Windows 7 Forums

Windows 7: MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

04 Feb 2014   #61
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by Slartybart
dsperber is working on a friend's machine: Dell / Vista SP2
Many thanks for your summarizing the chronological essence of this thread.

Most significant "inflection point" regarding progress came on 2/2 at around 14:55PM when I ran HitmanPro and it found and removed MyWebSearch infection, which included the infected RPCSS.DLL as well as related Registry entries to launch it at system startup.

So any logs posted earlier in this thread should be viewed in the context of that 2/2 at 14:55PM turning point. Anything before that was with MyWebSearch still present, and anything after was "post-removal" by HitmanPro.

And then yesterday 2/3 per recommendation I ran SFC /SCANNOW. Apparently the fact that RPCSS.DLL was now missing from C:\Windows\System32 was discovered, and the "backup" version of RPCSS.DLL got restored from the 6002_18005 folder in C:\Windows\Winsxs. Unfortunately that version was itself the infected one. So I now had the infected version once again in C:\Windows\System32, though it appeared completely "harmless" since the necessary Registry entries to launch it into its evil state had actually been deleted on 2/2 by HitmanPro.

So I then again ran HitmanPro just to once again hopefully delete that infected version of RPCSS.DLL from C:\Windows\System32. This time HitmanPro discovered the backup version in the 6002_18005 folder (which it deleted, per its log) but it doesn't seem to have found and deleted it in C:\Windows\System32. I had thought it had disappeared from both locations following this step, but when I look now it appears to be back in C:\Windows\System32.

As you can see from the following screenshot, if we believe SearchMyFiles it appears that Windows is seemingly doing its own "restore" of the just-deleted version into C:\Windows\System32, perhaps caused by the effects of the SFC /SCANNOW. I admit I'm confused by the current state of things where for some reason SearchMyFiles discovers a version in C:\Windows\System32 whereas Everything and HitmanPro (just re-run again and latest log attached) do not.



Furthermore, there is still that "$$DELETEME..." infected version in \Winsxs\Temp\PendingDelete which I don't know how it got there and is not being deleted by anything.



The good news is that the infected version of RPCSS.DLL, no matter whether it's truly present or not in C:\Windows\System32, is apparently NOT ACTIVE. There are still no new "blocked IP" entries in the MBAM log, so the active malware definitely seems to be purged from the system.


A few more things to observe, regarding the dates and sizes of the various versions of RPCSS.DLL now present on this Vista machine. The dates of the several infected versions of the file are misleading and inconsistent, I think.

(1) Based on the D version it would appear that 547,328 is the true original size. And a date of either 1/19/2008 or 1/20/2008 is the correct original date per this Dell build.

(2) It looks like the original infected size of RPCSS.DLL was 549,888. This version is now living in backup folder 6000.16830 in \Winsxs.

(3) What looks like a second "decoy" infected version with size 549,888+512=550,400 is now living in backup folder 6000.21023 in \Winsxs.

(4) The true infected version with size 550,400+512=550,912 was previously stored in backup folder 6002.18005 but has now been deleted by a recent run of HitmanPro. But this infected version does seem to still somehow be present in C:\Windows\System32 according to SearchMyFiles, though it's not seen by Everything or HitmanPro (just re-run again). Quite a mystery here. In any case it is definitely NOT ACTIVE.

(5) Another "decoy" with size 550,912+512=551,424 is present in two backup folders, 6001.18226 as well as 6001.22389.

(6) None of the "decoys" gets detected by any scan, and they remain present. Only the 550,912 version has ever been detected by HitmanPro... and this program is currently convinced that it is no longer present.


Quote:
The malware removal guide has more scanners in it than there are logs posted.

Can you backfill the logs for the scanners in red:
Kaspersky TDSSKiller
RKill

Malwarebytes Anti-Malware Free
HitmanPro
RogueKiller
AdwCleaner
Junkware Removal Tool
Checking the system after the clean
ESET Online Scanner.
Emsisoft Emergency Kit.
The TDSSKiller log came from running the program in "Windows safe mode" with my friend's manual assistance. He told me the program said NOTHING FOUND. If there was a log from this execution I'm afraid it's lost or was never created. But I don't have it.

I'm attaching the requested additional logs for RKill, RogueKiller, and Junkware Removal Tool, along with the most recent HitmanPro log (from just a little while ago).

I hadn't run Emsisoft, but am doing so now. It seems fairly slow so I'll add its log to this post when it finally finishes.




Attached Files
File Type: txt Rkill.txt (5.1 KB, 1 views)
File Type: txt RKreport[0]_D_02022014_151303.txt (2.6 KB, 3 views)
File Type: txt JRT.txt (771 Bytes, 2 views)
File Type: log HitmanPro_20140204_0105.log (7.8 KB, 4 views)
04 Feb 2014   #62
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by cottonball
dsperber,

tom982's guidance will fix the rpcss.dll issue, however, since you already downloaded and ran FRST, please do the following:

Please run FRST again and type the following in the input box after Search: rpcss.dll
Click the Search button

When done, a report, Search.txt, is created.

Please post the results of the Search.txt in your reply.
Attached.

Interestingly, FRST seems to confirm SearchMyFiles discovery of RPCSS.DLL (the infected version size) in C:\Windows\System32 whereas it now appears undiscovered by both Everything and HitmanPro. This is only since running SFC /SCANNOW yesterday.

Oh well. Hopefully Tom982's guidance will get this all sorted out and end up with the correct original RPCSS.DLL restored into C:\Windows\System32 once and for all.

Note that the 1/20/2008 version in backup folder 6001.18000, size 547,328 bytes, is the true original Vista version that we ultimately want to restore.


Attached Files
File Type: txt Search.txt (1.5 KB, 3 views)
04 Feb 2014   #63
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by tom982
This will fix up your SFC corruption

SFCFix Script

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.
  1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
  2. Download the file below, SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
  3. Save any open documents and close all open windows.
  4. On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
  5. Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
  6. SFCFix will now process the script.
  7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
  8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.

https://dl.dropboxusercontent.com/u/...ber/SFCFix.zip
Tom,

Much appreciation for your help and guidance.

I haven't run this yet as the Emsisoft scan is still running on the infected laptop. But I've looked inside the SFCFix.zip file and am curious about its contents. I've never used these SFCFix tools before and don't yet have an understanding about what it's trying to do.

But looking inside the zip file it appears that you have the 6002.18005 backup folder (same as is on the Vista laptop), with a copy of RPCSS.DLL that is dated 4/11/2009 and has size 550,400. Actually, that isn't the original content of that backup folder from the Vista laptop. The original version of RPCSS.DLL that was in there was a duplicate of the true infected version living in C:\Windows\System32 and which got purged by HitmanPro, and was originally of size 550,912 bytes. That is the size of the infected RPCSS.DLL which along with the critical Registry entries was causing the original problem.

Again, I don't know what your goal here is, but I believe that this version is actually a "cousin", i.e. is "one decoy removed" (i.e. 550,912 - 512 = 550,400) from the true 550,912 infected version which is what was found and cleansed away by HitmanPro. I don't believe this 550,400 version is correct.

I would have expected to see the original Vista version of size 547,328 in your "fix" package, rather than an incorrectly sized "cousin of the infected 550,912 version". Am I wrong? Do I not understand what will actually happen via SFCFix and this incorrect 550,400 version of RPCSS.DLL?

Or is this 550,400 version from Vista SP2??

Is this my ignorance showing? I'd like to understand what SFCFix will do when I drop the script onto it, and I'm puzzled by the version of RPCSS.DLL that I see inside that ZIP.

Can you please explain what's going to happen here.

Many thanks again.

04 Feb 2014   #64
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Ok. The EMSISoft scan finally finished. Log attached.

Very strange.

(1) It found the 6002.18005 backup folder version of RPCSS.DLL (and deleted it), which had presumably been deleted by HitmanPro. This version did exist previously, but presumably no longer exists and is undetected by both SearchMyFiles and Everything, as well as FRST and HitmanPro.

So how can it now be found by EMSISoft if it's deleted??

(2) But it did not find the C:\Windows\System32 version of RPCSS.DLL that SearchMyFiles and FRST currently sees and that HitmanPro and Everything do not see.

How can this file be "visible" to some scans and "invisible" to others? Seems the file is either active and present in the file system and "visible", or it is deleted and gone from the file system and should not be seen by any tool. How can it be both??

And... WHAT IS THAT $$DELETEME... version in \Winsxs\Temp\PendingDeletes (see my screenshot above in post 61)?? Who created that, and why didn't it ever actually get deleted?? Is it some "quarantine" version from SFC or some other tool? How is it supposed to be deleted, as I cannot ("access denied")?

Anyway, attached is the requested log.


Attached Files
File Type: txt EMSISoft.txt (846 Bytes, 3 views)
04 Feb 2014   #65
tom982

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro x64
 
 

Can you upload a full CBS log please? Then I can explain everything and prove to you it's the right file

C:\Windows\Logs\CBS\CBS.log

Tom
04 Feb 2014   #66
cottonball

Windows 7 Home Premium
 
 

Quote:
Oh well. Hopefully Tom982's guidance will get this all sorted out and end up with the correct original RPCSS.DLL restored into C:\Windows\System32 once and for all.
^^ You got it!!

He is a "software distributor" for rpcss!!!



The MalwareTips link, although well intended, may have provided you too much info at one time.
It addresses "...viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs..." Wheeww!!

Running all those programs is not necessary in every case. In your case, a Trojan Horse: Trojan.Patched.Zekos.A

Malwaretips really means to provide you options, but one needs to sort out what is necessary.

Getting half cross-eyed when trying to figure out all the ins and outs of this stuff is not uncommon for any and/or all of us!!
04 Feb 2014   #67
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

You all know this is a Rootkit, doncha'? Let's think about Win/32sirefef
05 Feb 2014   #68
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by Slartybart
Can you backfill the logs for the scanners in red:
[ ] Kaspersky TDSSKiller -> the TDSSkiller log is on C:\ and should be easily identified
You were right. It was definitely there.

Attached.


Attached Files
File Type: txt TDSSKiller.3.0.0.19_02.02.2014_14.18.47_log.txt (173.9 KB, 6 views)
05 Feb 2014   #69
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by tom982
Can you upload a full CBS log please? Then I can explain everything and prove to you it's the right file

C:\Windows\Logs\CBS\CBS.log

Tom
This log seems to be an ongoing accumulation, and actually went back to 2/1 when I ran my first scan. I think this is a distraction.

I just ran a brand new fresh SFC /SCANNOW and edited the log to only include the output from this latest scan. Hopefully that is what you really want. If you want the complete log (going all the way back to 2/1) I can ZIP it and attach it.

But hopefully the attached most recent log contribution is what you want.

Also, here is what SearchMyFiles finds on my system following the SFC /SCANNOW just run. Note that the infected RPCSS.DLL (550,912) has once again returned to C:\Windows\System32 as a result of the "repair" done by SFC!!

==> I am STILL looking for an answer as to what the "$$DELETEME..." item is, and why it has not been deleted by whoever created it.

05 Feb 2014   #70
tom982

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro x64
 
 

Thanks, that's fine too. Okay, looking at the SFC results, we can see it's still flagging rpcss.dll as corrupt:

Code:
2014-02-05 00:32:25, Info                  CSI    000001b5 [SR] Verify complete
2014-02-05 00:32:25, Info                  CSI    000001b6 [SR] Repairing 1 components
2014-02-05 00:32:25, Info                  CSI    000001b7 [SR] Beginning Verify and Repair transaction
2014-02-05 00:32:25, Info                  CSI    000001b8 [SR] Cannot repair member file [l:18{9}]"rpcss.dll" of Microsoft-Windows-COM-Base-QFE-RPCSS, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2014-02-05 00:32:25, Info                  CSI    000001b9 [SR] Unable to repair \SystemRoot\WinSxS\Manifests\\[l:18{9}]"rpcss.dll"
2014-02-05 00:32:25, Info                  CSI    000001ba [SR] Cannot repair member file [l:18{9}]"rpcss.dll" of Microsoft-Windows-COM-Base-QFE-RPCSS, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2014-02-05 00:32:25, Info                  CSI    000001bb [SR] This component was referenced by [l:160{80}]"Package_25_for_KB948465~31bf3856ad364e35~x86~~6.0.1.18005.948465-113_neutral_GDR"
2014-02-05 00:32:25, Info                  CSI    000001bc Hashes for file member \??\C:\Windows\System32\rpcss.dll do not match actual file [l:18{9}]"rpcss.dll" :
  Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=} Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
2014-02-05 00:32:25, Info                  CSI    000001bd [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"rpcss.dll"; source file in store is also corrupted
Notice this lists the hashes:

Code:
Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=} 
Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
As you would expect with a corrupt file, the hash found differs from the expected value. The replacement file we need needs to return a hash of 7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=, so let's see what I uploaded:

Code:
[2: 1] C:\Users\Tom\Desktop\rpcss.dll 
File is untraceable.
 Found: 7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=
 Found: 6.0.6002.18005
Trace not available.
Exactly the same. This is the file you need, but since Jacee has mentioned there are rootkits at work here, you shouldn't run this fix until you've been cleaned by one of our security analysts. Nothing will be able to repair this file though, so you will need to fix it after the malware has been removed.

Regarding your question on my SFCFix script, all it does is copy this file into winsxs and deal with all of the hardlinks, permissions and ownership data so your computer isn't left open to attack.

Tom
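A small checker for the CBS.log pattern Tom walks through above: it pulls the Found/Expected pair out of the log, flags members whose WinSxS store copy is also corrupt (the case SFC cannot fix on its own), and tests whether a candidate replacement file hashes to the expected value. This is an added example, not code from the thread or from SFCFix; it assumes the 32-byte (`l:32`) value CBS logs is a base64-encoded SHA-256 digest, and the sample log lines are the ones quoted in the post.

```python
import base64
import hashlib
import re

# Constructed sample: the CBS.log lines quoted in the post above, laid out as the
# log file holds them (the Found/Expected pair wraps onto its own line).
CBS_LOG_EXCERPT = r"""2014-02-05 00:32:25, Info                  CSI    000001bc Hashes for file member \??\C:\Windows\System32\rpcss.dll do not match actual file [l:18{9}]"rpcss.dll" :
  Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=} Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
2014-02-05 00:32:25, Info                  CSI    000001bd [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"rpcss.dll"; source file in store is also corrupted
"""

MEMBER_RE = re.compile(r"Hashes for file member (?P<path>\S+) do not match")
HASH_RE = re.compile(
    r"Found: \{l:32 b:(?P<found>[A-Za-z0-9+/=]+)\}\s+Expected: \{l:32 b:(?P<expected>[A-Za-z0-9+/=]+)\}"
)
STORE_RE = re.compile(
    r'Could not reproject corrupted file .*?"(?P<name>[^"]+)"; source file in store is also corrupted'
)


def parse_hash_mismatches(log_text):
    """Return [{'path', 'found', 'expected'}] for every hash mismatch SFC logged."""
    results = []
    pending_path = None
    for line in log_text.splitlines():
        m = MEMBER_RE.search(line)
        if m:
            pending_path = m.group("path")  # the hash pair follows on the next line
            continue
        m = HASH_RE.search(line)
        if m and pending_path is not None:
            results.append({"path": pending_path, "found": m.group("found"), "expected": m.group("expected")})
            pending_path = None
    return results


def unrepairable_members(log_text):
    """File names SFC gave up on because the WinSxS store copy is corrupt too."""
    return {m.group("name") for m in STORE_RE.finditer(log_text)}


def sha256_b64(data):
    # Assumption: the 32-byte value CBS logs is a base64 SHA-256 digest of the file.
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def candidate_matches(file_bytes, expected_b64):
    """True when a replacement file would satisfy the hash SFC expects."""
    return sha256_b64(file_bytes) == expected_b64


if __name__ == "__main__":
    for entry in parse_hash_mismatches(CBS_LOG_EXCERPT):
        print(entry["path"], "found", entry["found"], "expected", entry["expected"])
    print("store copy also corrupt for:", unrepairable_members(CBS_LOG_EXCERPT))
    # Constructed stand-in bytes, not the real rpcss.dll, so this prints False.
    print("stand-in matches:", candidate_matches(b"constructed stand-in", "7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM="))
```

To check a real candidate, read the file in binary mode and pass its bytes to `candidate_matches` with the Expected value parsed from your own CBS.log.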