Author Topic: Suspicious file detected- rdpclip.exe


Offline A. User

  • Sr. Member
  • ****
  • Posts: 388
Suspicious file detected- rdpclip.exe
« on: July 31, 2013, 06:13:29 PM »
Hi Essexboy,
Avast found a suspicious file in the system32 folder. I have configured the AV to try repair, then move to chest, then ask. Avast seems to be unable to move it to the chest and has asked me what to do with the 1st screenshot. I selected move to chest, but the message reappears again and again when I press OK. Then I selected block and the second screenshot appears. After that, Avast again showed me the message, but this time it wasn't the mbam.exe process, but explorer.exe. I captured both messages and searched in the port tracking section of Privatefirewall for suspicious processes, but I didn't find anything. Then my computer restarted without any action on my part. I logged in and my CPU usage was close to 100; my PC became a turtle. I checked in the task manager and there were 10 or more open chrome.exe processes and the user was "anonymous user". I closed them all. :o

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Suspicious file detected- rdpclip.exe
« Reply #1 on: July 31, 2013, 06:42:30 PM »
Hello,

please follow this guide here: http://forum.avast.com/index.php?topic=53253.0

After that attach all logs, DON'T COPY AND PASTE THEM. After that the malware removers will be notified by a moderator.

But please be patient, it can take some time till they arrive.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Suspicious file detected- rdpclip.exe
« Reply #2 on: July 31, 2013, 07:34:39 PM »
As the triggering programme is MBAM, was it running a scan at the time?

Offline A. User

  • Sr. Member
  • ****
  • Posts: 388
Re: Suspicious file detected- rdpclip.exe
« Reply #3 on: July 31, 2013, 09:19:07 PM »
I don't know, Malwarebytes runs a flash scan after every update, but even if there was a scan running the first time Avast detected it, the second time the process was explorer.exe and not mbam.exe. I have submitted the file to Avast, but I flagged it as possible malware. I think it is a false positive because the file has a copyright from Microsoft Corporation and it has all of the details like the other system files. It is not signed by Microsoft, but not all of the other files are signed either. I will attach the OTL log in my next reply. ::)

PS: Scanned with Avast and Malwarebytes Free. VirusTotal: https://www.virustotal.com/bg/file/63fb201040002775e6ef6f836a8f0f4d94324fc299c0f9bc1f17a97c6bb24552/analysis/1375298584/ Someone scanned the file today before me; maybe it is not only my false positive. ???
« Last Edit: July 31, 2013, 09:27:28 PM by liubomirwm »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Suspicious file detected- rdpclip.exe
« Reply #4 on: July 31, 2013, 10:53:34 PM »
I would suspect an FP

Quote
rdpclip.exe is the executable for File Copy. It provides a function for the Terminal Services server that allows you to copy and paste between server and client. This program is important for the stable and secure running of your computer and should not be terminated.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Suspicious file detected- rdpclip.exe
« Reply #5 on: July 31, 2013, 11:01:28 PM »
You can contact Avast over this site and explain the situation to them:

http://www.avast.com/de-de/contact-form.php


Offline A. User

  • Sr. Member
  • ****
  • Posts: 388
Re: Suspicious file detected- rdpclip.exe
« Reply #6 on: August 01, 2013, 11:34:15 AM »
@Essexboy- why was that restart? :o

@Steven Winderlich- Thank you for the link, but if you see it closely it is in German ;D ;D

PS: I have submitted the file again, but this time I marked it as an FP ::)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Suspicious file detected- rdpclip.exe
« Reply #7 on: August 01, 2013, 03:29:39 PM »
I can check the system out if you wish. Were you installing Windows updates at the time?

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Suspicious file detected- rdpclip.exe
« Reply #8 on: August 01, 2013, 03:47:38 PM »
Sorry liubomirwm,

I hadn't thought about that. I'm from Germany and that's why the site is in German. ;D ;D

Offline A. User

  • Sr. Member
  • ****
  • Posts: 388
Re: Suspicious file detected- rdpclip.exe
« Reply #9 on: August 01, 2013, 08:36:59 PM »
Quote
I can check the system out if you wish, were you installing windows updates at the time ?

OK, I will post an OTL log :) Yes, Windows installs all of the updates automatically.

Quote
Sorry liubomirwm,

I hadn't thought about that. I'm from Germany and that's why the site is in German. ;D ;D

No problem, if I need to see the page I will select English ;). I sent the file as an FP to the Avast lab from the interface.
« Last Edit: August 01, 2013, 08:41:25 PM by liubomirwm »

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Suspicious file detected- rdpclip.exe
« Reply #10 on: August 01, 2013, 08:38:03 PM »
Now you can just wait......... 8)

Offline A. User

  • Sr. Member
  • ****
  • Posts: 388
Re: Suspicious file detected- rdpclip.exe
« Reply #11 on: August 01, 2013, 09:30:28 PM »
Quote
I can check the system out if you wish

The logs are attached

Quote
Now you can just wait......... 8)

In fact, after the problem yesterday I haven't noticed anything, so I am sure it's a false positive, but that doesn't mean that I'm not infected; anyone may have a virus :)
« Last Edit: August 01, 2013, 09:42:57 PM by liubomirwm »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Suspicious file detected- rdpclip.exe
« Reply #12 on: August 01, 2013, 09:41:16 PM »
Quote
The logs are attached
attached where?


Offline A. User

  • Sr. Member
  • ****
  • Posts: 388
Re: Suspicious file detected- rdpclip.exe
« Reply #13 on: August 01, 2013, 09:43:51 PM »
Quote
The logs are attached
attached where?

In my previous post :o

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Suspicious file detected- rdpclip.exe
« Reply #14 on: August 01, 2013, 11:25:41 PM »
Just some orphaned adware is all I can see :)

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1000\..\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1000\..\URLSearchHook: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1000\..\URLSearchHook: {da30eff8-ccc6-4162-a20d-67402a26a215} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1000\..\SearchScopes,DefaultScope = {69ABAE4C-47BC-4EAD-A2B3-ED08ED617830}
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\URLSearchHook: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\URLSearchHook: {da30eff8-ccc6-4162-a20d-67402a26a215} - No CLSID value found
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\SearchScopes,bProtectorDefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\SearchScopes,BrowserMngrDefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=ct3135048&SearchSource=55"
[2012.09.17 15:48:47 | 000,000,000 | ---D | M] (incredibar.com) -- C:\Users\bojanka\AppData\Roaming\mozilla\Firefox\Profiles\xufoh5eo.default\extensions\ffxtlbr@incredibar.com
[2013.05.25 19:37:22 | 000,003,710 | ---- | M] () (No name found) -- C:\Users\bojanka\AppData\Roaming\mozilla\firefox\profiles\xufoh5eo.default\extensions\fhdp@fhdp.tv.xpi
[2012.09.17 17:01:35 | 000,002,223 | ---- | M] () -- C:\Users\bojanka\AppData\Roaming\mozilla\firefox\profiles\xufoh5eo.default\searchplugins\BabylonMngr.xml
[2012.11.03 14:44:51 | 000,002,536 | ---- | M] () -- C:\Users\bojanka\AppData\Roaming\mozilla\firefox\profiles\xufoh5eo.default\searchplugins\browsemngr.xml
[2013.07.19 00:01:27 | 000,000,934 | ---- | M] () -- C:\Users\bojanka\AppData\Roaming\mozilla\firefox\profiles\xufoh5eo.default\searchplugins\conduit.xml
O2 - BHO: (no name) - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\Toolbar\WebBrowser: (no name) - {DA30EFF8-CCC6-4162-A20D-67402A26A215} - No CLSID value found.
O3 - HKU\S-1-5-21-3413393324-4158200969-766036720-1001\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
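The OTL fix above removes URLSearchHook, toolbar and BHO registrations whose GUID OTL could not resolve to a CLSID. The following read-only PowerShell check is an added example and is not part of the thread or of OTL: it enumerates the same kinds of registrations for the current user and the machine and lists those whose CLSID is registered nowhere, the condition OTL reports as "No CLSID value found". It assumes the standard Internet Explorer registry layout and only inspects the currently logged-on user's hive.

```powershell
# Added example (not from the thread or from OTL): report Internet Explorer
# URLSearchHook, toolbar and BHO registrations whose CLSID is registered nowhere,
# i.e. the "No CLSID value found" orphans seen in the OTL log. Read-only; deletes nothing.

function Test-ClsidRegistered([string]$Clsid) {
    # A COM class may be registered per-machine, in the 32-bit (WOW64) view, or per-user.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
             'HKCU:\Software\Classes\CLSID'
    foreach ($root in $roots) {
        if (Test-Path -LiteralPath (Join-Path $root $Clsid)) { return $true }
    }
    return $false
}

function Get-ClsidValueNames([string]$Key, [string]$Type) {
    # URLSearchHooks and Toolbar\WebBrowser store one value per entry; the value name is the CLSID.
    if (-not (Test-Path -LiteralPath $Key)) { return }
    (Get-Item -LiteralPath $Key).GetValueNames() |
        Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { [pscustomobject]@{ Type = $Type; Clsid = $_ } }
}

function Get-OrphanedIeHooks {
    # Browser Helper Objects are per-machine, one subkey per CLSID (64-bit and WOW64 views).
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

    # The array subexpression collects whatever each statement outputs, so an absent key adds nothing.
    $entries = @(
        Get-ClsidValueNames 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks' 'URLSearchHook'
        Get-ClsidValueNames 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser' 'Toolbar'
        foreach ($bhoKey in $bhoKeys) {
            if (Test-Path -LiteralPath $bhoKey) {
                Get-ChildItem -LiteralPath $bhoKey |
                    ForEach-Object { [pscustomobject]@{ Type = 'BHO'; Clsid = $_.PSChildName } }
            }
        }
    )

    # Keep only entries whose CLSID resolves to no registered class: leftovers of
    # uninstalled toolbars or adware, which is what the OTL fix removed.
    $entries | Where-Object { -not (Test-ClsidRegistered $_.Clsid) }
}

Get-OrphanedIeHooks | Format-Table -AutoSize
```

An empty table means every hook, toolbar and BHO entry still points at a registered class; anything listed is worth comparing against the OTL log before deciding on removal.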