Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Something strange

  • This topic is locked This topic is locked
2 replies to this topic

#1 jnord24


  • Members
  • 39 posts
  • Local time:07:59 AM

Posted 13 December 2011 - 03:42 PM

A couple of days ago I was using my computer early in the morning. I had my online school open in Firefox, and was working on homework in a couple of different windows. All of a sudden all of the Firefox windows started closing one by one, my mouse quite responding to me, windows started popping up delay write fail (hard drive failure), then errors popped up saying hard drive errors found and it wanted to scan. I said no, but then it popped up again and I said no again and it start to do so anyway. So, I tried to CTRL ALT DEL to get my task manager up, and it was gone as an option. Tried pulling up the administration tools and they were all gone! My virus scanner notification window popped up, but there was no item listed. So Iím like uhhhh ohh. So I immediately rebooted, did a hard drive check in the bios just to make sure and all was good. Booted back into safe mode, ran a system restore. Administrative tools were still gone. Booted back into regular mode and was able to run task manager. I found some weird gt processes (3 of time) and they appeared weird. There was no description and the properties showed the files to be in what appeared to be directory mirrored after the system32 folder located in c:\windows\sysWOW64 and there were three different services. Still without my admin tools, I manually launched the services snap in. Set the GT services to disabled and tried to stop themÖ.access denied. After doing so, the processes reset themselves to automatic start again! Dependencies showed they were hooked into the windows logon and rpcnet process. I went into the folder and found logs for the item, it looked like it was hooking in at not only the windows logon but anytime you try and stop the services & was also launched anytime rpcnet services started. So, I once again reset the gt services back to disabled, rebooted into safe mode and they didnít start. That enabled me to delete the folder, but when I tried to remove the services manually from a command prompt using the sc delete command, access denied. So, I had to go into the registry and delete each, then reboot again. After that, it appeared to be gone. I fixed my administrative tools afterwards and ran a virus scan with nothing found.

Today I was again working on homework logged into the schools online system (a final) and my computer just all of a sudden locked. Would not respond to CTRL+ALT+DEL or anything so I had to manually shut it down. Once I rebooted, I immediately checked the event viewer and found items relating back to gt services....it kept trying to start them and said they were not found and indicated as result it forced a shut down of the machine. I then checked the tasks no gt services there, however, my hypersnap which allows me to capture screen prints was gone (completely empty) and the task scheduler appeared on the start menu. So I went into services, and once again services for I thought that was weird because I have never even opened the task scheduler before. So I open it an find the entries for gpsvc, gupdate, and gupdatem all running. This time the description says these services are needed to keep your google software up to date. I find this strange since I don't have any google software installed including earth, chrome, etc. I go into the registry and find that gpsvc is using the "SeImpersonatePrivelege" and a few others which I snapped a screen print of. I also notice a rpcnet.exe starting from the same c:\windows\sysWow64\ folder. So I again disable the services, remove the registry entries and reboot but after doing so I check the task scheduler and find two interesting entries.

"GoogleUpdateTaskMachineCore which is triggered upon the logon of any user and daily at 6:01AM and repeats for every 1 hour per day, is jusing my username to start and starts c:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c.

Googleupdate.exe, digital signatures show the name of signer, but no email address or current timestamp.

The other "GoogleUpdateTaskMachineUA" also starts at 6:01am (but not upon login), and runs c:\Program Files (x86)\Google\Update\GoogleUpdate /ua / installsource scheduler

So I deleted both tasks, but now i have the rpcnept.exe which is in use and can't delete the entire c:\windows\sysWow64 folder and I'm left wondering what and why these gt services items are and how I can get rid of them since I don't have any google software installed, and I don't think they're really google related anyway. There are a whole bunch of other files in this folder with names that scare me as well such as a whole bunch of intsallers, dll's and rekeywiz.exe, rpcping, runcplelevated?

BC AdBot (Login to Remove)


#2 jnord24

  • Topic Starter

  • Members
  • 39 posts
  • Local time:07:59 AM

Posted 28 December 2011 - 09:30 AM

I just ran Malwarebytes again, and it found rogue.fake.hdd so I did a google search. Seems that the symptoms I have described (including the delayed write fail, programs folders empty on the start menu) are apart of that infection. Here is what I'm referencing: http://forums.malwarebytes.org/index.php?showtopic=101392.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,756 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:59 AM

Posted 28 December 2011 - 10:30 AM

I have moved (split away) your OTL log to the Virus, Trojan, Spyware, and Malware Removal Logs forum as they are not permitted in this forum.

Please go here, click on the Options button in the upper right corner of that thread and choose Track this topic. Subscribe to that topic to ensure you are notified when a helper replies.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worst which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take several days to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable. If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users