Suspicious file detected- rdpclip.exe

Hi Essexboy,
Avast found a suspicious file in the system32 folder. I have configured the AV to try repair, then move to chest, then ask. Avast seems to be unable to move to chest and has asked me what to do with the 1st screenshot. I selected move to chest but the message reappears again and again when I press OK. Then I selected block and the second screenshot appears. After that, Avast again showed me the message, but this time it wasn’t the mbam.exe process, but explorer.exe. I captured both messages and searched in the port tracking section of Privatefirewall for suspicious processes, but I haven’t found anything. Then my computer restarted without any action from me. I logged in and my PC usage was close to 100, my PC became a turtle. I checked in the task manager and there were 10 or more open chrome.exe processes and the user was “anonymous user”. I closed them all. :o

Hello,

please follow this guide here: http://forum.avast.com/index.php?topic=53253.0

After that attach all logs, DON'T COPY AND PASTE THEM. After that the malware removers will be notified by a moderator.

But please be patient, it can take some time till they arrive.

As the triggering programme is MBAM, was it running a scan at the time?

I don’t know, Malwarebytes is running a flash scan after every update, but even if there was a scan running the first time Avast detected it, the second time the process was explorer.exe and not mbam.exe. I have submitted the file to Avast but I flagged it as possible malware. I think it is a false positive because the file has a copyright from Microsoft Corporation and it has all of the details of the other system files; it is not signed by Microsoft, but not all of the other files are signed either. I will attach the OTL log in my next reply. :slight_smile:

PS.: Scanned with Avast and Malwarebytes Free. VirusTotal: https://www.virustotal.com/bg/file/63fb201040002775e6ef6f836a8f0f4d94324fc299c0f9bc1f17a97c6bb24552/analysis/1375298584/ Someone scanned the file today before me; maybe it is not only my false positive. ???
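Before trusting either the detection or the copyright string, the check a responder would run on the flagged file is to ask Windows for its Authenticode status (system binaries are usually signed through a security catalog, not an embedded signature, so Explorer's Digital Signatures tab looks empty) and to compare its SHA-256 with the hash in the VirusTotal link above. This is an added example, not code from the thread; the expected hash is the one from that link and will only match the same build of rdpclip.exe, so the signature result is the decisive part.

```powershell
# Added example (not from the thread): verify the flagged rdpclip.exe is the
# catalog-signed Microsoft binary and compare its SHA-256 with a known value.
# $ExpectedHash is the SHA-256 from the VirusTotal URL quoted in the thread;
# a different Windows build legitimately produces a different hash.
$Path         = Join-Path $env:SystemRoot 'System32\rdpclip.exe'
$ExpectedHash = '63fb201040002775e6ef6f836a8f0f4d94324fc299c0f9bc1f17a97c6bb24552'

function Test-SystemBinary {
    param([string]$FilePath, [string]$KnownSha256)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    # Get-AuthenticodeSignature also resolves catalog signatures
    # (SignatureType = Catalog), which is how most System32 files are signed.
    $sig  = Get-AuthenticodeSignature -LiteralPath $FilePath
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    $ver  = (Get-Item -LiteralPath $FilePath).VersionInfo

    [pscustomobject]@{
        Path            = $FilePath
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignatureType   = $sig.SignatureType   # Embedded or Catalog
        Signer          = $sig.SignerCertificate.Subject
        CompanyName     = $ver.CompanyName     # the string the AV user relied on
        FileDescription = $ver.FileDescription
        Sha256          = $hash
        MatchesKnown    = ($hash -ieq $KnownSha256)
    }
}

$result = Test-SystemBinary -FilePath $Path -KnownSha256 $ExpectedHash
$result | Format-List

# A genuine copy reports SignatureStatus = Valid with SignatureType = Catalog and a
# Microsoft signer subject; the version-info strings alone prove nothing because any
# file can claim "Microsoft Corporation". NotSigned or HashMismatch on a System32
# file is the result that justifies leaving it in the chest until it is examined.
```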

I would suspect an FP.

rdpclip.exe is the executable for File Copy. It provides a function for the Terminal Services server that allows you to copy and paste between server and client. This program is important for the stable and secure running of your computer and should not be terminated.

You can contact Avast over this site and explain the situation to them:

http://www.avast.com/de-de/contact-form.php

@Essexboy- why was that restart? :o

@Steven Winderlich- Thank you for the link, but if you look at it closely it is in German ;D ;D

PS.: I have submitted the file again, but this time I marked it as FP :slight_smile:

I can check the system out if you wish. Were you installing Windows updates at the time?

Sorry liubomirwm,

I hadn't thought about that; I'm from Germany and that's why the site is in German. ;D ;D

OK, I will post an OTL log :slight_smile: Yes, Windows is installing all of the updates automatically.

No problem, if I need to see the page I will select English ;). I sent the file as an FP to the Avast lab from the interface.

Now you can just wait… 8)

The logs are attached

In fact, after the problem yesterday I haven’t noticed anything, so I am sure it’s a false positive, but that doesn’t mean I’m not infected; anyone may have a virus :slight_smile:

The logs are attached
Attached where?

In my previous post :o

Just some orphaned adware is all I can see :slight_smile:

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1000\..\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1000\..\URLSearchHook: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1000\..\URLSearchHook: {da30eff8-ccc6-4162-a20d-67402a26a215} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1000\..\SearchScopes,DefaultScope = {69ABAE4C-47BC-4EAD-A2B3-ED08ED617830}
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\URLSearchHook: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\URLSearchHook: {da30eff8-ccc6-4162-a20d-67402a26a215} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\SearchScopes,bProtectorDefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\SearchScopes,BrowserMngrDefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=ct3135048&SearchSource=55"
[2012.09.17 15:48:47 | 000,000,000 | ---D | M] (incredibar.com) -- C:\Users\bojanka\AppData\Roaming\mozilla\Firefox\Profiles\xufoh5eo.default\extensions\ffxtlbr@incredibar.com
[2013.05.25 19:37:22 | 000,003,710 | ---- | M] () (No name found) -- C:\Users\bojanka\AppData\Roaming\mozilla\firefox\profiles\xufoh5eo.default\extensions\fhdp@fhdp.tv.xpi
[2012.09.17 17:01:35 | 000,002,223 | ---- | M] () -- C:\Users\bojanka\AppData\Roaming\mozilla\firefox\profiles\xufoh5eo.default\searchplugins\BabylonMngr.xml
[2012.11.03 14:44:51 | 000,002,536 | ---- | M] () -- C:\Users\bojanka\AppData\Roaming\mozilla\firefox\profiles\xufoh5eo.default\searchplugins\browsemngr.xml
[2013.07.19 00:01:27 | 000,000,934 | ---- | M] () -- C:\Users\bojanka\AppData\Roaming\mozilla\firefox\profiles\xufoh5eo.default\searchplugins\conduit.xml
O2 - BHO: (no name) - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\Toolbar\WebBrowser: (no name) - {DA30EFF8-CCC6-4162-A20D-67402A26A215} - No CLSID value found.
O3 - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[Reboot]

Then click the Run Fix button at the top.
Let the program run unhindered, and reboot the PC when it is done.
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

These are the logs :wink:

System still running OK?

I haven’t noticed any problems since the Evo-gen detection. Yes, the computer is running OK for now. I haven’t noticed any Incredibar on my PC. :o In the “C” drive there is a folder called _OTL and in this folder there is another folder called “Moved Files”; should I delete it, as it contains the toolbar? I used to think that Avast Browser Cleanup would notify me if there is an unwanted toolbar. :slight_smile: Neither Avast nor Malwarebytes is detecting it. ;D ;D

PS.: I will change my firewall from Private Firewall to Online Armor. What do you think? Should I change it?

Not sure about the firewall, as I use AIS and have never tried the others.

Run OTL and press Cleanup; that should remove the associated folders. If not, delete them manually.