to name a few. There are a ton of them, but they do seem to end in /task/2000/ consistently.
Process: C:\Windows\system32\svchost.exe
It’s trying to play audio commercials and suchlike. Scanning svchost directly reports that the file is fine. I’ve been trying to troubleshoot this for a couple of days now and I’ve run a variety of things Google pointed me towards in an attempt to clean this up, with no luck. Symptoms began around 7:00 am on the first. I’m including my first Mbam log as well as my most recent; hope that’s enough information!
Please download ComboFix by sUBs from here and save it to your Desktop. If you are unsure how ComboFix works, please read this guide carefully. Note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix. If you are unsure how to do this, please read this or this instruction.
Run ComboFix. Click on I Agree!
[i][size=7pt]- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.[/size]
-If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
ComboFix will scan your computer in stages, total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.
[/i]
When the tool is finished, it will produce a log report for you. (typical location: C:\[b]ComboFix.txt[/b] )
Attach the log report (ComboFix.txt) back to the topic.
[*] Unzip/unrar MBAR into a folder on your Desktop and MBAR should run.
[*] Click on Next > then on the Update button to download fresh definitions.
[*] When the database has updated, click Next.
[*] In the following window ensure the “Targets” Drivers; Sectors; System are ticked. Then select the “Scan” button.
[*] If any infections are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
[*] The clean-up procedure will be scheduled for processing.
[*] When complete, a pop-up will show. Select the Yes button and the system should re-boot to complete the cleaning process.
Please attach the two following logs from the mbar folder:
system-log.txt
and mbar-log-year-month-day (hour-minute-second).txt.
No problem, but it is still there in your quoted text in Reply #4 (when I quoted the text, I modified the quoted urls). The original poster has modified his first post, but he can’t modify the text ‘you’ quoted. Change the http to hXXp
Hi,
I’m having the same issues as OP, and have tried the same methods (and then some) to remove this bugger. Avast is the first program that has actually been able to find or block anything. Do I need to create my own thread or can I find help here as well?
I had run ComboFix and MBAR before posting for aid, so that’s probably the peculiarity you noticed… Was trying things I found in similar threads. Sorry. ^^; For some reason I don’t have a ComboFix1 in this folder, just ComboFix2, which I guess I’ll upload just in case.
Edit: added the rest of the files you asked for. x-x’
Close all browser windows and, referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b] )
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.
[*]Double-click to run it. When the tool opens, click Yes to the disclaimer.
[*]Press the Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
[*]Type rpcss.dll into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log, Search.txt, in the same directory the tool is run from.
[*]Please attach it to your reply.
Unfortunately, we have documented cases in other forums where this happened.
Sometimes replacing the patched file with a legitimate one can be tricky. But wait with reinstalling; we should be able to fix it.
We’ll try to do diagnostics and the fix outside the active Windows, in the Recovery Environment.
[*]Plug the flashdrive into the infected PC.
[*]Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.
[*]Follow the prompt to enter the keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply press Enter.
In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
[*] In the command window type in notepad and press Enter.
[*] When notepad opens, click File and select Open.
[*]Select “Computer”, find your flash drive letter, and close Notepad.
[*]In the command window type e:\frst.exe and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run. When the tool opens, click Yes to the disclaimer.
[*]Press the Scan button.
It will make a log (FRST.txt) on the flash drive.
NEXT …
[*]Type rpcss.dll into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log, Search.txt, in the same directory the tool is run from.
[*] Now you may close the FRST program.
[*]Please attach FRST.txt and Search.txt to your reply.
I don’t know if this is going to be relevant, but just in case it is: I recalled I had Ubuntu on a disc and installed it without overwriting any Windows things.
Sooort of figured my Windows install was/is toast. ^^;
Are you being helped elsewhere? I have seen some malware removal tools used which are favourites of some helpers.
Anyway, we do not have a healthy rpcss.dll on your system. FRST was unable to find a good file even in the virtual boot drive. As I can see in the logs, it is most likely the cause of the system crash. Instead of patching the malicious file with a legitimate file using CF, we patched the malicious file with another inactive malicious or bad file. We have to make it right.
First, I shall provide you with a clean copy of rpcss.dll. You need to download that file and save it next to the FRST tool, in the root of your USB memory device.
Note: FRST in RE has been run from "F:", therefore the file location must be the following: F:\rpcss.dll, as I will use that location in the FRST script (FixList.txt).
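An added defender-side check, not part of this thread and not the helper's FRST procedure: it hashes the live System32\rpcss.dll, hashes the copies Windows keeps in its component store (WinSxS), and reports whether the live file still matches any stored copy, which is the same question the rpcss.dll search above is asking. It assumes a default Windows install and an elevated PowerShell prompt on the affected machine; the paths and the function names are the example's own.

```powershell
# Hash a file with SHA-256 without relying on Get-FileHash (absent on older PowerShell).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# Describe one copy of the DLL: where it is, its hash, and its Authenticode status.
# Caveat (assumption about the platform): on older Windows releases many System32
# files are catalog-signed only, so Status may read 'NotSigned' even for a clean
# file; the hash comparison below is the more reliable signal there.
function Get-DllInfo([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path   = $Path
        Sha256 = Get-Sha256Hex $Path
        Size   = (Get-Item $Path).Length
        Status = $sig.Status        # 'Valid', 'NotSigned', 'HashMismatch', ...
    }
}

# Compare the live rpcss.dll against every copy stored under WinSxS.
function Compare-Rpcss {
    $live = Get-DllInfo (Join-Path $env:SystemRoot 'System32\rpcss.dll')
    $stored = Get-ChildItem (Join-Path $env:SystemRoot 'WinSxS') -Recurse -Filter 'rpcss.dll' -ErrorAction SilentlyContinue |
              ForEach-Object { Get-DllInfo $_.FullName }
    $match = $stored | Where-Object { $_.Sha256 -eq $live.Sha256 }

    Write-Host "Live file : $($live.Path)  size=$($live.Size)  status=$($live.Status)"
    Write-Host "SHA-256   : $($live.Sha256)"
    if ($match) {
        Write-Host "Live rpcss.dll matches a stored component copy; it is most likely unmodified."
    } else {
        # A patched rpcss.dll differs from every stored copy; list them so a helper
        # can pick a known-good candidate and compare it against a clean reference.
        Write-Host "Live rpcss.dll matches NO stored copy (possible patching). Stored copies:"
        $stored | Format-Table Status, Size, Sha256, Path -AutoSize
    }
}

Compare-Rpcss
```

A hash that matches a WinSxS copy is only evidence that the file was not altered in place; a fully trustworthy reference is still a copy from known-clean media of the same Windows version and service pack.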
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-01-2014
Ran by SYSTEM on MININT-BEG6ON2 on 06-01-2014 10:30:03
[b]Running from F:\[/b]