Hi, on my W2k-SP4
RPC is set to automatic, but RPC-Locator to manual
I don’t know if I set the locator settings myself though ;D ;D
but, no probs here

Well, I have renamed the RPCLTSCM.dll as suggested by JusMe.
And RPC is no longer opened up to the net.
I feel much better, so long as no problem occurs as a result.

Thanks Jusme.

PcB

Hi Flash,

Unfortunately, the dll ‘chop’ will only disable the server (which I’d do whether you’re on dial-up, cable or ANY INTERNET CONNECTION, just stop that damn server if it’s running : port 135)
I’ve removed all dial up features from my PC, so not sure which process is responsible for starting your connection, but to be honest, from your report, I’d say it’s avast ITSELF, dialing up to check for updates, a TOTALLY separate process from what RPCSS does.
Have you disabled the avast auto update?
As for that system restore…blahhhhh…

I’m the same as you pcb, not too keen on having to hack away at my system, so I’m as keen to hear the views of the sunburnt techies at avast. lol

OK guys, I feel lots of you are eagerly waiting for me to write something to this thread but I wish I had something new for you… :wink:

I will try to be as technical as possible - I believe there has been enough haggling already. :slight_smile:

avast! uses RPC for its communication between ashServ.exe and ashDisp.exe (under NT based OSs only). I know most of you are not programmers but I can assure you that using RPC for such a purpose is a completely normal, supported, and recommended way of doing such things, and there must be hundreds of Windows programs that do just the same… And, in fact, Windows itself uses LRPC (i.e. local RPC) for internal communication between some of its parts. It’s not that it is “listening on a port” - RPC is just a shell on top of other protocols (transports). One of these protocols is TCP/IP (so only in this case we could be talking about listening on a port), but avast does not use it. It just uses the LRPC - a custom, Windows-proprietary protocol that never ever touches the network and that you really don’t have to worry about - next time, you could have concerns about the security of displaying blue bitmaps on your screen, – little paranoid, don’t you think…? What I’m trying to say is that (the consumer edition of) avast never uses RPC for any kind of network communication, be it updating or anything else.

  • the other thing is that all the RPC stuff is hosted in the RPC service (RPCSS), and I’m not familiar with a way to selectively disable RPC’s individual transports. If the DLL hack you’ve described works, good for you. But please note that what you’re doing has really nothing in common with avast – the RPC service is part of Windows (and by default, it’s ON). If you don’t like it, you can disable it (or otherwise hack it) but you must be prepared that some other apps just won’t work. E.g. both Exchange Server and Outlook rely heavily on RPC over TCP/IP (as do things like NFS under Unix, though - just FYI).

Hope this helps,
Vlk

Vlk,
Good to hear from you…hope you enjoyed your holiday.

After all the initial brouhaha, I am now happy that the RPC issue is not of serious concern. However, Avast does launch it as a process, and mine has regularly sought access to the net, and has received data, as you can see from my postings.

You say that

avast! uses RPC for its communication between ashServ.exe and ashDisp.exe (under NT based OSs only)

…if this is so, then it is not used by Avast on 98se systems (mine). Why, then, is it then launched?- surely you could write the program so that it isn’t, on non NT base OSs? Maybe in the next version?

For now, is there any way for us to prevent its launch by Avast, in our present installations!? (out of sight, out of mind).

Thanks for your prompt response, and many thanks for a great program. Wish I had thought of downloading it long ago.

All the best,

PcB

...if this is so, then it is not used by Avast on 98se systems (mine). Why, then, is it then launched?- surely you could write the program so that it isn't, on non NT base OSs? Maybe in the next version?

What do you mean “launched”?? Avast doesn’t launch it, really. Under Win98, it uses RPC ONLY for the virus chest (i.e. to communicate between the virus chest and the rest of the system). Nothing more…

Vlk

Vlk,

I mean “launched” as a running process.
the following is copied from Task Info:

[Process Pane]

|Process| |% CPU| |LT % CPU| |Time| |Sw/s| |InMem KB| |Total KB| |Th||Pri| |Ver| |State| |Path|

  • Idle 89.88% 76.18% 50:16 80 0 0 1 Very Idle 4.0 Idle
  • KERNEL32.DLL 0.33% 0.44% 0:14 18 32 44 3 High 4.3 32 C:\WINDOWS\SYSTEM\KERNEL32.DLL
  • MSGSRV32.EXE 0.04% 0.03% 0:13 1 168 220 1 Norm 4.0 16 Sys C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  • MPREXE.EXE 0 336 556 1 Norm 4.0 32 Sys C:\WINDOWS\SYSTEM\MPREXE.EXE
  • mmtask.tsk 0.04% 0 92 120 1 Norm 4.0 16 Sys C:\WINDOWS\SYSTEM\mmtask.tsk
  • ASHSERV.EXE 0.12% 1.43% 0:12 21 8,696 21,592 24 Norm 4.0 32 Sys C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
  • EXPLORER.EXE 0.31% 1.69% 0:11 13 7,204 16,964 14 Norm 4.0 32 C:\WINDOWS\EXPLORER.EXE
  • TASKMON.EXE 0 132 232 1 Norm 4.0 32 Sys C:\WINDOWS\TASKMON.EXE
  • SYSTRAY.EXE 0.01% 0 1,020 3,700 2 Norm 4.0 32 C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  • RPCSS.EXE 1 1,144 2,524 4 Norm 4.0 32 Con Sys C:\WINDOWS\SYSTEM\RPCSS.EXE
  • SPEEDKEY.EXE 0.04% 0 1,620 6,400 1 Norm 4.0 32 C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
  • POINT32.EXE 0 924 2,896 1 Norm 4.0 32 C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
  • HF.EXE 0.04% 0.02% 0:01 3 1,988 5,356 1 Norm 4.0 32 Sys C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE
  • STIMON.EXE 0.09% 0.68% 0:07 14 2,996 19,428 4 Norm 4.0 32 C:\WINDOWS\SYSTEM\STIMON.EXE
  • FPDISP4A.EXE 0.04% 0.01% 0 1,492 4,964 2 Norm 4.0 32 C:\WINDOWS\SYSTEM\FPDISP4A.EXE
  • ASHMAISV.EXE 0.17% 0.10% 0:09 6 4,728 15,396 6 Norm 4.0 32 C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
  • TTMAN.EXE 0.63% 0 2,588 6,356 1 Norm 4.0 32 C:\PROGRAM FILES\HACE\TASKBAR EXECUTIVE\TTMAN.EXE
  • WINEJECT.EXE 0 644 2,452 1 Norm 4.0 32 C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE
  • INVISIBLE.EXE 0.04% 0.01% 0 1,384 4,528 2 Norm 4.0 32 C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE
  • WMIEXE.EXE 0.04% 0 428 812 3 Norm 4.0 32 Sys C:\WINDOWS\SYSTEM\WMIEXE.EXE
  • CIDIAL.EXE 2 1,880 6,536 1 Norm 4.0 32 C:\PROGRAM FILES\CIDIAL-MANUALLY INSTALLED\CIDIAL.EXE
  • RNAAPP.EXE 0.65% 0:02 4 1,980 6,932 3 Norm 4.0 32 C:\WINDOWS\SYSTEM\RNAAPP.EXE
  • TAPISRV.EXE 0.04% 0.01% 0:03 0 1,036 1,948 6 Norm 4.0 32 Sys C:\WINDOWS\SYSTEM\TAPISRV.EXE
  • SPOOL32.EXE 0 972 3,684 2 Norm 4.0 32 Sys C:\WINDOWS\SYSTEM\SPOOL32.EXE
  • MOZILLAFIREBIRD.EXE 5.90% 6.81% 6:09 69 32,744 41,472 9 Norm 4.0 32 C:\PROGRAM FILES\MOZILLA FIREBIRD\MOZILLAFIREBIRD\MOZILLAFIREBIRD.EXE
  • TASKINFO.EXE 0.56% 6.43% 0:01 26 2,320 6,696 1 High 4.0 32 C:\PROGRAM FILES\IARSN\TASKINFO2000 3.0\TASKINFO.EXE
  • VxD NTKERN 0 0 0 6 Norm 4.3 VxD NTKERN

[Current Process Pane]

CMD =RPCSS
Curr Dir =C:\Program Files\Alwil Software\Avast4
Started by =C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
Data KB =1,232 in mem = 628 in use = 504
Code KB =1,292 in mem = 516 in use = 444
Handles Count =30
Windows = 2

You can see RPCSS.exe is a running process -#10 in the list, and at the bottom (under “current process pane”) you can see that it was “started by” Avast.

Surely this means that Avast is “launching/loading” RPCSS.exe as a process?

Cheers,

PcB

Vlk,

At first, you said that:

avast! uses RPC for its communication between ashServ.exe and ashDisp.exe (under NT based OSs only).

which I took to mean that Avast does not use RPC (at all) on non-NT based systems, eg 98se. (Hence my last post)

…and now you say:

under Win98, it uses RPC ONLY for the virus chest (i.e. to communicate between the virus chest and the rest of the system)

So, if this last is correct, it is, in fact, necessary for Avast to “start” RPCSS.exe as a running process on non-NT based OSs, and there is nothing to be done.
Can this procedure not be done some other way in future versions?
I do not seem to be alone in being concerned about having this process opening a port to the net, constantly.
(Jusme’s dll renaming trick may turn out to be problematic)

PcB.

Hi,
on my W2k I have 22 services (some disabled) potentially dependent on RPCSS
even on W98, I’d guess there is also some other stuff which uses rpcss except from avast…
so whether Avast USES it or not, I’d guess rpcss will be needed once in a while…

Whocares,

Your point is accepted…all I can say is, I have not seen RPCSS.exe in my running tasks before installing Avast, and it certainly has never tried accessing the net: I’ve never had a relevant alert from my firewall in the 3 years or so I’ve been using one.
And it is definitely Avast that is starting RPC as a running process.

Hello!

Today finds me feeling very pleased with myself. :slight_smile:

I have, I think, solved almost all of my problems with Avast!.

After reading the replies to my post of yesterday (thanks!), I realised that the dll modification had actually worked, in as far as that whilst Avast! was still causing dial-up-behaviour, the Avast!/RPCSS process was no longer contributing toward this.

It then occurred to me that I had seen references to an .ini file modification in several threads, and so I edited my Avast! .ini file (whilst I was at it I also altered some timeout values which seemed far too low).

Now my firewall traffic log shows that neither Avast! nor RPCSS is constantly listening/attempting to access the internet.

Enough of my gloating.

In reading this thread, I have been struck by the fact that many seem not to understand the fundamental differences between NT/2000 & 98/ME.

Many network protocols and the associated services and processes are native to NT/2000 and are run automatically and by default. RPC is, I think, one of these.

Most of these protocols/services/processes are not native to 98 or ME and are tacked on for reasons of cross-platform compatibility. But they don’t always play nicely.

So, in NT/2000, RPCSS would almost certainly be running anyway. However, in ME (and I suspect 98), RPCSS is not widely utilized and certainly on my machine it was not used by any of my autorun services until I installed Avast!.

So, there you have it.

Cheers;
Flash.

In my last message I forgot to say that my tinkering also seems to have cured the problems I had been experiencing with Scandisk disruptions since I installed Avast!

Also, since installation I had been experiencing some sporadic login problems, especially when rebooting, and these might be gone (I hope)…

-Flash.

Hi flash
Hey, you have the exact same setup as I do. win me, avast4,
sygate personal, a dial-up. But I already had RPCSS as a process
RPCSS is distributed com services, and it is set to ask me for access, I can’t remember when I noticed it, you’re right it’s not installed along with the system, I think though works or something else put it there, and needs it, rpcss by itself cannot access the internet neither will avast so maybe you have something else set to auto-update or autodial?
at least the way I’m understanding it, and rpcss is necessary for parts of some programs to talk to other parts of itself and other programs
though maybe you have some sleeping monster and now that it’s active, allows it to awaken,
Have you been to spf’s forum?
some places I’ve looked:
http://www.cexx.org/rpc.htm
http://www.computing.net/security/wwwboard/forum/2553.html
http://www.annoyances.org/exec/forum/winme/t1028301859
Well there is no end to it on google.
Regards
Lonny

Hi!

Thanx Lonny - your response was very much appreciated.

I suspect that there are many factors at play in motivating our PCs’ strange behaviours.

Since I seem to have solved most of my problems (for now…), I guess I’ll have to be satisfied with that.

Cheers;
Flash.

Like flash says, problem solved as far as I’m concerned too, so this will probably be the end of this thread for me.

Thanks for all your views and ideas.
Wouldn’t say no to a link to that thread you found though flash (avast.ini)

I’m happy now to allow RPCSS to run, but still without the Rpcltscm.dll. (It DOES work for me lol)

VLK is right when he says it’s required for the virus chest, with RPCSS disabled you are unable to move a file to the chest, so if you wanna use that function, or if any other program needs RPCSS, leave it running.
I think it’s clear now that avast does not need to start this server to function, VLK backs this up, but IS wrong about RPCSS being enabled as default.

As pcb pointed out, your program STARTS the RPCSS process on our OS.

If I disable your software, RPCSS does NOT start on my machine.
Avast may not use the networking side of things, but when RPCSS starts, it also then kicks off a load of other services, including the dll I mentioned which STARTS THE SERVER which DEFFO LISTENS ON PORT 135 (trust me! lol).

By the way, I’ve now blocked all incoming blue bitmaps from passing through the firewall just to be sure (I AM that paranoid lol)

Anyway, if you think this thread is long, check this out!
http://computing.net/windows95/wwwboard/forum/3943.html.

Gives a lot of theories including a conspiracy theory that suggests 135 is opened so Microsoft can check on piracy!
(Woooooahhh, now I really AM worried! lol)

A far more productive and extremely informative page can be found at http://www.cexx.org/rpcss.htm

C’y’all soon.
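
A way to settle the port 135 question raised in this thread, as an added example that is not part of any post: the Python below parses Windows `netstat -an` output and reports whether anything is bound to port 135 and on which address. The sample output is constructed for illustration, and the function names are hypothetical; a purely local RPC transport has no socket and so never appears in this listing.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1034      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

def parse_listeners(netstat_text):
    """Return (proto, address, port) for each TCP listener and bound UDP socket."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or other text
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        # Only LISTENING TCP sockets accept connections; UDP rows carry no state.
        if proto == "TCP" and state != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # service name instead of a number (netstat run without -n)
        found.append((proto, addr.strip("[]"), int(port)))
    return found

def exposure(addr):
    """Loopback binds are local-only; 0.0.0.0 or an interface address is not."""
    ip = ipaddress.ip_address(addr)
    return "local-only" if ip.is_loopback else "network-reachable"

def check_port(netstat_text, port=135):
    """List sockets bound to `port` together with their exposure class."""
    return [(proto, addr, exposure(addr))
            for proto, addr, num in parse_listeners(netstat_text) if num == port]

if __name__ == "__main__":
    for proto, addr, kind in check_port(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:135 -> {kind}")
```

A "network-reachable" result only means the socket is bound beyond loopback; a firewall in front of it may still block inbound traffic.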

Cheers Jusme,

Thanks once again for your excellent dll renaming tip.
And all your other input.

and Flash,
I too would like to know more on your Avast4.ini tweak. Would you mind sharing your expertise?

Thanks,

PcB