Problem with RCPSS running CPU at 70+%

By baz_shaw
Desktop PC, Windows 2000 Pro, Recently installed SP4.
Problem appears to be svchost.exe/rcpss (as shown by running tlist) running constantly at 70-90%, unable to stop the process in Task Manager etc. Excessive demands on CPU (Pent. II 450) make normal diagnostics extremely difficult and slow.

Other symptoms:
netstat -a shows 30-40 open listening ports, with epmap opening more at a rate of about 1/sec.

In some applications, such as mmc modules, regedt32 and so on, Properties windows do not appear when a line item is double-clicked, yet when trying to close that application, I receive an error message saying Properties windows need to be closed first.

Regedt32 only stays open for about 15 seconds, then closes itself. Not being able to hack the registry is a big obstacle obviously!

I ran a bunch of antivirus tools (Norton, TrendMicro, Stinger) as well as Ad-Aware; all came up clean.

Searching the web I came across several chat rooms where people were describing identical problems, all within the past month, but no one has any answers. Suggestions ranged from Blaster variants to some evil Spyware from Microsoft....

I have another machine hooked to it and can net use and map drives to it, and in fact used this to run virus scans by proxy. I can also remotely manage .msc apps, but frankly don't know what to try next.

So I'm game to try anything before I give up and re-image the thing!

thanks

Barry Shaw

by baz_shaw In reply to Problem with RCPSS runnin ...

EXCUSE MY DYSLEXIA!!
I mean RPCSs of course, not RCPSs !!

by Joseph Moore In reply to Problem with RCPSS runnin ...

Couple of questions for you:
1. Do you have a firewall on this machine? I am willing to bet that you don't. It doesn't sound like it.
2. Did you put the MS patch on as described at this page:
http://www.microsoft.com/security/incident/blast.asp

What's going on is you are NOT protected from the DCOM/RPC vulnerability the Blaster worm (and its variants) exploit. It is possible to be exploited by a Blaster worm, but NOT be infected. The RPC service will crash, which gives you strange Windows functionality (like windows not working, things closing without warning, etc).
The Blaster worm (and its variants) triggers the DCOM/RPC bug on your system. Sometimes Blaster can then open the remote port and pull itself over and activate itself. Sometimes, all that fails, but the initial buffer overflow in DCOM/RPC is successful.
So, it CAN be possible to be affected by Blaster but not INFECTED by Blaster.
A lot of people have gotten confused by this. Antivirus scans come up clean, but things still are acting weird.
You need to patch, as per the link I posted.
You also need a firewall, but the patch is a minimum.
All of the "epmap" port connections you see are people who ARE infected successfully with Blaster scanning you to try and infect you. Blaster (and its variants) is still REALLY popular out there on the Internet. It is still out there, scanning.

hope this helps
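
The following Python example is added here and is not part of the original thread or of Joseph Moore's post. It parses saved `netstat -an` (or `netstat -a`) output and separates connections arriving at the local endpoint mapper port (135, shown as epmap) from connections this machine itself makes to port 135 on other hosts; the sample output, addresses and function name are constructed for illustration.

```python
from collections import Counter

EPMAP = {"135", "epmap"}  # netstat -an prints the number, netstat -a the service name

# Constructed sample of Windows netstat output (documentation-range addresses).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:135         203.0.113.7:4312       ESTABLISHED
  TCP    192.0.2.10:135         203.0.113.7:4313       TIME_WAIT
  TCP    192.0.2.10:135         198.51.100.23:1877     ESTABLISHED
  TCP    192.0.2.10:1045        198.51.100.9:135       SYN_SENT
  TCP    192.0.2.10:1046        198.51.100.10:epmap    SYN_SENT
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
"""

def classify_epmap(netstat_text):
    """Count TCP endpoint-mapper connections per peer, split by direction."""
    inbound, outbound = Counter(), Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # header, blank lines, UDP rows (no state column)
        local, foreign, state = fields[1], fields[2], fields[3]
        if state == "LISTENING":
            continue  # a listener is not a connection from or to anyone
        local_port = local.rsplit(":", 1)[-1].lower()
        peer_host, _, peer_port = foreign.rpartition(":")
        if local_port in EPMAP:
            inbound[peer_host] += 1    # remote host connected to our port 135
        elif peer_port.lower() in EPMAP:
            outbound[peer_host] += 1   # this machine connected to someone's port 135
    return inbound, outbound

if __name__ == "__main__":
    inbound, outbound = classify_epmap(SAMPLE)
    print("Inbound to local epmap (remote hosts probing this machine):")
    for host, count in inbound.most_common():
        print(f"  {host}: {count}")
    # Assumption used here as a triage heuristic: outbound port-135 connections
    # to many distinct peers mean this machine itself deserves a closer look.
    print(f"Outbound to remote epmap: {len(outbound)} distinct peers")
    for host, count in outbound.most_common():
        print(f"  {host}: {count}")
```
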

by baz_shaw In reply to

Thank you Joseph for your help. As it turns out, I had the W32.HLLW.Gaobot.AO (or W32/Agobot as Sophos refers to it) virus, but the mode of entry was not as one would expect. The infected PC was firewall protected, but last week I networked it to a laptop running XP, which I virus scan & firewall. But I had to invoke System Restore on it after a failed app install, and I think the virus was hiding in the _restore/ folder. It jumped across the LAN connection to my PC and infected it. Easy enough to remove once I knew what it was! Microsoft KB 827363 helps a lot. Anyway I think you deserve the points since you were on the right track and it spurred me to look deeper. thanks again, Barry.

by Curacao_Dejavu In reply to Problem with RCPSS runnin ...

After installing SP4, you need to update your system with the post security patches in order not to get infected by Welchia-type viruses that can infect the RPC vulnerabilities.
Go to www.windowsupdate.com to get the latest patches.

Leopold

by baz_shaw In reply to

Thanks Leopold, but I had already solved it with Joseph's advice.

by baz_shaw In reply to Problem with RCPSS runnin ...

This question was closed by the author
