Any problems afterwards, since you installed the program? Just want to hear it from a fellow bit-techer.
I really don't want to spoil it for you, especially after such a long struggle, but you have to be realistic and admit that the malicious code is still there. All you managed to do is block it from receiving instructions on how to act. But it is still there and running.
It's not really running; as it doesn't run until it gets a message back, it's wanting to run, but it isn't. To be fair, it's not the most elegant of fixes, but it's not doing anything bad at the moment, as it hasn't got its bounceback instructing it to be naughty. Thus the white screen hasn't appeared. Until Computrace or HP sort out the problem, I don't think there is anything else that can be done. Well done, Burnout.
That's the very problem: it's an issue with Computrace. They've been hijacked or something, because once rpcnetp dials out to their servers the 'virus' is injected into the system. And as Margo said, until HP and Computrace sort it out, this is the best possible fix available if Windows is to be used. I can't even mod the firmware or BIOS without HP's own protection stepping in and preventing it being updated.
I still don't believe that rpcnetp dialling out is actually the problem. I rather believe that it triggers the virus, which has probably hidden itself in the HPA of the HDD, replacing the Computrace code. This then locks the system. The ideal solution would of course be to remove the Computrace Option ROM from the BIOS, but as Burnout and I had to realize, this isn't possible, since HP has put an additional checksum in place. Bar trying a clean HDD, it seems that blocking rpcnetp via a firewall is currently the best solution.
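The firewall block suggested above, written out as an added example (not code from the thread or from HP/Computrace): an outbound Windows Firewall rule keyed to the agent's executable, followed by two checks. It assumes the agent binaries are named rpcnet*.exe and live under System32, and that it is run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist; both the name pattern and the path are assumptions, so adjust $candidates if the binary sits elsewhere.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumption: the Computrace agent is rpcnetp.exe / rpcnet.exe under System32.
$candidates = Get-ChildItem -Path "$env:SystemRoot\System32" -Filter 'rpcnet*.exe' -ErrorAction SilentlyContinue

if (-not $candidates) {
    Write-Warning 'No rpcnet*.exe under System32; locate the agent (Get-Process, Autoruns) and set the path by hand.'
}

foreach ($exe in $candidates) {
    $name = "Block outbound - $($exe.Name)"
    # Idempotent: only create the rule if it is not already there.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Description 'Stop the Computrace agent phoning home' `
            -Direction Outbound -Program $exe.FullName -Action Block -Profile Any -Enabled True | Out-Null
        Write-Host "Created rule: $name -> $($exe.FullName)"
    }
}

# Check 1: the rules exist, are enabled, and are bound to the expected program path.
Get-NetFirewallRule -DisplayName 'Block outbound - *' | ForEach-Object {
    $prog = ($_ | Get-NetFirewallApplicationFilter).Program
    '{0,-32} {1,-6} {2,-6} {3}' -f $_.DisplayName, $_.Enabled, $_.Action, $prog
}

# Check 2: live TCP connections owned by the agent. With the rule in place this should print nothing.
Get-Process -Name 'rpcnet*' -ErrorAction SilentlyContinue | ForEach-Object {
    Get-NetTCPConnection -OwningProcess $_.Id -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Process'; e = { $_.OwningProcess }}, RemoteAddress, RemotePort, State
}
```

Two caveats a practitioner would want: Windows Firewall's default outbound policy is Allow, so an explicit block rule is required rather than relying on the defaults, and the rule matches on executable path, so it keeps applying if the persistence module re-drops the binary at the same location but will not match a renamed or relocated copy. As the thread itself points out, this contains the agent's traffic; it does not remove the agent.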
I also think that even replacing the HDD with a clean "brand spanking new" one isn't an option either; the malicious code must be building an HPA on any HDD installed and using the HPA to repair itself when the machine is reflashed. (I still think it's avoiding the re-flash.) I tried to track down the hidden HPA, but it's very elusive; only once did I see a rogue 2 MB appear and then disappear. I believe the HPA in question is part of the Computrace persistence module. The whole point of rpcnetp.exe is to allow Computrace to collect information about the user who has stolen the computer, which means there must be a backdoor to allow traffic back and forth between the host and Computrace servers. It's this communication that has been breached, allowing malicious code to be injected.
Been following this closely from the start but could only provide useful links to information. Well done for getting this sorted, mate, and to everyone that has helped you; what a community.
Wow, awesome job on figuring out how to beat this (even if it is not the fix you were initially looking for). Great job, glad you got it sorted. I hope your dad has a case of beer for you and your mom makes you a huge fresh CHEESE CAKE! P.S. It is still working, correct? Please update this thread if HP issues a fix. Mechh69
Well, the machine went to the in-laws on the 18th, and I've heard of no issues so far. Fingers crossed.
Burnout, what is the computer/motherboard you have that has BIOS flash protection? If you know any desktop models I could look for that came with BIOS protection, please do tell. Like you said, the combination of a locked-down OS and BIOS-protected hardware seems to be the ticket.
All BIOSes in the last 10 years, I think, have write protection; it's just for the end user to enable it. I think you need to go back to the beginning and re-read the problem I faced, as "BIOS-protected hardware" was the problem.
Well, you should contact the companies and direct them to this thread so they can figure out what to do from there and try to fix this issue.
See, the problem I faced was to circumnavigate an anti-theft device built into the machine, in order to overcome the virus/breach. Upon informing said companies about the issue, either they'll take note and not care, or ask for the machine so they can get hands-on with it, then ask where the machine came from. The machine was a lucky find by the in-laws on eBay for an absolute bargain, sealed in box. Now, as much as I hope this machine is all up and above the law, part of me wondered "is it nicked, and is this why it's triggered?". Either way, I fixed it and moved it on back to them. I suggested, since it's fixed and has a virgin install of Windows, to shift it back on eBay and let me source them something that isn't bodged together with the software version of duct tape... they declined and still use the machine to this day. Since it's still a bug that isn't widespread, I shall just keep quiet for now; if it does pop up in a big way, then experts will nail it pretty quickly in comparison to my meagre attempt. Technically my fix just re-routes all traffic via Comodo's DNS, and they act like a giant industrial firewall, a nice big friendly giant.