MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131


  1. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #71

    tom982 said:
    This is the file you need
    You're confirming that the ZIP file you provided is correct, and that the 550,400 byte version of RPCSS.DLL is the right one we want to place in the 6002.18005 backup folder as well as end up with eventually in C:\Windows\System32?


    but since Jacee has mentioned there are rootkits at work here, you shouldn't run this fix until you've been cleaned by one of our security analysts.
    You're saying I should NOT run the SFCFix and ZIP that you provided earlier?? I thought you said it was the right one.


    Nothing will be able to repair this file though, so you will need to fix it after the malware has been removed.
    I don't follow. What can't be fixed?? And how is the malware now to be removed... HitmanPro? Something else.

    I'm confused.


    Regarding your question on my SFCFix script, all it does is copy this file into winsxs and deal with all of the hardlinks, permissions and ownership data so your computer isn't left open to attack.
    So should I run it or not? Now, or later after some other preliminary step?

    I'm confused. What do I run or not run, and if I'm waiting for "further instructions" from you or someone else please let me know.

    Thanks.


  2. Posts : 2,470
    Windows 7 Home Premium
       #72

    dsperber,

    My apology for the confusion we have caused.

    The issue is that your Operating System shows as infected by Trojan.Patched.Zekos.

    This particular trojan may display with Trojan.Patched.Sirefef, identified as the ZeroAccess Rootkit.

    On the last Farbar Recovery Scan Tool report you posted, there was no sign of the Sirefef/ZeroAccess Rootkit. I do not recall seeing it in other reports either.

    However, since malware works fast, and in strange ways, at this point, the best thing you can do is remove the copy of the Farbar Recovery Scan Tool that you have, including its C:\FRST folder, and download a new and updated copy.

    Download: Farbar Recovery Scan Tool Download
    Select the version that applies to your system: 32-bit

    Save it to your Desktop.

    Double-click the downloaded file to run it.
    When the tool opens, click Yes to the disclaimer.
    Also check the Addition.txt, if not already checked.

    Press the Scan button.

    When done, the tool makes a log, FRST.txt, on the Desktop.

    Please provide the FRST.txt in your reply.

    It also creates another log: Addition.txt
    Also post the Addition.txt in your reply.


    Using the new FRST information, we'll prepare a script for you to run, and get rid of any malicious files that show.

    We can also address the rpcss issue using FRST, but since you already ran SFC, tom982, who is without doubt an expert in solving SFC issues, will re-enter the game and work on replacing the rpcss.dll.

    You are in good hands, so please hang in there, and please do not run any more programs; let FRST and tom982's SFCfix files (.exe and .zip) do the work for you!!!

    If you have any other questions, feel free to ask!

    Thank you for your understanding and your patience.




  3. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #73

    cottonball said:
    dsperber,

    My apology for the confusion we have caused.

    The issue is that your Operating System shows as infected by Trojan.Patched.Zekos.

    This particular trojan may display with Trojan.Patched.Sirefef, identified as the ZeroAccess Rootkit.

    On the last Farbar Recovery Scan Tool report you posted, there was no sign of the Sirefef/ZeroAccess Rootkit. I do not recall seeing it in other reports either.
    I believe it had been observed and identified as Trojan.Patched.Zekos in my [presumed] "success" post #37, via HitmanPro.

    But you're right, it never showed as Trojan.Patched.Sirefef or ZeroAccess Rootkit.

    I had assumed it got removed by HitmanPro, although there is that "Pending Delete" annotation which I am not clear about, although I definitely DID re-boot after that scan and pushing its DELETE button. And yet, there is still the mysterious $$DELETEME... item in \PendingDeletes which has yet to go away, and that I'm still asking for someone to explain to me.

    Nevertheless... I will not run anything more unless specifically told to. There is currently no outgoing access to the problem IPs, so the effect of the malware does appear to be "removed" even if all remnants are not.


    However, since malware works fast, and in strange ways, at this point, the best thing you can do is remove the copy of the Farbar Recovery Scan Tool that you have, including its C:\FRST folder, and download a new and updated copy.

    Download: Farbar Recovery Scan Tool Download
    Select the version that applies to your system: 32-bit

    Save it to your Desktop.

    Double-click the downloaded file to run it.
    When the tool opens, click Yes to the disclaimer.
    Also check the Addition.txt, if not already checked.

    Press the Scan button.

    When done, the tool makes a log, FRST.txt, on the Desktop.

    Please provide the FRST.txt in your reply.

    It also creates another log: Addition.txt
    Also post the Addition.txt in your reply.
    Both logs from the most recent Farbar SCAN just performed are attached below.

    Thank you very much for your patience, help and guidance. Note that I have NOT gone beyond this, and have not run SFC again nor SFCFix using Tom's originally posted recipe. I will await further new and specific instructions before doing anything.


  4. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #74

    Slartybart said:
    AHA!

    I just looked at the most recent of these logs that I was asked to produce from a fresh run of Farbar, and sure enough the things I had asked you about were absolutely right there!

    I didn't realize originally that you were actually quoting from those very original logs in your post. I thought you had done your own post-processing or further analysis of what had been revealed. I now see them in the new logs as well.

    My misunderstanding. Now clarified. Thanks.


  5. Posts : 2,470
    Windows 7 Home Premium
       #75

    dsperber,

    Glad things are a little clearer... :)

    On:
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll
    Looks as if HitmanPro is not the program to handle this.

    tom982 will take care of it with the SFCfix after we clean up the files everything else missed.

    Will take a look at the FRST reports a little later today, and will get back to you this evening with the action required for your system.

    Thanks for your patience.


  6. Posts : 2,663
    Windows 8.1 Pro x64
       #76

    dsperber said:
    tom982 said:
    This is the file you need
    You're confirming that the ZIP file you provided is correct, and that the 550,400 byte version of RPCSS.DLL is the right one we want to place in the 6002.18005 backup folder as well as end up with eventually in C:\Windows\System32?
    Yes, the file I uploaded was correct. I don't have time to check all the sizes but I know I've uploaded the right file as per the hashes in my previous post. Yes it will end up in winsxs and system32 (technically it's just one file linked to both locations).

    but since Jacee has mentioned there are rootkits at work here, you shouldn't run this fix until you've been cleaned by one of our security analysts.
    You're saying I should NOT run the SFCFix and ZIP that you provided earlier?? I thought you said it was the right one.
    Correct, do not run my script until the malware has been removed. It is the right file, but I'm not sure who would win in a fight between the malware and SFCFix. Whatever you still have on board is patching this file and may well be protecting it, so there's not much point trying to repair it until we've removed the malware.

    Nothing will be able to repair this file though, so you will need to fix it after the malware has been removed.
    I don't follow. What can't be fixed?? And how is the malware now to be removed... HitmanPro? Something else.
    None of the malware removal tools will be able to replace rpcss.dll with a clean copy as there isn't a clean copy on your computer to replace it with - this is something we will have to do at the end with my SFCFix script. I can't comment on the malware removal I'm afraid, I'm still in training and am under strict rules not to assist with malware removal during this time.

    I'm confused.
    Hope this clears it up :)

    Regarding your question on my SFCFix script, all it does is copy this file into winsxs and deal with all of the hardlinks, permissions and ownership data so your computer isn't left open to attack.
    So should I run it or not? Now, or later after some other preliminary step?
    Once again, do not run my script until I give you the go ahead :) Wait for cottonball/Jacee to clean your computer, then we can get to work.

    Tom


  7. Posts : 2,470
    Windows 7 Home Premium
       #77

    dsperber,

    FRST was run from here: Running from C:\BBS\Farbar

    As requested, please have FRST on the Desktop!

    Next, please open notepad (Start > All Programs > Accessories > Notepad)

    Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
    Save it to the Desktop, where FRST is now located, and name it: fixlist.txt

    Note: The fixlist.txt and FRST must both be on the Desktop, or this will not work!

    Code:
    start
    HKLM\...\Run: [] - [X]
    HKU\S-1-5-21-1484120312-2850907632-530992151-1000\...\MountPoints2: G - G:\LaunchU3.exe
    HKU\S-1-5-21-1484120312-2850907632-530992151-1000\...\MountPoints2: {6acf7da0-e49b-11de-bc1c-00038a000015} - G:\LaunchU3.exe
    SearchScopes: HKLM - DefaultScope value is missing.
    2014-01-29 21:29 - 2014-01-29 21:29 - 00000000 ____S () C:\Windows\system32\ubwvq.dqs
    2014-01-28 19:01 - 2014-01-28 19:01 - 00000000 ____S () C:\Windows\system32\ifmhg.xgj
    2014-01-26 08:56 - 2014-01-26 08:56 - 00028672 _____ () C:\Windows\system32\fdnzvw.cnw
    2014-01-26 08:45 - 2014-02-02 14:10 - 00000078 _____ () C:\Windows\system32\ntkziiv.ccs
    2014-01-26 08:45 - 2014-01-26 08:56 - 00000100 _____ () C:\Windows\system32\ohwyn.tgy
    2014-01-26 08:45 - 2014-01-26 08:45 - 00000064 _____ () C:\Windows\system32\yqqn.sxt
    2014-01-04 11:46 - 2014-01-04 11:46 - 00101213 ____S () C:\Windows\system32\cdklx.uaf
    end
    NOTICE: This script is written specifically for this computer!!!
    Running this on another computer may cause damage to the Operating System.

    Now, please run FRST, and press the Fix button just once, and wait.

    When done, the tool creates a report on the Desktop called: Fixlog.txt

    Please post the Fixlog.txt in your reply.
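A small triage helper, added here and not part of the thread, of FRST or of cottonball's script: it parses FRST file-listing lines of the shape used in the fixlist above ("created - modified - size attributes (company) path") and flags the pattern that fixlist targets, publisher-less files with random names and non-standard extensions dropped into system32. The field layout is inferred from the thread's own lines, and the extension whitelist and the clean rpcss.dll sample entry are assumptions.

```python
import re
from dataclasses import dataclass

# Added example, not from the thread or from FRST: the field layout "created - modified -
# size attributes (company) path" is inferred from the fixlist lines in the post above.
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Extensions that legitimately live in system32 (assumption; extend for your own baseline).
EXPECTED_EXT = {".dll", ".exe", ".sys", ".drv", ".ocx", ".mui", ".dat", ".log", ".ini",
                ".xml", ".cpl", ".ax", ".tlb", ".nls", ".msc", ".txt"}

@dataclass
class FrstEntry:
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    path: str

def parse_line(line: str):
    """Return an FrstEntry for a file-listing line, or None for any other line shape."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    return FrstEntry(m["created"], m["modified"], int(m["size"]),
                     m["attrs"], m["company"], m["path"])

def is_suspicious(e: FrstEntry) -> bool:
    """Publisher-less file under system32 whose extension Windows does not use there."""
    low = e.path.lower()
    if "\\windows\\system32\\" not in low:
        return False
    base = low.rsplit("\\", 1)[-1]
    ext = base[base.rfind("."):] if "." in base else ""
    return e.company == "" and ext not in EXPECTED_EXT

def flag_listing(text: str):
    """List of paths in an FRST listing that match the heuristic, in listing order."""
    return [e.path for e in map(parse_line, text.splitlines()) if e and is_suspicious(e)]

# Constructed sample: two entries copied from the fixlist above plus an assumed clean
# rpcss.dll line (only its 550,400-byte size comes from the thread).
SAMPLE = """\
2014-01-29 21:29 - 2014-01-29 21:29 - 00000000 ____S () C:\\Windows\\system32\\ubwvq.dqs
2014-01-26 08:56 - 2014-01-26 08:56 - 00028672 _____ () C:\\Windows\\system32\\fdnzvw.cnw
2014-01-20 10:00 - 2014-01-20 10:00 - 00550400 _____ (Microsoft Corporation) C:\\Windows\\System32\\rpcss.dll
"""
```

Flagged paths are candidates for review against a known-good baseline, not an automatic delete list; the patched rpcss.dll itself is not caught by this heuristic, which is exactly why the thread replaces it separately.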


  8. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #78

    cottonball said:
    dsperber,

    FRST was run from here: Running from C:\BBS\Farbar
    Yes, sorry. Didn't think it was crucial for the scan. The actual "owner" of the laptop likes to keep the desktop "clean" so I was trying to keep the tools for this project in a private folder. Didn't want to lose anything even if I were to purge the items I had used from the desktop when done, so I thought this method would be acceptable... at least for the scan.


    As requested, please have FRST on the Desktop!
    Yes, I have now placed it on the Desktop for use in the upcoming FIX step.


    Next, please open notepad (Start > All Programs > Accessories > Notepad)

    Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
    Save it to the Desktop, where FRST is now located, and name it: fixlist.txt

    Note: The fixlist.txt and FRST must both be on the Desktop, or this will not work!
    Understood.


    Now, please run FRST, and press the Fix button just once, and wait.

    When done, the tool creates a report on the Desktop called: Fixlog.txt

    Please post the Fixlog.txt in your reply.
    Attached.


  9. Posts : 2,470
    Windows 7 Home Premium
       #79

    Good job, dsperber!!

    Since you already have the program installed, please use: Malwarebytes Anti-Malware (MBAM)
    Double-click the MBAM file to run it.

    If an update is found, the program automatically updates itself.
    At the program console, on the Scanner tab, select: Perform Quick Scan

    Next, click on the Scan button.

    When the scan is completed, click on: Show Results

    When presented with a screen showing the malware detected, take a good look at the items shown, and, if present, uncheck:
    C:\Windows\System32\rpcss.dll

    (MBAM cannot disinfect the file and make it whole again, and we do not want the file removed! We want it replaced!)

    Next, checkmark whatever else is found, and click on: Remove Selected

    When removal is completed, a report opens in Notepad.

    Please provide the entire contents of the MBAM report in your reply.


    Thanks!




  10. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #80

    cottonball said:
    please use: Malwarebytes Anti-Malware (MBAM)
    Double-click the MBAM file to run it.

    At the program console, on the Scanner tab, select: Perform Quick Scan

    Next, click on the Scan button.

    When the scan is completed, click on: Show Results
    There was nothing malicious found. No "show results" opportunity.

    See attached log.

