News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Topic: being torn up by trojans/viruses
« on: January 18, 2004, 19:22:00 »
xcFeRiNiZeDcc

Well, because of my own curiosity I ended up with 3 trojans and a virus called kuang2(?). Anyways, I'm using avast and Norton; my Norton definitions are a million years old because my free subscription ran out, so they didn't catch a thing. Avast caught them all, but cannot delete, quarantine, or do anything to them; whenever I try, avast freezes. I finally got rid of the kuang2 virus but the trojans are still there. Any ideas?

Edit: Also I forgot to mention there are some files in my WINDOWS/TEMP folder that won't delete, and it gives me some crap about "cannot delete, files might be in use". I used Doctor Delete but the files don't delete; I turned off system restore, the files still didn't delete, and sometimes more/less are there; they all have relatively the same name. At the moment there's only 1 file, but occasionally more appear. It's called JET9CD9.TMP, I dunno if these temp files have anything to do with the virus/trojans.

I ran Merijn's startup program and I found this:

C:\WINDOWS\WININIT.BAK listing:
(Created 18/1/2004, 16:24:0)

[rename]
nul=C:\UNZIPPED\EESBIN~1.0\EESBIN~1.EXE
nul=c:\_restore\temp\a0216707.cpy
nul=c:\_restore\temp\a0215786.cpy
nul=c:\progra~1\admunc~1\admunch.dll
nul=c:\windows\desktop\comput~1\olddes~1\am-ins~1.exe
c:\progra~1\admunc~1\admunch.dll=c:\progra~1\admunc~1\izdd323.tmp
c:\windows\system\shdocvw.dll=c:\windows\system\set5291.tmp
c:\windows\system\shlwapi.dll=c:\windows\system\set5294.tmp
c:\windows\system\urlmon.dll=c:\windows\system\set5295.tmp
c:\windows\system\mshtml.dll=c:\windows\system\set52a1.tmp
c:\windows\system\javacypt.dll=c:\windows\system\javacypt.001
c:\windows\system\javart.dll=c:\windows\system\javart.001
c:\windows\system\msawt.dll=c:\windows\system\msawt.001
c:\windows\system\msjava.dll=c:\windows\system\msjava.001
c:\windows\system\vmhelper.dll=c:\windows\system\vmhelper.001
c:\windows\system\jit.dll=c:\windows\system\jit.001
c:\windows\system\jscript.dll=c:\windows\system\jscript.001
c:\windows\system\crypt32.dll=c:\windows\system\crypt32.001

I believe

nul=c:\_restore\temp\a0216707.cpy
nul=c:\_restore\temp\a0215786.cpy

are the trojans? Any help is greatly appreciated.

When will truth come into season, I have a feeling it'll be a long time
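The listing above is a WININIT.INI as Windows 9x/ME consumes it: WININIT.EXE reads the [rename] section at the next boot, before long-filename support is up (hence the 8.3 short names), performs each dest=source move, deletes anything written as nul=path, and then renames the file to WININIT.BAK. That is also the mechanism a delete-at-reboot tool uses on those systems to get rid of a file Windows reports as "in use". The script below is an added example written for this thread, not code from the thread or from any tool it names. It parses such a section, classifies each entry, and can queue a locked file for deletion. The sample it carries is a subset of the listing above; the flags are heuristics (c:\_restore\temp\*.cpy are System Restore's archived copies on Windows ME, which is where a scanner often finds a second copy of an infection; a system DLL replaced from a setNNNN.tmp or name.001 beside it is what an IE or Windows Update install leaves behind, and is only interesting if no such install happened).

```python
"""Read a Windows 9x/ME WININIT.INI (or the WININIT.BAK it becomes after boot),
classify each [rename] entry, and queue a locked file for deletion at reboot.
Added example for this thread; not code from the thread or from any tool it
names.  Semantics used: WININIT.EXE processes [rename] at the next boot,
"dest=source" moves source over dest, "nul=path" deletes path, and the file
is then renamed WININIT.BAK.  It runs before long-filename support is up,
so every path must be an 8.3 short name."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the WININIT.BAK listing posted in the thread.
SAMPLE = r"""[rename]
nul=C:\UNZIPPED\EESBIN~1.0\EESBIN~1.EXE
nul=c:\_restore\temp\a0216707.cpy
nul=c:\progra~1\admunc~1\admunch.dll
c:\progra~1\admunc~1\admunch.dll=c:\progra~1\admunc~1\izdd323.tmp
c:\windows\system\shdocvw.dll=c:\windows\system\set5291.tmp
c:\windows\system\crypt32.dll=c:\windows\system\crypt32.001
"""

SYSTEM_DIRS = ("\\windows\\system\\", "\\windows\\system32\\", "\\winnt\\system32\\")
# one 8.3 path component: up to 8 chars, optional dot plus up to 3 chars,
# no spaces (the ~1 style aliases pass)
SHORT_COMPONENT = re.compile(r"^[^\\ .]{1,8}(\.[^\\ .]{1,3})?$")


@dataclass
class RenameEntry:
    dest: str
    source: str
    line_no: int
    flags: list = field(default_factory=list)

    @property
    def kind(self) -> str:
        # "nul=path" tells WININIT.EXE to delete path; anything else is a move
        return "delete" if self.dest.lower() == "nul" else "replace"


def parse_rename(text: str) -> list:
    """Return the entries of the [rename] section in file order."""
    entries, in_rename = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, source = line.split("=", 1)
            entries.append(RenameEntry(dest.strip(), source.strip(), n))
    return entries


def classify(e: RenameEntry) -> list:
    """Heuristic flags; each is a reason to look closer, not a verdict."""
    flags = []
    src, dst = e.source.lower(), e.dest.lower()
    if "\\_restore\\" in src:
        # c:\_restore holds System Restore's archived copies (Windows ME);
        # the .cpy files there are copies, not the live infected file
        flags.append("restore_archive")
    if e.kind == "replace":
        if dst.endswith(".dll") and any(d in dst for d in SYSTEM_DIRS):
            # normal for IE/Windows updates, which stage setNNNN.tmp or
            # name.001 beside the target; worth matching to a known install
            flags.append("system_dll_replaced")
        if src.rsplit("\\", 1)[0] != dst.rsplit("\\", 1)[0]:
            # installers stage next to the target; a cross-directory move is odd
            flags.append("source_outside_dest_dir")
    return flags


def report(text: str) -> list:
    rows = []
    for e in parse_rename(text):
        e.flags = classify(e)
        rows.append((e.line_no, e.kind, e.dest, e.source, e.flags))
    return rows


def is_short_name(path: str) -> bool:
    return all(SHORT_COMPONENT.match(c) for c in path.split("\\") if c)


def schedule_delete(ini_text: str, path: str) -> str:
    """Return ini_text with 'nul=path' added under [rename] (section created
    if missing).  Write the result to WININIT.INI in the Windows directory;
    only Windows 9x/ME honours it."""
    if not is_short_name(path):
        raise ValueError("WININIT needs the 8.3 short name: " + path)
    lines = ini_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower() == "[rename]":
            break
    else:
        lines.append("[rename]")
        i = len(lines) - 1
    lines.insert(i + 1, "nul=" + path)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
    print(schedule_delete(SAMPLE, r"c:\windows\temp\jet9cd9.tmp"))
```

Running it prints one row per entry with its flags, then the same section with a delete queued for the JET9CD9.TMP file the thread mentions; the short-name check is what saves you from a silently ignored entry.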
« Reply #1 on: January 18, 2004, 20:42:35 »
moderaticles (Global Moderator)

Well, if it's in /tmp or /temp, chances are you don't need it. Try getting rid of them. I don't know what else would be the infection... do you know what /UNZIPPED is? And I imagine you know what /admunch~ is...

When you run avast, can you view the infected files without deleting them? Can you get names?

sun == fun.

sunburn =/= funburn :(
« Reply #2 on: January 19, 2004, 13:10:34 »
xcFeRiNiZeDcc

When I run avast it doesn't even find the files... it's weird. So I'm hoping avast deleted them. Ad Muncher, yeah, that's my popup blocker; that program in unzipped, when I look at it now, that's the file that installed the trojans/virus. And I think the trojans were in temp, and I know the file extensions were .cpy, but when I go to windows/temp there's only like 3 or 4 files in there, none are .cpy, they are like jet9389.tmp or jeta, jete, something like that with a .tmp extension, and I cannot delete them, it says they are in use, so I tried using Dr. Delete to schedule them for deletion at reboot, but it's not working. Since avast no longer picks them up I hope they are gone for good :(
« Reply #3 on: January 20, 2004, 12:12:35 »
moderaticles (Global Moderator)

Hmm... don't get your hopes too high.

Did you try closing explorer/internet explorer before deleting them? You can close explorer with the task manager.

Also, does netstat/a show anything fishy?
« Reply #4 on: January 21, 2004, 19:02:13 »
xcFeRiNiZeDcc

netstat looks normal; anything with :80 at the end is AIM, right? Because there's an IP on time_wait but it's :80, I dunno, but also rcpss.exe is running in the background, and this worries me. I'm gonna try closing explorer and deleting those temps right now.
« Reply #5 on: January 21, 2004, 20:05:23 »
moderaticles (Global Moderator)

No, 80 simply means you're connected to port 80. 80 is commonly the http port, but that doesn't make it secure. It could be your iexplore connecting without your permission. If the address is toc.oscar.aol.com or something, it's aim.

What's your OS? I run w2k and I don't recognize rcpss.exe; rpcss.exe doesn't exist either.

Get fport. Put it anywhere you wish; it should just be a runfile. START>RUN>type CMD or COMMAND (CMD if you run an NT Windows; COMMAND if it's 98se or earlier). At the prompt type what's between the quotes following: "fport > c:\fport.txt". Now open c:\fport.txt and post it here (make sure to close your iexplore, especially if you're looking at anything naughty ;) ).
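The two checks the moderator asks for, netstat and fport, are meant to be read together: netstat -a lists every local port that is listening or connected, and fport maps each local port to the PID and path of the process holding it. That is what turns "something is on :80" into "IEXPLORE.EXE is talking to port 80" or "something in TEMP is" (netstat itself cannot show the owner on Windows 2000; its -o switch only arrived with XP). fport is a Windows NT/2000 tool that depends on psapi.dll, which Windows 9x/ME does not ship, so on those systems it fails with a missing-DLL error instead of running. The script below is an added example written for this thread, not code from the thread or from Foundstone. It parses constructed sample output from both tools (the sample lines, the process names and the paths in them are made up for the example), joins them on protocol and local port, and flags listeners on the default ports of the trojans named in the thread (SubSeven 1243 and 27374, Kuang2 17300, with NetBus 12345 added), owners running from a TEMP directory, port-80 connections owned by something other than a browser, and listeners fport could not attribute. A hit on a port number is a lead to chase, not proof: any program can bind any port.

```python
"""Join 'netstat -a' and fport output so every open port is shown with the
process that owns it.  Added example for this thread; not code from the
thread or from Foundstone.  Both samples below are constructed, in the
layout the two tools print on Windows 2000; names and paths are made up."""
import re
from dataclasses import dataclass, field

NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mybox:135              0.0.0.0:0              LISTENING
  TCP    mybox:139              0.0.0.0:0              LISTENING
  TCP    mybox:1243             0.0.0.0:0              LISTENING
  TCP    mybox:1066             toc.oscar.aol.com:5190 ESTABLISHED
  TCP    mybox:1071             198.51.100.7:80        ESTABLISHED
  TCP    mybox:1072             203.0.113.9:80         ESTABLISHED
  UDP    mybox:137              *:*
"""

FPORT = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
1120  server         ->  1243  TCP   C:\WINNT\TEMP\server.exe
1304  aim            ->  1066  TCP   C:\Program Files\AIM95\aim.exe
980   IEXPLORE       ->  1071  TCP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
1120  server         ->  1072  TCP   C:\WINNT\TEMP\server.exe
8     System         ->  137   UDP
"""

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+?):(\d+)\s+(\S+?):(\S+)\s*(\S*)\s*$")
FPORT_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Default listening ports of the trojans named in the thread, plus NetBus.
# A listener here is a lead to chase with fport, not proof of infection.
KNOWN_BACKDOOR_PORTS = {
    1243: "SubSeven 1.x default",
    27374: "SubSeven 2.x default",
    17300: "Kuang2 theVirus default",
    12345: "NetBus default",
}
BROWSERS = {"iexplore", "netscape", "opera", "mozilla", "firefox"}


@dataclass
class Endpoint:
    proto: str
    local_port: int
    foreign_host: str
    foreign_port: str      # "*" for UDP, so kept as text
    state: str
    pid: int = -1
    process: str = ""
    path: str = ""
    notes: list = field(default_factory=list)


def parse_netstat(text: str) -> list:
    eps = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, _host, lport, fhost, fport, state = m.groups()
            eps.append(Endpoint(proto, int(lport), fhost, fport, state))
    return eps


def parse_fport(text: str) -> dict:
    """Map (proto, local port) -> (pid, process, path); path may be empty."""
    owners = {}
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            owners[(proto, int(port))] = (int(pid), proc, path)
    return owners


def assess(e: Endpoint) -> list:
    notes = []
    for port, side in ((e.local_port, "local"), (e.foreign_port, "foreign")):
        if str(port).isdigit() and int(port) in KNOWN_BACKDOOR_PORTS:
            notes.append(f"known_backdoor_port:{side}:{KNOWN_BACKDOOR_PORTS[int(port)]}")
    if e.state == "LISTENING" and e.pid < 0:
        notes.append("no_owner")            # listener fport could not attribute
    if any(d in e.path.lower() for d in ("\\temp\\", "\\tmp\\")):
        notes.append("owner_in_temp")       # services do not live in TEMP
    if e.foreign_port == "80" and e.process.lower() not in BROWSERS:
        notes.append("http_from_non_browser")
    return notes


def correlate(netstat_text: str, fport_text: str) -> list:
    owners = parse_fport(fport_text)
    eps = parse_netstat(netstat_text)
    for e in eps:
        e.pid, e.process, e.path = owners.get((e.proto, e.local_port), (-1, "", ""))
        e.notes = assess(e)
    return eps


def suspicious(eps: list) -> list:
    return [e for e in eps if e.notes]


if __name__ == "__main__":
    for e in correlate(NETSTAT, FPORT):
        owner = f"{e.process}[{e.pid}] {e.path}" if e.pid >= 0 else "(no owner)"
        print(f"{e.proto} :{e.local_port:<5} -> {e.foreign_host}:{e.foreign_port:<5} "
              f"{e.state:<11} {owner} {e.notes}")
```

With real captures, feed the saved c:\fport.txt and a netstat -a redirect into correlate() instead of the samples; the join is on (protocol, local port), which is the one key both tools print.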
« Reply #6 on: January 22, 2004, 14:00:04 »
RealWarVet

Quote from: moderaticles
don't recognize rcpss.exe; rpcss.exe doesn't exist either.

RPCSS.EXE is the DCOM executable. There is a Micro$oft security patch for a vulnerability in that (like there isn't a security patch for every little thing Micro$oft has!)
RCPSS.EXE is something I have never seen and I cannot find anything on it in any virus library. I believe that is a typo.
« Reply #7 on: January 23, 2004, 12:02:35 »
xcFeRiNiZeDcc

RPCSS.exe is in windows\system\. Somewhere I read about it; it said it was used for something something to access the internet, can't really remember, but it also said there is a very low chance of a virus using this because it is easily detected. The only reason I worry is because it never used to run before I got the viruses, although I did install avast recently and a few other things that might have caused it. I tried running fport and it said a required DLL was missing, psapi.dll.
« Reply #8 on: January 23, 2004, 17:24:02 »
xcFeRiNiZeDcc

http://www.cexx.org/rpc.htm
http://www.cexx.org/rpcss.htm

These are the pages I read; kinda funny that they're on cexx.org :)
Anyways, the main problem I see is this program never used to run, and now, after having some trojan/virus problems, it's running at startup. I don't know what to do about it; I've just been killing it with appswat every time I start my computer. Any suggestions?
« Reply #9 on: January 24, 2004, 21:19:35 »
moderaticles (Global Moderator)

:-[ :-[ :-[ :-[

Boy is my face red... I'm a mod here and everything!

I searched my comp for the file rpcss.exe and didn't find it, so I assumed it wasn't a necessary file (I run w2kpro).
« Reply #10 on: January 25, 2004, 12:55:58 »
xcFeRiNiZeDcc

It's ok, heh. I had just read the pages a few days previous, trying to find out what rpcss was, and I couldn't remember it was on cexx. Also sometimes cexx's page layout can be a little bit confusing for finding pages, no offense to Bill!

Edit: Also, any idea as to how I disable it? Those pages make it pretty obvious I shouldn't delete it, but I know for a fact that it never ran at startup before now, so I figure I should disable it and see if everything goes ok; if I have problems then re-enable it. Anyone know how to disable it, or have a better idea?

Thanks again for the help.
« Reply #11 on: February 14, 2004, 06:47:18 »
Anonymous (Guest)

Hi there,

Just reading the above postings, and I have just found something similar. I ran AVG, which I have just installed, and to my dismay I have found a trojan which AVG is unable to remove. (TUT) It's from Backdoor.subseven and I have 8 of these stored in my restore\temp\(then numbers).CPY.

I have never had this problem before and am rather unsure what to do in order to remove these (if poss).

Any suggestion :( please, would be very appreciated!!!

Cheers,

Chris.