MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

Page 4 of 11

  1. Posts : 10,485
    W7 Pro SP1 64bit
       #31

    Teamviewer lets you reboot to the safe mode and still reconnect. If you tell TV to make the computer reboot, it should offer an option to "wait on partner". That should notify you when the reboot has completed and offer to reconnect you. I use VNC as a backup to TV.

    I'll keep playing with the AOL/nordstrom thing. I had only played with 9.7 for an issue in another forum.


  2. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #32

    UsernameIssues said:
    Teamviewer lets you reboot to the safe mode and still reconnect. If you tell TV to make the computer reboot, it should offer an option to "wait on partner". That should notify you when the reboot has completed and offer to reconnect you. I use VNC as a backup to TV.

    I'll keep playing with the AOL/nordstrom thing. I had only played with 9.7 for an issue in another forum.
    Just found this VERY interesting web page on the useragentstring.com web site.

    It shows that using AOL 9.5 there is no way IE9 can be presented properly in the "useragentstring" value!!

    Apparently, you must be using AOL 9.6 in order to present even IE8 (which is the maximum value possible with AOL 9.6). This is higher than IE7, and may well have been acceptable to the Nordstrom site which doesn't support IE7 any longer but might support IE8 and higher.

    And you must be using AOL 9.7 if you want to present IE9. I already know that it's possible to present IE10 with AOL 9.7, because I already verified that. So this web page does at least appear to be somewhat out-of-date.

    I'm going to upgrade from 9.5 to 9.7 and see if that makes this all go away! Seems like it can't hurt, and she's used to using 9.7 anyway (on that Win7 laptop) when they're home in Boston.


  3. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #33

    That poor Vista system.... all of those things running.

    The herdProtect log has a lot in it, some are probably false positives (some valid HP stuff shows up as malware on my machine) Some of it might only be suspicious.

    If you want, you can kill herdProtect - it's a report scan only.

    Do run the scanners in the order listed, they complement each other nicely that way. Don't sweat JRT out of sequence (it was a quick check), but do run it again in the order specified in the guide.

    There is a reason.

    It's almost Saturday night, a friend has a gig and I'm going to support the band.
    A bunch of old guys rockin' out - not exactly ZZ Top though.
    Last edited by Slartybart; 01 Feb 2014 at 18:49.


  4. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #34

    Just to report MISSION ACCOMPLISHED on the other issue, the AOL problem accessing the Nordstrom site (discussed in my other "browsers" thread)!

    In the end it only needed to upgrade through AOL 9.7 instead of AOL 9.5, to support IE9 which was now installed. That's all it was. Period. Case closed. Thread marked "solved".

    WHEW!!!


    Ok. Back to this one. I need some lunch, and some sleep.

    I will run the whole sequence of scans later today when my friend gets back from the movies and can assist.


  5. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #35

    AOL is A-OK now - that's good news I suppose :)

    How are you making out with the Malware scans?
    There are a few follow-up scans and ops after running through the guide. Farbar, OT-TFC, restore hosts to default, maybe a few others.

    You want to be sure that whatever was on the machine is eradicated and that those bad IP addresses aren't referenced by anything else.

    Bill
    .


  6. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #36

    Slartybart said:
    AOL is A-OK now - that's good news I suppose :)
    Yes. And I have now also upgraded two other Win7 desktop machines which were using AOL 9.5 with IE11 and experiencing the same issues with assorted web sites complaining about "no longer support your browser" (which we now know was due to the "useragentstring" sent by AOL 9.5 which showed "MSIE 7.0").

    Both systems are now upgraded to AOL 9.7, and all issues with problem web sites have disappeared.


    How are you making out with the Malware scans?
    Well, now HERE WE INDEED HAVE A MIRACLE!! SUCCESS!! CASE CLOSED!! MALWARE REMOVED!!

    And I would attribute the accomplishment to the "recipe" link you provided previously (from Malwaretips.com), and specifically to the use of HitmanPro in that sequence, based on the timings and MBAM logs which showed exactly when the blocked IP accesses finally ceased.

    The few steps performed prior to HitmanPro all found nothing. This included TDSSKiller which had to run in safe mode. And the MBAM log continued to show blocked IP addresses right up until the HitmanPro "delete" step, after which they appeared to stop. And this cessation of blocked IP accesses continued across several re-boots.

    The later products which followed HitmanPro may have identified a handful of "minor" items, which I deleted, but none of them was really relevant to this deeply buried access to those Russian IP's.

    I'm convinced now that it was tied to the MyWebSearch item, which I tried to uninstall and remove but couldn't ever complete successfully. And several of the anti-malware products I'd tried previously certainly identified breadcrumbs of MyWebSearch, but whatever they found and removed did not seem to be a solution.

    Only HitmanPro seemed to again locate even further additional remnants of MyWebSearch, along with what I believe to have been the "hiding place" of the culprit object code:
    C:\Windows\system32\rpcss.dll
    as well as related crucial pieces (including another mention of DcomLaunch):
    Startup
    HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch\
    HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\
    I'm attaching the two HitmanPro logs (the "found" log before I pushed DELETE, and the "action taken" log recording everything removed), as well as the current final state of the MBAM log (which shows the ongoing blocked IP access before running HitmanPro, and then the post-HitmanPro "silence").

    I double-checked with TASKMGR, and there is no longer a DcomLaunch PID active disguised as SVCHOST.EXE and sending out requests to those two Russian static IP addresses. Silence.

    Note that I didn't run anything past Step 7 (Junkware Removal Tool). I actually did start Step 8 (ESET) but after about 30 minutes of VERY SLOW PROGRESS scanning and having only gotten through about 35% of what it had to do and having found nothing so far, I decided to just cancel that scan. I hadn't yet looked at the MBAM log to see if whatever had been found and removed by any of the earlier steps had been successful, and was just itching to look.

    So I re-booted, did some miscellaneous things (like general Internet access through Firefox and IE) which would previously have guaranteed access to those IP's if they hadn't already occurred, and then looked at the MBAM log. I was thrilled to see that they had long-since ceased, and the moment of disappearance coincided with the removals done by HitmanPro.

    THEREFORE...

    I thank you (and the whole set of anti-malware software developers and vendors) for setting down a "recipe" that does indeed seem to cover all bases. Certainly MBAM itself, along with ADWCleaner and RogueKiller which did all find something to remove over the course of the past several days, well they all must have helped.

    But in this particular malware case, I believe it was this thing called MyWebSearch which was the culprit. And it was definitely HitmanPro which finally managed to find every single last loose-end remaining piece of it and remove it.

    I WILL NOW MARK THIS THREAD "SOLVED"!!

    Thanks again to everyone who participated and helped out. (incidentally, there still is NO response to my similar thread on the Malwarebytes Forum)
    Attached Files
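The post above reaches its "malware removed" conclusion by lining up the MBAM blocked-IP log against the moment HitmanPro's delete ran. The script below, an added example rather than anything from the thread, MBAM or HitmanPro, shows that correlation done mechanically: it parses block events, checks whether the two watched addresses appear after a cleanup cutoff, and refuses to call the machine clean when nothing at all was logged after the cutoff (the "I browsed around to give it a chance to beacon" control the poster describes). The sample log lines are constructed, and their layout is an assumption about MBAM's protection log, not copied from the attachments; only the two IP addresses come from the thread.

```python
import re
from datetime import datetime

# The two addresses the thread is about (from the thread title and posts).
WATCHED_IPS = {"5.45.64.145", "5.45.69.131"}

# Constructed sample lines. The field layout is an assumption made for this
# example, not a verified MBAM log format.
SAMPLE_LOG = """\
2014/02/01 10:02:11 -0500 VISTA-PC Owner IP-BLOCK 5.45.64.145 (Type: outgoing, Port: 80, Process: svchost.exe)
2014/02/01 10:17:45 -0500 VISTA-PC Owner IP-BLOCK 5.45.69.131 (Type: outgoing, Port: 80, Process: svchost.exe)
2014/02/01 11:40:03 -0500 VISTA-PC Owner IP-BLOCK 5.45.64.145 (Type: outgoing, Port: 80, Process: svchost.exe)
2014/02/01 13:15:22 -0500 VISTA-PC Owner IP-BLOCK 203.0.113.7 (Type: outgoing, Port: 443, Process: firefox.exe)
"""

TS_FMT = "%Y/%m/%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \S+ \S+ \S+ IP-BLOCK (?P<ip>\S+) "
    r"\(Type: (?P<dir>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)


def parse_block_events(text):
    """Return one dict per IP-BLOCK line; other log lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate scan/update/other lines in the same log
        events.append({
            "time": datetime.strptime(m["ts"], TS_FMT),
            "ip": m["ip"],
            "port": int(m["port"]),
            "process": m["proc"],
        })
    return events


def remediation_verdict(events, cleanup_ts, watched=WATCHED_IPS):
    """Judge whether blocks to the watched IPs stopped after cleanup_ts.

    cleanup_ts is a timestamp string in the log's own format, e.g. when the
    HitmanPro delete and reboot finished. A quiet log proves nothing by itself:
    we only say "ceased" when other activity was logged after the cutoff.
    """
    cutoff = datetime.strptime(cleanup_ts, TS_FMT)
    after = [e for e in events if e["time"] > cutoff]
    if not after:
        return "no_activity_after_cutoff"
    if any(e["ip"] in watched for e in after):
        return "still_active"
    return "ceased"


def last_watched_block(events, watched=WATCHED_IPS):
    """Timestamp (log format) of the most recent block to a watched IP, or None."""
    hits = [e for e in events if e["ip"] in watched]
    if not hits:
        return None
    return max(hits, key=lambda e: e["time"])["time"].strftime(TS_FMT)


if __name__ == "__main__":
    ev = parse_block_events(SAMPLE_LOG)
    print("last block to a watched IP:", last_watched_block(ev))
    for cutoff in ("2014/02/01 09:00:00", "2014/02/01 12:30:00", "2014/02/02 00:00:00"):
        print(cutoff, "->", remediation_verdict(ev, cutoff))
```

Run against a real export, the same three verdicts tell you whether the beaconing stopped, whether it is still going, or whether the machine simply has not been online long enough after cleanup to know.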


  7. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #37

    Yeah, ESET is slow, but it finds stuff other scanners don't.

    I'm glad you got through all of that and a solution was found.

    If you're still on the Vista system, I think a Farbar scan would be a good "final check" - if it finds anything, it might be a two step process (scan, then clean with a custom script).

    See this post for step one of the Farbar instructions


    I'm not certain if this threat was contained - it might have needed a reboot to resolve it completely

    HitmanPro log2
    Malware
    C:\Windows\system32\rpcss.dll -> PendingDelete
    Size . . . . . . . : 550,912 bytes
    Age . . . . . . . : 1555.3 days (2009-10-31 07:46:13)
    Entropy . . . . . : 5.6
    SHA-256 . . . . . : 0A22F667B7D77EC22D623CE5AE3C4218160386EE84EA90DC64036C60371EC763
    Product . . . . . : Microsoft® Windows® Operating System
    Publisher . . . . : Microsoft Corporation
    Description . . . : Distributed COM Services
    Version . . . . . : 6.0.6002.18005
    Copyright . . . . : © Microsoft Corporation. All rights reserved.
    Service . . . . . : RpcSs
    > Bitdefender . . . : Trojan.Patched.Zekos.A
    > Kaspersky . . . . : Trojan.Win32.Patched.pj
    Fuzzy . . . . . . : 109.0
    Startup
    HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch\
    HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\


    Farbar will tell you more.

    Bill
    .


  8. Posts : 10,485
    W7 Pro SP1 64bit
       #38

    The tendency is to want to clean infections quickly...
    ...but this is one time when I would have liked to have seen how well the Process Monitor/Virustotal combo would have worked to locate such an item.

    (attached screenshot: capture.png)


  9. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #39

    Slartybart said:
    If you're still on the Vista system, I think a Farbar scan would be a good "final check" - if it finds anything, it might be a two step process (scan, then clean with a custom script).

    See this post for step one of the Farbar instructions
    I will give this a try overnight tonight, just to see what it says.

    Also I may re-run that ESET scan and let it run for the several hours it appears it's going to take.


    I'm not certain if this threat was contained - it might have needed a reboot to resolve it completely
    I DID reboot. I posted the "before cleanup" log and also the "after cleanup". But there was a message from HitmanPro saying that the re-boot was required to complete the cleanup.

    It was prescribed as required by HitmanPro, because it had to do that in order to remove the RPCSS.DLL object.

    I'm good, I'm sure, as the MBAM log shows. But when I get back on the Vista machine I will confirm that RPCSS.DLL is no longer present.
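The HitmanPro excerpt quoted in post #37 is worth reading as data rather than as a screenshot: it names a Microsoft-published file under System32 that two engines classify as "Patched", the service that loads it, and the registry keys that start it, which is exactly the profile of a legitimate binary modified in place. The script below is an added example (not thread, HitmanPro or Microsoft code) that parses that excerpt into a record, flags the patched-system-file pattern, and pulls the SHA-256 out so the follow-up planned in post #39 (confirming the file on the Vista machine) can be done by hash rather than by filename. The log text is quoted from the thread; the regexes describe only the layout visible in that excerpt and are an assumption about any other HitmanPro output.

```python
import hashlib
import re
from dataclasses import dataclass, field

# HitmanPro "found" excerpt exactly as quoted in the thread (post #37).
HITMANPRO_LOG = r"""
Malware
C:\Windows\system32\rpcss.dll -> PendingDelete
Size . . . . . . . : 550,912 bytes
Age . . . . . . . : 1555.3 days (2009-10-31 07:46:13)
Entropy . . . . . : 5.6
SHA-256 . . . . . : 0A22F667B7D77EC22D623CE5AE3C4218160386EE84EA90DC64036C60371EC763
Product . . . . . : Microsoft® Windows® Operating System
Publisher . . . . : Microsoft Corporation
Description . . . : Distributed COM Services
Version . . . . . : 6.0.6002.18005
Copyright . . . . : © Microsoft Corporation. All rights reserved.
Service . . . . . : RpcSs
> Bitdefender . . . : Trojan.Patched.Zekos.A
> Kaspersky . . . . : Trojan.Win32.Patched.pj
Fuzzy . . . . . . : 109.0
Startup
HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch\
HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\
"""


@dataclass
class Finding:
    path: str
    action: str
    fields: dict = field(default_factory=dict)      # "SHA-256", "Publisher", ...
    detections: dict = field(default_factory=dict)  # engine -> detection name
    startup: list = field(default_factory=list)     # registry keys that launch it


# Layout assumptions based only on the excerpt above.
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<action>\w+)$")
DETECT_RE = re.compile(r"^> (?P<engine>[\w-]+)(?: \.)+ : (?P<name>.+)$")
FIELD_RE = re.compile(r"^(?P<key>[\w-]+)(?: \.)+ : (?P<value>.*)$")


def parse_hitmanpro_log(text):
    """Turn the dotted key/value log into Finding records."""
    findings, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Malware", "Startup"):
            section = line
            continue
        m = PATH_RE.match(line)
        if m:
            current = Finding(path=m["path"], action=m["action"])
            findings.append(current)
            continue
        if current is None:
            continue
        m = DETECT_RE.match(line)
        if m:
            current.detections[m["engine"]] = m["name"].strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["value"].strip()
            continue
        if section == "Startup":
            current.startup.append(line)
    return findings


def is_patched_system_binary(f):
    """Microsoft-published file under System32 that engines call 'Patched':
    a real OS binary altered in place, not a dropped file with a fake name."""
    in_system32 = "\\system32\\" in f.path.lower()
    microsoft = f.fields.get("Publisher", "") == "Microsoft Corporation"
    patched = any("patched" in n.lower() for n in f.detections.values())
    return in_system32 and microsoft and patched


def indicator_hashes(findings):
    """Lower-case SHA-256 set to compare local files against."""
    return {f.fields["SHA-256"].lower() for f in findings if "SHA-256" in f.fields}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches_indicator(digest, indicators):
    return digest.lower() in indicators


if __name__ == "__main__":
    for f in parse_hitmanpro_log(HITMANPRO_LOG):
        print(f.path, f.action, "patched system binary:", is_patched_system_binary(f))
        print("  service:", f.fields.get("Service"), " detections:", f.detections)
        print("  startup keys:", f.startup)
    print("indicator hashes:", indicator_hashes(parse_hitmanpro_log(HITMANPRO_LOG)))
```

On the cleaned machine, `sha256_of(r"C:\Windows\system32\rpcss.dll")` compared with `indicator_hashes(...)` answers the post #39 question directly: a match means the patched copy is still there, a non-match means the file was replaced, which is the outcome you want for a core Windows DLL rather than its absence.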


  10. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #40

    UsernameIssues said:
    The tendency is to want to clean infections quickly...
    ...but this is one time when I would have liked to have seen how well the Process Monitor/Virustotal combo would have worked to locate such an item.
    I actually DID enable the Virustotal column during my work over the weekend. But it showed 0 from that PID, so I didn't think to post it here as nothing was discovered by the known offending task.

    I probably should have posted it.

    Bottom line: only HitmanPro found (and was able to delete) RPCSS.DLL, and the relevant HKLM startup Registry entries that kicked it off along with the "villain" PID task, along with the other supporting Registry entries. All the other products I used did NOT find those objects, which were all related to the culprit MyWebSearch.

    I believe ADWCleaner found some of the pieces of MyWebSearch and theoretically removed them, but for all I know they may have "regenerated themselves". I don't recall if the same ones later found by HitmanPro duplicated the originals found by ADWCleaner or not (I'll see if there are all logs still present or if I deleted them, as maybe that will be demonstrated).

    For sure, MBAM did NOT find any of this. Once my initial Quick Scan (and I also ran a FULL Scan) with MBAM discovered about 15 assorted miscellaneous items (none of which related to MyWebSearch) it never found anything significant again. On a later second scan it found two more of something, but the final scan (as one step in the "8-step recipe") showed "clean" which was obviously not yet true as the HitmanPro step came after MBAM.

    Of course it was MBAM now running on the machine that did provide the initial clues that the machine was infected, due to the incessant "blocked IP" popups regarding those two Russian/Netherlands IP addresses. So were it not for MBAM, this MyWebSearch culprit would never have been found and then eliminated thanks to HitmanPro.

