TechSpot

rpcc.dll problem

By darkdrgn
Jan 27, 2007
  1. Hello, currently I have a problem with something called rpcc.dll.
    Somehow, some software was installed on my computer that put a fake Windows shield in the tray and prompted me to download their registry cleaner. I was able to remove the icon through use of Ad-Aware SE Personal and Spybot S&D. However, a scan with my HJT version 1.99.1 shows the rpcc.dll and it won't go away. A scan with Spybot showed something called Smitfraud that might or might not be related, but I could not remove it even with the "run Spybot at reboot" option.

    First symptoms that showed: background changed, some websites appear to be redirected, like tech support ones; this website fortunately wasn't blocked.

    Attached is my HJT log.

    Any help would be greatly appreciated! Thanks
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected with a variety of nasties.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Download and run the Blacklight programme. Follow all the instructions carefully.


    Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of darkdrgn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. darkdrgn

    darkdrgn TS Rookie Topic Starter

    Ok, so I ran AVG first and it found four viruses. I took a screenshot since I didn't know how to get a text log. Blacklight found nothing, and I redid the HJT log under a different EXE name.
     
  4. tomrca

    tomrca TS Rookie Posts: 1,000

    You will need to follow all the instructions and the links that Howard has given. The AVG you need to run is 'AVGAS', AVG Anti-Spyware, previously known as 'Ewido'.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    If you had read the instructions properly, you would have seen that AVG Antispyware is a completely different programme to the free AVG Antivirus.

    Uninstall the AVG antivirus programme from Add/Remove Programs in your Control Panel. This is because you shouldn't be running more than one antivirus programme at the same time. Then, follow the instructions below exactly.

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    These are the filepaths you need to enter into Vundofix.

    C:\WINDOWS\system32\rpcc.dll
    C:\WINDOWS\system32\vjfzgnk.dll

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft authenticate service (MsaSvc) < Disable it by the service name and/or the name in brackets.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    msasvc.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O2 - BHO: (no name) - {19C140AF-4F3C-4371-D03C-0B5593AD6D55} - C:\WINDOWS\system32\vjfzgnk.dll

    O4 - Startup: Adobe Gamma.lnk.disabled

    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled

    O4 - Global Startup: Bluetooth Manager.lnk.disabled

    O4 - Global Startup: hpoddt01.exe.lnk.disabled

    O4 - Global Startup: RAMASST.lnk.disabled

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab

    O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} (IWS Photo Upload Tool) - http://public2.uploader.officelive.com/_layouts/1033/wh/ActiveX/MsnPUpld.cab

    O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nvidia.com

    O17 - HKLM\Software\..\Telephony: DomainName = nvidia.com

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nvidia.com

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nvidia.com

    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = nvidia.com

    Only fix the above O17 entries if they don't belong to your ISP or you don't recognise the domain.

    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\system32\msasvc.exe

    Reboot into normal mode and rehide your protected OS files.

    Now go HERE and follow the instructions for downloading, installing and running the AVG Antispyware programme.

    Post a fresh HJT log as well as an AVG Antispyware log.

    Regards Howard :)

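
    Added example (not from the thread, and not HijackThis's own logic): a small Python triage script that parses HJT-style log lines of the kinds listed in the post above and turns them into the same sort of removal plan Howard wrote by hand: entries to tick in HJT, files to delete, the service to disable and the process to end. The input is the post's own entries; the classification rules (nameless BHOs, Winlogon Notify DLLs, services with an unknown owner or a missing file, IE policy restrictions, orphaned buttons) are this example's heuristics, and O16/O17 entries are deliberately left for a human to judge, as the post says for O17.

```python
"""Triage HJT-style log entries into a removal plan.

Added example: the rules here are this example's own heuristics for the
entry types quoted in the thread, not HijackThis's logic or output.
"""
import re

# Entries copied from the post above; nothing else is in the sample.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {19C140AF-4F3C-4371-D03C-0B5593AD6D55} - C:\WINDOWS\system32\vjfzgnk.dll
O4 - Startup: Adobe Gamma.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nvidia.com
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)
SERVICE_RE = re.compile(r"^Service: (.+?) \((\w+)\) - (.+?) - (.+)$")


def parse(log_text):
    """Yield (section, body) for every 'Onn - ...' line; ignore anything else."""
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Build a removal plan: what to tick in HJT, delete, disable and end."""
    plan = {
        "fix_in_hjt": [],         # entries to tick and 'fix checked'
        "review": [],             # entries a human must judge first
        "delete_files": set(),
        "disable_services": set(),
        "kill_processes": set(),
    }
    for section, body in parse(log_text):
        entry = f"{section} - {body}"
        path = PATH_RE.search(body)
        if section == "O2" and "(no name)" in body:
            # nameless BHO loading a DLL from system32: fix and remove the file
            plan["fix_in_hjt"].append(entry)
            if path:
                plan["delete_files"].add(path.group(0))
        elif section == "O4" and body.endswith(".disabled"):
            plan["fix_in_hjt"].append(entry)   # leftover disabled shortcut, cosmetic
        elif section == "O6":
            plan["fix_in_hjt"].append(entry)   # IE policy restrictions: remove them
        elif section == "O9" and "(no file)" in body:
            plan["fix_in_hjt"].append(entry)   # orphaned toolbar button
        elif section == "O16":
            plan["review"].append(entry)       # ActiveX control: remove if unused
        elif section == "O17":
            plan["review"].append(entry)       # DNS domain: fix only if unknown to you
        elif section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon; fix and delete
            plan["fix_in_hjt"].append(entry)
            if path:
                plan["delete_files"].add(path.group(0))
        elif section == "O23":
            sm = SERVICE_RE.match(body)
            if sm and ("Unknown owner" in sm.group(3) or "file missing" in sm.group(4)):
                plan["fix_in_hjt"].append(entry)
                plan["disable_services"].add(sm.group(2))       # short name for services.msc
                if path:
                    plan["delete_files"].add(path.group(0))
                    # process name to end in Task Manager, e.g. msasvc.exe
                    plan["kill_processes"].add(path.group(0).rsplit("\\", 1)[-1].lower())
    return plan


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in sorted(items):
            print("   ", item)
```

    Run it as-is and it prints the plan for the quoted entries; feed it a whole log and it ignores every line that is not an O-entry. The O17 and O16 lines land in "review" rather than "fix_in_hjt" on purpose: a domain suffix belongs to an ISP or employer as often as to malware, and the script has no way to know which.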
     
  6. darkdrgn

    darkdrgn TS Rookie Topic Starter

    Ok, AVG scan complete, and HJT. Logs attached.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    svchos.exe < Not to be confused with svchost.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Documents and Settings\calvin\Desktop\Desktop\svchos.exe

    Delete all files in AVG Antispyware quarantine.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  8. darkdrgn

    darkdrgn TS Rookie Topic Starter

    Done. By the way, svchos.exe is one of my programs that I renamed as a joke. However, I still notice that I cannot visit bleepingcomputer.com... this link exactly: http://www.bleepingcomputer.com/

    Also, I just noticed this weird thing with Nero: I'm not doing anything and this error message pops up... is it bad? Screenshot included.
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    For your Nero problem, do the following.

    Download and run this Nero cleanup tool. Read the instructions. Once done, reboot your system and reinstall Nero.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  10. darkdrgn

    darkdrgn TS Rookie Topic Starter

    Thank you! But is the redirection due to some virus or adware?
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Where exactly are you getting redirected to?

    Regards Howard :)
     
  12. darkdrgn

    darkdrgn TS Rookie Topic Starter

    I'm sorry, that was a bad choice of words. When I enter the website, it shows a 404 error; the page doesn't load at all, but when I go through a proxy, the web page loads.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Is this only happening with the Bleeping computer site?

    Just as an experiment, download and install Firefox. During the install, you will be asked if you wish to import anything from IE. Don't import anything. See if you can access the site from Firefox.

    Regards Howard :)
     
  14. darkdrgn

    darkdrgn TS Rookie Topic Starter

    I have Internet Explorer and Firefox; both cannot visit Bleeping Computer. I can't visit http://www.ewido.net/en/download/ either. The only way I was able to download HJT was through a proxy. I think whatever is doing this is purposely blocking tech support pages.
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Regards Howard :)

     
  16. darkdrgn

    darkdrgn TS Rookie Topic Starter

    Ok, logs included.

    Sorry to be a bother, but I noticed another problem: I can't install iTunes with the QuickTime package. Screenshot enclosed.
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    As I suspected, you have a rootkit infection.

    Download and run this tool. Rustock.b-fix.

    Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt). Post the content of these logfiles along with a new HJT log and a fresh Combofix log.

    As for your iTunes install problem: do not try to install anything other than the tools I ask for at this stage, as it will just make things more complicated.

    Regards Howard :)

     
  18. darkdrgn

    darkdrgn TS Rookie Topic Starter

    all 4 logs attached!
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The rootkit has been deleted and your HJT log is clean.

    Provided you're having no other problems, I think you're good to go.

    Regards Howard :)

     
  20. darkdrgn

    darkdrgn TS Rookie Topic Starter

    So, you can't find anything wrong with the website visit problem?
    If so, thank you very much for your help.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No, I can't find anything that would account for you not being able to visit Bleeping Computer.

    I know this is a long shot, but maybe your ISP has blocked the site by accident? Contact your ISP and ask.

    Regards Howard :)

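
    Added example, not part of the thread: the symptom described above (the site fails in Internet Explorer and Firefox alike but loads through a proxy) is one that a practitioner would check against the local hosts file before blaming the ISP, because a forward proxy resolves the name itself and never consults the client's hosts file. HJT reports such entries under its O1 section, and the thread's logs were judged clean, so nothing here says the poster's machine had one; the script below is a direct check of the same data, written for this page, with a constructed sample hosts file. The WATCHLIST is an assumption drawn from the sites the thread mentions; on Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Check a hosts file for entries that blackhole or redirect security sites.

Added example for the blocked-site symptom in the thread; the sample hosts
file is constructed, not taken from the poster's machine.
"""
import ipaddress

# Constructed sample: the localhost line is normal, the next three are the
# patterns to catch (blackholed, blackholed, redirected to a foreign host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.bleepingcomputer.com
0.0.0.0         www.ewido.net     # trailing comments are stripped too
203.0.113.7     www.techspot.com
"""

# Assumed watchlist: sites the thread names as unreachable, plus this one.
WATCHLIST = {
    "bleepingcomputer.com",
    "ewido.net",
    "techspot.com",
}


def parse_hosts(text):
    """Yield (ip_address, hostname) for each mapping; skip comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not a hosts mapping, ignore it
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def _on_watchlist(name, watchlist):
    """True if the name or any parent domain is watched (www.ewido.net -> ewido.net)."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels) - 1))


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return [(hostname, ip, kind)] for watchlisted names found in the file.

    kind is 'blackholed' when the address is loopback/unspecified (the site
    just fails to load) and 'redirected' when it points at another host
    (the browser silently talks to whatever lives there instead).
    """
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not _on_watchlist(name, watchlist):
            continue
        kind = "blackholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        hits.append((name, str(ip), kind))
    return hits


if __name__ == "__main__":
    for name, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:10} {name} -> {ip}")
```

    A clean hosts file contains the localhost line and nothing that names a security vendor, so any hit is worth acting on; replace SAMPLE_HOSTS with the contents of the real file to check a machine. The 'redirected' case is the more serious one: the name still resolves, so the browser connects to the wrong server, and an error page such as a 404 from that server is exactly what the user sees.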
     
  22. darkdrgn

    darkdrgn TS Rookie Topic Starter

    Alright, thanks again. And I'm assuming my computer is too messed up to install iTunes?
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Sorry, I forgot about your iTunes problem.

    I have no idea why you can't install iTunes, except maybe the download is corrupt in some way. Try redownloading it and see if that helps.

    Regards Howard :)
     
  24. darkdrgn

    darkdrgn TS Rookie Topic Starter

    Ok, here's the deal. I think my computer may have crashed during an installation of QuickTime once. Well, I've tried to remove it using RegCleaner and CCleaner, then I went to check Windows Install Clean Up and the "Add/Remove Programs" window, and QuickTime appears to be fully removed. Then I go to C:\Program Files\QuickTime and try to delete the whole folder and get this error message: "Cannot delete PictureViewerLocalized.qtr: Data error (cyclic redundancy check)". Any clue what this means?
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, try this.

    Click start/run and type regedit into the runbox and press the enter key.

    When the window appears, click file/export and save the file to wherever you want. This is a complete backup of your registry.

    Then, click edit/find and type quicktime into the dialogue box and click find next. In the right hand pane, right click on any QuickTime entries and choose delete. Now click edit again and choose find next. Do the same in the right hand pane as above. Keep doing this until no more QuickTime entries are found.

    Reboot your computer and try reinstalling QuickTime/iTunes.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
