Re: HELP!! I Have A Worm! rpcsdbot.a
Kelly
January 31st 04, 07:01 AM
Hi Dan,
Stop any running processes of the same via Task Manager, then remove the Run
keys, then go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the right pane scroll down to Shell, delete everything listed there
except: explorer.exe
--
All the Best,
Kelly
MS-MVP Win98/XP
[AE-Windows® XP]
Troubleshooting Windows XP
http://www.kellys-korner-xp.com
Utilities for Windows XP
http://www.kellys-korner-xp.com/xp_u.htm#xp_util
"DAN" > wrote in message
...
> Hi there,
>
> I have the rpcsdbot.a worm, and while it's not really causing me any direct
headaches, I'd REALLY like to be rid of this thing.
>
> I've tried everything.
>
> I've downloaded the WindowsXP-KB823980-x86-ENU.exe patch from Microsoft
that is recommended here:
> URL=http://www.sophos.com/virusinfo/analyses/w32rpcsdbota.html
>
> and talked about and linked to here (Microsoft Security Bulletin
MS03-026):
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
>
>
> I've run Trend Micro, Panda ActiveScan, and BitDefender online virus
scans.
>
>
> I've tried to manually remove it (files, registry entries) outlined here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RPCSDBOT.A
>
>
> I've tried to delete the yuetyutr.dll and winlogin.exe files from the
\system32 directory manually, but yuetyutr.dll is always in use and
winlogin.exe always returns in about 5 seconds. Same goes for the
registry entries I try to delete.
>
>
> PLEEEASE..... any help on getting this outta my system would be VERY
appreciated.
>
> :(
>
>
David Candy
January 31st 04, 08:01 AM
You have to kill the program (e.g. the worm) that is writing it.
Type in Start Run
cmd /c tasklist > "%userprofile%\desktop\tasklist.txt"
and post the contents of the text file that appears on your desktop.
--
----------------------------------------------------------
http://www.g2mil.com/Dec2003.htm
"DAN" > wrote in message =
...
>
>
> Hi Kelly,
>
> Thanks for your reply. Unfortunately, this did not work. Seconds after I modify the value, the winlogin.exe value comes back, as per my description above.
>
>
> Anyone? Please help!
Kelly
January 31st 04, 08:22 AM
Thanks, David. Good luck, Dan.
--
All the Best,
Kelly
MS-MVP Win98/XP
[AE-Windows® XP]
Troubleshooting Windows XP
http://www.kellys-korner-xp.com
Utilities for Windows XP
http://www.kellys-korner-xp.com/xp_u.htm#xp_util
DAN
January 31st 04, 08:41 AM
Hi David. Thanks for your reply. Unfortunately, the process isn't there. I believe you are looking for nstask32.exe or winlogin.exe. As you can see, neither is running (don't confuse with winlogON.exe, which is a legit system process):
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 20 K
System 4 Console 0 228 K
smss.exe 448 Console 0 464 K
csrss.exe 496 Console 0 3,664 K
winlogon.exe 520 Console 0 4,240 K
services.exe 564 Console 0 3,224 K
lsass.exe 576 Console 0 1,476 K
svchost.exe 756 Console 0 2,908 K
svchost.exe 808 Console 0 17,164 K
StyleXPService.exe 836 Console 0 2,280 K
svchost.exe 924 Console 0 2,292 K
svchost.exe 968 Console 0 3,632 K
spoolsv.exe 1132 Console 0 3,756 K
alg.exe 1272 Console 0 3,780 K
AvidSDMService.exe 1284 Console 0 1,048 K
CDANTSRV.EXE 1320 Console 0 1,288 K
gearsec.exe 1348 Console 0 1,308 K
mdm.exe 1376 Console 0 2,820 K
NeroSVC.exe 1512 Console 0 1,980 K
explorer.exe 1680 Console 0 23,412 K
nvsvc32.exe 1700 Console 0 2,992 K
svchost.exe 1784 Console 0 2,780 K
Tablet.exe 1824 Console 0 3,128 K
wanmpsvc.exe 1908 Console 0 2,228 K
TrayServer.exe 688 Console 0 6,616 K
CTHELPER.EXE 692 Console 0 6,436 K
rundll32.exe 916 Console 0 5,444 K
wcescomm.exe 1428 Console 0 2,844 K
rundll32.exe 1456 Console 0 4,272 K
EM_EXEC.EXE 1596 Console 0 5,352 K
aoltray.exe 1504 Console 0 4,700 K
ObjectDock.exe 1732 Console 0 7,360 K
opera.exe 1576 Console 0 44,360 K
SmartFTP.exe 1628 Console 0 2,236 K
Icq.exe 1184 Console 0 16,240 K
wmiprvse.exe 2744 Console 0 4,364 K
cmd.exe 2832 Console 0 1,424 K
cmd.exe 3212 Console 0 1,324 K
tasklist.exe 3220 Console 0 4,272 K
In fact, running msconfig (System Configuration Utility), I see that winlogin.exe is classified as a startup item. So it must be running. However, if I try to UNCHECK it in the Startup tab, it just reappears after I restart.
PLEASE HELP!!!
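As an added example, not part of the thread: the tasklist output David asked for can be checked mechanically for the trick Dan's post is wrestling with, a worm named one letter away from a real system process (winlogin.exe next to the legitimate winlogon.exe). The sample listing is constructed, trimmed from Dan's, with a winlogin.exe row and its PID 2312 assumed so the check has something to find; the allowlist of system names is this example's own choice, not something from the thread.

```python
"""Flag process names in `tasklist` output that imitate Windows system
processes, and count how many copies of a given image are running.
Added example, not code from the thread.  SAMPLE_TASKLIST is constructed:
modelled on Dan's listing but trimmed, with the winlogin.exe row (PID 2312)
assumed to show what a hit looks like."""
import re

# Core Windows XP process names a worm is likely to imitate (winlogon.exe is
# the one the thread's winlogin.exe is named after).  Allowlist is assumed.
SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "alg.exe", "wmiprvse.exe",
    "cmd.exe", "tasklist.exe", "rundll32.exe",
}

# Constructed sample in the fixed-width layout `tasklist` prints.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         20 K
winlogon.exe                 520 Console                 0      4,240 K
svchost.exe                  756 Console                 0      2,908 K
explorer.exe                1680 Console                 0     23,412 K
rundll32.exe                 916 Console                 0      5,444 K
rundll32.exe                1456 Console                 0      4,272 K
winlogin.exe                2312 Console                 0      1,104 K
cmd.exe                     2832 Console                 0      1,424 K
cmd.exe                     3212 Console                 0      1,324 K
tasklist.exe                3220 Console                 0      4,272 K
"""

# image name, PID, session name, session number, memory usage
ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_tasklist(text):
    """Return [(image_name_lowercased, pid), ...]; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            rows.append((m.group("name").strip().lower(), int(m.group("pid"))))
    return rows


def edit_distance(a, b):
    """Levenshtein distance; inputs are short so the full DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(text, max_distance=1):
    """Images that are NOT a known system name but sit within max_distance
    edits of one, e.g. winlogin.exe next to winlogon.exe.
    Returns [(image, pid, imitated_name), ...]."""
    hits = []
    for name, pid in parse_tasklist(text):
        if name in SYSTEM_NAMES:
            continue
        for real in sorted(SYSTEM_NAMES):
            if edit_distance(name, real) <= max_distance:
                hits.append((name, pid, real))
                break
    return hits


def count_instances(text, image):
    """How many processes with this image name are running."""
    return sum(1 for name, _ in parse_tasklist(text) if name == image.lower())


if __name__ == "__main__":
    for image, pid, real in find_lookalikes(SAMPLE_TASKLIST):
        print(f"{image} (PID {pid}) looks like {real}")
    print("cmd.exe instances:", count_instances(SAMPLE_TASKLIST, "cmd.exe"))
```

Run it as a script for a summary. The distance threshold is kept at 1 on purpose: at 2, legitimate names such as mdm.exe start colliding with cmd.exe. An image that is neither on the allowlist nor one edit away from it is not reported, so this catches the lookalike trick but does not replace reading the whole list.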
Kelly
January 31st 04, 08:41 AM
David isn't confusing anything, you are. Go to the registry key I mentioned
just a bit ago and clear Shell except for explorer.exe
--
All the Best,
Kelly
MS-MVP Win98/XP
[AE-Windows® XP]
Troubleshooting Windows XP
http://www.kellys-korner-xp.com
Utilities for Windows XP
http://www.kellys-korner-xp.com/xp_u.htm#xp_util
David Candy
January 31st 04, 09:01 AM
Kelly suggests this
Have him run Doug's exe
http://www.dougknox.com/xp/utils/WinloginRemove.zip
Post back if it doesn't work. Viruses are easy to remove. Just have to understand their defences.
Seeing you have a lot of crap installed I'm downloading a database listing files so I can check each filename. But it's taking a long time.
--
----------------------------------------------------------
http://www.g2mil.com/Dec2003.htm
DAN
January 31st 04, 09:01 AM
Kelly,
As I have already stated, the method you suggested did not work. Upon refreshing the registry, the winlogin.exe value comes back, as I have already said.
(In fact, the method you suggest would alone not even work according to this Symantec security response on the subject:
http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.e.html)
If you have any other info, please feel free to provide it. Please don't be rude. All I did was supply the info David Candy requested.
If there is anyone else who has information pertaining to the problem, I would really appreciate any insight you have. Thanks!
David Candy
January 31st 04, 09:22 AM
You have two cmd listed in that post. According to Symantec this creates a hidden cmd. My instruction would create 1.
so Ctrl-Alt-Delete, look up the PID of cmd, then type cmd in Start Run and type
taskkill /f /pid <pid #>
also what are those two rundll32.
--
----------------------------------------------------------
http://www.g2mil.com/Dec2003.htm
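Putting David's kill-the-writer-first advice and Kelly's Shell check together, as an added example that is not from the thread or from any of the linked cleaners: the script below reads a saved `reg query` dump of the Winlogon key and the two Run keys, reports anything in the Shell value other than explorer.exe and any Run value that launches one of the files the thread attributes to the worm, and returns the cleanup commands in the order that works (taskkill, then reg, then del). The dump is constructed; the Run value name winlogin and the PID 2312 used in the demo are assumed. The commands are only built as strings, never executed.

```python
"""Check the persistence points the thread names, the Winlogon Shell value
and the Run keys, from a saved `reg query` dump, and produce the cleanup
commands in the order that works: kill the writer, clear the registry,
delete the file.  Added example, not code from the thread or from any of the
linked cleaners.  SAMPLE_DUMP is constructed; the Run value name 'winlogin'
and the worm PID 2312 used in the demo are assumed."""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# File names the thread attributes to the worm.
WORM_FILES = re.compile(r"\b(winlogin\.exe|nstask32\.exe|yuetyutr\.dll)\b", re.I)

# Constructed dump in the layout `reg query <key>` prints: a key line, then
# indented "name  type  data" lines.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe winlogin.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvCplDaemon    REG_SZ    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    winlogin    REG_SZ    C:\WINDOWS\system32\winlogin.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_reg_dump(text):
    """Return {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return keys


def shell_extras(keys):
    """Everything in the Winlogon Shell value other than explorer.exe.
    A clean box returns []; the worm appends itself so it starts with the shell."""
    _, data = keys.get(WINLOGON_KEY, {}).get("Shell", ("", ""))
    return [t for t in re.split(r"[,\s]+", data) if t and t.lower() != "explorer.exe"]


def run_key_suspects(keys):
    """(key, value_name, data) for Run entries that launch one of WORM_FILES."""
    return [(key, name, data)
            for key in RUN_KEYS
            for name, (_, data) in keys.get(key, {}).items()
            if WORM_FILES.search(data)]


def cleanup_commands(keys, writer_pids=()):
    """Commands are returned as strings, not run.  taskkill comes first
    because while the writer is alive it re-creates the values within seconds."""
    cmds = [f"taskkill /f /pid {pid}" for pid in writer_pids]
    if shell_extras(keys):
        cmds.append(f'reg add "{WINLOGON_KEY}" /v Shell /t REG_SZ /d explorer.exe /f')
    for key, name, _ in run_key_suspects(keys):
        cmds.append(f'reg delete "{key}" /v "{name}" /f')
    if shell_extras(keys) or run_key_suspects(keys):
        cmds.append(r"del %SystemRoot%\system32\winlogin.exe")
    return cmds


if __name__ == "__main__":
    found = parse_reg_dump(SAMPLE_DUMP)
    print("Shell extras:", shell_extras(found))
    print("Run suspects:", run_key_suspects(found))
    print("\n".join(cleanup_commands(found, writer_pids=(2312,))))
```

On a real machine the dump comes from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and the two Run keys redirected to a file, the same way David collected the tasklist. Review the generated lines before pasting them into cmd; the del step in particular only makes sense once the Shell and Run checks have actually found something.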
DAN
January 31st 04, 09:22 AM
Hi David.
I tried to run the exe from that zip. Unfortunately, it just deletes the reg entries that are outlined in the Symantec page. I am still having the same problem of the entries being regenerated every 5 seconds or so after deletion. Same goes for the winlogin.exe in my system32 directory if I try to delete it manually.
any ideas?
Kelly
January 31st 04, 10:03 AM
Dan,
First off, I am not rude nor ever intend to be taken that way. You seem
thorough enough to relate to, am just trying to make sure you are case on/in
point. Seems so.
In another post you gave a link that suggested areas to check. In this one
you provided info concerning Randex (which I have a cleaner for on line
258):
http://www.kellys-korner-xp.com/xp_tweaks.htm
That said, seems your issues are more complex. Download and run Doug's
Startup Tracker: http://www.dougknox.com/xp/utils/StartupTracker3.zip and
post the log file here.
Good luck!
All the Best,
Kelly
MS-MVP Win98/XP
[AE-Windows® XP]
Troubleshooting Windows XP
http://www.kellys-korner-xp.com
Utilities for Windows XP
http://www.kellys-korner-xp.com/xp_u.htm#xp_util