RPCXSOCSA.EXE - Service that takes over internet connection

Discussion in 'malware problems & news' started by jreh, Feb 10, 2005.

Thread Status:
Not open for further replies.
  1. Lisajd

    Lisajd Registered Member

    Joined:
    Mar 2, 2005
    Posts:
    6
    We ran the TDS-3; didn't do it in safe mode, found no trojans. What does running it in safe mode do?

    Unfortunately Windows Firewall isn't full of reports and stuff; I'll go fish around in there and see if I can find anything on it....
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    No, don't bother with Windows FW; it only prevents incoming traffic. You want to stop stuff going out, for which you require a bi-directional FW, as discussed earlier in this thread.

    Safe mode ensures only the minimum of important progs are running and therefore makes it easier to get rid of nasties that, hopefully, will not be able to run in 'safe'.

    Can you see any of these files in msconfig startup tab and Task Manager processes?

    Also do a search for the file path using Start/Search/All Files & Folders, being sure to click 'More Advanced Options' and place a tick in the 'Search Hidden Files & Folders' box. Let us know if you can find the exact file path.
     
  3. Lisajd

    Lisajd Registered Member

    Joined:
    Mar 2, 2005
    Posts:
    6
    All three are in msconfig Startup, but only there since we unchecked the boxes and shut them down...they are not listed in services or in task manager.

    All are shown to be located in what I quoted before: Software/microsoft/windows/currentversion/run

    The only way to find them in regedit is to do a "find", and I posted above what I found.....the six entries....three with the .exe and three without

    Life was simple before computers...but thanks for the time you are spending with me...

    L
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Could you click Control Panel/Performance & Maintenance/Administrative Tools/Services to bring up the Services box and confirm that there is nothing there.

    In order to delete the files we have to know exactly where they are on your system. We know there are Registry entries - but unless we can find the files we can't tackle the problem. Have a look in msconfig/startup and look under the command column, this will give the file path. Post exactly what it says here. Also run that search.

    It is getting late here, but tomorrow I'll try and suggest a way of deleting the files - if we can find them!
     
  5. Lisajd

    Lisajd Registered Member

    Joined:
    Mar 2, 2005
    Posts:
    6
    Yup, we checked in services yesterday and I just had her check again; no reference to any of those files.

    And the only location I have starts Software\Microsoft\Windows\CurrentVersion\Run

    nothing before or after......just doesn't make sense...

    Go get some sleep, I ain't going anywhere...lol...thanks again

    L
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    O.K., just to make one point clear, the location HKLM (or HKCU)\Software\Microsoft\Windows\CurrentVersion\Run is the place in the Registry where these files are entered to allow them to start at bootup as 'autoruns'. It is just a Registry entry, not the actual location of the .exe files themselves!

    To find these you should look for rpcxuisu.exe, rpcxsocsa.exe and rpcxsais.exe in the startup tab of msconfig, and under the 'command' column you will find the exact file path. You can then use Windows Explorer to navigate to the relevant locations (remembering firstly to 'unhide' your hidden files - as explained in post 6 in this thread). When you find the files in Explorer you should ideally right click to bring up the properties box, make a note of the exact date and time of the creation of these files, and if it is the same, run a 'search' for any other files of the same date/time. This may reveal some other underlying files we are unaware of.

    When you know the exact file paths of the things you wish to get rid of, post it here and I will suggest a way of trying to delete them.

    As an afterthought may I warn you that this may not be successful. It is possible you have a problem best dealt with by submitting a HijackThis log and unfortunately they no longer do those at Wilders - see here:- https://www.wilderssecurity.com/showthread.php?t=42149

    If it comes to that though I will advise you how best to proceed.
     
    Last edited: Mar 4, 2005
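    The procedure TopperID describes above (read the Run autorun entries, resolve each command to its file path, note the file's creation time, then look for other files created at the same moment) can be done in one pass from an elevated PowerShell prompt. This is an added example, not code from the thread; the three file names are the ones named in the posts, and the one-minute window for "same creation time" is an assumption.

```powershell
# Added example (not from the thread): list HKLM/HKCU Run entries, resolve the
# command to a file, and report creation times so related files can be found.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# File names discussed in the thread; flagged if seen in an autorun entry.
$suspect = @('rpcxuisu.exe', 'rpcxsocsa.exe', 'rpcxsais.exe')

function Resolve-AutorunPath {
    param([string]$Command)
    # Keep only the executable: strip surrounding quotes and trailing arguments.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $exe = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.TrimStart('"') }
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty adds to the object.
    foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $path = Resolve-AutorunPath $entry.Value
        $flag = if ($suspect -contains (Split-Path $path -Leaf).ToLower()) { 'SUSPECT' } else { '' }
        if (Test-Path $path) {
            $f = Get-Item $path -Force   # -Force also returns hidden files, as advised above
            "{0,-8} {1,-20} {2}  created {3}" -f $flag, $entry.Name, $path, $f.CreationTime
            if ($flag) {
                # Other files in the same folder created within a minute (assumed window)
                Get-ChildItem (Split-Path $path) -Force -File |
                    Where-Object { $_.FullName -ne $f.FullName -and
                                   [math]::Abs(($_.CreationTime - $f.CreationTime).TotalSeconds) -lt 60 } |
                    ForEach-Object { "         related: $($_.FullName)  created $($_.CreationTime)" }
            }
        } else {
            "{0,-8} {1,-20} {2}  (file not found on disk)" -f $flag, $entry.Name, $path
        }
    }
}
```

    An entry whose file is reported as not found on disk is still worth noting: a Run value can point at a path that is hidden, already removed, or expressed with environment variables the current user does not have set.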
  7. Wardogzzz

    Wardogzzz Registered Member

    Joined:
    Sep 13, 2005
    Posts:
    1
    When I ran Norton on my machine it did not initially come up with anything. Then I downloaded and ran (from floppy! write protected! talk about getting back to the rudimentary basics for me!) :eek: the malicious software removal tool from Microsoft and that located a portion of a backdoor virus. I then ran Norton again and BAM! It located the Backdoor: Win32/ROB.Gen virus. Now what is interesting is that when I looked at what files were being reported as infected it pointed directly to the very file that you are discussing here plus a few others that are very similar to these executables. What is also interesting is that in my firewall these services are automatically coming up as configured for full access to the internet! Since then I have totally blocked all access and have yet to run into a problem. I'm currently running Symantec's corporate edition firewall and it gives you this option; you may want to see if this would clear up any problems you might be having.
     