removing trojans

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have a trojan on my laptop that only ewido seems to be able to locate. I'm
not comfortable running around the registry keys deleting files, so can
someone tell me how to go about removing this little beast? I know which
files it is infecting, I just don't know how to get rid of it without
crashing my computer. Thanks!
 
From: "BlooferLady" <[email protected]>

| I have a trojan on my laptop that only ewido seems to be able to locate. I'm
| not comfortable running around the registry keys deleting files, so can
| someone tell me how to go about removing this little beast? I know which
| files it is infecting, I just don't know how to get rid of it without
| crashing my computer. Thanks!

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
No Dice. I tried multiple scanners in both safe and normal mode, and they
didn't find anything. As I said, ewido.net seems to be the only scanner that
can find this trojan. It keeps infecting the file C:\WINDOWS\system32\rpcnet.
It's name is trojan.dialer.nv. Any additional help would be lovely.
 
From: "BlooferLady" <[email protected]>

| No Dice. I tried multiple scanners in both safe and normal mode, and they
| didn't find anything. As I said, ewido.net seems to be the only scanner that
| can find this trojan. It keeps infecting the file C:\WINDOWS\system32\rpcnet.
| It's name is trojan.dialer.nv. Any additional help would be lovely.

It this the full name ?
C:\WINDOWS\system32\rpcnet

not C:\WINDOWS\system32\rpcnet.dll

or

C:\WINDOWS\system32\rpcnet.exe ?
 
David H. Lipman said:
From: "BlooferLady" <[email protected]>

| No Dice. I tried multiple scanners in both safe and normal mode, and they
| didn't find anything. As I said, ewido.net seems to be the only scanner that
| can find this trojan. It keeps infecting the file C:\WINDOWS\system32\rpcnet.
| It's name is trojan.dialer.nv. Any additional help would be lovely.

It this the full name ?
C:\WINDOWS\system32\rpcnet

not C:\WINDOWS\system32\rpcnet.dll

or

C:\WINDOWS\system32\rpcnet.exe ?


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


It's C:\WINDOWS\system32\rpcnet.exe. I'd be willing to deal with the registry editor and all that if I could at least find the file on there.
Click to expand...
 
Please submit a sample of "rpcnet.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
BTW: Is this a notebook PC ?
Maybe a loaner or one provided by an educational institution ?
 
OK, here's what the search came up with. Ewido also detects the Rpcnet.dll
file, so here's the scan of that.

Antivirus Version Update Result
AntiVir 6.33.0.77 01.14.2006 TR/Dialer.NV
Avast 4.6.695.0 01.14.2006 no virus found
AVG 718 01.14.2006 no virus found
Avira 6.33.0.77 01.14.2006 TR/Dialer.NV
BitDefender 7.2 01.14.2006 BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal 8.00 01.14.2006 no virus found
ClamAV devel-20051123 01.14.2006 no virus found
DrWeb 4.33 01.14.2006 Dialer.CabeDialer
eTrust-Iris 7.1.194.0 01.14.2006 no virus found
eTrust-Vet 12.4.1.0 01.13.2006 no virus found
Ewido 3.5 01.14.2006 Trojan.Dialer.nv
Fortinet 2.54.0.0 01.14.2006 no virus found
F-Prot 3.16c 01.13.2006 no virus found
Ikarus 0.2.59.0 01.13.2006 Dialer
Kaspersky 4.0.2.24 01.14.2006 no virus found
McAfee 4674 01.13.2006 no virus found
NOD32v2 1.1365 01.14.2006 no virus found
Norman 5.70.10 01.13.2006 W32/Dialer.GKE
Panda 9.0.0.4 01.14.2006 no virus found
Sophos 4.01.0 01.14.2006 no virus found
Symantec 8.0 01.14.2006 no virus found
TheHacker 5.9.2.074 01.14.2006 no virus found
UNA 1.83 01.13.2006 no virus found
VBA32 3.10.5 01.13.2006 Trojan.Win32.Dialer.nv

Not that I know what to do from here...
 
and here's the rpcnet.exe scan,

Antivirus Version Update Result
AntiVir 6.33.0.77 01.14.2006 TR/Dialer.NV
Avast 4.6.695.0 01.14.2006 no virus found
AVG 718 01.14.2006 no virus found
Avira 6.33.0.77 01.14.2006 TR/Dialer.NV
BitDefender 7.2 01.14.2006 BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal 8.00 01.14.2006 no virus found
ClamAV devel-20051123 01.14.2006 no virus found
DrWeb 4.33 01.14.2006 Dialer.CabeDialer
eTrust-Iris 7.1.194.0 01.14.2006 no virus found
eTrust-Vet 12.4.1.0 01.13.2006 no virus found
Ewido 3.5 01.14.2006 Trojan.Dialer.nv
Fortinet 2.54.0.0 01.14.2006 no virus found
F-Prot 3.16c 01.13.2006 no virus found
Ikarus 0.2.59.0 01.13.2006 Dialer
Kaspersky 4.0.2.24 01.14.2006 no virus found
McAfee 4674 01.13.2006 no virus found
NOD32v2 1.1365 01.14.2006 no virus found
Norman 5.70.10 01.13.2006 no virus found
Panda 9.0.0.4 01.14.2006 no virus found
Sophos 4.01.0 01.14.2006 no virus found
Symantec 8.0 01.14.2006 no virus found
TheHacker 5.9.2.074 01.14.2006 no virus found
UNA 1.83 01.13.2006 no virus found
VBA32 3.10.5 01.13.2006 Trojan.Win32.Dialer.nv
 
From: "BlooferLady" <[email protected]>

| and here's the rpcnet.exe scan,
|
| Antivirus Version Update Result
| AntiVir 6.33.0.77 01.14.2006 TR/Dialer.NV
| Avast 4.6.695.0 01.14.2006 no virus found
| AVG 718 01.14.2006 no virus found
| Avira 6.33.0.77 01.14.2006 TR/Dialer.NV
| BitDefender 7.2 01.14.2006 BehavesLike:Win32.ExplorerHijack
| CAT-QuickHeal 8.00 01.14.2006 no virus found
| ClamAV devel-20051123 01.14.2006 no virus found
| DrWeb 4.33 01.14.2006 Dialer.CabeDialer
| eTrust-Iris 7.1.194.0 01.14.2006 no virus found
| eTrust-Vet 12.4.1.0 01.13.2006 no virus found
| Ewido 3.5 01.14.2006 Trojan.Dialer.nv
| Fortinet 2.54.0.0 01.14.2006 no virus found
| F-Prot 3.16c 01.13.2006 no virus found
| Ikarus 0.2.59.0 01.13.2006 Dialer
| Kaspersky 4.0.2.24 01.14.2006 no virus found
| McAfee 4674 01.13.2006 no virus found
| NOD32v2 1.1365 01.14.2006 no virus found
| Norman 5.70.10 01.13.2006 no virus found
| Panda 9.0.0.4 01.14.2006 no virus found
| Sophos 4.01.0 01.14.2006 no virus found
| Symantec 8.0 01.14.2006 no virus found
| TheHacker 5.9.2.074 01.14.2006 no virus found
| UNA 1.83 01.13.2006 no virus found
| VBA32 3.10.5 01.13.2006 Trojan.Win32.Dialer.nv

Download Pocket KillBox
http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Extract KillBox.exe from KillBox.zip

Execute; KillBox.exe

Click on Tools --> Select; Delete Temp Files.

Choose; OK

In the Full Path of File to Delete box, type the entire following line exactly

C:\WINDOWS\system32\rpcnet.exe

Select; Replace on Reboot
put a check in the box "Use Dummy"
Click The Red circle and a white X
When prompted to Replace on Reboot, click YES
If prompted to Reboot Now, Click NO


In the Full Path of File to Delete box, type the entire following line exactly

C:\WINDOWS\system32\rpcnet.dll

Select; Replace on Reboot
put a check in the box "Use Dummy"
Click The Red circle and a white X
When prompted to Replace on Reboot, click YES
If prompted to Reboot Now, Click YES

Allow the PC to shutdown and then reboot into Safe Mode.

Run the Ewido scanner again.
 
OK, here's the new ewido scan report...

__________________________________________________
ewido security suite online scanner
http://www.ewido.net
__________________________________________________


Name: Trojan.Dialer.nv
Path: C:\!KillBox\rpcnet.exe
Risk: High

Name: Spyware.Cookie.2o7
Path: :mozilla.10:C:\Documents and Settings\Marcelle Martin\Application
Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Questionmarket
Path: :mozilla.18:C:\Documents and Settings\Marcelle Martin\Application
Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Com
Path: :mozilla.32:C:\Documents and Settings\Marcelle Martin\Application
Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Com
Path: :mozilla.33:C:\Documents and Settings\Marcelle Martin\Application
Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Atdmt
Path: :mozilla.45:C:\Documents and Settings\Marcelle Martin\Application
Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
Risk: Medium

Name: Trojan.Dialer.nv
Path: C:\WINDOWS\system32\rpcnet.dll
Risk: High


should I do the same thing again for the trojan that's still popping up in
C:\WINDOWS\system32?
 
From: "BlooferLady" <[email protected]>

| OK, here's the new ewido scan report...

|
| should I do the same thing again for the trojan that's still popping up in
| C:\WINDOWS\system32?

Yes.
 
OK, it took a few tries, but I finally got it to stop popping up in
System32, here's the ewido scan report, what now?

__________________________________________________
ewido security suite online scanner
http://www.ewido.net
__________________________________________________


Name: Trojan.Dialer.nv
Path: C:\!KillBox\rpcnet.dll
Risk: High

Name: Trojan.Dialer.nv
Path: C:\!KillBox\rpcnet.exe
Risk: High

Name: Spyware.Cookie.2o7
Path: :mozilla.14:C:\Documents and Settings\Marcelle Martin\Application
Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Com
Path: :mozilla.15:C:\Documents and Settings\Marcelle Martin\Application
Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Com
Path: :mozilla.16:C:\Documents and Settings\Marcelle Martin\Application
Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Questionmarket
Path: :mozilla.31:C:\Documents and Settings\Marcelle Martin\Application
Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Atdmt
Path: :mozilla.45:C:\Documents and Settings\Marcelle Martin\Application
Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
Risk: Medium


Also, if you could explain what that killbox program actually did, it would
be much appreciated.
 
From: "BlooferLady" <[email protected]>

| OK, it took a few tries, but I finally got it to stop popping up in
| System32, here's the ewido scan report, what now?
|
| __________________________________________________
| ewido security suite online scanner
| http://www.ewido.net
| __________________________________________________
|
| Name: Trojan.Dialer.nv
| Path: C:\!KillBox\rpcnet.dll
| Risk: High
|
| Name: Trojan.Dialer.nv
| Path: C:\!KillBox\rpcnet.exe
| Risk: High
|
| Name: Spyware.Cookie.2o7
| Path: :mozilla.14:C:\Documents and Settings\Marcelle Martin\Application
| Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
| Risk: Medium
|
| Name: Spyware.Cookie.Com
| Path: :mozilla.15:C:\Documents and Settings\Marcelle Martin\Application
| Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
| Risk: Medium
|
| Name: Spyware.Cookie.Com
| Path: :mozilla.16:C:\Documents and Settings\Marcelle Martin\Application
| Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
| Risk: Medium
|
| Name: Spyware.Cookie.Questionmarket
| Path: :mozilla.31:C:\Documents and Settings\Marcelle Martin\Application
| Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
| Risk: Medium
|
| Name: Spyware.Cookie.Atdmt
| Path: :mozilla.45:C:\Documents and Settings\Marcelle Martin\Application
| Data\Mozilla\Firefox\Profiles\5fw598yb.default\cookies.txt
| Risk: Medium
|
| Also, if you could explain what that killbox program actually did, it would
| be much appreciated.

Delete the folder; C:\!KillBox then dump the Recycle Bin.

Pocket KillBox allows a file to be deleted at a point very early in the boot process usually
before the file may be used. It is also good for replacing a file with a different version.
Hopefully replacing the file prior to its use.

I am glad you finally have this settled.
 
Curses, the trojan has re-appeared in system32. If you could perhaps tell me
how to do this through the registry editor, maybe a different strategy would
help. You've been very helpful so far, thanks!
 
Curses, the trojan has re-appeared in system32. If you could perhaps tell me
how to do this through the registry editor, maybe a different strategy would
help. You've been very helpful so far, thanks!
Click to expand...

Always remember - only download files from Trusted Sites.

The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
order that I would use them myself:

Dave Lipman's tools:
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Secured2K's AntiPauper (download link/info at)
http://forums.mcafeehelp.com/viewtopic.php?t=65072
 
From: "BlooferLady" <[email protected]>

| Curses, the trojan has re-appeared in system32. If you could perhaps tell me
| how to do this through the registry editor, maybe a different strategy would
| help. You've been very helpful so far, thanks!

Please email me a copy of both; "rpcnet.exe" and "rpcnet.dll" ASAP !

Just remove ~nospam~ form ...
[email protected]
[email protected]

After you email me the files then please go through this process again !

Execute; KillBox.exe

In the Full Path of File to Delete box, type the entire following line exactly

C:\WINDOWS\system32\rpcnet.exe

Select; Replace on Reboot
put a check in the box "Use Dummy"
Click The Red circle and a white X
When prompted to Replace on Reboot, click YES
If prompted to Reboot Now, Click NO

In the Full Path of File to Delete box, type the entire following line exactly

C:\WINDOWS\system32\rpcnet.dll

Select; Replace on Reboot
put a check in the box "Use Dummy"
Click The Red circle and a white X
When prompted to Replace on Reboot, click YES
If prompted to Reboot Now, Click YES

Allow the PC to shutdown and then reboot into Safe Mode.

Run the Ewido scanner again.
 
rpcnet.exe, rpcnetp.exe problem

I have the same problem, every time I reboot RPCNETP.EXE reappears. I have also used Killbox,regseeker,Fillassassin and my antivirus is BitDefenderv10 which also picks it up. It has been deleted many times and is still there until I end process in Task Manager. Any help would really be appreciated.

Thanks, Tag :)
 
Back
Top