rtshost.exe virus symptoms and removal, rtshost.exe is not to be confused with rdshost.exe Options

[Razor]

I posted this up on the CWABoard, so I thought I'd post it up here too, hoping Google Bots will pick up on it because Google brings back no relevant results when "rtshost.exe" is searched for..





--This tutorial will be for Windows XP (Service Pack 3 recommended) as that is the O/S I'm running--


Hello, 2 days ago Automatic Updates was turned off when I booted my pc up, I wont go into any details but no matter what you try to fix this problem, upon reboot the Automatic Updates service will be deleted if your computer is infected with rtshost.exe

Okay now I'm posting this here because a Google search for rtshost.exe brings up no useful results, so I thought that maybe this would help people in the future:

Please Note: rtshost.exe will be called "Running Task Manager" or something similar to this in your firewall.




Symptoms

Windows Automatic Updates turned off.
Unable to turn Automatic Updates on in the Windows Security Center.
Able to turn on Automatic Updates in the Automatic Updates window (yet this will make no difference to Automatic Updates.)
The Automatic Updates service has been deleted from the list of services in services.msc

I didn't experience any other problems caused by the virus.




Removal

Here is how I got rid of the virus:




Reinstalling the Automatic Updates service

1. Go to Start>Run then copy and paste this command "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall
132 %SystemRoot%\inf\au.inf " (without quotes).

2. Insert your Windows XP disc into your CD/DVD drive and locate the 'i386' folder on the CD and then locate the file specified.

3. Once the Automatic Updates service is installed you may be prompted to reboot your computer.. DO NOT, you will just be back to square one after you reboot.





Removal of rtshost.exe

1. I went into my firewall (I'm using NOD32 Security Center) and denied all internet access to rtshost.exe

2. I went into Start>Search and search for "rtshost.exe" (without quotes), this brought back 1 file that was in the X:\WINDOWS\Prefetch folder, it will be named "RTSHOST.EXE-<numberstring>.PF (the number string will of course be replaced by a string of numbers.)

3. Upon deletion of this file you'll want to go and download Unlocker from here.

4. You MUST open up Layout.ini and copy all of the contents and open a .txt document and paste it in there and save the document as <anything>.txt (I'm glad I backed up the contents, you'll find out when the virus is gone)

5. Once Unlocker is installed, right-click on Layout.ini and click on 'Unlocker' then delete the file.

6. Go Start>Run and type in "regedit.exe" (without quotes) and when the Registry editor starts up click on File>Find... (Ctrl+F) and search for "rtshost" (without quotes).

I found 3 entries: 1 in HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run and 2 in HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce, I didn't make a note of where the 3rd registry value was but I think it might be in HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices

7. Delete all of the rtshost registry values that the search brings back and then close the Registry Editor.

8. Go into Task Manager (Ctrl+Alt+Delete) and click on the Processes tab, search the list of running processes for "rtshost.exe", if there are 2 processes called rtshost.exe, then end the process using the least Memory Usage first. Once done close Task Manager.

9. Open Start>Run and type "msconfig" (without quotes) and go into the Startup tab, uncheck the checkbox next to "Running Task Manager - rtshost.exe" then click on Apply and OK.
You will probably be prompted to reboot, if you are able to choose not to reboot, then do not reboot.

10. Reboot your computer as you would normally.

Please Note: After you reboot, you'll probably notice (if you're using custom windows themes, that they will not be recognised).

11. Once your computer has started up you will want to open up the .txt document that contains the contents of Layout.ini, once you've opened the .txt document search (Ctrl+F) for "rtshost" (without quotes) and delete the line in which rtshost appears.

12. Save this modified .txt document as "Layout.ini" (make sure you do not add .txt after .ini) in X:\WINDOWS\Prefetch

13. Reboot your computer as you normally would.

14. Once the computer starts you may have to replace X:\WINDOWS\system32\uxtheme.dll again before being able to use custom themes again.


UXTHEME.DLL PATCHER can be found here and will work with almost all Service packed versions on XP.




Please Note: If you replace uxtheme.dll with a patched version for a Service Packed operating system that you are not currently running your computer will be unbootable.



That's it, well that's all I did and now my Automatic Updates is running smoothly.


I hope this helps people out in the future and will at least bring something useful up on a Google Search.


one more thing: rtshost.exe is not to be confused with rdshost.exe, rdshost.exe is a valid windows process.

[dorsef]

I posted this up on the CWABoard, so I thought I'd post it up here too, hoping Google Bots will pick up on it because Google brings back no relevant results when "rtshost.exe" is searched for..





--This tutorial will be for Windows XP (Service Pack 3 recommended) as that is the O/S I'm running--


Hello, 2 days ago Automatic Updates was turned off when I booted my pc up, I wont go into any details but no matter what you try to fix this problem, upon reboot the Automatic Updates service will be deleted if your computer is infected with rtshost.exe

Okay now I'm posting this here because a Google search for rtshost.exe brings up no useful results, so I thought that maybe this would help people in the future:

Please Note: rtshost.exe will be called "Running Task Manager" or something similar to this in your firewall.




Symptoms

Windows Automatic Updates turned off.
Unable to turn Automatic Updates on in the Windows Security Center.
Able to turn on Automatic Updates in the Automatic Updates window (yet this will make no difference to Automatic Updates.)
The Automatic Updates service has been deleted from the list of services in services.msc

I didn't experience any other problems caused by the virus.




Removal

Here is how I got rid of the virus:




Reinstalling the Automatic Updates service

1. Go to Start>Run then copy and paste this command "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall
132 %SystemRoot%\inf\au.inf " (without quotes).

2. Insert your Windows XP disc into your CD/DVD drive and locate the 'i386' folder on the CD and then locate the file specified.

3. Once the Automatic Updates service is installed you may be prompted to reboot your computer.. DO NOT, you will just be back to square one after you reboot.





Removal of rtshost.exe

1. I went into my firewall (I'm using NOD32 Security Center) and denied all internet access to rtshost.exe

2. I went into Start>Search and search for "rtshost.exe" (without quotes), this brought back 1 file that was in the X:\WINDOWS\Prefetch folder, it will be named "RTSHOST.EXE-<numberstring>.PF (the number string will of course be replaced by a string of numbers.)

3. Upon deletion of this file you'll want to go and download Unlocker from here.

4. You MUST open up Layout.ini and copy all of the contents and open a .txt document and paste it in there and save the document as <anything>.txt (I'm glad I backed up the contents, you'll find out when the virus is gone)

5. Once Unlocker is installed, right-click on Layout.ini and click on 'Unlocker' then delete the file.

6. Go Start>Run and type in "regedit.exe" (without quotes) and when the Registry editor starts up click on File>Find... (Ctrl+F) and search for "rtshost" (without quotes).

I found 3 entries: 1 in HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run and 2 in HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce, I didn't make a note of where the 3rd registry value was but I think it might be in HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices

7. Delete all of the rtshost registry values that the search brings back and then close the Registry Editor.

8. Go into Task Manager (Ctrl+Alt+Delete) and click on the Processes tab, search the list of running processes for "rtshost.exe", if there are 2 processes called rtshost.exe, then end the process using the least Memory Usage first. Once done close Task Manager.

9. Open Start>Run and type "msconfig" (without quotes) and go into the Startup tab, uncheck the checkbox next to "Running Task Manager - rtshost.exe" then click on Apply and OK.
You will probably be prompted to reboot, if you are able to choose not to reboot, then do not reboot.

10. Reboot your computer as you would normally.

Please Note: After you reboot, you'll probably notice (if you're using custom windows themes, that they will not be recognised).

11. Once your computer has started up you will want to open up the .txt document that contains the contents of Layout.ini, once you've opened the .txt document search (Ctrl+F) for "rtshost" (without quotes) and delete the line in which rtshost appears.

12. Save this modified .txt document as "Layout.ini" (make sure you do not add .txt after .ini) in X:\WINDOWS\Prefetch

13. Reboot your computer as you normally would.

14. Once the computer starts you may have to replace X:\WINDOWS\system32\uxtheme.dll again before being able to use custom themes again.


UXTHEME.DLL PATCHER can be found here and will work with almost all Service packed versions on XP.




Please Note: If you replace uxtheme.dll with a patched version for a Service Packed operating system that you are not currently running your computer will be unbootable.



That's it, well that's all I did and now my Automatic Updates is running smoothly.


I hope this helps people out in the future and will at least bring something useful up on a Google Search.


one more thing: rtshost.exe is not to be confused with rdshost.exe, rdshost.exe is a valid windows process.

Have you tried to change your antivirus? Maybe your antivirus was the problem and if you change with one more professional you will get rid of your problem. You can try Kaspersky, I truly recommand it to you. You can find it here: http://www.trustdownload.com/Antivirus-and...curity-7.0.html