
rpcnetp.exe, rpcnetp.dll Spyware Issue? [Closed]


  • This topic is locked

#16
Aztec077

  • Topic Starter
  • Member
  • 38 posts
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 16, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 16, 2009 05:44:34
Records in database: 1629516
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 206678
Threat name: 1
Infected objects: 0
Suspicious objects: 7
Duration of the scan: 01:06:19


File name / Threat name / Threats count
C:\CDROMBB\BACKUP\CM.001 Suspicious: Type_Win32 1
C:\CDROMBB\BACKUP\CM.002 Suspicious: Type_Win32 1
C:\CDROMBB\BACKUP\CM.003 Suspicious: Type_Win32 1
C:\CDROMBB\BACKUP\CM.004 Suspicious: Type_Win32 1
C:\CDROMBB\BACKUP\CM.exe Suspicious: Type_Win32 1
C:\CDROMBB\CM.exe Suspicious: Type_Win32 1
C:\CDROMBB\Patch_13.01c.EXE Suspicious: Type_Win32 1

The selected area was scanned.


#17
Aztec077

  • Topic Starter
  • Member
  • 38 posts
Sorry it took 2 posts, I fell asleep while Kaspersky Scanner was running. lol. :) :) :)

#18
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aztec077,

> Sorry it took 2 posts, I fell asleep while Kaspersky Scanner was running.

No problem :)




  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Files
    C:\CDROMBB\BACKUP\CM.001
    C:\CDROMBB\BACKUP\CM.002
    C:\CDROMBB\BACKUP\CM.003
    C:\CDROMBB\BACKUP\CM.004
    C:\CDROMBB\BACKUP\CM.exe
    C:\CDROMBB\CM.exe
    C:\CDROMBB\Patch_13.01c.EXE
    
    :Commands
    [purity]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

#19
Aztec077

  • Topic Starter
  • Member
  • 38 posts
Here we are. Oh, incidentally, all those files are from a program I like and use often, can I reinstall that stuff with the source CD when we are finished? I hope so. Can other people get into those files and corrupt them, or are they inherently corrupt? This would be nice to know if you know...


========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\CDROMBB\BACKUP\CM.001 moved successfully.
C:\CDROMBB\BACKUP\CM.002 moved successfully.
C:\CDROMBB\BACKUP\CM.003 moved successfully.
C:\CDROMBB\BACKUP\CM.004 moved successfully.
C:\CDROMBB\BACKUP\CM.exe moved successfully.
C:\CDROMBB\CM.exe moved successfully.
C:\CDROMBB\Patch_13.01c.EXE moved successfully.
========== COMMANDS ==========
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01172009_000154

#20
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aztec077,

> can I reinstall that stuff with the source CD when we are finished?

Yes.

> Can other people get into those files and corrupt them, or are they inherently corrupt? This would be nice to know if you know...

If it is a program you know and trust, then it looks like it was just infected. Reinstalling it should be fine. :)



How is your computer running now?

#21
Aztec077

  • Topic Starter
  • Member
  • 38 posts
Better, but I still get the rpcnetp.exe and rpcnetp.dll errors, which Comodo Firewall detects and quarantines right away, but is there any way to get rid of it completely or not? It says TrojWare.Win32.TrojanDownloader.Small.AAC@285458

But, it does run a bit better, though, yes.

#22
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aztec077,

> but I still get the rpcnetp.exe and rpcnetp.dll errors, which Comodo Firewall detects and quarantines right away

Could you please tell me where Comodo is finding them at?

#23
Aztec077

  • Topic Starter
  • Member
  • 38 posts
Ok, it's in C:\Windows\System32 as individual files, I think. They may be necessary to run Computrace/Lojack, that's the way it seems to me, so, maybe I won't worry about it. I dunno, what do you think?? lol, just curious? :)

#24
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aztec077,

Let's go ahead and see what those files are. :)




  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\Windows\System32\rpcnetp.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


And please do the same for this file.

C:\Windows\System32\rpcnetp.dll

#25
Aztec077

  • Topic Starter
  • Member
  • 38 posts
VirSCAN.org Scanned Report :
Scanned time : 2008/12/20 02:25:01 (EST)
Scanner results: 21% Scanner(8/39) found malware!
File Name : rpcnetp.exe
File Size : 17408 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 896f1dd6b538c3282d70e5ec079c394f
SHA1 : cbef6aaf4da5a0617ed807c26efa6bf58f93b691
Online report : http://virscan.org/r...d13f48c378.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.28 20081219013143 2008-12-19 3.33 BehavesLikeWin32.ExplorerHijack!IK
AhnLab V3 2008.12.20.00 2008.12.20 2008-12-20 1.00 Win-AppCare/Malware.17408
AntiVir 7.9.0.45 7.1.1.14 2008-12-19 1.65 -
Antiy 2.0.18 20081220.1879959 2008-12-20 0.12 -
Arcavir 1.0.5 200812131407 2008-12-13 1.23 -
Authentium 5.1.1 200812192224 2008-12-19 1.07 W32/Heuristic-400!Eldorado (Heuristic)
AVAST! 3.0.1 081219-0 2008-12-19 0.00 -
AVG 7.5.52.442 270.9.19/1857 2008-12-19 1.78 -
BitDefender 7.81008.2367409 7.22649 2008-12-20 2.17 -
CA (VET) 9.0.0.143 31.6.6269 2008-12-19 5.94 -
ClamAV 0.94.1 8786 2008-12-19 0.01 -
Comodo 3.0 781 2008-12-19 1.32 TrojWare.Win32.TrojanDownloader.Small.AAC
CP Secure 1.1.0.715 2008.12.20 2008-12-20 6.15 -
Dr.Web 4.44.0.9170 2008.12.19 2008-12-19 3.72 -
ewido 4.0.0.2 2008.12.19 2008-12-19 3.97 -
F-Prot 4.4.4.56 20081219 2008-12-19 1.07 Possible W32/Heuristic-400!Eldorado (not disinfectable)
F-Secure 5.51.6100 2008.12.20.01 2008-12-20 3.94 -
Fortinet 2.81-3.117 9.831 2008-12-19 0.30 W32/Agent.SW!tr
GData 19.1994/19.151 20081220 2008-12-20 4.21 -
ViRobot 20081219 2008.12.19 2008-12-19 1.57 -
Ikarus T3.1.01.45 2008.12.20.72035 2008-12-20 3.70 BehavesLikeWin32.ExplorerHijack
JiangMin 11.0.706 11.0.706.. 11.0.706-- 1.56 -
Kaspersky 5.5.10 2008.12.20 2008-12-20 0.04 -
KingSoft 2008.9.8.18 2008.12.19.17 2008-12-19 0.58 -
McAfee 5.3.00 5469 2008-12-19 2.66 -
Microsoft 1.4205 2008.12.20 2008-12-20 7.39 -
mks_vir 2.01 2008.12.19 2008-12-19 2.68 -
Norman 5.93.01 5.93.00 2008-12-18 5.76 -
Panda 9.05.01 2008.12.19 2008-12-19 2.48 -
Trend Micro 8.700-1004 5.724.03 2008-12-19 0.02 -
Quick Heal 10.00 2008.12.20 2008-12-20 0.89 -
Rising 20.0 21.08.51.00 2008-12-20 0.92 -
Sophos 2.82.1 4.37 2008-12-20 1.90 -
Sunbelt 4754 4754 2008-12-10 0.44 -
Symantec 1.3.0.24 20081219.005 2008-12-19 0.05 -
nProtect 20081215.03 2773539 2008-12-15 3.28 Trojan-Spy/W32.Small.17408
The Hacker 6.3.1.2 v00193 2008-12-19 0.48 -
VBA32 3.12.8.10 20081219.2214 2008-12-19 1.50 -
VirusBuster 4.5.11.10 10.98.3/730823 2008-12-19 0.96 -


#26
Aztec077

  • Topic Starter
  • Member
  • 38 posts
VirSCAN.org Scanned Report :
Scanned time : 2008/12/20 02:31:36 (EST)
Scanner results: 23% Scanner(9/39) found malware!
File Name : rpcnetp.dll
File Size : 17408 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 7924abb9f0943121061a694edd9648a7
SHA1 : 937827fedf45182f8ccd60e0a5c69247ea7d007e
Online report : http://virscan.org/r...dd2fba772b.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.28 20081219013143 2008-12-19 8.54 Trojan-Downloader.17876!IK
AhnLab V3 2008.12.20.00 2008.12.20 2008-12-20 1.14 Win-AppCare/Malware.17408
AntiVir 7.9.0.45 7.1.1.14 2008-12-19 1.69 -
Antiy 2.0.18 20081220.1879959 2008-12-20 0.12 -
Arcavir 1.0.5 200812131407 2008-12-13 1.23 -
Authentium 5.1.1 200812192224 2008-12-19 1.11 W32/Heuristic-400!Eldorado (Heuristic)
AVAST! 3.0.1 081219-0 2008-12-19 0.00 -
AVG 7.5.52.442 270.9.19/1857 2008-12-19 1.80 -
BitDefender 7.81008.2367409 7.22649 2008-12-20 2.18 -
CA (VET) 9.0.0.143 31.6.6269 2008-12-19 22.08 -
ClamAV 0.94.1 8786 2008-12-19 0.01 -
Comodo 3.0 781 2008-12-19 0.96 TrojWare.Win32.TrojanDownloader.Small.AAC
CP Secure 1.1.0.715 2008.12.20 2008-12-20 6.14 -
Dr.Web 4.44.0.9170 2008.12.19 2008-12-19 3.72 -
ewido 4.0.0.2 2008.12.19 2008-12-19 5.10 -
F-Prot 4.4.4.56 20081219 2008-12-19 1.07 Possible W32/Heuristic-400!Eldorado (not disinfectable)
F-Secure 5.51.6100 2008.12.20.01 2008-12-20 3.95 -
Fortinet 2.81-3.117 9.831 2008-12-19 0.37 W32/Agent.SW!tr
GData 19.1994/19.151 20081220 2008-12-20 9.18 -
ViRobot 20081219 2008.12.19 2008-12-19 2.07 -
Ikarus T3.1.01.45 2008.12.20.72035 2008-12-20 3.70 Trojan-Downloader.17876
JiangMin 11.0.706 11.0.706.. 11.0.706-- 3.69 -
Kaspersky 5.5.10 2008.12.20 2008-12-20 0.04 -
KingSoft 2008.9.8.18 2008.12.19.17 2008-12-19 1.88 -
McAfee 5.3.00 5469 2008-12-19 2.64 -
Microsoft 1.4205 2008.12.20 2008-12-20 4.79 -
mks_vir 2.01 2008.12.19 2008-12-19 2.57 Trojan.DownLoader.179
Norman 5.93.01 5.93.00 2008-12-18 5.72 -
Panda 9.05.01 2008.12.19 2008-12-19 6.89 -
Trend Micro 8.700-1004 5.724.03 2008-12-19 0.02 -
Quick Heal 10.00 2008.12.20 2008-12-20 0.85 -
Rising 20.0 21.08.51.00 2008-12-20 0.86 -
Sophos 2.82.1 4.37 2008-12-20 1.89 -
Sunbelt 4754 4754 2008-12-10 3.84 -
Symantec 1.3.0.24 20081219.005 2008-12-19 0.15 -
nProtect 20081215.03 2773539 2008-12-15 6.16 Trojan-Spy/W32.Small.17408
The Hacker 6.3.1.2 v00193 2008-12-19 0.50 -
VBA32 3.12.8.10 20081219.2214 2008-12-19 1.50 -
VirusBuster 4.5.11.10 10.98.3/730823 2008-12-19 0.95 -

#27
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aztec077,

Let's go ahead and try to remove those files. :)




  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Files
    C:\Windows\System32\rpcnetp.exe
    C:\Windows\System32\rpcnetp.dll
    
    :Commands
    [purity]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

#28
Aztec077

  • Topic Starter
  • Member
  • 38 posts
Process explorer.exe killed successfully.
========== FILES ==========
C:\Windows\System32\rpcnetp.exe moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\rpcnetp.dll
C:\Windows\System32\rpcnetp.dll NOT unregistered.
C:\Windows\System32\rpcnetp.dll moved successfully.
========== COMMANDS ==========
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01192009_220137

#29
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aztec077,

Is Comodo still picking those files up?

#30
Aztec077

  • Topic Starter
  • Member
  • 38 posts
I uninstalled Comodo and installed Sunbelt Firewall because I thought Comodo was making false positives with those rpcnetp.exe and rpcnetp.dll files, but, I'm not sure.