BleepingComputer.com: svchost.exe and possible virus (WORM_RORPIAN.D)?


#16 CatByte

  • Bleepin' curls!
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 23 August 2011 - 07:00 PM

Try this temp file cleaner:


Download TFC to your desktop
Mirror
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

It's normal after running TFC cleaner that the PC will be slower to boot the first time.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#17 aquadeath2

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 16-August 11

Posted 24 August 2011 - 04:01 PM

I was instructed to run that application yesterday and it didn't help.

#18 CatByte

Posted 24 August 2011 - 04:39 PM

Please do the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *srvB2C*
    


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#19 aquadeath2

Posted 24 August 2011 - 06:11 PM

It was too big to post so I had to zip and attach it.


#20 CatByte

Posted 24 August 2011 - 06:52 PM

Hi

Please do the following:

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


    :Files
    C:\Documents and Settings\Jason Reinhard\Recent\Legacy_SRVB2C.reg.dat.lnk       
    C:\Program Files\Trend Micro\Internet Security\Quarantine\srvB2C.tmp    
    C:\Program Files\Trend Micro\Internet Security\Quarantine\srvB2C_*
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [emptyflash]
    [purity]
    [emptytemp]
    [Reboot]
    



  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log


#21 aquadeath2

Posted 24 August 2011 - 07:14 PM

I had to zip and attach again.


#22 CatByte

Posted 24 August 2011 - 07:40 PM

Has that resolved the issue with the files in quarantine now?

How is the computer running?

#23 aquadeath2

Posted 24 August 2011 - 08:07 PM

The computer is and has been running fine, I just can't clean up the quarantine and I STILL cannot delete them from the quarantine (same error). I noticed those files aren't in the _OTL\MovedFiles folder (dunno if that matters).

#24 CatByte

Posted 24 August 2011 - 08:32 PM

That's quite odd as the log reports they were moved.

The only thing I can think of is to uninstall Trend Micro completely, which should take the quarantine folder with it, or post on the Trend Micro Forum to find out if there is a setting that needs to be altered in order to empty the quarantine.

Are you following these directions?

http://esupport.trendmicro.com/Pages/How-do-I-delete-the-quarantined-files-in-Trend-Micro-Internet-Security.aspx

#25 aquadeath2

Posted 24 August 2011 - 08:40 PM

Yes it's weird, the files are there but they aren't. And yes, what Trend says to do I am doing. I'll give uninstalling it a shot and see what happens. Thank you very much for your help with my initial problem and being patient through trying to help me with this final cleanup. I'll say this is the end of the help I'll need from you; thank you!

#26 CatByte

Posted 24 August 2011 - 08:45 PM

OK,

To clean up the OTL program, do the following:


  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.


#27 CatByte

Posted 25 August 2011 - 08:09 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.