Avast/RPCSS.exe accessing the internet..worried user

Here’s a quick fix that doesn’t stop the process running, but strips the ‘gummings’ it needs to enable a server.
Disable the virus scanner from starting up using START/RUN then type msconfig and click ok.
Select the STARTUP tab in the pop up window, then uncheck the box alongside avast! to stop it loading.
Restart the PC.
If the virus scanner fails to start which is what you need, you can then simply go to C:\WINDOWS\SYSTEM and look for a dll file named Rpcltscm.dll.
Rename this to Rpcltscm.txt (note the change of extension)
Now run msconfig again to re-enable the virus scanner (check the box you un-checked earlier)
Restart the PC.
Avast still runs, still updates as normal, but now this pesky server is history.
Remember, the process RPCSS.EXE still starts and runs in the background, it just doesn’t know how to run as a server anymore.
I don’t know how effective this workaround is, the dll file may get re-written at some point, but so far, so good.

Hi pcb.

No I didn’t update manually, avast still does that despite disabling RPCSS.EXE !!! (it updated with a new fileset only today)
Now someone still try to tell me it’s used for updating!
Also, not allowing it to connect to the net does not seem to affect the functionality of the software, mine starts and seems to be running fine.

I gotta say MODS, all this seems a little fishy to me.
Microsoft have ADMITTED (under pressure, as usual) that there is security flaw with RPCSS, yet you seem unwilling to even explore this further despite these posts.

Can I ask, does your company use the RPCSS process for communicating with our PCs, or have you enabled it for someone else, maybe for a fee?
Someone like…MICROSOFT?

I know we’ve been asked to wait for a reply, but waiting ain’t one of my attributes, especially when it takes 3 hours to rebuild my operating system from scratch just because some scrote thinks he’s Neo and has the right to fcuk with my PC!

Like I said, I did not follow this thread, but if you do not like this Microsoft service why not disable it?

JusMe:
You have already read it above: VLK will be back on Monday and I can’t help you with this technical question relevantly. If waiting ain’t one of your attributes, you can read the opinion VLK expressed in the thread above several times.

Can I ask, does your company use the RPCSS process for communicating with our PCs, or have you enabled it for someone else, maybe for a fee?

Total bullshit. We have been working hard on our antivirus programs for 15 years this month (well at least some of us :wink: ) and we still like it. The reason why avast! Home is free is that we want to help the home users and well, to make avast! a little bit more famous as well.

If you do not trust your antivirus vendor, how can you trust his programs? If you believe there is some kind of spyware/backdoor in avast, please be so kind and uninstall it immediately. But do not spread false accusations without any facts, please!

Pavel

Pavel,
I come from a place where the saying ‘calm down’ is sort of a catchphrase.
That was the first thing I thought of when reading your response, especially when I got to the bit that said:

OOOOPS!!!

Pavel,

It’s nice to hear from you…it’s been a long time since a moderator has responded to this thread.
I realise the others are on holiday, and you must be pretty busy.

Please realise that we are just concerned about this issue.
I don’t know about anybody else posting here, but I am not a computer expert, though neither am I a newbie.
I have been letting RPCSS.exe access the internet, believing it to be a legitimate action, used by Avast to get virus updates.

At first, I blocked it, but then later, as it seemed OK to give it access, I did so, and have been doing so for the last 2 days.
Now, if this is NOT Avast calling on it to access the net, what have I been allowing to be sent in and out of my computer?

I hope you can appreciate my/our concern.

I would like to add that I have never even come across RPCSS.exe until I installed Avast a short while ago.

If it turns out that RPCSS.exe has nothing to do with the Virus signature updating service, and can be blocked by a firewall without preventing Avast from doing its job (please see Jusme’s last posting though, which I quote below), then I’ll be quite happy, and won’t bother anyone about it again.

I am, apart from this one issue, very impressed with Avast, and once reassured about this issue, and have a fuller understanding of how/why RPCSS.exe is used by the Avast, I will be a devoted user, I am sure.

Thank you. I look forward to hearing from one of the software authors, hopefully on Monday or soon after.

Jusme…

you say:

No I didn’t update manually, avast still does that despite disabling RPCSS.EXE !!! (it updated with a new fileset only today)

and:

Also, not allowing it to connect to the net does not seem to affect the functionality of the software, mine starts and seems to be running fine.

If what you say is true, then what Pavel and Vlk said in this posting: http://www.avast.com/forum/index.php?board=2;action=display;threadid=220;start=0
is not true.

Raman,
I must believe them- that the RPC service is needed for Avast to be fully functional.

Cheers, all,

PcB

Strange, the preview is posting???
Anyway…
the bit where you say I’m spreading false accusations.
Not to be too bitchy about it, I think you’ll find they were questions, which you have ANGRILY denied.
Ok, I do believe you (dunno why? jus do. maybe trust has to start somewhere)

I never really suspected your company of this type of underhand tactic.
What would be the point?
In the short term, yeah, make a quick killing by bundling, but in the long term you’d be doomed once the techies were onto it.

Let’s just say the ‘MS theory/QUESTION’ was my way of ‘opening doors’.

I love this scanner up to now, I even like the scanning GUI, and want it to work on my PC ‘cause others I’ve tried just hog too much resource, so don’t be putting me off by tellin’ me to ‘uninstall’ just because I’ve said something that you don’t like.
Isn’t that called washing your hands?

I’ve read the previous on this, seen the comments VLK made.
Local ports can be routed to, so it ain’t safe.
An open port is an open port, be it local or otherwise.
The fact the program is RUNNING and LISTENING is a security threat.
Along with Microsoft themselves admitting this process can be exploited, I just cannot believe this is not seen as a problem.

VLK has said he sees no problem with letting it run in the background.
There are many out there that disagree, including myself, but I look forward to seeing what the man has to say on his return in light of these postings.

At the end of the day, I’ve disabled it, and if you guys are happy with that, then so am I.
Still leaves one nigglin question though.
Why?

Guess I’ll have to be patient :p’

PcP

I’m sorry, but I think I’ve got you confused a bit.
You have misunderstood what I have actually disabled on my PC.
I have not disabled RPCSS.EXE, VLK is right, it IS needed. (just try renaming it, see if avast works after that, you’ll find it won’t)
What I HAVE disabled is the DLL that allows REMOTE ACCESS.(Rpcltscm.dll)
That is not the same as disabling the WHOLE RPCSS process.

Sorry about that.

Boy…this turned out to be one heck of a thread!

Anyway…everyone please calm down! Name calling and insults (and cursty language) won’t get this matter resolved. We ALL are interested in this now.

One thing I can add. My W98 system has RPCSS.exe called up whenever Avast is running, BUT DOES NOT ASK FOR INTERNET ACCESS. I have this blocked by my firewall, therefore, VLK’s remarks that this process is used by Avast for inter-process communication seems believable.
I think that at this point, it has been determined that Avast uses the RPCSS not only for updating, but for the On line Protection Control, and all of its other internal components since Avast will not function when RPCSS is disabled (not just blocked from internet access).

My FW has not recorded any attempts by the RPCSS process to communicate with, or to be used by any outside server other than “local machine”.

I certainly take exception to the remark that Avast put a backdoor in to secretly communicate with our pcs.
Bunk on that one!

The Avast team has proven themselves in doing everything they can to make Avast one of the best av programs around. With every new release, “a bug” can creep in, but with cooperation from users…it gets fixed! If you can’t stand with them and cooperate in a proper manner, then go find another av to use.

:wink:

Techie 101,

Unlike you, I have had RPCSS.exe access the net, and also receive, regularly. This is one of the “alerts” from my Firewall:

“Someone from c-134-76-211.b.dial.de.ignite.net [62.134.76.211], port 4944 wants to send UDP datagram
to port 135 owned by ‘Distributed COM Services’ on your computer” “c:\windows\system\rpcss.exe” . )

I have queried Ripe Whois about that address, which came up with this:

inetnum: 62.134.64.0 - 62.134.127.255
netname: BT-IGNITE-DIAL-5
descr: BT Ignite Dialin
country: DE
admin-c: BCCC-RIPE
tech-c: BNMC-RIPE
status: ASSIGNED PA
remarks: was VIAG-DIAL-5
remarks: appr. RIPE-NCC-20000918
mnt-by: IGNITE-DE-MNT
changed: dave.pratt@viaginterkom.de 20001017
changed: katrin.bihlmayer@btignite.de 20020115
changed: hermann.maser@btignite.de 20020404
source: RIPE

route: 62.134.0.0/16
descr: DE-VIAG-20000918
origin: AS8472
mnt-by: IGNITE-DE-MNT
changed: david.pratt@viaginterkom.de 20000919
source: RIPE

role: BT Ignite Customer Care Centre
address: Mergethaleralle 6-8,
address: 65760, Eschborn, Germany
phone: +49 69 3307 6611
fax-no: +49 69 3307 1111
e-mail: bccc.internet@btignite.de
trouble: SPAM/COMPLAINTS to: btignite-abuse@btignite.de
trouble: SPAM/COMPLAINTS to other addresses will probably be ignored.
admin-c: KM2133-RIPE
tech-c: HK376-RIPE
tech-c: ST378-RIPE
tech-c: SR1985-RIPE
notify: ripe@de-ignite.net
nic-hdl: BCCC-RIPE
mnt-by: IGNITE-DE-MNT
changed: dp@planning.viaginterkom.de 20010703
changed: hermann.maser@btignite.de 20020227
changed: hermann.maser@btignite.de 20020429
source: RIPE

Looks harmless, and maybe even helpful (an anti-spam service?)- I presume the BT is my telecoms provider: British Telecom. ( I have emailed Dave Pratt asking for information)

Why should my RPCSS.exe be wanting access to the net, and not yours?
As I mentioned earlier, I started off by blocking the service( when I didn’t know what it was all about), but then, as it appeared to be a legitimate use by Avast I have been allowing both in & out…(stopping it all from now though!)

Jusme,
Thanks for your tip on how to disable RPCSS.exe without in fact disabling it ;-).
Yes, I’m sorry, I misunderstood. (Reading too fast, I suppose).

I would like to have this workaround verified as acceptable by the experts.

By the way, you could try not to be too wild in your accusations. I think that Pavel was pretty restrained in his reply to you, considering!

This for the Avast team:

If Avast does not assign RPCSS.exe to access the net, why has a warning (that it might do so and can be safely blocked by a firewall) not been included (in the installation process or the readme or the helpfile) ? And to advise users to block it with a firewall.
Surely this would have been sensible, so as to avoid this worrying misunderstanding?

(Of course not everyone uses firewalls. I can see the problem there for you. Other AV programs don’t seem to use RPC, (with great respect) could you not find some other way to fulfil the same function?)

All the best,

PcB

Ok guys, point taken.
I’m a little rough around the edges, I know ok, lol
Never been very…errr… diplomatic.
(that’s real close to an apology you know)

Maybe I did fly off the handle a bit, said some controversial shi…hmmm…and ‘crusty’ stuff, but I was real mad when I realised I was connected to the net with a listening port known to be EASILY exploited.

I musta presumed you guys would know better than to let this happen, so I thought you’d musta done it on purpose.
Not sure which is more worrying.
You knowing, or not knowing…

I’m calm and mellow now, (disabling the server listening on 135 helped)
Along with a little more research, I now believe this to be just another UNINTENTIONAL SECURITY FLAW.

Pavel. Another thing.

I don’t know who you guys are.
I’m sure you really are straight up, but remember, I’ve just walked in off the street.
Am I to just instantly trust EVERYBODY that produces software?
(My experience says no, suss 'em out first!)

Yet another thing.
Would you be telling me to uninstall if I’d paid for it?

Sorry if it sounds like I’m having a go again, it’s only self defense : )


A nose walked into a bar and asked for a shot of JD.
“No chance” said the barman, “you’re off your face”

Hi JusMe.

Thanks for the tip about disabling the rpcltscm.dll.

Have renamed it and am happy to see that RPCSS no longer has any connections open to the outside world.

I feel better now, even though I already had the firewall blocking it.

While I really like the quick incremental upgrades for Avast and a number of other features, it does appear to have a few rough edges like this, but I suppose that’s why it’s free.

Took me a while to realize that it was Avast which had activated RPCSS on my PC as I did a number of simultaneous changes recently (always a bad idea) and it was only discovering this forum which confirmed my suspicions.

Really do not like the idea of a server running on my Win98 machine, even if it is hiding behind a firewall!

Unlike you, I have had RPCSS.exe access the net, and also receive, regularly…
Why should my RPCSS.exe be wanting access to the net, and not yours?

pcb,
I wish I had an answer for you, but my rpcss does not communicate with the internet. I have never heard of Ignite, but that may be a service in Europe that does not extend itself to the US.
Hopefully, VLK who is the senior guru might come back with some more information.

Fact remains, if you disable rpcss completely, Avast will not do anything!

If we keep “asking”…we may get a more detailed answer from the Avast Team.

Wish I had more to offer on this, but I am as puzzled as you.

:-[

Many thanks for all your input, Techie101, Svenouk, and Jusme,

Looks like we’re getting this sorted out, without Avast’s help. Just our luck that they are on holiday!

Jusme & Svenouk, by disabling the rpcltscm.dll, are you sure you’re not preventing some other important/useful program/process from working?

Does anybody have any in-depth knowledge on this one?

Cheers all,

PcB

The one with the dll is a bit quick and dirty. There is a good German “how to disable Windows XP/2000 Services” guide http://www.kssysteme.de/s_content.php?id=fk2002-01-31-3823
A quick google search brings up this site. Maybe it is useful (did not read it completely) http://www.overclockersclub.com/windowsxpservices.shtml
But be careful, if you do not know what you are doing, it could affect the “behavior” of your Computer!

Raman,

Thanks for the input and links. I’m afraid, though that I’m still using 98se, so wonder whether what goes for XP goes for 98se in this case.
Anyway, given what was mentioned on the second link:

Remote Procedure Call (RPC) (Automatic) -Critical! Leave this set to Automatic. Just about everything depends on this service to be running.

Remote Procedure Call (RPC) Locator (DISABLE) -Manages the RPC name service database. I have not found a reason to keep this service running. If something on your network breaks after you disable this service, put it back to Manual or Automatic.

…which RPC are we talking about here…the locator (seemingly OK to disable), or the former (Critical!) one?

I’m still unwilling to follow Jusme’s tip, until more sure of what can transpire.

PcB

Hi snevouk.
You’re welcome, although raman is right, it is a dirty fix, (but as you’ve found, it does work.)

pcb
Don’t think you need to worry about it affecting your PC, remember the majority of RPCSS still runs, just the bit that starts the SERVER is ‘hacked off’.
Other programs that need the process should still work unless they need to act as a SERVER FROM YOUR PC.
At the end of the day, if anything DOES go wrong, just rename it back, no harm done.

Servers mean letting people gain access to your PC, not for me that’s sure.
Having said that, it seems you CAN kill RPCSS once avast has STARTED.
As far as I can tell, NOT ONE PART OF RPCSS IS USED FOR UPDATING or KEEPING THE PROGRAM FUNCTIONAL.

Try it.
Get a decent ‘background programs’ viewer, there are free ones if you look around.
Some viewers will also let you Kill the running tasks it finds.
Kill the RPCSS program.
Avast doesn’t ‘die’, and it still scans, updates and works fine.
It’s just that avast won’t STARTUP if RPCSS is disabled or removed, for example, if you re-boot your PC, hence the need for dll ‘hatchet job’ if you want avast to run as normal, but not start this unnecessary and dangerous service.

I’m quite pleased with the product up to now, like snevouk said, just the odd burr that needs filing down to give a nice and smooth, sleek product.
A bit worried about the limited and lengthy time to respond though.
It seems we have to wait for one guy to come back from his hol’s before anything can even be looked at, never mind fixed and resolved.
In the meantime, many of us could be broadcasting away to the underbelly of the WWW.
Who knows, we may get some answers this coming week.

JusMe,

I have in fact a couple of process viewers…started using them when I discovered RPCSS.exe in my TaskKiller list -wanted to find out about it.

And yes, I too have killed RPC on several occasions, without any apparent effect on Avast, but I wasn’t sure if it was affecting its ability to do its job properly.
You say that

NOT ONE PART OF RPCSS IS USED FOR UPDATING (we all know that now) OR KEEPING THE PROGRAM FUNCTIONAL

…but if Avast needs the service to communicate between its modules, won’t killing it prevent this “communication”?

Raman doesn’t seem too keen on your dll renaming trick. I expect it’s fine to do it, but I’m afraid I’m still not 100% convinced.
I think I’ll wait for more opinions, with respect.

all the best,
PcB

Hello!

I have a dial-up connection, and so every time Avast! tries to access the net on its own whim it can cost me money, and it’s also a waste of time and an annoyance.

I tried the RPCSS dll solution, but apparently on WindowsME it isn’t as effective as on other platforms, because Avast!/RPCSS still initiated a dial-up connection at startup.

Also, on WinME it’s much harder to rename the dll in the first place: the renaming needs to be done in Safe Mode, because otherwise the automatic System File Protection (SFP) restores a copy of the file within seconds after it is modified!

I thought I’d include some info from my firewall program in case this can assist anyone:

Connection origin :
File Version : 4, 0, 234, 0
File Description : avast! antivirus service
File Path : C:\Program Files\Alwil Software\Avast4\ashServ.exe
Process ID : FFFEC159 (Heximal) 4294885721 (Decimal)

local initiated
Protocol : ICMP
Local Address : 203.220.231.46
ICMP Type : 8 (Echo Request)
ICMP Code : 0
Remote Name : www.avast.com
Remote Address : 64.246.6.135

Ethernet packet details:
Ethernet II (Packet Length: 44)
Destination: 20-53-52-43-00-00
Source: 44-45-53-54-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0… = Don’t fragment: Not set
…0. = More fragments: Not set
Fragment offset:0
Time to live: 64
Protocol: 0x1 (ICMP - Internet Control Message Protocol)
Header checksum: 0xb675 (Correct)
Source: 203.220.231.46
Destination: 64.246.6.135
Internet Control Message Protocol
Type: 8 (Echo Request)
Code: 0
Data (4 bytes)

Binary dump of the packet:
0000: 20 53 52 43 00 00 44 45 : 53 54 00 00 08 00 45 00 | SRC…DEST…E.
0010: 00 1C 0A A3 00 00 40 01 : 75 B6 CB DC E7 2E 40 F6 | …@.u…@.
0020: 06 87 08 00 EC FF 02 00 : 09 00 00 00 | …

I’m not totally sure about this, but I think that RPCSS is also responsible for the Scandisk disruptions which have been an issue for some users (see separate thread: scandisk).

Overall, RPCSS seems to me to be an outdated, annoying, and unreliable protocol.

Anyway, that’s all. For now…

Cheers.
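
Added example, not part of the original post: a Python decode of the 44-byte "Binary dump of the packet" quoted above, to confirm from the raw bytes that the connection is an ICMP echo request (ping) from 203.220.231.46 to 64.246.6.135 and that both checksums verify. The function names `inet_checksum` and `decode` are assumptions of this example.

```python
import ipaddress
import struct

# Bytes copied from the hex column of the firewall dump in the post above.
DUMP_HEX = """
20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00
00 1C 0A A3 00 00 40 01 75 B6 CB DC E7 2E 40 F6
06 87 08 00 EC FF 02 00 09 00 00 00
"""
FRAME = bytes.fromhex("".join(DUMP_HEX.split()))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / ICMP and verify both checksums."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II frame carrying IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[0] >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("malformed IPv4 header")
    header, payload = ip[:ihl], ip[ihl:total_len]
    info = {
        "src": str(ipaddress.IPv4Address(header[12:16])),
        "dst": str(ipaddress.IPv4Address(header[16:20])),
        "ttl": header[8],
        "protocol": header[9],
        # Value as it appears on the wire (network byte order).
        "ip_checksum_wire": struct.unpack("!H", header[10:12])[0],
        # Same two bytes read little-endian, which is what the log prints.
        "ip_checksum_le": struct.unpack("<H", header[10:12])[0],
        # Summing a header that includes a valid checksum yields 0.
        "ip_checksum_ok": inet_checksum(header) == 0,
    }
    if header[9] == 1 and len(payload) >= 4:  # protocol 1 = ICMP
        info["icmp_type"] = payload[0]
        info["icmp_code"] = payload[1]
        info["icmp_checksum_ok"] = inet_checksum(payload) == 0
        # Bytes after type/code/checksum; the firewall labels these "Data".
        info["icmp_rest_len"] = len(payload) - 4
    return info


if __name__ == "__main__":
    for key, value in decode(FRAME).items():
        print(f"{key}: {value}")
```

The header checksum on the wire is 0x75B6; the firewall log shows 0xb675, which is the same two bytes displayed in the opposite byte order.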