MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131


  1. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #51

    Slartybart said:
    Yeah, I'm going to ask other members to look at the Farbar and ESET logs.
    I know nothing here about these things, so I will listen to any comments and/or advice from those more knowledgeable.


    Under "Bamital & volsnap Check"
    Where are you seeing this??

    C:\Windows\system32\rpcss.dll
    [2009-10-31 07:46] - [2009-04-11 01:28] - 0550912 ____A (Microsoft Corporation) 150DB93F1299491B4AF6025650035AFD
    ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
    I googled the MD5 and it is unique - no matches found.
    I don't understand. What are you looking at? What are you looking at that shows that "attention" remark??

    That RPCSS.DLL is no longer in C:\Windows\System32, having been deleted by HitmanPro.


    In the Farbar Additional file, there are a number of recent (today) events in the event logs.
    Look at the tail end of the file or use event viewer on the system.
    What "recent events" are you referring to?


    I'd feel more comfortable if a member on the security team took a look. Jacee has already stopped in and is a bit familiar with thread.
    It was suggested that I invite Noeldp to look at this thread, and I've PM'd him.


    - this is a Vista machine, correct?
    Correct. A Dell laptop.


  2. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #52

    Slartybart said:
    Let's see what SFC can tell you about System file integrity.
    Well, not surprisingly, it's unhappy with the state of RPCSS.DLL... and if I read the details correctly also says it cannot do the repair because the backup is also damaged.

    I've edited the SFCDETAILS.TXT file to contain only the relevant "problematic" sections, eliminating the insignificant lines.

    You know... maybe the version that is over on the D Recovery Partition is a GOOD ONE, not a copy of the bad one! The date on the D-version is from 1/19/2008 2:36:17AM 547,328 bytes, whereas the problem one found by HitmanPro was dated 2009 and is 3,000 bytes larger.

    So even though the repair of C's RPCSS.DLL cannot be done because the C-backup is also corrupt, it seems possible to recover it from the D-version if we believe it to be a valid one.

    Thoughts??


  3. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #53

    Do I need to run SFC /SCANNOW three times in a row, to eventually find the correct original 2008 backup?

    If you look at my earlier screenshot where I was looking for RPCSS.DLL with Everything, you see that it occurs in MULTIPLE folders in C:\Winsxs. And there is one from 1/20/2008 which is the correct 535KB (which is the correct size, if we go by what is shown in the screenshot living on the D Recovery partition), whereas the later backups starting in 2009 are 538KB (which is the problematic size).

    I've never used SFC /SCANNOW, but I do know that sometimes you need to run three "repairs" in order to finally get things fixed. I guess each subsequent repair uses a successively older backup??

    Note from the following screenshot that it looks like the SFC repair I just did has restored a version of RPCSS.DLL into C:\Windows\System32... and it's the defective one.



    I'm going to run the repair three more times, and see if I can recover that 2008 version which should be the right one.


  4. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #54

    Well, I guess my guess was wrong. Doesn't pick up successively older backups with each running of SFC /SCANNOW. It just leaves the 550,912 byte version.

    Obviously the 547,328 byte version from 2008 is now clearly recognized as the right original Windows version to shoot for (which matches the untouched version on the D Recovery partition).

    Re-run of HitmanPro again deletes that version (although it's been rendered "harmless" by the previous cleansing of the Registry of the crucial related entries, so that it will no longer start at boot time even if present). It also deletes the backup version. See attached log file.

    Interestingly, there is a "$$DELETEME..." version of the corrupt RPCSS.DLL that I don't know exactly where it came from... either the SFC repair, or the rerun of HitmanPro (which seems unlikely)?? It won't go away, but it is the bad object.



    I give up for now. I need further advice on how to manually recover the 547,328 version from 2008... either from the C:\Windows\Winsxs backup where it lives, or from the D Recovery partition.
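    Posts #51 through #54 come down to comparing the copies of rpcss.dll (the one in System32, the WinSxS backups, and the untouched copy on the D: Recovery partition) by size and hash. The script below is an added example, not code from anyone in this thread: it hashes every file of that name under the roots you give it, groups byte-identical copies, and marks which group matches a trusted reference copy and which carries the MD5 quoted from the Farbar line in post #51. The `rpcss_demo_` temp tree, its paths and its byte contents are constructed stand-ins, not real Windows binaries; on a live system you would point `find_copies` at the WinSxS folder and `classify` at the Recovery-partition copy.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# MD5 quoted from the thread's Farbar line for the suspect rpcss.dll (value from the page).
SUSPECT_MD5 = "150db93f1299491b4af6025650035afd"


def file_digests(path, chunk=1 << 20):
    """Return (size_in_bytes, md5_hex, sha256_hex) for one file, streamed in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return size, md5.hexdigest(), sha.hexdigest()


def find_copies(roots, name):
    """Walk every root (e.g. C:\\Windows\\winsxs) and hash each file whose name matches, case-insensitively."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if fname.lower() == name.lower():
                    path = os.path.join(dirpath, fname)
                    size, md5, sha = file_digests(path)
                    found.append((path, size, md5, sha))
    return found


def classify(copies, reference_path):
    """Group copies by (size, sha256); mark each group against the reference copy and the thread's MD5."""
    _ref_size, _ref_md5, ref_sha = file_digests(reference_path)
    groups = defaultdict(list)
    md5_of = {}
    for path, size, md5, sha in copies:
        groups[(size, sha)].append(path)
        md5_of[sha] = md5
    report = []
    for (size, sha), paths in sorted(groups.items()):
        report.append({
            "size": size,
            "sha256": sha,
            "md5": md5_of[sha],
            "paths": sorted(paths),
            "matches_reference": sha == ref_sha,
            "matches_thread_suspect_md5": md5_of[sha] == SUSPECT_MD5,
        })
    return report


def build_demo_tree():
    """Constructed sample layout standing in for C:\\Windows and D:\\Recovery; not real Windows files."""
    base = tempfile.mkdtemp(prefix="rpcss_demo_")
    good = b"MZ" + b"\x00" * 1000 + b"GOOD-RPCSS"   # stands in for the untouched 2008 copy
    bad = good + b"PATCH" * 60                       # stands in for the larger patched copy
    layout = {
        "D/Recovery/Windows/System32/rpcss.dll": good,
        "C/Windows/winsxs/x86_com-base_6.0.6000.16386/rpcss.dll": good,
        "C/Windows/winsxs/x86_com-base_6.0.6002.18005/rpcss.dll": bad,
        "C/Windows/System32/rpcss.dll": bad,
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


def run_demo():
    """Hash every rpcss.dll under the fake C: tree and compare against the fake D:\\Recovery copy."""
    base = build_demo_tree()
    try:
        reference = os.path.join(base, "D", "Recovery", "Windows", "System32", "rpcss.dll")
        copies = find_copies([os.path.join(base, "C")], "rpcss.dll")
        return classify(copies, reference)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for group in run_demo():
        status = "matches Recovery copy" if group["matches_reference"] else "DIFFERS from Recovery copy"
        print(f"{group['size']:>7} bytes  sha256={group['sha256'][:16]}...  {status}")
        for p in group["paths"]:
            print("         ", p)
```

    The grouping key is SHA-256; MD5 is carried along only because that is what the Farbar log and the thread quote. Seeing two distinct groups where every WinSxS copy should be identical to the Recovery copy is the same signal the poster read off file sizes by hand in post #53, just without relying on a web search for the hash.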


  5. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #55

    Sorry dsperber, I shoveled a lot of snow yesterday and fell asleep early.

    Let me catch up answering your posts.

    Post 47 -> D:\Recovery.
    The rpcss.dll in D:\Recovery is the base install for a Dell Vista - or should be. A scan didn't pick it up so, it's probably NOT infected. If the MD5 is unique then you'll have to dig a little deeper, but methinks it's ok.

    I would make the OEM Recovery discs before nuking D:

    Post 48 -> ESET
    C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988_rpcss.dll_fd3e269b
    >> Win32/Patched.IB trojan error while cleaning
    This is in the backup folder for Winsxs - ESET failed to clean it, perhaps because it's in winsxs.
    I'm not sure what to do with it.

    Post 51 -> Everything you ask about was found in:
    https://www.sevenforums.com/attachmen...arbar_frst.txt
    or
    https://www.sevenforums.com/attachmen...r_addition.txt

    I'll look at the SFC log next.


  6. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #56

    Yep, you read it correctly. Noel might want to see the entire log.

    The rpcss.dll in D:\Recovery is probably good, getting it might be difficult. On my HP, the part is hidden and has a desktop.ini that puts up an HTML screen when you view the part. Getting around that is the easy part.

    The base Windows files needed to begin a Recovery are or should be visible, but everything else is packed away in the install wim files.

    Gregrocker is a whiz at this stuff.

    Just make sure every one knows this is VISTA, Noel particularly. He might offer you replacement file(s) from Win7 if that is left unclear.

    I'll go back thru the thread and collect your logs. I like to make it easier for people coming in cold to a thread. I'll match the log files to the malware guide, and try to make chronological order out of it.

    Bill
    .


  7. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #57

    dsperber is working on a friend's machine: Dell / Vista SP2

    Post 1 -> Malwarebytes Pro alerted dsperber when it blocked IP addresses.
    Mbam did not find or contain the threat.

    Post 11/12 -> AdwCleaner log wrapped in a code box on post.

    Post 23: I directed dsperber to this: How to easily clean an infected computer (Malware Removal Guide)

    Post 27 -> initial FRST log:
    Scan_2014-2-1-14-54.txt

    Jacee recommends clearing java cache and flushing DNS, dsperber complies.

    Post 30 -> JRT run out of sequence, no harm no foul - nothing found anyway

    Post 36 -> Hitman Pro & Mbam logs
    HitmanPro_20140202_1454.log
    HitmanPro_20140202_1459.log
    MBAM_log.txt

    Post 43 -> Jacee alert re: Trojan password stealer, dsperber complies.

    Post 44 -> Farbar logs
    Farbar_FRST.txt
    Farbar_Addition.txt

    Post 48 -> ESET log
    ESET.txt

    Post 53 -> SFC log
    sfcdetails.txt

    The malware removal guide has more scanners in it than there are logs posted.
    Can you backfill the logs for the scanners in red:
    - Kaspersky TDSSKiller
    - RKill
    - Malwarebytes Anti-Malware Free
    - HitmanPro
    - RogueKiller
    - AdwCleaner
    - Junkware Removal Tool
    Checking the system after the clean
    - ESET Online Scanner.
    - Emsisoft Emergency Kit.


    Edit: Post 61 -> missing logs posted
    Rkill.txt
    RKreport[0]_D_02022014_151303.txt
    JRT.txt
    HitmanPro_20140204_0105.log

    Post 64 -> EMSISoft log
    EMSISoft.txt

    Post 68 -> Kaspersky TDSSKiller log
    TDSSKiller.3.0.0.19_02.02.2014_14.18.47_log.txt

    Thanks,

    Bill
    Last edited by Slartybart; 09 Feb 2014 at 10:16. Reason: add missing logs


  8. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #58

    The System Update Readiness Tool (SURT) might help, I'm not sure.
    SURT used to carry a few cabs when it was used to prepare Vista for an upgrade to Win7.
    Lately though, SURT on Win7 is related to Windows Update issues only.

    Download the correct bit depth Vista version from here: What is the System Update Readiness Tool?

    It's big and it's slow - just so you know.

    Bill
    .


  9. Posts : 2,663
    Windows 8.1 Pro x64
       #59

    This will fix up your SFC corruption :)

    SFCFix Script

    Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

    1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
    2. Download the file below, SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
    3. Save any open documents and close all open windows.
    4. On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
    5. Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
    6. SFCFix will now process the script.
    7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
    8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.


    https://dl.dropboxusercontent.com/u/...ber/SFCFix.zip

    SFC Scan

    1. Click on the Start button and in the search box, type Command Prompt
    2. When you see Command Prompt on the list, right-click on it and select Run as administrator
    3. When command prompt opens, copy and paste the following commands into it, press enter after each

      sfc /scannow

      Wait for this to finish before you continue

      copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt

    4. This will create a file, cbs.txt on your Desktop. Please attach this to your next post.


  10. Posts : 2,470
    Windows 7 Home Premium
       #60

    dsperber,

    tom982's guidance will fix the rpcss.dll issue, however, since you already downloaded and ran FRST, please do the following:

    Please run FRST again and type the following in the input box after Search: rpcss.dll
    Click the Search button

    When done, a report, Search.txt, is created.

    Please post the results of the Search.txt in your reply.

    When tom is done, we need to use FRST again, and make sure there are no remnants lurking.

    Thanks!

