RPC

NEW HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!

Page

If you're not finding what you're looking for please go to this forum and submit a new startup entry.

Key:

"Y" - Normally leave to run at start-up
"N" - Not required - typically infrequently used tasks that can be started manually if necessary
"U" - User's choice - depends whether a user deems it necessary
"X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
"?" - Unknown

	Startup Name	Process Name	Details
X	asdx	xwinrpc32.exe	"Added by the AGOBOT.VO WORM!"
X	Generic Host Process for Win32 Service	rpchost.exe	"Added by the IRCBOT.DCN WORM!"
N	GrpConv	grpconv.exe	"Microsoft Windows Program Group Converter - used by installers (ONLY in the RunOnce keys) - provides the translation of groups and group items to folders and links. Also see this MS Knowledge Base article"
Y	InoRPC	InoRpc.exe	"Associated with eTrust Antivirus/InoculateIT"
X	Microsft Remote Procedure Daemon	msrpcd.exe	"Added by a variant of the IRCBOT BACKDOOR!"
X	Microsoft Visual Studio VSA	varpc32.exe	"Added by a variant of the SPYBOT WORM!"
X	Microsoft Windows Secure Server	rpcxWindows.exe	"Added by the RBOT-LL WORM!"
X	Microsoft Windows Secure Update	rpcxwinupdt.exe	Added by an unidentified WORM or TROJAN!
X	MS Remote Procedure Call	msrpc32.exe	"Added by the RBOT-QL WORM!"
X	MSN RPC Manager	msnrpcmgr.exe	"Added by an unidentified WORM or TROJAN! See here"
X	MSVsmt	rpcxctx.exe	Added by an unidentified WORM or TROJAN!
X	myCleanerPC	myCleanerPC.exe	"MyCleanerPC rogue spyware remover - not recommended"
U	NaverPCGreen	NPCGreenUpgrader.exe	"Related to Naver_Anti-virus Realtime Monitor From NHNCorp"
U	PRPCMonitor	PRPCUI.exe	"Intel® SpeedStep™ interface. This automatically detects whether a mobile PC is using battery or AC power. When using battery power
U	Rapid Restore	rrpcsb.exe	"XPoint ""Rapid Restore PC"" - ""a Managed Recovery solution that enables IT Administrators to protect the corporate image
X	Remote Procedure Call	winrpc.exe	"Added by the RBOT-KM WORM!"
X	Remote Procedure Call	winsysrpc.exe	"Added by the SDBOT-PS WORM!"
X	Remote Procedure Call For Windows 32bit	rpc.exe	"Added by the RBOT-MD WORM!"
X	Remote Procedure Calls	mswinrpc.exe	"Added by the RBOT.KJ WORM!"
?	roketpipe	rpclient.exe	"??"
X	RPC	MSschost.exe	"Added by a variant of the AGOBOT/GAOBOT WORM!"
X	RPC DCOM Vulnerability Patch	msgfix.exe	"Added by the RBOT.S WORM!"
X	RPC Drivers	rpcall.exe	"Added by the SDBOT.FLY WORM!"
X	RPC Patcher	[path to worm]	"Added by the BOLGI WORM!"
X	RPC Service	[random filename]	"Added by the BDOOR-AAD BACKDOOR!"
X	rpc Win32	shost32.exe	"Added by the RBOT-ABL WORM!"
X	rpc Win32	spoolscv.exe	"Added by a variant of the RBOT WORM!"
X	RPCall_WIN2K	Kurawas.exe	"Added by the BHARAT.A WORM!"
X	RPCall_[ComputerName]	smhost.exe	"Added by the REDPLUT-B TROJAN!"
X	rpcc	rpcc.exe	"Added by the SPAMMIT-E TROJAN!"
X	rpcda Win32	rpcda.exe	"Added by the RBOT-AEE WORM!"
X	RPCInstall	[path to trojan]	"Added by the AGENT-DQM TROJAN!"
X	RpcLocator	explorer.exe	"Added by the RBOT-GSA WORM! Note - the legitimate Windows Explorer (same filename) is located in %Windir% and would not normally appear in Msconfig/Startup unless you added it manually! This one is located in %System%"
X	RPCser32g	services.exe	"Added by the RITDOOR-C WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
X	RPCser32g1	services.exe	"Added by the PREX.D WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
X	RPCser32g3	services.exe	"Added by the PREXOT.D BACKDOOR! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
X	RPCser32g4	services.exe	"Added by the PREXOT.E BACKDOOR! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
X	RPCserr32g	winlogon.exe	"Added by the RITDOOR-B WORM! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
X	RPCserv32	services.exe	"Added by the MYDOOM.AL WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
X	RPCserv32g	services.exe	"Added by the BOBAX.AA WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
X	RPCserv32g	CSRSS.EXE	"Added by the BOBAX.AD WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
X	RPCserv32g	MSDEFR.EXE	"Added by the BOBAX.AD WORM!"
X	RPCserv32g	NB32EXT2.EXE	"Added by the BOBAX.AD WORM!"
X	RPCserv32g	WINLOGON.EXE	"Added by the BOBAX.AD WORM! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
Y	RPCSS.exe	rpcss.exe	"Remote Procedure Call. Required by windows for programs to communicate with each other on networks/different machines. Originally for NT only but now installed with Win98/98se. Under Win98/98se
X	RpcxWindows Extensions	rpcxwinex.exe	"Added by the RBOT.ACP WORM!"
X	Social Security Agency	rpcxsocsa.exe	"Added by a variant of the RBOT WORM!"
X	Srv RPCrom	NClienti386.exe	"Added by the WATSOON.A TROJAN!"
X	SuspenzorPC	GDC.exe	"SuspenzorPC Czech rogue privacy tool - not recommended. A member of the PCPrivacyTool family"
X	Sysmon	rpcmon.exe	"Added by the RANDEX.ATX WORM!"
X	System Setup	rpcxcmod.exe	Added by an unidentified WORM or TROJAN!
X	updatexwin	winxrpc.exe	"Added by the AGOBOT-KJ WORM!"
X	uprpcw	uprpcw.exe	"PrivacyProtector rogue privacy tool - not recommended
X	UserInit StartUp	rpcxuisu.exe	"Added by a variant of the SDBOT WORM!"
X	win	xwinxrpc32.exe	"Added by the AGOBOT-MV WORM!"
X	win	xwinxrpc.exe	"Added by the AGOBOT-MV WORM!"
X	WindowsHive	rpcc.exe	"Added by the DLENA-A TROJAN!"
X	windowsupdate	RPC[RANDOM CHARACTERS].exe	"Added by the IRCBOT.B TROJAN!"
X	WinRPC	winrpcmx.exe	"Added by the BANKER-EEI TROJAN!"
X	WSAConfiguration	rpcxmn32.exe	"Added by the AGOBOT.ABG WORM!"

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.