I got a trojan while installing, Avast quarantined the aforementioned file.
My question is: Is this an infected file necessary for Windows, or an otherwise non-existent file created by the virus?
System: Windows 7 x64
If you haven’t added the formatting RpcRtRemotte.dll the t bit then there is no way this would be a system file?
You don’t say what the malware name is or the location of the detection?
Extracting the formatting then the file name also looks a bit suspect RpcRtRemotte.dll (the two tt’s in Remotte), zero hits on this file name on Google (image1).
So maybe that it is trying to look like a legit file RpcRtRemote.dll, which does have a lot of Google hits.
I’m sorry, the location was C:\Windows\SysWOW64 and it was right next to the original RpcRtRemote file. I googled it, and since it had no results, I deleted the file, so I have got no clue what type of trojan it was.
I just want to reassure myself, that I haven’t messed up my system by deleting a necessary file.
I suspect it was as I suggested a file name close enough to the legit thing to cause you this kind of doubt and concern.
Deletion isn’t really a good first option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest (a protected area) and investigate.
However, in this case it does look like a legit detection, had you not deleted it then it could have been checked out at a site with multiple scanners:
It would have been possible to check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.
Thanks for the help.
I was a moron and deleted it, but next time I’ll try your method.
So there is no such file in a clean Windows x64 as RpcRtRemotte.dll, I guess.
The original RpcRtRemote.dll seems intact.
Here is the dll information: http://www.win7dll.info/rpcrtremote_dll.html
It can be used by hackers to compromise, read about this issue via this link:
http://answers.microsoft.com/en-us/windows/forum/windows_7-security/rpcrtremotedll-errors-at-startup/3b5a3fb3-0162-4c94-bcd1-73cc8c720877 (link author = Azeez N - MS support engineer)
polonus
You’re welcome.
When the dark brown stuff hits the fan it is hard to think rationally ;D
With dll files in either system32 or syswow64 folders, etc. I would expect there to be a good number of hits on a search, so yes I would say there is no such legit/clean file with that name.
Whilst this is the legit file and it may well be possible to exploit it, in this instance this wasn’t the file detected by avast but RpcRtRemotte.dll.
Hi DavidR,
Agree with you, the malcreants just use slightly different file names to give the impression they are legit. Comparison with the legit files sets them out, that is why I gave this info,
polonus
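The comparison with legitimate file names discussed in this thread can be automated. The following is an added example, not code from any poster or from Avast: it flags names in a directory listing that are absent from a known-good baseline but within a small edit distance of a baseline name. The baseline and the listing are constructed sample data; a real baseline would come from a clean reference install of the same Windows version.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]


def find_lookalikes(listing, baseline, max_distance=2):
    """Return (suspect, resembles, distance) tuples for names that are not in
    the baseline but sit within max_distance edits of a baseline name."""
    # Windows file names are case-insensitive, so compare in lower case.
    known = {name.lower(): name for name in baseline}
    hits = []
    for name in listing:
        low = name.lower()
        if low in known:
            continue  # exact match with a known-good name
        for good_low, good in sorted(known.items()):
            d = edit_distance(low, good_low)
            if d <= max_distance:
                hits.append((name, good, d))
    return hits


# Constructed sample data (assumption): a tiny known-good baseline and a
# listing shaped like the SysWOW64 case described in the thread.
BASELINE = ["RpcRtRemote.dll", "kernel32.dll", "ntdll.dll", "user32.dll"]
LISTING = ["kernel32.dll", "ntdll.dll", "RpcRtRemote.dll",
           "RpcRtRemotte.dll", "user32.dll", "vendorhelper.dll"]

if __name__ == "__main__":
    for suspect, good, d in find_lookalikes(LISTING, BASELINE):
        print(f"{suspect} is {d} edit(s) away from {good}: review it")
```

A hit is a lead for review (quarantine, then check the file's signature and scan results), not a verdict; names that are simply unknown, like `vendorhelper.dll` here, are not flagged by this check.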