sdbot and rpcsvc.exe
pedz


Joined: 11 Nov 2007
Posts: 0
I'm a Mac user and know very little about viruses of PCs. I have a PC that I use to do my corporate taxes. I had McAfee on it. It kept complaining about rpcsvc.exe. But it could not get rid of it. So, I did some google search and found something, downloaded it, and it killed McAfee. (It was a really old copy and I did not have support.) So, I searched again and found ClamWin. I run Clam A/V on my Mac server so I was glad to see it for Windows.

I removed McAfee using the PC (this is Windows 2000) remove program interface. Installed ClamWin and pointed it to my WINNT\system32 directory. It found some stuff but it does not think that rpcsvc.exe is infected.

How do I know for sure?

Right now, I'm scanning my whole C: drive so I probably can't do anything for a long while.

Thanks for your help
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
https://www.clamwin.com/content/view/40/27/
Is my set up wrong?
pedz


Joined: 11 Nov 2007
Posts: 0
VirusTotal says that it is a virus and that ClamAV finds it as PUA.Packed.MEW-1.

But, I just updated my DB and ran a scan on just that file and the results are:

Scan Started Sun Nov 11 12:28:48 2007
-------------------------------------------------------------------------------


----------- SCAN SUMMARY -----------
Known viruses: 167893
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 1
Skipped non-executable files: 0
Infected files: 0

Data scanned: 0.01 MB
Time: 33.698 sec (0 m 33 s)
--------------------------------------
Completed
--------------------------------------

Am I doing something wrong? (I submitted a report as that page requests that I do.)
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
What scanners detect it on VirusTotal? Can you paste the VirusTotal report?
PUA detection (Potentially unwanted application) is not yet enabled in ClamWin.
Results
pedz


Joined: 11 Nov 2007
Posts: 0
Antivirus;Version;Last Update;Result
AhnLab-V3;2007.11.10.0;2007.11.09;Win32/IRCBot.worm.Gen
AntiVir;7.6.0.34;2007.11.09;Worm/IrcBot.8773.A
Authentium;4.93.8;2007.11.10;W32/Ircbot.CI
Avast;4.7.1074.0;2007.11.11;Win32:Trojan-gen {Other}
AVG;7.5.0.503;2007.11.11;BackDoor.Generic.XYH
BitDefender;7.2;2007.11.11;Backdoor.IRCBot.DM
CAT-QuickHeal;9.00;2007.11.10;Backdoor.IRCBot.es
ClamAV;0.91.2;2007.11.11;PUA.Packed.MEW-1
DrWeb;4.44.0.09170;2007.11.11;BackDoor.Oscar
eSafe;7.0.15.0;2007.11.08;Win32.IRCBot.es
eTrust-Vet;31.2.5284;2007.11.09;Win32/Cuebot.F
Ewido;4.0;2007.11.11;Backdoor.IRCBot.es
FileAdvisor;1;2007.11.11;-
Fortinet;3.11.0.0;2007.10.19;W32/Cuebot
F-Prot;4.4.2.54;2007.11.10;W32/Ircbot.CI
F-Secure;6.70.13030.0;2007.11.11;Backdoor.Win32.IRCBot.es
Ikarus;T3.1.1.12;2007.11.11;Backdoor.Win32.IRCBot.BV
Kaspersky;7.0.0.125;2007.11.11;Backdoor.Win32.IRCBot.es
McAfee;5160;2007.11.09;W32/Sdbot.worm.gen.by
Microsoft;1.3007;2007.11.11;Backdoor:Win32/Sdbot
NOD32v2;2652;2007.11.11;a variant of Win32/IRCBot.OO
Norman;5.80.02;2007.11.09;W32/Ircbot.PU
Panda;9.0.0.4;2007.11.11;Bck/IRCBot.OF
Prevx1;V2;2007.11.11;-
Rising;20.17.62.00;2007.11.11;Backdoor.IRCbot.xq
Sophos;4.23.0;2007.11.11;W32/Cuebot-I
Sunbelt;2.2.907.0;2007.11.09;Backdoor.Win32.IRCBot.n
Symantec;10;2007.11.11;Backdoor.IRC.Bot
TheHacker;6.2.9.123;2007.11.10;Backdoor/IRCBot.es
VBA32;3.12.2.4;2007.11.11;Backdoor.Win32.IRCBot.es
VirusBuster;4.3.26:9;2007.11.11;Worm.IRCBot.GP
Webwasher-Gateway;6.0.1;2007.11.11;Worm.IrcBot.8773.A

Additional information
File size: 8773 bytes
MD5: 46180c1f9fda31efff442be1312eb933
SHA1: 62b84523e45a531521e7567b13106958deddb6fb
packers: PE_Patch, MEW
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
PUA is supposed to indicate a "tool" that could be used by a virus writer. It could be that Clam got the signature label wrong and put it in as a PUA instead of a regular signature--since so many of the other AVs see a back door. Regardless, it appears that the file is something that you don't want on your computer. Tell the site where you downloaded the file about it and see what they say.

Keep your copy of ClamWin updated and scan often.

Regards,
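The comparison made in the replies above (one packer/PUA label against many backdoor names) can be read straight off the pasted report. This is an added example, not part of any post in the thread: it parses a subset of the report's rows in their semicolon format, and the `FAMILY_HINTS` list and the "PUA./Packed" rule are assumptions chosen to fit the labels in this report.

```python
import csv
import io
import re
from collections import Counter

# A subset of rows from the report pasted in the thread, same semicolon layout.
REPORT = """Antivirus;Version;Last Update;Result
AntiVir;7.6.0.34;2007.11.09;Worm/IrcBot.8773.A
ClamAV;0.91.2;2007.11.11;PUA.Packed.MEW-1
FileAdvisor;1;2007.11.11;-
Kaspersky;7.0.0.125;2007.11.11;Backdoor.Win32.IRCBot.es
McAfee;5160;2007.11.09;W32/Sdbot.worm.gen.by
Sophos;4.23.0;2007.11.11;W32/Cuebot-I
Symantec;10;2007.11.11;Backdoor.IRC.Bot
"""

# Assumption: family names taken from the labels that appear in this report.
FAMILY_HINTS = ("ircbot", "sdbot", "cuebot")

def classify(label):
    """Return (kind, family) for one engine's result string."""
    if label.strip() in ("", "-"):
        return "clean", None
    # Assumption: a PUA./Packed label describes the packer, not a malware family.
    if label.upper().startswith("PUA.") or "packed" in label.lower():
        return "packer_or_pua", None
    # Drop punctuation so "Backdoor.IRC.Bot" and "IRCBot" compare equal.
    squashed = re.sub(r"[^a-z0-9]", "", label.lower())
    family = next((f for f in FAMILY_HINTS if f in squashed), "other")
    return "malware", family

def triage(report_text):
    """Group engines by what kind of result they reported."""
    rows = csv.DictReader(io.StringIO(report_text), delimiter=";")
    out = {"clean": [], "packer_or_pua": [], "malware": [], "families": Counter()}
    for row in rows:
        kind, family = classify(row["Result"])
        out[kind].append(row["Antivirus"])
        if family:
            out["families"][family] += 1
    return out

def summary(report_text):
    t = triage(report_text)
    total = len(t["clean"]) + len(t["packer_or_pua"]) + len(t["malware"])
    return (f"{len(t['malware'])}/{total} engines name a malware family "
            f"{dict(t['families'])}; packer/PUA label only: {t['packer_or_pua']}; "
            f"no detection: {t['clean']}")

if __name__ == "__main__":
    print(summary(REPORT))
```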
Cleaned up
pedz


Joined: 11 Nov 2007
Posts: 0
Thanks Guys.

I read some pages that said to boot in safe mode and delete it. I did that and rebooted. I don't see the file or the process now.

The web pages mentioned that there are some registry things to clean up but I didn't follow how to do that part of it. Hopefully, I'll be o.k.

Thanks again.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Try the free Microsoft Live One Care service to clean up, tune up, and protect your computer once a month. Clean up includes a basic registry scan/clean. It's at
https://onecare.live.com/site/en-us/default.htm on the Web. Don't sign up for the paid service, however--there are better antivirus programs.

Regards,