
What is rtsal.exe

Discussion in 'Malware and Virus Removal Archive' started by GNevill, 2005/05/16.

Thread Status:
Not open for further replies.
  1. 2005/05/16
    GNevill

    GNevill Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    25
    Likes Received:
    0
    Hi, has anyone seen the above program before? I cannot find any reference to it with a Google search.

    A friend has asked me to look at his Windows 2000 PC because Zone Alarm keeps flagging this program trying to access the internet. He also had messages about foo.exe and videodrv.exe, which are the Mimail virus and were found by AVG when I installed it, but nothing was said about rtsal.exe.

    I ran Housecall, Microsoft Antispyware, Adaware SE and Spybot S&D, and Adaware showed it as a running process. I stopped the process and it does not seem to have come back.

    Zone Alarm gave the disk address as c:\winnt\system32\rtsal.exe, but I cannot see the file when I look. There are 3 entries in the registry for it:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "plug compres "= "rtsal.exe "

    [HKEY_USERS\S-1-5-21-57989841-854245398-1917505955-1000\Software\Microsoft\OLE]
    "plug compres "= "rtsal.exe "

    [HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
    "plug compres "= "rtsal.exe "

    Is it OK just to delete these entries, or do I need to search some more? I used Agent Ransack to search for the name, and the only other files it occurred in are in c:\winnt\Internet Logs, presumably the occurrences of it trying to access the internet.

    I have run HijackThis as well and append the listing.

    I suspect that this may be another part of the Mimail virus. All help and comments are welcome.

    Nev


    Logfile of HijackThis v1.99.1
    Scan saved at 23:06:35, on 16/05/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\ScsiAccess.EXE
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I0M2.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
    C:\OPLIMIT\ocrawr32.exe
    E:\UTILS\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ballasthamdredging.com/
    F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I0M2.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600 "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\RunServices: [plug compres] rtsal.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
     
  2. 2005/05/16
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I couldn't find it on Google, and those registry values do not exist on my system. You could get rid of the "plug compres "= "rtsal.exe ", and only that; leave the key that they are in.
    HijackThis has some additional tools to use on this file. When it first opens, click on 'Open miscellaneous tools'. After a scan is done you would need to click on the 'Config' button, then 'Misc Tools'; both methods take you to the same place.
    In this section, first click on 'Open process manager' and look for rtsal.exe. If found, take a note of its location; it may appear like this:
    c:\windows\system32\rtsal.exe
    Highlight it, and then click on 'Kill process'.
    Then click on 'Delete a file on reboot'; a File Open window will appear. Paste the path and filename into it, and click on Open. You will then be prompted to reboot.

    Remove this entry in HJT.

    O4 - HKLM\..\RunServices: [plug compres] rtsal.exe

    Reboot.
     


  4. 2005/05/17
    GNevill

    GNevill Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    25
    Likes Received:
    0
    Thanks Mark,

    Deleting the data entries in the registry seemed to work. The process was not running and has not been since I stopped it with Task Manager.

    I am a little confused that I could not find the program in the \winnt\system32 folder, even when it was running. Does that mean that it had some cunning method of hiding itself, and could it restart? Maybe it was part of the Mimail virus that I deleted?

    Anyway at least my friend has the sense not to allow the thing to access the internet. He is just about to sign up for broadband so I needed to check his defences!

    Thanks again.

    Nev
     
  5. 2005/05/19
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    The file may have had System and Hidden attributes, plus XP has different ways of hiding files. Some viruses are known to delete their startups as Windows starts up, then put them back when Windows shuts down.
    I recommend Spywareblaster, and the IEspy-ads file from the link below.
    To really make use of these, go into Internet Options, then into the Security tab. Highlight the Restricted icon, then click on Custom. Then set everything there to Disable, or High if Disable is not there, and Password to Prompt. After doing this, if you get the message that 'ActiveX controls are disabled on this webpage...' when surfing, ignore it, as it has nothing to do with what you see on the webpage. It would most likely be one of those sites in the Restricted Zone being accessed, and they are stopped from doing a "drive-by installation".
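    The two points in this reply (an autostart value that survives in an unusual key, and a file that Explorer does not show because of its Hidden/System attributes) can be re-checked from a shell. The script below is an added example written for this thread, not code posted by anyone in it, and it assumes a current Windows host with PowerShell (which the Windows 2000 machine here did not have); the value name, file name and registry locations are the ones from the posted .reg export.

```powershell
# Added example (not from the thread): audit the autostart locations that held the
# "plug compres" value and look for the referenced file with hidden/system entries shown.
# Names below are the ones reported in the thread; change them for another case.
$ValueName = 'plug compres'
$FileName  = 'rtsal.exe'

# Standard Run keys plus the locations from the posted export. HKEY_USERS hives are
# enumerated instead of hard-coding the single SID that appeared in the thread.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
    $keys += "HKU:\$($hive.PSChildName)\Software\Microsoft\OLE"   # the odd location used here
}

# Get-ItemProperty adds provider bookkeeping properties; these are not registry values.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $data = [string]$p.Value
        # Trim(): the export showed the value name with a trailing space ("plug compres ").
        if ($p.Name.Trim() -eq $ValueName -or $data -match [regex]::Escape($FileName)) {
            # Report only. As the reply says, remove the value, not the key it sits in.
            Write-Output ('[autostart] {0}  "{1}" = "{2}"' -f $key, $p.Name, $data)
        }
    }
}

# Explorer and a plain directory listing omit Hidden/System files; -Force includes them,
# and the attributes column shows why the poster could not see the file.
$sysdir = [Environment]::SystemDirectory
$hits = @(Get-ChildItem -Path $sysdir -Filter $FileName -Force -ErrorAction SilentlyContinue)
if ($hits.Count -eq 0) {
    Write-Output "[file] $FileName not present in $sysdir (hidden and system files included)"
}
foreach ($f in $hits) {
    Write-Output ('[file] {0}  attrs={1}  size={2}  modified={3:u}' -f $f.FullName, $f.Attributes, $f.Length, $f.LastWriteTime)
}
```

Run it from an elevated prompt so the HKEY_USERS hives of other logged-on accounts are readable; a hit under a per-user OLE key with no matching file on disk is consistent with the startup entry being re-created at shutdown, as described above.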
     
  6. 2005/05/20
    GNevill

    GNevill Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    25
    Likes Received:
    0
    Thanks Mark,

    I have given the PC back and hopefully it will not be attacked for a long time now.

    Is it OK to run SpywareBlaster and the Microsoft AntiSpyware protection together? I hope so.

    Nev
     
  7. 2005/05/20
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Yes, you can. Spywareblaster is a program that inserts sites into the Restricted Zone, and doesn't need to be memory resident to do its job. After the sites are there, or "All Protections Enabled", Spywareblaster no longer needs to be running. This is where Internet Explorer does its job (hopefully): whenever one of those sites is referred to as a first-party or third-party website, it is subject to the Restricted settings.
    If you see Restricted or Mixed Zone (Unknown) in the lower right of IE, where it usually says "Internet", you know one of those sites is being called up. In some cases you will get a warning that "ActiveX controls are disabled on this site and some items may not appear properly" on 9x systems; this is another clue that one of those sites is being called up. With an XP system, you get a warning bar just below the Address bar.
    Just click OK on the warning box or close the bar, and forget about it. ActiveX has nothing to do with the appearance of the page; it is a way for websites to install and run programs on your computer.
     