HELP!! I Have A Worm! rpcsdbot.a

Guest

Hi there

I have the rpcsdbot.a worm, and while it's not really causing me any direct headaches, I'd REALLY like to be rid of this thing.

I've tried everything

I've downloaded the WindowsXP-KB823980-x86-ENU.exe patch from Microsoft that is recommended here
URL=http://www.sophos.com/virusinfo/analyses/w32rpcsdbota.htm

and talked about and linked to here (Microsoft Security Bulletin MS03-026)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.as

I've run Trend Micro, Panda ActiveScan, and BitDefender online virus scans.

I've tried to manually remove it (files, registry entries) outlined here: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RPCSDBOT.

I've tried to delete the yuetyutr.dll and winlogin.exe files from the \system32 directory manually, but yuetyutr.dll is always in use and winlogin.exe always returns in about 5 seconds. Same goes for the registry entries I try to delete.

PLEEEASE..... any help on getting this outta my system would be VERY appreciated

 
Kelly

Hi Dan,

Stop any running processes of the same via Task Manager, then remove the Run
keys, then go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right pane scroll down to Shell and delete everything listed there
except: explorer.exe



DAN said:
Hi there,

I have the rpcsdbot.a worm, and while it's not really causing me any direct
headaches, I'd REALLY like to be rid of this thing.
I've tried everything.

I've downloaded the WindowsXP-KB823980-x86-ENU.exe patch from Microsoft that is recommended here:
URL=http://www.sophos.com/virusinfo/analyses/w32rpcsdbota.html

and talked about and linked to here (Microsoft Security Bulletin MS03-026):
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp


I've run Trend Micro, Panda ActiveScan, and BitDefender online virus scans.


I've tried to manually remove it (files, registry entries) outlined here: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RPCSDBOT.A


I've tried to delete the yuetyutr.dll and winlogin.exe files from the
\system32 directory manually, but yuetyutr.dll is always in use and
winlogin.exe always returns in about 5 seconds. Same goes for the
registry entries I try to delete.
 
Guest

Hi Kelly

Thanks for your reply. Unfortunately, this did not work. Seconds after I modify the value, the winlogin.exe value comes back, as per my description above.

Anyone? Please help!
 
David Candy

You have to kill the program (e.g. the worm) that is writing it.

Type in Start Run

cmd /c tasklist > "%userprofile%\desktop\tasklist.txt"

and post the contents of the text file that appears on your desktop.
 
Kelly

Thanks, David. Good luck, Dan.

 
Guest

Hi David. Thanks for your reply. Unfortunately, the process isn't there. I believe you are looking for nstask32.exe or winlogin.exe. As you can see, neither is running (don't confuse with winlogON.exe, which is a legit system process):



Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 20 K
System 4 Console 0 228 K
smss.exe 448 Console 0 464 K
csrss.exe 496 Console 0 3,664 K
winlogon.exe 520 Console 0 4,240 K
services.exe 564 Console 0 3,224 K
lsass.exe 576 Console 0 1,476 K
svchost.exe 756 Console 0 2,908 K
svchost.exe 808 Console 0 17,164 K
StyleXPService.exe 836 Console 0 2,280 K
svchost.exe 924 Console 0 2,292 K
svchost.exe 968 Console 0 3,632 K
spoolsv.exe 1132 Console 0 3,756 K
alg.exe 1272 Console 0 3,780 K
AvidSDMService.exe 1284 Console 0 1,048 K
CDANTSRV.EXE 1320 Console 0 1,288 K
gearsec.exe 1348 Console 0 1,308 K
mdm.exe 1376 Console 0 2,820 K
NeroSVC.exe 1512 Console 0 1,980 K
explorer.exe 1680 Console 0 23,412 K
nvsvc32.exe 1700 Console 0 2,992 K
svchost.exe 1784 Console 0 2,780 K
Tablet.exe 1824 Console 0 3,128 K
wanmpsvc.exe 1908 Console 0 2,228 K
TrayServer.exe 688 Console 0 6,616 K
CTHELPER.EXE 692 Console 0 6,436 K
rundll32.exe 916 Console 0 5,444 K
wcescomm.exe 1428 Console 0 2,844 K
rundll32.exe 1456 Console 0 4,272 K
EM_EXEC.EXE 1596 Console 0 5,352 K
aoltray.exe 1504 Console 0 4,700 K
ObjectDock.exe 1732 Console 0 7,360 K
opera.exe 1576 Console 0 44,360 K
SmartFTP.exe 1628 Console 0 2,236 K
Icq.exe 1184 Console 0 16,240 K
wmiprvse.exe 2744 Console 0 4,364 K
cmd.exe 2832 Console 0 1,424 K
cmd.exe 3212 Console 0 1,324 K
tasklist.exe 3220 Console 0 4,272 K



In fact, running msconfig (System Configuration Utility), I see that winlogin.exe is classified as a startup item. So it must be running. However, if I try to UNCHECK it in the Startup tab, it just reappears after I restart.

PLEASE HELP!!!
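A small triage check over output like the tasklist posted above, as an added example that is not from this thread or from any tool it links: it parses plain `tasklist` rows, flags the file names this thread associates with the worm, flags near-duplicates of real system process names (the winlogin/winlogon confusion discussed here), and lists anything in the Winlogon Shell value besides explorer.exe. The sample tasklist is constructed, and the svch0st.exe row is invented to exercise the lookalike check.

```python
import re

# Constructed sample modelled on the tasklist output posted in this thread;
# the svch0st.exe row is invented to exercise the lookalike check.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         20 K
winlogon.exe                   520 Console                    0      4,240 K
svchost.exe                    756 Console                    0      2,908 K
winlogin.exe                  1888 Console                    0      1,104 K
svch0st.exe                   2001 Console                    0      1,000 K
explorer.exe                  1680 Console                    0     23,412 K
"""

# Process names Windows XP itself runs from %SystemRoot%\system32.
LEGIT_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# File names this thread associates with the worm.
KNOWN_BAD = {"winlogin.exe", "nstask32.exe"}

ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")

def parse_tasklist(text):
    """Return (image_name, pid) tuples from plain `tasklist` output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(1).strip().lower(), int(m.group(2))))
    return rows

def one_char_off(a, b):
    """True when a and b are the same length and differ in exactly one place."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def suspicious_processes(text):
    """Flag known worm file names and lookalikes of real system process names."""
    hits = []
    for name, pid in parse_tasklist(text):
        if name in KNOWN_BAD:
            hits.append((name, pid, "known worm file name"))
        elif name not in LEGIT_SYSTEM:
            for legit in sorted(LEGIT_SYSTEM):
                if one_char_off(name, legit):
                    hits.append((name, pid, "lookalike of " + legit))
    return hits

def shell_value_extras(shell_value):
    """Entries in the Winlogon Shell value other than explorer.exe."""
    return [e.strip() for e in shell_value.split(",")
            if e.strip() and e.strip().lower() != "explorer.exe"]
```

Any hit from `suspicious_processes` is the PID to look at before clearing the Shell value, since a running process is what keeps rewriting it.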
 
Kelly

David isn't confusing anything, you are. Go to the registry key I mentioned
just a bit ago and clear Shell except for explorer.exe.




 
David Candy

Kelly suggests this:
Have him run Doug's exe

http://www.dougknox.com/xp/utils/WinloginRemove.zip

Post back if it doesn't work. Viruses are easy to remove. Just have to understand their defences.

Seeing you have a lot of crap installed I'm downloading a database listing files so I can check each filename. But it's taking a long time.
--
----------------------------------------------------------
http://www.g2mil.com/Dec2003.htm
 
Guest

Kelly,

As I have already stated, the method you suggested did not work. Upon refreshing the registry, the winlogin.exe value comes back, as I have already said.

(In fact, the method you suggest would alone not even work according to this Symantec security response on the subject:
http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.e.html)

If you have any other info, please feel free to provide it. Please don't be rude. All I did was supply the info David Candy requested.


If there is anyone else who has information pertaining to the problem, I would really appreciate any insight you have. Thanks!
 
David Candy

You have two cmd listed in that post. According to Symantec this creates a hidden cmd. My instruction would create one.

So Ctrl-Alt-Delete, look up the PID of cmd, then type cmd in Start Run and type

taskkill /f /pid <pid #>

Also, what are those two rundll32?
 
Guest

Hi David.

I tried to run the exe from that zip. Unfortunately, it just deletes the reg entries that are outlined in the Symantec page. I am still having the same problem of the entries being regenerated every 5 seconds or so after deletion. Same goes for the winlogin.exe in my system32 directory if I try to delete it manually.

any ideas?
 
Kelly

Dan,

First off, I am not rude nor ever intend to be taken that way. You seem
thorough enough to relate to, am just trying to make sure you are case on/in
point. Seems so.

In another post you gave a link that suggested areas to check. In this one
you provided info concerning Randex (which I have a cleaner for on line
258):
http://www.kellys-korner-xp.com/xp_tweaks.htm

That said, it seems your issues are more complex. Download and run Doug's
Startup Tracker: http://www.dougknox.com/xp/utils/StartupTracker3.zip and
post the log file here.

Good luck!

All the Best,
Kelly

MS-MVP Win98/XP
[AE-Windows® XP]

Troubleshooting Windows XP
http://www.kellys-korner-xp.com

Utilities for Windows XP
http://www.kellys-korner-xp.com/xp_u.htm#xp_util

 
