Adlice forum

Software feedback => RogueKiller => Topic started by: shawnnepc on July 11, 2014, 05:52:07 PM

Title: Zekos - unable to resolve
Post by: shawnnepc on July 11, 2014, 05:52:07 PM

Roguekiller finds the patched rpcss.dll but stalls on removal.

MBAM doesn't see the infection at all.

VT: https://www.virustotal.com/en/file/297ce6ed6b025b3c8c3ba87a34478eae1983b340f8a24fb2b6dbd8dd243be6c0/analysis/1405093483/
Direct link to file: https://www.dropbox.com/s/u9zm73qc3q3bh6c/rpcss.zip


Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Mona [Admin rights]
Mode : Scan -- Date : 07/11/2014  11:59:25
Switches : -nokill

¤¤¤ Bad processes : 4 ¤¤¤
[Root.Zekos] svchost.exe --

• -> [NoKill]

[Root.Zekos] svchost.exe --

• -> [NoKill]

[Root.Zekos] svchost.exe --

• -> [NoKill]

[Root.Zekos] mbam.exe -- C:\Program Files\Malwarebytes Anti-Malware\mbam.exe[7] -> [NoKill]

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Root.Zekos][File] rpcss.dll -- C:\Windows\System32\rpcss.dll -> FOUND

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

¤¤¤ Antirootkit : 2 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\PxHelp20 @ Unknown (\SystemRoot\system32\drivers\amdxata.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\Drivers\Fs_Rec.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3500413AS ATA Device +++++
--- User ---
[MBR] 843e10b5bb6fd48bb30772aabb487e13
[BSP] e58f3ebcd03e6deb444b498b09cac1b6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HP Officejet 6500 E USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

Any help will be greatly appreciated

Title: Re: Zekos - unable to resolve
Post by: Tigzy on July 11, 2014, 07:25:11 PM

Hello
What the report says on removal?

Title: Re: Zekos - unable to resolve
Post by: shawnnepc on July 12, 2014, 01:46:23 AM

Nothing, it stalls on removal...

Title: Re: Zekos - unable to resolve
Post by: Tigzy on July 14, 2014, 11:50:15 AM

It's because searching a file to replace the infected one.
Please wait, can take up to 20-30 minutes.