Windows 7 Forums

Windows 7: MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

07 Feb 2014   #91
tom982

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro x64

Quote: Originally Posted by dsperber
Quote: Originally Posted by tom982
Cottonball, would you mind killing off this folder with FRST please?

C:\Windows\winsxs\Temp\PendingDeletes
So is this the last of it, and the two files inside it?

Or was there some other third file that you'd noticed in the SFC log which also must be dealt with? That's what I thought you were pointing out.
I'm in a rush so I've got to keep this short. The error didn't actually mention a file, but I suspect it was one of the two you found; in answer to your question, no, there isn't a third file.


07 Feb 2014   #92
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by cottonball
Please run FRST again
If the above shows no results, use this input instead:

Code:
 
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000
Didn't work with the complete path/file in the search argument.

But with just the file name in the search, it did do what you wanted.

Log attached.


Quote:
Also run SystemLook:
http://jpshortstuff.247fixes.com/SystemLook.exe

•Double-click SystemLook.exe to run it.
•Copy the content inside the codebox into the input field:
Again, the search only expects the file name, not the complete path.

Log attached.


Attached Files
File Type: txt Search.txt (453 Bytes, 2 views)
File Type: txt SystemLook.txt (8.2 KB, 4 views)
07 Feb 2014   #93
cottonball

Windows 7 Home Premium

dsperber,

Once again, please open notepad (Start > All Programs > Accessories > Notepad)

Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt

Note: The fixlist.txt and FRST must both be on the Desktop, or this will not work!

Code:
start
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000
end
Now, please run FRST, and press the Fix button just once, and wait.

When done, the tool creates a report on the Desktop called: Fixlog.txt

Please post the Fixlog.txt in your reply.

07 Feb 2014   #94
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by cottonball
dsperber,

Once again, please open notepad (Start > All Programs > Accessories > Notepad)

Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt

Now, please run FRST, and press the Fix button just once, and wait.

When done, the tool creates a report on the Desktop called: Fixlog.txt

Please post the Fixlog.txt in your reply.
Well, I do believe we're finished here! GONE.

Log attached.

'Twas a long, hard journey, but we have emerged victorious!

Now this thread REALLY is "solved".

Time to spread the "reps". Again, can't thank you all enough for your patience and help over this past week.


Attached Files
File Type: txt Fixlog.txt (944 Bytes, 2 views)
07 Feb 2014   #95
UsernameIssues

W7 Pro SP1 64bit

Glad that you got it all sorted :-)
07 Feb 2014   #96
cottonball

Windows 7 Home Premium

Great job, dsperber!!!

Please give me a day or so to go over the entire thread, and then we can wrap up.
07 Feb 2014   #97
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by UsernameIssues
Glad that you got it all sorted :-)
Indeed.

And when it rains it pours...

I finally got reconnected to my cousin's Win7 HP desktop machine in NY, using TeamViewer instead of RealVNC. I'd been prevented from connecting for the past few months ever since I changed the port-forwarding configuration on his Verizon modem/router for additional security (and to try and thwart "port scanners" who were trying to get through port 5900 on every RealVNC-enabled machine I support for friends and family). I think it's a problem with the Verizon router, but whatever the explanation I could never again get to the VNC Server running on his machine.

Having recently learned about TeamViewer (which uses a different connectivity approach than VNC and does not require opening ports on a router and adding Windows Firewall exceptions), I had him install TeamViewer yesterday, and now sure enough I was finally able to get onto his PC to help him out with what his real issue was... which was DEADLY SLOW COMPUTER BEHAVIOR!

I of course was immediately suspicious of some type of infection/malware, especially as he's an AOL user. And although I had long ago installed Microsoft Security Essentials on his machine I'd not been able to install Anti-Malware since I haven't had connectivity through VNC for several months now... at least not until yesterday when I had him install TeamViewer.

Initial inspection through Task Manager showed constant 100% CPU usage. This was essentially from what appeared to be multiple copies of Internet Explorer running simultaneously, and burning up all the CPU.

Ok. It took a VERY LONG time to get everything to run (because I kept fighting with numerous seemingly self-launching copies of what Task Manager claimed were IEXPLORE.EXE and IEXPLORE32.EXE tasks, and when I'd END TASK them they'd just re-launch!) because the machine was so deadly slow. But eventually I finally completed running the same "recipe" of scan/DELETE malware-detecting utilities that I just came through myself this past week on my friend's Vista laptop in Florida.

And sure enough, there was PLENTY OF MALWARE PRESENT.

And with the results of each completed utility scan I also pushed the DELETE button to remove everything which had been discovered. This included MBAM Pro (which I installed on his machine) and RogueKiller, both of which detected various threats and objects worthy of deleting through their scans.

And once again, it was HitmanPro which found (a) a Trojan, sorry can't remember its name and I've since deleted the log, along with Registry entries, and (b) even FIREFOX.EXE was "infected" and had to be quarantined (the rest of the items and cookies and dangerous PREFS.JS lines for Firefox could be permanently deleted)!

I also uninstalled several "questionable" and obviously unwanted programs using Control Panel, as well as reverting his home page in IE from what had become (probably unnoticed by him) xol-dot-com instead of aol-dot-com as it should have been. To get Firefox back I also reinstalled a freshly downloaded v27 copy of the installer, since the infected FIREFOX.EXE had been quarantined.

I also discovered that Windows Firewall had been disabled (actually, the Service had been disabled, probably by the malware) and I re-enabled that as well.

And, in the end, the machine is now once again seemingly working perfectly and up-to-speed. Obviously it helps not to have 8 copies of "IE" trying to get started simultaneously, not to mention what plug-ins were previously active, not to mention what was happening when Firefox was launched (unaware that it was infected as well).

You can't imagine how appreciative my cousin was to me (and, by implication, from me to all-of-you for what I learned this past week on this thread) for how his PC has now "come completely back to life", from being essentially "dead".

Hopefully the newly installed presence of MBAM will help guard against possible future infections (again, AOL users seem to be particularly vulnerable of late).

When it rains it pours.
07 Feb 2014   #98
UsernameIssues

W7 Pro SP1 64bit

I hope that you did most of that cleanup work while in safe mode. Fewer bad things should be running while in safe mode. TeamViewer works in safe mode :-)

One of the computers that I remote into would not connect via TeamViewer today. This makes two computers this week that have not let me back in using TeamViewer. That is why I like to have a second or third way to get in.
08 Feb 2014   #99
cottonball

Windows 7 Home Premium

Let's remove the following tools used and their reports, since these tools are updated frequently, and it is best to have a new copy:

AdwCleaner > Run the tool, and press: Uninstall
TDSSKiller
RKill
RogueKiller
Junkware Removal Tool
Farbar Recovery Scan Tool, its C:\FRST folder, and associated reports
SFCFix.zip
SFCFix.exe
cbs logs

The ESET Online Scan is a program you may want to use every so often.

Also, make sure security software is ALL enabled and running!

Thanks for following all the instructions and providing the reports!!

Have a great week, dsperber!!
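dsperber found the Windows Firewall service disabled (post #97 above), and cottonball's last step is to make sure security software is all enabled and running. The PowerShell below is an added example written for this page; it is not from the thread and not one of the tools used in it. It reports the state and start mode of the services behind Windows Firewall, Security Center and Microsoft Security Essentials, prints the per-profile firewall state with netsh (the Windows 7 way; Get-NetFirewallProfile is Windows 8 and later), and lists the antivirus products Security Center knows about. Assumptions: MBAMService is taken to be the Malwarebytes service name, and the decoding of the undocumented productState value is the commonly used interpretation, not a Microsoft specification.

```powershell
# Added example, not from the thread. Run from an elevated prompt on Windows 7
# (PowerShell 2.0 syntax).

# Services a cleanup should leave running. MpsSvc is Windows Firewall (the one
# dsperber found disabled); BFE is the Base Filtering Engine it depends on;
# wscsvc is Security Center; MsMpSvc is Microsoft Security Essentials.
# MBAMService is ASSUMED to be Malwarebytes' service name; adjust if it differs.
$ExpectedServices = 'MpsSvc', 'BFE', 'wscsvc', 'MsMpSvc', 'MBAMService'

function Get-SecurityServiceStatus {
    param([string[]]$Names = $ExpectedServices)
    foreach ($name in $Names) {
        # Win32_Service exposes StartMode, which Get-Service in PowerShell 2.0 does not.
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) {
            New-Object PSObject -Property @{ Name = $name; State = 'NotInstalled'; StartMode = ''; Ok = $false }
            continue
        }
        New-Object PSObject -Property @{
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            # A service set to Disabled is exactly what dsperber had to revert.
            Ok        = ($svc.State -eq 'Running' -and $svc.StartMode -ne 'Disabled')
        }
    }
}

function Get-SecurityCenterAntiVirus {
    # Security Center (root\SecurityCenter2 on Vista and later) lists registered AV products.
    # productState is undocumented; the decoding below is the commonly used
    # interpretation (ASSUMPTION): hex digits 3-4 of 10 or 11 = real-time protection on,
    # hex digits 5-6 of 00 = definitions up to date.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hex = '{0:x6}' -f [int]$_.productState
            New-Object PSObject -Property @{
                Product  = $_.displayName
                State    = $hex
                Enabled  = ($hex.Substring(2, 2) -eq '10' -or $hex.Substring(2, 2) -eq '11')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        }
}

function Repair-FirewallService {
    # The revert for the case in the thread: service disabled by malware.
    Set-Service -Name MpsSvc -StartupType Automatic
    Start-Service -Name MpsSvc
}

Get-SecurityServiceStatus | Format-Table Name, State, StartMode, Ok -AutoSize
netsh advfirewall show allprofiles state
Get-SecurityCenterAntiVirus | Format-Table Product, State, Enabled, UpToDate -AutoSize

# Only if MpsSvc shows StartMode=Disabled or State=Stopped:
# Repair-FirewallService
```

Any row with Ok=False, or a profile showing "State OFF" in the netsh output, is a sign the cleanup is not finished: a firewall that was turned off by malware does not turn itself back on when the malware is removed.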
09 Feb 2014   #100
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

I got power back yesterday and Internet back today, sorry for my absence. The storm itself wasn't that bad, but those early 20th century wires couldn't carry the weight of the ice. Transformers were blowing for 30 miles in all directions (mostly east and west). It was fun... like camping in the winter... cold and dark.... makes you appreciate what you have the rest of the time.

First, I want to say that this was a great example of team effort - thanks go out to everyone.

Second, make sure your friend keeps the machine protected with an up-to-date real-time A/V program and that they practice safe surfing / messaging. Malware can get past even the best protection, so run an on-demand scanner once a month (ESET is good, but slow... Mbam and AdwCleaner are good quick checks); pick a few and run them periodically (those are the three that I use to see if anything got past Avast! be free).

Third, I'll add to Cottonball's cleanup list - TDSSkiller logs on C:\ can be removed.

Fourth, I learned a few things (as usual here on SF) -
SFCfix will be new and improved!
FRST can kill off winsxs files.. although one of the pending deletes required a restart - has that already been done?
From the FRST fixlog:
Could not move "C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000" => Scheduled to move on reboot.
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000 => Moved successfully.
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-02-07 19:40:56)<=

C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000 => Is moved successfully.
So now you're helping your cousin in NY - did I read that correctly?

Good luck with that project - open a new thread if you think you need help on that.

Bill
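Slartybart's question about the pending delete that FRST "Scheduled to move on reboot" (and cottonball's fixlist in post #93) can be answered directly on the machine. The PowerShell below is an added example for this page, not code from the thread or from FRST: it reads the PendingFileRenameOperations registry value, which is the standard Windows mechanism for file moves and deletes deferred to the next boot (that FRST uses exactly this value is an assumption; the fixlog wording matches it), decodes the raw source/destination pairs, and checks whether the two $$DeleteMe files from the fixlist still exist. The two file paths are the real ones from the thread; the function name and the constructed sample at the end are illustrative.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt
# (PowerShell 2.0 syntax, as shipped with Windows 7).

# Windows keeps moves/deletes deferred to the next boot in this REG_MULTI_SZ
# value as pairs: source path, then destination path. An empty destination
# means "delete"; paths use the NT form \??\C:\..., and a destination that
# starts with "!" means "replace an existing file".
$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingFileOperations {
    param([string[]]$Entries)   # pass $null to read the live registry value
    if ($Entries -eq $null) {
        $item = Get-ItemProperty -Path $SessionManagerKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
        if ($item -eq $null) { return @() }
        $Entries = [string[]]$item.PendingFileRenameOperations
    }
    $ops = @()
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $src = $Entries[$i] -replace '^\\\?\?\\', ''
        $dst = ''
        if ($i + 1 -lt $Entries.Count) { $dst = $Entries[$i + 1] -replace '^!?\\\?\?\\', '' }
        $ops += New-Object PSObject -Property @{
            Source       = $src
            Destination  = $dst
            Action       = $(if ($dst -eq '') { 'Delete' } else { 'Move' })
            # -LiteralPath: "$$" and "[" in these names must not be treated as wildcards.
            SourceExists = (Test-Path -LiteralPath $src)
        }
    }
    return $ops
}

# The two files from cottonball's fixlist (real paths from the thread).
$FixlistTargets = @(
    'C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000',
    'C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000'
)

Write-Host "Operations currently scheduled for the next reboot:"
$live = @(Get-PendingFileOperations $null)   # @() so .Count works in PowerShell 2.0
if ($live.Count -eq 0) { Write-Host "  (none)" }
$live | Format-Table Action, SourceExists, Source, Destination -AutoSize

Write-Host "Fixlist targets:"
foreach ($t in $FixlistTargets) {
    "  exists={0,-5} {1}" -f (Test-Path -LiteralPath $t), $t
}

# Constructed sample (NOT read from a real machine) showing how the raw value
# decodes: one deferred delete, then one deferred move with replace-existing.
$Sample = @(
    '\??\C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000', '',
    '\??\C:\Temp\new.dll', '!\??\C:\Program Files\App\old.dll'
)
Write-Host "Decoded constructed sample:"
Get-PendingFileOperations $Sample | Format-Table Action, Source, Destination -AutoSize
```

After the reboot that FRST asked for, the value should be gone (or at least no longer list the PendingDeletes file) and both "exists=" lines should read False. If the file is listed but exists=True after a reboot, the deferred delete did not run and the step has to be repeated.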