Hello Can someone help please? Spyware / Adaware problems!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by FinbarLlama, Feb 19, 2006.

  1. FinbarLlama

    FinbarLlama Private E-2

    Hello, I know that I have some spyware / malware 'issues', as my computer is very slow and behaving oddly. I have tried to follow your instructions in the 'sticky' (thank you!) but have come across a few problems.

    Firstly, when I install Zone Alarm, it is impossible for me to get on the internet to look up help!

    When I try to install Adaware and load up the new definitions, my system crashes onto a blue screen with a lot of complicated writing.

    Thirdly, I have used Ewido and it found about 400 cases of rcpnet / rcpnetp. Yet it finds them every time I put my computer on! I think that it may be replicating itself again and again.

    Now my computer is not only bogged down with spyware but also anti-spyware programmes too!

    Can someone lovely help? Please?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    ZoneAlarm is not part of the READ & RUN ME sticky thread for cleaning your PC but it is part of the How to Protect thread. It will not block your internet access unless you told it to do so. You need to allow various applications like Internet Explorer (iexplore.exe) to have access to the internet. You probably blocked it.

    You need to follow all the directions in the READ & RUN ME sticky and attach the requested logs from steps 6 & 7. DO NOT attach a HijackThis log without doing what is requested in steps 0 thru 6, including attaching the logs from step 6. If you cannot run Ad-Aware, skip it, but are you running it in safe mode as required? You could also try it in normal boot mode, which is better than no scan at all.

    Also it would be useful if you attached your Ewido log.
     
  3. FinbarLlama

    FinbarLlama Private E-2

    Okay, I am on the case - thank you for replying!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Just attach the requested logs when you finish. This should be four logs:

    - your log from Ewido
    - BitDefender log per step 6
    - PandaActiveScan log per step 6
    - HijackThis log per step 7
     
  5. FinbarLlama

    FinbarLlama Private E-2

    Okay, went through the steps. I encountered a few problems. Windows defender could not update. Panda did not work either!

    Rcpnet / rcpnetp still rife and recreating themselves after boot up.


    Inline logs attached!

    There is a lot of rubbish there I would love to get rid of. Thank you again for your help.
     


    Last edited by a moderator: Feb 22, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot your Bitdefender log!

    Also you did not read step 3 of the READ ME close enough. You have both McAfee and Sophos Antivirus installed. You must uninstall one of them.

    Also you must install HijackThis as instructed in step 7 of the READ ME.

    After you do the above and attach a new HJT log along with your BitDefender log we can continue.

    Make sure you attach the logs! Please do not post them inline like you previously did.

    When you said "lot of rubbish there I would love to get rid of." What specifically is it that you want to get rid of (besides the malware)?
     
  7. FinbarLlama

    FinbarLlama Private E-2

    Hello again, thank you again for all of your help.

    I have run Bittorrent and Panda and attach the reports (hopefully!) They found a few things, though they were not able to remove them.

    Sophos and McAfee are not running at all.

    Thank you very much.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I thought you said Panda would not work! What's different this time that it worked?

    You still need to complete the rest of what I requested in message #6.

    And that is:
    1) Uninstall one of the antivirus applications.
    2) Get HijackThis installed properly and attach a new log.


    Also IMPORTANT question: Does this PC have TheftGuard installed on it? See this: http://www.geek.com/news/geeknews/2003May/gee20030528020151.htm
     
    Last edited: Feb 27, 2006
  9. FinbarLlama

    FinbarLlama Private E-2

    Hello again!

    I have no idea why Panda worked - but it did!

    I do not think that I have TheftGuard at all.

    I have got rid of McAfee - it was irritating anyway!

    I should have attached my HiJack This! Log.

    There does seem to be a lot of things running that need not. For example - Napster, I cannot seem to uninstall it, and AOL stuff - it will not budge! I am happy to get rid of anything that is taking up things.

    Thank you very much - you are very kind.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hahahaha! Cute! :) But spelled wrong.:D

    Are you saying that you do not need Napster or AOL and you cannot uninstall them using Add/Remove programs? Also I did not see them in your HJT log. Are they actually on your PC? But there is a remnant service from AOL left over we can remove. I'll post instructions in my next message.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to AOL Spyware Protection Service (or if not found, look for AOLService) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.
    Now repeat the above steps for:
    Remote Procedure Call (RPC) Net or if not found, look for Rpcnet

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    AOLService

    Now repeat the above HijackThis steps for: Rpcnet

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\SYSTEM32\Rpcnet.exe <-- this may not show anymore since doing the above. Just continue!

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\200622821118_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\200622821131_mcappins.exe /v=3 /cleanup
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,90/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\MATTHE~1\Local Settings\Temp <--- delete everything it allows in this folder
    C:\Program Files\McAfee <--- delete the whole folder
    C:\WINDOWS\SYSTEM32\Rpcnet.exe
    C:\WINDOWS\SYSTEM32\Rpcnet.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
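    Two of the O4 entries chaslang lists above ([msci] and [Cleanup]) launch executables from the user's Temp folder, which is the classic shape of a dodgy autorun. The script below is an added example and is not part of the thread or of HijackThis; it walks the Run/RunOnce keys that HJT reports as O4 lines and flags any command whose executable sits under a Temp directory or no longer exists on disk. It assumes Windows PowerShell 5.1 or later (the 2006 XP machine in this thread would not have had it) and the key names and helper function are its own; it only reports, it removes nothing.

```powershell
# Added example (not from the thread): audit the Run/RunOnce keys that
# HijackThis reports as O4 entries and flag commands whose executable
# lives under a Temp directory or is missing from disk.
# Read-only: nothing is deleted. Assumes Windows PowerShell 5.1 or later.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a Run value. Handles the two shapes seen in
# the thread: a quoted path followed by switches ("...\CMGrdian.exe" /SU) and an
# unquoted 8.3 path followed by switches (C:\DOCUME~1\...\x.exe /v=3 /cleanup).
function Get-RunCommandPath {
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $exe = Get-RunCommandPath $cmd
        $exists = $false
        if (-not [string]::IsNullOrWhiteSpace($exe)) {
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
        }
        # Both the short (DOCUME~1\...\LOCALS~1\Temp) and long forms of the
        # paths in the thread contain "\Temp\", so a substring match suffices.
        $inTemp = $exe -match '\\Temp\\'
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $cmd
            Exe     = $exe
            Exists  = $exists
            Verdict = if ($inTemp -or -not $exists) { 'REVIEW' } else { '' }
        }
    }
}
```

    Run it as the user whose profile is affected, since the HKCU keys belong to that account. A REVIEW line is a prompt to look, not proof of malware: legitimate installers do sometimes leave a RunOnce entry in Temp, but an entry that survives reboots there is exactly what chaslang is having the poster remove.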
     
  12. FinbarLlama

    FinbarLlama Private E-2

    Thank you very much for the detailed instructions. I followed them, hopefully, letter by letter.

    It was going really well... until I loaded the computer back up normally. Then ewido found and 'cleaned' rcpnet / rcpnetp again!

    I have posted the HiJack This log. I wonder if Rcpnet does not appear because of ewido?

    Thank you once again. Sorry to be a pain.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    RPCNet is no longer in your HJT log. Perhaps you just forgot to empty your Recycle Bin and Prefetch folder as instructed and that is what Ewido found.

    Attach the Ewido log if it occurs again.

    Did you actually find and delete the files I gave? These two:
    C:\WINDOWS\SYSTEM32\Rpcnet.exe
    C:\WINDOWS\SYSTEM32\Rpcnet.dll
     
  14. FinbarLlama

    FinbarLlama Private E-2

    Yes, they are deleted. When I logged on today, it did not find them so I guess they are gone for good - thank you very much!

    When I typed in 'services.msc' in the Run command, there were a few 'Remote Call Procedure' names. I could only stop one, was that correct?

    I cannot thank you enough for your time and patience with me, you are very kind.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, no, no! You should never change anything that does not exactly match the instructions we give you. The one you mentioned above is a valid OS service, and if you actually permanently stopped it and deleted the file, your PC would be almost unusable. There are two valid services that mention Remote Procedure Call. They are as below with the settings indicated:

    Remote Procedure Call (RPC) - Status = Started, Startup type = Automatic

    Remote Procedure Call (RPC) Locator - Status = Stopped, Startup type = Manual

    Make sure that you see them and that they are set as indicated.
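    The point chaslang is making is that a display name alone does not identify a service: the fake one in this thread calls itself "Remote Procedure Call (RPC) Net", one word away from the genuine RpcSs. The script below is an added example, not part of the thread; it lists every service that looks like an RPC service and says which are the ones Windows ships, checking the short service name and where the binary lives rather than the display text. It assumes Windows PowerShell 5.1 or later on an elevated prompt; the allow list (RpcSs and RpcLocator from the thread, plus RpcEptMapper, which exists on Vista and later) and the -Disable switch are its own.

```powershell
# Added example (not from the thread): list every service whose short name or
# display name looks like an RPC service and report which ones Windows owns.
# Save as Audit-RpcServices.ps1. Read-only unless -Disable is given.
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt.
param([switch]$Disable)

# The two legitimate "Remote Procedure Call" services chaslang describes, plus
# RpcEptMapper (Vista and later). Anything else with this name is suspect.
$knownGood = @('RpcSs', 'RpcLocator', 'RpcEptMapper')
$system32  = Join-Path $env:SystemRoot 'System32'

$candidates = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -match 'Remote Procedure Call' -or $_.Name -match '^rpc' }

foreach ($svc in $candidates) {
    # PathName looks like  C:\Windows\system32\svchost.exe -k rpcss  or
    # "C:\Path With Spaces\foo.exe" /arg ; keep only the image path.
    $m = [regex]::Match($svc.PathName, '^"?(.+?\.exe)', 'IgnoreCase')
    $binary = if ($m.Success) { $m.Groups[1].Value } else { $svc.PathName }

    $trusted = $knownGood -contains $svc.Name
    $inSys32 = $binary -like "$system32\*"

    $verdict = 'REVIEW: not a Windows RPC service'
    if ($trusted) {
        # A known name whose binary is outside System32 is a name hijack, not the real service.
        $verdict = if ($inSys32) { 'expected' } else { 'REVIEW: known name, binary outside System32' }
    }

    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        StartMode   = $svc.StartMode
        Binary      = $binary
        Verdict     = $verdict
    }

    # Only ever touch services that are NOT on the allow list; disabling RpcSs
    # is the mistake chaslang warns about and leaves the machine nearly unusable.
    if ($Disable -and -not $trusted) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc.Name -StartupType Disabled
    }
}
```

    On a clean box the expected output is RpcSs (Running, Auto, svchost.exe under System32) and RpcLocator (Stopped, Manual, locator.exe under System32), matching the settings chaslang lists. The thread's Rpcnet entry would come out as REVIEW because its short name is not on the allow list, whatever its display name says.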
     
  16. FinbarLlama

    FinbarLlama Private E-2

    Thank you.

    I have not touched them! They are as you said. But guess who I found?

    Remote Procedure Call (RPC) Net status - Started ; Startup Type - Automatic ; Log On As - Local System

    The beast is back! I have done nothing! It is stalking me!
     
  17. FinbarLlama

    FinbarLlama Private E-2

    Also, it is appearing in 'Processes' when I do Alt+shift+Del
     
  18. FinbarLlama

    FinbarLlama Private E-2

    I am attaching a new HiJack this log.
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use the same procedure as given last time to stop and disable the service. Then reboot into safe mode and delete the file.
     
  20. FinbarLlama

    FinbarLlama Private E-2

    I did as I was told and I have uploaded a HiJack this log. Rcpnetp is still there! I deleted it about two minutes ago in safe mode!

    I am sorry.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The above makes no sense!

    First it is not in your HJT log, thus it should not be a problem.
    Also why are you saying it is still there if you deleted it two minutes ago. That is what I asked you to do to begin with.

    I'm not following what you are trying to tell me.

    Are you allowing this program to have internet access thru your firewall? You need to look in ZoneAlarm's list and make sure you are completely blocking it.
     
  22. FinbarLlama

    FinbarLlama Private E-2

    Hi - sorry I was wrong and confused! Rcpnet does not appear on the HiJack this log - but it did appear on the processes bit. It does not anymore. There is something called 'rcp.exe' in Windows/System32 though.

    Thank you so much for your help.

    By the way, should I be worried about 'Generic Host for Win32 Services'? Zone Alarm keeps asking me!

    You are a true computer genius. Thank you very much. Thank you for your time and patience.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    rcp.exe is a valid Windows file.

    And the 'Generic Host for Win32 Services' is svchost.exe which is also valid as long as it is running from the system32 folder. Just allow it access thru ZoneAlarm and have it always allowed.
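    The rule chaslang gives for svchost.exe (fine as long as it runs from the System32 folder) is easy to check for every instance at once rather than one ZoneAlarm prompt at a time. The script below is an added example, not part of the thread; it lists each running svchost.exe with its image path and parent process and flags any that is not the System32 binary. The parent check is an addition of mine (on a normal Windows system svchost instances are started by services.exe), and the script assumes Windows PowerShell 5.1 or later on an elevated prompt, since image paths of SYSTEM processes are not visible otherwise.

```powershell
# Added example (not from the thread): check every running svchost.exe against
# the one rule in the thread (image must be %SystemRoot%\System32\svchost.exe)
# plus a parent-process check. Assumes Windows PowerShell 5.1 or later, elevated.

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# One WMI query for all processes so parents can be looked up by PID.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$procs | Where-Object { $_.Name -ieq 'svchost.exe' } | ForEach-Object {
    $parent = $byPid[[int]$_.ParentProcessId]
    $path   = $_.ExecutablePath      # $null when not elevated for SYSTEM processes

    $pathOk   = $path -and ($path -ieq $expected)
    # Genuine svchost instances are launched by the Service Control Manager (services.exe);
    # anything else spawning a "svchost.exe" deserves a look even if the path is right.
    $parentOk = $parent -and ($parent.Name -ieq 'services.exe')

    $verdict = 'REVIEW'
    if (-not $path)               { $verdict = 'unknown: run elevated to see the image path' }
    elseif ($pathOk -and $parentOk) { $verdict = 'expected' }

    [pscustomobject]@{
        PID         = $_.ProcessId
        Path        = $path
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '(gone)' }
        CommandLine = $_.CommandLine
        Verdict     = $verdict
    }
} | Sort-Object Verdict -Descending | Format-Table -AutoSize -Wrap
```

    The CommandLine column shows the -k group each instance hosts, which is the first thing to compare when two svchost processes look alike. A file named svchost.exe anywhere other than System32, or one whose parent is not services.exe, is the case ZoneAlarm's "Generic Host" prompt cannot tell apart from the real thing.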
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  25. FinbarLlama

    FinbarLlama Private E-2

    Thank you again for your help. I will work my way to doing a system restore soon. I need to be sure that everything is all good. Zone Alarm told me as I loaded up that rcpnetp was trying to access my computer. It must still be somewhere! Also the problems I was having are still around. (I should have stated what this was before - I thought that it was rcpnet). I use wanadoo email and whenever I try to 'reply' or 'write' an email, the computer freezes for about a minute and the disc whirrs. Is this a trojan or something dodgy? It certainly did not used to do this. I am sorry to be a pain - tell me to look elsewhere for help if you are fed up!
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it was a message about an incoming attempt towards your PC, you should be okay since ZoneAlarm is blocking it. You don't see those processes or files on your PC again do you?

    Check with your ISP for your email problems. Since all of your logs were clean, I doubt it is malware. You may need to reinstall some software.
     
