Hi All,
I have a problem with my Laptop where it reboots every few hours with the message that the system is rebooting because the RPC service has stopped.
Please read the thread where I originally asked for expert help:
http://www.experts-exchang
As you can see I have collected a FileMon of the activity around the time it happened and it looks malicious to me. It is creating a program called dts12.exe which seems to collect some information, create a dll called mspush.dll and call it.
It does all this under the watchfull eye of MacAfee (Corporate).
I have scanned my laptop with SuperAntiSpyware, MalwareBytes, Spyware S&D and I am now trying an online scan with Kaspersky. None of them have found anything malicious.
Someone else seems to have the same problem:
http://www.bwhacks.com/for
Please only focus on the 'System Shutdown' dialog in the screenshot and the narrative below. Refrain, for your own sanity, from studying the rest of the screenshot and from following the discussion.
I've attached the FileMon log as an xls. I believe you can see signs of Winlogon recognising that the RPC has stopped in record 5245 just after what looks like an invocation of mspush.dll by dts12.exe.
Notice that dts12.exe is created on the fly by a svchost.exe a little further up the log and dts12 creates mspush.dll on the fly too. This looks distinctly fishy to me.
Has anyone got any ideas what this is and how I can get rid of it?
Paul
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Well, I know rpggamergirl and IndiGenus are very good at this stuff. Maybe they'll get here soon and recommend ComboFix or SDFix. Also, check:
http://www.computerhope.co
Hi,
Both the dts12.exe and mspush.dll files are pretty much surely malware.
I think it would be a good idea to run combofix at this.
Please download ComboFix from either of these links to your Desktop.
http://subs.geekst
http://dow
**Note
1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
http://www.bleepingcom
* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
Thanks for the suggestions people.
I'll be running Combofix as per your instructions.
I think I've either removed it or disabled it because it hasn't happened today. I expect ComboFix will tell me.
Last night I did a clean boot and went straight in with Process Explorer and terminated any services and background apps I knew weren't necessary. Essentially leaving me with just Microsoft and McAfee services.
I then watched for a while to see if any services started themselves up again. The most persistent were from 'Nokia PC' so I uninstalled that and started again.
I noticed that spoolsv also had a svchost child process. Is this normal?
I then created a folder called DTS12.exe in my System32 folder to stop the creation of DTS12.exe that I noticed in the FileMon log.
So, the combination of the removal of Nokia PC and the creation of the folder has stopped the crashes.
Last night there was definitely a copy of mspush.dll in my System32 folder but there wasnt today which points at Nokia but I have had it installed for over a year and had no troubles with it.
I'll let you know what ComboFix finds.
I posted a HijackThis log on the other thread. Are you asking for a new one?
Paul
Thanks, I ran combofix and also deleted the original dts12.exe, and created a folder called DTS12.exe in system32. Now I just have to do this on EVERY computer at my work, and at home...sigh! Upon further inspection, it seems that every box @ work has InClick.txt in C:\...the strange thing is, only a handful of them have the RPC restarting thing.
Hi surgexx,
I had the same feeling you had about the Blaster derivative.
The odd thing I noticed in the FileMon log was the creation of DTS12.exe by a service called svchost, which seems unlikely doesn't it? Combine that with the fact that I also noticed a svchost child process of spoolsv and it may be in a printer driver or spooler somewhere.
It seems to have got/gone away or is hiding on my setup. Perhaps these guys will catch it on yours.
I think it is collecting information and posting somewhere through the web.
I got quite a lot out of the FileMon log. You might like to install the new Sysinternals ProcessMonitor if you havent yet. You could then have a trace of everything it does. Just leave it running and logging until the RPC restart kicks in.
I hope someone comes in to look. You may get more help if you post your own question and include a link to this one.
Paul
Business Accounts
Answer for Membership
by: nlcafePosted on 2008-10-02 at 14:26:05ID: 22628857
http://www.microsoft.com/t
Have you tried that. I breifly scanned your other posts.
IHave you performed all these steps?
http://www.softwaretipsand