Memory scan

[gtaillandier]

I've launched ashquick *MEMORY and I've got 3 alerts.

Virus name Win32:RPCexploit[Trj]
File name Process 676, memory block 0x00080000 block size 266240
VPS version 0311-2, 02.12.2003

Same virus name
Process 728, block 0x01960000    block size 1048576

and the last one

Same virus name
Process 728, block 0x01A60000  block size 1048576.


I've shut down down my computer, and at startup no more virus ( no action has been done at alert pop ups ).

Can I have precisions on this virus ( not too technical, because I'm French, and my english is not very good ).


When  using Pview, the programs are :

1) c:\windows\system32\svchost.exe ( process 676 )

2) c:\program files\sygate\SPF\smc.exe ( process 728 )

What kind of virus is it ?

[igor]

Did you run a hard-disk scan? Was there any virus reported?

[gtaillandier]

I've run avast! anti virus several times : result no virus detected.
But there's a lot of files not scanned due to error ( but no information about theses errors ).

When the program starts with Windows, no message.

Can you tell me where the problems come from ?

( sorry, but I'm French )

Sincerely.

[igor]

Well, it's hard to say... it can be a false alarm in the memory scan, but I'm not completely sure about it.
It wouldn't be any serious trouble anyway... but did you install the Microsoft RPC patch (released shortly after the Blaster worm spread)?

It's absolutely normal that some files cannot be accessed when the OS is running - they are in use and locked (e.g. the swap file). If you need some more info, you can post the names of the files that were not scanned.

[gtaillandier]

I don't remember to have installed this patch : Windows XP is configured to launch Windows Update automatically.

If you can tell me how I can find whether the patch is installed, please let me know.

Sincerely.

[.: Mac :.]

if you run automatic update then it is probaly installed. But I set mine to install the updates as soon as they are downloaded without prompting me