MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131


  1. Posts : 2,470
    Windows 7 Home Premium
       #81

    Good job!!

    tom982 is probably getting some at this time, but I'm sure he will be with you as soon as he can.

    Please do not run any other programs in the meantime.

    Thank you for your patience!


  2. Posts : 2,663
    Windows 8.1 Pro x64
       #82

    Great work, cottonball! Now that you're clean, we can perform the last bit of the fix:

    SFCFix Script

    Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

    1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
    2. Download the file below, SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
    3. Save any open documents and close all open windows.
    4. On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
    5. Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
    6. SFCFix will now process the script.
    7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
    8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.


    https://dl.dropboxusercontent.com/u/...ber/SFCFix.zip

    SFC Scan

    1. Click on the Start button and in the search box, type Command Prompt
    2. When you see Command Prompt on the list, right-click on it and select Run as administrator
    3. When command prompt opens, copy and paste the following commands into it, press enter after each

      sfc /scannow

      Wait for this to finish before you continue

      copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt

    4. This will create a file, cbs.txt on your Desktop. Please attach this to your next post.


    Tom


  3. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #83

    tom982 said:
    SFCFix Script

    Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

    1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
    2. Download the file below, SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
    3. Save any open documents and close all open windows.
    4. On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
    5. Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
    6. SFCFix will now process the script.
    7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
    8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.


    https://dl.dropboxusercontent.com/u/...ber/SFCFix.zip
    Step 2 is still running, so I thought I'd post the results of the above Step 1.

    Log is attached.

    Here is a screenshot of the current state of things regarding RPCSS.DLL following the above SFCFix.



    I will post the results of the /SCANNOW along with a second screenshot again showing the whereabouts of RPCSS.DLL in my next reply, when it finishes.


  4. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #84

    tom982 said:
    SFC Scan

    1. Click on the Start button and in the search box, type Command Prompt
    2. When you see Command Prompt on the list, right-click on it and select Run as administrator
    3. When command prompt opens, copy and paste the following commands into it, press enter after each

      sfc /scannow

      Wait for this to finish before you continue

      copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt
    4. This will create a file, cbs.txt on your Desktop. Please attach this to your next post.
    I believe we have liftoff!

    Looks like SFC /SCANNOW has correctly replaced the infected 550,912-byte version of RPCSS.DLL (which just a moment ago was in C:\Windows\System32) with the new 550,400-byte clean one you provided in the ZIP file going into SFCFix.



    I'm attaching the log from the /SCANNOW.


    Now... the only remaining item is that there are now TWO copies of the infected version of RPCSS.DLL still living in \Winsxs\Temp\PendingDeletes of the form $$DELETEME.... Previously there was only one. So obviously it is the SFC /SCANNOW which is creating these.

    However I myself cannot delete them (access denied). So how are they supposed to get deleted??? I don't want them on my system, as they are the infected versions. Even though HitmanPro long ago (several days ago) removed the crucial activating Registry entries so that these two $$DELETEME versions are harmless, I still want to delete them... as their name suggests was intended.

    So, how does one go about deleting them??


    Anyway, this long and arduous process does appear to be just about at its true completion once these two $$DELETEME files are finally deleted. They are the only existing copies of the infected RPCSS.DLL remaining on the disk.

    Can't thank all of you who contributed anything at all enough. Reps will be given all around!


  5. Posts : 2,470
    Windows 7 Home Premium
       #85

    dsperber,

    Not to worry...

    There are several hours of time difference between tom982 and us, so, we need to wait for his assessment of the replacement by SFC.


  6. Posts : 2,663
    Windows 8.1 Pro x64
       #86

    Excellent! The repair went through, and SFC has been able to re-form the hard links:

    Code:
    RtlRunPrimitiveOperationsFromCallbacksAgainstSil(...)[gle=0xd0000121]
    2014-02-06 14:41:47, Info                  CSI    000001bc [SR] Unable to complete Verify and Repair transaction because some of the files that need to be repaired are in use. A reboot is required to complete this operation.
    2014-02-06 14:41:47, Info                  CSI    000001bd [SR] Repairing 1 components
    2014-02-06 14:41:47, Info                  CSI    000001be [SR] Beginning Verify and Repair transaction
    2014-02-06 14:41:47, Info                  CSI    000001bf Hashes for file member \??\C:\Windows\System32\rpcss.dll do not match actual file [l:18{9}]"rpcss.dll" :
      Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=} Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
    2014-02-06 14:41:47, Info                  CSI    000001c0 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"rpcss.dll" from store
    2014-02-06 14:41:47, Info                  CSI    000001c1 Repair results created:
    POQ 85 starts:
         0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\7afaf9787323cf01d22300005c133c07._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
        1: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\9a1e01797323cf01d32300005c133c07.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
        2: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\7a050d797323cf01d42300005c133c07.$$_system32_21f9a9c4a2f8b514.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"
        3: Hard Link File: Source = [l:246{123}]"\SystemRoot\WinSxS\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll", Destination = [l:66{33}]"\??\C:\Windows\System32\rpcss.dll"
    
    POQ 85 ends.
    2014-02-06 14:41:47, Info                  CSI    000001c2 [SR] Repair complete
    So we've fixed rpcss.dll; now for the next issue! I suspect this issue will be fixed if you reboot, so reboot your computer and let me know how it goes. This error is a little worrying, though; it's unusual for an issue like this to return a fatal (F) error like this:

    Code:
    2014-02-06 14:41:47, Error                 CSI    000001bb (F) STATUS_CANNOT_DELETE #4098596# from
    If they don't get removed over a reboot then we'll have to do it manually.

    Tom
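The CBS log excerpt above is the evidence Tom reads to conclude that the repair went through. The Python below is an added example for this thread, not a tool anyone in it used and not niemiro's SFCFix: it parses the [SR] lines out of a CBS.log copy such as the cbs.txt produced earlier, pulls out the hash-mismatch pair, the path SFC reports as repaired, the component count, the reboot-required notice and any fatal (F) error, and decodes the base64 hashes to hex so they can be compared with a hash taken by other means. Two things are my assumptions rather than anything the posts state: that the 32-byte `b:` values CBS logs are SHA-256 digests of the file content, and the sample log, which is the post's own excerpt reproduced as a constructed string so the parser runs offline.

```python
"""Parse the System File Checker ([SR]) entries out of a CBS.log excerpt.

Added example for this thread; not a tool used in the original posts.
SAMPLE_LOG is the rpcss.dll repair quoted above, reproduced as a constructed
string. The claim that CBS's 32-byte hashes are SHA-256 is my understanding of
the format, not something the thread states.
"""
import base64
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_LOG = r"""
2014-02-06 14:41:47, Error                 CSI    000001bb (F) STATUS_CANNOT_DELETE #4098596# from
RtlRunPrimitiveOperationsFromCallbacksAgainstSil(...)[gle=0xd0000121]
2014-02-06 14:41:47, Info                  CSI    000001bc [SR] Unable to complete Verify and Repair transaction because some of the files that need to be repaired are in use. A reboot is required to complete this operation.
2014-02-06 14:41:47, Info                  CSI    000001bd [SR] Repairing 1 components
2014-02-06 14:41:47, Info                  CSI    000001be [SR] Beginning Verify and Repair transaction
2014-02-06 14:41:47, Info                  CSI    000001bf Hashes for file member \??\C:\Windows\System32\rpcss.dll do not match actual file [l:18{9}]"rpcss.dll" :
  Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=} Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
2014-02-06 14:41:47, Info                  CSI    000001c0 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"rpcss.dll" from store
2014-02-06 14:41:47, Info                  CSI    000001c2 [SR] Repair complete
"""

# Timestamped CBS line: "<date time>, <level> <component> <hex seq> <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\w+)\s+"
    r"(?P<comp>\w+)\s+(?P<seq>[0-9a-f]{8}) (?P<msg>.*)$"
)
MEMBER_RE = re.compile(r"Hashes for file member (?P<path>\S+) do not match actual file")
HASH_RE = re.compile(r"Found: \{l:32 b:(?P<found>[A-Za-z0-9+/]+=*)\} "
                     r"Expected: \{l:32 b:(?P<expected>[A-Za-z0-9+/]+=*)\}")
COUNT_RE = re.compile(r"\[SR\] Repairing (?P<n>\d+) components")
QUOTED_RE = re.compile(r'"([^"]*)"')


@dataclass
class HashMismatch:
    path: str
    found_b64: str
    expected_b64: str

    def found_hex(self) -> str:
        return base64.b64decode(self.found_b64).hex()

    def expected_hex(self) -> str:
        return base64.b64decode(self.expected_b64).hex()


@dataclass
class SrReport:
    sr_lines: list = field(default_factory=list)
    fatal_errors: list = field(default_factory=list)
    mismatches: list = field(default_factory=list)
    repaired: list = field(default_factory=list)
    components_repaired: int = 0

    def repair_complete(self) -> bool:
        return any(m.endswith("[SR] Repair complete") for m in self.sr_lines)

    def reboot_required(self) -> bool:
        return any("A reboot is required" in m for m in self.sr_lines)


def parse_cbs(text: str) -> SrReport:
    report = SrReport()
    pending_path: Optional[str] = None  # member whose Found/Expected line comes next
    for raw in text.splitlines():
        line = raw.strip()
        # The hash pair is logged on an indented continuation line with no timestamp.
        hm = HASH_RE.search(line)
        if hm and pending_path:
            report.mismatches.append(HashMismatch(pending_path, hm["found"], hm["expected"]))
            pending_path = None
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped stack text, POQ listings, blank lines
        msg = m["msg"]
        if m["level"] == "Error" and "(F)" in msg:
            report.fatal_errors.append(msg)
        mm = MEMBER_RE.search(msg)
        if mm:
            pending_path = mm["path"]
        if "[SR]" not in msg:
            continue
        report.sr_lines.append(msg)
        cm = COUNT_RE.search(msg)
        if cm:
            report.components_repaired = int(cm["n"])
        if "[SR] Repairing corrupted file" in msg:
            # Directory and file name are separate quoted strings; rejoin them.
            report.repaired.append("\\".join(QUOTED_RE.findall(msg)))
    return report


def cbs_hash(data: bytes) -> str:
    """Hash file content the way CBS logs it: base64 of the 32-byte SHA-256 (assumed)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def matches_store_copy(data: bytes, mismatch: HashMismatch) -> bool:
    """True if the bytes hash to the value CBS expected for that member."""
    return cbs_hash(data) == mismatch.expected_b64


if __name__ == "__main__":
    r = parse_cbs(SAMPLE_LOG)
    for mm in r.mismatches:
        print(f"{mm.path}\n  found    {mm.found_hex()}\n  expected {mm.expected_hex()}")
    print("repaired:", r.repaired, "| complete:", r.repair_complete(),
          "| reboot needed:", r.reboot_required(), "| fatal errors:", len(r.fatal_errors))
```

Run it against the cbs.txt copied from %windir%\Logs\CBS in the earlier step (read the file and pass its text to `parse_cbs`); if `matches_store_copy` is given the bytes of the live System32\rpcss.dll after the reboot, it should return True only once the file SFC hard-linked from the store is in place.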


  7. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #87

    tom982 said:
    now for the next issue! I suspect this issue will be fixed if you reboot, so reboot your computer and let me know how it goes.
    Well, I re-booted, but I don't know what you expect to happen. I had already re-booted previously (following the SFC /SCANNOW) and the results posted reflected that re-boot. And there were still the two $$DELETEME versions of the corrupted RPCSS.DLL still sitting there in \Winsxs\Temp\PendingDeletes, having been created there by SFC but not actually deleted.

    So I didn't have any expectations about seeing those two files disappear upon a new re-boot. And in fact they did NOT disappear. They're still there.



    So I don't know what else you've described as "the next issue". Is it these two files that don't seem to actually ever get deleted? Or is it some other file?

    Also, I ran my own screenshot looking for RPCSS.DLL, posted above. But if you wanted me to run some other scan utility you didn't mention it. So I don't know what you expected me to provide in this reply that would tell you "how it went"?? What log file or other output are you wanting me to generate and post for you to look at, now that I've re-booted?

    I'd like to get rid of those two $$DELETEME files, and it sounds like you've seen (in the SFC log) a third file that didn't get deleted either... although I don't know what that file is.

    Waiting for your next instructions.


  8. Posts : 2,663
    Windows 8.1 Pro x64
       #88

    Cottonball, would you mind killing off this folder with FRST please? I'm not sure what permissions are on this folder and its subfiles, but I'm guessing it will be a little more than a right click > delete, and the only tools I know to do a job like this are the malware removal ones, i.e. tools I'm not allowed to use yet (the fun ones!)

    C:\Windows\winsxs\Temp\PendingDeletes

    Tom


  9. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #89

    tom982 said:
    Cottonball, would you mind killing off this folder with FRST please?

    C:\Windows\winsxs\Temp\PendingDeletes
    So is this the last of it, and the two files inside it?

    Or was there some other third file that you'd noticed in the SFC log which also must be dealt with? That's what I thought you were pointing out.


  10. Posts : 2,470
    Windows 7 Home Premium
       #90

    @tom982:

    Not quite sure we can nuke: PendingDeletes
    To my understanding, the files in it are files that Windows has designated for deletion in the future...??

    On the CSI issue you pointed out, have no clue on what it is.
    My idea of CSI is "Crime Scene Investigation"

    @dsperber:

    Let's find the path of the files, and we'll press on from there.

    Please run FRST again and type the following in the input box after Search:
    Code:
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.*
    Click the Search button

    When done, a report, Search.txt, is created.

    Please post the results of the Search.txt in your reply.

    If the above shows no results, use this input instead:

    Code:
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000
    Also run SystemLook:
    http://jpshortstuff.247fixes.com/SystemLook.exe

    • Double-click SystemLook.exe to run it.
    • Copy the content inside the codebox into the input field:

    Code:
    :filefind
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.*
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000
    • Click the Look button to start the scan.
    • When finished, a notepad window opens with the results of the scan.

    Also post the SystemLook report in your reply.

    Thanks.


    Last edited by cottonball; 07 Feb 2014 at 14:03.
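The two $$DeleteMe names cottonball lists each carry a 16-hex-digit field, and the PendingRenames entries in Tom's CBS excerpt start with a field of the same width. The Python below is an added example, not from the thread or from FRST or SystemLook; it assumes (my reading of the layout, not stated anywhere on this page) that the field is a 64-bit Windows FILETIME, written as plain hex in the $$DeleteMe names and byte-reversed in the PendingRenames names, and decodes it. The check that makes the assumption credible is built in: shifted to the poster's GMT-5, all three PendingRenames entries decode to 2014-02-06 14:41:47, the timestamp on the quoted CBS lines, and the two $$DeleteMe files date to 6 February and 4 February, consistent with one existing before the SFC run and one appearing after it. The sample names are constructed from the paths and log lines quoted in this thread.

```python
"""Decode the FILETIME fields in WinSxS\Temp staging file names.

Added example for this thread; not part of the original posts. The name
layouts are my interpretation: $$DeleteMe.<file>.<16 hex>.<4 hex> carries a
FILETIME as plain hex, and PendingRenames names start with the same kind of
FILETIME in little-endian byte order, followed by a second 16-hex-digit field.
"""
import ntpath
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed from the paths and CBS log lines quoted in this thread.
SAMPLE_DELETEME = [
    r"C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000",
    r"C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000",
]
SAMPLE_RENAMES = [
    "7afaf9787323cf01d22300005c133c07._0000000000000000.cdf-ms",
    "9a1e01797323cf01d32300005c133c07.$$.cdf-ms",
    "7a050d797323cf01d42300005c133c07.$$_system32_21f9a9c4a2f8b514.cdf-ms",
]

DELETEME_RE = re.compile(
    r"^\$\$DeleteMe\.(?P<name>.+)\.(?P<ft>[0-9a-fA-F]{16})\.(?P<seq>[0-9a-fA-F]{4})$")
RENAME_RE = re.compile(
    r"^(?P<ft>[0-9a-fA-F]{16})(?P<id>[0-9a-fA-F]{16})\.(?P<target>.+)$")


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


@dataclass
class StagedFile:
    staging_name: str    # name as it appears under WinSxS\Temp
    original_name: str   # file it stands in for (or rename target)
    created_utc: datetime


def parse_deleteme(path: str) -> StagedFile:
    base = ntpath.basename(path)
    m = DELETEME_RE.match(base)
    if not m:
        raise ValueError(f"not a $$DeleteMe name: {base}")
    ft = int(m["ft"], 16)  # hex digits already in most-significant-first order
    return StagedFile(base, m["name"], filetime_to_datetime(ft))


def parse_pending_rename(name: str) -> StagedFile:
    m = RENAME_RE.match(name)
    if not m:
        raise ValueError(f"not a PendingRenames name: {name}")
    ft = struct.unpack("<Q", bytes.fromhex(m["ft"]))[0]  # stored byte-reversed
    return StagedFile(name, m["target"], filetime_to_datetime(ft))


def as_log_time(dt: datetime, utc_offset_hours: int) -> str:
    """Render in the local-time format CBS.log uses, for side-by-side comparison."""
    local = dt.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for p in SAMPLE_DELETEME:
        s = parse_deleteme(p)
        print(f"{s.staging_name}: {s.original_name} staged {as_log_time(s.created_utc, -5)} (GMT-5)")
    for n in SAMPLE_RENAMES:
        s = parse_pending_rename(n)
        print(f"{n}: -> {s.original_name} queued {as_log_time(s.created_utc, -5)} (GMT-5)")
```

Feed it the names FRST or SystemLook returns for PendingDeletes and the order of creation falls out directly, which is the quickest way to tell a leftover from an earlier cleanup attempt apart from one SFC staged in the latest run.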


 