Popups

Please attach the log from CounterSpy as requested.

Possibly because you did not follow the directions in step 6 and uninstall all of your old Sun Java version and install the current version!

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0
Mozilla Firefox (1.0.4)

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Then install the current version of FireFox from: Mozilla Firefox

Now try Bitdefender and Panda again. Any luck?

Are you using a non-english Windows Version?

Is the below something you installed??
O4 - Startup: Shortcut to XBALANCE.lnk = C:\Program Files\XBALANCE.EXE

Is this a laptop PC and did you purchase a security item with it name Lojack (to recover lost/stolen PCs)? Or anything by Absolute Software Corp or Computrace? You may not even know you have this!


To check this.
Click Start, Run and type msconfig, and click OK. This will openthe System Configuration Utility. Click the Services tab and put a check in the "Hide All Microsoft Services" scroll down to see if it shows Absolute Software Corp.

 

That's strange. Are you studying Chinese or do you access lots of Chinese websites. Many things I see on your system keep pointing towards Chinese web pages. Even the below from your Panda log points to Chinese sites.

Code:

                                                               
Adware:Adware/BaiduBar   Not disinfected  C:\Program Files\Kingsoft\Powerword 2006\Regbaidu.exe                                                                                  

Do a Google Search on Regbaidu.exe and see what I mean.

And even PowerWord 2006 brings up hits to Chinese. Is PowerWord something you installed? If so, then perhaps the above is not a problem.

You would not be able to see it. It is embedded in hardware. Since it is a school PC, that explains it. They purchase these PCs with this hardware installed to prevent and also track down PC thiefs.

 

Let's try the below!

Start by downloading a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - CÅ
AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - XCÅ
0B48F-617D-4F73-A20F-D3D54357F103} - (no file)
O2 - BHO: (no name) - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O2 - BHO: (no name) - ¨
Å
¨
Å
3-0D84-45aa-81EC-CC629BC07566} - (no file)
O2 - BHO: (no name) - ØBÅ
49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Startup: Shortcut to XBALANCE.lnk = C:\Program Files\XBALANCE.EXE

After clicking Fix, exit HJT.

Now run Pocket Killbox by doubleclicking on killbox.exe

• select File, Cleanup, Delete All Backups
• Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
• Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\XBALANCE.EXE
C:\WINDOWS\system32\instw32.exe
C:\WINDOWS\system\s6\iexplorer.exe

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

 

Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
C:\Documents and Settings\All Users\Application Data\Sunbelt Software
C:\spywaretools\Counterspy

Now shut down all applications especially browsers (even this one where you are reading this message) before doing the below.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Is that O2 BHO line gone now?

 

Yes that is what we are working on!


Please download and install Registrar Lite Make sure you select a Majorgeeks download link and not the Authors!

Run Registrar Lite navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}
HKEY_classes_root\clsid\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}

To take ownership of the key do the following:

• Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
• Click-on Security in the top Menu
• Select Take Ownership
• Repeat these steps for all of the registry keys given above before continue to the next steps below.
• Now leave RegistrarLite running and continue
• Now run the fixME.reg REGISTRY PATCH below in this message.
• Tell me the results. Any error messages?
• Now in RegistrarLite click View and then Refresh
• Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
• If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!.

Here is the Registry Patch

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

PART 2 - Setting Permissions for Everyone
Run the below if some of the registry keys still exist after running the above steps.

Now I want you to use Registar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to everyone ( I describe this down below the list of registry keys).

After click Edit Permissions , here is what I expect you to see in the Group or user names area of the form:

Everyone
SYSTEM

Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. The click Apply and then OK to get back to the main Registrar Lite screen. Nowright click on the registry key and select Delete. The click View and Refresh. Check to see if the registry key just deleted truly deleted. If so, move on to the next to work thru the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

Then reboot your PC!

Is the O2 BHO gone now?
Does Yahoo come up clean?

 

But did you try the manual delete as requested?

 

Remember back in message number 2 when I asked you about:

That is what this file is for and it is not possible to permanently delete this. Even if we delete the files using special procedures, they will come back after a reboot. They are embedded into this PC locating hardware that is embedded in your PC's hardware.

It is also related to the below service:
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe

 

Wait a minute!!!!

Are you sure it said they were in c:\windows\system and not c:\windows\system32


Look in c:\windows\system and tell me if you see those files and what are the file dates?

Also attach a new log from ShowNew.

 

Perhaps it is due to a recent update in your antivirus programs definitions. Those files were always there and you will see their dates change probably after each reboot since they are added back in by the hardware. You have a few options:

• talk to the your school and see how they are handling this problem. They are the ones who purchased the PC with this PITA hardware installed.
• talk to the PC manufacturer and explain the situation (you will probably not have any luck doing this at all)
• talk to McAfee and tell them they need to know the difference between real malware and these files add by Lojack, Absolute Software Corp, Computrace or what ever it may be called now.
• see if there is an option in McAfee to ignore these files
• uninstall McAfee and see if you have better luck with another antivirus application

 

You forgot one. The below is what is actually in your system32 folder:

Code:

"C:\WINDOWS\system32\"
rpcnet.exe    Feb 15 2007       35840  "rpcnet.exe"
rpcnetp.exe   Mar  8 2007       17408  "rpcnetp.exe"
 
"C:\WINDOWS\system32\"
rpcnet.dll    Mar  8 2007       35840  "rpcnet.dll"

 

That would be your best option. This group of files is well known by most REAL malware experts and we know that they are due to hardware built-into the PCs. Many novices are still trying to remove them all the time and they will not be able to do so on a permanent basis. You can get the files to delete if you know what you are doing, but as soon as you reboot, they will be back again.