
svchost.exe *32 winrscmde


  • This topic is locked
21 replies to this topic

#1 csharp01

csharp01

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 10 November 2012 - 11:39 AM

Hello, my wife's computer got infected with a very apparent, disruptive bug about a week ago. To date I have tried the following:

I cannot run MBAM (in safe mode or otherwise as an administrator)
I cannot run AD-Aware (in safe mode or otherwise as an administrator)
I cannot run any software other than Internet explorer
I cannot run tdsskiller (in safe mode with .exe and file name changed)
I cannot run rkill or exehelper (multi variations of each)
I cannot run DDS logs

In a nutshell I cannot run anything on this computer. My observation is this; the process that is being formed is svchost.exe *32 with description winrscmde and it is only active when a program initiates. For instance, when I view the processes running in an idle setting this particular process is not there. The moment I open a program the process will pop-up for approx 10 secs and then shut itself and the program I am attempting to open down.
I have tried everything I can think of to stop/fix this problem and have yet to gain advantage over it. I am in need of help.
Thanks in advance for any help you can give.

The computer is running Windows 7 64-bit.


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:02 PM

Posted 10 November 2012 - 11:47 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




I need to get some reports to get a base to start from so I need you to run these programs first.


-DeFogger-

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


-Download DDS-

  • Please download DDS from one of the links below and save it to your desktop:
    Download DDS and save it to your desktop
    Link1
    Link2
    Link3
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs

  • In your next post I need the following

  • both reports from DDS
  • report from security check
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 csharp01

Posted 10 November 2012 - 12:37 PM

Ok so here is the news.....there isn't any! I tried these programs as you have suggested and not a single one will run. The closest I can get to run is the defogger, which will bring up an empty window, which looks like a command prompt, and then it shuts down. As of now, I have tried all of the links, downloaded in normal mode, safe mode, and on a flash drive from another computer, and I have even as a last resort attempted to change the file ext and name of each of these programs. Since this has not worked, I feel that the issue is being non-discriminate to a specific file type and it is simply being exclusive to all software which it is programmed to allow to execute. THANK YOU for your help. I am completely lost as to where to go from here....any more suggestions?

#4 gringo_pr

Posted 10 November 2012 - 12:44 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

#5 csharp01

Posted 10 November 2012 - 01:39 PM

Same issue with this program; did as you instructed and it was a no go. Thank you. Is there way for me to manually compile information for you so that we can bypass the use of program?

#6 gringo_pr

Posted 10 November 2012 - 07:11 PM

Hello

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First, press the Scan button.
  • It will make a log (FRST.txt)
  • Second, type the following in the edit box after "Search:": services.exe
  • Click the Search button
  • It will make a log (Search.txt)

I want you to post both the FRST.txt report and the Search.txt into your reply to me

Gringo

#7 csharp01

Posted 10 November 2012 - 07:54 PM

Thank you. I feel like we are getting somewhere. Here is frst.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-11-2012 02
Ran by SYSTEM at 10-11-2012 19:38:52
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x]
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6245408 2010-05-25] (Realtek Semiconductor)
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [191784 2010-03-19] (Trend Micro Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-06-17] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602168 2010-06-29] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [948672 2009-12-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2009-12-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [x]
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [x]
HKU\Kelsey\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [x]
HKU\Kelsey\...\Run: [Google Update] "C:\Users\Kelsey\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-11-08] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ===================

2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-06-29] ()
3 Lavasoft Ad-Aware Service; "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" [1737728 2012-09-22] (Lavasoft Limited )
2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=nb [x]

==================== Drivers (Whitelisted) =====================

3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2011-05-15] ()
0 Lbd; C:\Windows\System32\Drivers\Lbd.sys [69376 2011-04-29] (Lavasoft AB)
2 tmactmon; C:\Windows\System32\Drivers\tmactmon.sys [66576 2010-02-07] (Trend Micro Inc.)
2 tmcomm; C:\Windows\System32\Drivers\tmcomm.sys [135696 2010-02-07] (Trend Micro Inc.)
2 tmevtmgr; C:\Windows\System32\Drivers\tmevtmgr.sys [56336 2010-02-07] (Trend Micro Inc.)
1 tmtdi; C:\Windows\System32\Drivers\tmtdi.sys [100368 2009-11-23] (Trend Micro Inc.)
3 ZTEusbgps; C:\Windows\System32\Drivers\ZTEusbgps.sys [121344 2008-04-15] (ZTE Incorporated)
3 ZTEusbnmeaext; C:\Windows\System32\Drivers\ZTEusbnmeaext.sys [121344 2008-04-15] (ZTE Incorporated)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-10 12:23 - 2012-11-10 12:23 - 04998937 ____A (Swearware) C:\Users\Kelsey\Desktop\ComboFix.exe
2012-11-07 13:13 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-07 12:52 - 2012-11-07 12:52 - 00000017 ____A C:\Users\Kelsey\AppData\Local\resmon.resmoncfg
2012-11-04 18:50 - 2012-11-07 13:09 - 00000000 ____D C:\Windows\System32\SPReview
2012-11-04 18:48 - 2012-11-07 13:09 - 00000000 ____D C:\d9d339dc0af587de655d
2012-11-04 18:27 - 2012-11-10 10:00 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-04 18:27 - 2012-11-04 18:27 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-10-28 10:16 - 2012-10-28 10:16 - 00002233 ____A C:\Users\Kelsey\Desktop\Kindle.lnk
2012-10-21 06:49 - 2012-10-21 06:49 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-10-21 06:49 - 2012-10-21 06:49 - 00000000 ____D C:\Program Files\iTunes
2012-10-21 06:49 - 2012-10-21 06:49 - 00000000 ____D C:\Program Files\iPod
2012-10-21 06:49 - 2012-10-21 06:49 - 00000000 ____D C:\Program Files (x86)\iTunes


==================== One Month Modified Files and Folders =======

2012-11-10 12:23 - 2012-11-10 12:23 - 04998937 ____A (Swearware) C:\Users\Kelsey\Desktop\ComboFix.exe
2012-11-10 11:54 - 2009-07-13 21:13 - 00742218 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-10 11:50 - 2011-06-06 18:30 - 00058840 ____A C:\aaw7boot.log
2012-11-10 10:08 - 2010-10-14 00:41 - 01087597 ____A C:\Windows\WindowsUpdate.log
2012-11-10 10:00 - 2012-11-04 18:27 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-10 09:27 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-10 09:27 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-10 09:17 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-10 09:17 - 2009-07-13 20:51 - 00071282 ____A C:\Windows\setupact.log
2012-11-10 07:15 - 2011-11-08 18:40 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2785006086-222372012-980630261-1000UA.job
2012-11-07 13:58 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-11-07 13:24 - 2010-12-25 11:17 - 00000000 ____D C:\users\Kelsey
2012-11-07 13:10 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2012-11-07 13:10 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2012-11-07 13:10 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2012-11-07 13:10 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker
2012-11-07 13:10 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2012-11-07 13:10 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\TAPI
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sppui
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Speech
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Setup
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\MUI
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sppui
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\spp
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Speech
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\MUI
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\manifeststore
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Dism
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\security
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2012-11-07 13:10 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2012-11-07 13:09 - 2012-11-04 18:50 - 00000000 ____D C:\Windows\System32\SPReview
2012-11-07 13:09 - 2012-11-04 18:48 - 00000000 ____D C:\d9d339dc0af587de655d
2012-11-07 13:09 - 2010-10-14 01:29 - 00000000 ___RD C:\Users\Public\Recorded TV
2012-11-07 13:09 - 2010-10-14 00:55 - 00000000 ____D C:\Users\All Users\CinemaNow
2012-11-07 13:09 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices
2012-11-07 13:09 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2012-11-07 13:09 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2012-11-07 13:06 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-11-07 12:58 - 2010-12-27 12:43 - 00000000 ____D C:\Users\Kelsey\AppData\Roaming\SoftGrid Client
2012-11-07 12:52 - 2012-11-07 12:52 - 00000017 ____A C:\Users\Kelsey\AppData\Local\resmon.resmoncfg
2012-11-04 18:34 - 2011-09-26 15:39 - 00000336 ____A C:\Windows\Tasks\HPCeeScheduleForKelsey.job
2012-11-04 18:27 - 2012-11-04 18:27 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-11-04 18:27 - 2011-09-10 12:35 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-11-04 18:24 - 2010-07-10 20:29 - 00000000 ____D C:\Users\All Users\Adobe
2012-11-04 16:46 - 2011-11-08 18:40 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2785006086-222372012-980630261-1000Core.job
2012-11-01 13:59 - 2012-09-09 07:00 - 00012561 ____A C:\Users\Kelsey\Documents\2012 Budget2.xlsx
2012-10-31 17:04 - 2011-06-19 18:25 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
2012-10-31 17:04 - 2011-06-19 18:25 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
2012-10-28 12:47 - 2011-01-30 16:24 - 00000000 ____D C:\Users\Kelsey\Documents\My Kindle Content
2012-10-28 12:47 - 2011-01-30 16:24 - 00000000 ____D C:\Users\Kelsey\AppData\Local\Amazon
2012-10-28 10:16 - 2012-10-28 10:16 - 00002233 ____A C:\Users\Kelsey\Desktop\Kindle.lnk
2012-10-26 19:55 - 2012-05-04 12:45 - 00000000 ____D C:\Users\Kelsey\Desktop\New folder5
2012-10-26 16:43 - 2011-12-19 08:28 - 00011759 ____A C:\Users\Kelsey\Documents\bills.xlsx
2012-10-21 06:49 - 2012-10-21 06:49 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-10-21 06:49 - 2012-10-21 06:49 - 00000000 ____D C:\Program Files\iTunes
2012-10-21 06:49 - 2012-10-21 06:49 - 00000000 ____D C:\Program Files\iPod
2012-10-21 06:49 - 2012-10-21 06:49 - 00000000 ____D C:\Program Files (x86)\iTunes


ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-04 18:50:10
Restore point made on: 2012-11-06 05:50:01
Restore point made on: 2012-11-07 06:21:36

==================== Memory info ===========================

Percentage of memory in use: 22%
Total physical RAM: 2810.9 MB
Available physical RAM: 2176.52 MB
Total Pagefile: 2809.05 MB
Available Pagefile: 2165.92 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:281.49 GB) (Free:211.34 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:16.31 GB) (Free:2.35 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: (CALEB SHARP) (Removable) (Total:0.93 GB) (Free:0.34 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 103 MB
Disk 1 Online 954 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 281 GB 200 MB
Partition 3 Primary 16 GB 281 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 281 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 16 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 953 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G CALEB SHARP FAT Removable 953 MB Healthy

=========================================================

Last Boot: 2012-11-06 19:59

==================== End Of Log =============================

Here is search.txt:

Farbar Recovery Scan Tool (x64) Version: 10-11-2012 02
Ran by SYSTEM at 2012-11-10 19:41:03
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

Thanks again.
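Added triage example (not FRST's own code, and not from anyone in this thread): a Python script that applies the checks a helper would run over a report like the one above. It parses FRST file-entry lines, flags core Windows binary names found outside their expected directories (which is what the ATTENTION line about C:\Windows\svchost.exe is pointing at), flags executables created more recently than they were last modified, and reports any line in the Bamital/volsnap and EXE ASSOCIATION sections that lacks a clean verdict. The Windows 7 x64 directory table and the embedded log excerpt are constructed for this example.

```python
"""Triage of FRST-style report lines: added example, not FRST's own code."""
import re
from datetime import datetime
from typing import NamedTuple

# Constructed excerpt in the layout of the FRST report posted above.
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========
2012-11-10 12:23 - 2012-11-10 12:23 - 04998937 ____A (Swearware) C:\Users\Kelsey\Desktop\ComboFix.exe
2012-11-07 13:13 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-07 12:52 - 2012-11-07 12:52 - 00000017 ____A C:\Users\Kelsey\AppData\Local\resmon.resmoncfg
2012-11-04 18:27 - 2012-11-04 18:27 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
==================== Bamital & volsnap Check =================
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\open\command: "%1" %* => OK
"""

# One FRST file line: created - modified - size attrs [(company)] path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>\S.*)$")
# Section header: '==== Title ====' where the title contains at least one letter.
SECTION_RE = re.compile(r"^=+\s*(.*[A-Za-z].*?)\s*=+$")

# Where Windows 7 x64 keeps these core binaries (constructed table). A file with
# one of these names anywhere else (WinSxS aside) deserves a look; the
# "(Microsoft Corporation)" tag is only a version-resource string and proves nothing.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "userinit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
# FRST verdict sections: every line in them should end with a clean verdict.
CHECK_SECTIONS = ("Bamital & volsnap Check", "EXE ASSOCIATION")
GOOD_VERDICTS = ("=> OK", "=> MD5 is legit")


class FileEntry(NamedTuple):
    created: datetime
    modified: datetime
    size: int
    company: str
    path: str


def split_sections(text):
    """Map each '==== Title ====' header to the non-empty lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_file_entries(text):
    """Parse every line that follows FRST's file-entry layout."""
    ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
    return [FileEntry(ts(m["created"]), ts(m["modified"]), int(m["size"]),
                      m["company"] or "", m["path"])
            for m in map(FILE_RE.match, text.splitlines()) if m]


def misplaced_system_binaries(entries):
    """Core-binary names living outside their expected directory."""
    hits = []
    for e in entries:
        parent, _, name = e.path.lower().rpartition("\\")
        allowed = EXPECTED_DIRS.get(name)
        if allowed and "\\winsxs\\" not in e.path.lower() and parent not in allowed:
            hits.append(e.path)
    return hits


def recently_placed(entries):
    """Executables created more recently than they were last modified: copied
    into place recently, whatever their old version date suggests."""
    return [e.path for e in entries
            if e.path.lower().endswith((".exe", ".dll", ".sys")) and e.created > e.modified]


def failed_checks(text):
    """Lines in the verdict sections that do not carry a clean verdict."""
    sections = split_sections(text)
    return [line for name in CHECK_SECTIONS for line in sections.get(name, [])
            if not line.endswith(GOOD_VERDICTS)]


def triage(text):
    """Run all three checks over one report and collect the findings."""
    entries = parse_file_entries(text)
    return {"misplaced": misplaced_system_binaries(entries),
            "recently_placed": recently_placed(entries),
            "failed_checks": failed_checks(text)}
```

Run on the excerpt it reports C:\Windows\svchost.exe under both "misplaced" and "recently_placed" and no failed verdict lines, which matches what the ATTENTION line and the "MD5 is legit" and "=> OK" lines in the real report say.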

#8 gringo_pr

Posted 10 November 2012 - 07:58 PM

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

#9 csharp01

Posted 10 November 2012 - 08:12 PM

Hi Gringo, neither file will execute. The computer thinks for a moment and the file does not respond.

Thanks

#10 gringo_pr

Posted 10 November 2012 - 08:36 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#11 csharp01

Posted 10 November 2012 - 08:48 PM

Combofix does not run. The computer continues to not allow any software to run except iexplorer.

#12 gringo_pr

Posted 10 November 2012 - 09:18 PM

change combofix from combofix.exe to combofix.com


right click on combofix and select rename and rename it combofix.com

#13 csharp01

Posted 10 November 2012 - 09:23 PM

Same results.

#14 gringo_pr

Posted 10 November 2012 - 09:28 PM

have you tried system restore?


gringo

#15 csharp01

Posted 10 November 2012 - 09:46 PM

Yes, that was my first step a few days ago. My wife followed through with a Windows Update for Service Pack 1 for Windows 7 and we initially thought this was the issue. I suppose this is the end of the line. The only productive piece of information I have seen is this message from the frst.exe report:

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

I suspect this is my issue but I have no idea how to correct it. Even if I had a tool that I was certain would work, the system will not execute it, as it has with all software. Thanks for all of your help; just wish we could have fixed it.



