Windows 7 Forums



Windows 7: MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

01 Feb 2014   #31
UsernameIssues

W7 Pro SP1 64bit
 
 

Teamviewer lets you reboot to the safe mode and still reconnect. If you tell TV to make the computer reboot, it should offer an option to "wait on partner". That should notify you when the reboot has completed and offer to reconnect you. I use VNC as a backup to TV.

I'll keep playing with the AOL/nordstrom thing. I had only played with 9.7 for an issue in another forum.


01 Feb 2014   #32
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by UsernameIssues
Teamviewer lets you reboot to the safe mode and still reconnect. If you tell TV to make the computer reboot, it should offer an option to "wait on partner". That should notify you when the reboot has completed and offer to reconnect you. I use VNC as a backup to TV.

I'll keep playing with the AOL/nordstrom thing. I had only played with 9.7 for an issue in another forum.
Just found this VERY interesting web page on the useragentstring.com web site.

It shows that using AOL 9.5 there is no way IE9 can be presented properly in the "useragentstring" value!!

Apparently, you must be using AOL 9.6 in order to present even IE8 (which is the maximum value possible with AOL 9.6). This is higher than IE7, and may well have been acceptable to the Nordstrom site which doesn't support IE7 any longer but might support IE8 and higher.

And you must be using AOL 9.7 if you want to present IE9. I already know that it's possible to present IE10 with AOL 9.7, because I already verified that. So this web page does at least appear to be somewhat out-of-date.

I'm going to upgrade from 9.5 to 9.7 and see if that makes this all go away! Seems like it can't hurt, and she's used to using 9.7 anyway (on that Win7 laptop) when they're home in Boston.
01 Feb 2014   #33
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
 
 

That poor Vista system.... all of those things running.

The herdProtect log has a lot in it; some are probably false positives (some valid HP stuff shows up as malware on my machine). Some of it might only be suspicious.

If you want, you can kill herdProtect - it's a report scan only.

Do run the scanners in the order listed; they complement each other nicely that way. Don't sweat JRT out of sequence (it was a quick check), but do run it again in the order specified in the guide.

There is a reason.

It's almost Saturday night, a friend has a gig and I'm going to support the band.
A bunch of old guys rockin' out - not exactly ZZ Top though.

01 Feb 2014   #34
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Just to report MISSION ACCOMPLISHED on the other issue, the AOL problem accessing the Nordstrom site (discussed in my other "browsers" thread)!

In the end it only needed to upgrade through AOL 9.7 instead of AOL 9.5, to support IE9 which was now installed. That's all it was. Period. Case closed. Thread marked "solved".

WHEW!!!


Ok. Back to this one. I need some lunch, and some sleep.

I will run the whole sequence of scans later today when my friend gets back from the movies and can assist.
02 Feb 2014   #35
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
 
 

AOL is A-OK now - that's good news I suppose

How are you making out with the Malware scans?
There are a few follow-up scans and ops after running through the guide: Farbar, OT-TFC, restore hosts to default, maybe a few others.

You want to be sure that whatever was on the machine is eradicated and that those bad IP addresses aren't referenced by anything else.

Bill
02 Feb 2014   #36
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by Slartybart
AOL is A-OK now - that's good news I suppose
Yes. And I have now also upgraded two other Win7 desktop machines which were using AOL 9.5 with IE11 and experiencing the same issues with assorted web sites complaining about "no longer support your browser" (which we now know was due to the "useragentstring" sent by AOL 9.5 which showed "MSIE 7.0").

Both systems are now upgraded to AOL 9.7, and all issues with problem web sites have disappeared.


Quote:
How are you making out with the Malware scans?
Well, now HERE WE INDEED HAVE A MIRACLE!! SUCCESS!! CASE CLOSED!! MALWARE REMOVED!!

And I would attribute the accomplishment to the "recipe" link you provided previously (from Malwaretips.com), and specifically to the use of HitmanPro in that sequence, based on the timings and MBAM logs which showed exactly when the blocked IP accesses finally ceased.

The few steps performed prior to HitmanPro all found nothing. This included TDSSKiller which had to run in safe mode. And the MBAM log continued to show blocked IP addresses right up until the HitmanPro "delete" step, after which they appeared to stop. And this cessation of blocked IP accesses continued across several re-boots.

The later products which followed HitmanPro may have identified a handful of "minor" items, which I deleted, but none of them was really relevant to this deeply buried access to those Russian IP's.

I'm convinced now that it was tied to the MyWebSearch item, which I tried to uninstall and remove but couldn't ever complete successfully. And several of the anti-malware products I'd tried previously certainly identified breadcrumbs of MyWebSearch, but whatever they found and removed did not seem to be a solution.

Only HitmanPro seemed to again locate even further additional remnants of MyWebSearch, along with what I believe to have been the "hiding place" of the culprit object code:
C:\Windows\system32\rpcss.dll
as well as related crucial pieces (including another mention of DcomLaunch):
Startup
HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch\
HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\
I'm attaching the two HitmanPro logs (the "found" log before I pushed DELETE, and the "action taken" log recording everything removed), as well as the current final state of the MBAM log (which shows the ongoing blocked IP access before running HitmanPro, and then the post-HitmanPro "silence").

I double-checked with TASKMGR, and there is no longer a DcomLaunch PID active disguised as SVCHOST.EXE and sending out requests to those two Russian static IP addresses. Silence.

Note that I didn't run anything past Step 7 (Junkware Removal Tool). I actually did start Step 8 (ESET) but after about 30 minutes of VERY SLOW PROGRESS scanning and having only gotten through about 35% of what it had to do and having found nothing so far, I decided to just cancel that scan. I hadn't yet looked at the MBAM log to see if whatever had been found and removed by any of the earlier steps had been successful, and was just itching to look.

So I re-booted, did some miscellaneous things (like general Internet access through Firefox and IE) which would previously have guaranteed access to those IP's if they hadn't already occurred, and then looked at the MBAM log. I was thrilled to see that they had long-since ceased, and the moment of disappearance coincided with the removals done by HitmanPro.

THEREFORE...

I thank you (and the whole set of anti-malware software developers and vendors) for setting down a "recipe" that does indeed seem to cover all bases. Certainly MBAM itself, along with ADWCleaner and RogueKiller which did all find something to remove over the course of the past several days, well they all must have helped.

But in this particular malware case, I believe it was this thing called MyWebSearch which was the culprit. And it was definitely HitmanPro which finally managed to find every single last loose-end remaining piece of it and remove it.

I WILL NOW MARK THIS THREAD "SOLVED"!!

Thanks again to everyone who participated and helped out. (incidentally, there still is NO response to my similar thread on the Malwarebytes Forum)


Attached Files
HitmanPro_20140202_1454.log (10.4 KB)
HitmanPro_20140202_1459.log (10.8 KB)
MBAM_log.txt (6.2 KB)
03 Feb 2014   #37
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
 
 

Yeah, ESET is slow, but it finds stuff other scanners don't.

I'm glad you got through all of that and a solution was found.

If you're still on the Vista system, I think a Farbar scan would be a good "final check" - if it finds anything, it might be a two step process (scan, then clean with a custom script).

See this post for step one of the Farbar instructions


I'm not certain if this threat was contained - it might have needed a reboot to resolve it completely

HitmanPro log2
Malware
C:\Windows\system32\rpcss.dll -> PendingDelete
Size . . . . . . . : 550,912 bytes
Age . . . . . . . : 1555.3 days (2009-10-31 07:46:13)
Entropy . . . . . : 5.6
SHA-256 . . . . . : 0A22F667B7D77EC22D623CE5AE3C4218160386EE84EA90DC64036C60371EC763
Product . . . . . : Microsoft® Windows® Operating System
Publisher . . . . : Microsoft Corporation
Description . . . : Distributed COM Services
Version . . . . . : 6.0.6002.18005
Copyright . . . . : © Microsoft Corporation. All rights reserved.
Service . . . . . : RpcSs
> Bitdefender . . . : Trojan.Patched.Zekos.A
> Kaspersky . . . . : Trojan.Win32.Patched.pj
Fuzzy . . . . . . : 109.0
Startup
HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch\
HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\


Farbar will tell you more.

Bill
03 Feb 2014   #38
UsernameIssues

W7 Pro SP1 64bit
 
 

The tendency is to want to clean infections quickly...
...but this is one time when I would have liked to have seen how well the Process Monitor/Virustotal combo would have worked to locate such an item.

[Attached screenshot: MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131-capture.png]


03 Feb 2014   #39
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by Slartybart
If you're still on the Vista system, I think a Farbar scan would be a good "final check" - if it finds anything, it might be a two step process (scan, then clean with a custom script).

See this post for step one of the Farbar instructions
I will give this a try overnight tonight, just to see what it says.

Also I may re-run that ESET scan and let it run for the several hours it appears it's going to take.


Quote:
I'm not certain if this threat was contained - it might have needed a reboot to resolve it completely
I DID reboot. I posted the "before cleanup" log and also the "after cleanup". But there was a message from HitmanPro saying that the re-boot was required to complete the cleanup.

It was prescribed as required by HitmanPro, because it had to do that in order to remove the RPCSS.DLL object.

I'm good, I'm sure, as the MBAM log shows. But when I get back on the Vista machine I will confirm that RPCSS.DLL is no longer present.
03 Feb 2014   #40
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by UsernameIssues
The tendency is to want to clean infections quickly...
...but this is one time when I would have liked to have seen how well the Process Monitor/Virustotal combo would have worked to locate such an item.
I actually DID enable the Virustotal column during my work over the weekend. But it showed 0 from that PID, so I didn't think to post it here as nothing was discovered by the known offending task.

I probably should have posted it.

Bottom line: only HitmanPro found (and was able to delete) RPCSS.DLL, and the relevant HKLM startup Registry entries that kicked it off along with the "villain" PID task, along with the other supporting Registry entries. All the other products I used did NOT find those objects, which were all related to the culprit MyWebSearch.

I believe ADWCleaner found some of the pieces of MyWebSearch and theoretically removed them, but for all I know they may have "regenerated themselves". I don't recall if the same ones later found by HitmanPro duplicated the originals found by ADWCleaner or not (I'll see if there are all logs still present or if I deleted them, as maybe that will be demonstrated).

For sure, MBAM did NOT find any of this. Once my initial Quick Scan (and I also ran a FULL Scan) with MBAM discovered about 15 assorted miscellaneous items (none of which related to MyWebSearch) it never found anything significant again. On a later second scan it found two more of something, but the final scan (as one step in the "8-step recipe") showed "clean", which was obviously not yet true as the HitmanPro step came after MBAM.

Of course it was MBAM now running on the machine that did provide the initial clues that the machine was infected, due to the incessant "blocked IP" popups regarding those two Russian/Netherlands IP addresses. So were it not for MBAM, this MyWebSearch culprit would never have been found and then eliminated thanks to HitmanPro.
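As an added example (not from the thread or from any tool mentioned in it), here is the post-reboot check a defender would run on the Vista machine, tying together the HitmanPro log in #37 and the VirusTotal column discussion in #38/#40: a process-level VirusTotal score rates the clean svchost.exe image, not the rpcss.dll loaded into it, so the DLL itself is hashed and compared against the known-bad SHA-256 from the log, and its signature and the services' ServiceDll pointers are inspected. It assumes an elevated PowerShell prompt and the standard Parameters\ServiceDll registry value by which both RpcSs and DcomLaunch point at their hosting DLL.

```powershell
# Added example, not from the thread or from HitmanPro: post-reboot check of the
# file HitmanPro flagged as Trojan.Patched.Zekos.A. Run from an elevated prompt.
$Target      = Join-Path $env:SystemRoot 'system32\rpcss.dll'
# Known-bad SHA-256 copied from the HitmanPro log posted in the thread
$KnownBadSha = '0A22F667B7D77EC22D623CE5AE3C4218160386EE84EA90DC64036C60371EC763'

function Get-Sha256Hex {
    # .NET hashing so this also runs on PowerShell 2.0 (Vista/Win7 era), which has no Get-FileHash
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $fs.Close() }
}

function Test-RpcssState {
    # A working Windows needs rpcss.dll: the goal is a clean copy, not an absent file.
    # Present = False means the PendingDelete went through but nothing restored the DLL.
    $r = @{ Path = $Target; Present = (Test-Path $Target) }
    if ($r.Present) {
        $r.Sha256   = Get-Sha256Hex $Target
        $r.KnownBad = ($r.Sha256 -eq $KnownBadSha)   # True = the patched file is still there
        # Caveat: OS binaries are catalog-signed. On PowerShell 2.0 this can report NotSigned
        # for a genuine file; anything other than Valid should be re-checked with sfc /verifyfile.
        $r.Signature = (Get-AuthenticodeSignature $Target).Status
    }
    # Both services run inside svchost and load their code via Parameters\ServiceDll (assumed
    # standard layout). Expected: %SystemRoot%\system32\rpcss.dll; anything else is a redirect.
    foreach ($svc in 'RpcSs', 'DcomLaunch') {
        $p = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" -ErrorAction SilentlyContinue
        $r["${svc}_ServiceDll"] = if ($p) { $p.ServiceDll } else { '<missing>' }
    }
    New-Object PSObject -Property $r
}

Test-RpcssState | Format-List
```

If Signature is anything but Valid, `sfc /verifyfile=C:\Windows\System32\rpcss.dll` checks the file against the Windows component store and is the authoritative answer on a system where catalog signatures are not resolved by Get-AuthenticodeSignature.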