RPCXSOCSA.EXE - Service that takes over internet connection

Discussion in 'malware problems & news' started by jreh, Feb 10, 2005.

Thread Status:
Not open for further replies.
  1. jreh

    jreh Registered Member

    Joined:
    Feb 10, 2005
    Posts:
    7
    Location:
    Upstate NY
    I recently noticed a service that stays at 4,280K until I dial into the internet. It then uses between 50 and 100% of my available bandwidth and begins to grow. I have watched it grow to around 10.5K before I closed the process.

    When researching the process on my PC, I found that it calls itself "Social Security Agency".

    I can not find any mention of this process on the internet.

    Has anyone seen this process?

    JR
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    This one looks mighty suspicious, does your AV say you are clean? Try disabling the Service (by clicking Start/Control Panel/Performance And Maintenance/Administrative Tools/Services, to bring up the Services box; then set it to 'Disable' in the 'Startup Type' dropdown box) and see if it starts up again.

    Have you noticed any other changes such as new BHO's, Toolbars, autostarts and the like? Make sure you are not letting unknown processes access the internet through your FW.

    This one needs further investigation. You should do a full system scan in 'safe mode' with your AV; and you can get a second opinion by doing an online scan here:- http://housecall.trendmicro.com/

    If this all comes up clean it could be that you have an entirely new piece of malware - but you don't mention what AV you have been using, or what it says.
     
    Last edited: Feb 10, 2005
  3. jreh

    jreh Registered Member

    Joined:
    Feb 10, 2005
    Posts:
    7
    Location:
    Upstate NY
    Thanks for the reply.

    Let me start by answering your questions:

    1. Norton AV 2005 cannot find this problem in normal or safe modes.
    2. I believe that I confused a service with a process. This process can be found in the task manager. I cannot find any reference to it in the services manager.
    3. I have not noticed any changes to my browser. I am using Spyware Blaster and Guard. They seem to catch most if not all of these problems.
    4. TrendMicro found a Java bug but could not remove it. (file in use) I then ran Norton AV in safe mode and the problem was removed.

    Some other observations:
    1. As mentioned in my original post, the .exe file is referenced in my startup manager (twice) as "Social Security Agency" - My registry and All Users Registry.
    2. If I uncheck both references to disable these startup items then reboot, the processes are restarted with 2 new references.

    Some questions:
    1. Can this problem be associated with a legitimate application? Such as a spyware/AV program trying to update itself.
    2. Is there a way of tracing the .exe to its source?
    3. Is there a way to trace which internet site the process is downloading information from? My only firewall is the one that comes with XP.

    Machine specs:
    1. Windows XP Pro w/ SP1... running as a domain PC on my home LAN
    2. Norton AV 2005, Spyware Blaster and Spyware Guard, Adaware SE, Spybot Search and Destroy
    3. This is a dual boot (both XP) machine with no evidence of this problem on the other boot. Boot 1 is for work and internet activities. Boot 2 is for gaming.
    4. Dialup Internet access - no broadband available in these mountains where the men are men and the sheep are... well you know the rest

    Any help you can give me is greatly appreciated. I have a feeling that this problem will only get worse as time goes on.
    JR
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Bad news: this Social Security Agency is actually a Government agency that is tracking you. I think the Government ordered the ISP to install it on people's computers to collect evidence. The Government is spying on some people.
    http://www.ssani.gov.uk/
    You cannot get rid of this process, I think. This does not seem suspicious at all; it's actually the Government itself tracking its own citizens' internet behaviour.
     
  5. jreh

    jreh Registered Member

    Joined:
    Feb 10, 2005
    Posts:
    7
    Location:
    Upstate NY
    And to think that I started my computer career designing 3080 and 3090 mainframe computers for IBM, whose biggest customer was the government of the US.

    If this is true, it is very disturbing. I have worked (still do) and paid my taxes my whole career. I served proudly in the US Army Special Forces and have always supported my government.

    The only thing I can think of is my son recently returned from war in Iraq (US Navy) and on his return he married a Russian woman. I can see this raising a few eyebrows but tracking my Internet use is beginning to make me paranoid.

    I wonder if this is legal and, if not, who do I complain to? If it is legal, who do I complain to?

    If anyone can tell me how to remove this file, please advise. In the meantime, I will contact my government to see what's up.

    Since this is a tracking process, should I continue to post any information I find in this forum?

    Thanks for the help.

    John Reh
    From the land of the free?
     
    Last edited: Feb 11, 2005
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    This is unlikely to be a legitimate process; it is entirely unknown, and if it were legitimate someone else somewhere would have it besides you! Much more likely it is malware of some sort with a randomly assigned file name. It doesn't look like it is a browser hijacker, else SpywareGuard would have jumped to attention. But it could be a Trojan, and if it is it will have free access through your FW because the Windows XP FW is only unidirectional and will not stop stuff getting out. You should install a bi-directional FW, like Zone Alarm which is free. You would be able to refer to the FW logs to see what processes were attempting to contact what IP address etc.

    To find out the file path to this file click Start/Search/All Files & Folders, tick 'Search hidden files & folders' in the 'More Advanced Options' section, then run a search for RPCXSOCSA.EXE. You then want to navigate to the file in Windows Explorer and attempt to delete it; you would first need to halt the process in Task Manager though. Try this and see what happens.

    When using Windows Explorer you would need to 'unhide' hidden files as follows:-
    1. Select "Tools" from the menu on top.
    2. Select "Folder Options".
    3. Select the "View" tab.
    4. Scroll down and Select "Show hidden files and folders".
    5. Unselect "Hide extensions for known file types".
    6. Unselect "Hide protected operating system files".
    7. If you get a "warning" prompt, say yes you want to do it anyway.
    8. Click Apply and Ok.

    You also say you had a Java bug, probably this was something in your cache; it's best, in any case, to have a good cleanout of your temp files etc., so D/L and run CCleaner from here:- http://www.ccleaner.com/

    Finally, I don't believe for one moment this is a Government thing, but if you needed to complain I guess you'd contact:-

    Your US Senators and Representative -

    http://www.senate.gov/

    http://clerk.house.gov/members/index.html

    P.S. - as an afterthought, a really good way of finding out info on running processes is to use Process Explorer from here:- http://sysinternals.com/ntw2k/freeware/procexp.shtml
    A right click on a process will enable you to bring up the Properties box which should give file path etc.

    PPS - Above I referred to the file as being randomly named - but of course it isn't! RPCSS.exe (Remote Procedure Call) is a legitimate process, and this appears to be calling itself RPC X SOCial Security Agency - very, very suspicious indeed!!
     
    Last edited: Feb 11, 2005
  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Seems like I got the wrong idea from that Social Security Agency name! Instead I thought it was the government. :eek:
    Ok, I thought about this for some time, and it certainly is not the government up to any funny tricks. :D It's a file that is most likely a trojan.

    Follow topper's instructions and search for the file, if you can find the file post its properties back here.
    If the file is really a trojan, then I suggest you run TDS-3 from www.diamondcs.com.au

    If you've any more questions just post it back here.
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since my searches are coming up empty....would you Please verify the spelling of that file and also....locate the file, check its properties and post any of that info that might be of value in helping you determine the origin.

    Also....even with my limited knowledge of XP's firewall ? ....I'm almost certain Windows XP Internet Connection Firewall does not monitor the outgoing connections from your computer....which in your case would possibly help in determining or tracing which internet site the process is possibly downloading information from\to.

    Having said that....I suggest you visit our Other Firewalls Forum....and start a thread for member suggestions concerning your lack of outbound protection. Also....as part of that Forum is an interesting Sticky thread that contains useful info about true Firewall(inbound\outbound) protection....Other Firewalls Sticky Posts and Other Useful Links
     
  9. jreh

    jreh Registered Member

    Joined:
    Feb 10, 2005
    Posts:
    7
    Location:
    Upstate NY
    First I would like to thank everyone for all of the help you have given me.

    I followed the instructions from previous posts and TDS-3 did the trick.

    The application identified the .exe file as a DCOM RPC Exploit and I was able to remove the file. Unfortunately I was not able to configure the built-in email program which would have enabled me to send the file to the experts.

    Thanks again and I know I have found a new home for help and information.

    John Reh
     
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  11. jreh

    jreh Registered Member

    Joined:
    Feb 10, 2005
    Posts:
    7
    Location:
    Upstate NY
    The first and only time that I tried to install SP2, my PC choked on it. After doing some investigating, I found that my BIOS was to blame and needed to be flashed.

    Before flashing, I thought I should do some homework. My system is a 3.2G Prescott P4 sitting in a DFI LanParty board with 1G ram, 228G SATA Raid 1, and 120G standard IDE. This was a long winded story which leads to the DFI board.

    I downloaded a copy of Everest Home (pretty good program!) and found that my BIOS is labeled " (875LD409) EVALUATION ROM - NOT FOR SALE"

    To be fair to DFI, they did rush me a new BIOS after the first one did not work at all. But I hesitate to flash this thing on my own. My thoughts are that I will try to get by with my system in its current state until I can justify (to my wife) a new PC. Then send the BIOS chip off to DFI for a flash.

    Anyway, TDS-3 is an excellent tool, as is all of the software I looked at in DiamondCS' site. I look forward to learning as much as time will allow about all of Diamonds' apps.

    BTW - Zone Alarm now resides at my front/back door and when finances allow, I think I will invest in Norton Internet Security (Your thoughts?). My reason for not wanting to stick with ZA is the number of redundant (ZA) learning problems encountered, i.e. how many times do I need to tell ZA that it is OK for my Win2K server to execute its Time Server process? I guess I should not complain... ZA is helping me protect my stuff at no charge!

    JR
     
    Last edited: Feb 14, 2005
  12. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It's unfortunate that you are one of those people who have had problems with SP2, because it is much safer than SP1.

    Asking for opinions on Norton products on this Forum is a little bit like waving a red flag at a bull! Several of us have experienced problems in the past with poor technical support from Symantec, product instability and unreliability, difficulties with uninstalling Norton and the fact that, as market leader, Norton is itself a target for malware which is designed to shut it down.

    Having said that, for most users, Norton seems to do a good job, but I would not go so far as to recommend it! The FW is certainly much better than the XP SP1 FW, and is very easy to run, but it is not as safe as Zone Alarm. For one thing it seems to allow some progs to create their own access rules, which always seems dangerous to me. There is always a trade-off between security and ease of use, once you become familiar with ZA you should find it OK.

    I'm also a little bit disappointed that Norton failed to recognise your problem; the DCOM RPC exploit seems to be well known and established, so you should not have had to rely upon a specialist anti-trojan like TDS3. I like to think that AVs such as Kaspersky or NOD32 would have done better!

    Finally, the DiamondCS product that a lot of us at Wilders like to run is Process Guard, this should be able to prevent a Trojan, or other malware, from executing on your machine even if it gets past your AV and AT.
     
  13. jreh

    jreh Registered Member

    Joined:
    Feb 10, 2005
    Posts:
    7
    Location:
    Upstate NY
    I am going with your advice and sticking to ZA. I just purchased the full copy of Process Guard and Zone Alarm is next.

    I did run into a problem when I tried to purchase TDS-3. Diamond's web site recommends making the purchase with register.exe, which is included in the TDS directory. It would appear that the exe app is not working. It just re-directs me back to Diamond's web site, which in turn tells me to use register.exe. I tried using Mozilla and IE with no success. I sent an email to Diamond to ask for assistance.

    On another note, right now I have Process Guard, SpywareGuard, Norton AV, and Zone Alarm resident in my system tray. Is this sufficient or do I need something else to complete the suite?
     
  14. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The most important things, securitywise, apart from windows updates and browser settings, are your AV and FW; all the rest tends to be personal choice. There are some excellent free programs available but I don't think it is necessarily a good idea to pile everything on - it is better to make a balanced selection.

    The only additional item you may care to try in your tray is the new Ms-AS ( http://www.microsoft.com/downloads/...a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en ); this is based on Giant AS (which I use) and is very good. It is also worth getting Lavasoft's AdAware for AS demand scans. Both of these are free.

    WinPatrol is another nice free prog to consider, it monitors critical areas of your Registry for changes, but there will be overlap of function with SpywareGuard and Ms-AS. SpywareBlaster does not sit in your tray and does not 'run' as such, and is therefore certainly worth installing.

    For me the 5 progs I like to have in my tray are: AV, AT, AS, FW and PG. This gives me all the cover I need! (The full version of PG is definitely superior in protection than the free version!).

    I'm not familiar with TDS3, because I use Ewido, but that is personal choice - not because I think it is better or worse! - but if you have particular queries about it I'm sure you will find the TDS3 section of this Forum very helpful (the same goes for PG!).
     
    Last edited: Feb 16, 2005
  15. flyboyqw

    flyboyqw Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    1
    Hey guys,

    I found the file on my computer (ZA detected an internet connection attempt) about a week ago, but when I googled it then, I found nothing, so it must be something new.

    I tried to disassemble the file with IDAPro415 and W32dasm 8.93, but it didn't work. I also didn't find any text in the file with a hex editor. Anyway, I tried to upload the file to this forum, but it only supports images. Where should I send the file to?

    Thanks
     
  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Why not send it here:- http://www.ewido.net/en/malware/

    Ewido is a specialist anti-trojan, so I'm sure they would be interested in something new.

    Or you could try DiamondCS or your own AV company.

    PS - If you do submit this file, please let us know the result!
     
  17. tech guy

    tech guy Guest

    OK, restart your computer, press F5 during boot and start up in safe mode, log in as administrator and run HijackThis! Scan and fix rpcxsocsa.exe, then log off, log onto all the users and do the same. Then go to Windows, then Prefetch, and delete the .pf file; it's called rpcxscsa.pf or something like that. Reboot and try HijackThis one more time; if it doesn't show up you're all good, if it shows up again try the steps again. HijackThis link is http://www.majorgeeks.com/download3155.html
    This has worked for a week so far.
    Please reply. Tech guy
     
  18. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You'd probably be better off banging F8 if you want to go into 'safe'! See here:- http://www.bleepingcomputer.com/forums/tutorial61.html

    This thing certainly seems to be spreading, but if ATs like TDS3 can handle it, I guess that would be a better option for most people. There may be some associated files we don't yet know about. It would be good if someone could bring up the properties box for RPCXSOCSA.EXE and note its date and time stamp, and then run a search for files of the same date and time.
     
  19. tech guy

    tech guy Guest

    sorry guy's forgot to tell you i'm running win xp pro
     
  20. Lisajd

    Lisajd Registered Member

    Joined:
    Mar 2, 2005
    Posts:
    6
    man these files are driving one of my friends nuts and we've worked on it all day....I want to thank all of you guys for posting as most have helped.....Her problem was she couldn't get to the web. WFW was blocking these files named RPCXSAIS, RPCXSOCSA and RPCXUISU.....

    I was able to find info on the SOCSA in a bunch of places, one hit on the rpcxsais but none on the rpcxuisu. if she shut them down in "services" she was able to connect to the internet (via dialup, yeah there are people who still use dial up). We've done everything including changing all the ad ware settings to those of the above post and at this point everything is coming up clean...did a spybot and of course nav in safe mode.

    We followed the instructions to remove them from the prefetch location and voilà, they come back.... The three files are in the "start up" location and I disabled them all and she is not having the problem; should we figure out how to totally remove them from her system or should she be ok since they are now disabled?

    again thanks for all the posts, i love google.......oh the first few scans we did came up with some xxxtoolbar and windows ad status and something called dyfuca, but at this point they seem to have all been corrected...

    you guys are so much more able than calling any other tech supports, these boards are a wealth of information even for a relative computer dummy like me..

    Lisa
     
  21. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Hi Lisa

    I'm not quite sure what you mean by disabling files in the "start up" location. Do you mean the files appear as entries in the 'Startup' tab of msconfig and you unticked them there, or do you mean they appear as processes in Task Manager' and you terminated them there?

    You sure don't want these things on your system disabled or not! What is the exact name and file path of the files, and do they have an .exe extension?

    Since it was successful for others, I'd have thought the best idea would be to download and run TDS3, or another Anti-Trojan like Ewido, have you tried that?
     
  22. Lisajd

    Lisajd Registered Member

    Joined:
    Mar 2, 2005
    Posts:
    6
    Topper, we disabled them in "services" thru msconfig, stopped them and unchecked the boxes...

    One of them was located in C:\Windows\Prefetch, after stopping the process, we did as instructed in another post and deleted them from the prefetch files but it was not successful...

    I'm going to have her do a file search again for all three of them and copy me with their exact locations...

    thanks for the response and i'll have her try that program too!

    Lis
     
  23. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    So this thing has given you 3 running Services, that sounds a bit ominous!

    I wish you luck with running the Anti-Trojan, which is your best bet at the moment. I feel you may have some other files you are not yet aware of!
     
  24. Lisajd

    Lisajd Registered Member

    Joined:
    Mar 2, 2005
    Posts:
    6
    Ok, here is what i've found, the location of these files is Software/microsoft/windows/currentversion/run

    when I go into the registry editor, I looked in all five files, current user, local machine, user, current config and class roots. couldn't find them anywhere.....did a "find" search of the registry and found the following

    000 reg_sz rpcxuisu.exe
    001 reg_sv rpcxsocsa.exe
    002 reg_sv rpcxsais.exe
    003 reg_sv rpcxuisu
    004 reg_sv rpcxsocsa
    005 reg_sv rpcxsais


    does any of this make any sense to anyone.....in the meantime I have her loading the TDS trojan program, but that's going to take a while as she is on dial up...

    thanks guys/gals.....
     
  25. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    HKLM/Software/microsoft/windows/currentversion/run and HKCU/Software/microsoft/windows/currentversion/run are Registry locations for autoruns. If you look at the 'Startup' tab in msconfig you should see these executables listed there. If you untick them then, in theory, you should stop them from autostarting at bootup - but I fear this would be futile since the underlying trojan will simply start them up again. If they are currently running processes you will also see them in Task Manager, under the Processes tab. Again you could terminate them by clicking 'end process' - but they will probably start up again! No harm in trying these things though.

    When TDS3 is up and running go into 'safe' to use it. In the meantime look to your Firewall to make sure this thing is not sending info out of your machine.
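An added example, not code from the thread or from any tool it names: a PowerShell script that enumerates the two Run keys TopperID describes and reports, for each autorun entry, what is worth checking before deleting the file. It assumes Windows PowerShell 5.1 or later; the "rpc" lookalike heuristic is taken from TopperID's earlier point about RPCSS, and the LastWrite column supports the suggestion to search for other files with the same date and time.

```powershell
# Added example (not from the thread). Lists autoruns under the HKLM and HKCU
# Run keys and reports: does the image exist, is it signed, when was it last
# written, and does its name borrow the "rpc" prefix of the legitimate RPCSS
# service while living outside System32. Assumes Windows PowerShell 5.1+.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Properties the registry provider adds to every Get-ItemProperty result.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Extract the executable from a Run value such as
#   "C:\Program Files\Tool\tool.exe" /quiet    or    rpcxsocsa.exe
function Resolve-RunCommand {
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $close = $cmd.IndexOf('"', 1)
        $exe = if ($close -gt 0) { $cmd.Substring(1, $close - 1) } else { $cmd.Substring(1) }
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        # A bare file name is resolved through the search path at logon,
        # so resolve it the same way to learn which copy actually runs.
        $hit = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue
        if ($hit) { $exe = $hit.Source }
    }
    return $exe
}

function Get-RunKeyAutoruns {
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        foreach ($p in $entries.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $exe    = Resolve-RunCommand ([string]$p.Value)
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
            $name   = [IO.Path]::GetFileName($exe)
            [pscustomobject]@{
                Key       = $key
                ValueName = $p.Name
                Command   = $p.Value
                Image     = $exe
                Exists    = $exists
                Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
                LastWrite = if ($exists) { (Get-Item -LiteralPath $exe).LastWriteTime } else { $null }
                # Heuristic from this thread: an "rpc*" name outside System32
                # is a lookalike of a system process, not the real thing.
                Lookalike = ($name -like 'rpc*') -and -not $exe.StartsWith($system32, 'OrdinalIgnoreCase')
            }
        }
    }
}

# Lookalikes first; unsigned or missing images are the next things to read.
Get-RunKeyAutoruns | Sort-Object Lookalike -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so both hives are readable; entries that a cleanup has already removed from disk show Exists = False, which is itself a sign the Run value should go.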
     