
A virus?


Postby chirantan_f » Fri Dec 26, 2003 5:56 am

I have a problem in WinXP.
Randomly it displays a warning message "RPC (Remote Procedure Call) has terminated unexpectedly, your system needs to shut down, please save your work" and the system shuts down after 60 seconds. It happens many times, and you can't stop that shutdown; it's very annoying.

Does anyone know about this?

One more thing: just now Norton AntiVirus displayed a warning showing it had found a virus. Actually it was a trojan, but even then I rebooted my system in safe mode, disconnected the net and then ran a full system scan. It found 3 trojans.
One infected file was "rdvute.exe" and it was infected with a trojan named "Downloader.MSCache". NAV quarantined "rdvute.exe". There were 2 more files but I don't remember their names.
Now I restarted the system in normal mode, but to my surprise I couldn't connect to any site. IE kept giving me the error "server not found", but my LAN connection was working and even "Overnet" was working and downloading at normal speed (though even Overnet's homepage didn't open; even it said "server not found"). So I found out that although the net was ON I couldn't surf. I guessed that this must have happened due to the quarantined files, so I went to the quarantined files and restored "rdvute.exe" again, and ..... :hmmm: IE worked again, I could surf again.

But I don't want to keep an infected file in my Windows folder (by the way, that "rdvute.exe" was in my system folder).

Now I have submitted that file to Norton support. I am hoping to get their reply within 2 days, but till then I am posting here.

Can you help me out?

Thanks in advance!
:yesnod:

[Chirantan]
Come on Ferrari you can do it!
PRO Level 5
Posts: 183
Joined: Fri Dec 05, 2003 8:06 am
Location: Mumbai, INDIA

Postby customcomp135 » Fri Dec 26, 2003 7:19 am

Sounds like MS Blast or one of the variants. Look for msblast.exe and stop that process: hit Ctrl+Alt+Del, then go to the process tab, highlight msblast.exe, then stop. Find the removal tool on the Symantec site and use it to remove the worm. Then go to Windows Update and fully update to avoid these hideous worms. :-x
customcomp135

Postby SCgone » Fri Dec 26, 2003 12:31 pm

I'm moving this to the virus forum.

The download MsCache is pretty easy to remove, but it's more than one file, usually several.
A randomly named .dll file, which is 36864 bytes in size. This component has been distributed as a .cab archive with a random file name. The archive contains the .dll and a .inf file, with matching random file names. When loaded, the .dll downloads the file, Randomiser.exe.
Randomiser.exe, which is 7680 bytes in size. This executable downloads mscache2.exe and mscache2.dll, and saves them in %Windir% with random names.
Mscache2.exe, which is 114688 bytes in size. This component attempts to download and execute content from a geocities.com Web site, which is not currently accessible.
Mscache2.dll, which is 122880 or 131072 bytes in size. This component is installed as a browser helper object that can download and install updates of itself.

To remove it...
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Disconnect from the Internet.
4. Unregister the browser helper object.
5. Restart the computer in Safe mode or VGA mode.
6. Run a full system scan and delete all the files detected as Downloader.MSCache.

To disable the browser helper object.
Unregistering the browser helper object
Before performing this step, you will need the full path and file name of the .dll, which is installed as a browser helper object. It may be found in the Windows directory with a name of the form <6-8 random lower-case characters>.dll, and should be 122880 or 131072 bytes in size. It has also reportedly been found in the Temporary Internet Files folder. If you are not sure of the file name, first run a full system scan (see step 6) and record the path and file names, but do not delete the infected files yet.

Perform the following steps for each .dll file, detected as Downloader.MSCache:

Click Start, and then click Run. (The Run dialog box appears.)

Type:

regsvr32 /u "<path to dll>"

For example:

regsvr32 /u "c:\windows\zyxwabcd.dll"

Click OK.

At this point, an Internet Explorer window may appear. Close the window.

--------------------------------------------------------------------------------
Note: If you see an error message after attempting to unregister the dll, disregard it and proceed to step 5.
PRO PLATINUM
Posts: 6879
Joined: Thu Mar 14, 2002 11:59 pm
Location: South Carolina, USA
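
As an added example (not part of the original posts): a small Python script that applies the two criteria given in the reply above for the browser helper object DLL, comparing exact byte sizes so that Explorer's kilobyte display does not matter. The function name and the default directory are assumptions made for the illustration; a match is only a candidate and should still be confirmed against the antivirus scan results.

```python
import os
import re
import sys

# Criteria quoted in the post above for the browser helper object DLL.
# 122880 bytes = 120 KB and 131072 bytes = 128 KB (1 KB = 1024 bytes).
BHO_SIZES = {122880, 131072}
# "<6-8 random lower-case characters>.dll"
BHO_NAME = re.compile(r"[a-z]{6,8}\.dll")


def find_bho_candidates(root, recursive=False):
    """Return sorted full paths under root that match BOTH name and size.

    recursive=False looks only at root itself (e.g. the Windows directory);
    recursive=True also descends into subfolders such as Temporary
    Internet Files, where the post says the file has also been found.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not recursive:
            dirnames[:] = []  # do not descend below the top-level directory
        for name in filenames:
            if not BHO_NAME.fullmatch(name):
                continue  # digits, upper case or wrong length: not a match
            path = os.path.join(dirpath, name)
            try:
                size = os.stat(path).st_size
            except OSError:
                continue  # file vanished or is not readable; skip it
            if size in BHO_SIZES:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Hypothetical default: the directory named by %WINDIR%.
    default_root = os.environ.get("WINDIR", r"C:\Windows")
    root = sys.argv[1] if len(sys.argv) > 1 else default_root
    for candidate in find_bho_candidates(root):
        print(candidate, os.stat(candidate).st_size, "bytes")
```
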

Postby chirantan_f » Fri Dec 26, 2003 5:29 pm

Thanks bell
But when I searched for all *.dll files in my Windows folder, there were about 4000 dll files, and many of them have a somewhat similar size (between 122 and 132 KB). Moreover, you told me that size in bytes, but on my computer I see it in kilobytes, so it makes it even harder to determine which file I want to pinpoint.
Can you please help me more?

Thanks

[Chirantan]
Come on Ferrari you can do it!
PRO Level 5
Posts: 183
Joined: Fri Dec 05, 2003 8:06 am
Location: Mumbai, INDIA

Postby SCgone » Fri Dec 26, 2003 5:37 pm

chirantan_f wrote:
Thanks bell
But when I searched for all *.dll files in my Windows folder, there were about 4000 dll files, and many of them have a somewhat similar size (between 122 and 132 KB). Moreover, you told me that size in bytes, but on my computer I see it in kilobytes, so it makes it even harder to determine which file I want to pinpoint.
Can you please help me more?

Thanks

[Chirantan]


Do another full system scan with your antivirus and see if it returns any "dll" files around that size; those will probably be the files you want. They'll have odd names also. Then just write down the full path and names of them and unregister them as above.
PRO PLATINUM
Posts: 6879
Joined: Thu Mar 14, 2002 11:59 pm
Location: South Carolina, USA

Postby chirantan_f » Sat Dec 27, 2003 3:35 am

Thanks bell
I found orwwbr.dll. It was already quarantined!

[Chirantan]
Come on Ferrari you can do it!
PRO Level 5
Posts: 183
Joined: Fri Dec 05, 2003 8:06 am
Location: Mumbai, INDIA
