Windows 7 Forums



Windows 7: MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

05 Feb 2014   #81
cottonball

Windows 7 Home Premium
 
 

Good job!!

tom982 is probably getting some at this time, but, I'm sure he will be with you as soon as he can.

Please do not run any other programs in the meantime.

Thank you for your patience!


06 Feb 2014   #82
tom982

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro x64
 
 

Great work, cottonball! Now that you're clean, we can perform the last bit of the fix:

SFCFix Script

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.
  1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
  2. Download the file below, SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
  3. Save any open documents and close all open windows.
  4. On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
  5. Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
  6. SFCFix will now process the script.
  7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
  8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.

https://dl.dropboxusercontent.com/u/...ber/SFCFix.zip

SFC Scan
  1. Click on the Start button and in the search box, type Command Prompt
  2. When you see Command Prompt on the list, right-click on it and select Run as administrator
  3. When command prompt opens, copy and paste the following commands into it, press enter after each

    sfc /scannow

    Wait for this to finish before you continue

    copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt

  4. This will create a file, cbs.txt on your Desktop. Please attach this to your next post.

Tom
06 Feb 2014   #83
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by tom982
SFCFix Script

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.
  1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
  2. Download the file below, SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
  3. Save any open documents and close all open windows.
  4. On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
  5. Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
  6. SFCFix will now process the script.
  7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
  8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.

https://dl.dropboxusercontent.com/u/...ber/SFCFix.zip
Step 2 is still running, so I thought I'd post the results of the above Step 1.

Log is attached.

Here is a screenshot of the current state of things regarding RPCSS.DLL following the above SFCFix.



I will post the results of the /SCANNOW along with a second screenshot again showing the whereabouts of RPCSS.DLL in my next reply, when it finishes.


Attached Files
SFCFix.txt (2.4 KB)

06 Feb 2014   #84
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by tom982
SFC Scan
  1. Click on the Start button and in the search box, type Command Prompt
  2. When you see Command Prompt on the list, right-click on it and select Run as administrator
  3. When command prompt opens, copy and paste the following commands into it, press enter after each

    sfc /scannow

    Wait for this to finish before you continue

    copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt
  4. This will create a file, cbs.txt on your Desktop. Please attach this to your next post.
I believe we have liftoff!

Looks like SFC /SCANNOW has correctly replaced the infected 550,912 byte version of RPCSS.DLL (which just a moment ago was in C:\Windows\System32) with the new 550,400 byte clean one you provided in the ZIP file going into SFCFix.



I'm attaching the log from the /SCANNOW.


Now... the only remaining item is that there are now TWO copies of the infected version of RPCSS.DLL still living in \Winsxs\Temp\PendingDeletes of the form $$DELETEME.... Previously there was only one. So obviously it is the SFC /SCANNOW which is creating these.

However I myself cannot delete them (access denied). So how are they supposed to get deleted??? I don't want them on my system, as they are the infected versions. Even though HitmanPro long ago (several days ago) removed the crucial activating Registry entries so that these two $$DELETEME versions are harmless, I still want to delete them... as their name suggests was intended.

So, how does one go about deleting them??


Anyway, this long and arduous process does appear to be just about at its true completion once these two $$DELETEME files are finally deleted. They are the only existing copies of the infected RPCSS.DLL remaining on the disk.

Can't thank all of you who contributed anything at all enough. Reps will be given all around!
06 Feb 2014   #85
cottonball

Windows 7 Home Premium
 
 

dsperber,

Not to worry...

There are several hours of time difference between tom982 and us, so, we need to wait for his assessment of the replacement by SFC.
07 Feb 2014   #86
tom982

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro x64
 
 

Excellent! The repair went through, and SFC has been able to reform the hardlinks:

Code:
RtlRunPrimitiveOperationsFromCallbacksAgainstSil(...)[gle=0xd0000121]
2014-02-06 14:41:47, Info                  CSI    000001bc [SR] Unable to complete Verify and Repair transaction because some of the files that need to be repaired are in use. A reboot is required to complete this operation.
2014-02-06 14:41:47, Info                  CSI    000001bd [SR] Repairing 1 components
2014-02-06 14:41:47, Info                  CSI    000001be [SR] Beginning Verify and Repair transaction
2014-02-06 14:41:47, Info                  CSI    000001bf Hashes for file member \??\C:\Windows\System32\rpcss.dll do not match actual file [l:18{9}]"rpcss.dll" :
  Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=} Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
2014-02-06 14:41:47, Info                  CSI    000001c0 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"rpcss.dll" from store
2014-02-06 14:41:47, Info                  CSI    000001c1 Repair results created:
POQ 85 starts:
     0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\7afaf9787323cf01d22300005c133c07._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
    1: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\9a1e01797323cf01d32300005c133c07.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
    2: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\7a050d797323cf01d42300005c133c07.$$_system32_21f9a9c4a2f8b514.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"
    3: Hard Link File: Source = [l:246{123}]"\SystemRoot\WinSxS\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll", Destination = [l:66{33}]"\??\C:\Windows\System32\rpcss.dll"

POQ 85 ends.
2014-02-06 14:41:47, Info                  CSI    000001c2 [SR] Repair complete
So we've fixed rpcss.dll; now for the next issue! I suspect this issue will be fixed if you reboot, so reboot your computer and let me know how it goes. This error is a little worrying though; it's unusual for an issue like this to return a fatal (F) error like this:

Code:
2014-02-06 14:41:47, Error                 CSI    000001bb (F) STATUS_CANNOT_DELETE #4098596# from
If they don't get removed over a reboot then we'll have to do it manually.

Tom
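As an added example (not code from this thread, from SFCFix, FRST or SystemLook, and not something Tom posted), the following Python pulls out of CBS.log lines of the kind quoted above the facts a helper actually reads off them: the [SR] progress events, the Found/Expected component-store hashes for a file that failed verification (decoded from base64 and checked against their declared l:32 byte length), the POQ operations that re-create the System32 hard link from the WinSxS store, and any fatal (F) CSI error such as the STATUS_CANNOT_DELETE above. The sample log is constructed from the excerpt in this post; the field layouts are inferred from that text rather than from any Microsoft documentation, and the class and function names are the example's own.

```python
"""Parse Windows CBS.log (the SFC /scannow log) for [SR] events, component-store
hash mismatches, POQ repair operations and fatal (F) CSI errors."""
import base64
import re
from dataclasses import dataclass, field

# Constructed sample, modelled line-for-line on the CBS.log excerpt quoted in this thread.
SAMPLE_CBS_LOG = r"""
2014-02-06 14:41:47, Error                 CSI    000001bb (F) STATUS_CANNOT_DELETE #4098596# from
2014-02-06 14:41:47, Info                  CSI    000001bd [SR] Repairing 1 components
2014-02-06 14:41:47, Info                  CSI    000001bf Hashes for file member \??\C:\Windows\System32\rpcss.dll do not match actual file [l:18{9}]"rpcss.dll" :
  Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=} Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
2014-02-06 14:41:47, Info                  CSI    000001c0 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"rpcss.dll" from store
POQ 85 starts:
     0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\7afaf9787323cf01d22300005c133c07._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
    3: Hard Link File: Source = [l:246{123}]"\SystemRoot\WinSxS\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll", Destination = [l:66{33}]"\??\C:\Windows\System32\rpcss.dll"
POQ 85 ends.
2014-02-06 14:41:47, Info                  CSI    000001c2 [SR] Repair complete
"""

# Field layouts are inferred from the log text itself (an assumption of this example).
FATAL_RE = re.compile(r", Error\s+CSI\s+\S+ \(F\) (\S+)")
SR_RE = re.compile(r"\[SR\] (.*)$")
MEMBER_RE = re.compile(r"Hashes for file member (\S+) do not match")
HASH_RE = re.compile(r"Found: \{l:(\d+) b:([A-Za-z0-9+/=]+)\} Expected: \{l:(\d+) b:([A-Za-z0-9+/=]+)\}")
POQ_OP_RE = re.compile(r'^\s*\d+: ([A-Za-z ]+?): Source = \[[^\]]*\]"([^"]*)", Destination = \[[^\]]*\]"([^"]*)"')


@dataclass
class HashMismatch:
    path: str          # NT path of the file CSI found modified
    found_hex: str     # hash of the file as it is on disk
    expected_hex: str  # hash the component store expects for that file


@dataclass
class PoqOp:
    kind: str          # e.g. "Move File", "Hard Link File"
    source: str
    destination: str


@dataclass
class CbsReport:
    sr_events: list = field(default_factory=list)
    fatal_errors: list = field(default_factory=list)
    mismatches: list = field(default_factory=list)
    poq_ops: list = field(default_factory=list)


def decode_hash(declared_len: str, b64: str) -> str:
    """Decode a CSI {l:N b:...} field to hex, refusing it if the length does not match N."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != int(declared_len):
        raise ValueError(f"declared {declared_len} bytes, decoded {len(raw)}")
    return raw.hex()


def parse_cbs_log(text: str) -> CbsReport:
    """Walk the log once, pairing each 'Hashes for file member' line with the Found/Expected line after it."""
    report = CbsReport()
    pending_member = None
    for line in text.splitlines():
        if m := FATAL_RE.search(line):
            report.fatal_errors.append(m.group(1))
        if m := SR_RE.search(line):
            report.sr_events.append(m.group(1))
        if m := MEMBER_RE.search(line):
            pending_member = m.group(1)
            continue
        if pending_member and (m := HASH_RE.search(line)):
            report.mismatches.append(HashMismatch(
                pending_member, decode_hash(m.group(1), m.group(2)), decode_hash(m.group(3), m.group(4))))
            pending_member = None
            continue
        if m := POQ_OP_RE.match(line):
            report.poq_ops.append(PoqOp(m.group(1), m.group(2), m.group(3)))
    return report


def restored_files(report: CbsReport) -> dict:
    """Map each system path re-linked by the repair to the WinSxS store file it now points at."""
    return {op.destination: op.source for op in report.poq_ops if op.kind == "Hard Link File"}


if __name__ == "__main__":
    rep = parse_cbs_log(SAMPLE_CBS_LOG)
    for mm in rep.mismatches:
        print(f"MODIFIED {mm.path}\n  on disk : {mm.found_hex}\n  expected: {mm.expected_hex}")
    for dst, src in restored_files(rep).items():
        print(f"RESTORED {dst} <- {src}")
    for err in rep.fatal_errors:
        print(f"FATAL    {err}")
    print("events:", "; ".join(rep.sr_events))
```

To run it against a real log, pass the contents of the cbs.txt the SFC step produces (read with `errors="replace"`, since CBS.log is not always clean UTF-8) to `parse_cbs_log`. A mismatch entry is the thing to keep for an incident write-up: it records which file differed from the store and both hashes, which is how the 550,912-byte rpcss.dll in this thread was identified as modified before SFC re-linked the clean store copy.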
07 Feb 2014   #87
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by tom982
now for the next issue! I suspect this issue will be fixed if you reboot, so reboot your computer and let me know how it goes.
Well, I re-booted but I don't know what you expect to happen. I had already re-booted previously (following the SFC /SCANNOW) and the results posted reflected that re-boot. And there were still the two $$DELETEME versions of the corrupted RPCSS.DLL still sitting there in \Winsxs\Temp\PendingDeletes, having been created there by SFC but not actually deleted.

So I didn't have any expectations about seeing those two files disappear upon a new re-boot. And in fact they did NOT disappear. They're still there.



So I don't know what else you've described as "the next issue". Is it these two files that don't seem to actually ever get deleted? Or is it some other file?

Also, I ran my own screenshot looking for RPCSS.DLL, posted above. But if you wanted me to run some other scan utility you didn't mention it. So I don't know what you expected me to provide in this reply that would tell you "how it went"?? What log file or other output are you wanting me to generate and post for you to look at, now that I've re-booted?

I'd like to get rid of those two $$DELETEME files, and it sounds like you've seen (in the SFC log) a third file that didn't get deleted either... although I don't know what that file is.

Waiting for your next instructions.
07 Feb 2014   #88
tom982

Microsoft Community Contributor Award Recipient

Windows 8.1 Pro x64
 
 

Cottonball, would you mind killing off this folder with FRST please? I'm not sure what permissions are on this folder and its subfiles, but I'm guessing it will be a little more than a right click > delete, and the only tools I know to do a job like this are the malware removal ones, i.e. tools I'm not allowed to use yet (the fun ones!)

C:\Windows\winsxs\Temp\PendingDeletes

Tom
07 Feb 2014   #89
dsperber

Windows 7 Pro x64 (1), Win7 Pro X64 (2)
 
 

Quote: Originally Posted by tom982
Cottonball, would you mind killing off this folder with FRST please?

C:\Windows\winsxs\Temp\PendingDeletes
So is this the last of it, and the two files inside it?

Or was there some other third file that you'd noticed in the SFC log which also must be dealt with? That's what I thought you were pointing out.
07 Feb 2014   #90
cottonball

Windows 7 Home Premium
 
 

@tom982:

Not quite sure we can nuke: PendingDeletes
To my understanding, the files in it are files that Windows has designated for deletion in the future...??

On the CSI issue you pointed out, have no clue on what it is.
My idea of CSI is "Crime Scene Investigation"

@dsperber:

Let's find the path of the files, and will press on from there.

Please run FRST again and type the following in the input box after Search:
Code:
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.*
Click the Search button

When done, a report, Search.txt, is created.

Please post the results of the Search.txt in your reply.

If the above shows no results, use this input instead:

Code:
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000
Also run SystemLook:
http://jpshortstuff.247fixes.com/SystemLook.exe

•Double-click SystemLook.exe to run it.
•Copy the content inside the codebox into the input field:

Code:
:filefind
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.*
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000
•Click the Look button to start the scan.
•When finished, a notepad window opens with the results of the scan.

Also post the SystemLook report in your reply.

Thanks.


All times are GMT -5. The time now is 06:50.