Volume Shadow Copy Service stopped working and was closed


34 replies to this topic

#1 jimbarba


Posted 17 June 2014 - 05:17 PM

Acer Aspire AS 1410

Vista Home Premium sp2 32bit

 

The above error message shows up shortly after bootup.

Other symptoms are System Restore and Backup and Restore fail. When manually creating a System Restore Point, the failure message is:  “The restore point could not be created for the following reason:  The Remote Procedure Call failed  0x800706BE”.

 

Also, two windows updates fail to install, even when attempted separately, they are:  KB2957689 and KB2808679 with an error code of “8E5E03FA Windows encountered unknown errors”.

 

What I have done so far:

 

In Services, I checked “Microsoft Software Shadow Copy Provider”. It was stopped and set to Manual. I set it to Automatic and Started. I did the same for “Volume Shadow Copy”. In this case, the service started but stopped with the same above error after about 10 seconds. The dependencies for both services are the same:  “Remote Procedure Call (RPC)” and “DCOM Server Process Launcher”. I checked both and found them set to Automatic and were already Started.

 

In Msconfig, I found nothing unchecked in Startup or Services.

 

At the command prompt I performed “sfc /scannow”. It produced a report indicating it found errors but I do not know how to read the file. I have the almost 3MB CBS.log file available. There is a possibility it could not correct all errors.

 

In the Advanced Boot Settings (F8) I enabled Boot Logging and have the ntbtlog.txt available as well. The drivers it said it did not load are as follows:

 

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\system32\DRIVERS\cdrom.sys

Did not load driver \SystemRoot\System32\DRIVERS\srv.sys

 

Note: This computer does not have an optical drive installed.

 

I also ran the following malware scanners:

 

Avast Home Free (resident) Full Scan

MBAM Full Scan

SuperAntiMalware Full Scan

AdwCleaner_v_3.211

TDSSKiller_v_3.0.0.39

 

I ran Rkill prior to running these scans.

 

A few items were found and Quarantined.

 

I also ran Speccy and saved a .speccy snapshot of the system configuration.

 

 

I have a feeling some of the issues are related to the Volume Shadow Copy error.


Edited by hamluis, 20 June 2014 - 11:07 AM.
Moved from Vista to Am I Infected - Hamluis.



#2 wpgwpg


Posted 17 June 2014 - 05:22 PM

A search at the MS web site yields a lot of info here:

http://www.microsoft.com/en-us/search/results.aspx?q=0x800706BE

 

Good luck.


Everyone with a computer should back his system up to an external hard drive regularly.  :thumbsup:

#3 Willy22


Posted 17 June 2014 - 10:17 PM

The VSS Service always runs for a while and is automatically stopped. Just as it should be.



#4 dc3


Posted 19 June 2014 - 11:23 AM

Please post the sfc /scannow log.

 

To find sfc /scannow log, type cmd in the Search programs and files box. 
 
cmd will appear above the search box under Apps. Right-click on it and choose Run as administrator; this will open the Elevated Command Prompt.  This will look similar to the image above.
 
Copy and paste the following in the Search programs and files box, then press Enter.  
 
findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >%userprofile%\Desktop\sfcdetails.txt
 
This will place a new icon on the desktop titled sfcdetails.  Click on this to open the log, copy it and paste it in your topic. 
 
 
Please post the logs for the security scans you ran.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.
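
Added example (not part of the original posts): a Python sketch that applies the same "[SR]" filter as the findstr command above and then groups the results, so repeated "Cannot repair" entries collapse into one line per file. The sample log lines are constructed and abbreviated, and the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Constructed, abbreviated sample in the CBS.log line layout (not the poster's log).
SAMPLE_CBS_LOG = r'''
2014-06-19 10:02:10, Info                  CBS    Starting TrustedInstaller initialization.
2014-06-19 10:02:11, Info                  CSI    00000006 [SR] Verifying 100 (0x00000064) components
2014-06-19 10:02:11, Info                  CSI    00000007 [SR] Beginning Verify and Repair transaction
2014-06-19 10:02:15, Info                  CSI    00000009 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component-A, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0) in the store, hash mismatch
2014-06-19 10:02:16, Info                  CSI    0000000b [SR] Cannot repair member file [l:20{10}]"sample.ini" of Example-Component-B, Version = 6.0.6001.18000, pA = PROCESSOR_ARCHITECTURE_INTEL (0) in the store, file is missing
2014-06-19 10:02:19, Info                  CSI    0000000d [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:16{8}]"demo.ocx" from store
2014-06-19 10:02:40, Info                  CSI    00000010 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component-A, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0) in the store, hash mismatch
2014-06-19 10:02:41, Info                  CSI    00000012 [SR] Verify complete
'''

# File name, owning component, and the trailing reason of a "Cannot repair" entry.
CANNOT_REPAIR = re.compile(
    r'Cannot repair member file \[[^\]]*\]"(?P<file>[^"]+)" of '
    r'(?P<component>[^,]+),.*,\s*(?P<reason>[^,]+)$')

# Directory and file name of an entry that sfc restored from the component store.
REPAIRED = re.compile(
    r'Repairing corrupted file \[[^\]]*\]"(?P<dir>[^"]+)"\\\[[^\]]*\]'
    r'"(?P<file>[^"]+)" from store')


def summarize_sr(log_text):
    """Group the [SR] lines of a CBS.log into unrepaired and repaired files."""
    unrepaired = Counter()   # (file, component, reason) -> times reported
    repaired = []            # full paths, first-seen order, no duplicates
    for line in log_text.splitlines():
        if "[SR]" not in line:          # same filter as findstr /c:"[SR]"
            continue
        msg = line.split("[SR]", 1)[1].strip()
        m = CANNOT_REPAIR.search(msg)
        if m:
            unrepaired[(m["file"], m["component"], m["reason"])] += 1
            continue
        m = REPAIRED.search(msg)
        if m:
            folder = m["dir"]
            if folder.startswith("\\??\\"):   # strip the NT object-path prefix
                folder = folder[4:]
            path = folder + "\\" + m["file"]
            if path not in repaired:
                repaired.append(path)
    return {"unrepaired": unrepaired, "repaired": repaired}


if __name__ == "__main__":
    result = summarize_sr(SAMPLE_CBS_LOG)
    for (name, component, reason), count in result["unrepaired"].items():
        print(f"NOT REPAIRED  {name}  ({component}; {reason}; reported {count}x)")
    for path in result["repaired"]:
        print(f"REPAIRED      {path}")
```

The unrepaired list is the part worth comparing against other evidence, such as a list of unsigned files in the same directory.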

 

 

 

 


#5 jimbarba


Posted 20 June 2014 - 12:32 AM

Hi dc3 and all,

 

Thanks for your interest in helping untangle this Vista machine. I have done quite a bit of sleuthing around over the last 24hr. I have a number of logs and other info that might help.

 

With regards to the sfc output, I have already run one using the command string a little different than you asked for but may contain what you want. It seems sfc duplicated some of the finds as you will see. I edited the file to include the command I used. I since renamed the text file.  Let me know if it gives you what you want.

 

I also was playing around with Sysinternals Sigcheck using the VirusTotal –v switch. I was looking for unsigned files and VirusTotal results. I focused on c:\windows\system32 and c:\windows\system32\drivers. In drivers I found no unsigned files. I found many unsigned files in system32. I did a bunch of copy and pasting to create a text file showing only the unsigned files in system32. Some of them match up with un-repairable files from sfc. This file might be of interest to you. (It is the first time I have played around with sigcheck.) I am also monitoring the machine with Process Explorer with VirusTotal enabled.

 

I also am including the ‘logs’ from MBAM, Avast, and AdwCleaner. SuperAntispyware did not find anything. I ran TDSSKiller but for some reason cannot find its log.

 

I am also including a Speccy output as a text file that includes, as you likely know, considerable info about this machine including running and stopped processes.

 

Other things I have done:

 

I used Process Monitor to capture what happens when I Start Volume Shadow Copy in Services. I stopped the recording just after Volume Shadow Copy stops and produces the error that is the title of this thread. Unfortunately, even after filtering a bit, I cannot make heads or tails of it. Also unfortunately, even when pared down, the output file size exceeds what the limit is for attaching documents in this forum.

 

Also I heard a damaged user profile could cause issues. I made a new Admin User. Logged into it and found no joy. I still get the Volume Shadow Copy error and System Restore fails.

 

Thanks to you or anyone else who might want to take a stab at this!

 

The big unfortunate thing about this machine is it did not come with a disk and there is not a hidden recovery partition. Even if I/we could ID files to replace, I do not know where I could find the replacements.

 

Respectfully Jim



#6 cat1092


Posted 20 June 2014 - 12:38 AM

After looking at those logs, looks like you got hold of some infections there.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#7 jimbarba


Posted 20 June 2014 - 02:31 AM

Well Cat,

 

I don't doubt this computer has been infected. The question is do I have damage from infections past and can the damage be repaired? If I have continued malware, they must be hiding pretty well!

 

I am curious, if a computer repair shop needs to do a clean install on a badly damaged machine, and the customer has no disk, how do they do it?

 

Jim



#8 ElfBane


Posted 20 June 2014 - 04:21 AM

 

 

I am curious, if a computer repair shop needs to do a clean install on a badly damaged machine, and the customer has no disk, how do they do it?

 

Jim

 

If you have an OEM sticker on the PC, then they will load up one of their copies, but use the OEM code.

But you may have a Recovery partition on that lappy. You can use that and DIY.


Edited by ElfBane, 20 June 2014 - 04:23 AM.


#9 dc3


Posted 20 June 2014 - 11:11 AM

I have requested that this topic be moved to the Am I Infected forum.
 
Did you restart the computer after running Malwarebytes?
 
Please run Malwarebytes again and post the log in your topic.  Please do not use the host website and do not wrap the log in code.
 
To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log double click on mbam-check.exe on your desktop.  When the log opens, scroll down toward the bottom of the log to Quarantined Items.  Copy and paste this in your next post.  
 
Look at the date on the log to be sure the one you copy is the most recent.


Please run the ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#10 jimbarba


Posted 20 June 2014 - 02:09 PM

Hi dc3,

 

Thanks for your interest in helping me out!

 

While I get started on the scans, I have a few questions:

 

First, to answer your question about MBAM, yes I did restart. Also, I first ran MBAM free v_1.75.0.1300 a few weeks ago. I ran MBAM again a few days ago and was informed of a new version, which I let it upgrade to. It is version 2.0.2.1012, now installed on the computer. I also just downloaded the MBAM-Check-2.1.0.0002. Since you recommended this one, I will use MBAM-Check. I would like to know if running the installed v 2.0.2.1012 would have been ok.

 

I just downloaded ESET Smart Installer onto a thumb drive and will copy it to the affected desktop and follow your instructions after the MBAM scan. (And restart.)

 

Also, do you recommend running Rkill prior to these scans? I have v 2.6.6.0 on hand.

 

Since I want to get going on this, I will run Rkill prior to MBAM, and see if I hear back from you on the subject before running ESET.

 

Also, you recommended this topic be moved to the Am I Infected forum. Sounds good to me. Is there anything I need to do?

 

Also, what is the appropriateness of attaching a file as opposed to pasting into the topic? I could see if the content is small, paste, but if not, attaching a file. What should I do?

 

Respectfully

 

Jim



#11 dc3


Posted 20 June 2014 - 02:29 PM

The 2.0 version of Malwarebytes has the Chameleon mode incorporated, so it should be able to see most of what is out there.  It wouldn't hurt to run RKill just in case.  You are aware that you need to run RKill first and, without restarting the computer, run Malwarebytes and the ESET online scanner.

 

Please post all of the Malwarebytes logs.

 

 
To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log double click on mbam-check.exe on your desktop.  When the log opens, scroll down toward the bottom of the log to Quarantined Items.  Copy and paste this in your next post.
 
Please label these with the date of the scan so I will know which is which.
 
The way you attached the files in your first post requires me to download these.  I don't like to download anything which I'm not absolutely sure what it is that I'm downloading to my computer.  Copy and paste actually should be quicker since you don't have to go to another website to set up the download.


#12 jimbarba


Posted 20 June 2014 - 03:25 PM

OK dc3,

 

Here is what I got from MBAM-check, which I now realize was not a scanner. Paste it is. Here is the bottom of the output:

 

C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs

mbam-log-2014-06-17 (22-47-50).xml           File Size: 3582      BYTES      FileVersion:  N/A            MD5: [da0a90756035328c3f3ecec6159a7bd9]

protection-log-2014-06-17.xml                       File Size: 664       BYTES       FileVersion:  N/A            MD5: [b78b0e5451bd3ef2248d564eddb11baa]

protection-log-2014-06-20.xml                       File Size: 666       BYTES       FileVersion:  N/A            MD5: [cf1b67b49fdcae83356e7cc3be451ca9]

 

C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Quarantine

0847126052.data                                File Size: 746       BYTES       FileVersion:  N/A            MD5: [5c22ad6f2e453173691c33004244e861]

0847126052.quar                                File Size: 3932160   BYTES   FileVersion:  N/A            MD5: [d2cc8cc99cb99a265c4f669be758c5da]

6375858319.data                                File Size: 754       BYTES       FileVersion:  N/A            MD5: [51602f7f1f404c6162993399933f84a3]

6375858319.quar                                File Size: 536       BYTES       FileVersion:  N/A            MD5: [13b6a04dd77d8c68b4332caa9ce75d7f]

9567467611.data                                File Size: 838       BYTES       FileVersion:  N/A            MD5: [cb40dd8e31a60f813516072d22f1a3b3]

 

Malware Exclusions:

===================

Unable to access exclusion information: Error code 20001Web Exclusions:

================

Unable to access exclusion information: Error code 20001Quarantined Items:

===================

Unable to access quarantine information: Error code 20001===============================================================

END OF FILE

 

 

------------------------

 

The file “mbam-log-2014-06-17 (22-47-50).xml        File Size: 3582      BYTES” 6-18-2014  8:01AM MST (AZ time, we don’t want to ‘save’ daylight in AZ!) is the one I previously sent but here is the contents:

 

<?xml version="1.0" encoding="UTF-16" ?>

<mbam-log>

<header>

<date>2014/06/17 22:48:12 -0700</date>

<logfile>mbam-log-2014-06-17 (22-47-50).xml</logfile>

<isadmin>yes</isadmin>

</header>

<engine>

<version>2.00.2.1012</version>

<malware-database>v2014.06.18.01</malware-database>

<rootkit-database>v2014.06.02.01</rootkit-database>

<license>free</license>

<file-protection>disabled</file-protection>

<web-protection>disabled</web-protection>

<self-protection>disabled</self-protection>

</engine>

<system>

<osversion>Windows Vista Service Pack 2</osversion>

<arch>x86</arch>

<username>Lisa</username>

<filesys>NTFS</filesys>

</system>

<summary>

<type>custom</type>

<result>completed</result>

<objects>399275</objects>

<time>6013</time>

<processes>0</processes>

<modules>0</modules>

<keys>1</keys>

<values>1</values>

<datas>0</datas>

<folders>0</folders>

<files>0</files>

<sectors>0</sectors>

</summary>

<options>

<memory>enabled</memory>

<startup>enabled</startup>

<filesystem>enabled</filesystem>

<archives>enabled</archives>

<rootkits>enabled</rootkits>

<deeprootkit>disabled</deeprootkit>

<heuristics>enabled</heuristics>

<pup>enabled</pup>

<pum>enabled</pum>

</options>

<items>

<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\DynConIE</path><vendor>PUP.Optional.MultiIE.A</vendor><action>success</action><hash>aa0822512c4fc27445fd8d6b798a06fa</hash></key>

<value><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>Updater</valuename><vendor>Trojan.Agent</vendor><action>success</action><valuedata>C:\ProgramData\Updater\Updater.exe</valuedata><hash>d7db7cf7dba07db9082beafd7f84b44c</hash></value>

</items>

</mbam-log>

 

---------------------

 

Now the other two logs I will also include here. First is “protection-log-2014-06-17.xml” 6-17-2014 1044PM MST (AZ time). (Note this was made prior to the scan log above.):

 

 

<?xml version="1.0" encoding="UTF-8" ?>

<logs>

   <record severity="debug" LoggingEventType="1" datetime="2014-06-17T22:44:21.328880-07:00" source="Manual" type="Update" username="SYSTEM" systemname="LISA-PC" fromVersion="2014.2.20.1" last_modified_tag="c878487d-6f54-4708-9468-a3e49bf11638" name="Rootkit Database" toVersion="2014.6.2.1"></record>

   <record severity="debug" LoggingEventType="1" datetime="2014-06-17T22:44:35.010080-07:00" source="Manual" type="Update" username="SYSTEM" systemname="LISA-PC" fromVersion="2014.3.4.9" last_modified_tag="b479e8ec-0184-4182-88aa-e0cdc5554b07" name="Malware Database" toVersion="2014.6.18.1"></record>

</logs>

 

-----------------

 

These protection-log files seem to be made automatically by the MBAM (free) I have installed. It is called:  “protection-log-2014-06-20.xml”, with a date and time stamp of: 6-20-2014 11:28am MST (AZ time). The contents are:

 

<?xml version="1.0" encoding="UTF-8" ?>

<logs>

   <record severity="debug" LoggingEventType="1" datetime="2014-06-20T11:27:59.380173-07:00" source="Manual" type="Update" username="SYSTEM" systemname="LISA-PC" fromVersion="2014.6.2.1" last_modified_tag="7ac1bdb3-32fc-47ee-826a-82e96a4d7a71" name="Rootkit Database" toVersion="2014.6.19.1"></record>

   <record severity="debug" LoggingEventType="1" datetime="2014-06-20T11:28:15.853773-07:00" source="Manual" type="Update" username="SYSTEM" systemname="LISA-PC" fromVersion="2014.6.18.1" last_modified_tag="187842d9-c87c-45ce-b5fd-cf96b7ce47c4" name="Malware Database" toVersion="2014.6.20.11"></record>

</logs>

 

----------------------

 

FYI, Rkill did not find much, here is its report:

 

Rkill 2.6.6 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2014 BleepingComputer.com

More Information about Rkill can be found at this link:

 http://www.bleepingcomputer.com/forums/topic308364.html

 

Program started at: 06/20/2014 12:13:33 PM in x86 mode.

Windows Version: Windows Vista ™ Home Premium Service Pack 2

 

Checking for Windows services to stop:

 

 * No malware services found to stop.

 

Checking for processes to terminate:

 

 * No malware processes found to kill.

 

Checking Registry for malware related settings:

 

 * No issues found in the Registry.

 

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

 

Performing miscellaneous checks:

 

 * No issues found.

 

Checking Windows Service Integrity:

 

 * No issues found.

 

Searching for Missing Digital Signatures:

 

 * No issues found.

 

Checking HOSTS File:

 

 * HOSTS file entries found:

 

  127.0.0.1       localhost

  ::1             localhost

 

Program finished at: 06/20/2014 12:14:13 PM

Execution time: 0 hours(s), 0 minute(s), and 40 seconds(s)

 

-----------------------

 

A last question for clarification. Since now I know the MBAM-check was not a scanner, would using the installed latest MBAM v 2.0.2.1012 be ok, or should I use an online scanner as you mentioned?

 

I now am running ESET.

 

I will need to take off on an errand which will take many hours but will wait a bit to see what ESET comes up with.

 

Regards,

Jim
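
Added example (not part of the original posts): a Python sketch that reads a Malwarebytes 2.x scan log in the XML layout pasted above and lists the executables named by flagged Run values that no file detection covers, which is the situation in this log (one key, one value, zero files). The sample is a trimmed copy of the pasted log; the function names and the `<file>` item tag are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the scan log pasted in the post above
# (engine, system, options sections and hash elements omitted).
SAMPLE_LOG = r'''<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header><date>2014/06/17 22:48:12 -0700</date><isadmin>yes</isadmin></header>
<summary><result>completed</result><keys>1</keys><values>1</values><files>0</files></summary>
<items>
<key><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\DynConIE</path><vendor>PUP.Optional.MultiIE.A</vendor><action>success</action></key>
<value><path>HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>Updater</valuename><vendor>Trojan.Agent</vendor><action>success</action><valuedata>C:\ProgramData\Updater\Updater.exe</valuedata></value>
</items>
</mbam-log>'''

# Registry paths that start a program at logon.
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)


def parse_mbam_log(text):
    """Return the scan date, the summary counters and the detected items."""
    # The text is already a decoded string, so drop the XML declaration
    # (it declares UTF-16; decode the file accordingly when reading from disk).
    body = re.sub(r'^\s*<\?xml[^>]*\?>', '', text)
    root = ET.fromstring(body)
    summary_el = root.find("summary")
    summary = {el.tag: el.text for el in summary_el} if summary_el is not None else {}
    items = []
    items_el = root.find("items")
    for el in (items_el if items_el is not None else []):
        item = {"kind": el.tag}                       # "key", "value", ...
        item.update({child.tag: (child.text or "") for child in el})
        items.append(item)
    return {"date": root.findtext("header/date"), "summary": summary, "items": items}


def autorun_follow_ups(report):
    """Executables named by flagged Run/RunOnce values with no matching file detection."""
    # Assumption: file detections appear as <file> items, by analogy with <key>/<value>.
    flagged_files = {i.get("path", "").lower()
                     for i in report["items"] if i["kind"] == "file"}
    targets = []
    for i in report["items"]:
        if i["kind"] == "value" and RUN_KEY.search(i.get("path", "")):
            target = i.get("valuedata", "").strip('"')
            if target and target.lower() not in flagged_files:
                targets.append((i.get("valuename", ""), target, i.get("vendor", "")))
    return targets


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("Scan date:", report["date"], "| counters:", report["summary"])
    for name, target, vendor in autorun_follow_ups(report):
        print(f"Check on disk: {target} (Run value '{name}', {vendor})")
```

A target returned here means the autorun entry was removed while the executable it pointed to was not itself reported, so its presence on disk is worth checking separately.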



#13 dc3


Posted 21 June 2014 - 09:32 AM

Please post the Eset log when you finish the scan.



#14 jimbarba


Posted 21 June 2014 - 10:37 AM

Hi dc3,

 

I ran ESET and it found two items. It indicated it Deleted and Quarantined them. I should have written them down but did not, believing a log will be available. I was presented with a screen with two choices. One was to buy ESET now and the other to start a 30day trial. Knowing that having two active antimalware programs going at once can cause problems, I elected to quit the screen.

 

I searched everywhere for a log but could not find one. Any suggestions on where ESET puts its log and quarantine?

I rebooted and the problems persist. Should I rerun ESET and perhaps accept the 30 day trial?

 

After this, I ran a full scan with MBAM  v 2.0.2.1012 installed on the computer and it found no threats.

 

Jim



#15 dc3


Posted 21 June 2014 - 11:28 AM

Read the instruction in the topic at Eset to find the log.

