Great work, cottonball! Now that you're clean, we can perform the last bit of the fix:
SFCFix Script
Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.
- Download SFCFix.exe (by niemiro) and save this to your Desktop.
- Download the file below, SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
- Save any open documents and close all open windows.
- On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
- Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
- SFCFix will now process the script.
- Upon completion, a file should be created on your Desktop: SFCFix.txt.
- Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.
https://dl.dropboxusercontent.com/u/...ber/SFCFix.zip
SFC Scan
- Click on the Start button and in the search box, type Command Prompt
- When you see Command Prompt on the list, right-click on it and select Run as administrator
- When command prompt opens, copy and paste the following commands into it, press enter after each
sfc /scannow
Wait for this to finish before you continue
copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt
- This will create a file, cbs.txt on your Desktop. Please attach this to your next post.
Tom
Step 2 is still running, so I thought I'd post the results of the above Step 1.
Log is attached.
Here is a screenshot of the current state of things regarding RPCSS.DLL following the above SFCFix.
I will post the results of the /SCANNOW along with a second screenshot again showing the whereabouts of RPCSS.DLL in my next reply, when it finishes.
I believe we have liftoff!
Looks like SFC /SCANNOW has correctly replaced the infected 550,912 byte version of RPCSS.DLL (which just a moment ago was in C:\Windows\System32) with the new 550,400 byte clean one you provided in the ZIP file going into SFCFix.
I'm attaching the log from the /SCANNOW.
Now... the only remaining item is that there are now TWO copies of the infected version of RPCSS.DLL still living in \Winsxs\Temp\PendingDeletes of the form $$DELETEME.... Previously there was only one. So obviously it is the SFC /SCANNOW which is creating these.
However I myself cannot delete them (access denied). So how are they supposed to get deleted??? I don't want them on my system, as they are the infected versions. Even though HitmanPro long ago (several days ago) removed the crucial activating Registry entries so that these two $$DELETEME versions are harmless, I still want to delete them... as their name suggests was intended.
So, how does one go about deleting them??
Anyway, this long and arduous process does appear to be just about at its true completion once these two $$DELETEME files are finally deleted. They are the only existing copies of the infected RPCSS.DLL remaining on the disk.
Can't thank all of you who contributed anything at all enough. Reps will be given all around!
dsperber,
Not to worry...
There are several hours of time difference between tom982 and us, so, we need to wait for his assessment of the replacement by SFC.
Excellent! The repair went through, and SFC has been able to reform the hardlinks:
Code:
2014-02-06 14:41:47, Info CSI 000001bc [SR] Unable to complete Verify and Repair transaction because some of the files that need to be repaired are in use. A reboot is required to complete this operation.
2014-02-06 14:41:47, Info CSI 000001bd [SR] Repairing 1 components
2014-02-06 14:41:47, Info CSI 000001be [SR] Beginning Verify and Repair transaction
2014-02-06 14:41:47, Info CSI 000001bf Hashes for file member \??\C:\Windows\System32\rpcss.dll do not match actual file [l:18{9}]"rpcss.dll" :
  Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=}
  Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
2014-02-06 14:41:47, Info CSI 000001c0 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"rpcss.dll" from store
2014-02-06 14:41:47, Info CSI 000001c1 Repair results created:
POQ 85 starts:
  0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\7afaf9787323cf01d22300005c133c07._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
  1: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\9a1e01797323cf01d32300005c133c07.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
  2: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\7a050d797323cf01d42300005c133c07.$$_system32_21f9a9c4a2f8b514.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"
  3: Hard Link File: Source = [l:246{123}]"\SystemRoot\WinSxS\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll", Destination = [l:66{33}]"\??\C:\Windows\System32\rpcss.dll"
POQ 85 ends.
2014-02-06 14:41:47, Info CSI 000001c2 [SR] Repair complete
So we've fixed rpcss.dll; now for the next issue! I suspect this issue will be fixed if you reboot, so reboot your computer and let me know how it goes. This error is a little worrying though; it's unusual for an issue like this to return a fatal (F) error like this:
Code:
2014-02-06 14:41:47, Error CSI 000001bb (F) STATUS_CANNOT_DELETE #4098596# from RtlRunPrimitiveOperationsFromCallbacksAgainstSil(...)[gle=0xd0000121]
If they don't get removed over a reboot then we'll have to do it manually.
Tom
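As an added illustration (not part of this thread, SFCFix or any tool mentioned here), a small Python parser that pulls the repair story out of CBS.log lines like the ones quoted above: which file member's hash mismatched (Found vs Expected, decoded from base64 to hex), how many components SFC repaired, whether a fatal (F) CSI error was logged, and whether a reboot is still pending. The sample log text is constructed from the excerpt above, and the SHA-256 helper rests on the assumption that CSI's 32-byte file hash is SHA-256.

```python
import base64
import hashlib
import re

# Constructed sample, shaped like the CBS.log excerpt quoted in the thread (not a real log file).
SAMPLE_CBS_LOG = r"""
2014-02-06 14:41:47, Error CSI 000001bb (F) STATUS_CANNOT_DELETE #4098596# from RtlRunPrimitiveOperationsFromCallbacksAgainstSil(...)[gle=0xd0000121]
2014-02-06 14:41:47, Info CSI 000001bc [SR] Unable to complete Verify and Repair transaction because some of the files that need to be repaired are in use. A reboot is required to complete this operation.
2014-02-06 14:41:47, Info CSI 000001bd [SR] Repairing 1 components
2014-02-06 14:41:47, Info CSI 000001bf Hashes for file member \??\C:\Windows\System32\rpcss.dll do not match actual file [l:18{9}]"rpcss.dll" : Found: {l:32 b:LoH+3oc4UsIVMAq3bp2C8hqqNYK8qz7aMTs/OXlfwY4=} Expected: {l:32 b:7AKkEtpf3ix1mkosWQRXnhznxJmc6HFFgS81T8j14YM=}
2014-02-06 14:41:47, Info CSI 000001c0 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"rpcss.dll" from store
2014-02-06 14:41:47, Info CSI 000001c2 [SR] Repair complete
"""

HASH_RE = re.compile(r"Hashes for file member (?P<member>\S+) do not match actual file .*?"
                     r"Found: \{l:\d+ b:(?P<found>[A-Za-z0-9+/=]+)\} Expected: \{l:\d+ b:(?P<expected>[A-Za-z0-9+/=]+)\}")
FATAL_RE = re.compile(r"Error CSI \w+ \(F\) (?P<status>[A-Z_]+)")  # (F) marks a fatal CSI error, e.g. STATUS_CANNOT_DELETE
REPAIRING_RE = re.compile(r"\[SR\] Repairing (?P<n>\d+) components")


def summarize_cbs_log(text):
    """Summarise the [SR] repair entries: hash mismatches, fatal errors, reboot pending, repair completed."""
    summary = {"mismatches": [], "fatal_errors": [], "components_repaired": 0,
               "reboot_required": False, "repair_complete": False}
    for line in text.splitlines():
        m = HASH_RE.search(line)
        if m:
            # l:32 means a 32-byte hash; CSI stores it base64-encoded, hex is easier to compare with other tools.
            summary["mismatches"].append({"member": m.group("member"),
                                          "found": base64.b64decode(m.group("found")).hex(),
                                          "expected": base64.b64decode(m.group("expected")).hex()})
            continue
        m = FATAL_RE.search(line)
        if m:
            summary["fatal_errors"].append(m.group("status"))
        m = REPAIRING_RE.search(line)
        if m:
            summary["components_repaired"] += int(m.group("n"))
        if "A reboot is required" in line:
            summary["reboot_required"] = True
        if "[SR] Repair complete" in line:
            summary["repair_complete"] = True
    return summary


def sha256_hex(data):
    """Hex digest of file bytes to compare with the Expected value (assumption: the 32-byte CSI hash is SHA-256)."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for key, value in summarize_cbs_log(SAMPLE_CBS_LOG).items():
        print(key, value)
```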
Well, I re-booted but I don't know what you expect to happen. I had already re-booted previously (following the SFC /SCANNOW) and the results posted reflected that re-boot. And there were still the two $$DELETEME versions of the corrupted RPCSS.DLL still sitting there in \Winsxs\Temp\PendingDeletes, having been created there by SFC but not actually deleted.
So I didn't have any expectations about seeing those two files disappear upon a new re-boot. And in fact they did NOT disappear. They're still there.
So I don't know what else you've described as "the next issue". Is it these two files that don't seem to actually ever get deleted? Or is it some other file?
Also, I ran my own screenshot looking for RPCSS.DLL, posted above. But if you wanted me to run some other scan utility you didn't mention it. So I don't know what you expected me to provide in this reply that would tell you "how it went"?? What log file or other output are you wanting me to generate and post for you to look at, now that I've re-booted?
I'd like to get rid of those two $$DELETEME files, and it sounds like you've seen (in the SFC log) a third file that didn't get deleted either... although I don't know what that file is.
Waiting for your next instructions.
Cottonball, would you mind killing off this folder with FRST please? I'm not sure what permissions are on this folder and its subfiles, but I'm guessing it will be a little more than a right click > delete, and the only tools I know to do a job like this are the malware removal ones, i.e. tools I'm not allowed to use yet (the fun ones!)
C:\Windows\winsxs\Temp\PendingDeletes
Tom
@tom982:
Not quite sure we can nuke: PendingDeletes
To my understanding, the files in it are files that Windows has designated for deletion in the future...??
On the CSI issue you pointed out, have no clue on what it is.
My idea of CSI is "Crime Scene Investigation"
@dsperber:
Let's find the path of the files, and will press on from there.
Please run FRST again and type the following in the input box after Search:
Code:
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.*
Click the Search button
When done, a report, Search.txt, is created.
Please post the results of the Search.txt in your reply.
If the above shows no results, use this input instead:
Code:
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000
Also run SystemLook:
http://jpshortstuff.247fixes.com/SystemLook.exe
•Double-click SystemLook.exe to run it.
•Copy the content inside the codebox into the input field:
Code:
:filefind
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.*
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000
•Click the Look button to start the scan.
•When finished, a notepad window opens with the results of the scan.
Also post the SystemLook report in your reply.
Thanks.
Last edited by cottonball; 07 Feb 2014 at 14:03.