System reboots every few hours. Probably malware but nothing found.

Hi All,

I have a problem with my Laptop where it reboots every few hours with the message that the system is rebooting because the RPC service has stopped.

Please read the thread where I originally asked for expert help:

As you can see I have collected a FileMon of the activity around the time it happened and it looks malicious to me. It is creating a program called dts12.exe which seems to collect some information, create a dll called mspush.dll and call it.

It does all this under the watchful eye of McAfee (Corporate).

I have scanned my laptop with SuperAntiSpyware, MalwareBytes, Spyware S&D and I am now trying an online scan with Kaspersky. None of them have found anything malicious.

Someone else seems to have the same problem:

Please only focus on the 'System Shutdown' dialog in the screenshot and the narrative below. Refrain, for your own sanity, from studying the rest of the screenshot and from following the discussion.

I've attached the FileMon log as an xls. I believe you can see signs of Winlogon recognising that the RPC has stopped in record 5245 just after what looks like an invocation of mspush.dll by dts12.exe.

Notice that dts12.exe is created on the fly by a svchost.exe a little further up the log and dts12 creates mspush.dll on the fly too. This looks distinctly fishy to me.

Has anyone got any ideas what this is and how I can get rid of it?
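The FileMon pattern the question describes (a service writes an .exe into System32, that .exe writes a .dll and then loads it) can be checked mechanically rather than by scrolling through thousands of rows. The following is an added example, not code from the original post or from Sysinternals; it parses FileMon's tab-separated export (sequence, time, process:pid, request, path, result, other) and flags binaries dropped under System32, the process that dropped each one, whether the dropper was itself dropped earlier, and any later open-for-execute of a dropped file. The log lines are constructed to mirror the scenario above, and the assumption that FileMon reports a CREATE_ALWAYS open as "Options: OverwriteIf" and a module load as "Access: Execute" is marked in the code; adjust those two substrings if your export wording differs.

```python
"""Triage a FileMon-style log for a drop chain such as
svchost.exe -> dts12.exe -> mspush.dll.  Added example, not the poster's
tooling; SAMPLE_LOG is constructed, not the real FileMon export."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in FileMon's tab-separated layout:
# seq, time, process:pid, request, path, result, other
SAMPLE_LOG = """\
5230\t10:11:58\tsvchost.exe:1040\tOPEN\tC:\\WINDOWS\\system32\\dts12.exe\tSUCCESS\tOptions: OverwriteIf  Access: All
5231\t10:11:58\tsvchost.exe:1040\tWRITE\tC:\\WINDOWS\\system32\\dts12.exe\tSUCCESS\tOffset: 0 Length: 24576
5232\t10:11:58\tsvchost.exe:1040\tCLOSE\tC:\\WINDOWS\\system32\\dts12.exe\tSUCCESS\t
5236\t10:11:59\tdts12.exe:2212\tOPEN\tC:\\WINDOWS\\system32\\mspush.dll\tSUCCESS\tOptions: OverwriteIf  Access: All
5237\t10:11:59\tdts12.exe:2212\tWRITE\tC:\\WINDOWS\\system32\\mspush.dll\tSUCCESS\tOffset: 0 Length: 8192
5240\t10:11:59\tdts12.exe:2212\tOPEN\tC:\\WINDOWS\\system32\\mspush.dll\tSUCCESS\tOptions: Open  Access: Execute
5241\t10:12:00\tnotepad.exe:3100\tOPEN\tC:\\Documents and Settings\\paul\\notes.txt\tSUCCESS\tOptions: Open  Access: Read
5245\t10:12:03\twinlogon.exe:620\tOPEN\tC:\\WINDOWS\\system32\\config\\system\tSUCCESS\tOptions: Open  Access: Read
"""

SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")
BINARY_EXT = (".exe", ".dll", ".sys")


@dataclass
class Record:
    seq: int
    time: str
    process: str   # image name, lower-cased
    pid: int
    request: str
    path: str
    result: str
    other: str


def parse_filemon(text: str) -> List[Record]:
    """Parse tab-separated FileMon rows; tolerates a missing trailing column."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (7 - len(fields))
        seq, time, proc, request, path, result, other = fields[:7]
        name, sep, pid = proc.rpartition(":")
        if not sep:                      # no ':pid' suffix on this row
            name, pid = proc, "0"
        records.append(Record(int(seq), time, name.lower(), int(pid),
                              request.upper(), path, result, other))
    return records


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_system_binary(path: str) -> bool:
    p = path.lower()
    return p.endswith(BINARY_EXT) and any(d in p for d in SYSTEM_DIRS)


def dropped_binaries(records: List[Record]) -> Dict[str, str]:
    """Map each System32 binary that gets written -> process that first wrote it.
    Assumption: a CREATE_ALWAYS open shows as 'Options: OverwriteIf' and data
    writes as WRITE; either counts as dropping the file."""
    drops: Dict[str, str] = {}
    for r in records:
        if r.result != "SUCCESS" or not is_system_binary(r.path):
            continue
        created = r.request == "OPEN" and "OverwriteIf" in r.other
        if created or r.request == "WRITE":
            drops.setdefault(basename(r.path), r.process)
    return drops


def drop_chain(records: List[Record]) -> List[Tuple[str, str, Optional[str]]]:
    """(writer, dropped file, who dropped the writer) per dropped binary.
    A writer that was itself dropped earlier is the 'created on the fly' pattern."""
    drops = dropped_binaries(records)
    return [(writer, name, drops.get(writer)) for name, writer in drops.items()]


def loaded_after_drop(records: List[Record]) -> List[Tuple[str, str]]:
    """(process, file) pairs where a dropped binary is opened for execute.
    Assumption: FileMon reports a module load as 'Access: Execute'."""
    drops = dropped_binaries(records)
    hits = []
    for r in records:
        name = basename(r.path)
        if name in drops and r.request == "OPEN" and "Execute" in r.other:
            hits.append((r.process, name))
    return hits


if __name__ == "__main__":
    recs = parse_filemon(SAMPLE_LOG)
    for writer, dropped, origin in drop_chain(recs):
        tag = f" (writer itself dropped by {origin})" if origin else ""
        print(f"{writer} wrote {dropped}{tag}")
    for proc, name in loaded_after_drop(recs):
        print(f"{proc} loaded dropped file {name}")
```

Run against a real export by replacing SAMPLE_LOG with the file contents (FileMon's "Save As" produces the same tab-separated columns). Anything System32 writes by a generic host like svchost.exe, and any newly written file that is immediately opened for execute, is what a reviewer should look at first; the record numbers in the output let you jump back to the surrounding rows, for example to see what winlogon does right after.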


IndiGenus Commented:

Both the dts12.exe and mspush.dll files are pretty much surely malware.

I think it would be a good idea to run ComboFix at this point.

Please download ComboFix from either of these links to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.

PaulCaswellAuthor Commented:
Hi nlcafe,

I am pretty confident this is not msblast. I have run the small scan script and the McAfee full scan. No sign. I am running XP fully patched and updated with corporate McAfee anti-virus and regular (weekly) spyware scans.


Well, I know rpggamergirl and IndiGenus are very good at this stuff. Maybe they'll get here soon and recommend ComboFix or SDFix. Also, check:
Hi Paul,
McAfee Antivirus alone does not defend against spyware! You will need the McAfee Antispyware add-on.
Keep that in mind for future.

Have you tried running Windows Malicious Software Removal Tool (KB890830)?
Run hijack this- Post log

Turn off system restore.

Delete the bad entries.

Turn back on system restore. You will be done. Don't make this harder than it is. If you want help, listen to these guys.
PaulCaswellAuthor Commented:
Thanks for the suggestions people.

I'll be running Combofix as per your instructions.

I think I've either removed it or disabled it because it hasn't happened today. I expect ComboFix will tell me.

Last night I did a clean boot and went straight in with Process Explorer and terminated any services and background apps I knew weren't necessary. Essentially leaving me with just Microsoft and McAfee services.

I then watched for a while to see if any services started themselves up again. The most persistent were from 'Nokia PC' so I uninstalled that and started again.

I noticed that spoolsv also had a svchost child process. Is this normal?

I then created a folder called DTS12.exe in my System32 folder to stop the creation of DTS12.exe that I noticed in the FileMon log.

So, the combination of the removal of Nokia PC and the creation of the folder has stopped the crashes.

Last night there was definitely a copy of mspush.dll in my System32 folder but there wasn't today, which points at Nokia, but I have had it installed for over a year and had no troubles with it.

I'll let you know what ComboFix finds.

I posted a HijackThis log on the other thread. Are you asking for a new one?

Yes, post a new HJT log after running combofix.
PaulCaswellAuthor Commented:
Hi people. ComboFix finished, log attached.

HJT on its way.


PaulCaswellAuthor Commented:
HJT log enclosed.

Nothing amiss in there that I can see.


PaulCaswellAuthor Commented:
I've also added an entry in my McAfee onAccess rules to alert me and block creation of System32\dts21.exe. Hopefully that will disable it even if it is still there.

I notice some md5s of spoolsvc in the ComboFix log. Am I right in guessing that something may be lurking there?

Hmm, maybe if it ever appears again, you can submit the file to Malwarebytes or SUPERAntiSpyware or whoever. Anyway, your logs look clean to me. Wait for rpggamergirl or IndiGenus to check.
PaulCaswellAuthor Commented:
I've removed the dt12.exe folder and I'm now going to leave it to McAfee to catch it if it's still there.

I'll leave this question open for a few days in case it comes back like last time.

Thanks again all for your help.

Thanks, I ran combofix and also deleted the original dts12.exe, and created a folder called DTS12.exe in system32.  Now I just have to do this on EVERY computer at my work, and at home...sigh!  Upon further inspection, it seems that every box @ work has InClick.txt in C:\...the strange thing is, only a handful of them have the RPC restarting thing.
PaulCaswellAuthor Commented:
Hi surgexx,

I had the same feeling you had about the Blaster derivative.

The odd thing I noticed in the FileMon log was the creation of DTS12.exe by a service called svchost, which seems unlikely doesn't it? Combine that with the fact that I also noticed a svchost child process of spoolsv and it may be in a printer driver or spooler somewhere.

It seems to have got/gone away or is hiding on my setup. Perhaps these guys will catch it on yours.

I think it is collecting information and posting somewhere through the web.

I got quite a lot out of the FileMon log. You might like to install the new Sysinternals Process Monitor if you haven't yet. You could then have a trace of everything it does. Just leave it running and logging until the RPC restart kicks in.

I hope someone comes in to look. You may get more help if you post your own question and include a link to this one.

PaulCaswellAuthor Commented:
P.S. I have no proof that the creation of a folder called DTS32.exe made any difference. I never saw the effect after that but that was the last in a long line of scans from many different spyware removal tools and the complete deinstallation of a quite complex package.
