MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

Page 7 of 11

#61 (Thread Starter; Posts: 2,752; Windows 7 Pro x64 (1), Win7 Pro X64 (2))

    Slartybart said:
    > dsperber is working on a friend's machine: Dell / Vista SP2

    Many thanks for summarizing the chronological essence of this thread.

    Most significant "inflection point" regarding progress came on 2/2 at around 14:55PM when I ran HitmanPro and it found and removed MyWebSearch infection, which included the infected RPCSS.DLL as well as related Registry entries to launch it at system startup.

    So any logs posted earlier in this thread should be viewed in the context of that 2/2 at 14:55PM turning point. Anything before that was with MyWebSearch still present, and anything after was "post-removal" by HitmanPro.

    And then yesterday 2/3 per recommendation I ran SFC /SCANNOW. Apparently the fact that RPCSS.DLL was now missing from C:\Windows\System32 was discovered, and the "backup" version of RPCSS.DLL got restored from the 6002_18005 folder in C:\Windows\Winsxs. Unfortunately that version was itself the infected one. So I now had the infected version once again in C:\Windows\System32, though it appeared completely "harmless" since the necessary Registry entries to launch it into its evil state had actually been deleted on 2/2 by HitmanPro.

    So I then again ran HitmanPro just to once again hopefully delete that infected version of RPCSS.DLL from C:\Windows\System32. This time HitmanPro discovered the backup version in the 6002_18005 folder (which it deleted, per its log) but it doesn't seem to have found and deleted it in C:\Windows\System32. I had thought it had disappeared from both locations following this step, but when I look now it appears to be back in C:\Windows\System32.

    As you can see from the following screenshot, if we believe SearchMyFiles it appears that Windows is seemingly doing its own "restore" of the just-deleted version into C:\Windows\System32, perhaps caused by the effects of the SFC /SCANNOW. I admit I'm confused by the current state of things where for some reason SearchMyFiles discovers a version in C:\Windows\System32 whereas Everything and HitmanPro (just re-run again and latest log attached) do not.



    Furthermore, there is still that "$$DELETEME..." infected version in \Winsxs\Temp\PendingDelete which I don't know how it got there and is not being deleted by anything.



    The good news is that the infected version of RPCSS.DLL, no matter whether it's truly present or not in C:\Windows\System32, is apparently NOT ACTIVE. There are still no new "blocked IP" entries in the MBAM log, so the active malware definitely seems to be purged from the system.


    A few more things to observe, regarding the dates and sizes of the various versions of RPCSS.DLL now present on this Vista machine. The dates of the several infected versions of the file are misleading and inconsistent, I think.

    (1) Based on the D version it would appear that 547,328 is the true original size. And a date of either 1/19/2008 or 1/20/2008 is the correct original date per this Dell build.

    (2) It looks like the original infected size of RPCSS.DLL was 549,888. This version is now living in backup folder 6000.16830 in \Winsxs.

    (3) What looks like a second "decoy" infected version with size 549,888+512=550,400 is now living in backup folder 6000.21023 in \Winsxs.

    (4) The true infected version with size 550,400+512=550,912 was previously stored in backup folder 6002.18005 but has now been deleted by a recent run of HitmanPro. But this infected version does seem to still somehow be present in C:\Windows\System32 according to SearchMyFiles, though it's not seen by Everything or HitmanPro (just re-run again). Quite a mystery here. In any case it is definitely NOT ACTIVE.

    (5) Another "decoy" with size 550,912+512=551,424 is present in two backup folders, 6001.18226 as well as 6001.22389.

    (6) None of the "decoys" gets detected by any scan, and they remain present. Only the 550,912 version has ever been detected by HitmanPro... and this program is currently convinced that it is no longer present.


    Slartybart said:
    > The malware removal guide has more scanners in it than there are logs posted.
    >
    > Can you backfill the logs for the scanners in red:
    > Kaspersky TDSSKiller
    > RKill
    >
    > Malwarebytes Anti-Malware Free
    > HitmanPro
    > RogueKiller
    > AdwCleaner
    > Junkware Removal Tool
    > Checking the system after the clean
    > ESET Online Scanner.
    > Emsisoft Emergency Kit.

    The TDSSKiller log came from running the program in "Windows safe mode" with my friend's manual assistance. He told me the program said NOTHING FOUND. If there was a log from this execution I'm afraid it's lost or was never created. But I don't have it.

    I'm attaching the requested additional logs for RKill, RogueKiller, and Junkware Removal Tool, along with the most recent HitmanPro log (from just a little while ago).

    I hadn't run Emsisoft, but am doing so now. It seems fairly slow, so I'll add its log to this post when it finally finishes.


#62 (Thread Starter; Posts: 2,752; Windows 7 Pro x64 (1), Win7 Pro X64 (2))

    cottonball said:
    > dsperber,
    >
    > tom982's guidance will fix the rpcss.dll issue, however, since you already downloaded and ran FRST, please do the following:
    >
    > Please run FRST again and type the following in the input box after Search: rpcss.dll
    > Click the Search button
    >
    > When done, a report, Search.txt, is created.
    >
    > Please post the results of the Search.txt in your reply.

    Attached.

    Interestingly, FRST seems to confirm SearchMyFiles' discovery of RPCSS.DLL (the infected version size) in C:\Windows\System32, whereas it now appears undiscovered by both Everything and HitmanPro. This is only since running SFC /SCANNOW yesterday.

    Oh well. Hopefully Tom982's guidance will get this all sorted out and end up with the correct original RPCSS.DLL restored into C:\Windows\System32 once and for all.

    Note that the 1/20/2008 version in backup folder 6001.18000, size 547,328 bytes, is the true original Vista version that we ultimately want to restore.


#63 (Thread Starter; Posts: 2,752; Windows 7 Pro x64 (1), Win7 Pro X64 (2))

    tom982 said:
    > This will fix up your SFC corruption :)
    >
    > SFCFix Script
    >
    > Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.
    >
    > 1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
    > 2. Download the file below, SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
    > 3. Save any open documents and close all open windows.
    > 4. On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
    > 5. Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
    > 6. SFCFix will now process the script.
    > 7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
    > 8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.
    >
    > https://dl.dropboxusercontent.com/u/...ber/SFCFix.zip

    Tom,

    Much appreciation for your help and guidance.

    I haven't run this yet as the Emsisoft scan is still running on the infected laptop. But I've looked inside the SFCFix.zip file and am curious about its contents. I've never used these SFCFix tools before and don't yet have an understanding about what it's trying to do.

    But looking inside the zip file it appears that you have the 6002.18005 backup folder (same as is on the Vista laptop), with a copy of RPCSS.DLL that is dated 4/11/2009 and has size 550,400. Actually, that isn't the original content of that backup folder from the Vista laptop. The original version of RPCSS.DLL that was in there was a duplicate of the true infected version living in C:\Windows\System32 and which got purged by HitmanPro, and was originally of size 550,912 bytes. That is the size of the infected RPCSS.DLL which along with the critical Registry entries was causing the original problem.

    Again, I don't know what your goal here is, but I believe that this version is actually a "cousin", i.e. is "one decoy removed" (i.e. 550,912 - 512 = 550,400) from the true 550,912 infected version which is what was found and cleansed away by HitmanPro. I don't believe this 550,400 version is correct.

    I would have expected to see the original Vista version of size 547,328 in your "fix" package, rather than an incorrectly sized "cousin of the infected 550,912 version". Am I wrong? Do I not understand what will actually happen via SFCFix and this incorrect 550,400 version of RPCSS.DLL?

    Or is this 550,400 version from Vista SP2??

    Is this my ignorance showing? I'd like to understand what SFCFix will do when I drop the script onto it, and I'm puzzled by the version of RPCSS.DLL that I see inside that ZIP.

    Can you please explain what's going to happen here.

    Many thanks again.


#64 (Thread Starter; Posts: 2,752; Windows 7 Pro x64 (1), Win7 Pro X64 (2))

    Ok. The EMSISoft scan finally finished. Log attached.

    Very strange.

    (1) It found the 6002.18005 backup folder version of RPCSS.DLL (and deleted it), which had presumably been deleted by HitmanPro. This version did exist previously, but presumably no longer exists and is undetected by both SearchMyFiles and Everything, as well as FRST and HitmanPro.

    So how can it now be found by EMSISoft if it's deleted??

    (2) But it did not find the C:\Windows\System32 version of RPCSS.DLL that SearchMyFiles and FRST currently see and that HitmanPro and Everything do not see.

    How can this file be "visible" to some scans and "invisible" to others? Seems the file is either active and present in the file system and "visible", or it is deleted and gone from the file system and should not be seen by any tool. How can it be both??

    And... WHAT IS THAT $$DELETEME... version in \Winsxs\Temp\PendingDeletes (see my screenshot above in post 61)?? Who created that, and why didn't it ever actually get deleted?? Is it some "quarantine" version from SFC or some other tool? How is it supposed to be deleted, as I cannot ("access denied")?

    Anyway, attached is the requested log.


#65 (Posts: 2,663; Windows 8.1 Pro x64)

    Can you upload a full CBS log please? Then I can explain everything and prove to you it's the right file :)

    C:\Windows\Logs\CBS\CBS.log

    Tom


#66 (Posts: 2,470; Windows 7 Home Premium)

    dsperber said:
    > Oh well. Hopefully Tom982's guidance will get this all sorted out and end up with the correct original RPCSS.DLL restored into C:\Windows\System32 once and for all.

    ^^ You got it!!

    He is a "software distributor" for rpcss!!!



    The MalwareTips link, although well intended, may have provided you too much info at one time.
    It addresses "...viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs..." Wheeww!!

    Running all those programs is not necessary in every case. In your case, a Trojan Horse: Trojan.Patched.Zekos.A

    Malwaretips really means to provide you options, but one needs to sort out what is necessary.

    Getting half cross-eyed when trying to figure out all the ins and outs of this stuff is not uncommon for any and/or all of us!! :)


#67 (Posts: 8,608; Windows 7 Ultimate 32bit SP1)

    You all know this is a Rootkit, doncha'? Let's think about Win/32sirefef


#68 (Thread Starter; Posts: 2,752; Windows 7 Pro x64 (1), Win7 Pro X64 (2))

    Slartybart said:
    > Can you backfill the logs for the scanners in red:
    > [ ] Kaspersky TDSSKiller -> the TDSSkiller log is on C:\ and should be easily identified

    You were right. It was definitely there.

    Attached.


#69 (Thread Starter; Posts: 2,752; Windows 7 Pro x64 (1), Win7 Pro X64 (2))

    tom982 said:
    > Can you upload a full CBS log please? Then I can explain everything and prove to you it's the right file :)
    >
    > C:\Windows\Logs\CBS\CBS.log
    >
    > Tom

    This log seems to be an ongoing accumulation, and actually went back to 2/1 when I ran my first scan. I think this is a distraction.

    I just ran a brand new fresh SFC /SCANNOW and edited the log to only include the output from this latest scan. Hopefully that is what you really want. If you want the complete log (going all the way back to 2/1) I can ZIP it and attach it.

    But hopefully the attached most recent log contribution is what you want.

    Also, here is what SearchMyFiles finds on my system following the SFC /SCANNOW just run. Note that the infected RPCSS.DLL (550,912) has once again returned to C:\Windows\System32 as a result of the "repair" done by SFC!!

    ==> I am STILL looking for an answer as to what the "$$DELETEME..." item is, and why it has not been deleted by whoever created it.



#70 (Posts: 2,663; Windows 8.1 Pro x64)

    Thanks, that's fine too. Okay, looking at the SFC results, we can see it's still flagging rpcss.dll as corrupt:

    Code:
    2014-02-05 00:32:25, Info                  CSI    000001b5 [SR] Verify complete
    2014-02-05 00:32:25, Info                  CSI    000001b6 [SR] Repairing 1 components
    2014-02-05 00:32:25, Info                  CSI    000001b7 [SR] Beginning Verify and Repair transaction
    2014-02-05 00:32:25, Info                  CSI    000001b8 [SR] Cannot repair member file [l:18{9}]"rpcss.dll" of Microsoft-Windows-COM-Base-QFE-RPCSS, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
    2014-02-05 00:32:25, Info                  CSI    000001b9 [SR] Unable to repair \SystemRoot\WinSxS\Manifests\\[l:18{9}]"rpcss.dll"
    2014-02-05 00:32:25, Info                  CSI    000001ba [SR] Cannot repair member file [l:18{9}]"rpcss.dll" of Microsoft-Windows-COM-Base-QFE-RPCSS, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
    2014-02-05 00:32:25, Info                  CSI    000001bb [SR] This component was referenced by [l:160{80}]"Package_25_for_KB948465~31bf3856ad364e35~x86~~6.0.1.18005.948465-113_neutral_GDR"
    2014-02-05 00:32:25, Info                  CSI    000001bc Hashes for file member \??\C:\Windows\System32\rpcss.dll do not match actual file [l:18{9}]"rpcss.dll" :
      Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=} Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
    2014-02-05 00:32:25, Info                  CSI    000001bd [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"rpcss.dll"; source file in store is also corrupted
    Notice this lists the hashes:

    Code:
    Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=} 
    Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
    As you would expect with a corrupt file, the hash found differs from the expected value. The replacement file we need needs to return a hash of 7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=, so let's see what I uploaded:

    Code:
    [2: 1] C:\Users\Tom\Desktop\rpcss.dll 
    File is untraceable.
     Found: 7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=
     Found: 6.0.6002.18005
    Trace not available.
    Exactly the same :) This is the file you need, but since Jacee has mentioned there are rootkits at work here, you shouldn't run this fix until you've been cleaned by one of our security analysts. Nothing will be able to repair this file though, so you will need to fix it after the malware has been removed.

    Regarding your question on my SFCFix script, all it does is copy this file into winsxs and deal with all of the hardlinks, permissions and ownership data so your computer isn't left open to attack.

    Tom
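Added example (not code from the thread, and not part of SFCFix): a short script that does what tom982 did by hand above, so a reader can verify for themselves that a replacement rpcss.dll is "the right file". It pulls the Found/Expected pair out of CBS.log lines of the form quoted in post #70 and hashes a candidate file the same way. The only assumption is that the 32-byte digest CBS prints (the `l:32` length prefix) is SHA-256, base64-encoded; the log excerpt embedded below is copied from the post, and the empty-file check is a constructed input used only to exercise the hash routine.

```python
"""Pull Found/Expected hashes out of SFC's CBS.log output and check whether a
candidate replacement file actually matches the Expected value.

Added example, not code from the thread. Assumes the 32-byte digest CBS prints
is SHA-256 (inferred from the "l:32" length prefix), base64-encoded."""
import base64
import hashlib
import re

# The CBS.log lines quoted in post #70 (copied from the thread, not constructed).
CBS_EXCERPT = r"""
2014-02-05 00:32:25, Info                  CSI    000001bc Hashes for file member \??\C:\Windows\System32\rpcss.dll do not match actual file [l:18{9}]"rpcss.dll" :
  Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=} Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
2014-02-05 00:32:25, Info                  CSI    000001bd [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"rpcss.dll"; source file in store is also corrupted
"""

_MISMATCH_RE = re.compile(r"Hashes for file member (?P<path>\S+) do not match")
_HASH_RE = re.compile(r"(?P<kind>Found|Expected): \{l:(?P<len>\d+) b:(?P<b64>[A-Za-z0-9+/=]+)\}")


def parse_hash_mismatches(log_text):
    """Return one {path, found, expected} dict per hash mismatch in the log.

    CBS writes the Found/Expected pair on the line after the
    'Hashes for file member ... do not match' line, so the path is carried
    forward until that pair is seen."""
    results = []
    pending_path = None
    for line in log_text.splitlines():
        m = _MISMATCH_RE.search(line)
        if m:
            pending_path = m.group("path")
            continue
        if pending_path is None:
            continue
        hashes = {h.group("kind").lower(): h.group("b64") for h in _HASH_RE.finditer(line)}
        if "found" in hashes and "expected" in hashes:
            results.append({"path": pending_path, **hashes})
            pending_path = None
    return results


def sfc_style_hash(data):
    """SHA-256 of the file contents, base64-encoded the way CBS.log prints it."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def candidate_matches(data, expected_b64):
    """True if a candidate replacement file hashes to the Expected value.

    Also checks that the Expected value decodes to a 32-byte digest, which is
    what the 'l:32' prefix in the log promises; anything else is not a
    SHA-256 digest and the comparison would be meaningless."""
    digest = base64.b64decode(expected_b64, validate=True)
    if len(digest) != 32:
        raise ValueError("expected hash is not a 32-byte SHA-256 digest")
    return hashlib.sha256(data).digest() == digest


if __name__ == "__main__":
    for entry in parse_hash_mismatches(CBS_EXCERPT):
        print(entry["path"])
        print("  found:   ", entry["found"])
        print("  expected:", entry["expected"])
        # To check a downloaded replacement (path is whatever you saved it as):
        # candidate_matches(open(r"C:\Users\you\Desktop\rpcss.dll", "rb").read(), entry["expected"])
```

Run against the real C:\Windows\Logs\CBS\CBS.log the parser lists every file SFC could not repair, and `candidate_matches` on the file from a fix package tells you whether it hashes to the manifest's Expected value before you let anything copy it into WinSxS. A match proves the bytes are the component-store version SFC wants; it says nothing about whether the malware that patched the original is gone, which is why the post above says to clean first and repair second.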

