DCOM Restart Issue

Solved
By TimSimm2
Jan 2, 2014
  1. Ok, so for the past I'd say 2 days, I've had a recurring issue. At first, my CPU would be at 100% and my entire laptop would be incredibly slow, and along with that I keep getting an error saying DCOM has encountered an issue (or something like that) and Windows must restart. I also have been having a Plug and Play error that says the exact same thing. It tends to happen at random. I've run Malwarebytes and my virus scanner, which is Microsoft Security Essentials. Malwarebytes picked up 29 viruses, which I cleaned and got rid of; then MSE encountered a severe virus. I removed it, then restarted my laptop, and that fixed the CPU problem, but since then I've gotten the DCOM error once. I've tried running rootkit killer and it didn't detect anything. Also I tried System Restore and it says I don't have any restore points. So now my question is, what do I do now? I know how to stop the restarting, but it's still an annoying issue. I'm not sure if this is a virus or not, but I figured I'd post here instead of the other forums.

    Specs:
    Windows 7 Home Premium 64 Bit
    Intel Celeron GPU (yeah, I know, it's not a high-performance laptop but it works for me)
    2.00 GB Ram (1.87 Usable)

    If you need any more information let me know please.

    I already posted this in another section of the forum, but someone said to post it here also, so that's why I have 2 topics about the same thing, in case anyone was wondering.
  2. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    Will do. Also, it turns out the CPU issue is back. I just have Skype open and it's jumping from 40 to 100%.
  4. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    I can't comment without seeing some logs.
  5. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    Here you go.

    DDS

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: BrowserJavaVersion: 10.25.2
    Run by Tim at 11:41:13 on 2014-01-03
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1913.312 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Jump Desktop\JumpService.exe
    C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\taskeng.exe
    C:\Windows\SysWOW64\Rundll32.exe
    C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\TightVNC\tvnserver.exe
    C:\Windows\SysWOW64\TODDSrv.exe
    C:\Program Files\TightVNC\tvnserver.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonSvc.exe
    C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Jump Desktop\JumpDesktop.exe
    C:\Users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VolumeControl.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    c:\Program Files\Microsoft Security Client\MpCmdRun.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.plusnetwork.com/?sp=blatbf
    uURLSearchHooks: {93c338de-5fb5-4fb5-ab4e-0eedc0bd9f3a} - <orphaned>
    mWinlogon: Userinit = userinit.exe,
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
    BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO: FBDownloader BHO: {553318DA-D010-469E-84B1-496563CAE1BF} - C:\Program Files (x86)\HTTO Group, Ltd\FBDownloader IE Add-on\FBDownloader.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    uRun: [AdobeBridge] <no file>
    dRun: [SearchProtect] \SearchProtect\bin\cltmng.exe
    dRunOnce: [KodakHomeCenter] "C:\Program Files (x86)\Kodak\AiO\Center\AiOHomeCenter.exe"
    StartupFolder: C:\Users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VolumeControl.exe
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: SoftwareSASGeneration = dword:1
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    TCP: NameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{C3A52576-225F-45F2-9EFB-7EF8ECC24B6C} : DHCPNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{C3A52576-225F-45F2-9EFB-7EF8ECC24B6C}\3594D4D4F4E43523437484A5 : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{C3A52576-225F-45F2-9EFB-7EF8ECC24B6C}\4586963745F6F6B664F62756675627D27657563747 : DHCPNameServer = 192.168.1.254
    TCP: Interfaces\{C3A52576-225F-45F2-9EFB-7EF8ECC24B6C}\D41627369775962756C6563737D27657563747 : DHCPNameServer = 209.18.47.61 209.18.47.62 192.168.33.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SSODL: WebCheck - <orphaned>
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
    x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    x64-Run: [tvncontrol] "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -slave
    x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-Notify: igfxcui - igfxdev.dll
    x64-SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\pbe9g5bx.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2612669&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2612669&SearchSource=2&CUI=UN24983925733010682&UM=2&q=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: C:\Users\Tim\AppData\Local\Autodesk\123DPlugins\Autodesk 123D Shapes321.0.129\npAutodesk123DShapes32.dll
    FF - plugin: C:\Users\Tim\AppData\Local\Facebook\Messenger\2.1.4814.0\npFbDesktopPlugin.dll
    FF - plugin: C:\Users\Tim\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll
    FF - plugin: C:\Users\Tim\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: C:\Users\Tim\AppData\Roaming\Autodesk\Autodesk123D32\1.0.8\npAutodesk123D32.dll
    FF - plugin: C:\Windows\System32\Wat\npWatWeb.dll
    FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll
    FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    FF - ExtSQL: 2013-12-16 09:29; jid1-BYcQOfYfmBMd9A@jetpack; C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\pbe9g5bx.default\extensions\jid1-BYcQOfYfmBMd9A@jetpack.xpi
    .
    ---- FIREFOX POLICIES ----
    .
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== File Associations ===============
    .
    FileExt: .chm: Applications\notepad.exe=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
    .
    =============== Created Last 30 ================
    .
    2014-01-02 23:13:24 -------- d-----w- C:\Users\Tim\AppData\Local\ElevatedDiagnostics
    2014-01-02 21:36:37 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4D1A74A1-C3D9-4ECB-A93C-AC3E6080F8EE}\offreg.dll
    2014-01-02 03:28:55 10315576 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4D1A74A1-C3D9-4ECB-A93C-AC3E6080F8EE}\mpengine.dll
    2013-12-31 21:23:01 10315576 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2013-12-23 05:03:06 -------- d-----w- C:\zsnesw151
    2013-12-10 20:33:20 9293192 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
    .
    ==================== Find3M ====================
    .
    2013-12-10 20:34:52 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-12-10 20:34:51 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-11-19 10:21:41 267936 ------w- C:\Windows\System32\MpSigStub.exe
    .
    ============= FINISH: 11:59:20.80 ===============

    MalwareBytes

    I can't seem to get Malwarebytes to run; every time I run it, it ends up not responding. I'll try again later.
  6. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    Create a new restore point before proceeding with the next step.
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced. They will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt

    Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    If normal mode still doesn't work, run the tool from safe mode.

    When the scan is done Notepad will open with rKill log.
    Post it in your next reply.

    NOTE. rKill.txt log will also be present on your desktop.
  7. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    Got it. Will do sometime today, but so far when I try to create a restore point, if I go back to try to restore from it, it shows that I have none.
  8. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    Oh, and also, the DCOM and Plug and Play restart prompts haven't popped up since I unplugged my mouse, for some reason, but the main issue here is the CPU running at 100% even if I just have my browser running, and also the physical memory is at the max most of the time. I'll do what you said though and let you know the results soon.
  9. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    When trying to run RogueKiller it says "Windows cannot access the specified path or file. You may not have the appropriate permissions to access the item." I ran it as administrator and I tried changing the name, but no luck.
  10. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    Nvm, I restarted and I got it to run.
    Last edited: Jan 4, 2014
  11. Broni

    Broni Malware Annihilator Posts: 46,132   +251

  12. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    RogueKiller

    RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Tim [Admin rights]
    Mode : Scan -- Date : 01/04/2014 14:46:42
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 2 ¤¤¤
    [SUSP PATH][DLL] rundll32.exe -- C:\Users\Tim\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll [7] -> rundll32.exe KILLED [TermProc]
    [SUSP PATH] VolumeControl.exe -- C:\Users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VolumeControl.exe [-] -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 4 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : BackgroundContainer ("C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Tim\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun [7][7][x]) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Tim\AppData\Local\{0c551b16-1acb-5251-4b28-c404ed1a4fcc}\n. [x]) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][Folder] U : C:\Users\Tim\AppData\Local\{0c551b16-1acb-5251-4b28-c404ed1a4fcc}\U [-] --> FOUND
    [ZeroAccess][Folder] L : C:\Windows\Installer\{0c551b16-1acb-5251-4b28-c404ed1a4fcc}\L [-] --> FOUND
    [ZeroAccess][Folder] L : C:\Users\Tim\AppData\Local\{0c551b16-1acb-5251-4b28-c404ed1a4fcc}\L [-] --> FOUND

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9250315AS ATA Device +++++
    --- User ---
    [MBR] 2f9937933b067ab1c616869912760027
    [BSP] 41d6a5d01ac5402d00e911e2bb2e5cb4 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 238373 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_S_01042014_144642.txt >>


    RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Tim [Admin rights]
    Mode : Remove -- Date : 01/04/2014 14:46:58
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 2 ¤¤¤
    [SUSP PATH][DLL] rundll32.exe -- C:\Users\Tim\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll [7] -> rundll32.exe KILLED [TermProc]
    [SUSP PATH] VolumeControl.exe -- C:\Users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VolumeControl.exe [-] -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 4 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : BackgroundContainer ("C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Tim\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun [7][7][x]) -> DELETED
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Tim\AppData\Local\{0c551b16-1acb-5251-4b28-c404ed1a4fcc}\n. [x]) -> REPLACED (C:\Windows\system32\shell32.dll)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][Folder] U : C:\Users\Tim\AppData\Local\{0c551b16-1acb-5251-4b28-c404ed1a4fcc}\U [-] --> DELETED
    [ZeroAccess][Folder] L : C:\Windows\Installer\{0c551b16-1acb-5251-4b28-c404ed1a4fcc}\L [-] --> DELETED
    [ZeroAccess][Folder] L : C:\Users\Tim\AppData\Local\{0c551b16-1acb-5251-4b28-c404ed1a4fcc}\L [-] --> DELETED

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9250315AS ATA Device +++++
    --- User ---
    [MBR] 2f9937933b067ab1c616869912760027
    [BSP] 41d6a5d01ac5402d00e911e2bb2e5cb4 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 238373 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_D_01042014_144657.txt >>
    RKreport[0]_S_01042014_144642.txt

    RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Tim [Admin rights]
    Mode : Scan [Aborted] -- Date : 01/04/2014 14:48:19
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 2 ¤¤¤
    [SUSP PATH][DLL] rundll32.exe -- C:\Users\Tim\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll [7] -> rundll32.exe KILLED [TermProc]
    [SUSP PATH] VolumeControl.exe -- C:\Users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VolumeControl.exe [-] -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 0 ¤¤¤

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    Finished : << RKreport[0]_S_01042014_144818.txt >>
    RKreport[0]_D_01042014_144657.txt;RKreport[0]_S_01042014_144642.txt


    Anti-Rootkit is still scanning and has been for the past hour. Not sure if it's stuck or not, but it's been on the same file for over an hour. It says it detects one malware at c:\windows\system32\rpcss.dll
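    The RogueKiller log above flags a COM InprocServer32 registration that points into the user's AppData ([HJ INPROC][ZeroAccess]), and the DDS log lists BHO CLSIDs whose DLLs no longer exist (<orphaned>). This added example (not from the thread, RogueKiller or DDS) enumerates InprocServer32 registrations and lists the ones whose server DLL sits under a user profile or is missing; it assumes an elevated PowerShell on the machine being examined, and legitimate per-user software will also appear, so the output is a review list, not a verdict.

```powershell
# Added example, not from the thread or from RogueKiller: list COM
# InprocServer32 registrations whose server DLL sits under a user profile or
# no longer exists, the pattern behind the [HJ INPROC][ZeroAccess] line and the
# <orphaned> BHO entries in the logs above.
# Assumption: run from an elevated PowerShell on the machine being examined.

function Get-SuspiciousInprocServers {
    param(
        # COM resolves a CLSID through HKCU before HKLM, so a per-user
        # registration that shadows a system one is the case to look at first.
        [string[]]$Roots = @(
            'HKCU:\Software\Classes\CLSID',
            'HKLM:\Software\Classes\CLSID',
            'HKLM:\Software\Classes\Wow6432Node\CLSID'
        )
    )
    $profilesDir = Join-Path $env:SystemDrive 'Users'
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($clsid in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $inproc = "$root\$($clsid.PSChildName)\InprocServer32"
            if (-not (Test-Path $inproc)) { continue }
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if (-not $server) { continue }
            $path = [Environment]::ExpandEnvironmentVariables($server).Trim('"')
            $underProfile = $path.StartsWith($profilesDir, [StringComparison]::OrdinalIgnoreCase)
            # A bare file name (e.g. shell32.dll) is resolved via the loader search
            # path, so only values that contain a directory are checked for existence.
            $missing = ($path -match '[\\/]') -and -not (Test-Path -LiteralPath $path)
            if (-not ($underProfile -or $missing)) { continue }
            $reason = if ($underProfile) { 'server under user profile' } else { 'server file missing' }
            [pscustomobject]@{
                Hive   = $root
                CLSID  = $clsid.PSChildName
                Server = $path
                Reason = $reason
            }
        }
    }
}

Get-SuspiciousInprocServers | Format-Table -AutoSize
```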
  13. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Stop MBAR for now and go ahead with rKill.
  14. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    Alright sure
  15. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    Malwarebytes Anti-Rootkit isn't closing; when I try to close the process it says it can't be terminated. So far rKill seems to be running OK, atm it's doing a misc check.
  16. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    After you post rKill log restart computer to kill MBAR.
  17. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    Alright. rKill is still scanning for misc stuff. Is it supposed to take this long?
  18. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Stop that as well.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    rpcss.dll
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  19. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    Nvm, it's moved on to searching for missing digital signatures.
  20. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    Rkill 2.6.4 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2014 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 01/04/2014 04:40:18 PM in x64 mode.
    Windows Version: Windows 7 Home Premium Service Pack 1

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

    Backup Registry file created at:
    C:\Users\Tim\Desktop\rkill\rkill-01-04-2014-04-40-47.reg

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * No issues found.

    Checking Windows Service Integrity:

    * (BFE) is not Running.
    Startup Type set to:

    * Windows Update (wuauserv) is not Running.
    Startup Type set to: Disabled

    * Windows Firewall Authorization Driver (mpsdrv) is not Running.
    Startup Type set to: Manual

    * BFE [Missing ImagePath]
    * iphlpsvc [Missing ImagePath]
    * MpsSvc [Missing ImagePath]
    * WinDefend [Missing ImagePath]
    * wscsvc [Missing ImagePath]

    Searching for Missing Digital Signatures:

    * C:\Windows\System32\rpcss.dll : 512,512 : 11/20/2010 08:27 AM : 13d0557bc6f720e056f234faa8d2e346 [NoSig]
    +-> C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll : 509,440 : 07/13/2009 08:41 PM : 7266972e86890e2b30c0c322e906b027 [Pos Repl]
    +-> C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll : 512,000 : 11/20/2010 08:27 AM : 5c627d1b1138676c0a7ab2c2c190d123 [Pos Repl]

    * C:\Windows\System32\UxTheme.dll : 332,288 : 07/09/2013 10:18 AM : 8bf20c54ffb37cfb960f708ffa813fa7 [NoSig]
  21. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    CopyFile:
    C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll C:\Windows\System32\rpcss.dll
    
    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
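    The rKill log two posts up reports System32\rpcss.dll as [NoSig] with a different size and hash from both WinSxS copies, and the BlitzBlank script above restores it from one of those WinSxS component folders. This added example (not from the thread, rKill or BlitzBlank) repeats that comparison for one System32 DLL: it hashes the live file, finds the matching WinSxS component folders and reports whether any copy is byte-identical. It changes nothing on disk. It assumes Windows 7 x64 or later, 64-bit PowerShell 3.0 or newer, run elevated.

```powershell
# Added example, not from the thread, rKill or BlitzBlank: repeat rKill's
# "Missing Digital Signatures" check for one System32 DLL and compare it with
# the copies Windows keeps in WinSxS, which is where the CopyFile line above
# takes its clean rpcss.dll from. Nothing is modified; the output is a review list.
# Assumptions: Windows 7 x64 or later, 64-bit PowerShell 3.0+, run elevated.

function Get-FileMd5 {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($md5.ComputeHash($stream)) -replace '-', '').ToLower() }
    finally { $stream.Dispose() }
}

function Get-DllFacts {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Size      = $item.Length
        Version   = $item.VersionInfo.FileVersion
        Md5       = Get-FileMd5 $Path
        # Many Windows binaries are catalog-signed rather than embedded-signed, so
        # NotSigned here is a prompt to compare with WinSxS, not proof of tampering.
        Signature = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
}

function Compare-SystemDllWithWinSxS {
    param(
        [string]$Name = 'rpcss.dll',
        [string]$WinSxS = (Join-Path $env:SystemRoot 'winsxs')
    )
    $live = Get-DllFacts (Join-Path $env:SystemRoot "System32\$Name")
    # Component folders are named <arch>_<component>_<publisher>_<version>_<lang>_<hash>;
    # the rpcss ones in the rKill log match amd64_*rpcss*.
    $arch = if ([Environment]::Is64BitOperatingSystem) { 'amd64' } else { 'x86' }
    $stem = [IO.Path]::GetFileNameWithoutExtension($Name)
    $candidates = Get-ChildItem -Path $WinSxS -Directory -Filter "${arch}_*$stem*" -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName $Name } |
        Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object {
            $facts = Get-DllFacts $_
            $facts | Add-Member -NotePropertyName MatchesLive -NotePropertyValue ($facts.Md5 -eq $live.Md5) -PassThru
        }
    $verdict = if ($candidates | Where-Object MatchesLive) {
        'live file is byte-identical to a WinSxS copy'
    } elseif ($candidates) {
        'live file matches no WinSxS copy: compare size/version and restore from the newest matching component'
    } else {
        'no WinSxS component found for this file'
    }
    [pscustomobject]@{ Live = $live; Candidates = @($candidates); Verdict = $verdict }
}

$report = Compare-SystemDllWithWinSxS -Name 'rpcss.dll'
$report.Live | Format-List
$report.Candidates | Format-Table Path, Size, Version, Md5, Signature, MatchesLive -AutoSize
$report.Verdict
```

    A live file that matches none of its WinSxS copies, as in the rKill output (512,512 bytes against 512,000 and 509,440), is the signal the helper acted on; the copy itself has to happen outside the running system, which is why the thread uses BlitzBlank's reboot-time CopyFile.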
  22. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    Ok, will do after SystemLook finishes.
  23. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    I don't need SystemLook anymore since rKill ran.
  24. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

  25. TimSimm2

    TimSimm2 Newcomer, in training Topic Starter Posts: 87

    It says "unknown command".

