I (still) Have a Worm! Please Help! W32.Randex.E aka RPCSDBOT.A


Guest

Hi there,

I have the rpcsdbot.a worm, also known as W32.Randex.E, and while it's not really causing me any direct headaches, I'd REALLY like to be rid of this thing.

I've tried everything.

I've downloaded the WindowsXP-KB823980-x86-ENU.exe patch from Microsoft that is recommended here:
http://www.sophos.com/virusinfo/analyses/w32rpcsdbota.html

and talked about and linked to here (Microsoft Security Bulletin MS03-026):
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

I've run Trend Micro, Panda ActiveScan, Symantec, and BitDefender online virus scans.

I've tried to manually remove it (files, registry entries) according to this:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RPCSDBOT.A

as well as this
http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.e.htm

I've tried to delete the yuetyutr.dll and winlogin.exe files from the \system32 directory manually, but yuetyutr.dll is always in use and winlogin.exe always returns in about 5 seconds. Same goes for the registry entries I try to delete.

I don't have the malicious files, "winlogin.exe" or sntask32.exe, running, at least in the task manager.

PLEEEASE..... any help on getting this outta my system would be VERY appreciated.

:(
 
http://vil.nai.com/vil/stinger/
It's worth a shot ;)

 
It may be in your System Restore files and re-loads itself. Try clearing
System Restore and go through the removal process again.

LOL, JAX

 
Hi Dave

Thanks for your reply, but unfortunately, that app didn't work. :

anyone? help... help......
 
System Restore had been disabled, as per the instructions from the websites I posted.


anyone?

:(
 
DAN said:
Hi there,

I have the rpcsdbot.a worm, also known as W32.Randex.E, and while it's
not really causing me any direct headaches, I'd REALLY like to be rid
of this thing.

I've tried everything.

Have you tried HijackThis? From http://mjc1.com/mirror/hjt/ After
running, post your log to the recommended forum.

Kimmy
 
Hi Kimmy,

Thanks for the link. I ran it and got a log.. but where do you mean when you say "the recommended forum."? Where should I post it?
 
Follow these removal instructions "to the letter"; you
should be able to delete yuetyutr.dll in safe mode.
Since you said that this is not really causing you
problems, consider this trojan a blessing; it has shown you
that you need to secure your system better. Norton has
been able to stop this since August; keep your A/V updated
daily and shut off unneeded services.

http://www.blackviper.com/WinXP/servicecfg.htm

http://grc.com/dcom/

Good luck
 
MAP, thanks for your replies.

But the pages you linked to were not instructions per se; they were web pages on tweaks and running services, and the DCOMbobulator is just a util that essentially closes ports.

I don't have any malicious/worm-related services or programs running. Could you please provide what I need to do?


thank you.
 