c:\windows\svchost.exe - Preventing applications from launching


26 replies to this topic

#1 bigbaldlarry
  • Members
  • 15 posts

Posted 18 August 2013 - 08:34 PM

I'm looking at a friend's laptop that will not launch any programs. I've dug around enough to find the C:\Windows\svchost.exe file that seems to be involved in stopping processes. I can see it launch in the task manager every time I try to launch a browser or nearly any other program. This happens in both regular and safe mode. I have downloaded several of the malware tools mentioned on this and other sites, but most of them get immediately shut down when I try to launch them, including DDS. I am able to use FRST64. I've seen several topics on here that are very similar to mine, but figured it best to enter my own since the fixlist files are so specific.

 

Here is the output from the FRST.txt file.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-08-2013
Ran by User (administrator) on 18-08-2013 21:17:10
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\AMSP_LogServer.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\TMIDS\PwmSvc.exe
(Microsoft Corporation) C:\Windows\system32\taskmgr.exe
(Microsoft Corporation) \\.\globalroot\systemroot\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WerFault.exe

==================== Registry (Whitelisted) ==================

HKLM-x32\...\runonceex: [Flags] - 128
HKLM-x32\...\runonceex: [Title] - UnHackMe Rootkit Check
BootExecute: autocheck autochk * Partizan

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1078\TmIEPlg.dll (Trend Micro Inc.)
BHO: Trend Micro DirectPass BHO - {3F019D1C-7EAA-4F25-A765-FBA635BD0AFF} - C:\Program Files\Trend Micro\TMIDS\PwmIEBHO64.dll (Trend Micro Inc.)
BHO: TmBpIeBHO Class - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\TmBpIe64.dll (Trend Micro Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1078\TmIEPlg32.dll (Trend Micro Inc.)
BHO-x32: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll (AOL Inc.)
BHO-x32: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll (BitComet)
BHO-x32: Trend Micro DirectPass BHO - {3F019D1C-7EAA-4F25-A765-FBA635BD0AFF} - C:\Program Files\Trend Micro\TMIDS\PwmIEBHO32.dll (Trend Micro Inc.)
BHO-x32: TmBpIeBHO Class - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\TmBpIe32.dll (Trend Micro Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Trend Micro DirectPass Toolbar - {9B4B91FC-EC4D-4018-9575-96FA5A3C03C5} - C:\Program Files\Trend Micro\TMIDS\PwmIEBHO64.dll (Trend Micro Inc.)
Toolbar: HKLM-x32 - Trend Micro DirectPass Toolbar - {9B4B91FC-EC4D-4018-9575-96FA5A3C03C5} - C:\Program Files\Trend Micro\TMIDS\PwmIEBHO32.dll (Trend Micro Inc.)
Toolbar: HKLM-x32 - Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll (AOL Inc.)
Toolbar: HKCU - No Name - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} -  No File
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: HKLM-x32 {E705A591-DA3C-4228-B0D5-A356DBA42FBF} http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\TmBpIe64.dll (Trend Micro Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1078\TmIEPlg.dll (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\TmBpIe32.dll (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1078\TmIEPlg32.dll (Trend Micro Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

Chrome:
=======
CHR HomePage: hxxp://www.google.com/
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR Plugin: (Shockwave Flash) - C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.89\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\User\AppData\Local\Google\Chrome\Application\22.0.1229.94\gcswf32.dll No File
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\User\AppData\Local\Google\Chrome\Application\22.0.1229.94\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\User\AppData\Local\Google\Chrome\Application\22.0.1229.94\pdf.dll No File
CHR Plugin: (Trend Micro DirectPass) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\idkknaphebegndgimgdpfnconcickdfn\1.3.0.3050_0\plugins/NPPwmChromeHelper.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Google Update) - C:\Users\User\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
CHR Plugin: (Java™ Platform SE 7 U3) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
CHR Extension: (Trend Micro DirectPass) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\idkknaphebegndgimgdpfnconcickdfn\1.3.0.3050_0
CHR HKLM-x32\...\Chrome\Extension: [idkknaphebegndgimgdpfnconcickdfn] - C:\Program Files\Trend Micro\TMIDS\PwmChromeExt\PwmChromeExt.crx

==================== Services (Whitelisted) =================

S2 AffinegyService; C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe [563104 2012-02-23] (Affinegy, Inc.)
S3 BITCOMET_HELPER_SERVICE; C:\Program Files\BitComet\tools\BitCometService.exe [1296728 2010-12-28] (www.BitComet.com)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [399432 2012-09-07] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [676936 2012-09-07] (Malwarebytes Corporation)
R2 PwmSvc; C:\Program Files\Trend Micro\TMIDS\PwmSvc.exe [342064 2012-08-22] (Trend Micro Inc.)
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [x]

==================== Drivers (Whitelisted) ====================

S3 Alpham1; C:\Windows\System32\DRIVERS\Alpham164.sys [52992 2007-07-23] (Ideazon Corporation)
S3 Alpham2; C:\Windows\System32\DRIVERS\Alpham264.sys [21760 2007-03-20] (Ideazon Corporation)
S3 kbfilter; C:\Windows\System32\DRIVERS\kbfilter.sys [66896 2012-10-11] (Trend Micro Inc.)
R3 L1C; C:\Windows\System32\DRIVERS\L1C60x64.sys [72744 2009-12-22] (Atheros Communications, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2012-09-07] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2012-09-07] (Malwarebytes Corporation)
S3 Mo3Fltr; C:\Windows\System32\drivers\Mo3Fltr.sys [12800 2010-08-11] ()
R1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [91920 2011-07-12] (Trend Micro Inc.)
R1 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [167696 2011-07-12] (Trend Micro Inc.)
R1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [70928 2011-07-12] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105744 2011-08-02] (Trend Micro Inc.)
S3 WRfiltv; C:\Windows\System32\drivers\WRfiltv.sys [25600 2009-07-31] (Creative Technology Ltd.)
U0 Partizan; system32\drivers\Partizan.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-18 21:07 - 2013-08-18 21:07 - 00262144 _____ C:\Windows\Minidump\081813-41979-01.dmp
2013-08-17 17:39 - 2009-07-13 21:14 - 00020480 _____ (Microsoft Corporation) C:\Windows\svchost.exe
2013-08-17 15:12 - 2013-08-17 15:12 - 00000000 ____D C:\FRST
2013-08-17 14:19 - 2013-08-18 21:07 - 309828932 _____ C:\Windows\MEMORY.DMP
2013-08-17 14:19 - 2013-08-17 14:19 - 00262144 _____ C:\Windows\Minidump\081713-62930-01.dmp
2013-08-17 11:31 - 2013-08-18 21:07 - 00000392 _____ C:\Windows\setupact.log
2013-08-17 11:31 - 2013-08-17 11:31 - 00000000 _____ C:\Windows\setuperr.log
2013-08-17 10:05 - 2013-08-15 22:10 - 04745728 _____ (AVAST Software) C:\aswMBR.exe
2013-08-15 22:59 - 2013-08-17 15:52 - 00000000 ____D C:\Windows\pss
2013-08-15 22:03 - 2013-08-17 10:00 - 02237968 _____ (Kaspersky Lab ZAO) C:\tdsskiller.exe
2013-08-15 22:03 - 2013-08-15 21:25 - 01893504 _____ (Bleeping Computer, LLC) C:\rkill.exe
2013-08-15 20:47 - 2012-07-28 16:45 - 04719842 ____R (Swearware) C:\ComboFix.exe
2013-08-13 19:45 - 2012-11-30 01:45 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2013-08-13 19:45 - 2012-11-30 01:45 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2013-08-13 19:45 - 2012-11-30 01:45 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2013-08-13 19:45 - 2012-11-30 01:45 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2013-08-13 19:45 - 2012-11-30 01:43 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2013-08-13 19:45 - 2012-11-30 01:41 - 01161216 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2013-08-13 19:45 - 2012-11-30 01:41 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:54 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-13 19:45 - 2012-11-30 00:53 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-08-13 19:45 - 2012-11-30 00:53 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-08-13 19:45 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-08-13 19:45 - 2012-11-29 23:23 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2013-08-13 19:45 - 2012-11-29 22:44 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-13 19:45 - 2012-11-29 22:44 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-13 19:45 - 2012-11-29 22:44 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-13 19:45 - 2012-11-29 22:44 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-13 19:45 - 2012-11-29 22:38 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-08-13 19:45 - 2012-11-29 22:38 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-13 19:45 - 2012-11-29 22:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-13 19:45 - 2012-11-29 22:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-08-13 19:45 - 2012-11-29 19:17 - 00420064 _____ C:\Windows\SysWOW64\locale.nls
2013-08-13 19:45 - 2012-11-29 19:15 - 00420064 _____ C:\Windows\system32\locale.nls
2013-08-13 19:44 - 2013-05-10 01:49 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\cryptdlg.dll
2013-08-13 19:44 - 2013-05-09 23:20 - 00024576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-08-13 19:43 - 2013-01-24 02:01 - 00223752 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\fvevol.sys
2013-08-13 19:42 - 2013-05-13 01:51 - 01464320 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-08-13 19:42 - 2013-05-13 01:51 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2013-08-13 19:42 - 2013-05-13 01:51 - 00139776 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2013-08-13 19:42 - 2013-05-13 01:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\system32\certenc.dll
2013-08-13 19:42 - 2013-05-13 00:45 - 01160192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-13 19:42 - 2013-05-13 00:45 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-13 19:42 - 2013-05-13 00:45 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-13 19:42 - 2013-05-12 23:43 - 01192448 _____ (Microsoft Corporation) C:\Windows\system32\certutil.exe
2013-08-13 19:42 - 2013-05-12 23:08 - 00903168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-08-13 19:42 - 2013-05-12 23:08 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-08-13 19:39 - 2012-07-26 00:55 - 00785512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Wdf01000.sys
2013-08-13 19:39 - 2012-07-26 00:55 - 00054376 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdfLdr.sys
2013-08-13 19:39 - 2012-07-25 22:36 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\Wdfres.dll
2013-08-13 19:39 - 2012-06-02 10:35 - 00000003 _____ C:\Windows\system32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2013-08-13 19:38 - 2012-12-16 13:11 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2013-08-13 19:38 - 2012-12-16 10:45 - 00367616 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2013-08-13 19:38 - 2012-12-16 10:13 - 00295424 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2013-08-13 19:38 - 2012-12-16 10:13 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2013-08-13 19:36 - 2012-07-25 23:08 - 00744448 _____ (Microsoft Corporation) C:\Windows\system32\WUDFx.dll
2013-08-13 19:36 - 2012-07-25 23:08 - 00229888 _____ (Microsoft Corporation) C:\Windows\system32\WUDFHost.exe
2013-08-13 19:36 - 2012-07-25 23:08 - 00194048 _____ (Microsoft Corporation) C:\Windows\system32\WUDFPlatform.dll
2013-08-13 19:36 - 2012-07-25 23:08 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\WUDFSvc.dll
2013-08-13 19:36 - 2012-07-25 23:08 - 00045056 _____ (Microsoft Corporation) C:\Windows\system32\WUDFCoinstaller.dll
2013-08-13 19:36 - 2012-07-25 22:26 - 00198656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WUDFRd.sys
2013-08-13 19:36 - 2012-07-25 22:26 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WUDFPf.sys
2013-08-13 19:36 - 2012-06-02 10:57 - 00000003 _____ C:\Windows\system32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf

==================== One Month Modified Files and Folders =======

2013-08-18 21:17 - 2009-07-14 00:45 - 00015136 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-18 21:17 - 2009-07-14 00:45 - 00015136 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-18 21:15 - 2012-09-06 14:40 - 01745445 _____ C:\Windows\WindowsUpdate.log
2013-08-18 21:15 - 2012-04-06 12:14 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-18 21:10 - 2012-04-10 21:29 - 00000258 __RSH C:\ProgramData\ntuser.pol
2013-08-18 21:08 - 2012-07-23 14:12 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-18 21:08 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-18 21:07 - 2013-08-18 21:07 - 00262144 _____ C:\Windows\Minidump\081813-41979-01.dmp
2013-08-18 21:07 - 2013-08-17 14:19 - 309828932 _____ C:\Windows\MEMORY.DMP
2013-08-18 21:07 - 2013-08-17 11:31 - 00000392 _____ C:\Windows\setupact.log
2013-08-18 21:07 - 2012-09-10 12:14 - 00000246 _____ C:\Windows\SysWOW64\PARTIZAN.TXT
2013-08-18 21:07 - 2012-08-16 03:25 - 00000000 ____D C:\Windows\Minidump
2013-08-17 15:52 - 2013-08-15 22:59 - 00000000 ____D C:\Windows\pss
2013-08-17 15:25 - 2013-06-23 21:49 - 00000024 _____ C:\Users\User\AppData\Roaming\mbam.context.scan
2013-08-17 15:12 - 2013-08-17 15:12 - 00000000 ____D C:\FRST
2013-08-17 14:54 - 2012-07-23 14:12 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-17 14:19 - 2013-08-17 14:19 - 00262144 _____ C:\Windows\Minidump\081713-62930-01.dmp
2013-08-17 13:45 - 2012-09-16 21:35 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-405503321-2356324249-112303934-1000UA.job
2013-08-17 11:31 - 2013-08-17 11:31 - 00000000 _____ C:\Windows\setuperr.log
2013-08-17 11:09 - 2012-05-01 21:59 - 00228352 ___SH C:\Users\User\Documents\Thumbs.db
2013-08-17 10:00 - 2013-08-15 22:03 - 02237968 _____ (Kaspersky Lab ZAO) C:\tdsskiller.exe
2013-08-16 21:45 - 2012-09-16 21:35 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-405503321-2356324249-112303934-1000Core.job
2013-08-15 22:59 - 2012-04-05 15:59 - 00000000 ___RD C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-08-15 22:10 - 2013-08-17 10:05 - 04745728 _____ (AVAST Software) C:\aswMBR.exe
2013-08-15 21:52 - 2012-04-10 17:41 - 00000000 ____D C:\Users\User\AppData\Local\Deployment
2013-08-15 21:25 - 2013-08-15 22:03 - 01893504 _____ (Bleeping Computer, LLC) C:\rkill.exe
2013-08-15 20:32 - 2009-07-14 01:13 - 00741900 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-14 03:58 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
2013-08-13 19:56 - 2009-07-14 00:45 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT

Files to move or delete:
====================
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-08-13 21:36

==================== End Of Log ============================

 

Attached Files

  • Attached File  FRST.txt   26.57KB   2 downloads
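Added example, not code from the thread, from FRST or from BleepingComputer. Two things in the log above are worth a closer look: the running process is listed as \\.\globalroot\systemroot\svchost.exe, which is just the NT object-namespace spelling of %SystemRoot%\svchost.exe, i.e. the same stray file FRST lists under "Files to move or delete"; and the "(Microsoft Corporation)" tag FRST prints for C:\Windows\svchost.exe comes from the file's version resource, which anyone can copy, not from a signature check. The script below does the check a responder would want: it finds every svchost.exe on the system drive, flags the copies outside System32 and SysWOW64, verifies each one's Authenticode signature, and compares its SHA-256 with the copies at the expected locations. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt.

```powershell
# Added example; not code from the thread or from FRST/BleepingComputer.
# Finds every svchost.exe on the system drive, flags copies outside the two
# directories where Windows keeps it, and compares each copy's SHA-256 and
# Authenticode status with the System32/SysWOW64 copies. Assumes PowerShell
# 4.0+ (Get-FileHash) and an elevated prompt so every directory is readable.

$expected = @(
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe"
)

# Hashes of the copies at the expected locations. A stray copy whose hash
# matches one of these is a verbatim copy of the real binary; anything else
# is a different file, whatever company name its version resource carries.
$knownGood = @{}
foreach ($p in $expected) {
    if (Test-Path -LiteralPath $p) {
        $knownGood[(Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash] = $p
    }
}

function Get-SvchostCopies {
    param([string]$Root = "$env:SystemDrive\")
    Get-ChildItem -LiteralPath $Root -Filter 'svchost.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path             = $_.FullName
            ExpectedLocation = ($expected -contains $_.FullName)
            SizeBytes        = $_.Length
            Created          = $_.CreationTime      # FRST's first column
            LastWrite        = $_.LastWriteTime     # FRST's second column; easy to backdate
            Signature        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer           = $sig.SignerCertificate.Subject
            SameAsKnownGood  = $knownGood.ContainsKey($hash)
            SHA256           = $hash
        }
    }
}

# Unexpected locations and non-validating signatures sort to the top.
Get-SvchostCopies |
    Sort-Object ExpectedLocation, Signature |
    Format-List Path, ExpectedLocation, Signature, Signer, SameAsKnownGood, SizeBytes, Created, LastWrite
```

A copy whose Signature is anything but Valid, or whose SameAsKnownGood is False, is the one to pull for analysis; a copy that is a byte-for-byte duplicate of the real binary in the wrong directory still has no business there. If the same process that killed DDS also closes the console, run the script from a clean boot, or mount the disk on another machine and pass -Root pointing at the mounted volume (in that case only the path and signature columns are meaningful, since the hash comparison is against the host's own svchost.exe).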




#2 nasdaq
  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 August 2013 - 10:14 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller


#3 bigbaldlarry
  • Topic Starter
  • Members
  • 15 posts

Posted 25 August 2013 - 07:19 PM

Here is the log from the delete cycle of Rogue Killer:

 

RogueKiller V8.6.6 _x64_ [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : User [Admin rights]
Mode : Remove -- Date : 08/25/2013 20:17:06
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-405503321-2356324249-112303934-1000UA.job : C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> DELETED
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-405503321-2356324249-112303934-1000Core.job : C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> DELETED
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-405503321-2356324249-112303934-1000Core : C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> DELETED
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-405503321-2356324249-112303934-1000UA : C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> ERROR DELETING TASK

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400BEVT-22A0RT0 ATA Device +++++
--- User ---
[MBR] 19f1344425891c3feeb7c9a9e0a9aff7
[BSP] f6c04bc87a344fc54231937ddd0d9f82 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 610378 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] c18e244b1e5e4d20318b54f399676e3d
[BSP] f6c04bc87a344fc54231937ddd0d9f82 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 610378 Mo

Finished : << RKreport[0]_D_08252013_201706.txt >>
RKreport[0]_S_08252013_201643.txt

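The MBR Check block in the RogueKiller report above, as an added example that is not part of the original post or of RogueKiller itself: the tool hashes the first sector of the disk as read through the normal user-mode path ("User") and through its other read paths (labelled LL1 and LL2 in the report), and a user-mode digest that disagrees with a lower-level digest of the same sector means the two paths did not see the same bytes, which is what a driver filtering disk reads produces. The parser below pulls the per-path [MBR] and [BSP] digests and the tool's own OK/KO verdict lines out of the report text and lists which read paths disagree with the user-mode read. The sample text is the MBR Check block copied from the report above; reading the LL labels as lower-level read paths is an assumption from their names, not something RogueKiller documents on this page.

```python
import re

# Read-path headers inside RogueKiller's "MBR Check" block: "--- User ---", "--- LL2 ---".
_READ_PATH = re.compile(r"^--- (?P<name>\w+) ---$")
# "[MBR] <md5>" is the digest of the whole first sector as read through that path;
# "[BSP] <md5> : <description>" is the digest of the boot-strap code part only.
_SECTOR_HASH = re.compile(r"^\[(?P<field>MBR|BSP)\] (?P<digest>[0-9a-f]{32})")
# The tool's own comparisons: "User = LL1 ... OK!" or "User != LL2 ... KO!".
_VERDICT = re.compile(r"^(?P<a>\w+) (?P<op>=|!=) (?P<b>\w+) \.\.\. (?P<status>OK|KO)!$")


def parse_mbr_check(report):
    """Return {read_path: {"MBR": digest, "BSP": digest}} for each read path in the block."""
    hashes = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        m = _READ_PATH.match(line)
        if m:
            current = m.group("name")
            hashes.setdefault(current, {})
            continue
        m = _SECTOR_HASH.match(line)
        if m and current is not None:
            hashes[current][m.group("field")] = m.group("digest")
    return hashes


def parse_verdicts(report):
    """Return RogueKiller's own comparison lines as (left, right, agree) tuples."""
    return [
        (m.group("a"), m.group("b"), m.group("status") == "OK")
        for m in (_VERDICT.match(raw.strip()) for raw in report.splitlines())
        if m
    ]


def mbr_read_mismatches(report, reference="User"):
    """(read_path, field) pairs whose digest differs from the reference (user-mode) read.

    Only read paths that print their own [MBR]/[BSP] lines are compared; a path that
    appears solely in a verdict line (LL1 in the sample) has nothing to compare against.
    """
    hashes = parse_mbr_check(report)
    if reference not in hashes:
        raise ValueError("no %r read path in report" % reference)
    ref = hashes[reference]
    return sorted(
        (name, field)
        for name, fields in hashes.items() if name != reference
        for field, digest in fields.items()
        if ref.get(field) != digest
    )


# Sample input: the MBR Check block copied from the RogueKiller report in this thread.
SAMPLE_REPORT = """\
+++++ PhysicalDrive0: WDC WD6400BEVT-22A0RT0 ATA Device +++++
--- User ---
[MBR] 19f1344425891c3feeb7c9a9e0a9aff7
[BSP] f6c04bc87a344fc54231937ddd0d9f82 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 610378 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] c18e244b1e5e4d20318b54f399676e3d
[BSP] f6c04bc87a344fc54231937ddd0d9f82 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 610378 Mo
"""

if __name__ == "__main__":
    for path, field in mbr_read_mismatches(SAMPLE_REPORT):
        print("%s read of [%s] differs from the User read" % (path, field))
    for left, right, agree in parse_verdicts(SAMPLE_REPORT):
        print("tool verdict: %s %s %s" % (left, "=" if agree else "!=", right))
```

On this report the function returns [("LL2", "MBR")]: the boot-code digest ([BSP]) is identical on both paths and the partition tables print the same, but the whole-sector digest is not, so whatever differs is in bytes of the first sector that the partition-table dump does not show. That disagreement is the thing to chase in the follow-up scans, independently of whether any named rootkit is detected.
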
#4 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 26 August 2013 - 08:11 AM

The RogueKiller did not find the RootKit.

Let's start by checking the MBR (Master Boot Record).

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Click Change parameters
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • When it finishes, you will either see a report that no threats were found:
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.
  • Or, if any infection or suspected items are found, you will see a results window:
    • If you have files that are shown to fail the signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects.
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Paste the log to your next reply, DO NOT ATTACH IT.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

#5 bigbaldlarry (Topic Starter)

Posted 26 August 2013 - 08:44 PM

Neither of these will run. They start, but never fully launch. I can see a process start in task manager, but it stops immediately.

#6 nasdaq (Malware Response Team)

Posted 27 August 2013 - 09:04 AM

Run this tool if you can.

Download Malwarebytes Anti-Rootkit. Follow the instructions on this page.

How to use Malwarebytes Anti-Rootkit to remove rootkits from a Computer.
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit/

Post the log in your next reply.

#7 bigbaldlarry (Topic Starter)

Posted 27 August 2013 - 09:19 AM

Same as the previous post. It never fully launches; it is getting killed before it even opens the window.

#8 nasdaq (Malware Response Team)

Posted 27 August 2013 - 09:48 AM

Boot to Safe Mode, Vista - Windows 7
http://www.computerhope.com/issues/chsafe.htm#03

Then run the TDSSKiller and the aswMBR.exe as suggested in post no. 4.

#9 bigbaldlarry (Topic Starter)

Posted 27 August 2013 - 10:06 AM

Same results in safe mode. I do notice that if I watch in task manager when starting these, I can see the process spawn, but then an svchost.exe *32 process starts with the description of winrscmde which closes after just a second or two. This process respawns itself every 20-30 seconds and closes again after just a second or two.

#10 nasdaq (Malware Response Team)

Posted 27 August 2013 - 01:07 PM

Boot to Safe Mode.

Open Computer and look for the following file in the C:\Windows folder:

C:\Windows\svchost.exe

If found, rename the file to svchost.exe.old

Restart the computer normally.

p.s.
DO NOT REMOVE THE SAME FILE IN THE System32 folder.
C:\Windows\system32\svchost.exe

Keep me posted.
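
An added example, not code from this thread or from any of the tools it mentions, of the check behind this post and post #9: the file name on its own is not the discriminator, because the genuine service host is also called svchost.exe; the directory is. The block scans process lines in the format of the FRST "Processes" listing from the first post (publisher in parentheses, then the full path) and reports every svchost.exe that is not in System32 or SysWOW64, the latter being where the legitimate 32-bit copy that Task Manager shows as "svchost.exe *32" lives on a 64-bit install. It assumes the system root is C:\Windows; the sample lines are constructed for the example, not taken from the friend's machine.

```python
import ntpath
import re

# Directories where a genuine svchost.exe lives on a 64-bit Windows 7 install with
# the default system root (assumption: %SystemRoot% is C:\Windows). System32 holds
# the native 64-bit copy, SysWOW64 the 32-bit one that appears as "svchost.exe *32"
# in Task Manager. Anything else named svchost.exe is a lookalike.
LEGIT_SVCHOST_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# FRST "Processes" lines look like "(Publisher) C:\path\to\file.exe"; an empty
# publisher field is written as "()".
_FRST_PROC = re.compile(r"^\((?P<publisher>[^)]*)\)\s+(?P<path>.+?)\s*$")


def parse_frst_process_line(line):
    """Return (publisher, path) for an FRST process line, or None if the line is not one."""
    m = _FRST_PROC.match(line.strip())
    if not m:
        return None
    return m.group("publisher"), m.group("path")


def is_svchost_lookalike(path):
    """True when the file is named svchost.exe but sits outside the legitimate directories.

    Comparison is case-insensitive and uses ntpath so it behaves the same when the
    log is analysed on a non-Windows machine.
    """
    directory, name = ntpath.split(path)
    if name.lower() != "svchost.exe":
        return False
    return ntpath.normpath(directory).lower() not in LEGIT_SVCHOST_DIRS


def find_svchost_lookalikes(lines):
    """Scan FRST-style process lines and return the paths of lookalike svchost.exe files."""
    hits = []
    for line in lines:
        parsed = parse_frst_process_line(line)
        if parsed is None:
            continue
        _publisher, path = parsed
        if is_svchost_lookalike(path):
            hits.append(path)
    return hits


# Constructed sample in the style of the FRST "Processes (Whitelisted)" section.
# Lines two and three are the two legitimate copies; the last line is the lookalike
# at the path discussed in the thread.
SAMPLE_PROCESS_LINES = [
    "(Microsoft Corporation) C:\\Windows\\system32\\WLANExt.exe",
    "(Microsoft Corporation) C:\\Windows\\system32\\svchost.exe",
    "(Microsoft Corporation) C:\\Windows\\SysWOW64\\svchost.exe",
    "() C:\\Windows\\svchost.exe",
]

if __name__ == "__main__":
    for p in find_svchost_lookalikes(SAMPLE_PROCESS_LINES):
        print("lookalike svchost.exe:", p)
```

The same directory test is what to apply by hand in Task Manager: add the "Image Path Name" column, and treat any svchost.exe whose path is not under System32 or SysWOW64 as the file to deal with, leaving the System32 copy alone as the post says.
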

#11 bigbaldlarry (Topic Starter)

Posted 27 August 2013 - 01:40 PM

I've tried that before. I can rename it, delete it, or move it, but it comes right back after a few seconds, in both regular and safe modes.

#12 nasdaq (Malware Response Team)

Posted 28 August 2013 - 07:22 AM

You will need a flash drive to execute these instructions.
  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flashdrive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

    Select Command Prompt
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
===

#13 bigbaldlarry (Topic Starter)

Posted 28 August 2013 - 09:27 AM

I can do a fresh one when I get home this evening, but that is what was included in my first post.

#14 nasdaq (Malware Response Team)

Posted 28 August 2013 - 09:47 AM

I want you to run it via the System Recovery Options.

#15 bigbaldlarry (Topic Starter)

Posted 28 August 2013 - 09:52 AM

I have before, but the output attached above may be from the regular boot up. I'll redo it from system recovery after work, and post it.