Windows 7: MBAM cannot remove "culprit" access to

03 Feb 2014   #51

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by Slartybart
> Yeah, I'm going to ask other members to look at the Farbar and ESET logs.
I know nothing here about these things, so I will listen to any comments and/or advice from those more knowledgeable.

> Under "Bamital & volsnap Check"
Where are you seeing this??

> [2009-10-31 07:46] - [2009-04-11 01:28] - 0550912 ____A (Microsoft Corporation) 150DB93F1299491B4AF6025650035AFD
> ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
> I googled the MD5 and it is unique - no matches found.
I don't understand. What are you looking at? What are you looking at that shows that "attention" remark??

That RPCSS.DLL is no longer in C:\Windows\System32, having been deleted by HitmanPro.

> In the Farbar Additional file, there are a number of recent (today) events in the event logs.
> Look at the tail end of the file or use event viewer on the system.
What "recent events" are you referring to?

> I'd feel more comfortable if a member on the security team took a look. Jacee has already stopped in and is a bit familiar with the thread.
It was suggested that I invite Noeldp to look at this thread, and I've PM'd him.

> - this is a Vista machine, correct?
Correct. A Dell laptop.

03 Feb 2014   #52

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Quote: Originally Posted by Slartybart
> Let's see what SFC can tell you about System file integrity.
Well, not surprisingly, it's unhappy with the state of RPCSS.DLL... and if I read the details correctly it also says it cannot do the repair because the backup is also damaged.

I've edited the SFCDETAILS.TXT file to contain only the relevant "problematic" sections, eliminating the insignificant lines.

You know... maybe the version that is over on the D Recovery Partition is a GOOD ONE, not a copy of the bad one! The date on the D-version is from 1/19/2008 2:36:17AM 547,328 bytes, whereas the problem one found by HitmanPro was dated 2009 and is 3,000 bytes larger.

So even though the repair of C's RPCSS.DLL cannot be done because the C-backup is also corrupt, it seems possible to recover it from the D-version if we believe it to be a valid one.


Attached: sfcdetails.txt (6.8 KB)
04 Feb 2014   #53

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Do I need to run SFC /SCANNOW three times in a row, to eventually find the correct original 2008 backup?

If you look at my earlier screenshot where I was looking for RPCSS.DLL with Everything, you see that it occurs in MULTIPLE folders in C:\Winsxs. And there is one from 1/20/2008 which is the correct 535KB (which is the correct size, if we go by what is shown in the screenshot living on the D Recovery partition), whereas the later backups starting in 2009 are 538KB (which is the problematic size).

I've never used SFC /SCANNOW, but I do know that sometimes you need to run three "repairs" in order to finally get things fixed. I guess each subsequent repair uses a successively older backup??

Note from the following screenshot that it looks like the SFC repair I just did has restored a version of RPCSS.DLL into C:\Windows\System32... and it's the defective one.

I'm going to run the repair three more times, and see if I can recover that 2008 version which should be the right one.

04 Feb 2014   #54

Windows 7 Pro x64 (1), Win7 Pro X64 (2)

Well, I guess my guess was wrong. Doesn't pick up successively older backups with each running of SFC /SCANNOW. It just leaves the 550,912 byte version.

Obviously the 547,328 byte version from 2008 is now clearly recognized as the right original Windows version to shoot for (which matches the untouched version on the D Recovery partition).

Re-run of HitmanPro again deletes that version (although it's been rendered "harmless" by the previous cleansing of the Registry of the crucial related entries, so that it will no longer start at boot time even if present). It also deletes the backup version. See attached log file.

Interestingly, there is a "$$DELETEME..." version of the corrupt RPCSS.DLL that I don't know exactly where it came from... either the SFC repair, or the rerun of HitmanPro (which seems unlikely)?? It won't go away, but it is the bad object.

I give up for now. I need further advice on how to manually recover the 547,328 version from 2008... either from the C:\Windows\Winsxs backup where it lives, or from the D Recovery partition.

Attached: HitmanPro_20140204_0105.log (7.8 KB)
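The last three posts come down to telling the 547,328-byte 2008 copy of rpcss.dll apart from the 550,912-byte 2009 copy across System32, WinSxS and the D: recovery partition. The following PowerShell is an added example, not code from any post in this thread or from HitmanPro/FRST/SFC: it inventories every on-disk rpcss.dll under those locations, hashes each one, and groups the copies by hash, flagging the MD5 that FRST quoted in post #51. It assumes the Windows directory is C:\Windows and the recovery partition is mounted as D:, and it uses .NET hashing rather than Get-FileHash so it runs on the PowerShell 2.0 that a Vista machine would have.

```powershell
# Added example (not from the thread): find every rpcss.dll on disk, hash it, and
# group identical copies so the 2008 and 2009 versions can be told apart.
# Assumptions: Windows lives in C:\Windows, the OEM recovery partition is D:, and
# the MD5 below is the one FRST printed in post #51 of the thread.
# Files packed inside install .wim images on D: are not visible to this scan.

$FlaggedMd5 = '150DB93F1299491B4AF6025650035AFD'   # MD5 quoted by FRST in the thread
$Roots      = @('C:\Windows\System32', 'C:\Windows\WinSxS', 'D:\')   # assumed locations

# MD5 via .NET so this works on PowerShell 2.0 (Get-FileHash only arrived in 4.0)
function Get-Md5Hex([string]$Path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $fs.Close() }
}

$copies = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    # -Force also returns hidden/system files; the OEM recovery tree hides itself
    Get-ChildItem -Path $root -Filter 'rpcss.dll' -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $md5 = Get-Md5Hex $_.FullName
        New-Object PSObject -Property @{
            Path     = $_.FullName
            Bytes    = $_.Length
            Modified = $_.LastWriteTime
            Version  = $_.VersionInfo.FileVersion
            MD5      = $md5
            Flagged  = ($md5 -eq $FlaggedMd5)   # -eq is case-insensitive for strings
        }
      }
}

# One header line per distinct hash, then every path that carries that hash
$copies | Group-Object MD5 | ForEach-Object {
    $first = $_.Group[0]
    '{0}  {1,8} bytes  v{2}  copies={3}  flagged={4}' -f $_.Name, $first.Bytes, $first.Version, $_.Count, $first.Flagged
    $_.Group | ForEach-Object { '    ' + $_.Path + '  (' + $_.Modified.ToString('yyyy-MM-dd') + ')' }
}
```

Run it from an elevated PowerShell so WinSxS and the recovery partition are readable. The hash grouping, not the file size, is the reliable tell: two copies with the same byte count can still differ. Note that Get-AuthenticodeSignature is not a substitute here, because Windows system DLLs are catalog-signed rather than carrying an embedded signature, so on Vista/7 it reports them as NotSigned; Sysinternals sigcheck, which checks catalogs, or a hash match against the untouched recovery copy is the check that actually answers "is this the original file".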
04 Feb 2014   #55

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Sorry dsperber, I shoveled a lot of snow yesterday and fell asleep early.

Let me catch up answering your posts.

Post 47 -> D:\Recovery.
The rpcss.dll in D:\Recovery is the base install for a Dell Vista - or should be. A scan didn't pick it up, so it's probably NOT infected. If the MD5 is unique then you'll have to dig a little deeper, but methinks it's ok.

I would make the OEM Recovery discs before nuking D:

Post 48 -> ESET
>> Win32/Patched.IB trojan error while cleaning
This is in the backup folder for Winsxs - ESET failed to clean it, perhaps because it's in winsxs.
I'm not sure what to do with it.

Post 51 -> Everything you ask about was found in:

I'll look at the SFC log next.
04 Feb 2014   #56

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Yep, you read it correctly. Noel might want to see the entire log.

The rpcss.dll in D:\Recovery is probably good; getting it might be difficult. On my HP, the part is hidden and has a desktop.ini that puts up an HTML screen when you view the part. Getting around that is the easy part.

The base Windows files needed to begin a Recovery are or should be visible, but everything else is packed away in the install wim files.

Gregrocker is a whiz at this stuff.

Just make sure every one knows this is VISTA, Noel particularly. He might offer you replacement file(s) from Win7 if that is left unclear.

I'll go back thru the thread and collect your logs. I like to make it easier for people coming in cold to a thread. I'll match the log files to the malware guide, and try to make chronological order out of it.

04 Feb 2014   #57

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

dsperber is working on a friend's machine: Dell / Vista SP2

Post 1 -> Malwarebytes Pro alerted dsperber when it blocked IP addresses.
Mbam did not find or contain the threat.

Post 11 /12 - > AdwCleaner log wrapped in a code box on post.

Post 23: I directed dsperber to this: How to easily clean an infected computer (Malware Removal Guide)

Post 27 -> initial FRST log:

Jacee recommends clearing java cache and flushing DNS, dsperber complies.

Post 30 -> JRT run out of sequence, no harm no foul - nothing found anyway

Post 36 -> Hitman Pro & Mbam logs

Post 43 -> Jacee alert re: Trojan password stealer, dsperber complies.

Post 44 -> Farbar logs

Post 48 -> ESET log

Post 53 -> SFC log

The malware removal guide has more scanners in it than there are logs posted.
Can you backfill the logs for the scanners in red:
- Kaspersky TDSSKiller
- RKill
- Malwarebytes Anti-Malware Free
- HitmanPro
- RogueKiller
- AdwCleaner
- Junkware Removal Tool
Checking the system after the clean
- ESET Online Scanner.
- Emsisoft Emergency Kit.

Edit: Post 61 -> missing logs posted

Post 64 -> EMSISoft log

Post 68 -> Kaspersky TDSSKiller log


04 Feb 2014   #58

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

The System Update Readiness Tool (SURT) might help, I'm not sure.
SURT used to carry a few cabs when it was used to prepare Vista for an upgrade to Win7.
Lately though, SURT on Win7 is related to Windows Update issues only.

Download the correct bit depth Vista version from here: What is the System Update Readiness Tool?

It's big and it's slow - just so you know.

04 Feb 2014   #59

Windows 8.1 Pro x64

This will fix up your SFC corruption :)

SFCFix Script

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.
  1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
  2. Download the file below, and save this to your Desktop. Ensure that this file is named - do not rename it.
  3. Save any open documents and close all open windows.
  4. On your Desktop, you should see two files: SFCFix.exe and
  5. Drag the file onto the file SFCFix.exe and release it.
  6. SFCFix will now process the script.
  7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
  8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.

SFC Scan
  1. Click on the Start button and in the search box, type Command Prompt
  2. When you see Command Prompt on the list, right-click on it and select Run as administrator
  3. When command prompt opens, copy and paste the following commands into it, press enter after each

    sfc /scannow

    Wait for this to finish before you continue

    copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt

  4. This will create a file, cbs.txt on your Desktop. Please attach this to your next post.
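The cbs.txt that step 4 of the SFC Scan copies out is large, and SFC's own results are only the lines tagged "[SR]" (the sfcdetails.txt posted earlier in the thread is that same filter applied by hand). The PowerShell below is an added example, not part of tom982's instructions or of SFCFix: it pulls the [SR] lines out of CBS.log, extracts the verdict, the member file and the reason from each one, and prints a per-file summary ending with the files SFC could not repair. It assumes the default %windir%\Logs\CBS\CBS.log path; when that file is not readable it falls back to a constructed sample (component name is a placeholder, not copied from the thread's log) so the script still runs.

```powershell
# Added example, not from any post in this thread: summarise what SFC decided,
# per file, from the [SR] lines it writes to CBS.log. This is the same filter as
# Microsoft's documented  findstr /c:"[SR]"  step, with a summary on top.
# Assumption: CBS.log is at its default location; otherwise the constructed
# sample below is parsed instead so the script runs anywhere.

$LogPath = Join-Path $env:windir 'Logs\CBS\CBS.log'

# Constructed sample in the shape of real [SR] lines (placeholder component name)
$SampleLog = @'
2014-02-04 00:10:11, Info                  CBS    [SR] Verify complete
2014-02-04 00:10:12, Info                  CBS    [SR] Cannot repair member file [l:18{9}]"rpcss.dll" of Example-Component, Version = 6.0.6002.18005: Source file in store is also corrupted
2014-02-04 00:10:12, Info                  CBS    [SR] Repairing corrupted file [l:18{9}]"rpcss.dll" from store
2014-02-04 00:10:13, Info                  CBS    [SR] Repair complete
'@ -split "`r?`n"

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLog }

# verdict = what SFC decided; file = the quoted member file, if any;
# reason = the text after the last ": " on the line, if any
$pattern = '\[SR\]\s+(?<verdict>Cannot repair member file|Repairing corrupted file|Repair complete|Verify complete)' +
           '(?:[^"]*"(?<file>[^"]+)")?(?:.*:\s+(?<reason>.+))?$'

$events = foreach ($line in $lines) {
    if ($line -match $pattern) {
        $file = if ($Matches['file']) { $Matches['file'] } else { $null }
        New-Object PSObject -Property @{ File = $file; Verdict = $Matches['verdict']; Reason = $Matches['reason'] }
    }
}

# Per-file view: how many times each verdict occurred and the reasons SFC gave
$events | Where-Object { $_.File } | Group-Object File | ForEach-Object {
    $_.Name + ':'
    $_.Group | Group-Object Verdict | ForEach-Object { '    {0,-28} x{1}' -f $_.Name, $_.Count }
    $_.Group | Where-Object { $_.Reason } | Select-Object -ExpandProperty Reason -Unique |
        ForEach-Object { '    reason: ' + $_ }
}

# Anything listed here still needs a known-good source (SFCFix, or a verified
# copy from the recovery partition); re-running sfc /scannow will not change it
$unrepaired = @($events | Where-Object { $_.Verdict -eq 'Cannot repair member file' } |
                Select-Object -ExpandProperty File -Unique)
'Unrepaired: ' + $(if ($unrepaired.Count) { $unrepaired -join ', ' } else { 'none' })
```

Run it from the same elevated prompt after sfc /scannow has finished; SFC appends to CBS.log, so the [SR] lines from earlier runs are still there and the counts will grow with each repeat. "Source file in store is also corrupted" is the reason the thread is describing in post #52: both the System32 copy and the WinSxS store copy SFC would repair from are bad, which is exactly the situation where SFC alone cannot help and an outside known-good file is needed.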
04 Feb 2014   #60

Windows 7 Home Premium


tom982's guidance will fix the rpcss.dll issue, however, since you already downloaded and ran FRST, please do the following:

Please run FRST again and type the following in the input box after Search: rpcss.dll
Click the Search button

When done, a report, Search.txt, is created.

Please post the results of the Search.txt in your reply.

When tom is done, we need to use FRST again, and make sure there are no remnants lurking.
