
Zekos? Fixing rpcss.dll leads to Vista Black Screen, white mouse cursor

  • This topic is locked
2 replies to this topic

#1 urbanriot


  • Members
  • 3 posts
  • Local time:09:17 PM

Posted 03 March 2014 - 04:07 PM

Lots more detail is here and it was suggested Zekos was the culprit:



The system checks out clean by a long list of malware removal tools (see above) but replacing rpcss.dll with a clean version results in a Windows Vista SP2 black screen w/white mouse cursor.


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16533
Run by Mary at 15:52:27 on 2014-03-03
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.2.1033.18.3071.2069 [GMT -5:00]
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
============== Running Processes ================
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
============== Pseudo HJT Report ===============
uSearchAssistant = about:blank
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
TCP: NameServer =
TCP: Interfaces\{7F5A5DF5-5963-46BB-B876-B241DAF07C2D} : DHCPNameServer =
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
============= SERVICES / DRIVERS ===============
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R1 MpKsle35efe14;MpKsle35efe14;c:\programdata\microsoft\microsoft antimalware\definition updates\{93062951-0b69-4217-99ff-ab9ecdbb67c5}\MpKsle35efe14.sys [2014-3-3 39464]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-7-8 176128]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 104768]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-10-23 280288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2012-7-22 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
=============== Created Last 30 ================
2014-03-03 20:50:28 39464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{93062951-0b69-4217-99ff-ab9ecdbb67c5}\MpKsle35efe14.sys
2014-03-03 20:23:06 -------- d-----w- c:\users\mary\appdata\local\NPE
2014-03-03 20:23:06 -------- d-----w- c:\programdata\Norton
2014-03-03 19:54:43 7947048 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{93062951-0b69-4217-99ff-ab9ecdbb67c5}\mpengine.dll
2014-03-03 19:42:44 -------- d-----w- c:\windows\ERUNT
2014-02-28 21:56:45 765968 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f87ebec4-d060-4dc4-b1b9-e15abdf73928}\gapaengine.dll
2014-02-28 21:53:38 7947048 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-02-28 21:49:45 71168 ----a-w- c:\windows\system32\telnet.exe
2014-02-26 18:21:56 -------- d-----w- C:\bd_logs
2014-02-26 16:28:45 -------- d-----w- C:\TDSSKiller_Quarantine
2014-02-26 15:52:15 -------- d-----w- C:\MGTools
2014-02-23 14:25:30 -------- d-----w- c:\programdata\F-Secure(2)
2014-02-20 22:01:46 -------- d-sh--w- C:\$RECYCLE.BIN
2014-02-14 23:56:58 -------- d-----w- c:\program files\Motorola
2014-02-13 03:02:05 1248768 ----a-w- c:\windows\system32\msxml3.dll
==================== Find3M  ====================
2014-02-20 19:13:48 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-20 19:13:48 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-05 08:56:17 1806848 ----a-w- c:\windows\system32\jscript9.dll
2014-02-05 08:50:39 1129472 ----a-w- c:\windows\system32\wininet.dll
2014-02-05 08:49:56 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2014-02-05 08:48:40 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2014-02-05 08:48:27 421376 ----a-w- c:\windows\system32\vbscript.dll
2014-02-05 08:47:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-01-19 07:32:23 231584 ------w- c:\windows\system32\MpSigStub.exe
============= FINISH: 15:53:12.76 ===============

Attached Files

BC AdBot (Login to Remove)
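The DDS log above lists every service and driver as one line in the form `<state> <name>;<description>;<image path> [<date> <size>]`. As an added example (not code from the post or from the DDS tool), the parser below reads that section into records and applies a simple triage heuristic: flag any binary outside the usual Windows directories, or a file named svchost.exe that does not live in System32. The sample input copies three lines from the log and adds one hypothetical entry (ExampleSvc) that the heuristic should flag.

```python
import re

# Sample input constructed for this example: three entries copied from the
# DDS "SERVICES / DRIVERS" section above plus one hypothetical entry
# (ExampleSvc) that a triage pass should flag.
DDS_SERVICES = r"""
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
R2 ExampleSvc;Example Service;c:\users\mary\appdata\local\temp\svchost.exe [2014-3-1 40960]
"""

# One DDS service/driver line: <state> <name>;<description>;<image path> [<date> <size>]
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$"
)

# Directories where DDS normally lists service binaries on this Vista box
# (an assumption for the heuristic, not a rule from the post).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\programdata\\microsoft\\")


def parse_services(text):
    """Return one dict per well-formed DDS service/driver line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            # Drop svchost-style "-k group" arguments to keep the file path alone.
            rec["path"] = rec["image"].split(" -k ")[0].lower()
            entries.append(rec)
    return entries


def triage(entries):
    """Flag services whose binary sits outside the usual directories or whose
    file name copies a Windows system binary from the wrong location."""
    flagged = []
    for rec in entries:
        path = rec["path"]
        outside = not path.startswith(TRUSTED_DIRS)
        fake_svchost = path.endswith("\\svchost.exe") and not path.startswith("c:\\windows\\system32\\")
        if outside or fake_svchost:
            flagged.append(rec["name"])
    return flagged


if __name__ == "__main__":
    for name in triage(parse_services(DDS_SERVICES)):
        print("review:", name)
```

A flag is a prompt to check the file's signature and hash, not a verdict; the entries copied from the log all pass.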



#2 aharonov


  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:03:17 AM

Posted 04 March 2014 - 03:58 AM

Hi there,
this might be a permission issue. Please try this:
Please download Farbar Recovery Scan Tool and save it to a flash drive.
Download the attached fixlist.txt and save it on the same flash drive as FRST.

  • Plug the flash drive into the infected PC and enter System Recovery Options as follows.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you can not enter System Recovery Options by using the F8 method, you can use a Windows installation disc or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt


Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press Fix button.
  • It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

#3 aharonov


  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:03:17 AM

Posted 18 March 2014 - 05:37 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
