Windows 7 Forums


Windows 7: MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

03 Feb 2014   #41
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Thanks for the updates dsperber,

I'll take a look at the Farbar and ESET logs when you post them.

There's another good tool to empty all temp locations in case anything is hiding there.
I'll post it after the logs are up and you can run it at your convenience.

Take a look at all browsers on the system (specifically home page, toolbars, and search engines) and remove any add-ons that are not readily recognized. They can always be added back if they're needed.

Bill
03 Feb 2014   #42
UsernameIssues

W7 Pro SP1 64bit

It's disappointing to hear that Process Explorer did not find the infected DLL. Did you enable the view as shown in my screenshot above?

My guess is that the EXE was not infected, it was just being used to load the infected DLL.
03 Feb 2014   #43
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1

This Trojan is also a 'password stealing' Trojan. I would suggest that you let the client know, and have them change ALL their passwords, using a known "clean" computer.

03 Feb 2014   #44
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by Slartybart
I'll take a look at the Farbar and ESET logs when you post them.
I'm attaching both of the Farbar logs... FRST and ADDITION.

ESET is just getting started so it will be probably 2 hours before its log is ready.

Also, even though it's 2/3 MBAM has not yet even produced a new log (i.e. the 2/2 log is the last one shown), because there has been ZERO reason. Last entry on the 2/2 log was at around 6PM EST regarding starting protection following the daily database update, with the previous last update about 2 hours prior.

I think we have emerged victorious.


Quote:
There's another good tool to empty all temp locations in case anything is hiding there.
I'll post it after the logs are up and you can run it at your convenience.
I had done my own manual cleaning out of everything from the various TEMP folders on the machine as part of my early housecleaning and uninstall of any programs I saw in Control Panel that were unwanted, unnecessary, or possibly suspicious.

But I'll be glad to use whatever tool you can point me to that does the same thing automatically or perhaps more rigorously.


Quote:
Take a look at all browsers on the system (specifically home page, toolbars, and search engines) remove any add-ons that are not readily recognized. They can always be added back if they're needed.
Took care of these over the weekend.

I think we're in pretty good shape now.


Attached files: Farbar_FRST.txt (66.4 KB), Farbar_Addition.txt (19.9 KB)
03 Feb 2014   #45
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by Jacee
This Trojan is also a 'password stealing' Trojan. I would suggest that you let the client know, and have them change ALL their passwords, using a known "clean" computer.
Good idea. Thanks for the suggestion.

I've just left them a phone message advising to do this. She's a "shopper".
03 Feb 2014   #46
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by UsernameIssues
It's disappointing to hear that Process Explorer did not find the infected DLL. Did you enable the view as shown in my screenshot above?
Yes. And I showed the same VirusTotal column in red as your screenshot showed. It's just that the virus count was 0.


Quote:
My guess is that the EXE was not infected, it was just being used to load the infected DLL.
Agreed.
03 Feb 2014   #47
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by Slartybart
HitmanPro log2
Malware
C:\Windows\system32\rpcss.dll -> PendingDelete
Size . . . . . . . : 550,912 bytes
Age . . . . . . . : 1555.3 days (2009-10-31 07:46:13)
Entropy . . . . . : 5.6
SHA-256 . . . . . : 0A22F667B7D77EC22D623CE5AE3C4218160386EE84EA90DC64036C60371EC763
Product . . . . . : Microsoft® Windows® Operating System
Publisher . . . . : Microsoft Corporation
Description . . . : Distributed COM Services
Version . . . . . : 6.0.6002.18005
Copyright . . . . : © Microsoft Corporation. All rights reserved.
Service . . . . . : RpcSs
> Bitdefender . . . : Trojan.Patched.Zekos.A
> Kaspersky . . . . : Trojan.Win32.Patched.pj
Fuzzy . . . . . . : 109.0
Startup
HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch\
HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\
Interestingly, it would appear that a second copy of that DLL was stored on D, in the 15GB Dell Recovery Partition copy of Windows!!! And it was not discovered by any scan, and thus clearly also not deleted. But it's there... same as it was on the primary infected C, in D:\Windows\System32. I have to assume it's the same infected DLL (which is NOT present any longer in C in that original location).
Is it safe for me to just delete it manually myself from D?? And what about the possibility that Registry entries on that D version of Windows might have also been affected?

Actually, I'm all for just nuking that partition anyway using Partition Wizard and just resizing C (currently 85GB free out of 135GB partition) along with allocating a brand new D to be used for "system image" backup using Macrium Reflect. That's the right type of "recovery" that is needed to get CURRENT things back if needed, not through the Dell method to put things back to "factory".

Again, this is an old old but perfectly reliable and usable Vista machine and is in all likelihood NEVER going to need "recovery" using this arcane method, assuming it could even still be used.

I think I'm going to vaporize D, and then re-create it along with a resized C, to serve as an internal "backup" partition. Obviously in all the years they've had this Dell laptop they haven't had a need for this, but given what I see now I think it's a sensible thing to do.
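The question above (is the copy under D:\Windows the same patched rpcss.dll that HitmanPro flagged on C:?) can be settled by hashing rather than by assumption. The following is an added example, not code from HitmanPro, FRST or any poster: it hashes the same relative path under every Windows root it is given and compares the SHA-256 with the hash HitmanPro reported in the quoted log (known-bad) and with a known-good set. The Windows roots, the empty known-good set and the helper names (`sweep`, `classify`, `sha256_of`) are assumptions for the example; the script only reads files and never deletes or changes anything.

```python
"""Hash sweep across several Windows installations.

Added example for this thread; not code from HitmanPro, FRST or any poster.
Hashes <root>/<relative> under each Windows root (live C:\\Windows and the
recovery copy D:\\Windows in the thread) and classifies each copy against a
known-bad set (the SHA-256 HitmanPro reported, quoted above) and a known-good
set (hashes from a clean machine of the same build; placeholder here).
"""
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, Optional, Set

# SHA-256 HitmanPro reported for the patched C:\Windows\system32\rpcss.dll
# (copied from the log quoted in this thread), normalised to lower-case hex.
HITMANPRO_SHA256: Set[str] = {
    "0A22F667B7D77EC22D623CE5AE3C4218160386EE84EA90DC64036C60371EC763".lower()
}

# Placeholder: fill from a clean installation of the same Windows build.
KNOWN_GOOD_SHA256: Set[str] = set()


@dataclass(frozen=True)
class Result:
    verdict: str            # "known-bad", "known-good", "unknown" or "missing"
    digest: Optional[str]   # hex SHA-256, None when the file is missing


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(digest: str, known_bad: Set[str], known_good: Set[str]) -> str:
    digest = digest.lower()
    if digest in known_bad:
        return "known-bad"
    if digest in known_good:
        return "known-good"
    # Neither list knows the hash: compare with a clean copy of the same build
    # before trusting or deleting the file.
    return "unknown"


def sweep(windows_roots: Iterable[Path], relative: str,
          known_bad: Set[str], known_good: Set[str]) -> Dict[str, Result]:
    """Hash <root>/<relative> under every Windows root and classify each copy."""
    results: Dict[str, Result] = {}
    for root in windows_roots:
        target = Path(root) / relative
        if not target.is_file():
            results[str(target)] = Result("missing", None)
            continue
        digest = sha256_of(target)
        results[str(target)] = Result(classify(digest, known_bad, known_good), digest)
    return results


if __name__ == "__main__":
    # Assumed layout from the thread: live system on C:, recovery copy on D:.
    roots = [Path(r"C:\Windows"), Path(r"D:\Windows")]
    for path, res in sweep(roots, "system32/rpcss.dll",
                           HITMANPRO_SHA256, KNOWN_GOOD_SHA256).items():
        print(f"{res.verdict:<10} {res.digest or '-':<64} {path}")
```

A copy that comes back "known-bad" under D:\Windows confirms the recovery image carries the same patched file; an "unknown" result is not a clean bill of health, only a prompt to compare with a reference copy of the same build.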
03 Feb 2014   #48
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by Slartybart
I'll take a look at the Farbar and ESET logs when you post them.
Posted Farbar log earlier.

Here's the ESET log (took 4 hours to complete).

Note that ESET found one "threat", which was I'm guessing somehow a "backup copy" of the RPCSS.DLL? It's got a different size, and it has a date from just a few days ago (Friday)... around the time when I think I may have been getting started on the disinfection process.

I'm not sure exactly what this is. But I did push the "delete quarantined items" button on ESET. However the item is still where it was found, so I don't think it really got deleted.

Concerned, I just ran HitmanPro again, and it found ZERO threats. So that's reassuring. Don't know why/how ESET would have noticed it and HitmanPro didn't.

Advice?? Should I (can I) manually delete it myself? Will Windows let me, or will it just restore it?


Attached file: ESET.txt (185 Bytes)
03 Feb 2014   #49
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Yeah, I'm going to ask other members to look at the Farbar and ESET logs.

In the Farbar log these "One month modified ..." entries might need to be verified:
2014-01-31 18:36 - 2006-11-02 01:32 - 00008798 _____ () C:\Windows\system32\icrav03.rat
2014-01-31 18:36 - 2006-11-02 01:32 - 00001988 _____ () C:\Windows\system32\ticrf.rat
2014-01-29 21:29 - 2014-01-29 21:29 - 00000000 ____S () C:\Windows\system32\ubwvq.dqs
2014-01-28 19:01 - 2014-01-28 19:01 - 00000000 ____S () C:\Windows\system32\ifmhg.xgj
2014-01-26 08:56 - 2014-01-26 08:56 - 00028672 _____ () C:\Windows\system32\fdnzvw.cnw
2014-01-26 08:56 - 2014-01-26 08:45 - 00000100 _____ () C:\Windows\system32\ohwyn.tgy
2014-01-26 08:45 - 2014-01-26 08:45 - 00000064 _____ () C:\Windows\system32\yqqn.sxt

2014-01-04 11:46 - 2014-01-04 11:46 - 00101213 ____S () C:\Windows\system32\cdklx.uaf

2014-01-12 20:26 - 2013-12-20 17:02 - 00000000 ____D () C:\Users\susan\Desktop\T.MK801.S.14

Under "Bamital & volsnap Check":
C:\Windows\system32\rpcss.dll
[2009-10-31 07:46] - [2009-04-11 01:28] - 0550912 ____A (Microsoft Corporation) 150DB93F1299491B4AF6025650035AFD
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
I googled the MD5 and it is unique - no matches found.

In the Farbar Additional file, there are a number of recent (today) events in the event logs.
Look at the tail end of the file or use event viewer on the system.

I'd feel more comfortable if a member on the security team took a look. Jacee has already stopped in and is a bit familiar with the thread.
- this is a Vista machine, correct?

Recap scans: How to easily clean an infected computer (Malware Removal Guide) and Farbar FRST

Bill
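A triage pass over the FRST lines quoted in this post, as an added example (not FRST's own code and not from any poster). It parses the two line shapes shown above, the "One month modified" entries and the "Bamital & volsnap Check" path/hash pair, and flags entries a defender would check first: unexpected extensions under system32, zero-byte files carrying the System attribute, and a system file whose MD5 is not in a reference set taken from a clean machine. The field order (last modified, created, size, attribute flags, company, path), the expected-extension list, the reference MD5 set and the helper names are assumptions for the example; the sample input is built from the lines quoted in this post.

```python
"""Triage of Farbar Recovery Scan Tool (FRST) log lines.

Added example for this thread; not FRST code and not from any poster.  Field
order (modified, created, size, attribute flags, company from the version
resource, path) is assumed from the layout of the quoted lines.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set

ONE_MONTH_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$")
BAMITAL_RE = re.compile(
    r"^\[(?P<modified>[^\]]+)\] - \[(?P<created>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumed: extensions normally present under %SystemRoot%\system32 on a stock install.
EXPECTED_SYSTEM32_EXT = {".dll", ".exe", ".sys", ".drv", ".ocx", ".cpl", ".mui", ".nls",
                         ".acm", ".ax", ".tlb", ".msc", ".scr", ".com", ".dat", ".log",
                         ".ini", ".xml", ".txt", ".rat"}
# Placeholder: MD5 per lower-cased path, taken from a clean machine of the same build.
REFERENCE_MD5: Dict[str, Set[str]] = {
    r"c:\windows\system32\rpcss.dll": {"<MD5-OF-RPCSS.DLL-FROM-CLEAN-REFERENCE>"},
}

# Sample input built from the FRST lines quoted in this post (the structure is
# reconstructed for the example; paths and hashes are the thread's).
SAMPLE_FRST = r"""2014-01-31 18:36 - 2006-11-02 01:32 - 00008798 _____ () C:\Windows\system32\icrav03.rat
2014-01-31 18:36 - 2006-11-02 01:32 - 00001988 _____ () C:\Windows\system32\ticrf.rat
2014-01-29 21:29 - 2014-01-29 21:29 - 00000000 ____S () C:\Windows\system32\ubwvq.dqs
2014-01-28 19:01 - 2014-01-28 19:01 - 00000000 ____S () C:\Windows\system32\ifmhg.xgj
2014-01-26 08:56 - 2014-01-26 08:56 - 00028672 _____ () C:\Windows\system32\fdnzvw.cnw
2014-01-26 08:56 - 2014-01-26 08:45 - 00000100 _____ () C:\Windows\system32\ohwyn.tgy
2014-01-26 08:45 - 2014-01-26 08:45 - 00000064 _____ () C:\Windows\system32\yqqn.sxt
2014-01-04 11:46 - 2014-01-04 11:46 - 00101213 ____S () C:\Windows\system32\cdklx.uaf
2014-01-12 20:26 - 2013-12-20 17:02 - 00000000 ____D () C:\Users\susan\Desktop\T.MK801.S.14
Bamital & volsnap Check
C:\Windows\system32\rpcss.dll
[2009-10-31 07:46] - [2009-04-11 01:28] - 0550912 ____A (Microsoft Corporation) 150DB93F1299491B4AF6025650035AFD
"""


@dataclass
class Entry:
    modified: datetime
    created: datetime
    size: int
    attrs: str      # FRST flags, e.g. "____S" System, "____D" directory, "_____" none
    company: str
    path: str
    md5: Optional[str] = None


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_report(text: str) -> List[Entry]:
    entries: List[Entry] = []
    pending_path: Optional[str] = None   # bare path line that precedes a Bamital hash line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ONE_MONTH_RE.match(line)
        if m:
            d = m.groupdict()
            entries.append(Entry(_ts(d["modified"]), _ts(d["created"]), int(d["size"]),
                                 d["attrs"], d["company"], d["path"]))
            pending_path = None
            continue
        m = BAMITAL_RE.match(line)
        if m and pending_path:
            d = m.groupdict()
            entries.append(Entry(_ts(d["modified"]), _ts(d["created"]), int(d["size"]),
                                 d["attrs"], d["company"], pending_path, d["md5"].upper()))
            pending_path = None
            continue
        pending_path = line if DRIVE_PATH_RE.match(line) else None
    return entries


def flags(e: Entry, reference: Dict[str, Set[str]]) -> List[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons: List[str] = []
    low = e.path.lower()
    in_system32 = "\\windows\\system32\\" in low
    is_dir = "D" in e.attrs
    ext = PureWindowsPath(e.path).suffix.lower()
    if in_system32 and not is_dir and ext not in EXPECTED_SYSTEM32_EXT:
        reasons.append(f"unexpected extension {ext} under system32")
    if "S" in e.attrs and not is_dir and e.size == 0:
        reasons.append("zero-byte file with the System attribute (hidden from default views)")
    if e.md5 is not None and e.md5 not in reference.get(low, set()):
        reasons.append("MD5 not in the clean-reference set for this path; the company "
                       "string comes from the version resource and is not a signature check")
    return reasons


def triage(text: str, reference: Dict[str, Set[str]] = REFERENCE_MD5) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons, in report order."""
    out: Dict[str, List[str]] = {}
    for entry in parse_report(text):
        why = flags(entry, reference)
        if why:
            out[entry.path] = why
    return out


if __name__ == "__main__":
    for path, why in triage(SAMPLE_FRST).items():
        print(path, *("   - " + r for r in why), sep="\n")
```

On the quoted sample the two .rat files and the Desktop directory pass, the six oddly named system32 files are flagged, and rpcss.dll is flagged only because its MD5 is not in the reference set; once a clean reference hash is filled in, a matching file drops out of the list.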
03 Feb 2014   #50
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Let's see what SFC can tell you about system file integrity.

Follow Option Two and Option Three in: http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html