Win32 Patched in RPCSS.dll file


11 replies to this topic

#1 benjeen


Posted 15 March 2014 - 11:02 AM

Hi,

 

I am running Windows XP SP3.  A few days ago, the computer was infected with the Win32/Patched virus. The virus was detected by AVG Antivirus Free Version. AVG is not able to remove the threat. Several threats will pop up on the "AVG Detection" screen. They will all be Win32 Patched affecting rpcss.dll.

 

I have run Malwarebytes and it located some malware which I removed. I restarted the computer. I ran Hitmanpro. Nothing malicious was found by Hitmanpro 32bit. I then ran RogueKiller. It found some registry entries but I did not remove any of them as I had no idea what they were. The virus will still be detected by AVG even now. The detection screen listing this threat will pop up immediately at startup.

 

Would a system restore solve this problem?

 

Thanks for your help.




#2 noknojon


Posted 15 March 2014 - 04:13 PM

Hello benjeen and Welcome -

 

Please run these few scans for me

Download them to desktop and Copy and Paste all responses.

 

 

First -

Download Screen317 Security Check and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

 

 

Next -

Please download MiniToolBox to desktop to run it.
Checkmark following boxes:
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (do NOT change any settings here)
* List Users, Partitions and Memory size
Click Go and Copy / Paste the result. (result.txt)

 

Please post those 2 back first, as this will take much longer.

 

Now -

Run ESET Online Scanner. Please use Internet Explorer, as the scanner uses ActiveX.
If you will not use Internet Explorer, please see 3-1 & 3-2.
1. Hold down the Control (Ctrl) key, and click on This link to open ESET OnlineScan in a new window.
2. Click the eset online button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
3-1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
3-2. Double click on esetsmartinstaller_enu on your desktop.
4. Check "YES, I accept the Terms of Use."
5. Click the Start button.
6. Accept any security warnings from your browser. Temporarily disable your anti-virus if requested.
7. Under scan settings, check "Scan Archives". Do not check "Remove found threats", as we do not know what this is.
8. Click Advanced settings and select the following:

* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology

9. ESET will then download updates for itself, install itself, and begin scanning your computer.

Please be patient as this will take some time. 2 hours or more are not unusual for a first scan.
10. When the scan completes, click List Threats.
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan.
- Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button.
* NOTE: Sometimes if ESET finds no infections it will not create a log, so just tell me.



#3 benjeen


Posted 17 March 2014 - 01:55 PM

Thank you for your help! Just ran SecurityCheck and MiniToolBox. Running ESET now

 

Results of screen317's Security Check version 0.99.80  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 AVG 2014     
`````````Anti-malware/Other Utilities Check:`````````
 Ad-Aware
 Out of date HijackThis  installed!
 SpyHunter     
 Spybot - Search & Destroy
 SUPERAntiSpyware Free Edition   
 Malwarebytes Anti-Malware version 1.75.0.1300  
 HijackThis 2.0.2    
 CCleaner     
 Java™ 6 Update 16  
 Java™ 6 Update 4  
 Java™ 6 Update 5  
 Java™ 6 Update 7  
 Java version out of Date!
 Adobe Flash Player     12.0.0.77  
 Adobe Reader XI  
 Mozilla Firefox (27.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Ad-Aware AAWService.exe
 Ad-Aware AAWTray.exe is disabled!
 AVG avgwdsvc.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

MiniToolBox by Farbar  Version: 23-01-2014
Ran by Tilly (administrator) on 17-03-2014 at 13:52:21
Running from "C:\Documents and Settings\Tilly\desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/16/2014 02:49:52 AM) (Source: EventSystem) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

Error: (03/13/2014 00:01:40 PM) (Source: EventSystem) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

Error: (03/13/2014 11:46:26 AM) (Source: EventSystem) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

Error: (03/09/2014 08:26:56 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 27.0.1.5156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (03/09/2014 08:25:25 PM) (Source: Application Error) (User: )
Description: Faulting application plugin-container.exe, version 27.0.1.5156, faulting module mozalloc.dll, version 27.0.1.5156, fault address 0x0000119c.
Processing media-specific event for [plugin-container.exe!ws!]

Error: (03/09/2014 08:25:24 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 27.0.1.5156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (03/09/2014 01:19:00 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 27.0.1.5156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (03/07/2014 09:11:30 PM) (Source: Application Error) (User: )
Description: Faulting application mplayerc.exe, version 6.4.9.1, faulting module qdvd.dll, version 6.5.2600.6169, fault address 0x00011723.
Processing media-specific event for [mplayerc.exe!ws!]

Error: (03/06/2014 00:53:47 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 27.0.1.5156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (03/06/2014 00:50:17 PM) (Source: Application Error) (User: )
Description: Faulting application plugin-container.exe, version 27.0.1.5156, faulting module mozalloc.dll, version 27.0.1.5156, fault address 0x0000119c.
Processing media-specific event for [plugin-container.exe!ws!]


System errors:
=============
Error: (03/17/2014 01:46:13 PM) (Source: 0) (User: )
Description: TILLY          :2010.0.0.210.0.0.16

Error: (03/17/2014 01:46:13 PM) (Source: Server) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{42B329BA-4844-4C48-833C-C72004CDBD14} because another computer on the network has the same name.  The server could not start.

Error: (03/17/2014 01:46:13 PM) (Source: 0) (User: )
Description: TILLY          :010.0.0.210.0.0.16

Error: (03/16/2014 02:51:28 AM) (Source: 0) (User: )
Description: TILLY          :2010.0.0.210.0.0.16

Error: (03/16/2014 02:51:28 AM) (Source: Server) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{42B329BA-4844-4C48-833C-C72004CDBD14} because another computer on the network has the same name.  The server could not start.

Error: (03/16/2014 02:48:52 AM) (Source: Service Control Manager) (User: )
Description: The Remote Procedure Call (RPC) service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Error: (03/16/2014 02:48:49 AM) (Source: Service Control Manager) (User: )
Description: The Terminal Services service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/16/2014 02:48:49 AM) (Source: Service Control Manager) (User: )
Description: The DCOM Server Process Launcher service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Error: (03/16/2014 02:40:11 AM) (Source: 0) (User: )
Description: TILLY          :2010.0.0.210.0.0.16

Error: (03/16/2014 02:40:11 AM) (Source: Server) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{42B329BA-4844-4C48-833C-C72004CDBD14} because another computer on the network has the same name.  The server could not start.


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Ad-Aware (Version: 7.1.0.7)
Adobe Flash Player 12 Plugin (Version: 12.0.0.77)
Adobe Flash Player ActiveX (Version: 9.0.115.0)
Adobe Reader XI (11.0.06) (Version: 11.0.06)
AIM Search
AIM Toolbar
AMD Catalyst Install Manager (Version: 8.0.877.0)
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
ArcSoft Print Creations (Version: 2.8.255.384)
AVG 2014 (Version: 14.0.3722)
AVG 2014 (Version: 14.0.4336)
AVG 2014 (Version: 2014.0.4336)
BitComet 1.03 (Version: 1.03)
Bonjour (Version: 2.0.4.0)
Browser Address Error Redirector (Version: 1.00.0000)
Canon IJ Network Scanner Selector EX
Canon IJ Network Tool
Canon MG5300 series MP Drivers
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center (Version: 2012.1116.1445.26409)
Catalyst Control Center Graphics Previews Common (Version: 2012.1116.1445.26409)
Catalyst Control Center InstallProxy (Version: 2012.1116.1445.26409)
Catalyst Control Center Localization All (Version: 2012.1116.1445.26409)
CCC Help Chinese Standard (Version: 2012.1116.1444.26409)
CCC Help Chinese Traditional (Version: 2012.1116.1444.26409)
CCC Help Czech (Version: 2012.1116.1444.26409)
CCC Help Danish (Version: 2012.1116.1444.26409)
CCC Help Dutch (Version: 2012.1116.1444.26409)
CCC Help English (Version: 2012.1116.1444.26409)
CCC Help Finnish (Version: 2012.1116.1444.26409)
CCC Help French (Version: 2012.1116.1444.26409)
CCC Help German (Version: 2012.1116.1444.26409)
CCC Help Greek (Version: 2012.1116.1444.26409)
CCC Help Hungarian (Version: 2012.1116.1444.26409)
CCC Help Italian (Version: 2012.1116.1444.26409)
CCC Help Japanese (Version: 2012.1116.1444.26409)
CCC Help Korean (Version: 2012.1116.1444.26409)
CCC Help Norwegian (Version: 2012.1116.1444.26409)
CCC Help Polish (Version: 2012.1116.1444.26409)
CCC Help Portuguese (Version: 2012.1116.1444.26409)
CCC Help Russian (Version: 2012.1116.1444.26409)
CCC Help Spanish (Version: 2012.1116.1444.26409)
CCC Help Swedish (Version: 2012.1116.1444.26409)
CCC Help Thai (Version: 2012.1116.1444.26409)
CCC Help Turkish (Version: 2012.1116.1444.26409)
ccc-utility (Version: 2012.1116.1445.26409)
CCleaner (Version: 3.06)
CCScore (Version: 7.00.0000.0001)
Counter-Strike: Source
Day of Defeat: Source
Defraggler (Version: 2.00)
Dell Driver Reset Tool (Version: 1.02.0000)
Dell Network Assistant (Version: 3.0.0.0)
Dell Support Center (Support Software) (Version: 2.2.09085)
Download Updater (AOL LLC)
DVD Flick 1.3.0.6 (Version: 1.3.0.6)
ESSBrwr (Version: 8.00.0000.0001)
ESSCDBK (Version: 8.00.0000.0001)
ESScore (Version: 8.00.0000.0001)
ESSgui (Version: 8.00.0000.0001)
ESSini (Version: 8.00.0000.0001)
ESSPCD (Version: 7.01.0000.0001)
ESSPDock (Version: 6.03.0001.0004)
ESSTOOLS (Version: 5.00.0000.0004)
essvatgt (Version: 8.00.0000.0001)
ffdshow [rev 1723] [2007-12-24] (Version: 1.0)
Fitbit Base Station (Driver Removal)
Fitbit v2.1.0 (Version: 2.1.0)
Foxit Reader (Version: 6.0.3.524)
Gigabyte Wireless LAN Card (Version: 1.00.0000)
Glary Utilities Pro 2.41.0.1358 (Version: 2.41.0.1358)
Google Chrome (Version: 33.0.1750.154)
Google Desktop (Version: -)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4805.320)
Google Update Helper (Version: 1.3.22.5)
High Definition Audio Driver Package - KB835221 (Version: 20040219.000000)
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
HijackThis 2.0.2 (Version: 2.0.2)
ImgBurn (Version: 2.4.2.0)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections 12.1.8.0 (Version: )
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
Java™ 6 Update 16 (Version: 6.0.160)
Java™ 6 Update 4 (Version: 1.6.0.40)
Java™ 6 Update 5 (Version: 1.6.0.50)
Java™ 6 Update 7 (Version: 1.6.0.70)
Kodak EasyShare software
LINE (Version: 3.3.2.102)
Logitech ImageStudio (Version: 7.30.0000)
Logitech Vid (Version: 1.10.1009)
Logitech Webcam Software (Version: 12.10.1113)
Logitech Webcam Software Driver Package (Version: 12.10.1110)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Enterprise 2007 (Version: 12.0.4518.1014)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6215.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (Version: 12.0.4518.1014)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft Software Update for Web Folders  (English) 12 (Version: 12.0.4518.1014)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 (KENHLI) (Version: 9.2.3042.00)
Microsoft SQL Server 2005 Backward compatibility (Version: 8.05.2312)
Microsoft SQL Server 2005 Tools (Version: 9.2.3042.00)
Microsoft SQL Server Management Studio Express (Version: 9.00.3042.00)
Microsoft SQL Server Native Client (Version: 9.00.3042.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.3042.00)
Microsoft SQL Server VSS Writer (Version: 9.00.3042.00)
Microsoft VC9 runtime libraries (Version: 1.0.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mozilla Firefox 27.0.1 (x86 en-US) (Version: 27.0.1)
Mozilla Maintenance Service (Version: 27.0.1)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
netbrdg (Version: 7.01.0000.0001)
OfotoXMI (Version: 7.02.0000.0001)
OpenOffice.org 3.1 (Version: 3.1.9420)
PDFill PDF Editor with FREE Writer and FREE Tools (Version: 9.0)
PenPower Jr. 4.0
Plex Media Server (Version: 0.9.818)
PowerDVD (Version: 7.0)
PrimoPDF -- brought to you by Nitro PDF Software (Version: 5)
QlikView OCX (Version: 8.0.4783.11)
QuickTime Alternative 2.9.0 (Version: 2.9.0)
Real Alternative 1.9.0 (Version: 1.9.0)
Realtek High Definition Audio Driver (Version: 5.10.0.5408)
REALTEK RTL8187B Wireless LAN Driver and Utility (Version: Package:1.00.0065 Driver:5.1135.625.2008 UI:600.1552.716.2008)
Roxio Activation Module (Version: 1.0)
Roxio Creator Audio (Version: 3.5.0)
Roxio Creator BDAV Plugin (Version: 3.5.0)
Roxio Creator Copy (Version: 3.5.0)
Roxio Creator Data (Version: 3.5.0)
Roxio Creator DE (Version: 3.5.0)
Roxio Creator Tools (Version: 3.5.0)
Roxio Drag-to-Disc (Version: 9.1)
Roxio Update Manager (Version: 6.0.0)
Sage MIP Fund Accounting Server 10.2.0.0 (Version: 10.2.0.0)
Sage MIP Fund Accounting Workstation 10.2.0.0 (Version: 10.2.0.0)
Samsung ML-1710 Series
Samsung Printer Status Monitor
SearchAssist
SFR (Version: 7.01.0000.0003)
SHASTA (Version: 7.01.0000.0001)
skin0001 (Version: 8.00.0000.0001)
SKINXSDK (Version: 7.01.0000.0001)
Skype Click to Call (Version: 5.6.8442)
Skype™ 6.14 (Version: 6.14.104)
Sonic CinePlayer Decoder Pack (Version: 4.2.0)
Spybot - Search & Destroy (Version: 1.6.2)
SpyHunter (Version: 3.10)
staticcr (Version: 8.00.0000.0001)
Steam™ (Version: 1.0.0.0)
SUPER © Version 2009.bld.35 (Jan 5, 2009) (Version: Version 2009.bld.35 (Jan 5, 2009))
SUPERAntiSpyware Free Edition (Version: 4.23.0.1006)
Tax Forms and E-Filing by Aatrix (Version: 6.9.18)
TVersity Codec Pack 1.2 (Version: 1.2)
Ultra RM Converter 4.2.0322
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB2904266) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Viewpoint Media Player
Visual Studio 2012 x86 Redistributables (Version: 14.0.0.1)
VLC media player 2.0.7 (Version: 2.0.7)
VNC Enterprise Edition E4.3.2 (Version: E4.3.2)
VNC Mirror Driver 1.7.1 (Version: 1.7.1)
VPRINTOL (Version: 7.01.0000.0001)
Vuze (Version: 5.3.0.0)
Vuze Remote Toolbar v7.0 (Version: 7.0)
WebFldrs XP (Version: 9.50.7523)
Winamp (Version: 5.531 )
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Imaging Component (Version: 3.0.0.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format Runtime
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver
WIRELESS (Version: 7.02.0000.0001)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 50%
Total physical RAM: 3070.1 MB
Available physical RAM: 1511.07 MB
Total Pagefile: 4432.52 MB
Available Pagefile: 2853.56 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.95 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:119.2 GB) (Free:10.31 GB) NTFS

========================= Users: ========================================

User accounts for \\TILLY

Administrator            Guest                    HelpAssistant            
SUPPORT_388945a0         Tilly


**** End of log ****
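The MiniToolBox "System errors" section above records the Remote Procedure Call (RPC) and DCOM Server Process Launcher services both terminating within seconds of each other on 16 March; on Windows XP both services are implemented by rpcss.dll, so a crash pair like that is worth flagging when that file is under suspicion. The script below is an added example, not from this thread or from MiniToolBox's author: it parses log text in MiniToolBox's event-log format and flags such clusters. The sample log is constructed from entries on this page; the 60-second window and the service-name set are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in MiniToolBox's "System errors" format, modelled on the
# entries pasted in this thread (Server, RPC, Terminal Services, DCOM).
SAMPLE_LOG = r"""System errors:
=============
Error: (03/17/2014 01:46:13 PM) (Source: Server) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{42B329BA-4844-4C48-833C-C72004CDBD14} because another computer on the network has the same name.  The server could not start.

Error: (03/16/2014 02:48:52 AM) (Source: Service Control Manager) (User: )
Description: The Remote Procedure Call (RPC) service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Error: (03/16/2014 02:48:49 AM) (Source: Service Control Manager) (User: )
Description: The Terminal Services service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/16/2014 02:48:49 AM) (Source: Service Control Manager) (User: )
Description: The DCOM Server Process Launcher service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
"""

# Services implemented by rpcss.dll on Windows XP (both run in one svchost).
# Assumed set for this example; extend it if other hosted services matter.
RPCSS_HOSTED = {"Remote Procedure Call (RPC)", "DCOM Server Process Launcher"}

ENTRY_RE = re.compile(
    r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\) \(User: (?P<user>[^)]*)\)\s*\n"
    r"Description: (?P<desc>.*?)(?=\n\s*\n|\Z)",
    re.MULTILINE | re.DOTALL,
)
TS_RE = re.compile(r"(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}) (AM|PM)")
CRASH_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")


def parse_timestamp(ts: str) -> datetime:
    """MiniToolBox prints 12-hour times but shows noon/midnight as hour 00
    (e.g. "00:01:40 PM"), which strptime's %I rejects, so parse by hand."""
    m = TS_RE.fullmatch(ts.strip())
    if m is None:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    month, day, year, hour, minute, second = (int(x) for x in m.groups()[:6])
    hour = hour % 12 + (12 if m.group(7) == "PM" else 0)
    return datetime(year, month, day, hour, minute, second)


def parse_entries(text: str) -> list:
    """Return one dict per 'Error:' record, in the order the log prints them."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "ts": parse_timestamp(m.group("ts")),
            "source": m.group("source"),
            "user": m.group("user").strip(),
            "desc": " ".join(m.group("desc").split()),  # collapse wrapped lines
        })
    return entries


def service_crashes(entries) -> list:
    """(timestamp, service name) for every SCM 'terminated unexpectedly' record."""
    crashes = []
    for e in entries:
        if e["source"] != "Service Control Manager":
            continue
        m = CRASH_RE.match(e["desc"])
        if m:
            crashes.append((e["ts"], m.group("svc")))
    return sorted(crashes)


def rpcss_crash_clusters(entries, window=timedelta(seconds=60)) -> list:
    """Group crashes of rpcss.dll-hosted services that fall within `window` of
    each other; a group that contains both services is reported as a cluster."""
    crashes = [c for c in service_crashes(entries) if c[1] in RPCSS_HOSTED]
    clusters, i = [], 0
    while i < len(crashes):
        start = crashes[i][0]
        group = [c for c in crashes[i:] if c[0] - start <= window]
        services = {svc for _, svc in group}
        if services == RPCSS_HOSTED:
            clusters.append({"start": start, "end": group[-1][0], "services": services})
        i += len(group)
    return clusters


def triage(text: str) -> dict:
    """Summarise a MiniToolBox error section: counts per source, SCM crashes,
    and clusters of rpcss.dll-hosted service crashes."""
    entries = parse_entries(text)
    return {
        "errors": len(entries),
        "by_source": dict(Counter(e["source"] for e in entries)),
        "service_crashes": service_crashes(entries),
        "rpcss_crash_clusters": rpcss_crash_clusters(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['errors']} error records: {report['by_source']}")
    for ts, svc in report["service_crashes"]:
        print(f"  {ts:%Y-%m-%d %H:%M:%S}  crash: {svc}")
    for c in report["rpcss_crash_clusters"]:
        print(f"FLAG: rpcss.dll-hosted services crashed together at {c['start']:%Y-%m-%d %H:%M:%S}")
```

A flagged cluster is a prompt to verify the file (signature or hash against a clean copy), not proof of infection on its own; a faulty driver or a power cut can produce the same crash pair.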
 



#4 noknojon


Posted 17 March 2014 - 03:40 PM

Ad-Aware
 Out of date HijackThis  installed!
 SpyHunter    
 Spybot - Search & Destroy
Glary Utilities Pro 2.41.0.1358 (Version: 2.41.0.1358)
UNINSTALL all of the above programs (at a minimum); they are not needed.
Java™ 6 Update 16 
 Java™ 6 Update 4 
 Java™ 6 Update 5 
 Java™ 6 Update 7 
Java versions are all out of date!
Go to Control Panel > Add / Remove and remove all versions of Java.
If you need Java, go to Version 7 Update 51 here to install the latest version.
Untick any offers for Chrome or other downloads, as they are just advertising extras.

Total Fragmentation on Drive C:: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
Go - Start > Programs > Accessories > System Tools > Defragment > Click the Defragment tab at the top, and just let it run. It may take quite a while to finish, but it is Needed.

 

 

When you finish these please Update and run a Full Scan with Malwarebytes Anti-Malware



#5 benjeen


Posted 17 March 2014 - 04:40 PM

C:\Documents and Settings\Tilly\desktop\computer set up\cbsidlm-tr1_13-Media_Player_Classic_Home_Cinema-SEO-199375.exe    Win32/DownloadAdmin.G potentially unwanted application
C:\Documents and Settings\Tilly\desktop\computer set up\FoxitReader603.0524_enu_Setup.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
C:\Program Files\Azureus\bunndle.zip    a variant of Win32/Bunndle potentially unsafe application
C:\Program Files\Azureus\.install4j\user\BunndleOfferManager.dll    a variant of Win32/Bunndle potentially unsafe application
C:\Program Files\Azureus\.install4j\user\VuzeToolbar-stub-1.exe    a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.10    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.11    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.12    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.13    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.14    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.15    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.16    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.17    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.18    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.19    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.20    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.21    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.5    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.6    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.7    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.8    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\FF\components\vuzeFF.dll.9    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files\Vuze Remote Toolbar\IE\7.0\vuzeToolbarIE.dll    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\WINDOWS\Installer\c13110.msi    probably a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\WINDOWS\system32\rpcss.dll    Win32/Patched.IB trojan
Operating memory    multiple threats
 



#6 noknojon


Posted 17 March 2014 - 05:19 PM

Hi -

Mostly Toolbars and unwanted extras from Firefox browser.

After that list, please download avast! Browser Cleanup to Desktop.
This quick tool serves to delete pesky and unwanted toolbars and plug-ins from your browser(s). Simply download and run the Browser Cleanup utility. Once you run the utility, you will see a list of bad and good toolbars and plug-ins and be able to disable or remove them.

If you are not sure of any, please post them back here.

 

More info here if interested: http://www.avast.com/faq.php?article=AVKB115

 

 

I would run Disk Check now (no CD required)

Run a Disk Check on your C: drive in Windows XP:
• Click Start and open My Computer
• Right-click on C: (or your main hard drive letter) and select Properties
• Click on the Tools tab
• Under Error-checking click the Check Now... button
• Mark the 2 boxes next to Automatically fix file system errors and Scan for and attempt recovery of bad sectors
• Click on the Start button
• When the message box pops up, click the Schedule disk check button and Restart your computer
• Once your computer restarts it will check the drive, don't press any keys so that it is allowed to do so
This will take (on average) 1 to 2 hours depending on your system, so please let it finish.
DO NOT force a reboot once started, as you will lose data and may damage the computer.
NOTE - If this is a Laptop please plug it into a reliable power source, as batteries may fail.
The computer will reboot to normal mode once it has completed all 5 stages -

 

 

How is the computer now?

What are your problems?



#7 benjeen


Posted 17 March 2014 - 09:28 PM

Hi,

 

I ran the avast browser cleanup utility and it cannot remove the Vuze toolbar and AVG safe search toolbar after running the cleanup utility for at least 45 minutes. I'll run it overnight and see if it can remove it.

 

I am running disk cleanup right now.

 

When the OS starts up, I still receive a message from AVG stating that there is still the Win32 Patched virus affecting RPCSS.dll file. The "AVG Detection" will list multiple threats of this virus affecting this dll file.

 

Thanks,



#8 noknojon


Posted 17 March 2014 - 10:02 PM

OK -

We have not run any Rootkit tools yet, and RPCSS.dll is often found with these scans.

 

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit
2. Unzip the contents to a folder in a convenient location. (usually desktop)
3. Open the folder where the contents were unzipped and run mbar.exe
4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6. Wait while the system shuts down and the cleanup process is performed.
7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10. Verify that your system is now functioning normally.

 

Include the reports and update me with your next post.



#9 benjeen


Posted 18 March 2014 - 12:33 AM

Thanks! It detected 1 malware (the virus in the RPCSS.dll). It cleaned the virus and I rebooted. AVG did not show the threat any longer.

 

I am running another scan with Malwarebytes Anti Rootkit to verify that no threats remain.



#10 noknojon


Posted 18 March 2014 - 02:44 AM

That is great -

 

Please post the first (or any) logs from the scan.



#11 benjeen


Posted 18 March 2014 - 10:27 PM

Thanks for your help! Computer has been running without problem. Here are the results from the first scan:

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.03.18.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
 :: TILLY [administrator]

3/17/2014 11:57:05 PM
mbar-log-2014-03-17 (23-57-05).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 267766
Time elapsed: 19 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\system32\rpcss.dll (Trojan.Zekos.PatchedXP3) -> Replace on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 



#12 noknojon


Posted 19 March 2014 - 01:32 AM

Just some general information on the infection.

 

Trojan Zekos is created to aggressively attack your computer. If you click on unknown links, for example, links released by evil hackers, open spam email attachments, download free media sources or visit malicious websites, your computer may get infected with this Trojan. You should be very cautious when surfing on the Internet.

 

This is often downloaded from Torrent sites, or not taking care with opening emails.

Hacked games and insecure files will infect your system very quickly.

 

 

Please try to Defrag your system (unless you run a SSD).





