Discussion in 'malware problems & news' started by Elisat124, Jun 10, 2004.

Thread Status:
Not open for further replies.
  1. Elisat124

    Elisat124 Registered Member

    Apr 19, 2004
    After scanning my computer with Avast! antivirus, I got this message:
    Sign of "WIN32:RPCexploit[trj]" Has been found in "C:\Windows\Memory.DMP" file. It shows twice while it does the scan. I ran HijackThis and here is the scan results:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:23:16 PM, on 6/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MozillaFirebird\MozillaFirebird.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
    N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Mommy\Application Data\Mozilla\Profiles\default\7mx02acl.slt\prefs.js)
    N3 - Netscape 7: user_pref("", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Mommy\Application Data\Mozilla\Profiles\default\7mx02acl.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -,5,0,4312/
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A94C3B39-3314-48D3-AB7D-13429FE8148E}: NameServer =

    Any help or info on how to remove this virus would be greatly appreciated.
    Thanks in advance.

  2. TonyKlein

    TonyKlein Security Expert

    Feb 9, 2002
    The Netherlands
    I don't think you're infected; it's probably an Avast false positive.

    That file is a memory dump from a previous system crash containing debugging information. It can safely be deleted.

    I suggest you do that, then run your antivirus one last time.
  3. Brumla

    Brumla Guest

    I have a problem with Win32:RPCexploit [trj]. My PC crashes randomly (every 1-5 hours) while connected to the internet. Then when I ran Avast I found this virus, or whatever it is, on my PC. I deleted the infected file and the memory dump (I think this file is created as a result of the virus action, which overdumps memory... maybe?). But then I got into the same situation again and again... quite annoying, and I have no experience with this kind of attack... any suggestions please?

    BTW, on the crash screen it says there are problems with the ltmdmnt.sys file. And afterwards, after auto-restart, a memory.dmp file is always created in the Windows dir.
  4. nick s

    nick s Registered Member

    Nov 20, 2002
    Ltmdmnt.sys is a Lucent Winmodem driver. Check to see if there are updated drivers for your modem (usually available from your PC's manufacturer) or take a look here: Modemsite. But I solved my problems with Winmodem blue screens by buying an external modem.
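Before deleting MEMORY.DMP as suggested above, it is worth confirming that the file really is a kernel crash dump and reading the stop code out of it, since that is what points at a driver such as ltmdmnt.sys. The script below is an added example for this thread; it is not code from any of the posters, from Avast or from HijackThis. It parses the DUMP_HEADER the kernel writes at the start of MEMORY.DMP, names the bug check, counts references to a driver file name, and reports whether a scanner's pattern match sits in the header or in the dumped memory body. The header offsets are this example's understanding of the DUMP_HEADER32/DUMP_HEADER64 layouts that WinDbg and kd read; check them on a real dump with `.dumpdebug` before relying on them. The sample dump, the driver path and the "AV pattern" string are constructed in memory so the script runs offline; the bug check parameter values are made up.

```python
"""Triage a Windows kernel crash dump (MEMORY.DMP) instead of deleting it blind.

Added example, not code from the forum thread or from Avast/HijackThis.
Header offsets are the author's understanding of DUMP_HEADER32/64 (verify with
WinDbg `.dumpdebug`). The sample dump at the bottom is constructed in memory.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Field offsets in the DUMP_HEADER for 32-bit (PAGEDUMP) and 64-bit (PAGEDU64) dumps.
LAYOUTS: Dict[bytes, dict] = {
    b"PAGEDUMP": {"word": 4, "header_size": 0x1000, "nproc": 0x24, "bugcheck": 0x28, "params": 0x2C},
    b"PAGEDU64": {"word": 8, "header_size": 0x2000, "nproc": 0x34, "bugcheck": 0x38, "params": 0x40},
}

# A few common stop codes; the full list is bugcodes.h in the WDK.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}


@dataclass
class DumpSummary:
    bitness: int
    header_size: int
    bugcheck_code: int
    bugcheck_name: str
    params: Tuple[int, int, int, int]
    num_processors: int


def parse_dump_header(data: bytes) -> DumpSummary:
    """Read the fixed DUMP_HEADER fields; raise if the file is not a kernel dump."""
    lay = LAYOUTS.get(bytes(data[:8]))
    if lay is None:
        raise ValueError("not a Windows kernel dump: no PAGEDUMP/PAGEDU64 signature")
    fmt = "<I" if lay["word"] == 4 else "<Q"
    code = struct.unpack_from("<I", data, lay["bugcheck"])[0]
    params = tuple(struct.unpack_from(fmt, data, lay["params"] + i * lay["word"])[0] for i in range(4))
    nproc = struct.unpack_from("<I", data, lay["nproc"])[0]
    return DumpSummary(lay["word"] * 8, lay["header_size"], code,
                       BUGCHECK_NAMES.get(code, "UNKNOWN_%#x" % code), params, nproc)


def count_driver_references(data: bytes, driver: str) -> int:
    """Case-insensitive count of ASCII and UTF-16LE occurrences of a driver file name.
    Kernel module paths live in memory as UNICODE_STRINGs, so a driver that was
    loaded at crash time normally appears at least once in UTF-16LE."""
    lowered, name = data.lower(), driver.lower()
    return lowered.count(name.encode("ascii")) + lowered.count(name.encode("utf-16-le"))


def locate_pattern(data: bytes, pattern: bytes, header_size: int) -> List[Tuple[int, str]]:
    """Offsets of a scanner pattern, tagged 'header' or 'body'. A hit in the body means
    the bytes were in RAM when the machine crashed (a received packet, a browser
    buffer), which is not evidence that the dump file itself is malware."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append((pos, "header" if pos < header_size else "body"))
        pos = data.find(pattern, pos + 1)
    return hits


def build_sample_dump(bits: int = 32) -> bytes:
    """Constructed dump: stop 0xD1 with made-up parameters, a body holding the modem
    driver path in UTF-16LE (as the loaded-module list would), and a stand-in string
    for whatever bytes an AV engine matched. Unused header bytes are 'PAGE' filled."""
    sig = b"PAGEDUMP" if bits == 32 else b"PAGEDU64"
    lay = LAYOUTS[sig]
    hdr = bytearray(b"PAGE" * (lay["header_size"] // 4))
    hdr[0:8] = sig
    struct.pack_into("<I", hdr, lay["nproc"], 1)
    struct.pack_into("<I", hdr, lay["bugcheck"], 0xD1)
    fmt = "<I" if bits == 32 else "<Q"
    for i, p in enumerate((0x4, 0x2, 0x0, 0xF8A1C2D4)):          # made-up parameters
        struct.pack_into(fmt, hdr, lay["params"] + i * lay["word"], p)
    body = (b"\x00" * 512
            + "\\SystemRoot\\System32\\DRIVERS\\ltmdmnt.sys".encode("utf-16-le")
            + b"\x00" * 1024
            + b"CONSTRUCTED-AV-PATTERN"                            # stand-in, not a real signature
            + b"\x00" * 256)
    return bytes(hdr) + body


SAMPLE_DUMP = build_sample_dump()
SAMPLE_PATTERN = b"CONSTRUCTED-AV-PATTERN"


def triage(data: bytes, driver: str, pattern: bytes) -> dict:
    """Everything a practitioner wants before deciding the dump is a false positive."""
    summary = parse_dump_header(data)
    return {
        "summary": summary,
        "driver_refs": count_driver_references(data, driver),
        "pattern_hits": locate_pattern(data, pattern, summary.header_size),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP, "ltmdmnt.sys", SAMPLE_PATTERN)
    s = result["summary"]
    print(f"{s.bitness}-bit dump, stop {s.bugcheck_code:#010x} {s.bugcheck_name}, "
          f"params {[hex(p) for p in s.params]}, {s.num_processors} CPU(s)")
    print(f"references to ltmdmnt.sys: {result['driver_refs']}")
    for off, region in result["pattern_hits"]:
        print(f"pattern at offset {off:#x} ({region})")
```

On a real machine you would pass the bytes of C:\Windows\MEMORY.DMP to `triage` with the driver name from the blue screen; a stop code such as DRIVER_IRQL_NOT_LESS_OR_EQUAL plus a loaded-module reference to the modem driver supports the driver explanation given above, and a pattern hit in the body rather than the header is consistent with the scanner having matched transient memory contents.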
