MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

Page 10 of 11

  1. Posts : 2,663
    Windows 8.1 Pro x64
       #91

    dsperber said:
    tom982 said:
    Cottonball, would you mind killing off this folder with FRST please?

    C:\Windows\winsxs\Temp\PendingDeletes
    So is this the last of it, and the two files inside it?

    Or was there some other third file that you'd noticed in the SFC log which also must be dealt with? That's what I thought you were pointing out.
    I'm in a rush so I've got to keep this short. The error didn't actually mention a file, but I suspect it was one of the two you found; in answer to your question, no there isn't a third file :)


  2. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #92

    cottonball said:
    Please run FRST again
    If the above shows no results, use this input instead:

    Code:
     
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000
    Didn't work with the complete path/file in the search argument.

    But with just the file name in the search, it did do what you wanted.

    Log attached.


    Also run SystemLook:
    http://jpshortstuff.247fixes.com/SystemLook.exe

    • Double-click SystemLook.exe to run it.
    • Copy the content inside the codebox into the input field:
    Again, the search only expects the file name, not the complete path.

    Log attached.


  3. Posts : 2,470
    Windows 7 Home Premium
       #93

    dsperber,

    Once again, please open notepad (Start > All Programs > Accessories > Notepad)

    Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
    Save it to the Desktop, and name it: fixlist.txt

    Note: The fixlist.txt and FRST must both be on the Desktop, or this will not work!

    Code:
    start
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000
    end
    Now, please run FRST, and press the Fix button just once, and wait.

    When done, the tool creates a report on the Desktop called: Fixlog.txt

    Please post the Fixlog.txt in your reply.


  4. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #94

    cottonball said:
    dsperber,

    Once again, please open notepad (Start > All Programs > Accessories > Notepad)

    Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
    Save it to the Desktop, and name it: fixlist.txt

    Now, please run FRST, and press the Fix button just once, and wait.

    When done, the tool creates a report on the Desktop called: Fixlog.txt

    Please post the Fixlog.txt in your reply.
    Well, I do believe we're finished here! GONE.



    Log attached.

    'Twas a long, hard journey, but we have emerged victorious!

    Now this thread REALLY is "solved".

    Time to spread the "reps". Again, can't thank you all enough for your patience and help over this past week.


  5. Posts : 10,485
    W7 Pro SP1 64bit
       #95

    Glad that you got it all sorted


  6. Posts : 2,470
    Windows 7 Home Premium
       #96



    Great job, dsperber!!!

    Please give me a day or so to go over the entire thread, and then we can wrap up.


  7. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #97

    UsernameIssues said:
    Glad that you got it all sorted
    Indeed.

    And when it rains it pours...

    I finally got reconnected to my cousin's Win7 HP desktop machine in NY, using TeamViewer instead of RealVNC. I'd been prevented from connecting for the past few months ever since I changed the port-forwarding configuration on his Verizon modem/router for additional security (and to try and thwart "port scanners" who were trying to get through port 5900 on every RealVNC-enabled machine I support for friends and family). I think it's a problem with the Verizon router, but whatever the explanation I could never again get to the VNC Server running on his machine.

    Having recently learned about TeamViewer (which uses a different connectivity approach than VNC and does not require opening ports on a router and adding Windows Firewall exceptions), I had him install TeamViewer yesterday and now sure enough I was finally able to get onto his PC to help him out with his real issue... which was DEADLY SLOW COMPUTER BEHAVIOR!

    I of course was immediately suspicious of some type of infection/malware, especially as he's an AOL user. And although I had long ago installed Microsoft Security Essentials on his machine I'd not been able to install Anti-Malware since I haven't had connectivity through VNC for several months now... at least not until yesterday when I had him install TeamViewer.

    Initial inspection through Task Manager showed constant 100% CPU usage. This was essentially from what appeared to be multiple copies of Internet Explorer running simultaneously, and burning up all the CPU.

    Ok. It took a VERY LONG time to get everything to run (because I kept fighting with numerous seemingly self-launching copies of what Task Manager claimed were IEXPLORE.EXE and IEXPLORE32.EXE tasks, and when I'd END TASK them, they'd just re-launch!) because the machine was so deadly slow. But eventually I finally completed running the same "recipe" of scan/DELETE malware-detecting utilities that I just came through myself this past week on my friend's Vista laptop in Florida.

    And sure enough, there was PLENTY OF MALWARE PRESENT.

    And with the results of each completed utility scan I also pushed the DELETE button to remove everything which had been discovered. This included MBAM Pro (which I installed on his machine) and RogueKiller, both of which detected various threats and objects worthy of deleting through their scans.

    And once again, it was HitmanPro which found (a) a Trojan, sorry can't remember its name and I've since deleted the log, along with Registry entries, and (b) even FIREFOX.EXE was "infected" and had to be quarantined (the rest of the items and cookies and dangerous PREFS.JS lines for Firefox could be permanently deleted)!

    I also uninstalled several "questionable" and obviously unwanted programs using Control Panel, as well as reverting his home page in IE from what had become (probably unnoticed by him) xol-dot-com instead of aol-dot-com as it should have been. To get Firefox back I also reinstalled a freshly downloaded v27 copy of the installer, since the infected FIREFOX.EXE had been quarantined.

    I also discovered that Windows Firewall had been disabled (actually, the Service had been disabled, probably by the malware) and I re-enabled that as well.

    And, in the end, the machine is now once again seemingly working perfectly and up-to-speed. Obviously it helps not to have 8 copies of "IE" trying to get started simultaneously, not to mention what plug-ins were previously active, not to mention what was happening when Firefox was launched (unaware that it was infected as well).

    You can't imagine how appreciative my cousin was to me (and, by implication, from me to all-of-you for what I learned this past week on this thread) for how his PC has now "come completely back to life", from being essentially "dead".

    Hopefully the newly installed presence of MBAM will help guard against possible future infections (again, AOL users seem to be particularly vulnerable of late).

    When it rains it pours.


  8. Posts : 10,485
    W7 Pro SP1 64bit
       #98

    I hope that you did most of that cleanup work while in the safe mode. Fewer bad things should be running while in the safe mode. Teamviewer works in the safe mode.

    One of the computers that I remote into would not connect via TeamViewer today. This makes two computers this week that have not let me back in using TeamViewer. That is why I like to have a second or third way to get in.


  9. Posts : 2,470
    Windows 7 Home Premium
       #99

    Let's remove the following tools used and their reports, since these tools are updated frequently, and it is best to have a new copy:

    AdwCleaner > Run the tool, and press: Uninstall
    TDSSKiller
    RKill
    RogueKiller
    Junkware Removal Tool
    Farbar Recovery Scan Tool, its C:\FRST folder, and associated reports
    SFCFix.zip
    SFCFix.exe
    cbs logs

    The ESET Online Scan is a program you may want to use every so often.

    Also, make sure security software is ALL enabled and running!

    Thanks for following all the instructions and providing the reports!!

    Have a great week, dsperber!!


  10. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #100

    I got power back yesterday and Internet back today, sorry for my absence. The storm itself wasn't that bad, but those early 20th century wires couldn't carry the weight of the ice. Transformers were blowing for 30 miles in all directions (mostly east and west). It was fun... like camping in the winter... cold and dark.... makes you appreciate what you have the rest of the time.

    First, I want to say that this was a great example of team effort - thanks go out to everyone.

    Second, make sure your friend keeps the machine protected with an up-to-date real time A/V program and that they practice safe surfing / messaging. Malware can get past even the best protection, so run an on-demand scanner once a month (ESET is good, but slow... Mbam and AdwCleaner are good quick checks); pick a few and run them periodically (those are the three that I use to see if anything got past Avast! be free).

    Third, I'll add to Cottonball's cleanup list - TDSSkiller logs on C:\ can be removed.

    Fourth, I learned a few things (as usual here on SF) -
    SFCfix will be new and improved!
    FRST can kill off winsxs files.. although one of the pending deletes required a restart - has that already been done?
    From the FRST fixlog:
    Could not move "C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000" => Scheduled to move on reboot.
    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000 => Moved successfully.
    => Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-02-07 19:40:56)<=

    C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000 => Is moved successfully.
    So now you're helping your cousin in NY - did I read that correctly?

    Good luck with that project - open a new thread if you think you need help on that.

    Bill
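Bill's question above (was the reboot-scheduled delete actually completed?) can be answered mechanically from the Fixlog. The following is an added example, not code from the thread or from the FRST tool itself: it parses a Fixlog in the line format quoted above and reports any path that was "Scheduled to move on reboot" but has no matching "Is moved successfully" line in the post-reboot result section. The sample log is constructed from the quoted lines, and the regular expressions assume only that format.

```python
import re

# Constructed sample, modelled on the Fixlog excerpt quoted in the thread.
SAMPLE_FIXLOG = r"""
Could not move "C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000" => Scheduled to move on reboot.
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2373a53dd39a.0000 => Moved successfully.
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-02-07 19:40:56)<=

C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.rpcss.dll.01cf2163f246e720.0000 => Is moved successfully.
"""

# One action line: optional 'Could not move ' prefix, optionally quoted path, ' => ', status.
# Assumed from the quoted lines only; other Fixlog line types are ignored.
ACTION_RE = re.compile(
    r'^(?:Could not move )?"?(?P<path>[A-Za-z]:\\[^"]+?)"? => (?P<status>.+?)\.?$'
)
# Header that starts the section written after the reboot.
RESULT_HEADER_RE = re.compile(r'^=> Result of Scheduled Files to move \(Boot Mode: [^)]+\)')


def parse_fixlog(text):
    """Return (actions, reboot_results): both map path -> status text.

    'actions' holds what FRST did during the Fix run itself;
    'reboot_results' holds what it reported after the scheduled reboot.
    """
    actions, reboot_results = {}, {}
    target = actions
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RESULT_HEADER_RE.match(line):
            target = reboot_results  # everything below is post-reboot output
            continue
        m = ACTION_RE.match(line)
        if m:
            target[m["path"]] = m["status"]
    return actions, reboot_results


def unconfirmed_reboot_moves(text):
    """Paths deferred to reboot that the log never confirms as moved (sorted)."""
    actions, reboot_results = parse_fixlog(text)
    return sorted(
        path for path, status in actions.items()
        if status.startswith("Scheduled to move on reboot")
        and reboot_results.get(path) != "Is moved successfully"
    )


if __name__ == "__main__":
    for path in unconfirmed_reboot_moves(SAMPLE_FIXLOG) or ["(none: reboot completed all deferred moves)"]:
        print("still pending:", path)
```

If the log was captured before the machine was restarted, the result section is absent and the deferred path is reported as still pending; once the post-reboot lines are present the list is empty.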

