agilesp Posted July 3, 2014 ID:848808 Share Posted July 3, 2014 I have been trying to rid a friends computer of Trojan.Zekos.Patched and I'm having trouble fully removing it. I would greatly appreciate any and all assistance in neutralizing this threat! There are and never were any audio ads that we know of, but Malwarebytes keeps displaying a blocked threat even after I ran MBAR which said it was removed and replaced. Attached are logs from FRST. Thank you for your time!FRST.txtAddition.txt Link to post Share on other sites More sharing options...
MrCharlie Posted July 3, 2014 ID:848813 Share Posted July 3, 2014 This is the problem: rpcss.dll is patched C:\Windows\System32\rpcss.dll[2014-06-11 23:01] - [2010-11-20 09:27] - 0512512 ____N (Microsoft Corporation) D7869A8E778FB52845D8CBE167D025A9ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected. -----------------------------------------------------Run FRST again and.............Type the following in the edit box after "Search:".rpcss.dllIt then should look like:Search: rpcss.dllClick Search button and post the log (Search.txt) it makes to your reply.MrC Link to post Share on other sites More sharing options...
agilesp Posted July 3, 2014 Author ID:848820 Share Posted July 3, 2014 Thank you again for your time! I have done as you asked and have attached the Search.txt log to my reply.Search.txt Link to post Share on other sites More sharing options...
MrCharlie Posted July 3, 2014 ID:848829 Share Posted July 3, 2014 Download the attached fixlist.txt to the same folder as FRST.exe. Run FRST.exe and click Fix only once and wait The tool will create a log (Fixlog.txt) in the folder, please post it to your reply. MrC Link to post Share on other sites More sharing options...
agilesp Posted July 3, 2014 Author ID:848837 Share Posted July 3, 2014 I have done as you asked and the Fixlog.txt is attached.Fixlog.txt Link to post Share on other sites More sharing options...
MrCharlie Posted July 3, 2014 ID:848839 Share Posted July 3, 2014 How is it now?? MrC Link to post Share on other sites More sharing options...
agilesp Posted July 3, 2014 Author ID:848844 Share Posted July 3, 2014 Rebooted the machine, and now I get a black screen of death before reaching the windows log in screen. Link to post Share on other sites More sharing options...
MrCharlie Posted July 3, 2014 ID:848850 Share Posted July 3, 2014 Is there any error message?? MrC Link to post Share on other sites More sharing options...
agilesp Posted July 3, 2014 Author ID:848861 Share Posted July 3, 2014 No error message. Perhaps it is a problem with the permissions of the new .dll file? I'm not entirely sure how to fix it if so. Link to post Share on other sites More sharing options...
agilesp Posted July 3, 2014 Author ID:848867 Share Posted July 3, 2014 I used a live PE to browse the files of my windows, and now I can see that the rpcss.dll file is actually completely missing. Should I download a replacement to a flash drive and manually replace the .dll & set the permissions? Link to post Share on other sites More sharing options...
MrCharlie Posted July 3, 2014 ID:848872 Share Posted July 3, 2014 There's already copies on your computer to use, don't download any.I used the one in the ERUNT folderSo I would copy that one over to the system32 folder and see what happens: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll[2013-10-31 18:28][2010-11-20 09:27] 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123 [File is signed]C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll[2009-07-13 20:00][2009-07-13 21:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027 [File is signed]C:\Windows\erdnt\cache64\rpcss.dll[2013-10-22 14:40][2009-07-13 21:41] 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027 [File is signed]C:\Users\Doom Satan\Downloads\rpcss.dll[2014-06-11 23:00][2014-06-11 23:00] 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680 Link to post Share on other sites More sharing options...
agilesp Posted July 3, 2014 Author ID:848877 Share Posted July 3, 2014 I have replaced the missing rpcss.dll file with the one from the erdnt folder and it has booted normally again! No messages from MBAM saying that it has blocked anything. I will run a scan with MBAM and MBAR to be on the safe side...but it's looking good so far! Thank you so much for your time and assistance! Link to post Share on other sites More sharing options...
MrCharlie Posted July 3, 2014 ID:848880 Share Posted July 3, 2014 Sorry about that but according to the fix log it was replaced.I'm not sure what happened but glad you got it fixed. C:\Windows\System32\rpcss.dll => Moved successfully.C:\Windows\erdnt\cache64\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll Take a look at My Preventive Maintenance to avoid being infected again. (My Preventive Maintenance also found HERE) Good Luck and Thanks for using the forum, MrC Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted July 13, 2014 Root Admin ID:852424 Share Posted July 13, 2014 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts