Rpcnetp.exe Norton Internet Security stopped this


According to NIS rpcnetp.exe is a known Trojan?

Fortunately NIS stopped this trojan from infiltrating my computer.

Is it a known bug and has NIS done the right thing stopping it from gaining access to my computer? 

There are still 3 files, rpcnet.dll, rpcnet.exe and rpcnetp.dll, left behind, and two of them, rpcnet.exe and rpcnet.dll, have the company name Absolute Software Corp come up in the little popup beside the files left in C:\Windows\System32.

Does this mean I am still infected, and what should I do about those two files?

Hello Robert,

 

In most cases, to completely remove a threat, you should disable System Restore, run LiveUpdate, perform a Full System Scan and delete any detected files. If the Full System Scan cannot remove the infected files, you should run the scan in Safe Mode. Finally, you should check the Windows Registry's Run sections if you receive errors for missing files at Windows startup. To run Registry Editor, click the Start menu button, choose Run, type regedit and press Enter. Go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

then look at the following keys in the left pane: Run, RunOnce, RunOnceEx. See if there are references to the infected files in the right pane so you can delete them, if you are sure that the existing values refer to the infected files.

Norton SystemWorks's WinDoctor should be able to find such invalid entries in your registry so use it if you have NSW installed.
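
The Run-key check described in the post above, as an added read-only example that is not part of the original post or of any Norton tool: it lists every startup entry under both hives, whether the file it points to still exists, and that file's company name. `$Suspect` and `Get-CommandTarget` are hypothetical names; the default file names are the ones reported in this thread.

```powershell
# Added example: read-only audit of the Run, RunOnce and RunOnceEx keys.
# $Suspect is a hypothetical parameter; its defaults are the file names from this thread.
param([string[]]$Suspect = @('rpcnet.exe', 'rpcnetp.exe', 'rpcnet.dll', 'rpcnetp.dll'))

$roots = 'HKLM:\Software\Microsoft\Windows\CurrentVersion',
         'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$keys  = 'Run', 'RunOnce', 'RunOnceEx'

function Get-CommandTarget([string]$Command) {
    # Extract the program path from a startup command line (hypothetical helper).
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { $t = $Matches[1] }
    elseif ($c -match '^(.+?\.(exe|dll|com|bat|cmd|scr))(\s|,|$)') { $t = $Matches[1] }
    else { $t = ($c -split '\s+')[0] }
    if (-not [IO.Path]::IsPathRooted($t)) {
        # Bare names such as "rundll32.exe" are resolved through PATH.
        $app = Get-Command $t -CommandType Application -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($app) { $t = $app.Path }
    }
    return $t
}

$results = foreach ($root in $roots) {
    foreach ($key in $keys) {
        $path = Join-Path $root $key
        if (-not (Test-Path $path)) { continue }
        # RunOnceEx keeps its commands in subkeys, so include them as well.
        $items = @(Get-Item $path) + @(Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                $command = [string]$item.GetValue($name)
                if ([string]::IsNullOrWhiteSpace($command)) { continue }
                $target = Get-CommandTarget $command
                $exists = Test-Path -LiteralPath $target -PathType Leaf
                [pscustomobject]@{
                    Key     = $item.Name
                    Value   = $name
                    Command = $command
                    Exists  = $exists   # False means the entry points at a missing file
                    Company = if ($exists) { (Get-Item -LiteralPath $target -Force).VersionInfo.CompanyName }
                    Suspect = $Suspect -contains (Split-Path $target -Leaf)
                }
            }
        }
    }
}

# Nothing is deleted; review the list before changing any value in regedit.
$results | Sort-Object Suspect, Exists -Descending | Format-List
```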


Vejdin wrote:

Hello Robert,

 

In most cases, to completely remove a threat, you should disable System Restore, run LiveUpdate, perform a Full System Scan and delete any detected files. If the Full System Scan cannot remove the infected files, you should run the scan in Safe Mode. Finally, you should check the Windows Registry's Run sections if you receive errors for missing files at Windows startup. To run Registry Editor, click the Start menu button, choose Run, type regedit and press Enter. Go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

then look at the following keys in the left pane: Run, RunOnce, RunOnceEx. See if there are references to the infected files in the right pane so you can delete them, if you are sure that the existing values refer to the infected files.

Norton SystemWorks's WinDoctor should be able to find such invalid entries in your registry so use it if you have NSW installed.


Did this do the job for you Robert?

I did everything you suggested in the above thread and the complete scan in Safe Mode found the trojan and said it had done a partial solution. I ran System Works and it found 70 odd things to repair but I still get this warning pop-up on boot up:

Auto Protect has blocked back door trojan as a security risk - Your computer is safe.

As I said, I managed to delete the three files from within System32, however every time my computer boots I get a message that NIS has successfully stopped a trojan from running. But when I run regedit there is still a folder rpcnet that contains information about the no longer present rpcnet.exe in System32. I would prefer not to have this pop-up run at boot every time, as I thought that was what NIS 2008 was supposed to be able to prevent.

 

Message Edited by RobertR on 05-11-2008 04:32 AM

Let's try something.

Please download SuperAntispyware at http://www.superantispyware.com

Update the database, then run a complete scan.

Let's see what it can find.

Bad news I'm afraid... I installed Super AntiSpyware and let it update itself and it ran and it found a new trojan called AIMVision which is completely different from what I have been chasing, which was called rpcnet.exe. This shows you how they can change to avoid detection. Either that or I picked up a new one while Googling around the net trying to find a solution. But I'm afraid after running it and allowing it to quarantine this so-called Trojan AIMVision, when my computer rebooted at the end of the process the little pop-up from NIS still came up with the not so reassuring words: "Auto Protect has blocked back door Trojan as a security risk - Your computer is safe". Well, I'm afraid that doesn't really satisfy me. I want to be completely rid of the thing. I think it's still the rpcnet.exe one. As a matter of fact, the location that AIMVision was found in tells me that it is for certain still the rpcnet.exe Trojan that is causing the problem. Incidentally, the information I received from a Google search was that this trojan came from a company called Absolute Software Corp who use it to track stolen laptops, but to me it's just a spyware/Trojan. A few people said the only way to be rid of it was to flash the BIOS (which I wouldn't have a clue how to do). One message in Google said this was the only way to get rid of it because it hides itself in the BIOS and every time you boot your computer it re-asserts itself into your system. Another message said it hides itself in your MBR and re-infects your computer at bootup. It seems there are a couple of suggested ways of getting rid of it, neither of which I am capable of.

Surely things can't be that bad can they? 

Surely there's something that I can do to be rid of it without having to take my new computer to a repair shop and get them to do an expensive operation on it that is not guaranteed to fix it.

Please help me. 

I'll try running it again and see what happens but I'm afraid it's not gonna work. I'll let you know in an edit of this post. 

Message Edited by RobertR on 05-12-2008 01:56 AM

 

Further bad news.. I ran Super AntiSpyware with System Restore switched  off and did a scan - no further faults found.

I then ran Super AntiSpyware in Safe Mode (F8) also no further faults found.

Please, I need some way to get this thing off my new system. I'll try anything you suggest and am relying on Symantec to come up with some way of resolving this problem. Having a pop-up at boot-up is not what I call a good permanent solution.

yours faithfully..

RobertR 

Message Edited by RobertR on 05-12-2008 03:27 AM
Message Edited by RobertR on 05-12-2008 03:33 AM
Message Edited by RobertR on 05-12-2008 03:42 AM
Message Edited by RobertR on 05-12-2008 04:28 AM

Try downloading Malwarebytes and update and run a full scan

http://www.malwarebytes.org/mbam.php

There are still 3 files, rpcnet.dll, rpcnet.exe and rpcnetp.dll, left behind, and two of them, rpcnet.exe and rpcnet.dll, have the company name Absolute Software Corp come up in the little popup beside the files left in C:\Windows\System32.

Does this mean I am still infected, and what should I do about those two files?

Every time NIS Starts I get a warning about the rpcnet trojan.

The pop-up says my computer is safe but I'd prefer not to have any warnings at all popping up.

What can I do about this?

I don't think ignoring it is a good option and the link provided by the person in the solution post has so many answers I don't know what to do.

My computer is only a month old. Should I take it back for a warranty repair or what? I tried deleting the reference in regedit and then I tried to delete the two Absolute Software files but they would not delete.
Please someone help me get rid of this nasty bug.

Tried deleting rpcnetp from within Regedit but it will not stay deleted.

I managed to delete the two files rpcnet.dll and rpcnet.exe from within System32 but every time my computer starts I get a message from NIS 2008 saying it has successfully prevented the trojan from having access to the net.

It's great that it has done this but does this mean I will have to put up with that warning from now until eternity?

Isn't there some way I can get rid of the whole thing and be clear of it?

As I said in the previous post, my computer is still under warranty. Should I return it and get them to send it to Toshiba to get this fixed or what?

Message Edited by RobertR on 05-10-2008 08:26 PM
Message Edited by RobertR on 05-10-2008 08:27 PM

All of the threads relating to RobertR's issues have been merged here.   

 

Keeping all issues related to one question or incident in a single thread is the most efficient way for all concerned. When posts about a question/problem/incident get spread out over multiple threads, it's entirely possible the same question will get answered multiple times.

 

We appreciate all users' efforts to help us keep the information here organized. If anyone has questions please feel free to send me, or any administrator or moderator, a PM.

 

 

Thanks,

Allen 

What is the name of the Trojan?

Actually, rpcnet.exe appears to be safe: http://www.hijackfree.com/en/processdetails/?id=348


Unfortunately, the software is embedded in the BIOS. This program is NOT malware; I suppose it came installed on your laptop when you bought it. Take a look at this link: About Absolute Software. There is a short description of this software. I've read that some companies had fixed their security software to bypass Absolute Software's program. Just set your Norton product to ignore the "suspicious" files and accept this program as additional protection for your laptop. It is for good there. I also think that flashing the BIOS will remove this software, but you should consult your manufacturer first.

 I've read all those stories about how Absolute Software uses it to track stolen laptops but it's not right to be doing this!

And now I've tried Malwarebytes anti-malware as well as A Squared's Antimalware versions of things to clear this problem; neither of them worked. This didn't come with my computer, it only appeared 4 days ago when NIS 2008 warned me about a backdoor trojan.

I don't think it's a thing that Norton should ignore. As far as I'm concerned it is a Trojan and that means it should be gotten rid of. 

If I can't get rid of it, what procedures are involved in having my antivirus and Firewall ignore this and pass it without giving me that pop-up every time my computer boots? I don't think that's a very satisfactory answer but if that's all I can do I will do what you suggest.

Which section does it infect? Is it the BIOS or is it the MBR? Surely someone knows which part of your computer it affects!

Please run me through the directions as to how I can get my AV and Firewall to ignore it. 

 

As far as Norton products go this is not a very good signal to give about their AV software! 

Message Edited by RobertR on 05-13-2008 02:30 AM

To ignore specific files, go to "Norton Internet Security Options", then "Exclusions". Click the "New" button under the category "Which disks, folders or files to exclude from risk scanning.", then click the folder icon to browse for files. Now add all files detected by the manual scan (for example, expand directories until you reach C:\Windows\System32\filename.exe) and click OK, then OK again to confirm. Do the same for the category "Which disks, folders or files to exclude from auto-protect scanning". The ignored files should appear in the list.

To block those files from accessing the internet, go to "Personal Firewall" - Program Control on the left. Click Add, find the file you want to block, select it and click "Open". The Program Control should ask you "What do you want to do". From the dropdown list select Block and click OK. Do this for all files that you already ignored from scanning.

Message Edited by Vejdin on 05-13-2008 12:30 PM

I have just spent 6 hours on the phone and using the remote chat facility with a supervisor in India named Moses Paul.

He tried (by remote control) several different methods at his disposal to try and rid me of this persistent pop-up, and every time he deleted or got rid of it, somehow it came back the next time we booted my computer. At 5:45pm he gave up and said he would talk to all his top techs to try and find a way that he can rid me of this persistent nuisance. He said he is going to ring me at 10am tomorrow and continue with the attempts at fixing this problem. I told him of your advice (that it got into the BIOS or MBR) but he said no, he could definitely see it as a procedure that was happening in my computer. He then asked me if I had a copy of Vista. I said no, they don't issue one with new Toshiba laptops, but that I was willing to buy one if that was all we could do. He then said he could get at it but it might involve deleting some files, so that I will need a Vista CD in order to copy those files back into place. I'm gonna go to the local repair shop (as I have no friends with Vista CDs) and hopefully borrow a Vista CD in order to do these tricks that he assures me will rid me permanently of this nasty trojan.

Every time he (or the two other techs that tried) deleted the rpcnetp folder from within the registry, as soon as you rebooted it would re-install itself back to where he had just deleted it. Hopefully tomorrow will bring better results - otherwise I will have to follow your instructions about how to make NIS 2008 ignore this trojan. Incidentally, he advised not to try any of the free versions of the things recommended previously (Super Anti-Malware etc.). He said they just get in the way and make it harder for people like himself to find the real culprit.

Keep your fingers crossed for me and please wish (or pray) that Moses can find out how to permanently get rid of this super nasty trojan.   You would have to call it a trojan because even though it seems to come from a legitimate company they will not answer any e-mails and even if this laptop were stolen I can't see how they can track it without going to  a lot of trouble.

Things like this should be able to be removed! I don't care who put it there. It's not right that they can completely take over my computer like this. So that is why I class it as a Trojan. It is persistent and I did not ask for it to be put on my computer.

I can tell you that six and a half hours of nervous energy has got me at my wits' end.

Moses parted the Red Sea - let's hope he can fix a trojan for me!

Message Edited by RobertR on 05-13-2008 08:57 PM

hi RobertR - i'm confused. this is clearly a manufacturer inserted, bios-embedded lojack application and not really a trojan (it's not hiding as something else and it's clearly not polymorphic). i don't see how the removal of this has anything to do with Norton. why not contact your computer manufacturer and tell them you would like it disabled? this seems like a long way around to disable such an application.

 

mel 

I wish you had come on line sooner, melodic wynd! Your ideas were nearly exactly what I had to do!

 

I just spent two days (16 hours) with a supervisor from Norton's service department in India.

It took Moses Paul all this time to find and rid my computer of this Trojan.

After all that, the computer was playing up something awful, with brightness and contrast settings all mixed up, and it would not accept my normal entry password. After all this time he said that if he put the files back on to fix the contrast and logon problems, putting those files back on my 'puter might bring the virus back. He was understandably frustrated and you can imagine how I felt.

 

Anyway, he suggested that I ring Toshiba and explain to them what had happened and see what they could do. I phoned Toshiba and after about 10 mins the tech there directed me as to how to do this restore. He first asked me if I had any important files I wanted to save first and said it would take approx. 40 mins to restore my computer back to new condition, including another 3 month trial of Office Pro and NIS 2008.

Well he gave me the directions and sure enough my computer was restored back to as new status AMAZING!!!

I've spent the last two hours restoring iTunes and other preferences I had and finally my computer is as new.

 

BUT!! You'd never believe it, but after doing all this I downloaded my recent e-mails. Among them was a reply from Absolute Software Corp. saying that if I e-mailed their tech my serial no. he would be able to remove LoJack (rpcnetp.exe) from my computer.

If only this had happened mid week instead of Sunday I could have saved Symantec 15 hours, some grey hairs and a whole lot of worry on my part. Just the restore from Toshiba would have satisfied me! But at least it is now fixed and I've got a brand new computer to play with. It cost me $138- from Symantec but I think I got a good deal for 15 hours' work!  :)

So that's a lesson for everybody who ever has this problem again.

If you can save all important files your manufacturer can renew your computer in only 1 hour!

Also the other lesson is that if you e-mail Absolute Software Corp. they also can do something.

 

I can't tell you how happy but tired I feel! (15 hours nervous energy can do that to you!)

At long last it is fixed and Moses Paul said it is a Trojan because even if the company says it's legit. it should not cause all this trouble. I thank the high hosts for Moses Paul and Toshiba tech department.

But there is a lesson for anybody who ever gets into trouble with this trojan again. 

So I'm gonna click solution accepted and hope that it helps any future cases of this problem.

Hallelujah!!!!!

Message Edited by RobertR on 05-15-2008 01:59 AM