
rpcss.dll infected with trojan.zekos.patched & a black screen


  • This topic is locked
24 replies to this topic

#1 Kosis

  • Members
  • 15 posts
  • Gender:Male

Posted 31 July 2014 - 07:14 PM

Hello, this is my first time using this forum!

I ran a scan with Malwarebytes about 3 or so months ago and a threat named trojan.zekos.patched was detected on rpcss.dll, which Malwarebytes seems to have trouble completely getting rid of. From looking online I can see that this virus is rather known here. I don't receive ads or other sounds of the sorts and I have experienced a DCOM service crash and I believe two Plug-in-Play crashes. I wasn't able to get rid of it earlier because I've been rather busy during the summer.

Just before I set out to camp for a few days (which I just got back from as I post), I did another scan with Malwarebytes and it looks like the antivirus program constantly tries to delete the infected file but fails. I shut down my computer the day after only to be greeted with a black screen and a movable cursor. I usually don't get viruses so I'm completely stuck here.

I look forward to any helpful replies! :)


#2 Kosis

  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 31 July 2014 - 07:16 PM

Also forgot to include: I use Windows 7 64-bit with Microsoft Security Essentials and Malwarebytes. I don't think there's an edit button as I'm currently posting on phone.

#3 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 01 August 2014 - 03:33 AM

Hello and welcome!

I shut down my computer the day after only to be greeted with a black screen and a movable cursor.

So you are not able to boot into Windows now? In this case please run a FRST scan from the recovery environment as follows:


On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html




To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========


Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


#4 Kosis

  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 01 August 2014 - 04:23 AM

Thanks for replying! When I tap F8 during start up, it asks for a boot device and displays four different devices, my flash drive being one of them. There is also an option for "Enter Setup".

#5 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 01 August 2014 - 04:27 AM

Try to tap F8 not at the very beginning of the start up but a little bit later.

#6 Kosis

  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 01 August 2014 - 04:38 AM

Still shows a boot device selection. I'm probably doing something very wrong here haha but it's 2:30 and I'm willing to remove this thing.
I start to tap on F8 when I see an Asus logo appear before telling me that Windows did not successfully shut down. I've also tried pressing F8 during the later seconds of the screen.

#7 Kosis

  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 01 August 2014 - 04:45 AM

Oh, got it! Alright, I'll continue with procedure.

#8 Kosis

  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 01 August 2014 - 05:05 AM

Unfortunately I'll have to wait about 6 hours in order to post the log as everyone is asleep and that means I can't use the other computers at the moment. From my quick understanding according to what I see in the log (in the Bamital & volsnap check), rpcss.dll is missing along with an "attention!" pointing towards it.

#9 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 01 August 2014 - 05:39 AM

That's ok, just post the logs when you can. Then we should be able to fix it quickly.

#10 Kosis

  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 01 August 2014 - 12:00 PM

Okay, got the log. :)

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 31-07-2014 02
Ran by SYSTEM on MININT-FVHEV5E on 01-08-2014 02:50:01
Running from g:\
Platform: Windows 7 Professional (X64) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202520 2013-08-19] (Realtek Semiconductor)
HKLM\...\Run: [Nvtmru] => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1028384 2013-11-08] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2279712 2013-12-09] (NVIDIA Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => "D:\iTunes\iTunesHelper.exe"
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-20] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2014-05-12] (Malwarebytes Corporation)
HKU\Marcus\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21446272 2014-05-08] (Skype Technologies S.A.)
HKU\Marcus\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_152_Plugin.exe [830344 2013-11-22] (Adobe Systems Incorporated)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
S2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1494304 2013-12-09] (NVIDIA Corporation)
S2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [15129376 2013-12-09] (NVIDIA Corporation)
S2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-04-23] ()
S2 WTabletServiceCon; C:\Program Files\Tablet\Pen\WTabletServiceCon.exe [627992 2014-01-13] (Wacom Technology, Corp.)
S2 DcomLaunch; %SystemRoot%\system32\rpcss.dll [X]
S2 RpcSs; %SystemRoot%\system32\rpcss.dll [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S0 asahci64; C:\Windows\System32\DRIVERS\asahci64.sys [47512 2013-01-10] (Asmedia Technology)
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-08-22] ()
S3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [495376 2013-11-22] (Intel Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-07-27] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
S3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-09-03] (Intel Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-12-05] (NVIDIA Corporation)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-01 02:49 - 2014-08-01 02:50 - 00000000 ____D () C:\FRST
2014-07-27 20:45 - 2014-07-27 20:45 - 00000000 ____D () C:\Users\Marcus\AppData\Roaming\wtablet
2014-07-24 19:43 - 2014-07-24 19:43 - 00011423 _____ () C:\Users\Marcus\AppData\Local\recently-used.xbel

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-01 02:50 - 2014-08-01 02:49 - 00000000 ____D () C:\FRST
2014-08-01 01:33 - 2013-11-22 23:08 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-08-01 01:33 - 2013-11-22 22:55 - 00022504 _____ () C:\Windows\PFRO.log
2014-07-28 07:22 - 2013-11-24 20:05 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-07-28 07:22 - 2013-11-22 22:43 - 01389361 _____ () C:\Windows\WindowsUpdate.log
2014-07-28 07:21 - 2013-11-22 23:27 - 00000000 ____D () C:\Users\Marcus\AppData\Roaming\Skype
2014-07-28 07:21 - 2013-11-22 22:49 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-07-28 03:58 - 2013-11-23 00:09 - 00000000 ____D () C:\Users\Marcus\AppData\Roaming\Audacity
2014-07-27 20:45 - 2014-07-27 20:45 - 00000000 ____D () C:\Users\Marcus\AppData\Roaming\wtablet
2014-07-27 10:28 - 2013-11-22 22:49 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-07-27 03:58 - 2014-05-10 23:44 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-07-24 19:47 - 2013-11-23 00:03 - 00000000 ____D () C:\Users\Marcus\.gimp-2.8
2014-07-24 19:43 - 2014-07-24 19:43 - 00011423 _____ () C:\Users\Marcus\AppData\Local\recently-used.xbel
2014-07-24 19:43 - 2013-12-07 02:20 - 00000000 ____D () C:\Users\Marcus\AppData\Local\gtk-2.0
2014-07-02 01:46 - 2009-07-13 20:45 - 00013248 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-07-02 01:46 - 2009-07-13 20:45 - 00013248 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

Files to move or delete:
====================
C:\ProgramData\hash.dat
C:\Users\Marcus\jagex_cl_runescape_LIVE.dat
C:\Users\Marcus\random.dat


Some content of TEMP:
====================
C:\Users\Marcus\AppData\Local\Temp\bdfilters.dll
C:\Users\Marcus\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\Marcus\AppData\Local\Temp\jansi-32-git-MCPC-Plus-jenkins-MCPC-Plus-164-235.dll
C:\Users\Marcus\AppData\Local\Temp\jansi-32-git-MCPC-Plus-jenkins-MCPC-Plus-164-251.dll
C:\Users\Marcus\AppData\Local\Temp\jansi-32-git-MCPC-Plus-jenkins-MCPC-Plus-164-262.dll
C:\Users\Marcus\AppData\Local\Temp\jansi-32.dll
C:\Users\Marcus\AppData\Local\Temp\nv3DVStreaming.dll
C:\Users\Marcus\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Marcus\AppData\Local\Temp\nvStereoApiI.dll
C:\Users\Marcus\AppData\Local\Temp\nvStInst.exe
C:\Users\Marcus\AppData\Local\Temp\sonarinst.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys
[2013-11-22 23:12] - [2011-02-24 22:36] - 0295296 ____A (Microsoft Corporation) C9D0EAF58D6BA71E128E715EA43AD87D


==================== Restore Points  =========================

Restore point made on: 2014-07-09 04:15:09
Restore point made on: 2014-07-12 22:27:46
Restore point made on: 2014-07-16 14:50:01
Restore point made on: 2014-07-20 02:36:33
Restore point made on: 2014-07-23 15:57:30
Restore point made on: 2014-07-27 03:53:33

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 8131.14 MB
Available physical RAM: 7346.44 MB
Total Pagefile: 8129.29 MB
Available Pagefile: 7341.88 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:195.21 GB) (Free:102.31 GB) NTFS
Drive e: () (Fixed) (Total:736.2 GB) (Free:357.9 GB) NTFS
Drive g: (Lexar) (Removable) (Total:14.9 GB) (Free:12.16 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 584C2B37)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=195 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=736 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.


LastRegBack: 2014-07-28 04:49

==================== End Of Log ============================



#11 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 01 August 2014 - 12:22 PM

Indeed, the rpcss.dll has been wiped instead of disinfected.
So let's search for a clean replacement:


Start your computer in the System Recovery Options again and open FRST.
  • Write the following text into the Search: textbox:
    rpcss.dll
  • Click on the Search File(s) button.
  • When the search is finished a log file (Search.txt) is saved on your flash drive.
    Copy and paste it in your next reply.

Edited by aharonov, 01 August 2014 - 01:38 PM.


#12 Kosis

  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 01 August 2014 - 01:15 PM

Sorry, life caught up again and I'll be out hiking until the evening so I'll get to that once I return!

#13 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 01 August 2014 - 01:39 PM

No problem, have a nice hike. :)

#14 Kosis

  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 01 August 2014 - 09:51 PM

Farbar Recovery Scan Tool (x64) Version: 31-07-2014 02
Ran by SYSTEM at 2014-08-01 19:42:07
Running from g:\
Boot Mode: Recovery

================== Search Files: "rpcss.dll" =============

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00][2009-07-13 17:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00][2009-07-13 17:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

X:\Windows\System32\rpcss.dll
[2009-07-13 16:00][2009-07-13 17:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

====== End Of Search ======



#15 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 02 August 2014 - 07:49 AM

Ok, now please run the following fix. Afterwards restart your computer. Does it boot normally into Windows again?


Please download the attached file fixlist.txt (165 bytes) and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.




