I’ve been testing IDrive as an online backup option. Yesterday a chat support rep needed to look at my system, and at his request I downloaded and installed “RemoteSupportHost_317082.exe”, apparently provided by remotepc.net. I was not particularly surprised to find that this started a UNC server. I was a little surprised to find that it allowed the rep to control BOTH of my screens, and that I did not have to grant permission for control (as opposed to viewing). But now I see that it installed an “RPCHD service” and did not remove it upon completion.
I noticed this from event log monitoring today. I see the following events in the System event log:
Log Name: System
Source: Service Control Manager
Date: 3/4/2013 1:32:43 PM
Event ID: 7045
Level: Information
Description:
A service was installed in the system.
Service Name: RPCHD
Service File Name: Ú\Dummy.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem

Log Name: System
Source: Service Control Manager
Date: 3/4/2013 1:32:43 PM
Event ID: 7030
Description:
The RPCHD service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Log Name: System
Source: Service Control Manager
Date: 3/4/2013 1:32:43 PM
Event ID: 7040
Description:
The start type of the RPCHD service was changed from demand start to auto start.

Log Name: System
Source: Service Control Manager
Date: 3/4/2013 1:32:43 PM
Event ID: 7000
Description:
The RPCHD service failed to start due to the following error:
The system cannot find the file specified.
Note that this system does not have a U: drive, much less a Ú drive. I do wonder what the service would do if it was configured correctly. RPCHD might be Remote Procedure Call Hard Drive, perhaps a remote disk access program.
I did a full system scan with Malwarebytes and no infection was found. I don’t think this is malicious. However, I don’t want it on my system. I’m going to do a System Restore to before the support call, which should remove the service.
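One way to automate the event log check that caught this, using the Service Control Manager records above as constructed sample input (an added example, not the author's monitoring setup; the plain-text export layout and the path heuristic are assumptions):

```python
import re

# Constructed sample: the Service Control Manager records quoted in the post,
# reduced to the fields the check uses, as a plain-text export.
SAMPLE_LOG = """\
Event ID: 7045
Description: A service was installed in the system.
Service Name: RPCHD
Service File Name: Ú\\Dummy.exe
Service Account: LocalSystem
Event ID: 7040
Description: The start type of the RPCHD service was changed from demand start to auto start.
Event ID: 7000
Description: The RPCHD service failed to start due to the following error:
The system cannot find the file specified.
"""

# Heuristic (assumption): a service binary should sit on a drive letter, a UNC share or an %ENV% path.
VALID_PATH = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%\w+%\\)')

def split_records(text):
    # Each record in the export starts with an 'Event ID:' line.
    return [r for r in re.split(r"(?m)^(?=Event ID:)", text) if r.strip()]

def field(record, name):
    m = re.search(rf"(?m)^{re.escape(name)}:\s*(.*)$", record)
    return m.group(1).strip() if m else None

def review_service_installs(text):
    """Map each service installed (7045) to reasons it deserves a look,
    then correlate later 7040/7000 records that name the same service."""
    records = split_records(text)
    findings = {}
    for r in records:
        if field(r, "Event ID") != "7045":
            continue
        name, path = field(r, "Service Name"), field(r, "Service File Name") or ""
        reasons = []
        if not VALID_PATH.match(path):
            reasons.append(f"binary path {path!r} is not a drive, UNC or %ENV% path")
        if field(r, "Service Account") == "LocalSystem":
            reasons.append("runs as LocalSystem")
        findings[name] = reasons
    for r in records:
        eid = field(r, "Event ID")
        for name, reasons in findings.items():
            if eid == "7040" and f"the {name} service was changed" in r:
                reasons.append("start type changed after install")
            elif eid == "7000" and f"The {name} service failed to start" in r:
                reasons.append("failed to start: " + r.strip().splitlines()[-1])
    return findings
```

Running `review_service_installs(SAMPLE_LOG)` reports RPCHD with all four reasons; a service whose 7045 record shows a normal drive path and a non-LocalSystem account comes back with an empty reason list.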