Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cleaned system, but fixing rpcss.dll = Vista Black Screen white cursor


  • This topic is locked This topic is locked
3 replies to this topic

#1 urbanriot

urbanriot

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 03 March 2014 - 03:26 PM

Problem

 

So I'm very familiar with the Windows Vista black screen + white cursor issue and have documented many ways of resolving it on my end, but this one I cannot. This post revolves around a Windows Vista w/SP2 x86 system with all the latest updates and patches after a number of trojans were removed like zero access, Zbot, etc., and lots of toolbars and savings junk removed properly through Programs and Features.

 

 

Backstory

 

Booted system up and it spawned numerous COM Surrogates in task manager using up all the memory. This lead me to run a number of malware removal applications / scans which found a few sneaky trojans which other applications would not find and after removing them, the system worked great.

 

In fact, the system does work great, I can run Windows updates, the system performs as well as it should... except for one problem.

 

If I run sfc /scannow it will state that rpcss.dll hash is off and will replace it with a proper version. Once rpcss.dll is fixed, I get the Vista black screen w/white cursor.

 

 

Utilities Utilized

 

Avira Antivir   (antivirus)

Bitdefender   (antivirus)

Sophos   (antivirus)

Kaspersky    (antivirus)

Combofix

Roguekiller

ADWCleaner

Hijackthis     (everything normal now)

Junkware Removal Tool (JRT)    (shows "ERROR: Access is denied" after 'Checking Registry' but does complete)

Rkill

McAfee's rootkitremover

Norton Power Eraser

 

I also checked the MBR and it's clean.

 

So at this point we're at a fully operational post-cleaning situation where everything seems to be working great with one exception - replacing rpcss.dll with a proper file will break the system.

 

 

Additional Steps

 

- Checked to make sure that RpcSs is running as NT AUTHORITY\NetworkService

- SFC /scannow (which causes the issue)

- chkdsk /f

- winlogon registry keys are as they should be

- last known good configuration won't resolve this

 

 

Rkill log

 

Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/03/2014 02:52:59 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * DFSR [Missing Service]

Searching for Missing Digital Signatures:

 * C:\Windows\System32\rpcss.dll : 551,936 : 04/11/2009 01:28 AM : 18ed8bf2719e33c7c9ca19ab0f833702 [NoSig]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16830_none_67c4315e40d1bb6c\rpcss.dll : 549,888 : 03/02/2009 11:19 PM : 7b981222a257d076885bffb66f19b7ce [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.21023_none_685b771559e4be8c\rpcss.dll : 550,400 : 03/02/2009 11:17 PM : b1bb45e24717a7f790b4411c4446ef5e [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\rpcss.dll : 547,328 : 01/20/2008 09:24 PM : 33fb1f0193ee2051067441492d56113c [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18226_none_69bb41ac3deac876\rpcss.dll : 551,424 : 03/02/2009 11:39 PM : 301ae00e12408650baddc04dbc832830 [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.22389_none_6a06ffcd57365beb\rpcss.dll : 551,424 : 03/02/2009 11:32 PM : 4dfcbdef3ccaa98f99038ded78945253 [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll : 550,400 : 04/11/2009 01:28 AM : 3b5b4d53fec14f7476ca29a20cc31ac9 [Pos Repl]

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 03/03/2014 02:54:35 PM
Execution time: 0 hours(s), 1 minute(s), and 36 seconds(s)

 

 



BC AdBot (Login to Remove)

 


#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,041 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:12 AM

Posted 03 March 2014 - 03:29 PM

Hi,

 

You got hit with the latest version of Zekos. One of your system files (rpcss.dll) has been patched.
You'll need more advanced tools to replace that file.
 
Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 urbanriot

urbanriot
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 03 March 2014 - 04:08 PM

As requested, dds logs are listed here:

http://www.bleepingcomputer.com/forums/t/526374/zekos-fixing-rpcssdll-leads-to-vista-black-screen-white-mouse-cursor/

 

Thank you! Also exploring Zekos information in the event that's related.



#4 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 34,743 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:03:12 AM

Posted 04 March 2014 - 12:10 PM

Hello,

Now that you have posted a log linked in your reply above, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)


Follow BleepingComputer on: Facebook | Twitter | Google+




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users