Solved

System reboot every few hours. Probably malware but nothing found.

Posted on 2008-10-02
Last Modified: 2013-12-09
Hi All,

I have a problem with my laptop where it reboots every few hours with the message that the system is rebooting because the RPC service has stopped.

Please read the thread where I originally asked for expert help:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_23767371.html#a22627180

As you can see I have collected a FileMon of the activity around the time it happened and it looks malicious to me. It is creating a program called dts12.exe which seems to collect some information, create a dll called mspush.dll and call it.

It does all this under the watchful eye of McAfee (Corporate).

I have scanned my laptop with SuperAntiSpyware, MalwareBytes, Spyware S&D and I am now trying an online scan with Kaspersky. None of them have found anything malicious.

Someone else seems to have the same problem:

http://www.bwhacks.com/forums/hardware-software/35630-computer-forces-restard-every-hour.html

Please only focus on the 'System Shutdown' dialog in the screenshot and the narrative below. Refrain, for your own sanity, from studying the rest of the screenshot and from following the discussion.

I've attached the FileMon log as an xls. I believe you can see signs of Winlogon recognising that the RPC has stopped in record 5245 just after what looks like an invocation of mspush.dll by dts12.exe.

Notice that dts12.exe is created on the fly by a svchost.exe a little further up the log and dts12 creates mspush.dll on the fly too. This looks distinctly fishy to me.

Has anyone got any ideas what this is and how I can get rid of it?

Paul
FileMon.xls
Question by:PaulCaswell

Expert Comment

by:nlcafe
ID: 22628857

Author Comment

by:PaulCaswell
ID: 22629315
Hi nlcafe,

I am pretty confident this is not msblast. I have run the small scan script and the McAfee full scan. No sign. I am running XP fully patched and updated with corporate McAfee anti-virus and regular (weekly) spyware scans.

Paul

Expert Comment

by:orangutang
ID: 22630327
Well, I know rpggamergirl and IndiGenus are very good at this stuff. Maybe they'll get here soon and recommend ComboFix or SDFix. Also, check:
http://www.computerhope.com/forum/index.php?topic=67362.0;all

Accepted Solution

by:IndiGenus (earned 500 total points)
ID: 22630411
Hi,

Both the dts12.exe and mspush.dll files are pretty much surely malware.

I think it would be a good idea to run ComboFix at this point.

Please download ComboFix from either of these links to your Desktop.
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
http://www.bleepingcomputer.com/forums/topic114351.html

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.



Expert Comment

by:yhalai
ID: 22632500
Hi Paul,
McAfee Antivirus alone does not defend against spyware! You will need the McAfee Anti-Spyware add-on.
Keep that in mind for future.


Have you tried running Windows Malicious Software Removal Tool (KB890830)?

Expert Comment

by:nlcafe
ID: 22633389
Run HijackThis and post the log.

Turn off system restore.

Delete the bad entries.

Turn system restore back on. You will be done. Don't make this harder than it is. If you wanted help, listen to these guys.

Author Comment

by:PaulCaswell
ID: 22636342
Thanks for the suggestions people.

I'll be running Combofix as per your instructions.

I think I've either removed it or disabled it because it hasn't happened today. I expect ComboFix will tell me.

Last night I did a clean boot and went straight in with Process Explorer and terminated any services and background apps I knew weren't necessary. Essentially leaving me with just Microsoft and McAfee services.

I then watched for a while to see if any services started themselves up again. The most persistent were from 'Nokia PC' so I uninstalled that and started again.

I noticed that spoolsv also had a svchost child process. Is this normal?

I then created a folder called DTS12.exe in my System32 folder to stop the creation of DTS12.exe that I noticed in the FileMon log.

So, the combination of the removal of Nokia PC and the creation of the folder has stopped the crashes.

Last night there was definitely a copy of mspush.dll in my System32 folder but there wasn't today, which points at Nokia, but I have had it installed for over a year and had no troubles with it.

I'll let you know what ComboFix finds.

I posted a HijackThis log on the other thread. Are you asking for a new one?

Paul
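The "folder named DTS12.exe" trick in the comment above works because CreateFile on a path that is already a directory fails, so a dropper that does not handle the error never gets its file on disk. The script below is an added example (not code from the thread or from any tool named in it) that demonstrates the trick and its two limits: it covers only that exact name, and a dropper running as SYSTEM can simply remove an empty directory and retry. A temporary directory stands in for %SystemRoot%\system32 (an assumption), and the dropper is simulated by an ordinary file write.

```python
"""Placeholder-directory trick: occupy the path a dropper wants, then show
where the protection stops.

Added example, not code from the thread. A temporary directory stands in
for %SystemRoot%\\system32 (assumption); the dropper is a plain file write.
"""
import os
import tempfile


def block_drop_path(system32, name):
    """Occupy system32\\name with an empty directory. A later CreateFile on
    that exact name fails because a directory cannot be opened for writing."""
    path = os.path.join(system32, name)
    os.makedirs(path, exist_ok=True)
    return path


def attempt_drop(system32, name, payload=b"MZ\x90\x00"):
    """Simulate a dropper writing a PE image. Return True if the write succeeded."""
    try:
        with open(os.path.join(system32, name), "wb") as fh:
            fh.write(payload)
        return True
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False


def demo():
    """Return (unprotected, blocked, different_name, after_rmdir)."""
    with tempfile.TemporaryDirectory() as system32:
        unprotected = attempt_drop(system32, "dts12.exe")      # True: nothing in the way
        os.remove(os.path.join(system32, "dts12.exe"))
        placeholder = block_drop_path(system32, "dts12.exe")
        blocked = attempt_drop(system32, "dts12.exe")          # False: directory occupies the name
        different_name = attempt_drop(system32, "dts13.exe")   # True: only the exact name is covered
        # Limit 2: an empty directory can be removed by anyone with delete rights
        # on it (a SYSTEM-level dropper has them), after which the drop succeeds.
        os.rmdir(placeholder)
        after_rmdir = attempt_drop(system32, "dts12.exe")      # True
        return unprotected, blocked, different_name, after_rmdir


if __name__ == "__main__":
    print(demo())  # (True, False, True, True)
```

The trick is a stop-gap rather than a fix: it stops one hard-coded file name and survives only as long as the dropper does not delete the placeholder. If you want it to hold, put a deny ACL for Delete and Write on the placeholder directory (icacls on Vista and later, cacls on XP), or rely on an on-access block rule such as the McAfee rule discussed later in this thread, which fires on the creation attempt regardless of what is already at the path.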

Expert Comment

by:IndiGenus
ID: 22636504
Yes, post a new HJT log after running combofix.

Author Comment

by:PaulCaswell
ID: 22636892
Hi people. ComboFix finished, log attached.

HJT on its way.

Paul

ComboFix.txt

Author Comment

by:PaulCaswell
ID: 22636952
HJT log enclosed.

Nothing amiss in there that I can see.

Paul

hijackthis.log

Author Comment

by:PaulCaswell
ID: 22637155
I've also added an entry in my McAfee onAccess rules to alert me and block creation of System32\dts21.exe. Hopefully that will disable it even if it is still there.

I notice some md5s of spoolsvc in the ComboFix log. Am I right in guessing that something may be lurking there?

Paul

Expert Comment

by:orangutang
ID: 22637220
Hmm, maybe if it ever appears again, you can submit the file to Malwarebytes or SUPERAntiSpyware or whoever. Anyway, your logs look clean to me. Wait for rpggamergirl or IndiGenus to check.

Author Comment

by:PaulCaswell
ID: 22637294
I've removed the DTS12.exe folder and I'm now going to leave it to McAfee to catch it if it's still there.

I'll leave this question open for a few days in case it comes back like last time.

Thanks again all for your help.

Paul
Expert Comment

by:surgexx
ID: 22652393
Thanks, I ran combofix and also deleted the original dts12.exe, and created a folder called DTS12.exe in system32.  Now I just have to do this on EVERY computer at my work, and at home...sigh!  Upon further inspection, it seems that every box @ work has InClick.txt in C:\...the strange thing is, only a handful of them have the RPC restarting thing.

Author Comment

by:PaulCaswell
ID: 22652996
Hi surgexx,

I had the same feeling you had about the Blaster derivative.

The odd thing I noticed in the FileMon log was the creation of DTS12.exe by a service called svchost, which seems unlikely, doesn't it? Combine that with the fact that I also noticed a svchost child process of spoolsv and it may be in a printer driver or spooler somewhere.

It seems to have got/gone away or is hiding on my setup. Perhaps these guys will catch it on yours.

I think it is collecting information and posting somewhere through the web.

I got quite a lot out of the FileMon log. You might like to install the new Sysinternals Process Monitor if you haven't yet. You could then have a trace of everything it does. Just leave it running and logging until the RPC restart kicks in.

I hope someone comes in to look. You may get more help if you post your own question and include a link to this one.

Paul
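The pattern the question describes in the FileMon log (svchost.exe writing dts12.exe into System32, dts12.exe then writing mspush.dll and calling it) and the Process Monitor trace suggested in the comment above are the same thing viewed twice: a drop-then-execute chain. The script below is an added example, not the poster's FileMon.xls or any tool from the thread, that pulls that chain out of a Process Monitor CSV export (File > Save, Comma-Separated Values). It assumes Process Monitor's default column layout ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the embedded log rows are constructed to mimic the sequence described in the question, plus two benign writes that must not be flagged. For a FileMon export only the column names differ.

```python
"""Find drop-then-execute chains in a Process Monitor CSV export.

Added example, not code from the thread. Assumes Process Monitor's default
CSV columns; SAMPLE_LOG is constructed, not a real capture.
"""
import csv
import io
import ntpath

PE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")

# Constructed rows modelled on the sequence the question describes.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:01:03.0101","svchost.exe","1044","CreateFile","C:\WINDOWS\system32\dts12.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"12:01:03.0250","svchost.exe","1044","WriteFile","C:\WINDOWS\system32\dts12.exe","SUCCESS","Offset: 0, Length: 24,576"
"12:01:03.0400","svchost.exe","1044","WriteFile","C:\WINDOWS\system32\wbem\Logs\wmiprov.log","SUCCESS","Offset: 4,096, Length: 120"
"12:01:03.5000","svchost.exe","1044","Process Create","C:\WINDOWS\system32\dts12.exe","SUCCESS","PID: 2212, Command line: dts12.exe"
"12:01:04.0100","dts12.exe","2212","WriteFile","C:\WINDOWS\system32\mspush.dll","SUCCESS","Offset: 0, Length: 8,192"
"12:01:04.3000","dts12.exe","2212","Load Image","C:\WINDOWS\system32\mspush.dll","SUCCESS","Image Base: 0x10000000, Image Size: 0x6000"
"12:02:00.0000","spoolsv.exe","1320","WriteFile","C:\WINDOWS\system32\spool\PRINTERS\00001.SPL","SUCCESS","Offset: 0, Length: 4,096"
'''


def _is_pe_write(operation, path, detail):
    """True for a successful write, or create-for-write, of a PE-type file."""
    if not path.lower().endswith(PE_EXTENSIONS):
        return False
    if operation == "WriteFile":
        return True
    return operation == "CreateFile" and "Generic Write" in detail


def find_drop_chains(csv_text):
    """Return one finding per dropped PE file that the same log later shows
    being executed (Process Create) or loaded (Load Image). Each finding
    names the writer, the consumer, and whether the consumer was itself a
    dropped file (a second stage, as dts12.exe is for mspush.dll)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    dropped = {}  # lower-cased full path -> (writer process, writer PID)
    for r in rows:
        if r["Result"] != "SUCCESS":
            continue
        if _is_pe_write(r["Operation"], r["Path"], r.get("Detail") or ""):
            dropped.setdefault(r["Path"].lower(), (r["Process Name"], r["PID"]))
    dropped_names = {ntpath.basename(p) for p in dropped}
    findings = []
    for r in rows:
        key = r["Path"].lower()
        if key not in dropped or r["Operation"] not in ("Process Create", "Load Image"):
            continue
        writer, writer_pid = dropped[key]
        findings.append({
            "at": r["Time of Day"],
            "dropped": ntpath.basename(r["Path"]),
            "written_by": writer,
            "writer_pid": writer_pid,
            "used_by": r["Process Name"],
            "how": r["Operation"],
            "second_stage": r["Process Name"].lower() in dropped_names,
        })
    return findings


if __name__ == "__main__":
    for f in find_drop_chains(SAMPLE_LOG):
        stage = "second-stage" if f["second_stage"] else "first-stage"
        print(f"{f['at']} {stage}: {f['written_by']} (PID {f['writer_pid']}) wrote "
              f"{f['dropped']}; {f['used_by']} then did {f['how']} on it")
```

A single svchost.exe write of a PE file into System32 is not the signal: the svchost instance hosting Windows Update legitimately writes executables and DLLs there. What makes the sequence in the question suspicious is that the same process writes the file and runs it within seconds, and that the thing loading mspush.dll is itself a file that did not exist a moment earlier. That is why the script keys on write-then-execute, not on writes alone, and why the sample's spoolsv.exe spool file and the wmiprov.log write come out clean.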

Author Comment

by:PaulCaswell
ID: 22653015
P.S. I have no proof that the creation of a folder called DTS12.exe made any difference. I never saw the effect after that, but that was the last in a long line of scans from many different spyware removal tools and the complete deinstallation of a quite complex package.

Paul