Author Topic: Avast/RPCSS.exe accessing the internet..worried user  (Read 34372 times)

Offline Vlk

  • Global Moderator
  • Serious Graphoman
  • **
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #45 on: July 21, 2003, 03:02:24 PM »
Quote
...if this is so, then it is not used by Avast on 98se systems (mine). Why, then, is it then launched?- surely you could write the program so that it isn't, on non NT base OSs? Maybe in the next version?

What do you mean "launched"?? Avast doesn't launch it, really. Under Win98, it uses RPC ONLY for the virus chest (i.e. to communicate between the virus chest and the rest of the system). Nothing more...

Vlk
If at first you don't succeed, then skydiving's not for you.

Offline pcb

  • Jr. Member
  • **
  • Posts: 22
  • I am not a llama!
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #46 on: July 21, 2003, 03:22:31 PM »
Vlk,

I mean "launched" as a running process.
The following is copied from Task Info:


[Process Pane]

|Process|                 |% CPU| |LT % CPU|  |Time| |Sw/s| |InMem KB| |Total KB|   |Th||Pri|       |Ver| |State|       |Path|
                                                                                                                       
+ Idle                     89.88%     76.18%   50:16     80          0          0    1  Very Idle   4.0                 Idle
+ KERNEL32.DLL              0.33%      0.44%    0:14     18         32         44    3  High        4.3   32            C:\WINDOWS\SYSTEM\KERNEL32.DLL
+ MSGSRV32.EXE              0.04%      0.03%    0:13      1        168        220    1  Norm        4.0   16 Sys        C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+ MPREXE.EXE                                              0        336        556    1  Norm        4.0   32 Sys        C:\WINDOWS\SYSTEM\MPREXE.EXE
+ mmtask.tsk                0.04%                         0         92        120    1  Norm        4.0   16 Sys        C:\WINDOWS\SYSTEM\mmtask.tsk
+ ASHSERV.EXE               0.12%      1.43%    0:12     21      8,696     21,592   24  Norm        4.0   32 Sys        C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
+ EXPLORER.EXE              0.31%      1.69%    0:11     13      7,204     16,964   14  Norm        4.0   32            C:\WINDOWS\EXPLORER.EXE
+ TASKMON.EXE                                             0        132        232    1  Norm        4.0   32 Sys        C:\WINDOWS\TASKMON.EXE
+ SYSTRAY.EXE                          0.01%              0      1,020      3,700    2  Norm        4.0   32            C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+ RPCSS.EXE                                               1      1,144      2,524    4  Norm        4.0   32 Con Sys    C:\WINDOWS\SYSTEM\RPCSS.EXE
+ SPEEDKEY.EXE                         0.04%              0      1,620      6,400    1  Norm        4.0   32            C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
+ POINT32.EXE                                             0        924      2,896    1  Norm        4.0   32            C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
+ HF.EXE                    0.04%      0.02%    0:01      3      1,988      5,356    1  Norm        4.0   32 Sys        C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE
+ STIMON.EXE                0.09%      0.68%    0:07     14      2,996     19,428    4  Norm        4.0   32            C:\WINDOWS\SYSTEM\STIMON.EXE
+ FPDISP4A.EXE              0.04%      0.01%              0      1,492      4,964    2  Norm        4.0   32            C:\WINDOWS\SYSTEM\FPDISP4A.EXE
+ ASHMAISV.EXE              0.17%      0.10%    0:09      6      4,728     15,396    6  Norm        4.0   32            C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
+ TTMAN.EXE                            0.63%              0      2,588      6,356    1  Norm        4.0   32            C:\PROGRAM FILES\HACE\TASKBAR EXECUTIVE\TTMAN.EXE
+ WINEJECT.EXE                                            0        644      2,452    1  Norm        4.0   32            C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE
+ INVISIBLE.EXE             0.04%      0.01%              0      1,384      4,528    2  Norm        4.0   32            C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE
+ WMIEXE.EXE                0.04%                         0        428        812    3  Norm        4.0   32 Sys        C:\WINDOWS\SYSTEM\WMIEXE.EXE
+ CIDIAL.EXE                                              2      1,880      6,536    1  Norm        4.0   32            C:\PROGRAM FILES\CIDIAL-MANUALLY INSTALLED\CIDIAL.EXE
+ RNAAPP.EXE                           0.65%    0:02      4      1,980      6,932    3  Norm        4.0   32            C:\WINDOWS\SYSTEM\RNAAPP.EXE
+ TAPISRV.EXE               0.04%      0.01%    0:03      0      1,036      1,948    6  Norm        4.0   32 Sys        C:\WINDOWS\SYSTEM\TAPISRV.EXE
+ SPOOL32.EXE                                             0        972      3,684    2  Norm        4.0   32 Sys        C:\WINDOWS\SYSTEM\SPOOL32.EXE
+ MOZILLAFIREBIRD.EXE       5.90%      6.81%    6:09     69     32,744     41,472    9  Norm        4.0   32            C:\PROGRAM FILES\MOZILLA FIREBIRD\MOZILLAFIREBIRD\MOZILLAFIREBIRD.EXE
+ TASKINFO.EXE              0.56%      6.43%    0:01     26      2,320      6,696    1  High        4.0   32            C:\PROGRAM FILES\IARSN\TASKINFO2000 3.0\TASKINFO.EXE
+ VxD NTKERN                                              0          0          0    6  Norm        4.3                 VxD NTKERN  


[Current Process Pane]

CMD              =RPCSS
Curr Dir         =C:\Program Files\Alwil Software\Avast4
Started by       =C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
Data KB          =1,232  in mem = 628  in use = 504
Code KB          =1,292  in mem = 516  in use = 444
Handles Count    =30
Windows          = 2


You can see RPCSS.exe is a running process -#10 in the list, and at the bottom (under "current process pane") you can see that it was "started by" Avast.

Surely this means that Avast is "launching/loading" RPCSS.exe as a process?

Cheers,

PcB
« Last Edit: July 21, 2003, 03:24:57 PM by pcb »

Offline pcb

  • Jr. Member
  • **
  • Posts: 22
  • I am not a llama!
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #47 on: July 21, 2003, 03:40:38 PM »
Vlk,
 
At first, you said that:

Quote
avast! uses RPC for its communication between ashServ.exe and ashDisp.exe (under NT based OSs only).


which I took to mean that Avast does not use RPC (at all) on non-NT based systems, e.g. 98se. (Hence my last post)
 
..and now you say:

Quote
under Win98, it uses RPC ONLY for the virus chest (i.e. to communicate between the virus chest and the rest of the system)

So, if this last is correct, it is, in fact, necessary for Avast to "start" RPCSS.exe as a running process on non-NT based OSs, and there is nothing to be done.
Can this procedure not be done some other way in future versions?
I do not seem to be alone in being concerned about having this process opening a port to the net, constantly.
(Jusme's dll renaming trick may turn out to be problematic)


PcB.


Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #48 on: July 21, 2003, 04:03:10 PM »
Hi,
on my W2k I have 22 services (some disabled) potentially dependent on RPCSS.
Even on W98, I'd guess there is also some other stuff which uses rpcss apart from avast..
so whether Avast USES it or not, I'd guess rpcss will be needed once in a while..



Offline pcb

  • Jr. Member
  • **
  • Posts: 22
  • I am not a llama!
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #49 on: July 21, 2003, 04:44:00 PM »
Whocares,

Your point is accepted...all I can say is, I have not seen RPCSS.exe in my running tasks before installing Avast, and it certainly has never tried accessing the net: I've never had a relevant alert from my firewall in the 3 years or so I've been using one.
And it is definitely Avast that is starting RPC as a running process.

 

Offline FlashFlood

  • Newbie
  • *
  • Posts: 6
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #50 on: July 21, 2003, 06:28:49 PM »
Hello!

Today finds me feeling very pleased with myself.  :)

I have, I think, solved almost all of my problems with Avast!.

After reading the replies to my post of yesterday (thanks!), I realised that the dll modification had actually worked, in as far as that whilst Avast! was still causing dial-up-behaviour, the Avast!/RPCSS process was no longer contributing toward this.

It then occurred to me that I had seen references to an .ini file modification in several threads, and so I edited my Avast! .ini file (whilst I was at it I also altered some timeout values which seemed far too low).

Now my firewall traffic log shows that neither Avast! nor RPCSS is constantly listening/attempting to access the internet.

Enough of my gloating.

In reading this thread, I have been struck by the fact that many seem not to understand the fundamental differences between NT/2000 & 98/ME.

Many network protocols and the associated services and processes are native to NT/2000 and are run automatically and by default. RPC is, I think, one of these.

Most of these protocols/services/processes are not native to 98 or ME and are tacked on for reasons of cross-platform compatibility. But they don't always play nicely.

So, in NT/2000, RPCSS would almost certainly be running anyway. However, in ME (and I suspect 98), RPCSS is not widely utilized and certainly on my machine it was not used by any of my autorun services until I installed Avast!.

So, there you have it.

Cheers;
Flash.
- Flash  (28yo; Adelaide, Australia).
Avast 4; WindowsME; Sygate Personal Firewall; Dial-up connection.

Offline FlashFlood

  • Newbie
  • *
  • Posts: 6
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #51 on: July 21, 2003, 06:56:09 PM »
In my last message I forgot to say that my tinkering also seems to have cured the problems I had been experiencing with Scandisk disruptions since I installed Avast!

Also, since installation I had been experiencing some sporadic login problems, especially when rebooting, and these might be gone (I hope)...

-Flash.
- Flash  (28yo; Adelaide, Australia).
Avast 4; WindowsME; Sygate Personal Firewall; Dial-up connection.

Offline Lonny Jones

  • Newbie
  • *
  • Posts: 11
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #52 on: July 22, 2003, 07:42:06 AM »
Hi flash
Hey, you have the exact same setup as I do: Win ME, avast4,
Sygate Personal, a dial-up. But I already had RPCSS as a process.
RPCSS is distributed COM services, and it is set to ask me for access. I can't remember when I noticed it. You're right, it's not installed along with the system; I think, though, works or something else put it there, and needs it. RPCSS by itself cannot access the internet, neither will avast, so maybe you have something else set to auto-update or autodial?
At least, the way I'm understanding it, RPCSS is necessary for parts of some programs to talk to other parts of themselves and other programs,
though maybe you have some sleeping monster and now that it's active, allows it to awaken...
Have you been to SPF's forum?
Some places I've looked:
http://www.cexx.org/rpc.htm
http://www.computing.net/security/wwwboard/forum/2553.html
http://www.annoyances.org/exec/forum/winme/t1028301859
Well there is no end to it on google.
Regards
Lonny

Offline FlashFlood

  • Newbie
  • *
  • Posts: 6
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #53 on: July 22, 2003, 10:45:10 AM »
Hi!

Thanx Lonny - your response was very much appreciated.

I suspect that there are many factors at play in motivating our PCs' strange behaviours.

Since I seem to have solved most of my problems (for now...), I guess I'll have to be satisfied with that.

Cheers;
Flash.
- Flash  (28yo; Adelaide, Australia).
Avast 4; WindowsME; Sygate Personal Firewall; Dial-up connection.

Offline JusMe

  • Newbie
  • *
  • Posts: 11
  • I'm a tokin' llama!
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #54 on: July 23, 2003, 03:05:35 AM »
Like flash says, problem solved as far as I'm concerned too, so this will probably be the end of this thread for me.

Thanks for all your views and ideas.
Wouldn't say no to a link to that thread you found though flash (avast.ini)

I'm happy now to allow RPCSS to run, but still without the Rpcltscm.dll. (It DOES work for me lol)

VLK is right when he says it's required for the virus chest, with RPCSS disabled you are unable to move a file to the chest, so if you wanna use that function, or if any other program needs RPCSS, leave it running.
I think it's clear now that avast does not need to start this server to function, VLK backs this up, but IS wrong about RPCSS being enabled as default.

As pcb pointed out, your program STARTS the RPCSS process on our OS.

If I disable your software, RPCSS does NOT start on my machine.
Avast may not use the networking side of things, but when RPCSS starts, it also then kicks off a load of other services, including the dll I mentioned which STARTS THE SERVER which DEFFO LISTENS ON PORT 135 (trust me! lol).

By the way, I've now blocked all incoming blue bitmaps from passing through the firewall just to be sure (I AM that paranoid lol)

Anyway, if you think this thread is long, check this out!
http://computing.net/windows95/wwwboard/forum/3943.html.

Gives a lot of theories including a conspiracy theory that suggests 135 is opened so Microsoft can check on piracy!
(Woooooahhh, now I really AM worried! lol)

A far more productive and extremely informative page can be found at http://www.cexx.org/rpcss.htm

C'y'all soon.
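
One way to check the port 135 observation made in the post above from `netstat -an` output, given here as an added example that is not part of the thread or of any poster's tooling. The netstat text is a constructed sample in the Windows layout, and the function names are illustrative.

```python
# Constructed sample in the Windows `netstat -an` layout; not taken from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1050      10.0.0.5:135           ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

RPC_PORT = 135  # port named in the thread
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]"}


def parse_listeners(netstat_text):
    """Return (proto, address, port) for every socket accepting traffic."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unrelated text
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""  # UDP rows have no state
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound or established connection, not a listener
        addr, _, port = local.rpartition(":")
        if port.isdigit():
            listeners.append((proto, addr, int(port)))
    return listeners


def rpc_exposure(netstat_text, port=RPC_PORT):
    """Classify each listener on `port` by how widely it is bound."""
    findings = []
    for proto, addr, bound_port in parse_listeners(netstat_text):
        if bound_port != port:
            continue
        if addr in WILDCARD_ADDRS:
            scope = "all-interfaces"    # reachable over any link unless filtered
        elif addr.startswith("127.") or addr == "[::1]":
            scope = "loopback-only"     # local inter-process use only
        else:
            scope = "single-interface"
        findings.append((proto, addr, scope))
    return findings


if __name__ == "__main__":
    print(rpc_exposure(SAMPLE_NETSTAT))
```

A listener reported as `all-interfaces` is the case a personal firewall rule has to cover; `loopback-only` is enough for communication between local processes.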

Offline pcb

  • Jr. Member
  • **
  • Posts: 22
  • I am not a llama!
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #55 on: July 23, 2003, 09:12:23 AM »
Cheers Jusme,

Thanks once again for your excellent dll renaming tip.
And all your other input.

and Flash,
I too would like to know more on your Avast4.ini tweak. Would you mind sharing your expertise?

Thanks,
 
PcB

« Last Edit: July 23, 2003, 09:17:43 AM by pcb »