HELP!! I Have A Worm! rpcsdbot.a


Hi there

I have the rpcsdbot.a worm, and while it's not really causing me any direct headaches, I'd REALLY like to be rid of this thing.

I've tried everything.

I've downloaded the WindowsXP-KB823980-x86-ENU.exe patch from Microsoft that is recommended here:
http://www.sophos.com/virusinfo/analyses/w32rpcsdbota.html

and talked about and linked to here (Microsoft Security Bulletin MS03-026):
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

I've run Trend Micro, Panda ActiveScan, and BitDefender online virus scans.

I've tried to manually remove it (files, registry entries) as outlined here: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RPCSDBOT.A

I've tried to delete the yuetyutr.dll and winlogin.exe files from the \system32 directory manually, but yuetyutr.dll is always in use and winlogin.exe always returns in about 5 seconds. Same goes for the registry entries I try to delete.

PLEEEASE..... any help on getting this outta my system would be VERY appreciated.

 
Hi Dan,

Stop any running processes of the same via Task Manager, then remove the run
keys then go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right pane scroll down to Shell, delete everything listed there
except: explorer.exe

 
Hi Kelly

Thanks for your reply. Unfortunately, this did not work. Seconds after I modify the value, the winlogin.exe value comes back, as per my description above.

Anyone? Please help!
 
You have to kill the program (e.g. the worm) that is writing it.

Type in Start > Run:

cmd /c tasklist > "%userprofile%\desktop\tasklist.txt"

and post the contents of the text file that appears on your desktop.
 
Thanks, David. Good luck, Dan.


 
Hi David. Thanks for your reply. Unfortunately, the process isn't there. I believe you are looking for nstask32.exe or winlogin.exe. As you can see, neither is running (don't confuse with winlogON.exe, which is a legit system process):



Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 20 K
System 4 Console 0 228 K
smss.exe 448 Console 0 464 K
csrss.exe 496 Console 0 3,664 K
winlogon.exe 520 Console 0 4,240 K
services.exe 564 Console 0 3,224 K
lsass.exe 576 Console 0 1,476 K
svchost.exe 756 Console 0 2,908 K
svchost.exe 808 Console 0 17,164 K
StyleXPService.exe 836 Console 0 2,280 K
svchost.exe 924 Console 0 2,292 K
svchost.exe 968 Console 0 3,632 K
spoolsv.exe 1132 Console 0 3,756 K
alg.exe 1272 Console 0 3,780 K
AvidSDMService.exe 1284 Console 0 1,048 K
CDANTSRV.EXE 1320 Console 0 1,288 K
gearsec.exe 1348 Console 0 1,308 K
mdm.exe 1376 Console 0 2,820 K
NeroSVC.exe 1512 Console 0 1,980 K
explorer.exe 1680 Console 0 23,412 K
nvsvc32.exe 1700 Console 0 2,992 K
svchost.exe 1784 Console 0 2,780 K
Tablet.exe 1824 Console 0 3,128 K
wanmpsvc.exe 1908 Console 0 2,228 K
TrayServer.exe 688 Console 0 6,616 K
CTHELPER.EXE 692 Console 0 6,436 K
rundll32.exe 916 Console 0 5,444 K
wcescomm.exe 1428 Console 0 2,844 K
rundll32.exe 1456 Console 0 4,272 K
EM_EXEC.EXE 1596 Console 0 5,352 K
aoltray.exe 1504 Console 0 4,700 K
ObjectDock.exe 1732 Console 0 7,360 K
opera.exe 1576 Console 0 44,360 K
SmartFTP.exe 1628 Console 0 2,236 K
Icq.exe 1184 Console 0 16,240 K
wmiprvse.exe 2744 Console 0 4,364 K
cmd.exe 2832 Console 0 1,424 K
cmd.exe 3212 Console 0 1,324 K
tasklist.exe 3220 Console 0 4,272 K



In fact, running msconfig (System Configuration Utility), I see that winlogin.exe is classified as a startup item. So it must be running. However, if I try to UNCHECK it in the Startup tab, it just reappears after I restart.

PLEASE HELP!!!
 
David isn't confusing anything, you are. Go to the registry key I mentioned
just a bit ago and clear Shell except for explorer.exe

 
Kelly suggests this
Have him run Doug's exe

http://www.dougknox.com/xp/utils/WinloginRemove.zip

Post back if it doesn't work. Viruses are easy to remove. Just have to understand their defences.

Seeing you have a lot of crap installed I'm downloading a database listing files so I can check each filename. But it's taking a long time.
--
----------------------------------------------------------
http://www.g2mil.com/Dec2003.htm
 
Kelly,

As I have already stated, the method you suggested did not work. Upon refreshing the registry, the winlogin.exe value comes back, as I have already said.

(In fact, the method you suggest would alone not even work according to this Symantec security response on the subject:
http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.e.html)

If you have any other info, please feel free to provide it. Please don't be rude. All I did was supply the info David Candy requested.


If there is anyone else who has information pertaining to the problem, I would really appreciate any insight you have. Thanks!
 
You have two cmd listed in that post. According to Symantec this creates a hidden cmd. My instruction would create 1.

So Ctrl-Alt-Delete, look up the PID of cmd, then type cmd in Start > Run and type

taskkill /f /pid <pid #>

Also, what are those two rundll32?
 
Hi David.

I tried to run the exe from that zip. Unfortunately, it just deletes the reg entries that are outlined in the Symantec page. I am still having the same problem of the entries being regenerated every 5 seconds or so after deletion. Same goes for the winlogin.exe in my system32 directory if I try to delete it manually.

Any ideas?
 
Dan,

First off, I am not rude nor ever intend to be taken that way. You seem
thorough enough to relate to, am just trying to make sure you are case on/in
point. Seems so.

In another post you gave a link that suggested areas to check. In this one
you provided info concerning Randex (which I have a cleaner for on line
258):
http://www.kellys-korner-xp.com/xp_tweaks.htm

That said, it seems your issues are more complex. Download and run Doug's
Startup Tracker: http://www.dougknox.com/xp/utils/StartupTracker3.zip and
post the log file here.

Good luck!

All the Best,
Kelly

MS-MVP Win98/XP
[AE-Windows® XP]

Troubleshooting Windows XP
http://www.kellys-korner-xp.com

Utilities for Windows XP
http://www.kellys-korner-xp.com/xp_u.htm#xp_util

 