Infected with trojan-downloader


#1 frank41

Posted 26 February 2009 - 11:14 AM

I am using Windows XP Pro with SP3. I found the infection using a-squared Free. I scanned the computer with Malwarebytes and SuperAntiSpyware, and they both report no infections. a-squared will not remove trojan-downloader after several attempts at quarantine.

Thank you for all assistance.

#2 quietman7 (Global Moderator)

Posted 26 February 2009 - 11:27 AM

Did a-squared provide a specific file name associated with this malware threat(s) and, if so, where is it located (full file path) on your system?

Each security vendor uses its own naming conventions to identify various types of malware, so it's difficult to determine exactly what has been detected or the nature of the infection without knowing more information about the actual file(s) involved. See Understanding virus names.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 frank41 (Topic Starter)

Posted 26 February 2009 - 11:35 AM

a-squared names it trojan-downloader.17876. The path location is C:\Windows\system32\rpcnetp.exe

Thanks for the help.

#4 quietman7 (Global Moderator)

Posted 26 February 2009 - 12:04 PM

MBAM has a built-in FileAssassin feature for removing stubborn malware files.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file(s) to remove using the drop down box next to "Look in:" at the top.
    • C:\Windows\system32\rpcnetp.exe <- this file
  • When you find the file(s), click "Open".
  • You will be prompted with a warning message: "This file will be permanently deleted. Are you sure you want to continue?" Click Yes.
  • Repeat the above steps to find and remove: C:\Windows\system32\rpcnetp.dll <- this file
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to serious problems with your operating system.

-- If the file(s) return, then you probably have other malware on your system which is protecting or regenerating them.

#5 frank41 (Topic Starter)

Posted 26 February 2009 - 12:24 PM

I did a Google search for system32\rpcnetp.exe, and that file is associated with LoJack for Laptops, which I have on my laptop. The article is here:

http://www.file.net/process/rpcnetp.exe.html

I installed HijackThis and ran a scan only, and it reports this about rpcnetp.exe:

The service O23 is from Absolute Software Corporation.

#6 quietman7 (Global Moderator)

Posted 26 February 2009 - 12:35 PM

Seems to be some conflicting info out there -> rpcnetp.exe, rpcnetp.dll

Any time you come across a suspicious file about which you cannot find any information, a file that has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.
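An added triage helper, not code from this thread or from any tool it names, that collects what quietman7 asks for before a second-opinion submission: every copy of the named file under the Windows directory, whether it sits in its expected folder, its SHA256 hash, its Authenticode signer, and any service whose binary path references it (the HijackThis O23 entry). It assumes PowerShell 5.1 or later, so it will not run on the XP machine in this thread, and the function name Get-SuspectFileReport is my own.

```powershell
# Added triage helper (not from the thread). Gathers the facts a helper needs
# about a suspicious file before you submit it for a second opinion.
# Assumes PowerShell 5.1+ and runs with no network access.
function Get-SuspectFileReport {
    param(
        [Parameter(Mandatory)] [string] $Name,                      # e.g. rpcnetp.exe
        [string[]] $ExpectedDirs = @("$env:SystemRoot\System32")    # where a legitimate copy belongs
    )
    # Search the whole Windows directory so copies in unexpected places are found too.
    $hits = Get-ChildItem -Path $env:SystemRoot -Filter $Name -File -Recurse -Force `
                          -ErrorAction SilentlyContinue
    if (-not $hits) { Write-Output "No file named $Name found under $env:SystemRoot"; return }

    foreach ($f in $hits) {
        # Comparison is case-insensitive, as Windows paths are.
        $inExpected = $ExpectedDirs -contains $f.DirectoryName
        $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        # Services whose binary path references this file.
        $svcs = Get-CimInstance Win32_Service |
                Where-Object { $_.PathName -and $_.PathName -like "*$($f.Name)*" } |
                Select-Object Name, State, StartMode, PathName
        [pscustomobject]@{
            Path            = $f.FullName
            InExpectedDir   = $inExpected
            SizeBytes       = $f.Length
            LastWriteUtc    = $f.LastWriteTimeUtc
            SHA256          = $hash
            SignatureStatus = $sig.Status        # Valid / NotSigned / HashMismatch ...
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Services        = ($svcs | ForEach-Object { "$($_.Name) [$($_.State)] $($_.PathName)" }) -join '; '
        }
    }
}

# Report on the files discussed in this thread; paste the output into your post,
# or look up the SHA256 in a multi-engine scanner's existing reports.
Get-SuspectFileReport -Name 'rpcnetp.exe' | Format-List
Get-SuspectFileReport -Name 'rpcnetp.dll' | Format-List
```

A copy outside its expected directory, an unsigned or hash-mismatched signature, or an unexpected service pointing at it are the findings worth mentioning when you post back or report a suspected false positive to the vendor.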

#7 frank41 (Topic Starter)

Posted 26 February 2009 - 12:46 PM

Jotti reports:

  • A-Squared: Found Trojan-Downloader.17876!IK
  • Ikarus: Found Trojan-Downloader.17876

All others report nothing.

#8 quietman7 (Global Moderator)

Posted 26 February 2009 - 01:08 PM

After some more research, it appears the file may be pre-installed on laptops from a number of manufacturers, such as Gateway. I'm inclined to believe you are dealing with a false positive. Report your findings to a-squared Support so they can investigate further.

Edited by quietman7, 26 February 2009 - 01:09 PM.


#9 frank41 (Topic Starter)

Posted 26 February 2009 - 01:12 PM

Thank you very much for your time and your rapid response to my request. I would also like to thank you for donating your time to help others.

#10 quietman7 (Global Moderator)

Posted 26 February 2009 - 01:18 PM

You're quite welcome.

Please post back here and let us know what they have to say.

#11 frank41 (Topic Starter)

Posted 27 February 2009 - 12:35 PM

This is the reply from A-Squared support.

> Hi mainer,
>
> Welcome to the forum.
>
> Well, that can be a False Positive... or we should never forget that any file can be poisoned by a 3rd party or downloaded from the wrong place, etc.
>
> "trojan-downloader.17876" - that is most likely not a precise detection name.
> You typed it... there could be mistake(s) in the file name too.
> That's why it is recommended to save the report and copy/paste it (or an extract) here.
> The location of the files / precise names of files and/or Registry Entries, processes, etc. are required. The same applies to the detection names.
>
> In order to investigate the matter if you are not sure, first it is better to submit items detected to EMSI ("Submit as false alert") from the detection list before quarantining.
> But there are methods of rechecking ("Re-Scan") after you placed something into jail.
> Please read the following link. In the reply from Thursday, 25 December under "submitting and or auto-rescanning" there are helpful references about different ways to do that.
> I hope you will learn how to investigate, submit detected items, set the Re-Scan option, etc. e.g.: "How should I treat the malware I found?"
> http://forum.emsisoft.com/Default.aspx?g=posts&t=4220
>
> I checked the link you posted, but in the future please don't post links to the files/software in question unless you were asked to do so.
>
> First, that doesn't add a lot. Nobody will download / install the software at the same time if that is an infectious site that can be harmful to other users.
>
> Only analysis of the code of that particular file present on your computer can give an answer. And that can be done only by EMSI developers.
>
> My regards

h**p://forum.emsisoft.com/Default.aspx?g=posts&t=4570
