
Infected with Win32/Patched rpcss.dll svchost virus


  • This topic is locked
18 replies to this topic

#16 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:05:27 PM

Posted 26 February 2014 - 05:26 PM

The downloaded file might be corrupted. Please delete the ESET installer, download a new copy and try again.




#17 greenlight20

greenlight20
  • Topic Starter

  • Members
  • 10 posts
  • Local time:10:27 AM

Posted 27 February 2014 - 02:57 AM

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=ed9ca9cf9ad65142b1403ef4d46bddf8
# engine=17241
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-02-27 07:47:37
# local_time=2014-02-27 02:47:37 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776638 100 100 85652598 230094786 0 0
# scanned=342612
# found=53
# cleaned=0
# scan_time=32442
sh=79CE167F8CA12752835BEBE022D4ED26DC63A6A5 ft=1 fh=523314521a2f749e vn="Win32/Patched.IB trojan" ac=I fn="C:\FRST\Quarantine\rpcss.dll26-02-2014_15-38-11"
sh=19A5BE2003EE53F29FF00C007FEF9387E11F96A3 ft=1 fh=a4921d312a5cb083 vn="a variant of Win32/OutBrowse.D potentially unwanted application" ac=I fn="C:\Users\Timothy Davis\AppData\Local\temp\DM1393266902.exe"
sh=CB6CF7094F32CBBFA052031084D63C66BA2A364F ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\Timothy Davis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\3c3f1ac1-77560f47"
sh=CB6CF7094F32CBBFA052031084D63C66BA2A364F ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\Timothy Davis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\35b4174c-551795ed"
sh=90819E664A015A2556EEDDF13B0FF8D879C26000 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\Timothy Davis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\a45a392-6fe01419"
sh=A09D63262CEC92F97F72919190E16B76BB3B60F1 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\Timothy Davis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\71775e82-72ada781"
sh=782B0AD083F61778890592C5488892B44CE896FC ft=0 fh=0000000000000000 vn="Java/TrojanDownloader.Agent.NDR trojan" ac=I fn="C:\Users\Timothy Davis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\790f16c2-15a1b748"
sh=CB6CF7094F32CBBFA052031084D63C66BA2A364F ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\Timothy Davis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\2c9404e6-63d084d7"
sh=A09D63262CEC92F97F72919190E16B76BB3B60F1 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\Timothy Davis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\2469c8b0-650eba5c"
sh=95DDE228C605041E9D1F3012D95612BD597832DA ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\Timothy Davis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\68b2c3f4-6c80cda1"
sh=A09D63262CEC92F97F72919190E16B76BB3B60F1 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\Timothy Davis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\54f22277-6510d3cb"
sh=D694533AF3F1C267FFD1CED66C207294D2D18FE5 ft=0 fh=0000000000000000 vn="PHP/Obfuscated.F potentially unwanted application" ac=I fn="C:\Users\Timothy Davis\Desktop\Desktop\IMGP\WP SuperInstaller\wp super installer.rar"
sh=A398504060D48E7CF753C72606BB4609BDEA25E2 ft=1 fh=8b0bf2dafa64b09a vn="a variant of Win32/InstallCore.D potentially unwanted application" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\Backup\ecommerce research\dropshipping_university\BONUSES\Kurlo_windows_1_3_exe.exe"
sh=41B5143BD7C62A4159A64725DC83D6DF8E736F14 ft=0 fh=0000000000000000 vn="PHP/WebShell.NAH trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-06-14_11-22-17.zip"
sh=A3C313952584BA0923CB324107B9C5D7DEEE012B ft=0 fh=0000000000000000 vn="PHP/WebShell.NAH trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-06-14_11-32-49.zip"
sh=30DB7B6E09EDA88B146DAB097C8295B88F786ACB ft=0 fh=0000000000000000 vn="PHP/WebShell.NAH trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-06-17_03-04-40.zip"
sh=EAB235011DB6A66739B44EC90A77E280FD6B1630 ft=0 fh=0000000000000000 vn="PHP/WebShell.NAH trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-06-24_03-04-33.zip"
sh=1C33710DE7481E9C1133A6DA7AB4B499D5A29B7C ft=0 fh=0000000000000000 vn="PHP/WebShell.NAH trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-07-01_03-10-32.zip"
sh=DD1E0F93AE945BBC5567CE83F15B5514420AABCD ft=0 fh=0000000000000000 vn="PHP/WebShell.NAH trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-07-08_03-10-09.zip"
sh=D4957728EBC8DEF2935655E03285B1D19008E75D ft=0 fh=0000000000000000 vn="PHP/WebShell.NAH trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-07-15_03-36-31.zip"
sh=F13F35B6EF1997675A565CD78D2168311BEB088B ft=0 fh=0000000000000000 vn="HTML/Phishing.Agent.G trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-07-22_03-21-49.zip"
sh=BBEDCEE6CDABD638EE8F740218D5731E1493BBF8 ft=0 fh=0000000000000000 vn="HTML/Phishing.Agent.G trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-07-29_03-05-45.zip"
sh=76536C1ABB14E4A44EF5489634EEF4ECCB5073D8 ft=0 fh=0000000000000000 vn="HTML/Phishing.Agent.G trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-08-05_03-05-05.zip"
sh=48816D219176C6C0B5AED55FFBDF903EFE73B5DB ft=0 fh=0000000000000000 vn="HTML/Phishing.Agent.G trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-08-12_03-39-29.zip"
sh=FE3AD0618713A5300248559930F3BDD14C622F07 ft=0 fh=0000000000000000 vn="HTML/Phishing.Agent.G trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-08-19_03-10-00.zip"
sh=B1A162100C0450A9784E646794313E105A1979ED ft=0 fh=0000000000000000 vn="HTML/Phishing.Agent.G trojan" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\backups\orgreenic_1_2012-08-26_03-04-55.zip"
sh=72F00B81F96F94ECEBCD4896C58070FD585C5A59 ft=0 fh=0000000000000000 vn="PHP/Obfuscated.F potentially unwanted application" ac=I fn="C:\Users\Timothy Davis\Desktop\Dropbox\Enirose\Temp_WebsiteBackups\SellBrokenElect.zip"
sh=A398504060D48E7CF753C72606BB4609BDEA25E2 ft=1 fh=8b0bf2dafa64b09a vn="a variant of Win32/InstallCore.D potentially unwanted application" ac=I fn="C:\Users\Timothy Davis\Desktop\ecommerce research\dropshipping_university\BONUSES\Kurlo_windows_1_3_exe.exe"
sh=2130ED278DF2DAEA7672C3A764D0CFE10E08A77C ft=0 fh=0000000000000000 vn="PHP/WebShell.NAH trojan" ac=I fn="C:\Users\Timothy Davis\Downloads\backup-3.19.2012_00-41-07_orgreen.tar.gz"
sh=A8A37E54DB53B64808D4DE3DDBB505859E9F4269 ft=1 fh=b799c6fdeb2be9bc vn="Win32/Bundled.Toolbar.Google.E potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup311.exe"
sh=9663CAB5F4802FDAD8C719864F2E390BB99F195C ft=1 fh=02a711254bf91c09 vn="Win32/Bundled.Toolbar.Google.E potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup316.exe"
sh=F39A1D9201D021180B9FC8543783D8CE69054DCE ft=1 fh=10783dd2892ae31b vn="Win32/Bundled.Toolbar.Google.E potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup317.exe"
sh=2E9FC5EE22DDB3588857BAEB1EC51885EB3D3C27 ft=1 fh=78aa2c558c3526a3 vn="Win32/Bundled.Toolbar.Google.E potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup318.exe"
sh=2C16CF7AF335A0943C5973070050474E2565691B ft=1 fh=dbab1590fe63551b vn="Win32/Bundled.Toolbar.Google.E potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup319.exe"
sh=7EF1CA17E9835CBBA989D1F2CFEF4B794D928D13 ft=1 fh=c7fc25b20d8e6134 vn="Win32/Bundled.Toolbar.Google.E potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup320.exe"
sh=B876F5F15137EF8A1680C2AC04DC786D2A191DC9 ft=1 fh=850ac12ce80cbbb1 vn="Win32/Bundled.Toolbar.Google.E potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup322.exe"
sh=03659459CF218748D115AB0EBD09E04AE43D9BC4 ft=1 fh=b7fea6e53bda36e3 vn="Win32/Bundled.Toolbar.Google.E potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup323.exe"
sh=D3DF3B07ECA2121949D1C17AC957D0117072E4B6 ft=1 fh=dbddf532259a68ab vn="Win32/Bundled.Toolbar.Google.E potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup324.exe"
sh=25CF9B7BB46B581ED8DE03DDC56E1574087CACAA ft=1 fh=10c5a1651be6049d vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup326.exe"
sh=180C8ED7C81E3AE7B0507B26C927EA93584B017C ft=1 fh=b0b83453fcc7b480 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup327.exe"
sh=3D84C7C0E316EAD02DD7A59E746EC798DAB8BC0C ft=1 fh=ce50a11e70bad71c vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup328.exe"
sh=2FEC2BB06C11B711B37E7D1BAC0004F8F25A4C7B ft=1 fh=9586b0754c97a9e0 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup401.exe"
sh=A4854C3C5A7277D3C02F88330D2023AAD3667533 ft=1 fh=818bd9cd8f0d2ffa vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup403.exe"
sh=59C75B45AC46FAC8C4018205544938C46B1BA631 ft=1 fh=ab462a0af6e69b03 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup405.exe"
sh=ADF2AD3B94EB35DC371AB7A1A49B004B7C76BFA5 ft=1 fh=f95766f30bc4ebc6 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup406.exe"
sh=DD6E088E22874B283348A15DB5159C7B20CC6D22 ft=1 fh=fe9dda6ca79832a6 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup407.exe"
sh=6585F3BCD797EFC2F81599CDE50115668B677D52 ft=1 fh=c4c5afd1d69feff3 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup408 (1).exe"
sh=6585F3BCD797EFC2F81599CDE50115668B677D52 ft=1 fh=c4c5afd1d69feff3 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup408.exe"
sh=932E042070F1567ED5A116E98E3C04D7D07E0681 ft=1 fh=3bf8f6c29b1c29c3 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\ccsetup409.exe"
sh=003591A0F73C481E5A6E47E0E5BEC56CA27D4B0D ft=1 fh=8b0bf2da70c3d92b vn="a variant of Win32/InstallCore.D potentially unwanted application" ac=I fn="C:\Users\Timothy Davis\Downloads\cnet_traffic_travis_zip.exe"
sh=6597E0C7FA3FD0ECB6B30F6C6E5BA10B09128CFE ft=1 fh=3abec4c280fdf559 vn="Win32/Bundled.Toolbar.Google.E potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\dfsetup210.exe"
sh=8FED8B0A2D646AECA2C5EF60FD7A98901AA9CAC3 ft=1 fh=531c0e216047db7b vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\Timothy Davis\Downloads\dfsetup216.exe"
sh=B873BE1075B345B80C3ECB4A2BA109B505C041B3 ft=1 fh=2213f28e190a9bad vn="Win32/Toolbar.Zugo potentially unwanted application" ac=I fn="C:\Users\Timothy Davis\Downloads\freeripmp3-setup.exe"
 



#18 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:05:27 PM

Posted 27 February 2014 - 03:05 AM

Great, not a single one of these found threats is active malware!
They are all just remnants: backups that contain some not-so-clean stuff, and setup files that are bundled with adware.


That's it! Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!



Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Rename Combofix.exe to Uninstall.exe and execute it with a double click. (Beware that file extensions might be hidden, so don't end up with a double extension like Uninstall.exe.exe.)
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.

 

 

 

Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up to date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:


Java 7 Update 45




Tips

I recommend reading and following the "16 simple and easy ways to keep your computer safe and secure on the Internet" by Lawrence Abrams.
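The triage the helper did by hand in this post (sorting the 53 ESET hits into quarantined files, Java plugin cache entries, infected backup archives and adware-bundled installers, and concluding none of it was live) can be scripted. The following is an added example, not code from the thread, from BleepingComputer or from ESET: it parses the `sh=… ft=… fh=… vn="…" ac=… fn="…"` detection lines and the `# key=value` header that the ESET Online Scanner log above uses, and buckets each hit by where it lives. The bucket names, the quarantine folder patterns and the "anything else needs a human look" rule are my assumptions; the sample log embedded below is constructed to mirror the page's format with placeholder hashes, and includes one made-up hit on a live `System32\rpcss.dll` to show what an unquarantined Win32/Patched detection would look like.

```python
"""Triage an ESET Online Scanner log by where each detection lives.

Added example for the thread above; not part of the original posts.
Categories and folder patterns are the author's assumptions.
"""
import re
from collections import defaultdict

# One detection record per line, in the format the scanner log on the page uses.
DETECTION_RE = re.compile(
    r'^sh=(?P<sha1>[0-9A-Fa-f]{40})\s+ft=(?P<ft>\d+)\s+fh=(?P<fh>[0-9A-Fa-f]{16})\s+'
    r'vn="(?P<name>[^"]*)"\s+ac=(?P<ac>\S+)\s+fn="(?P<path>[^"]*)"\s*$'
)
# Header lines such as "# found=53" or "# cleaned=0".
HEADER_RE = re.compile(r'^#\s*(?P<key>\w+)=(?P<value>.*)$')

# Assumed folder patterns (lower-cased, backslash-delimited) used by common cleanup tools.
QUARANTINE_MARKERS = ("\\frst\\quarantine\\", "\\qoobox\\quarantine\\", "\\quarantine\\")
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".tar", ".tar.gz", ".tgz", ".cab")
PUA_PHRASES = ("potentially unwanted application", "potentially unsafe application")

# Constructed sample log (placeholder hashes); the last line is invented to show a live hit.
SAMPLE_LOG = r"""
# version=8
# found=6
# cleaned=0
sh=0000000000000000000000000000000000000001 ft=1 fh=0000000000000001 vn="Win32/Patched.IB trojan" ac=I fn="C:\FRST\Quarantine\rpcss.dll"
sh=0000000000000000000000000000000000000002 ft=0 fh=0000000000000000 vn="Java/TrojanDownloader.Agent.NDR trojan" ac=I fn="C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\790f16c2-15a1b748"
sh=0000000000000000000000000000000000000003 ft=0 fh=0000000000000000 vn="PHP/WebShell.NAH trojan" ac=I fn="C:\Users\user\Desktop\Dropbox\backups\site_2012-06-14.zip"
sh=0000000000000000000000000000000000000004 ft=1 fh=0000000000000004 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\user\Downloads\ccsetup408.exe"
sh=0000000000000000000000000000000000000005 ft=1 fh=0000000000000005 vn="a variant of Win32/InstallCore.D potentially unwanted application" ac=I fn="C:\Users\user\Downloads\some_setup.exe"
sh=0000000000000000000000000000000000000006 ft=1 fh=0000000000000006 vn="Win32/Patched.IB trojan" ac=I fn="C:\Windows\System32\rpcss.dll"
"""


def parse_log(text):
    """Return (header dict, list of detection dicts); lines matching neither format are skipped."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value")
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(m.groupdict())
    return header, detections


def classify(det):
    """Bucket one detection by location first, then by the detection name."""
    path = det["path"].lower()
    name = det["name"].lower()
    if any(marker in path for marker in QUARANTINE_MARKERS):
        return "quarantined"      # already moved aside by a cleanup tool; cannot execute from here
    if JAVA_CACHE_MARKER in path:
        return "java_cache"       # applet/exploit artefacts cached by the Java plugin, not running
    if path.endswith(ARCHIVE_SUFFIXES):
        return "inside_archive"   # bad files packed inside a backup; inert until extracted
    if any(phrase in name for phrase in PUA_PHRASES):
        return "pua_installer"    # adware-bundled setup file sitting in Downloads or temp
    return "review"               # anything else could be live; inspect by hand


def triage(text):
    """Parse a log and group detection paths by bucket; also report parsed vs. header 'found'."""
    header, detections = parse_log(text)
    buckets = defaultdict(list)
    for det in detections:
        buckets[classify(det)].append(det["path"])
    reported = int(header["found"]) if header.get("found", "").isdigit() else len(detections)
    return {"buckets": dict(buckets), "parsed": len(detections), "reported": reported}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"parsed {result['parsed']} of {result['reported']} reported detections")
    for bucket, paths in sorted(result["buckets"].items()):
        print(f"{bucket:15s} {len(paths)}")
        for p in paths:
            print(f"    {p}")
```

Run it against a real `log.txt` by replacing `SAMPLE_LOG` with the file contents; a mismatch between `parsed` and `reported` means a line did not match the regex and deserves a look. Only the `review` bucket should drive further action: on the page's actual log every hit lands in one of the first four buckets, which is the same conclusion the helper reached.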



#19 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:05:27 PM

Posted 12 March 2014 - 12:05 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



