4/17/2023

Toshiba mysafe software

Sorry for the offtopic, this post has nothing to do with startups, web-development or entrepreneurship, but I felt I should still write this.

I've just discovered a built-in rootkit in my wife's brand new Toshiba laptop. A non-removable malicious software application right from the manufacturer. That even captured and sent out screenshots of my wife's work. But first things first.

First, let me apologize for the tone of this post and kinda incoherent writing. Please try to imagine where I am right now and please accept my apologies - I just finished dealing with this issue, like, 10 minutes ago. And, to be honest, I'm angry as a bear.

It all started with some corrupted files & folders on my wife's laptop. No problem - I launched the "CHKDSK" utility and scheduled a disk scan on restart. No big deal, right?

Except - there was no disk scan when I rebooted. I tried everything: rebooting to safe-mode, marking the disk as a "dirty" one with the "CHKNTFS" tool, booting with recovery disk - nothing helped. I just couldn't launch checkdisk or schedule it for the next startup.

So, I figured that the checkdisk file itself might be corrupted, so I ran the "SFC /scannow" command that, supposedly, should restore it. The command went up to 47% and aborted with the error message "Windows Resource Protection could not perform the requested operation".

Maybe there's a virus preventing this? So I opened the Process Explorer tool (God bless SysInternals) and found a suspicious process called "rpcnetp.exe". Why hello there! The process has no "Description" and "Company Name" fields, it loads "rpcnetp.dll" via AUTOCHK.EXE. A-ha! The tool that is supposed to launch startup disk scan! This can't be a coincidence.

I opened Autoruns (God bless SysInternals #2) trying to find some registry key or something that launched this "rpcnetp" process. I decided to kill the process, delete those files from the "System32" folder and reboot the laptop.

Imagine my frustration when those processes were back there, up and running!

I spent hours trying to figure out where this monster launches from. I tried several antiviruses, manual registry search, SysInternals tools. And found some links (the second link is in Russian).

It turns out the files are loaded from BIOS:

It's a "security" software built into the BIOS of many laptops called CompuTrace. If your laptop is stolen, CompuTrace can notify a server where your laptop is.

CompuTrace is a rootkit: it will hijack the AUTOCHK.EXE process that normally runs during Windows boot, and instead run its own code. It is written by Absolute Software and provided to laptop manufacturers so they can include it in the BIOSes they supply for their laptops.

One issue this rootkit may cause: chkdsk will not run during boot like it is supposed to.

I'll summarize what I've found out so far:

When the system starts, it searches for "autochk.exe" in your system folder, supporting both FAT and NTFS drives. Then it hijacks "autochk.exe" substituting its own code instead, which unpacks and starts the "rpcnetp" process. It also verifies the registry key "BootExecute"= autocheck autochk.

This crap is white-listed by most known antivirus packages, that's why it was not found by my antivirus.

This crap has even created screenshots of my wife's activity and placed the JPG files into the %WinDir% folder, it gathered system reports about the laptop, our external IP-address etc.

If you find this process ("rpcnetp.exe") in the processes list, follow these steps:

Delete the files rpcnetp.exe, rpcnetp.dll from your system.

Note that this crap will come back after reinstalling Windows.

Note that you can forget about the checkdisk tool forever.

Now, this rootkit does no harm. What's the big deal?

I don't like that someone collects my personal info without my permission.

I don't want my computer running programs I never approved.
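A read-only triage script for the artifacts this post names (the rpcnetp files in System32, the running process, the BootExecute value, and JPG files under %WinDir%), added here as an example and not taken from the post or from Absolute Software. The function name `Get-RpcnetpTriage`, the Session Manager registry path and the stock BootExecute data `autocheck autochk *` are assumptions of this example.

```powershell
# Added example (not from the post): read-only triage for the artifacts it names.
# Assumption: the stock BootExecute data is the single string 'autocheck autochk *'.
$ExpectedBootExecute = 'autocheck autochk *'

function Get-RpcnetpTriage {
    [CmdletBinding()]
    param([string]$WinDir = $env:WinDir)

    $sys32 = Join-Path $WinDir 'System32'

    # 1. Agent files the post found in System32, with hash and creation time.
    foreach ($name in 'rpcnetp.exe', 'rpcnetp.dll') {
        $path = Join-Path $sys32 $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{ Check = 'AgentFile'; Target = $path
                Detail = "SHA256=$hash CreatedUtc=$($item.CreationTimeUtc.ToString('s'))" }
        }
    }

    # 2. The running process seen in Process Explorer.
    foreach ($p in @(Get-Process -Name 'rpcnetp' -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Check = 'Process'; Target = "PID $($p.Id)"; Detail = $p.Path }
    }

    # 3. BootExecute: report any data other than the expected default.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $boot = @((Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).BootExecute)
    if (($boot -join ' | ') -ne $ExpectedBootExecute) {
        [pscustomobject]@{ Check = 'BootExecute'; Target = $key; Detail = ($boot -join ' | ') }
    }

    # 4. autochk.exe hash, for comparison with a copy from trusted install media.
    $autochk = Join-Path $sys32 'autochk.exe'
    if (Test-Path -LiteralPath $autochk) {
        [pscustomobject]@{ Check = 'AutochkHash'; Target = $autochk
            Detail = (Get-FileHash -LiteralPath $autochk -Algorithm SHA256).Hash }
    }

    # 5. JPG files directly under %WinDir%, where the post found screenshots.
    foreach ($f in @(Get-ChildItem -LiteralPath $WinDir -Filter '*.jpg' -File -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Check = 'WinDirJpg'; Target = $f.FullName
            Detail = "LastWriteUtc=$($f.LastWriteTimeUtc.ToString('s'))" }
    }
}

Get-RpcnetpTriage | Format-Table -AutoSize -Wrap
```

Run it from an elevated 64-bit PowerShell session, since a 32-bit session on 64-bit Windows is redirected away from the real System32 folder and the process path may be unreadable without elevation.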