Windows 7 Forums

Windows 7: MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

05 Feb 2014   #71
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by tom982
This is the file you need
You're confirming that the ZIP file you provided is correct, and that the 550,400 byte version of RPCSS.DLL is the right one we want to place in the 6002.18005 backup folder as well as end up with eventually in C:\Windows\System32?


Quote:
but since Jacee has mentioned there are rootkits at work here, you shouldn't run this fix until you've been cleaned by one of our security analysts.
You're saying I should NOT run the SFCFix and ZIP that you provided earlier?? I thought you said it was the right one.


Quote:
Nothing will be able to repair this file though, so you will need to fix it after the malware has been removed.
I don't follow. What can't be fixed?? And how is the malware now to be removed... HitmanPro? Something else.

I'm confused.


Quote:
Regarding your question on my SFCFix script, all it does is copies this file into winsxs and deals with all of the hardlinks, permissions and ownership data so your computer isn't left open to attack.
So should I run it or not? Now, or later after some other preliminary step?

I'm confused. What do I run or not run, and if I'm waiting for "further instructions" from you or someone else please let me know.

Thanks.


05 Feb 2014   #72
cottonball

Windows 7 Home Premium
 
 

dsperber,

My apology for the confusion we have caused.

The issue is that your Operating System shows infected by Trojan.Patched.Zekos

This particular trojan may display with Trojan.Patched.Sirefef, identified as the ZeroAccess Rootkit.

On the last Farbar Recovery Scan Tool report you posted, there was no sign of the Sirefef/ZeroAccess Rootkit. I do not recall seeing it in other reports either.

However, since malware works fast, and in strange ways, at this point, the best thing you can do is remove the copy of the Farbar Recovery Scan Tool that you have, including its C:\FRST folder, and download a new and updated copy.

Download: Farbar Recovery Scan Tool Download
Select the version that applies to your system: 32-bit

Save it to your Desktop.

Double-click the downloaded file to run it.
When the tool opens, click Yes to the disclaimer.
Also check the Addition.txt, if not already checked.

Press the Scan button.

When done, the tool makes a log, FRST.txt, on the Desktop.

Please provide the FRST.txt in your reply.

It also creates another log: Addition.txt
Also post the Addition.txt in your reply.


Using the new FRST information, we'll prepare a script for you to run, and get rid of any malicious files that show.

We can also address the rpcss issue using FRST, but since you already ran SFC, tom982, who is, without doubt, an expert in solving SFC issues, will re-enter the game and work on replacing the rpcss.dll.

You are in good hands, so please hang in there, please, do not run any more programs, and let FRST and tom982's SFCfix files (.exe and .zip) do the work for you!!!

If you have any other questions, feel free to ask!

Thank you for your understanding and your patience.


05 Feb 2014   #73
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by cottonball
dsperber,

My apology for the confusion we have caused.

The issue is that your Operating System shows infected by Trojan.Patched.Zekos

This particular trojan may display with Trojan.Patched.Sirefef, identified as the ZeroAccess Rootkit.

On the last Farbar Recovery Scan Tool report you posted, there was no sign of the Sirefef/ZeroAccess Rootkit. I do not recall seeing it in other reports either.
I believe it had been observed and identified as Trojan.Patched.Zekos in my [presumed] "success" post #37, via HitmanPro.

But you're right, it never showed as Trojan.Patched.Sirefef or ZeroAccess Rootkit.

I had assumed it got removed by HitmanPro, although there is that "Pending Delete" annotation which I am not clear about, even though I definitely DID re-boot after that scan and pushing its DELETE button. And yet, there is still the mysterious $$DELETEME... item in \PendingDeletes which has yet to go away, and that I'm still asking for someone to explain to me.

Nevertheless... I will not run anything more unless specifically told to. There is currently no outgoing access to the problem IPs, so the effect of the malware does appear to be "removed" even if all remnants are not.


Quote:
However, since malware works fast, and in strange ways, at this point, the best thing you can do is remove the copy of the Farbar Recovery Scan Tool that you have, including its C:\FRST folder, and download a new and updated copy.

Download: Farbar Recovery Scan Tool Download
Select the version that applies to your system: 32-bit

Save it to your Desktop.

Double-click the downloaded file to run it.
When the tool opens, click Yes to the disclaimer.
Also check the Addition.txt, if not already checked.

Press the Scan button.

When done, the tool makes a log, FRST.txt, on the Desktop.

Please provide the FRST.txt in your reply.

It also creates another log: Addition.txt
Also post the Addition.txt in your reply.
Both logs from most recent Farbar SCAN just performed attached below.

Thank you very much for your patience, help and guidance. Note that I have NOT gone beyond this, and have not run SFC again nor SFCFix using Tom's originally posted recipe. I will await further new and specific instructions before doing anything.


Attached Files
File Type: txt FRST.txt (66.9 KB, 7 views)
File Type: txt Addition.txt (22.7 KB, 4 views)

05 Feb 2014   #74
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by Slartybart
AHA!

I just looked at the most recent of these logs that I was asked to produce from a fresh run of Farbar, and sure enough the things I had asked you about were absolutely right there!

I didn't realize originally that you were actually quoting from those very original logs in your post. I thought you had done your own post-processing or further analysis of what had been revealed. I now see them in the new logs as well.

My misunderstanding. Now clarified. Thanks.
05 Feb 2014   #75
cottonball

Windows 7 Home Premium
 
 

dsperber,

Glad things are a little clearer...

On:
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll
Looks as if HitmanPro is not the program to handle this.

tom982 will take care of it with the SFCfix after we clean up the files everything else missed.

Will take a look at the FRST reports a little later today, and will get back to you this evening with the action required for your system.

Thanks for your patience.
05 Feb 2014   #76
tom982

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro x64
 
 

Quote: Originally Posted by dsperber
Quote: Originally Posted by tom982
This is the file you need
You're confirming that the ZIP file you provided is correct, and that the 550,400 byte version of RPCSS.DLL is the right one we want to place in the 6002.18005 backup folder as well as end up with eventually in C:\Windows\System32?
Yes, the file I uploaded was correct. I don't have time to check all the sizes but I know I've uploaded the right file as per the hashes in my previous post. Yes it will end up in winsxs and system32 (technically it's just one file linked to both locations).

Quote:
Quote:
but since Jacee has mentioned there are rootkits at work here, you shouldn't run this fix until you've been cleaned by one of our security analysts.
You're saying I should NOT run the SFCFix and ZIP that you provided earlier?? I thought you said it was the right one.
Correct, do not run my script until the malware has been removed. It is the right file, but I'm not sure who would win in a fight between the malware and SFCFix. Whatever you still have on board is patching this file and may well be protecting it, so there's not much point trying to repair it until we've removed the malware.

Quote:
Quote:
Nothing will be able to repair this file though, so you will need to fix it after the malware has been removed.
I don't follow. What can't be fixed?? And how is the malware now to be removed... HitmanPro? Something else.
None of the malware removal tools will be able to replace rpcss.dll with a clean copy as there isn't a clean copy on your computer to replace it with - this is something we will have to do at the end with my SFCFix script. I can't comment on the malware removal I'm afraid, I'm still in training and am under strict rules not to assist with malware removal during this time.

Quote:
I'm confused.
Hope this clears it up

Quote:
Quote:
Regarding your question on my SFCFix script, all it does is copies this file into winsxs and deals with all of the hardlinks, permissions and ownership data so your computer isn't left open to attack.
So should I run it or not? Now, or later after some other preliminary step?
Once again, do not run my script until I give you the go ahead. Wait for cottonball/Jacee to clean your computer, then we can get to work.

Tom
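tom982's point above, that rpcss.dll is one file hardlinked into both winsxs and System32 and is to be verified against known-good hashes, can be checked programmatically. The following Python is an added example, not code from the thread or from SFCFix: it uses constructed sample bytes in place of rpcss.dll, a placeholder hash computed from those bytes (the real known-good hash is not on this page), and demonstrates how such a check reports a healthy hardlinked layout versus a System32 copy that has been modified and is no longer linked to the component store.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for a system DLL; NOT real rpcss.dll content.
SAMPLE_BYTES = b"MZ" + b"constructed-sample-not-a-real-dll-" * 64
# Placeholder: in practice this is the known-good hash from a trusted source.
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()
EXPECTED_SIZE = len(SAMPLE_BYTES)


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large system files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def same_file(path_a, path_b):
    """True when both paths are names for one underlying file (hardlinks).

    Python fills st_dev/st_ino on NTFS from the volume serial and file index,
    so this identity test works on Windows as well as on POSIX systems.
    """
    a, b = os.stat(path_a), os.stat(path_b)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def check_system_file(system32_path, winsxs_path, expected_sha256, expected_size):
    """Report whether the live System32 copy is the component-store file and
    matches the known-good hash and size. Any False means: replace, don't trust."""
    st = os.stat(system32_path)
    report = {
        "linked_to_winsxs": same_file(system32_path, winsxs_path),
        "link_count": st.st_nlink,
        "size_ok": st.st_size == expected_size,
        "hash_ok": sha256_of(system32_path).lower() == expected_sha256.lower(),
    }
    report["clean"] = report["linked_to_winsxs"] and report["size_ok"] and report["hash_ok"]
    return report


def demo():
    """Build two constructed layouts under a temp directory and check both:
    healthy (System32 name hardlinked to the winsxs file) and patched
    (System32 holds a separate copy with bytes appended)."""
    with tempfile.TemporaryDirectory() as tmp:
        winsxs = os.path.join(tmp, "winsxs", "component")
        system32 = os.path.join(tmp, "System32")
        os.makedirs(winsxs)
        os.makedirs(system32)
        store_copy = os.path.join(winsxs, "rpcss.dll")
        with open(store_copy, "wb") as f:
            f.write(SAMPLE_BYTES)

        # Healthy: one file, two names.
        live = os.path.join(system32, "rpcss.dll")
        os.link(store_copy, live)
        healthy = check_system_file(live, store_copy, EXPECTED_SHA256, EXPECTED_SIZE)

        # Patched: the link is gone and the live copy differs from the store copy.
        os.unlink(live)
        shutil.copyfile(store_copy, live)
        with open(live, "ab") as f:
            f.write(b"CONSTRUCTED-MODIFICATION")
        patched = check_system_file(live, store_copy, EXPECTED_SHA256, EXPECTED_SIZE)
    return healthy, patched


if __name__ == "__main__":
    for name, rep in zip(("healthy", "patched"), demo()):
        print(name, rep)
```

On a real system the two paths would be C:\Windows\System32\rpcss.dll and the matching file under C:\Windows\winsxs, and the expected hash would come from a trusted reference rather than from the file itself; a link count of 1 on the System32 copy is by itself a sign that the component-store relationship has been broken.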
05 Feb 2014   #77
cottonball

Windows 7 Home Premium
 
 

dsperber,

FRST was run from here: Running from C:\BBS\Farbar

As requested, please have FRST on the Desktop!

Next, please open notepad (Start > All Programs > Accessories > Notepad)

Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, where FRST is now located, and name it: fixlist.txt

Note: The fixlist.txt and FRST must both be on the Desktop, or this will not work!

Code:
start
HKLM\...\Run: [] - [X]
HKU\S-1-5-21-1484120312-2850907632-530992151-1000\...\MountPoints2: G - G:\LaunchU3.exe
HKU\S-1-5-21-1484120312-2850907632-530992151-1000\...\MountPoints2: {6acf7da0-e49b-11de-bc1c-00038a000015} - G:\LaunchU3.exe
SearchScopes: HKLM - DefaultScope value is missing.
2014-01-29 21:29 - 2014-01-29 21:29 - 00000000 ____S () C:\Windows\system32\ubwvq.dqs
2014-01-28 19:01 - 2014-01-28 19:01 - 00000000 ____S () C:\Windows\system32\ifmhg.xgj
2014-01-26 08:56 - 2014-01-26 08:56 - 00028672 _____ () C:\Windows\system32\fdnzvw.cnw
2014-01-26 08:45 - 2014-02-02 14:10 - 00000078 _____ () C:\Windows\system32\ntkziiv.ccs
2014-01-26 08:45 - 2014-01-26 08:56 - 00000100 _____ () C:\Windows\system32\ohwyn.tgy
2014-01-26 08:45 - 2014-01-26 08:45 - 00000064 _____ () C:\Windows\system32\yqqn.sxt
2014-01-04 11:46 - 2014-01-04 11:46 - 00101213 ____S () C:\Windows\system32\cdklx.uaf
end
NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please run FRST, and press the Fix button just once, and wait.

When done, the tool creates a report on the Desktop called: Fixlog.txt

Please post the Fixlog.txt in your reply.
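The file lines in the fixlist above follow FRST's fixed layout: created date, modified date, size, attribute flags, company string in parentheses, path. As an added example that is not part of the thread or of FRST itself, here is a Python parser for that layout with a small triage rule that goes a little beyond the single case shown: it scores every System32 entry on several independent signals (recent creation, non-standard extension, empty company string, System attribute, vowel-free name) rather than matching one file. The fixlist's own file lines are the sample input; the registry lines around them are kept to show the parser ignores them; the two benign lines at the end are constructed, with placeholder dates and vendor strings; the thresholds are my assumptions.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# One FRST file entry: "<created> - <modified> - <size> <attrs> (<company>) <path>"
FRST_FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"\((?P<company>[^)]*)\) (?P<path>.+)$"
)

# Extensions that normally live under System32; anything else there is worth a look.
EXPECTED_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".mui", ".cat", ".inf", ".drv", ".cpl"}

# Thread date, used as the reference point for "recently created".
NOW = datetime(2014, 2, 5)

# Sample input: the fixlist's file lines plus non-file lines the parser must skip,
# and two constructed benign lines (dates/vendor are placeholders, not real metadata).
SAMPLE_LINES = r"""
start
HKLM\...\Run: [] - [X]
SearchScopes: HKLM - DefaultScope value is missing.
2014-01-29 21:29 - 2014-01-29 21:29 - 00000000 ____S () C:\Windows\system32\ubwvq.dqs
2014-01-28 19:01 - 2014-01-28 19:01 - 00000000 ____S () C:\Windows\system32\ifmhg.xgj
2014-01-26 08:56 - 2014-01-26 08:56 - 00028672 _____ () C:\Windows\system32\fdnzvw.cnw
2014-01-26 08:45 - 2014-02-02 14:10 - 00000078 _____ () C:\Windows\system32\ntkziiv.ccs
2014-01-26 08:45 - 2014-01-26 08:56 - 00000100 _____ () C:\Windows\system32\ohwyn.tgy
2014-01-26 08:45 - 2014-01-26 08:45 - 00000064 _____ () C:\Windows\system32\yqqn.sxt
2014-01-04 11:46 - 2014-01-04 11:46 - 00101213 ____S () C:\Windows\system32\cdklx.uaf
2009-07-14 01:14 - 2009-07-14 01:14 - 00550400 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2014-02-01 10:00 - 2014-02-01 10:00 - 00012345 _____ (Example Vendor) C:\Windows\system32\drivers\examplefilter.sys
end
"""


def parse_file_line(line):
    """Return a dict for an FRST file entry, or None for any other kind of line."""
    m = FRST_FILE_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "created": datetime.strptime(d["created"], "%Y-%m-%d %H:%M"),
        "modified": datetime.strptime(d["modified"], "%Y-%m-%d %H:%M"),
        "size": int(d["size"]),
        "system_attr": "S" in d["attrs"],
        "company": d["company"].strip(),
        "path": PureWindowsPath(d["path"]),
    }


def looks_random(stem):
    """Crude signal: a 4+ letter name that is almost vowel-free (e.g. 'ubwvq').
    Genuine files such as rpcss trip this too, so it is only one signal among several."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.3


def suspicion_reasons(entry, now, recent_days=30):
    """Collect independent signals for a file under System32; other paths get none."""
    p = entry["path"]
    if not any(part.lower() == "system32" for part in p.parts):
        return []
    reasons = []
    if now - entry["created"] <= timedelta(days=recent_days):
        reasons.append(f"created within {recent_days} days")
    if p.suffix.lower() not in EXPECTED_EXTENSIONS:
        reasons.append(f"unusual extension {p.suffix!r}")
    if not entry["company"]:
        reasons.append("no company/version information")
    if entry["system_attr"]:
        reasons.append("System attribute set")
    if looks_random(p.stem):
        reasons.append("vowel-free random-looking name")
    return reasons


def triage(text, now=NOW, min_signals=3):
    """Parse FRST output and return System32 entries with enough signals to
    deserve a closer look, highest score first."""
    flagged = []
    for line in text.splitlines():
        entry = parse_file_line(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry, now)
        if len(reasons) >= min_signals:
            flagged.append({"path": str(entry["path"]), "score": len(reasons), "reasons": reasons})
    flagged.sort(key=lambda r: -r["score"])
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit["score"], hit["path"], "; ".join(hit["reasons"]))
```

Run against the sample, all seven fixlist files score 4 or 5 and the two constructed benign entries score 1 (rpcss.dll only on the name heuristic, which is exactly why a single signal is never enough). The output is a shortlist for a human analyst, not a deletion list; the fixlist in the post above was written by someone who had already read the full logs.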
05 Feb 2014   #78
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by cottonball
dsperber,

FRST was run from here: Running from C:\BBS\Farbar
Yes, sorry. Didn't think it was crucial for the scan. The actual "owner" of the laptop likes to keep the desktop "clean" so I was trying to keep the tools for this project in a private folder. Didn't want to lose anything even if I were to purge the items I had used from the desktop when done, so I thought this method would be acceptable... at least for the scan.


Quote:
As requested, please have FRST on the Desktop!
Yes, I've now placed it on the Desktop for use in the upcoming FIX step.


Quote:
Next, please open notepad (Start > All Programs > Accessories > Notepad)

Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, where FRST is now located, and name it: fixlist.txt

Note: The fixlist.txt and FRST must both be on the Desktop, or this will not work!
Understood.


Quote:
Now, please run FRST, and press the Fix button just once, and wait.

When done, the tool creates a report on the Desktop called: Fixlog.txt

Please post the Fixlog.txt in your reply.
Attached.


Attached Files
File Type: txt Fixlog.txt (2.3 KB, 2 views)
05 Feb 2014   #79
cottonball

Windows 7 Home Premium
 
 

Good job, dsperber!!

Since you already have the program installed, please use: Malwarebytes Anti-Malware (MBAM)
Double-click the MBAM file to run it.

If an update is found, the program automatically updates itself.
At the program console, on the Scanner tab, select: Perform Quick Scan

Next, click on the Scan button.

When the scan is completed, click on: Show Results

When presented with a screen showing the malware detected, take a good look at the items shown, and, if present, uncheck:
C:\Windows\System32\rpcss.dll

(MBAM cannot disinfect the file and make it whole again, and we do not want the file removed! We want it replaced!)

Next, checkmark whatever else is found, and click on: Remove Selected

When removal is completed, a report opens in Notepad.

Please provide the entire contents of the MBAM report in your reply.


Thanks!


05 Feb 2014   #80
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by cottonball
please use: Malwarebytes Anti-Malware (MBAM)
Double-click the MBAM file to run it.

At the program console, on the Scanner tab, select: Perform Quick Scan

Next, click on the Scan button.

When the scan is completed, click on: Show Results
There was nothing malicious found. No "show results" opportunity.

See attached log.


Attached Files
File Type: txt mbam-log-2014-02-05 (22-50-10).txt (1.9 KB, 3 views)