cannot use panda online scan

I will try to help keep you moving along while SPD is not around.

First a couple questions!

• I see a couple items in your ShowNew log.
  • C:\WINDOWS\system32\rpcnetp.dll
  • C:\WINDOWS\system32\rpcnetp.exe

Bitdefender said it deleted these, so I'm surprised to still see them in the ShowNew log. Did you run ShowNew before or after Bitdefender (or at the same time)?



​

• Is your copy of Ewido a paid or free trial version?

Let's begin by getting a couple of items updated!

First install the current version of Sun Java from: Sun Java Runtime Environment

Then install the current version of FireFox from: Mozilla Firefox

Then uninstall the below old versions of software:
Java 2 Runtime Environment, SE v1.4.2

 

After completing what is in my last message (and answering the questions) continue here.


****NOTE *** It is very important that in the below instructions you only Stop, Disable, and delete the EXACT service name that I give to you. DO NOT TOUCH the below two valid services which have similar names to the bad one:

• Remote Procedure Call (RPC)
• Remote Procedure Call (RPC) Locator

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Remote Procedure Call (RPC) Net ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Rpcnet

If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


Start by downloading a tools we will need

- Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later.

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (if you don't find both of them or either of them, just continue).
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\asrupdate.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKCU\..\Run: [asrupdate.exe] C:\WINDOWS\system32\asrupdate.exe

After clicking Fix, exit HJT.
Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\asrupdate.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\rpcnetp.exe
C:\WINDOWS\system32\rpcnetp.dlli

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.


After reboot delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Owner\Local Settings\Temp

Now attach a new HJT log and tell me how the steps went.
Also attach a new log from ShowNew.
Make sure you tell me how things are working now!

 

Only the rpcnetp.dll file remains! I had a typo in my previous instructions that had an 'i' at the end of the rpcnetp.dll filename. This is probably why it did not delete. However you did not stop, disable and delete the Remote Procedure Call (RPC) Net service like I requested. So let's try this again and make sure to follow the steps exactly and tell me what happens! Especially if you have any problems.


****NOTE *** It is very important that in the below instructions you only Stop, Disable, and delete the EXACT service name that I give to you. DO NOT TOUCH the below two valid services which have similar names to the bad one:

• Remote Procedure Call (RPC)
• Remote Procedure Call (RPC) Locator

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Remote Procedure Call (RPC) Net ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Rpcnet

If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will reboot later with Killbox.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\rpcnetp.dll

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.


After reboot download the current version of ShowNew (it has been updated).

Then attach a new HJT log and a new log from ShowNew.

Make sure you tell me how things are working now!

 

They are returning because you are not getting the service I stopped and disabled and then deleted. You must follow those instructions exactly. The below O23 line in your HJT log will be gone when you do this correctly:

Add all the files to the list of things to fix with Killbox.

 

Are you following the directions for Stopping, Disabling and Deleting this service. Tell me step by step what happens when you follow those directions!

Yes they are problems!

Download Blacklight Beta

• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please post contents of the BlackLight log.

 

Is this a laptop and have you ever heard of a product called Lojack For Laptops and was it installed on this PC! Or perhaps the program was called CompuTrace. This is tracking software for stolen laptops.


While I have info reporting these files to be malware, it is possible they are for Lojack!

 

That's because I soft deleted it after posting it. I wanted to wait until I found out about Lojack first.

If it is not there immediately after reboot, can you figure out when exactly it comes back? Does it only come back after Internet Explorer is run?

Is this a private PC or was it purchased for a company/business?

 

Download the Registry Search Tool

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection in your antuvirus program, please allow this to run)

In the dialog that opens enter the following:

rpcnet

Press 'OK'

The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and attach it to this thread.

 

Please download and install Registrar Lite Make sure you select a Majorgeeks download link and not the Authors!

Run Registrar Lite navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCNET
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Rpcnet
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCNET
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCNETP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Rpcnet
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rpcnetp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCNET
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcnet

To take ownership of the key do the following:

• Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
• Click-on Security in the top Menu
• Select Take Ownership
• Repeat these steps for all of the registry keys given above before continue to the next steps below.
• Now leave RegistrarLite running and continue
• Now run the fixME.reg REGISTRY PATCH below in this message.
• Tell me the results. Any error messages?
• Now in RegistrarLite click View and then Refresh
• Now navigateone at a time to each of the above keys we took ownership of to make sure they were deleted.
• If any of the keys still exist, right click on it and select Delete. Let me know if you have to do this and if you get any error messages at this point.

Here is the Registry Patch

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Then reboot your PC!

Now repeat the search using RegSrch and attach a new log.

Also attach a new HJT log

 

Did you take ownership of them? Did you get any error messages while trying to take ownership of them? MAKE SURE nothings else is running when you do this (NO BROWSERS and even unplug your cable to the internet.) Even repeat in safe mode if necessary.

Did you notice that in your current HJT log, the below line was no longer there?
O23 - Service: rpcnetp - Unknown owner - C:\WINDOWS\System32\rpcnetp.exe (file missing)

 

Please try taking ownership at a higher level in the registry path. Take owner ship of these keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

Now using Registrar Lite, see if you can navigate to and manually delete the bad keys related to RPCNET (the ones in message number 24)

 

Do you receive any message from Registrar Lite when you try to take ownership? If so, give the exact message.

When you try to delete the keys using Registrar Lite, do you receive any messages? If so, give the exact message.

 

Try booting into safe mode and log into the account that is named Administrator. Then run Registrar Lite and take ownership (at the higher level) then don't use the registry patch, just right click on the rpcnet keys we are trying to remove and select Delete. Does that work?

 

Normally taking ownership is only required at the higher level and then all keys underneath should be owned. Also the same logic normally applies to deletion. Thus taking ownership of ControlSet002 should have give you ownership of everything under it and then when you attempt to delete the Rpcnet, LEGACY_RPCNET, LEGACY_RPCNETP, ... etc. then everything under them would normal be removed.

Some process hiding on your system must be respawing these. Are you sure that they only respawn during a reboot? Are you sure that if you did not reboot but just kept on running your PC as usual that they don't come back after a certain time frame or after a particular program is run.

I'm going to give you a procedure below that depends on them not just respawing at reboot but possibly at some other time.

Make sure you read thru all of the below so you know exactly what you need to do and can do it quickly.

Download and extract the below two tools to a folder named C:\SysInternals

Filemon v7.03 - we may need this later

Regmon v7.03

Now before running RegMon or FileMon! Use the procedures we have been using to delete all of the RPCNet registry keys (i.e., take ownership and manually delete them by what ever process is needed). DO NOT reboot afterwards.


Now Run Regmon

When you see the Regmon Filter window, enter the below string into the box that is labeled Include:

HKLM\SYSTEM\ControlSet002

Then click Apply and then OK.

Now continue to use your PC and monitor the RegMon window as it logs all activity to the ControlSet002 registry key. Perform all your normal tasks, do some browsing, open and close some applications in an attempt to see what will trigger the RPCNet stuff to come back.

Once something triggers it to come back, you can stop the RegMon capture bu clicking File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like regmon.log and post it back here as an attachment.


Let me know the results!

If the capture file gets very large, you may need to compress it into a ZIP file to upload it.