
Thread: Process Running-->>RPCSS.EXE

  1. #1

    Process Running-->>RPCSS.EXE

    RPCSS.EXE

    Every time my computer loads, this service loads and tries to connect to the internet. My firewall shows two instances running, one connecting to a port number, and the other to DCOM. They don't send or receive, just sit there and listen.

    I've done the google thing, and found that it's supposed to have something to do with Visual Studio, which I do have installed. However, it seems to serve no actual purpose, and is accused of security issues as well as causing instability. There were also several other articles that accused it of being a M$ trojan that reports back to them.

    Long story short, I want it gone. In comes the problem I'm posting about. I can't get rid of the damn thing. I can locate the file in Windows>System. Attempting to simply delete it results in the "This program is in use" message. However, I've been unable to find any way to shut it down. Task Manager doesn't show it's running. Msconfig doesn't show an entry for it. My firewall (Outpost) offers the option to break the connection. Great idea, except that it doesn't work. It's on the list of blocked services, but runs anyway. Tried renaming it, and that doesn't work either.

    I'm running Windows ME.

    Does anyone have -any- ideas here?

    -Keisha
    www.notinourname.net
    www.nion.us

    Read them.

  2. #2
    Senior Member
    Join Date
    Aug 2001
    Posts
    100
    Download this prog:
    http://www.webmasterfree.com/procview.html#
    It shows all running processes under Windows 9x/ME.
    Your RPCSS.EXE should be there somewhere. If you mark it in the list, the window beneath will show the path to the application. Then kill the app and delete it.
    This should help...

    --------------------------------------------------------------------------------------------------------------------
    "Knowledge is the Real Power"

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Location
    Pittsburgh
    Posts
    153
    I don't know if ME has DOS; if it doesn't, download it and put it on a boot disk. Boot up DOS and delete it that way. Then Windows can't do anything about it and your problem is solved. I hope this helped.

  4. #4
    Junior Member
    Join Date
    Mar 2002
    Posts
    27
    Okay, I think you should tackle it via BIOS level.

    By the way, nice tweaking docs you posted last
    Cojunudo

  5. #5
    Member
    Join Date
    Nov 2001
    Posts
    58
    Which port does it open?

    I've read a post on Agnitum Outpost (I use it too) about services, and someone said that although the service is running they couldn't stop it (they could, but it would give you a BSOD), but they assured that although it was running the firewall was blocking it.

    I don't have the link here at work but I can post it when I get home.

    You can try searching their forum; it's got good tips for the firewall....

    http://www.agnitum.com/forum/

  6. #6
    Junior Member
    Join Date
    Apr 2002
    Posts
    15
    I wouldn't worry about it, man. I noticed the same thing about a year ago, researched it and left it alone. You will probably see no issues with it. If you want to see the open TCP and UDP connections and their owning processes, DL this little tool, hxxp://online.securityfocus.com/tools/1896 (sorry, I don't post direct links in forums).

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    RPCSS.exe is a key core component of Windows NT / Windows 2000.

    It will open some sockets at boot time, you cannot stop this. You can firewall them from outside if you like, it shouldn't affect it, but DON'T KILL THE PROCESS

    This is not a trojan, do not kill it. Otherwise you'll be sorry. Really.

    Of course this doesn't stop someone writing a trojan which is called RPCSS.EXE, but the one which runs by default isn't one.

    On Windows 95/98 anything called RPCSS.EXE probably IS a trojan and should be killed immediately.

  8. #8
    Senior Member
    Join Date
    Feb 2002
    Posts
    216
    Keisha, I agree with Slarty: don't kill the process!
    Do the msconfig thing but look for DCOM and uncheck it.
    It opens ports 135, 500 and 1025.
    To see if it is running on your comp, look in the win folder; if you see a lot of files starting with fff then it's running. It seems to bypass firewalls somehow.
    Hope this helps
    mike
    Never miss a good opportunity to shut up.....

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    216
    Oops! The process to uncheck is MDM (Microsoft Debug Manager) under Startup, sorry.
    This problem has been around since 1999.
    Never miss a good opportunity to shut up.....

  10. #10
    Senior Member
    Join Date
    Feb 2002
    Posts
    262

    Start up Methods

    I got all of the start up methods from some site. I think the original site is www.TLSecurity.net, not sure though, but anyway here they are. Just look in all of these places for whatever is starting up... sure u could do it the easy way and d/l an app and have it show u the path, but well uh um this is funner if u do this and u ummm learn too.. yeah that's it. Anyway, here it is.

    All Known and (so called) Unknown Windows Autostart Methods (10/03/2001)

    1. Autostart folder

    C:\windows\start menu\programs\startup {english}
    C:\windows\Menu Démarrer\Programmes\Démarrage {french}
    C:\windows\All Users\Menu Iniciar\Programas\Iniciar {Portuguese, Brazilian}

    This Autostart Directory is saved in :
    * [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    Startup="C:\windows\start menu\programs\startup"

    * [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
    Startup="C:\windows\start menu\programs\startup"

    * [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
    "Common Startup"="C:\windows\start menu\programs\startup"

    * [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
    "Common Startup"="C:\windows\start menu\programs\startup"


    Setting it to anything other than C:\windows\start menu\programs\startup will lead to execution
    of ALL and EVERY executable inside the set directory.
    Addendum: as of 10/03/2001 Subseven 2.2 now uses this method.


    2. Win.ini
    [windows]
    load=file.exe
    run=file.exe

    3. System.ini
    [boot]
    Shell=Explorer.exe file.exe

    4. c:\windows\winstart.bat
    'Note: behaves like a usual BAT file. Used for copying/deleting specific files. Autostarts every time.

    5. Registry

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Whatever"="c:\runfolder\program.exe"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    "Whatever"="c:\runfolder\program.exe"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Whatever"="c:\runfolder\program.exe"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Whatever"="c:\runfolder\program.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Whatever"="c:\runfolder\program.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Whatever"="c:\runfolder\program.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Whatever"="c:\runfolder\program.exe"


    6. c:\windows\wininit.ini

    'Often used by setup programs; when the file exists it is run ONCE and then is deleted by Windows.
    Example content of wininit.ini:
    [Rename]
    NUL=c:\windows\picture.exe
    ' This example sends c:\windows\picture.exe to NUL, which means that it is being deleted.
    This requires no interactivity with the user and runs totally stealth.

    7. Autoexec.bat

    Starts every time at DOS level.

    8. Registry Shell Spawning

    [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
    The key should have a value of "%1 %*"; if this is changed to "server.exe %1 %*", the server.exe
    is executed EVERY TIME an exe/pif/com/bat/hta is executed.
    Known as Unknown Starting Method and is currently used by Subseven.

    9. Icq Inet
    [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
    "Path"="test.exe"
    "Startup"="c:\\test"
    "Parameters"=""
    "Enable"="Yes"
    [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
    This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.

    10. Explorer start-up

    Windows 95, 98, ME
    Explorer.exe is started through a system.ini entry; the entry itself contains no path information,
    so if c:\explorer.exe exists it will be started instead of c:\$winpath\explorer.exe.

    Windows NT/2000
    The Windows Shell is the familiar desktop that's used for interacting with Windows. During system
    startup, Windows NT 4.0 and Windows 2000 consult the "Shell" registry entry,
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, to determine the
    name of the executable that should be loaded as the Shell.

    By default, this value specifies Explorer.exe.

    The problem has to do with the search order that occurs when system startup is in process.
    Whenever a registry entry specifies the name of a code module, but does it using a relative path,
    Windows initiates a search process to find the code. The search order is as follows:

    * Search the current directory.
    * If the code isn't found, search the directories specified in
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path, in the order
    in which they are specified.
    * If the code isn't found, search the directories specified in HKEY_CURRENT_USER\Environment\Path,
    in the order in which they are specified.

    More info : http://www.microsoft.com/technet/sec...n/fq00-052.asp
    Patch : http://www.microsoft.com/technet/sup....asp?ID=269049

    General:
    If a trojan installs itself as c:\explorer no run keys or other start-up entries are needed.
    If c:\explorer.exe is a corrupted file the user will be locked out of the system. Affects all Windows
    versions as of today.

    11. Active-X Component

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
    StubPath=C:\PathToFile\Filename.exe

    Believe it or not, this does start filename.exe BEFORE the shell (explorer.exe) and any other program normally
    started over the Run keys.


    12. Misc Information

    [HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object"
    "NeverShowExt"=""

    The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS.
    This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs including Explorer.
    Your registry should be full of NeverShowExt keys; simply delete the key to get the real extension to show up.

    Hope this helps someone, and if it hurts someone I'm sorry.
    aislinn, Aria, BTBAM, chevelle, codeseven, Cky, dredg, evergreen terrace, from autumn to ashes,hopesfall, hxc, luti-kriss, nirvana, norma jean, shai hulud, this hero dies, tool, underoath, zao,
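
The autostart locations listed in post #10, turned into an offline check (an added example, not part of the original thread): it parses a REGEDIT4-style registry export and system.ini text, lists every Run-key entry for review, and flags a shell\open\command handler or Shell= line that differs from the defaults the list gives. The sample export, sample ini and all function names are constructed for illustration.

```python
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
SHELL_CMD = re.compile(r"\\(exe|com|bat|hta|pif)file\\shell\\open\\command$", re.I)
EXPECTED_HANDLER = '"%1" %*'  # default handler value shown in method 8

# Constructed sample data, shaped like the entries quoted in the post.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\\runfolder\\program.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''
SAMPLE_INI = "[boot]\nShell=Explorer.exe file.exe\n"

def unescape(s):
    # .reg exports write \\ for a backslash and \" for a quote
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
                yield key, name, unescape(m.group(2))

def audit_registry(text):
    """Run-key values are listed for review; altered handlers are flagged."""
    findings = []
    for key, name, data in parse_reg(text):
        if RUN_KEY.search(key):
            findings.append(("autostart", key, name, data))
        elif SHELL_CMD.search(key) and name == "@" and data != EXPECTED_HANDLER:
            findings.append(("shell-spawn", key, name, data))
    return findings

def audit_system_ini(text):
    """Return programs other than Explorer.exe on the [boot] Shell= line."""
    m = re.search(r"(?im)^\[boot\][^\[]*?^\s*shell\s*=([^\r\n]*)", text)
    return [p for p in m.group(1).split() if p.lower() != "explorer.exe"] if m else []
```

An "autostart" finding is only an inventory line, since legitimate software also uses the Run keys; each listed path still has to be checked by hand.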
