Topic: Got a Trojan that won't go away :( (Page 1 of 1)

About 3 months ago, our company switched our PDC to our home office. When this took place, they have a script that runs that uninstalled AVG and installed Trend Microsystems.

It wasn't 2 weeks or so after that, I got a virus. Not sure where it came from since I don't download anything on this computer (they watch us like a hawk anyway). But, it did happen. I've tried everything I can think of and then some. The virus comes in as rpcc.exe and every scan comes in as "C:\Windows\system32\rpcc.exe"

There's no reference to it in the registry.
I re-installed AVG and it picks it up, moves it to the vault, removes it from the vault, but comes back.
Spybot does not find it
Ad-Aware does not find it.
Trend Microsystem finds it, but says that it can't do anything with it.
There's no process called RPCC.exe running

Any other suggestions?

Thanks in advance!

Later,

C:\

Download the free trial of "Prevx1" it will get rid of it... I had it a while back and like you I'm not sure where it came from. I downloaded prevX1 and it found it and killed it dead.... I have since bought prevx1 ($20 a year) and its all I use on my wifes computer. Her computer hasn't had a problem in months and thats saying something since I use to have to clean her computer about every 2 weeks.


A little info on the virus...
http://virusinfo.prevx.com/pxparall.asp?PX5=02acb81b0022f8b5746c00c15886950089850a5c


Flashy signature here...

(Edited by loj58 on 09-06-2006 01:46)

Or, if you are an admin, try my home remedy:

Remove all permissions on virus file in question ( ie. Deny all access for everyone, even the owner).
Reboot. Now Windows can't load the virus from that file.
Remove file.
Scan a new.

So long,

->Tyberius Prime

Thanks for the replies.

One big problem is, is that AVG will actually move it to the Virus Vault. However, the next day, it's been moved again. Like it just keeps coming back.

I'll remove AVG from the picture temporarilly and see if I can remove it with either loj58's suggestion or TP's

Later,

C:\

It's not a case of it being moved back. That file isn't the originating script. The virus is running, originally, from a different file, and it's regenerating that file each time it's not where it is expected to be. There's some registry locations you can check to try and find the original file.

HKLM/Software/Microsoft/Windows/CurrentVersion/Run
HKLM/Software/Microsoft/Windows/CurrentVersion/RunOnce
HKLM/Software/Microsoft/Windows/CurrentVersion/Winlogon

And I've just completely spaced on what the rest are, but if you can get copies of the keys contained in there, they may point to what the original file is.


Justice 4 Pat Richard

I had a few nasties recently and it took a few programs to get rid of them.


You really should try these out: ( i have no affiliation with any of them, some of them are free/trials etc)

1. Webroot spysweeper seems to detect trojans specifically when nothing else will - you can use the free scan at least

2. There is a great tool called Haxfix which is a must to get rid of some trojans, run it to check if you have them and it will fix them if you do

3. There is a free scanner called ewido, i found this picks up some extra stuff and trojans - however it was unable to get rid of some trojans which is why i needed haxfix.

4. Fixwareout is another one i needed.

5. Panda activescan the online virus checker (you can use most of it free) often picks and cleans stuff others dont.

6. There is a tool called Security Task Manager which lets you view hidden processes etc, this helped me track down the culprit. Free to use 30 days or something.


I used all of those to clean my pc and its all fixed, no need to reinstall anything or anything. Give them a go, ill check back if you need extra help but google was enough for me.


p.s i was already using adaware, spybot, panda activescan, kerio, vet antivirus and a number of others which didnt detect these.

well, there's nothing in the registry.

I ran Haxfix, ewido and Security Task Manager. Ewido found some data miners but that was about it. I'll give the others a go on Friday. Not sure what the hell is going on. Freaky. Never had a virus before, espically one like this.

Thanks for the help.

Later,

C:\

The webroot one i found the best for picking up trojans, its free to check and then you can find out how to remove it at least. Its active protection is quite good too, already had it block a few trojan attempts.

I had a virus of somesort on a laptop a while back, it reproduced itself etc.. when it was closed or on shutdown as opposed to the usual on startup. Not sure if its relevant, but I needed to switch my pc off, not shutdown to stop it spreading itself once I used Ad-Aware on it. This isnt so easy on a laptop as it calls shut down when you hold down the power button a lot of the time, so I did it while running this batch file I made which basically loops the shutdown about command, the @ signs aren't very necessary:

@shutdown -a
@call thisfilesname.bat

Try not to do it while the hard drive is active and only if you feel you need to.

This was on shoutwire today:

'The War on Spyware'
http://www.shoutwire.com/comments/28154/Lakoyee_Pattisca_Ichibang

It might be of use to you.