Internet Explorer, Windows Explorer, and RPCSS.EXE

Discussion in 'Windows Networking' started by Stan Hilliard, Apr 30, 2004.

  1. Here is a troubling failure to load IE6 (and IE5.5 before it) that has
    happened many times. It usually happens on the first load of IE6 after
    making a dialup connection. After that it is ok.

    (PC has Win98SE, Dialup 56K, no network, all windows updates
    installed)

    Firewall status: Zonealarm internet lock was on.

    1 Dialed up 56K connection

    2 Started IE6. It froze, didn't finish its startup.

    3 Checked ZoneAlarm log. Windows Explorer tried to act as a server,
    but was stopped by the firewall. (This happens often on the first
    start of IE6 after dialup.)

    4 IE6 is shown on the start bar but is not on screen. Can't start any
    other program. [ctl][alt][del] Killed explorer (Windows Explorer) (not
    responding) with "end task". Another instance of explorer remained in
    the "close program" window.

    5 IE6 not responding -- end task

    6 Upon changing NoteTab from full screen to normal position, got this
    message: "RPCSS.exe has performed an illegal operation and will be
    shut down." (RPCSS.exe is called "Distributed COM Services" in the
    firewall log.)

    7 The windows start bar is missing. [alt][tab] brings it back and shows
    IE6, even though I had "end task" it previously.

    8 The dialup icon is missing from the bottom right, even though the
    connection is still active.

    This pattern, or a variation on it, happens repeatedly.

    QUESTION 1: What could be happening?

    QUESTION 2: Is it safe to permit the firewall to allow Windows
    Explorer and RPCSS to access the internet as servers?

    QUESTION 3: Another alternative would be to rename RPCSS.exe. Is that
    a good idea?

    PS: I use Adaware, Spybot S&D, Fprot.

    Sincerely, Stan Hilliard
     
    Stan Hilliard, Apr 30, 2004
    #1

  2. This might be related to the problem.

    I forgot to mention that once a small window popped up in the middle
    of my screen with "URL proxy" in the title bar. The rest of the window
    was blank. The "URL proxy" window closed when I closed IE6.

    What was going on with the "URL proxy" window?

    Stan Hilliard
     
    Stan Hilliard, Apr 30, 2004
    #2

  3. Stan Hilliard

    H Leboeuf Guest

    Start here.

    http://groups.google.ca/groups?hl=e...&ie=UTF-8&oe=UTF-8&newwindow=1&sa=G&scoring=d
    --

    If no joy search for "URL proxy" on google.com groups.

    Henri Leboeuf
    Web page: http://www.colba.net/~hlebo49/index.htm
    ===
     
    H Leboeuf, Apr 30, 2004
    #3
  4. Stan,

    First, *why* is ZoneAlarm blocking all internet access?

    For IE freezing issues check out the advice at the URL below:
    http://www.mvps.org/inetexplorer/answers3.htm#freezing

    You have not provided enough information about the Notepad error.

    rpcss.exe is a legitimate file; do not rename it. There is no way to tell
    whether a legitimate file, or malware, is using it. If you rename it in
    Win98 you'll have weird problems pop up all over the place. If you rename it
    in later OS, you kill your computer.

    IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
    the URL below - some malware can kill your internet connection when it is
    removed, and this software should get things going for you again:
    http://www.cexx.org/lspfix.htm

    Get yourself a copy of BHODemon, available at
    http://www.definitivesolutions.com/bhodemon.htm .

    It does not need installing - simply unzip and run the EXE programme. It is
    very easy to use. It will often find the following hijackware DLL files,
    and give you the ability to disable them easily.

    Many people like AdAware, available at www.lavasoft.de. Make sure you keep
    the signature files up to date and remember, AdAware only removes the
    current install; it can't do anything about software that reinstalls itself
    (unless you want to get stuck in an endless loop of
    hijack/cleanout/hijack/cleanout). Sometimes you will have to track down and
    remove the software that keeps putting the hijackware back - hence this
    advice section. Warning: AdAware is now version 6.181. All previous
    versions are NO LONGER SUPPORTED and will not be updated.

    The more experienced user can try Spybot. Again, it is a free programme
    which can be downloaded from: http://spybot.eon.net.au/. Warning: it is NOT
    a good programme for the inexperienced. If you want to use this programme,
    please get the advice of those more experienced before 'fixing' anything
    that it finds.

    Go to the link below to check your system for parasites (supplied by
    Doxdesk.com):
    http://www.mvps.org/inetexplorer/parasite.htm

    Another excellent programme that allows you to examine your system and
    *create a results log for experts to examine* is HijackThis, available from:
    http://www.tomcoyote.org/hjt/

    Download and run the latest version of "Cool Web Shredder"
    http://www.merijn.org/files/CWShredder.exe

    Here is advice specific to:

    home page hijackings
    http://www.mvps.org/inetexplorer/answers.htm#home_page

    pop-up ads
    http://www.mvps.org/inetexplorer/data/popup.htm

    search engine hijackings
    http://www.mvps.org/inetexplorer/answers4.htm#search_engine

    IMPORTANT: The above programmes are excellent, and a lot of credit goes to
    those who authored and update the programmes, but they can NOT detect
    everything that is out there - as time goes on the programmes will become
    more and more unwieldy if they try to maintain a standard of positive
    identification for as much spyware as possible, and it will be harder and
    harder for the programmes to catch everything that is out there. More and
    more spyware uses RANDOM names as part of their programme making it
    impossible for positive identification to occur, therefore....

    It is VERY IMPORTANT that you learn how to examine your system for potential
    problems as well as using 'fixit' programmes such as AdAware or Spybot.

    Check your startup folder and MSCONFIG (startup tab). You can also check
    the following registry keys and edit as appropriate (if you have experience
    with same).

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce

    The following link will lead you to some Microsoft KB articles about the
    basics of the Registry and working with it:
    http://www.mvps.org/inetexplorer/answers.htm#Registry

    An experienced computer technician can use programmes such as AutoStart
    Viewer for in-depth diagnosis:
    http://www.diamondcs.com.au/index.php?page=asviewer

    Empty your IE cache and your other temporary file folders, eg:
    c:\windows\temp (if using Windows 98) or C:\Documents and
    Settings\<name>\Local Settings\Temp (the path to your temp folder will
    change depending on your name) - sometimes programmes can be hidden in
    there - watch out for mysterious *.exe files or *.dll files in those
    folders.

    Go to IE Tools, Internet Options, Temporary Internet Files {Settings
    Button}, View Objects, Downloaded Programme Files. Check for unusual objects
    there.

    Go to IE Tools, Internet Options, Accessibility. Make sure there is no
    style sheet chosen (under User Style Sheet - format documents using my style
    sheet). If the option is turned on, turn it OFF.

    It is possible to turn off third party extensions (Enable third-party
    browser extensions (requires restart) at IE tools, internet options,
    advanced) to disable *all* plug-ins but troubleshooting will be difficult
    and it is only a BANDAID. Nothing gets fixed. There is software that
    depends on 'third party browser extensions" to work, including Acrobat,
    Microsoft Money, and many other programmes.

    --
    Hyperlinks are used to ensure advice remains current
    Do NOT send me an email. I will NOT see it (thank the spammers and viruses)
    _______________________________________
    Sandi - Microsoft MVP since 1999 (IE/OE)
    http://inetexplorer.mvps.org/


     
    Sandi - Microsoft MVP, Apr 30, 2004
    #4
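Sandi's post lists four Run/RunOnce registry keys and the temp folders to inspect by hand. The script below is an added example (not from the thread or any of its posters) that automates that inventory on a modern Windows host with PowerShell 5 or later; the key paths are the ones quoted above, and the Get-ExecutablePath helper and Get-RunKeyEntries function are names chosen here.

```powershell
# Added example, not the thread's own advice: list what the Run/RunOnce keys
# named in the post will launch, whether each target file exists and whether it
# is Authenticode-signed, then list loose .exe/.dll files in the temp folders.
# Assumes PowerShell 5+ on a current Windows build (the Win98SE box in the
# thread predates PowerShell); key paths are those quoted in the post.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a Run-key command line, which may be quoted and
# followed by arguments, e.g.  "C:\Program Files\App\app.exe" /silent
function Get-ExecutablePath([string]$CommandLine) {
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath "$($p.Value)"))
            $exists = Test-Path -LiteralPath $exe
            $signature = 'n/a'
            if ($exists) {
                # NotSigned or HashMismatch on an autostart entry deserves a closer look
                $signature = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Path      = $exe
                Exists    = $exists
                Signature = $signature
            }
        }
    }
}

Get-RunKeyEntries | Format-Table -AutoSize

# Loose executables in the temp folders the post names: a finished install rarely
# leaves these behind, so each hit is worth checking (not automatically malicious).
$tempDirs = @($env:TEMP, "$env:SystemRoot\Temp") | Sort-Object -Unique
Get-ChildItem -Path $tempDirs -Include *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Run it from an elevated prompt so the HKLM keys and the Windows temp folder are readable; an entry whose target file no longer exists is usually just a stale uninstall, but one that exists and is unsigned is the kind of thing the post tells you to track down.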
  5. This might be related to the problem.

    Thanks. That sounds a lot like my problem. I use Pegasus 4.12a as in
    that case.

    In Pegasus [alt][F10] and [incoming mail, hyperlinks] I unchecked "Use
    URLPROXY". I also clicked "Use the non-standard URLs used by internet
    explorer. I think that this fixed the problem with the URLPROXY
    window.
     
    Stan Hilliard, May 1, 2004
    #5
  6. The internet lock doesn't prevent all internet access. But having it
    on blocks all incoming and outgoing attempts on any port except for
    the programs that are specifically set to pass the lock.

    Thanks. I did.

    I was using NoteTAB. I just noticed what happened but do not have any
    additional information.

    I will leave it alone. Right now the ZoneAlarm firewall is set to
    allow RPCSS to start and access the internet, but not as a server. Is
    that a good setting?

    Thanks. I did.

    Thanks. BHODemon only detects my Google toolbar.

    However, prior to running BHODemon , earlier today, I noticed that my
    Google toolbar was missing from the IE6 screen. So I uninstalled it
    and then downloaded a new toolbar and installed it.

    Since I uninstalled/installed the Google toolbar I have not had IE6
    freeze! It used to always freeze on the first load after making a
    dialup connection.

    This seems to have fixed the freeze problem -- at least temporarily.

    Yes, I have Ad-aware 6.181 and I run every week. It always finds
    something.

    I have started using Spybot S & D. It found five things that Ad-aware
    didn't.

    I have this.
     
    Stan Hilliard, May 1, 2004
    #6
  7. I thought that I had solved the problem of the first IE6 instance
    after dialup hanging -- by uninstalling/reinstalling the google
    toolbar.

    That worked for a while, but the next day the problem was back. I made
    it go away again by again uninstalling/reinstalling the google
    toolbar.

    Spybot S&D finds file AtHoc.log in the root directory dated 1/15/01,
    138KB. What is that?

    Spybot also flagged Windows Media Player, but that doesn't sound to me
    like something bad.

    I changed the ZoneAlarm firewall settings for RPCSS and Windows
    Explorer to allow them to access the Internet as servers -- since they
    kept trying to do that. Is that a problem?

    Sincerely, Stan Hilliard

    =================
     
    Stan Hilliard, May 3, 2004
    #7
  8. Stan Hilliard

    H Leboeuf Guest

  9. I did not (voluntarily) have that tool bar. But the article in link
    (3) implies (I think) that if I did it might not be visible to me.

    (1) The first link is to a page that apparently does not exist at this
    time.

    (2) The second link tries to download a file, but I don't know what
    the file is.

    (3) The third link is to an article that I find interesting because it
    reminds me of a button (inactive now) on my website from NetMind
    Mind-It.

    The dead button is on this page:

    http://samplingplans.com/latestchanges.htm

    When the button worked, visitors to that page would be informed by
    email from NetMind any time that the page changed.

    I think that the button went inactive when NetMind was bought out and
    they stopped making it free and I didn't pay.

    Stan Hilliard

    ===
     
    Stan Hilliard, May 3, 2004
    #9
  10. Stan Hilliard

    H Leboeuf Guest

    1- Thanks, I will make the necessary correction; it is now a 404, no longer
    available site.

    2- This is what I get on the link. Why you would think it's trying to
    download some programs is not known to me.

    Quote
    URLs Company URL (http://www.athoc.com/)
    Product URL (http://www.athoc.com/site/products/portalToolbar.asp)
    Privacy URL (http://www.athoc.com/site/misc/privacyPolicy.asp)

    Functionality Toolbar
    Description From their own description: "Our technology keeps your business
    continuously connected to employees and customers even when they're not on
    your Web site." as well as "Features include: [...]Tracking and Reporting".
    Whether your installation of this toolbar is a threat or not depends mostly
    on the AtHoc customer that provides your toolbar variant. The toolbar allows
    the customer tracking, and user information may be shared with associates
    for advertisement purposes. Our recommendation: keep the toolbar if you've
    installed it intentionally, otherwise remove it.
    Privacy AtHoc uses this information primarily to personalize your experience
    on the Web, improve service to you, monitor Website traffic generated by
    your use of this service, and determine appropriate fees to charge your
    Toolbar providers ("AtHoc Clients") and Websites you visit as a result of
    placement on your Toolbar ("AtHoc Affiliates"). AtHoc may combine
    information it collects from you with information from other sources. AtHoc
    may also use the information collected to provide you with targeted
    marketing or promotional information, which you can choose not to receive.
    Data collected by AtHoc may be provided by or distributed to the specific
    AtHoc Toolbar Partner who is providing the AtHoc Toolbar service for your
    use. Please see their privacy policies to understand their practices in
    handling the information collected.[...] AtHoc, AtHoc Clients, and AtHoc
    Affiliates may send you marketing or promotional offers[...]
    Unquote.
    --

    That may be the reason you are getting a False Positive Hit on your virus
    scan.

    See what can be deleted from your system registry and computer.

    Go to http://www.spywareinfo.com/downloads.php#det
    Download "Hijack This!" [freeware] or download direct (below):
    http://www.merijn.org/files/hijackthis.zip

    If you get a 404 error or Access denied, try:
    http://216.180.252.218/~spywareinfo.com/downloads/tools/hijackthis.zip

    Unzip, double-click "HijackThis.exe" and Press "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log"
    button.
    Click: "Save Log" (generates "hijackthis.log")

    Next, HijackThis | Config [button] | Misc Tools [button]
    Click: Generate StartupList log [button] (generates "startuplist.txt")

    Next, go to the below location:
    http://www.spywareinfo.com/forums/

    Sign in, then copy and paste both files in your message.

    HijackThis Quick Start Help
    http://www.tomcoyote.org/hjt/

    The Tutorial if you want to know more about the results or the .log file.
    http://www.merijn.org/htlogtutorial.html
    _______________________________________



    Henri Leboeuf
    Web page: http://www.colba.net/~hlebo49/index.htm
    ===
     
    H Leboeuf, May 4, 2004
    #10
  11. Thanks, I will study that information.

    Meanwhile,

    The link was:
    http://www.safer-networking.org/index.php?page=threats&detail=297

    I still get the same result as I described earlier. It is the usual
    Win98SE messagebox that I always get when I download a file.

    window title: File Download
    File name: index.php
    From: www.safer-networking.org
    [open][save][cancel][more info]
     
    Stan Hilliard, May 4, 2004
    #11
  12. Stan Hilliard

    H Leboeuf Guest

    What happens when you go to this site (.php extension)
    http://forums.tomcoyote.com/index.php?showtopic=4413

    If you still get a download box then your file type association for .php may
    be the cause.
    Explorer-View-Folder Options-File Types
    I have nothing associated with .php as this is used by I.E.
    --

    Henri Leboeuf
    Web page: http://www.colba.net/~hlebo49/index.htm
    ===
     
    H Leboeuf, May 5, 2004
    #12
  13. I get the TomCoyote page in IE6. It has a message:

    You do not have permission to view this topic
    You are not logged in, you may log in below. (I registered)
    I checked, and I also have nothing associated with .php.

    I went back to the offending link in my previous post:

    http://www.safer-networking.org/index.php?page=threats&detail=297

    and it linked to a Spybot Search & Destroy description of AtHoc this
    time.

    I went to the link a second time and a third time about two minutes
    later and got the old messagebox offering to download index.php.

    I went to the link a fourth time and it linked to a Spybot Search &
    Destroy description of AtHoc.

    Does this make any sense?

    Sincerely, Stan Hilliard

     
    Stan Hilliard, May 5, 2004
    #13
  14. My mistake.

    .PHP was associated with Notepad.

    I removed the association.

    Sorry, Stan Hilliard

     
    Stan Hilliard, May 5, 2004
    #14
  15. Stan Hilliard

    H Leboeuf Guest

    And has this cleared your problem?


    --

    Henri Leboeuf
    Web page: http://www.colba.net/~hlebo49/index.htm
    ===

     
    H Leboeuf, May 6, 2004
    #15
  16. It solves that problem of Win98SE trying to download the .php, but it
    does not change the initial problem.

    The initial problem was that the first instance of IE that I load
    after making a dialup connection to the internet causes Windows
    Explorer (explore.exe) to try to access the internet as a server
    program.

    I know this because I have ZoneAlarm firewall to notify.

    When I choose "yes" to allow Windows Explorer to continue, all seems
    OK.

    When I choose "no" to block Windows Explorer, IE6 remains hung up and
    I have to kill it with [ctl][alt][del]. Sometimes I have to kill an
    instance of explore.exe too, although an instance of explore remains
    in the close-program list.

    Again, this behavior only happens on the first load of IE6 following
    the establishing of a dialup connection.

    I could set the firewall to allow explore.exe to watch as server all
    the time. I am concerned that this is a security problem.

    I don't know if this means anything, but two probes from the internet
    occur regularly that I don't understand. The firewall blocks them.

    1) Probes of type TCP (flags:S) from DNS=x.222.in-addr.arpa, where the
    number x varies.

    2) Type TCP (flags:S) , program Internet Information Services.

    These occur at various times seemingly not related to the unexplained
    startup of windows explorer as I described, but I mention them anyway
    in case they mean something.
     
    Stan Hilliard, May 9, 2004
    #16
  17. Stan Hilliard

    H Leboeuf Guest

    These viruses use a fake explorer.exe file to execute. Check them out.
    There may be others.

    http://www.symantec.com/avcenter/venc/data/backdoor.irc.zcrew.html
    http://securityresponse.symantec.com/avcenter/venc/data/spyware.dlder.html
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.flood.g.html
    --

    Henri Leboeuf
    Web page: http://www.colba.net/~hlebo49/index.htm
    ===
     
    H Leboeuf, May 9, 2004
    #17