[hi-marsh]

My computer became infected recently when my AV (Symantec) recognized a virus.  I do not remember the name of that virus, but the AV quarantined it immediately.  As I was running an AV scan to look for additional trouble, a window popped up announcing some sort of 'exception' and the 60 second timer and the machine began rebooting, timing out on the timer, and rebooting again in a loop.  Safe mode did not stop the timer.  I found a DOS command that would stop the timer in safe mode ("cmd" 'enter') then ("shutdown -a" 'enter').  The timer iteration stopped at that point, but will reappear every time I reboot the PC.  

 

I am running XP.  I ran an AV scan that turned up nothing.  I ran a 'FixBlast' removal tool on the hope that might fix the problem but it found nothing.  I installed Malwarebytes and ran a scan and that found nothing.  I tried AdwCleaner and that did not locate any known problems.  I found some forums and ran the FRST and also the OTL scan tools.  Then I read that I should not load additional programs or run tools more than once. 

 

All the infection started on 5/21/14.  Since that day, I have not connected to the internet when booting the PC.  I have started the PC twice since then and run the scans previously mentioned.

 

Since I have done both FRST and OTL, I will attach the logs, not knowing which you may be interested in.  Will greatly appreciate any assistance.

Attached Files

•  FRST.txt   21.11KB   224 downloads
•  OTL.Txt   57.09KB   249 downloads

[Advertisements]

Greetings!
 
My name's Naathim, I'm a GeekU Minion and I'm pleased to meet you!
Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat
I know that it is quite frustrating to have an infected machine because I was once in your shoes. Don't worry! Maybe I'm not a super-human, I don't know everything nor I am limitless, but I promise to do my best to fix your issues!
 
Here are some notes that should make our work faster and easier, please take a look and stay familiar with them
 

 
Malware removal is a long-time process due to tough analysis and research. Stay with me until I say we're done.
Read my instructions completely before proceeding and always run the tools in the order given!
Don't try to fix anything on your own or run any other tools. They may interfere what may lead to prevent your System from the next boot-up.
To make my work easier post the logs directly in your replies, unless asked to attach them.
 

 
If any unexpected problem will appear, interrupt processing and return here with a note!
Never be afraid to ask if in doubt!
 
Now that we have formalities out of the way, let's get started!

 

 

I see that you also managed to run ComboFix. This tool is not a toy and should be used only if told to do so by a Malware Analyst. Refrain from using it on your own.

But since you did it already, please post for my review its logfile: it should be located in C:\ComboFix.txt

 

I will go through your logs and post back shortly.

 

Cheers,

Naat

[Naathim]

Greetings!
 
My name's Naathim, I'm a GeekU Minion and I'm pleased to meet you!
Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat
I know that it is quite frustrating to have an infected machine because I was once in your shoes. Don't worry! Maybe I'm not a super-human, I don't know everything nor I am limitless, but I promise to do my best to fix your issues!
 
Here are some notes that should make our work faster and easier, please take a look and stay familiar with them
 

 
Malware removal is a long-time process due to tough analysis and research. Stay with me until I say we're done.
Read my instructions completely before proceeding and always run the tools in the order given!
Don't try to fix anything on your own or run any other tools. They may interfere what may lead to prevent your System from the next boot-up.
To make my work easier post the logs directly in your replies, unless asked to attach them.
 

 
If any unexpected problem will appear, interrupt processing and return here with a note!
Never be afraid to ask if in doubt!
 
Now that we have formalities out of the way, let's get started!

 

 

I see that you also managed to run ComboFix. This tool is not a toy and should be used only if told to do so by a Malware Analyst. Refrain from using it on your own.

But since you did it already, please post for my review its logfile: it should be located in C:\ComboFix.txt

 

I will go through your logs and post back shortly.

 

Cheers,

Naat

[Dakeyras]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

[Dakeyras]

Topic re-opened per OP's request...

[Naathim]

Hi

Please post for my review log made by ComboFix: it should be located in C:\ComboFix.txt
If it won't be there, do not run it again unless requested!
 


Also, as there have been a couple of days, please provide me a fresh set of FRST reports.


Performing general FRST scan

Please re-run Farbar Recovery Scan Tool

• Right click on to run as administrator (XP users click run after receipt of Windows Security Warning - Open File).
• When the tool opens click Yes to disclaimer.
• You will be presented with a window like below:
  

  

 

• Make sure that the Addition box is checked.
• Press Scan button.
• It will produce two logs called FRST.txt and Addition.txt in the same directory the tool is run from.
• Please copy and paste them back here.

= = = = = = = = = = = = = = = = = = = =

Now in your next reply please include these ones for my review:
ComboFix.txt
FRST.txt
Addition.txt

I don't mind multiple posts if necessary.

Cheers,
Naat

[hi-marsh]

Greetings Naat,

 

When I checked for the ComboFix.txt document, I could not find it anywhere.  Likely because I had only used a trial version of the program.  There was only an .exe file in the ComboFix subfolder, nothing hidden.  I will provide you with new FRST and Addition docs tomorrow.

 

Thanks,

hi-marsh

[Naathim]

Hi
 
Thank you, I will be somewhere around
 
Cheers,
Naat

[hi-marsh]

 

 

Hi Naat,

 

Here are the FRST.txt and Addition.txt documents....    

 

Many thanks,

hi-marsh

 

Attached Files

•  FRST.txt   19.79KB   271 downloads
•  Addition.txt   28.9KB   226 downloads

[Naathim]

Hi
 
There appears to be a critical system file patched. Please do the following:

Please re-run Farbar Recovery Scan Tool

• Right click on to run as administrator (XP users click run after receipt of Windows Security Warning - Open File).
• When the tool opens click Yes to disclaimer.
• You will be presented with a window like below:
  

  

• In the Search bar please type in the following:
  rpcss.dll;
• Press Search Files button.
• It will produce a log called Search.txt in the same directory the tool is run from.
• Please copy and paste it back here.

Please do not attach the logfiles!
This makes my work really harder. Just copy their content (Ctrl+A -> Ctrl+C) and paste it (Ctrl+V) directly into your post.


Cheers,
Naat

[Dakeyras]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

[Dakeyras]

Topic re-opened per OP's request...

[Naathim]

Hello again
 
Please follow the instructions in my previous post and include Search.txt log from FRST.
 

Please note also this one:
 
Please do not attach the logfiles!
This makes my work really harder. Just copy their content (Ctrl+A -> Ctrl+C) and paste it  (Ctrl+V) directly into your post.
 
Cheers,
Naat

[hi-marsh]

Greetings Naat,

Here is the information from the Search.txt file:

Farbar Recovery Scan Tool (x86) Version:21-05-2014
Ran by Owner Supervisor at 2014-06-16 21:21:47
Running from J:\
Boot Mode: Safe Mode (minimal)

================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll
[2008-04-25 09:16] - [2009-02-09 05:10] - 0407040 ____A (Microsoft Corporation) 4a56e5f034f62b33dbed454596661fb3

C:\WINDOWS\system32\dllcache\rpcss.dll
[2009-05-23 18:01] - [2009-02-09 05:10] - 0407040 ___AC (Microsoft Corporation) 4153bb4e0413d10a50c22b0e2b5d88cc

C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2009-05-23 18:57] - [2008-04-14 05:42] - 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2009-05-23 18:09] - [2008-04-14 05:00] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2009-05-23 18:01] - [2009-02-09 03:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2

=== End Of Search ===

Thanks again.
Hi-marsh

[Naathim]

Hi 

 

OK, let's try to kill the bad guy sitting there. Also please bare in mind that our procedures should be done in a timely manner and not once per week. My tools have limited timimg area of scans, and after each break I need fresh ones. It makes our work longer and more complicated.

 
We'll run a fix using Farbar Recovery Scan Tool.

• Download attached fixlist.txt file and save it to the Desktop.
   fixlist.txt   550bytes   280 downloads
• VERY IMPORTANT:
  Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

WARNING 

This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system!

• Right click on the  to run as administrator (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

After that please try to boot in normal mode.

If succesful, generate the next reports from normal mode.

If no joy, perform them from the safe mode.
 
 
Performing general FRST scan

Please re-run Farbar Recovery Scan Tool

• Right click on  to run as administrator (XP users click run after receipt of Windows Security Warning - Open File).
• When the tool opens click Yes to disclaimer.
• You will be presented with a window like below:
  

  

• Make sure that the Addition box is checked.
• Press Scan button.
• It will produce two logs called FRST.txt and Addition.txt in the same directory the tool is run from.
• Please copy and paste them back here.

 

Now in your next reply please include:

- fixlog.txt

- FRST.txt

- addition.txt

 

I don't mind multiple posts if necessary.

 

Cheers,
Naat 

[hi-marsh]

Thanks Naat,
I have a 100K trip to town to download the file. Will get it done today.
Cheers, hi-marsh