Tech Support Forum banner
Cancel

rpcss vanished from Registry

2362 Views 1 Reply 2 Participants Last post by  cetkat
L
Hi.
The Remote procedure call service is no more.
Os: XP Sp1
A scan with Avast Antivirus detected this :
-------------------------
3/6/2008 23:56:19 Luiz Márcio 1280 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\SVCHOST.EXE" file.
4/6/2008 00:42:03 SYSTEM 1676 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\SVCHOST.EXE" file.
4/6/2008 00:42:27 SYSTEM 1676 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe" file.
4/6/2008 00:42:47 SYSTEM 1676 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\windows\system32\SET23.tmp" file.
4/6/2008 03:23:38 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\I386\SVCHOST.EXE" file.
4/6/2008 05:38:28 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\unp28195895.tmp" file.
4/6/2008 08:26:03 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz26.tmp" file.
4/6/2008 08:27:39 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz27.tmp" file.
4/6/2008 08:28:45 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz28.tmp" file.
4/6/2008 08:29:26 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz29.tmp" file.
4/6/2008 08:36:33 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz2A.tmp" file.
--------------------------------------------

It put in quarentine these, and extracted de svchost.exe from de directory i386 of the Dell OS reinstalation cd .
Then, after a reboot, no drag and drop , no system restore, not opening of property sheets, the visual of the taskbar changed.
Almost no services running. RPC server not running mensage.
I made a backup of the registry 20 days ago in a .reg file, and another now.
Would it be advisable to try to add what is missing in the registry ?
I've copied all that make reference to rpcss in the old and new registry, and saved in two text files. Attached these 2 here.
I think only the keys
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security]
should be added. Or maybe this one too:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Enum]

The data under these keys and values can remain the same ?
I really don´t the risks involved in this procedure !!
I attached too what is missing of svchost.

Thanks,
Luiz.

Attachments

See less See more
Save
Like
Status
Not open for further replies.
1 - 2 of 2 Posts
C
Since this problem was caused by Malware, go ahead and complete the steps in the link below and post the requested information in the HijackThis Forum along with your question. They can give you the detailed advice and steps you need.

IMPORTANT - Read This Before Posting For Malware Removal Help
Save
Like
1 - 2 of 2 Posts
Status
Not open for further replies.
Tech Support Forum
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Windows XP Support Windows 7 , Windows Vista Support Motherboards, Bios|UEFI & CPU Networking Support Laptop Support
Top