RPCNET.EXE Virus?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tag1995, Jan 11, 2007.

  1. tag1995

    tag1995 Private E-2

    Hello everyone, every time I reboot, my antivirus and firewall pop up warning me about a virus, rpcnet.exe and rpcnetp.exe; both of those also have a .dll variant.
    I have deleted it with BitDefender v10, a-squared, RegSeeker, Killbox and others.
    It won't go away. Any ideas ~ need some help.
    Tag1995
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Re: RPCNET.EXE Virus?

    Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

    Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • CounterSpy
    • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. tag1995

    tag1995 Private E-2

    RPCNET.EXE EXPLAINED and WORK AROUND

    After trying many fixes to get rid of rpcnet.exe, I used every scanner, malware remover, spyware remover I could think of, and a lot of help from my AV forum (BitDefender). I ran a HJT log to see if it was in there, as it was, I also looked over about 24 different HJT logs with the same problem. And I didn't find one that was able to eliminate RPCNET.EXE. So I went back to where I started, Absolute Software Corp. So now, realizing it was not malware or a virus, I had to confirm it was Absolute Software (LoJack tracking software mostly used in laptops in case they are stolen). When you go to "Services" via Control Panel> Administrative Tools> and open the Services icon, there are two valid services for Remote Procedure Call. They are Remote Procedure Call (RPC) - Status = Started, Startup type = Automatic and Remote Procedure Call (RPC) Locator - Status = Stopped, Startup type = Manual. You do not want to remove or disable these. If you have a third one, right click, go to Properties and open; if the Path is C:\WINDOWS\system32\rpcnet.exe, you probably have Absolute Software. To confirm, go to Start> Run and type msconfig, and OK; in the System Configuration Utility open the Services tab and put a check in the "Hide All Microsoft Services", then scroll down to see if it shows Absolute Software Corp. I will put an attachment of how this will look. View attachment Absolute Software Corp. Photo.doc

    Work Around: If you have found that Absolute Software is on your PC, as far as I can tell there is no way to delete it or disable it, as I believe it is on the MBR (Master Boot Record). You are probably fine as far as RPCNET.EXE is concerned, although it may show up in your scans. The only way to keep the Anti-Virus/Firewall from having the pop-up is by configuring your AV and Firewall by using an exception or exclusion for the Path. Here are all the Paths for Absolute> (C:\WINDOWS\system32\rpcnet.exe) (C:\WINDOWS\system32\rpcnet.dll) (C:\WINDOWS\system32\rpcnetp.exe) (C:\WINDOWS\system32\rpcnetp.dll). By creating an exception or exclusion in the AV and FW, it will bypass what it thinks is a virus.

    After talking to Absolute support, they only have 3 Anti-virus/Firewall companies that they are working with that acknowledged RPCNET.EXE as safe. Which is amazing after being in business for so many years. Of all the HJT logs I looked at, Gateway seemed to have the most problems with RPCNET.EXE, which happens to be my PC manufacturer ~ which is also a Desktop. Help your Anti-virus/Firewall Co. by letting them know about Absolute Software Corp.

    Chris
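
The identification steps in the post above (an extra service whose path is C:\WINDOWS\system32\rpcnet.exe, plus the four listed files), as a read-only PowerShell check. This is an added example, not part of the original thread or any Absolute Software tooling; it assumes Windows with PowerShell 3.0 or later, and the variable names are illustrative.

```powershell
# Added example: read-only check for the rpcnet agent described in the post.
# The four paths are the ones listed in the post above.
$agentFiles = @(
    'C:\WINDOWS\system32\rpcnet.exe',
    'C:\WINDOWS\system32\rpcnet.dll',
    'C:\WINDOWS\system32\rpcnetp.exe',
    'C:\WINDOWS\system32\rpcnetp.dll'
)

# 1. Services whose binary path points at rpcnet.exe or rpcnetp.exe.
#    The two genuine Remote Procedure Call services run from svchost.exe
#    and locator.exe, so they do not match this pattern.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match '\\rpcnetp?\.exe' } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 2. For each listed file that exists, collect the vendor string from the
#    version resource and the Authenticode signature status and signer.
$files = foreach ($path in $agentFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path      = $path
            Company   = $item.VersionInfo.CompanyName
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Modified  = $item.LastWriteTime
        }
    }
}

# 3. Report. Nothing is stopped, deleted or excluded by this script.
if ($services) {
    'Services pointing at rpcnet binaries:'
    $services | Format-List
} else {
    'No service with an rpcnet.exe / rpcnetp.exe path was found.'
}

if ($files) {
    'rpcnet files present on disk:'
    $files | Format-Table -AutoSize -Wrap
} else {
    'None of the four listed rpcnet files are present.'
}
```

Review the Company and Signature columns before creating the AV/firewall exclusion described in the post: a path-based exclusion applies to whatever file sits at that path, whoever put it there.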
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have anything installed that is part of Absolute Software? If so, uninstall it, let me know if you can't remove it and we will manually remove it.
     
  5. tag1995

    tag1995 Private E-2

    If it's Absolute Software you put on yourself, then of course you can remove it from your PC in Add & Remove. But in most cases it was put on by the PC manufacturer, and I have not been able to delete it. I even went into Enum/Root/LEGACY and deleted all RPCNET and RPCNETP, which is part of Absolute Software. My conclusion, after deleting every rpcnet and rpcnetp with System Restore disabled, is that it will come back after reboot. If you have it on a Gateway PC, because there is a CHIP put on the MOTHERBOARD by Gateway> http://www.gateway.com/programs/gwshield/features.shtml. You may have better luck with a HP or Dell, but the majority of problems I came across were on Gateway PCs.
    Good Luck everyone
    Thanks for all replies, it takes many people to solve a problem.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The trouble with all of this is this statement
    If this is true, then why do so many people have the process/services showing up on their systems and not even know about it. When you ask whether the PC is a notebook and if they use this software, the answer is typically no. Thus why is it running. Also I believe I have even seen these same processes/services running on a Desktop which raises more questions.

    Yes it is true that it is not possible to remove the processes and services. They will just return after a reboot. The strange thing is why do so many people have this and not know about it......... could it be that everyone coming here for help with removing these has stolen PCs?????????? And thus they would obviously not know what this is.
     
  7. tag1995

    tag1995 Private E-2

    I think most of the people who have just purchased a new PC, which comes with Norton or McAfee loaded on their PC. They may never know because according to Absolute Software, those two plus ZoneAlarm see RPCNET as safe. Gateway's quality control must not be too good, because I have a Desktop and had no problems until I switched to BitDefender for my AV. I have also noticed that a lot of HJT logs think they have a Trojan Dialer, because of the Dialing Properties in Absolute Software. I am working with BitDefender, and I am trying to figure out a way to let Gateway know what a problem they are causing. If you have any ideas, let me know.
    Thanks for your reply ~ you are one of the first who sees the problem.
    Chris
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have seen the problem here for quite some time. In the beginning, we, just like everyone else, thought it was malware due to the naming used for the service and also the files. We used all kinds of typical procedures to try and remove it and sometimes it looked like it was gone. But then it would always reappear. At first we also thought that possibly users were not following our directions. It took a while before all the malware removal experts started to realize that some kind of hardware protection was being used. LoJack and Absolute Software was discovered eventually but not until after we wasted a load of time trying to remove this.

    I have not seen one person yet who knowingly enabled or knew anything about this feature. Thus, it must be on by default in many systems! Either that or people just are not paying attention to what they are buying with their PCs.

    I'm not sure that this is only on Gateway PCs. I believe I have seen it on Dells too.

    If something can be enabled! There should also be a way to disable. Perhaps there is from the BIOS level but you would expect it to be password protected. Otherwise it would be a totally worthless feature since the thief could easily disable it from the BIOS.
     
