rpcss.dll infected file

Today I ran into more complicated malware that is putting up a fight. It all started with the customer complaining about their Internet Explorer crashing and freezing up when opening. As usual, I went in and removed unwanted add-ons and the unwanted search engines. After that I started a scan with Malwarebytes and Hitman Pro. Some malware was found and removed by the programs. Then I restarted the computer. I managed to get IE working for 3 days.

After that I got the PC back again, with the user complaining about the same issue. I went in and checked the Event manager, no luck. Then, based on other issues with Outlook freezing up and crashing because of bad drive sectors, I did a check disk: nothing, no luck. I then took the computer home and started a defragmentation. After it had run for about 3 hours, I noticed that it got stuck on a single file. I searched for that file and noticed that it was in the Temp folder, so I deleted it. Immediately after I deleted the file, the AVG virus warning came up. It said that it had found a Trojan running in the background. I tried to delete it, no luck. When I did a Hitman Pro scan, it found the file rpcss.dll infected with a Trojan. Unfortunately, Hitman Pro was unable to remove it, since it is a Windows system file. It was able to replace it, and after 2 more scans it stopped showing up as infected.
This infected file was the one causing all the issues. After removing that file, Internet Explorer worked OK; not perfect, but OK. The only reason I was able to find this file was that the defragmentation process was being held up by another file.

UPDATE:
Obtain a clean copy of rpcss.dll file here.

I was going through my stats and noticed that there have been several searches for this file as a replacement. Since people want replacement files, I want to go ahead and give you guys a replacement file.

  • Boot to Safe Mode and go to the c:\windows\system32\ folder.
  • Rename the rpcss.dll file to rpcss.dll.old and bring the new file in; simply drag and drop.
  • Here is the rpcss.dll file inside a zip folder.
  • Save the zip folder on the desktop and unzip it, then drag and drop the file into the system32 folder.

Windows XP file: rpcss

UPDATE:

Due to the fact that I get a lot of users searching for an rpcss.dll file for Windows 7, I have taken the time to copy an rpcss.dll file from a new Win 7 install. I have this Windows 7 rpcss.dll in a zip folder here:

Windows 7 file: rpcss-Win7x64
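
A pre-swap check for the replacement steps above, written as an added example (not part of the original post or its comments): it compares a downloaded rpcss.dll with the installed one for architecture and file version, and hashes it against a reference copy from a clean machine when one is available. It assumes PowerShell 2.0 or later; the function names and the `E:\clean` path are hypothetical.

```powershell
# Added example. Run from 64-bit PowerShell on 64-bit Windows: a 32-bit host is
# silently redirected from System32 to SysWOW64 and would inspect the wrong file.

function Get-Sha256Hex([string]$Path) {
    # .NET hashing instead of Get-FileHash so this also runs on PowerShell 2.0
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-PeMachine([string]$Path) {
    # e_lfanew at 0x3C points to "PE\0\0"; the Machine field follows the signature
    $bytes   = [System.IO.File]::ReadAllBytes($Path)
    $peStart = [System.BitConverter]::ToInt32($bytes, 0x3C)
    $machine = [System.BitConverter]::ToUInt16($bytes, $peStart + 4)
    switch ($machine) {
        0x014c  { 'x86' }
        0x8664  { 'x64' }
        default { '0x{0:X4}' -f $machine }
    }
}

function Test-ReplacementDll {
    param([string]$Candidate, [string]$Installed, [string]$Reference)
    # FileVersionInfo resolves relative paths against the process directory, so expand first
    $Candidate = (Resolve-Path $Candidate).Path
    $Installed = (Resolve-Path $Installed).Path
    $cArch = Get-PeMachine $Candidate
    $iArch = Get-PeMachine $Installed
    $cVer  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Candidate).FileVersion
    $iVer  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Installed).FileVersion
    $hash  = Get-Sha256Hex $Candidate
    # Reference = copy taken from a clean machine with the same Windows version and service pack
    $refMatch = if ($Reference) { (Get-Sha256Hex $Reference) -eq $hash } else { $null }
    New-Object PSObject -Property @{
        CandidateArch    = $cArch;  InstalledArch    = $iArch
        CandidateVersion = $cVer;   InstalledVersion = $iVer
        CandidateSha256  = $hash
        MatchesReference = $refMatch   # $null means no reference was supplied
        # A mismatch here means do not swap; a match alone does not prove the file is clean
        LooksCompatible  = ($cArch -eq $iArch) -and ($cVer -eq $iVer)
    }
}

# Usage (E:\clean\rpcss.dll is an assumed location for the reference copy):
# Test-ReplacementDll -Candidate C:\rpcss.dll -Installed C:\Windows\System32\rpcss.dll -Reference E:\clean\rpcss.dll
```

`LooksCompatible` only guards against the wrong-build case; `MatchesReference` is the check that ties the file to a known-clean system.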

Please comment.

 

Comments

This post currently has 25 responses

  • Check the hash on the rpcss.dll file with tdsskiller.exe
    making sure to enable “loaded modules” under “change parameters”
    You’ll have to reboot and it will scan the system files to make
    sure they are original. Also search your system for rpcss.dll and
    make sure it didn’t copy infected versions of itself to your system
    restore folders. If you can get this file off a clean system and
    replace the infected one, you should be ok.

    • Thanks
      I managed to get another file from another computer and paste it, rebooted and it worked OK.
      Did an antivirus scan and removed the old infected file.
      Did another scan and it found the other files on the system restore store.
      Managed to delete them with AVG.

  • I removed the rpcss.dll file and it killed my computer. Super anti spyware will remove the rpcss.dll file. My computer would not start in safe mode either. So I removed the “C” drive and installed it in my workbench computer. My workbench computer is running the same 64 bit operating system as the one killed by rpcss.dll. I then examined the drive and the infected file was gone. So what I did was copy the same exact file rpcss.dll from the system 32 and paste it into my sick “C” hard drive. I then removed the sick hard drive and put it back in the computer that was infected with the rpcss.dll file. It started up and runs fine. If you are running a computer with the same operating system you can get rid of rpcss.dll and not need to do a complete reinstall.

    • Yep, simply replacing the infected file will do the job. I am wondering why the sfc scan won’t replace the file? I ran it twice and it didn’t replace the file, but oh well, it’s running again 🙂

  • I went and attached a replacement rpcss.dll file to make the fix easier. I had obtained the file from a win xp install and it should work fine. Enjoy

  • I just wanted to say thank you very much for saving me from a reload of the operating system. I had the rpcss.dll problem causing a svchost file to eat up memory and I knew how to fix it but didn’t have an appropriate file to copy. I found one previously on the Internet but it was not the correct one and so that caused probs with operations, but your file got me back functional.

  • Ok I have Windows 7. AVG said it found a virus system32 rpcss.dll. I also noticed the other day random music playing on the computer but no player was open. I had to mute the volume.

    I did exactly what is in the instruction above and it APPEARS that the problem is fixed. I am not sure if there are other viruses but AVG shows 0. Thank you for this easy fix. I looked at other sites and WOW it would have taken a long time. Do you think there are any other hidden viruses? ie system restore folder?

    Thank you so much

    • Just to be sure, I would do some root kit removal, and then Malwarebytes and again AVG in safe mode, just to be sure

      • Ok will do. Thank you again. cc cleaner did find the unused OLD .dll.
        Should I allow cc to remove the unused .dll?

        • I would say that any unused .dll files that CCleaner finds are from unwanted programs that were installed, and it would be OK to remove them

  • Hello,
    I’m trying to copy/paste your Windows 7 replacement file but it says “You’ll need to provide administrative permission to copy this folder” (I’m only copying the file, not the folder). I click “Continue” which then asks did I want to copy/replace, copy both etc but it allow the copy. Any suggestions? Thank you

    • Simply download the file to the desktop, then open up a window and go to where the old file is, then simply drag and drop the file in the folder where you want it. If it asks to allow the file to be replaced, click yes.

    • Thanks for posting the replacement file. I needed to copy and paste in Safe Mode, my system wouldn’t let otherwise. I have a Windows partition on my Mac. I had to go to Start>Run>MSCONFIG click Boot tab, select Safeboot and restart.

      Once in Safe Mode I changed the corrupted file name, copied/pasted the replacement file, and restarted again (undo Safeboot and restart). Then I deleted the corrupted file. So far, that’s worked. Thanks!

  • Hello, I tried over and over again and all I got was that I needed permission to change the .old … I have no idea how I can change it now
    Too frustrated not to continue

    • You might want to restart your computer in safe mode. When you restart, after the monitor goes off and on, start pressing the F8 key about every second, then it will boot up in safe mode. It should work for you then.

  • Same issue with my laptop.
    I got message from Trojan Remover application that my laptop is using infected Patched/rpcss.dll file, which is a trojan.
    Then I tried to replace that dll file with new file which is downloaded from Internet.
    But then, my laptop started with only black screen with mouse pointer.
    This happened because I replaced rpcss.dll file. I was not able to do anything now.
    Then I used my bootable pen drive and again pasted my infected rpcss.dll file and my laptop started working. But it is still infected, I’m not able to get rid of it.
    I tried each and every possible solution but not getting success. And I don’t want to format my drive. So if anyone could have solution on this, Please help me. Because it slows down my laptop and disconnects me from internet at particular interval of time. 🙁

  • This worked for me, thank you so much.

    FWIW, I originally tried downloading the file from a DLL site, and that was incorrect. The Windows 7 64 above worked for me. Which is important, because:

    WARNING: If you just delete rpcss.dll, replace it with an invalid version, or system filecheck the file, you may not be able to boot afterward. I was getting the “black screen with mouse” error that you may see on other sites. So, in order to do it correctly, here were my steps:

    1) Save the zip above and extract the new rpcss.dll to c:\
    2) Reboot into Safe Mode with a Command Prompt
    3) From the system32 directory: rename rpcss.dll rpcss.dll.bad
    4) From the system32 directory: copy c:\rpcss.dll
    5) Restart Windows normally
    6) Delete rpcss.dll.bad
    7) Create a new Virus Free Restore Point so I never go back to before I fixed it.

    Hope this helps anyone who got stuck like me.
