Win32.explorerhijack?!
I just recently installed Bit Defender, a little bit, shall we say, late. This is what forced my hand: my 2-year-old laptop crashed, and upon rebooting, an activation of Windows was required (reactivation, imo). I don't really know what that was about, but I did know that I did not have any antivirus software, and I needed some fast. So I went with the best, and am loving it.
Here is my current problem:
Bit Defender gives a message: Virus blocked: Behaveslike.Win32.ExplorerHijack. This message is linked to C:\Windows\System32\rpcnet.dll and rpcnetp.dll. There is a wide debate on the web on the origin of these files. Many are concerned that it is an actual virus while others say it is part of a security program installed that phones a company if the notebook is stolen. I indeed have one of those programs installed on my laptop.
So, what do you think?
Comments
Hi I heart Cats,
It doesn't matter what we think, when we can find out for sure.
Just put those files in a zip file, protected by the password "infected", and attach the archive to your next post. BD Virus Analysts will check the files and they will tell you for sure if the files represent any risk or if they are false positives (in which case, detection will be removed).
Cris.
0 -
Hello, here are the files you requested, thanks for the timely response! There is also another file related to the Win32.explorerhijack warning, NT Agent.exe. I ran into a problem with adding rpcnet.exe and NT Agent.exe to the zip files:
"Action: Add (and replace) files Include subfolders: yes Save full path: no
Include system and hidden files: yes
Adding NTAgent.exe
Warning: could not open for reading: C:\Documents and Settings\Ben\Desktop\NTAgent.exe
replacing old Zip file"
0 -
Hello,
If you're having trouble adding all files in the same archive, just create separate archives for each file and attach all of them (in the same topic).
"Hello, here are the files you requested,"
The previous topic has no files attached. If you wanted to attach something, you didn't succeed. To attach a file, press the Browse button, search and select the file and then press Upload (the green button on the right side of the Browse button)
Cris.
0 -
Having the same thing on 2 of my laptops.
From log:
<ScanDetails>
<ScannedRegistryKey finalStatus="disinfect failed" path="[System]=]HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RPCNET\ImagePath=]C:\WINDOWS\SYSTEM32\RPCNET.EXE" threatType="virus" threatName="BehavesLike:Win32.ExplorerHijack" action="disinfect"/>
<ScannedRegistryKey finalStatus="disinfect failed" path="[System]=]HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\RPCNET\ImagePath=]C:\WINDOWS\SYSTEM32\RPCNET.EXE" threatType="virus" threatName="BehavesLike:Win32.ExplorerHijack" action="disinfect"/>
<ScannedRegistryKey finalStatus="disinfect failed" path="[System]=]HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\RPCNET\ImagePath=]C:\WINDOWS\SYSTEM32\RPCNET.EXE" threatType="virus" threatName="BehavesLike:Win32.ExplorerHijack" action="disinfect"/>
<ScannedFile finalStatus="disinfect failed" path="[System]=]C:\WINDOWS\system32\rpcnet.exe (disk)" threatType="virus" threatName="BehavesLike:Win32.ExplorerHijack" action="disinfect"/>
<ScannedFile finalStatus="disinfect failed" path="C:\WINDOWS\system32\rpcnetp.exe" threatType="virus" threatName="BehavesLike:Win32.ExplorerHijack" action="disinfect"/>
</ScanDetails>
[attachment=813:infected.zip]
0 -
Bueller? Anyone looking into this?
0 -
Sorry for the delay. This is a FP, detection will be removed after the next update. The problem was that the executable was using some unconventional methods, which triggered our heuristics.
Best regards.
0 -
This has been gone for the past week, but I have started to get the popup alerts again last night and today.
0 -
Sorry for the delay. This is a FP, detection will be removed after the next update. The problem was that the executable was using some unconventional methods, which triggered our heuristics.
Best regards.
So, OK, I have the same problem with rpcnetp.exe -- caught repeatedly by Bitdefender and moved into quarantine, only to reappear again (on the next boot up, meaning there's a seeder program inside my machine somewhere). Have no clue what to do about it or how to get rid of it. In your post, what does "This is a FP" mean?
0 -
Hello,
FP means false positive (a clean file that is detected as malware). This might be your situation too. Please attach the file(s) in question in a password-protected archive. Thanks!
0