rs32net.exe removal guide
Malware - Harmful EXE

rs32net.exe is a filename that is found in several virus sample analysis reports. I have no idea if the same filename is also part of some legitimate application. Make sure to find that out before deleting it from your computer. At least it is not a part of Microsoft Windows. One of the two locations where it is found is the system folder. By default the system folder is C:\Windows\System32 in XP and higher versions of Windows. The other location where it was seen is the temp folder. If you run a temp files cleaner like CCleaner, which is excellent freeware, that would eliminate half the threat. As this file is also made to run each time the computer starts, you should be able to see it running in the Task Manager. End the process if you find it there.

Now let us see what this virus does on an infected computer. The analysis reports suggest that it is a Trojan horse, which collects email addresses from your computer and then sends them to the hacker's computer. The hacker then sends spam to these addresses, and the messages probably appear to have been sent from your email address.
Another thing this virus does is contact several IP addresses/sites and download more harmful files, further infecting your computer.
So, if you find the process rs32net.exe in the Task Manager, use the Windows search utility to search your hard disk for this file. If you find it in the System32 folder or the Temp folder, you can be sure it belongs to a virus. If you find it anywhere else, it could still be a virus. Delete it if you do not know which program it belongs to.
I have written each step that you can follow in order to remove it effectively from your computer.

Aliases: You can see a list of the aliases on this link 

 Turn System Restore off: The malicious files are also saved in the System Restore backup. You need to turn System Restore off in order to remove them. You can turn it on again after cleaning the computer.

 Delete Files: These are the locations where rs32net.exe was found on different infected computers:

%System%\rs32net.exe
%Temp%\virus\rs32net.exe


%System%  refers to the System folder. By default C:\Windows\System (in Windows 95/98/Me), C:\Winnt\System32 (in Windows NT/2000), or C:\Windows\System32 (in Windows XP and Vista).
%Temp% is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (in Windows NT/2000/XP/Vista)

 View Hidden Files: Before you can delete rs32net.exe and its associated files you need to search for them, and before doing that you need to enable the viewing of hidden files and folders.
 Boot in safe mode: If you are not able to delete rs32net.exe, boot in safe mode and then try to delete it.
 End Process in the Task Manager: If you find rs32net.exe running in the Task Manager, you can select it and press the End Process button after making sure that it belongs to the virus and is not a legitimate process. That will help you to delete it from the hard disk later.
 Remove entry from Windows Startup: Look in the Windows startup list by opening the System Configuration Utility, and remove the entry for rs32net.exe.
 Run CCleaner: Even if you manage to find rs32net.exe, there will still be associated entries in the Windows registry. Running a free temp files/registry cleaner called CCleaner will help you to automatically clean the virus entries from the registry as well as the temp folder.

 Block the sites/ports: Keep yourself protected with a firewall. You can check the firewall logs to see if there is any suspicious communication to and from your computer which you are not aware of. This virus contacts a random selection of sites on port 80. Here are some of the IP addresses that are detected.

 Delete the registry keys manually: If you are brave enough to do so, you can edit the registry by using the built-in Windows registry editor.

This is the registry key added by the virus on an infected computer. You can delete it manually, or if you manage to delete rs32net.exe first, then run the registry menu of CCleaner, which will automatically remove the registry keys.

    * [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          o rs32net = "%System%\rs32net.exe"

      (so that rs32net.exe runs every time Windows starts)
    * [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
          o rs32net = "%System%\rs32net.exe"

      (this makes the file rs32net.exe run every time the computer starts)
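
The checks from the steps above (file locations, startup registry entries, running process) can be made in one read-only pass. The PowerShell script below is an added example, not part of the original guide; it assumes Windows PowerShell is installed, and the SysWOW64 folder and Wow6432Node key are added as assumptions to cover 64-bit Windows.

```powershell
# Added example: read-only check for the rs32net.exe indicators listed in this guide.
# Assumes Windows PowerShell is available. Nothing is deleted or modified.
$name = 'rs32net.exe'

# File locations from the guide: %System%\rs32net.exe and %Temp%\virus\rs32net.exe.
# SysWOW64 is an added assumption: on 64-bit Windows, 32-bit programs are
# redirected there when they write to the system folder.
$paths = @(
    (Join-Path $env:SystemRoot "System32\$name"),
    (Join-Path $env:SystemRoot "SysWOW64\$name"),
    (Join-Path $env:TEMP "virus\$name")
)

# Run keys from the guide. Wow6432Node (added assumption) is the 32-bit view
# of HKLM\SOFTWARE on 64-bit Windows.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($p in $paths) {
    # -Force makes Get-Item return hidden and system files as well
    $file = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($file) {
        $findings += "FILE     $($file.FullName)  ($($file.Length) bytes, written $($file.LastWriteTime))"
    }
}

foreach ($k in $runKeys) {
    $key = Get-Item -LiteralPath $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        # Match the value name from the guide, or any entry that launches the file
        if ($valueName -eq 'rs32net' -or $data -like "*$name*") {
            $findings += "RUN KEY  $k  ->  $valueName = $data"
        }
    }
}

# Get-Process matches on the process name without the .exe extension
Get-Process -Name 'rs32net' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "PROCESS  PID $($_.Id)  $($_.Path)"
}

if ($findings.Count -eq 0) { 'No rs32net.exe indicators found.' } else { $findings }
```

Run it from an elevated prompt so the process path can be read, and once per user account, since HKEY_CURRENT_USER and %Temp% are per-user.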

 All the Best

Reference with permission from ThreatExpert
