Windows 7: MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

03 Feb 2014   #51
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by Slartybart
Yeah, I'm going to ask other members to look at the Farbar and ESET logs.
I know nothing here about these things, so I will listen to any comments and/or advice from those more knowledgeable.


Quote:
Under "Bamital & volsnap Check "
Where are you seeing this??

Quote:
C:\Windows\system32\rpcss.dll
[2009-10-31 07:46] - [2009-04-11 01:28] - 0550912 ____A (Microsoft Corporation) 150DB93F1299491B4AF6025650035AFD
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
I googled the MD5 and it is unique - no matched found.
I don't understand. What are you looking at? What are you looking at that shows that "attention" remark??

That RPCSS.DLL is no longer in C:\Windows\System32, having been deleted by HitmanPro.


Quote:
In the Farbar Additional file, there are a number of recent (today) events in the event logs.
Look at the tail end of the file or use event viewer on the system.
What "recent events" are you referring to?


Quote:
I'd feel more comfortable if a member on the security team took a look. Jacee has already stopped in and is a bit familiar with thread.
It was suggested that I invite Noeldp to look at this thread, and I've PM'd him.


Quote:
- this is a Vista machine, correct?
Correct. A Dell laptop.


03 Feb 2014   #52
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by Slartybart
Let's see what SFC can tell you about System file integrity.
Well, not surprisingly, it's unhappy with the state of RPCSS.DLL... and if I read the details correctly also says it cannot do the repair because the backup is also damaged.

I've edited the SFCDETAILS.TXT file to contain only the relevant "problematic" sections, eliminating the insignificant lines.

You know... maybe the version that is over on the D Recovery Partition is a GOOD ONE, not a copy of the bad one! The date on the D-version is from 1/19/2008 2:36:17AM 547,328 bytes, whereas the problem one found by HitmanPro was dated 2009 and is 3,000 bytes larger.

So even though the repair of C's RPCSS.DLL cannot be done because the C-backup is also corrupt, it seems possible to recover it from the D-version if we believe it to be a valid one.

Thoughts??


Attached Files
File Type: txt sfcdetails.txt (6.8 KB, 8 views)
04 Feb 2014   #53
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Do I need to run SFC /SCANNOW three times in a row, to eventually find the correct original 2008 backup?

If you look at my earlier screenshot where I was looking for RPCSS.DLL with Everything, you see that it occurs in MULTIPLE folders in C:\Winsxs. And there is one from 1/20/2008 which is the correct 535KB (which is the correct size, if we go by what is shown in the screenshot living on the D Recovery partition), whereas the later backups starting in 2009 are 538KB (which is the problematic size).

I've never used SFC /SCANNOW, but I do know that sometimes you need to run three "repairs" in order to finally get things fixed. I guess each subsequent repair uses a successively older backup??

Note from the following screenshot that it looks like the SFC repair I just did has restored a version of RPCSS.DLL into C:\Windows\System32... and it's the defective one.



I'm going to run the repair three more times, and see if I can recover that 2008 version which should be the right one.
04 Feb 2014   #54
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Well, I guess my guess was wrong. Doesn't pick up successively older backups with each running of SFC /SCANNOW. It just leaves the 550,912 byte version.

Obviously the 547,328 byte version from 2008 is now clearly recognized as the right original Windows version to shoot for (which matches the untouched version on the D Recovery partition).

Re-run of HitmanPro again deletes that version (although it's been rendered "harmless" by the previous cleansing of the Registry of the crucial related entries, so that it will no longer start at boot time even if present). It also deletes the backup version. See attached log file.

Interestingly, there is a "$$DELETEME..." version of the corrupt RPCSS.DLL that I don't know exactly where it came from... either the SFC repair, or the rerun of HitmanPro (which seems unlikely)?? It won't go away, but it is the bad object.



I give up for now. I need further advice on how to manually recover the 547,328 version from 2008... either from the C:\Windows\Winsxs backup where it lives, or from the D Recovery partition.


Attached Files
File Type: log HitmanPro_20140204_0105.log (7.8 KB, 0 views)
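The posts above compare copies of rpcss.dll by size, date and MD5 across C:\Windows\System32, C:\Windows\winsxs and the D: recovery partition, by hand and one screenshot at a time. The script below is an added example (not from this thread or any of the tools it mentions) that does that inventory in one pass; it assumes an elevated PowerShell on the affected machine and the drive letters used in the thread.

```powershell
# Added example: list every copy of rpcss.dll on the paths the thread discusses, with
# size, file version, MD5 (the value the FRST log reports) and Authenticode status,
# so the candidate clean copy and the patched copy can be told apart at a glance.
# Assumptions: run as Administrator; C:\Windows is %SystemRoot%; D:\ is the recovery partition.
$target = 'rpcss.dll'
$roots  = @("$env:SystemRoot\System32", "$env:SystemRoot\winsxs", 'D:\')

function Get-FileMd5([string]$Path) {
    # MD5 is used only because that is what the logs in the thread quote; it is not a trust decision.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($md5.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$rows = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter $target -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Path      = $_.FullName
            Bytes     = $_.Length
            Modified  = $_.LastWriteTime
            Version   = $_.VersionInfo.FileVersion
            MD5       = Get-FileMd5 $_.FullName
            Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer    = $signer
        }
      }
}

$rows | Sort-Object Bytes, Modified |
    Format-Table Bytes, Modified, Version, Signature, MD5, Path -AutoSize

# Copies sharing an MD5 are the same binary. In this thread the 547,328-byte copy that matches
# the recovery-partition original is the one to keep; the 550,912-byte copy is the flagged one.
$rows | Group-Object MD5 | ForEach-Object { '{0} copies with MD5 {1}' -f $_.Count, $_.Name }
```

On Vista and Windows 7, Microsoft system binaries are usually catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature can report NotSigned for a clean file; Sysinternals `sigcheck -c` verifies against the catalog if that check is needed.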
04 Feb 2014   #55
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Sorry dsperber, I shoveled a lot of snow yesterday and fell asleep early.

Let me catch up answering your posts.

Post 47 -> D:\Recovery.
The rpcss.dll in D:\Recovery is the base install for a Dell Vista - or should be. A scan didn't pick it up so, it's probably NOT infected. If the MD5 is unique then you'll have to dig a little deeper, but methinks it's ok.

I would make the OEM Recovery discs before nuking D:

Post 48 -> ESET
C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988_rpcss.dll_fd3e269b
>> Win32/Patched.IB trojan error while cleaning
This is in the backup folder for Winsxs - ESET failed to clean it, perhaps because it's in winsxs.
I'm not sure what to do with it.

Post 51 -> Everything you ask about was found in:
http://www.sevenforums.com/attachmen...arbar_frst.txt
or
http://www.sevenforums.com/attachmen...r_addition.txt

I'll look at the SFC log next.
04 Feb 2014   #56
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Yep, you read it correctly. Noel might want to see the entire log.

The rpcss.dll in D:\Recovery is probably good, getting it might be difficult. On my HP, the part is hidden and has a desktop.ini that puts up a HTML screen when you view the part. Getting around that is the easy part.

The base Windows files needed to begin a Recovery are or should be visible, but everything else is packed away in the install wim files.

Gregrocker is a whiz at this stuff.

Just make sure every one knows this is VISTA, Noel particularly. He might offer you replacement file(s) from Win7 if that is left unclear.

I'll go back thru the thread and collect your logs. I like to make it easier for people coming in cold to a thread. I'll match the log files to the malware guide, and try to make chronological order out of it.

Bill
04 Feb 2014   #57
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

dsperber is working on a friend's machine: Dell / Vista SP2

Post 1 -> Malwarebytes Pro alerted dsperber when it blocked IP addresses.
Mbam did not find or contain the threat.

Post 11 /12 - > AdwCleaner log wrapped in a code box on post.

Post 23: I directed dsperber to this: How to easily clean an infected computer (Malware Removal Guide)

Post 27 -> initial FRST log:
Scan_2014-2-1-14-54.txt

Jacee recommends clearing java cache and flushing DNS, dsperber complies.

Post 30 -> JRT run out of sequence, no harm no foul - nothing found anyway

Post 36 -> Hitman Pro & Mbam logs
HitmanPro_20140202_1454.log
HitmanPro_20140202_1459.log
MBAM_log.txt

Post 43 -> Jacee alert re: Trojan password stealer, dsperber complies.

post 44 - > Farbar logs
Farbar_FRST.txt
Farbar_Addition.txt

Post 48 - ESET log
ESET.txt

Post 53 -> SFC log
sfcdetails.txt

The malware removal guide has more scanners in it than there are logs posted.
Can you backfill the logs for the scanners in red:
- Kaspersky TDSSKiller
- RKill
- Malwarebytes Anti-Malware Free
- HitmanPro
- RogueKiller
- AdwCleaner
- Junkware Removal Tool
Checking the system after the clean
- ESET Online Scanner.
- Emsisoft Emergency Kit.


Edit: Post 61 -> missing logs posted
Rkill.txt
RKreport[0]_D_02022014_151303.txt
JRT.txt
HitmanPro_20140204_0105.log

Post 64 - > EMSISoft log
EMSISoft.txt

Post 68 -> Kaspersky TDSSKiller log
TDSSKiller.3.0.0.19_02.02.2014_14.18.47_log.txt

Thanks,

Bill
04 Feb 2014   #58
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

The System Update Readiness Tool (SURT) might help, I'm not sure.
SURT used to carry a few cabs when it was used to prepare Vista for an upgrade to Win7.
Lately though, SURT on Win7 is related to Windows Update issues only.

Download the correct bit depth Vista version from here: What is the System Update Readiness Tool?

It's big and it's slow - just so you know.

Bill
04 Feb 2014   #59
tom982

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro x64

This will fix up your SFC corruption

SFCFix Script

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.
  1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
  2. Download the file below, SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
  3. Save any open documents and close all open windows.
  4. On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
  5. Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
  6. SFCFix will now process the script.
  7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
  8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.

https://dl.dropboxusercontent.com/u/...ber/SFCFix.zip

SFC Scan
  1. Click on the Start button and in the search box, type Command Prompt
  2. When you see Command Prompt on the list, right-click on it and select Run as administrator
  3. When command prompt opens, copy and paste the following commands into it, press enter after each

    sfc /scannow

    Wait for this to finish before you continue

    copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt

  4. This will create a file, cbs.txt on your Desktop. Please attach this to your next post.
04 Feb 2014   #60
cottonball

Windows 7 Home Premium

dsperber,

tom982's guidance will fix the rpcss.dll issue, however, since you already downloaded and ran FRST, please do the following:

Please run FRST again and type the following in the input box after Search: rpcss.dll
Click the Search button

When done, a report, Search.txt, is created.

Please post the results of the Search.txt in your reply.

When tom is done, we need to use FRST again, and make sure there are no remnants lurking.

Thanks!