MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

Page 5 of 11

  1. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #41

    Thanks for the updates dsperber,

    I'll take a look at the Farbar and ESET logs when you post them.

    There's another good tool to empty all temp locations in case anything is hiding there.
    I'll post it after the logs are up and you can run it at your convenience.

    Take a look at all browsers on the system (specifically home page, toolbars, and search engines) and remove any add-ons that are not readily recognized. They can always be added back if they're needed.

    Bill


  2. Posts : 10,485
    W7 Pro SP1 64bit
       #42

    It's disappointing to hear that Process Explorer did not find the infected DLL. Did you enable the view as shown in my screenshot above?

    My guess is that the EXE was not infected, it was just being used to load the infected DLL.


  3. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #43

    This Trojan is also a 'password stealing' Trojan. I would suggest that you let the client know, and have them change ALL their passwords, using a known "clean" computer.


  4. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #44

    Slartybart said:
    I'll take a look at the Farbar and ESET logs when you post them.
    I'm attaching both of the Farbar logs... FRST and ADDITION.

    ESET is just getting started so it will be probably 2 hours before its log is ready.

    Also, even though it's 2/3 MBAM has not yet even produced a new log (i.e. the 2/2 log is the last one shown), because there has been ZERO reason. Last entry on the 2/2 log was at around 6PM EST regarding starting protection following the daily database update, with the previous last update about 2 hours prior.

    I think we have emerged victorious.


    There's another good tool to empty all temp locations in case anything is hiding there.
    I'll post it after the logs are up and you can run it at your convenience.
    I had done my own manual cleaning out of everything from the various TEMP folders on the machine as part of my early housecleaning and uninstall of any programs I saw in Control Panel that were unwanted, unnecessary, or possibly suspicious.

    But I'll be glad to use whatever tool you can point me to that does the same thing automatically or perhaps more rigorously.


    Take a look at all browsers on the system (specifically home page, toolbars, and search engines) remove any add-ons that are not readily recognized. They can always be added back if they're needed.
    Took care of these over the weekend.

    I think we're in pretty good shape now.
    Attached Files


  5. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #45

    Jacee said:
    This Trojan is also a 'password stealing' Trojan. I would suggest that you let the client know, and have them change ALL their passwords, using a known "clean" computer.
    Good idea. Thanks for the suggestion.

    I've just left them a phone message advising to do this. She's a "shopper".


  6. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #46

    UsernameIssues said:
    It's disappointing to hear that Process Explorer did not find the infected DLL. Did you enable the view as shown in my screenshot above?
    Yes. And I showed the same VirusTotal column in red as your screenshot showed. It's just that the virus count was 0.


    My guess is that the EXE was not infected, it was just being used to load the infected DLL.
    Agreed.


  7. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #47

    Slartybart said:
    HitmanPro log2
    Malware
    C:\Windows\system32\rpcss.dll -> PendingDelete
    Size . . . . . . . : 550,912 bytes
    Age . . . . . . . : 1555.3 days (2009-10-31 07:46:13)
    Entropy . . . . . : 5.6
    SHA-256 . . . . . : 0A22F667B7D77EC22D623CE5AE3C4218160386EE84EA90DC64036C60371EC763
    Product . . . . . : Microsoft® Windows® Operating System
    Publisher . . . . : Microsoft Corporation
    Description . . . : Distributed COM Services
    Version . . . . . : 6.0.6002.18005
    Copyright . . . . : © Microsoft Corporation. All rights reserved.
    Service . . . . . : RpcSs
    > Bitdefender . . . : Trojan.Patched.Zekos.A
    > Kaspersky . . . . : Trojan.Win32.Patched.pj
    Fuzzy . . . . . . : 109.0
    Startup
    HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch\
    HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\
    Interestingly, it would appear that a second copy of that DLL was stored on D, in the 15GB Dell Recovery Partition copy of Windows!!! And it was not discovered by any scan, and thus clearly also not deleted. But it's there... same as it was on the primary infected C, in D:\Windows\System32. I have to assume it's the same infected DLL (which is NOT present any longer in C in that original location).



    Is it safe for me to just delete it manually myself from D?? And what about the possibility that Registry entries on that D version of Windows might have also been affected?

    Actually, I'm all for just nuking that partition anyway using Partition Wizard and just resizing C (currently 85GB free out of 135GB partition) along with allocating a brand new D to be used for "system image" backup using Macrium Reflect. That's the right type of "recovery" that is needed to get CURRENT things back if needed, not through the Dell method to put things back to "factory".

    Again, this is an old old but perfectly reliable and usable Vista machine and is in all likelihood NEVER going to need "recovery" using this arcane method, assuming it could even still be used.

    I think I'm going to vaporize D, and then re-create it along with a resized C, to serve as an internal "backup" partition. Obviously in all the years they've had this Dell laptop they haven't had a need for this, but given what I see now I think it's a sensible thing to do.


  8. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #48

    Slartybart said:
    I'll take a look at the Farbar and ESET logs when you post them.
    Posted Farbar log earlier.

    Here's the ESET log (took 4 hours to complete).

    Note that ESET found one "threat", which was I'm guessing somehow a "backup copy" of the RPCSS.DLL? It's got a different size, and it has a date from just a few days ago (Friday)... around the time when I think I may have been getting started on the disinfection process.

    I'm not sure exactly what this is. But I did push the "delete quarantined items" button on ESET. However the item is still where it was found, so I don't think it really got deleted.

    Concerned, I just ran HitmanPro again, and it found ZERO threats. So that's reassuring. Don't know why/how ESET would have noticed it and HitmanPro didn't.

    Advice?? Should I (can I) manually delete it myself? Will Windows let me, or will it just restore it?
    Attached Files


  9. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #49

    Yeah, I'm going to ask other members to look at the Farbar and ESET logs.

    In the Farbar log these "One month modified ..." entries might need to be verified:
    2014-01-31 18:36 - 2006-11-02 01:32 - 00008798 _____ () C:\Windows\system32\icrav03.rat
    2014-01-31 18:36 - 2006-11-02 01:32 - 00001988 _____ () C:\Windows\system32\ticrf.rat
    2014-01-29 21:29 - 2014-01-29 21:29 - 00000000 ____S () C:\Windows\system32\ubwvq.dqs
    2014-01-28 19:01 - 2014-01-28 19:01 - 00000000 ____S () C:\Windows\system32\ifmhg.xgj
    2014-01-26 08:56 - 2014-01-26 08:56 - 00028672 _____ () C:\Windows\system32\fdnzvw.cnw
    2014-01-26 08:56 - 2014-01-26 08:45 - 00000100 _____ () C:\Windows\system32\ohwyn.tgy
    2014-01-26 08:45 - 2014-01-26 08:45 - 00000064 _____ () C:\Windows\system32\yqqn.sxt

    2014-01-04 11:46 - 2014-01-04 11:46 - 00101213 ____S () C:\Windows\system32\cdklx.uaf

    2014-01-12 20:26 - 2013-12-20 17:02 - 00000000 ____D () C:\Users\susan\Desktop\T.MK801.S.14

    Under "Bamital & volsnap Check "
    C:\Windows\system32\rpcss.dll
    [2009-10-31 07:46] - [2009-04-11 01:28] - 0550912 ____A (Microsoft Corporation) 150DB93F1299491B4AF6025650035AFD
    ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
    I googled the MD5 and it is unique - no matches found.

    In the Farbar Additional file, there are a number of recent (today) events in the event logs.
    Look at the tail end of the file or use event viewer on the system.

    I'd feel more comfortable if a member of the security team took a look. Jacee has already stopped in and is a bit familiar with the thread.
    - this is a Vista machine, correct?

    Recap scans: How to easily clean an infected computer (Malware Removal Guide) and Farbar FRST

    Bill
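The two Farbar sections quoted in the post above (the "One month modified" entries and the "Bamital & volsnap Check" record) are easier to triage with a script once a log has hundreds of lines. The Python below is an added example written for this page; it is not the thread's code and not part of the FRST tool. It parses the quoted entry lines, flags files under system32 whose extension is not one that directory normally holds (that extension set is an assumption, not an FRST list), separates files that were created inside the one-month window from old files that were merely touched, and parses the rpcss.dll record so the logged size and MD5 can be compared with a hash computed over another copy of the file, such as the one in the D: recovery partition. The sample lines are the ones quoted in the post; the byte strings in the test are constructed.

```python
"""
Triage helper for Farbar (FRST) "One month modified" lines and the
"Bamital & volsnap Check" record.  Added example for this page, not part of
the thread or of FRST.  SYSTEM32_EXTENSIONS is an assumption.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# FRST "One month modified" lines as quoted in the post.  The last one is a
# desktop folder; it is included to show that non-system32 paths are skipped.
SAMPLE_FRST = r"""2014-01-31 18:36 - 2006-11-02 01:32 - 00008798 _____ () C:\Windows\system32\icrav03.rat
2014-01-31 18:36 - 2006-11-02 01:32 - 00001988 _____ () C:\Windows\system32\ticrf.rat
2014-01-29 21:29 - 2014-01-29 21:29 - 00000000 ____S () C:\Windows\system32\ubwvq.dqs
2014-01-28 19:01 - 2014-01-28 19:01 - 00000000 ____S () C:\Windows\system32\ifmhg.xgj
2014-01-26 08:56 - 2014-01-26 08:56 - 00028672 _____ () C:\Windows\system32\fdnzvw.cnw
2014-01-26 08:56 - 2014-01-26 08:45 - 00000100 _____ () C:\Windows\system32\ohwyn.tgy
2014-01-26 08:45 - 2014-01-26 08:45 - 00000064 _____ () C:\Windows\system32\yqqn.sxt
2014-01-04 11:46 - 2014-01-04 11:46 - 00101213 ____S () C:\Windows\system32\cdklx.uaf
2014-01-12 20:26 - 2013-12-20 17:02 - 00000000 ____D () C:\Users\susan\Desktop\T.MK801.S.14"""

# "Bamital & volsnap Check" record for rpcss.dll as quoted in the post.
SAMPLE_BAMITAL = r"""C:\Windows\system32\rpcss.dll
[2009-10-31 07:46] - [2009-04-11 01:28] - 0550912 ____A (Microsoft Corporation) 150DB93F1299491B4AF6025650035AFD"""

# modified - created - size attrs (company) path
ENTRY = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# [modified] - [created] - size attrs (company) md5
BAMITAL = re.compile(
    r"^\[(?P<modified>[^\]]+)\] - \[(?P<created>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>[A-Z_]{5}) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
TS = "%Y-%m-%d %H:%M"

# Extensions that legitimately live in system32 (assumption; extend as needed).
SYSTEM32_EXTENSIONS = {
    "dll", "exe", "sys", "ocx", "drv", "cpl", "mui", "scr", "msc", "nls",
    "acm", "ax", "tlb", "dat", "ini", "log", "xml", "txt", "tmp",
}


@dataclass
class Finding:
    path: str
    size: int
    attrs: str
    created: datetime
    modified: datetime
    verdict: str  # "dropped": created inside the window; "touched": old file, modified recently


def triage_frst(text: str, window_days: int = 31) -> list[Finding]:
    """Flag system32 files whose extension is not one the directory normally holds."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or "D" in m["attrs"]:
            continue  # not an entry line, or a directory
        path = m["path"]
        if "\\windows\\system32\\" not in path.lower():
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in SYSTEM32_EXTENSIONS:
            continue
        created = datetime.strptime(m["created"], TS)
        modified = datetime.strptime(m["modified"], TS)
        # A file created and modified inside the window was dropped recently; an
        # old creation date with a fresh modification time means it was only touched.
        verdict = "dropped" if modified - created <= timedelta(days=window_days) else "touched"
        findings.append(Finding(path, int(m["size"]), m["attrs"], created, modified, verdict))
    return findings


def parse_bamital_check(block: str) -> tuple[str, int, str]:
    """Return (path, size, MD5) from the two-line Bamital & volsnap record."""
    path, record = [ln for ln in block.strip().splitlines() if ln.strip()]
    m = BAMITAL.match(record.strip())
    if not m:
        raise ValueError("unrecognised Bamital check record")
    return path.strip(), int(m["size"]), m["md5"].upper()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()


def matches_logged_hash(data: bytes, logged_size: int, logged_md5: str) -> bool:
    """Compare the bytes of another copy (e.g. the D: partition's rpcss.dll) with the record.
    A matching size alone proves nothing: the patched file in this thread kept the
    original 550,912 bytes, so only the hash discriminates."""
    return len(data) == logged_size and md5_hex(data) == logged_md5


if __name__ == "__main__":
    for f in triage_frst(SAMPLE_FRST):
        print(f"{f.verdict:8} {f.attrs} {f.size:>7} created {f.created:%Y-%m-%d} {f.path}")
    print(parse_bamital_check(SAMPLE_BAMITAL))
```

On the quoted lines this separates the two `.rat` files (created in 2006, touched on 2014-01-31) from the six randomly named files created and modified inside the window, three of them zero-byte with the System attribute set. Rather than googling the MD5, compare it with a copy of the same build (6.0.6002.18005) taken from install media or a known-clean machine; an unmatched hash on a search engine is weak evidence either way.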


  10. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #50

    Let's see what SFC can tell you about system file integrity.

    Follow Option Two and Option Three in: https://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

