Cleaner is the best trojan cleaner around, but it's not free: you have to live with it for 30 days or buy it. Antivirus software is also able to detect trojans to a certain extent if run in heuristics mode. Download the AVG and please do not forget to switch to heuristics mode or it certainly will not detect the trojans. Update its virus database regularly to prevent this kind of situation. 106 malware/spyware, OMG. Update the Ad-Aware reference file: I just scanned my computer with Ad-Aware this morning and found 5 tracking cookies (that's normal), then updated the reference file and when I scanned again found 9 pieces of malware. So update, update..... do not forget to update.

    good luck

  10. #10
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Speaking of RPC,

    I was just reading the FAQ of Port Monster and here's their pitch on an RPC vulnerability:

    http://www.portmonster.com/index.php?d=help-faq#nt4

    Can Port Monster help my NT 4 Workstation / Server and the RPC vulnerability that Microsoft won't patch?

    Recently, Microsoft released information about a vulnerability in many versions of the Windows Operating System, in the RPC Service. This includes Windows XP, 2000, and NT 4. They have released patches for Windows XP, and 2000, but claim that due to "Architectural Limitations" they cannot create a patch for Windows NT 4 (This would be Workstation and Server). The suggested solution is to upgrade, or to simply block all traffic to port 135, which is the port that RPC uses. Here is where Port Monster can work for you. Port Monster can run on your Windows NT 4 machine, and you can block all traffic that attempts to access port 135, in fact, this is already done by default! There are several local ports that are protected by default, and port 135 is one of them. Therefore, yes indeed Port Monster can help you with this situation.

    cheers
