
Infected with Trojan-Auleron / winrscmde / svshost.exe



First of all, I am so happy you exist! I have been trying to get rid of these infections for months. I believe the virus entered my computer on Apr 13, 2012. What made me notice immediately was the Windows Updates, especially the Security ones, because they began to fail. Another thing that happens quite often is the audio going crazy; it seems like three radio stations or commercials playing at once, over and over. It comes on and off as it pleases, but it especially comes on when I try to play something. The only way I have gotten to quiet it is by constantly having mute on the computer, or going to the mixer and muting everything but what I recognize. Additionally, Norton is constantly letting me know that there is "High CPU usage by: winrscmde", which I located in svshost.exe. Another symptom is that it shuts off whenever it wants, especially when I put it to sleep. I know before it would come back on when I opened it, and now it brings up the black or blue screen saying that it needs to do a data dump or that the computer shut off unexpectedly, and it takes forever to load or goes through the whole process, and this happens almost every day.

So, in short, every day:

(1) Windows Updates fail over and over

(2) the audio goes crazy

(3) Norton warns about "High CPU usage by: winrscmde"

(4) the computer shuts off on its own

Also, when I ran my antivirus, it said that it "partially removed" Trojan-Auleron.

I don't know much about computers, so please explain to me step by step what I must do. I greatly appreciate your help in advance!

I followed the steps in the "I'm infected - What do I do now" pinned post and these are the results.

Please note that even though it says that it removed the trojan, the audio continues to go crazy even when I disconnect from the Internet, which obviously means the virus is still on my PC.

Malwarebytes Anti-Malware


Database version: v2012.08.23.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Kathy :: KATHY-10 [administrator]

8/22/2012 11:09:41 PM

mbam-log-2012-08-22 (23-09-41).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 197671

Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.



DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Kathy at 23:34:13 on 2012-08-22

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3563.1218 [GMT -7:00]


AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS


C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\IDT\WDM\STacSV64.exe

C:\Windows\system32\svchost.exe -k LocalService



C:\Windows\system32\svchost.exe -k NetworkService


C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe


C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe


C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE


C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted


C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\\ccSvcHst.exe







C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\\ccSvcHst.exe


C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe

C:\Program Files\IDT\WDM\sttray64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe


C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe

C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe



C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe













============== Pseudo HJT Report ===============


uStart Page = https://brandman.bla.../webapps/login/

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\\coIEPlg.dll

BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\\IPS\IPSBHO.DLL

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\\coIEPlg.dll

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe

mRun: [<NO NAME>]

mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

TCP: DhcpNameServer =

TCP: Interfaces\{45018BFC-0E7A-40EE-80BD-B9EB69BC4965} : DhcpNameServer =

TCP: Interfaces\{45018BFC-0E7A-40EE-80BD-B9EB69BC4965}\46C696E6B6 : DhcpNameServer =

TCP: Interfaces\{45018BFC-0E7A-40EE-80BD-B9EB69BC4965}\86F6D656 : DhcpNameServer =

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SEH: EasyBits ShellExecute Hook: {e54729e8-bb3d-4270-9d49-7389ea579090} - C:\Windows\SysWow64\EZUPBH~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\\coIEPlg.dll

BHO-X64: Norton Identity Protection - No File

BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\\IPS\IPSBHO.DLL

BHO-X64: Norton Vulnerability Protection - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\\coIEPlg.dll

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe

mRun-x64: [(Default)]

mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

mRun-x64: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

SEH-X64: EasyBits ShellExecute Hook: {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWow64\EZUPBH~1.DLL

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL


============= SERVICES / DRIVERS ===============


R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]

R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]

R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0603000.00E\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0603000.00E\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0603000.00E\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0603000.00E\SYMEFA64.SYS [?]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120804.001\BHDrvx64.sys [2012-8-8 1161376]

R1 ccSet_N360;Norton Security Suite Settings Manager;C:\Windows\system32\drivers\N360x64\0603000.00E\ccSetx64.sys --> C:\Windows\system32\drivers\N360x64\0603000.00E\ccSetx64.sys [?]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120822.001\IDSviA64.sys [2012-8-21 512672]

R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0603000.00E\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0603000.00E\Ironx64.SYS [?]

R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0603000.00E\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0603000.00E\SYMNETS.SYS [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-3 63928]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-4-1 365568]

R2 BingDesktopUpdate;Bing Desktop Update service;C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [2012-3-30 151656]

R2 ezSharedSvc;Easybits Services for Windows;C:\Windows\System32\ezSharedSvcHost.exe [2011-5-8 514232]

R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]

R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]

R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-9-1 227896]

R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]

R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]

R2 lxdu_device;lxdu_device;C:\Windows\system32\lxducoms.exe -service --> C:\Windows\system32\lxducoms.exe -service [?]

R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\\ccsvchst.exe [2012-8-22 138272]

R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]

R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]

R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-15 138912]

R3 hpCMSrv;HP Connection Manager 4.0 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-2-15 1071160]

R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]

R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 NIS;Norton Internet Security;"C:\Program Files (x86)\Norton Internet Security\Engine\\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\\diMaster.dll" /prefetch:1 --> C:\Program Files (x86)\Norton Internet Security\Engine\\ccSvcHst.exe [?]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-8 250568]

S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-1 183560]

S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\system32\DRIVERS\ssudbus.sys --> C:\Windows\system32\DRIVERS\ssudbus.sys [?]

S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2012-8-7 24176]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]

S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\system32\DRIVERS\ssudmdm.sys --> C:\Windows\system32\DRIVERS\ssudmdm.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]

S4 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-9-9 89600]

S4 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-9-9 2375168]

S4 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]


=============== Created Last 30 ================


2012-08-23 06:17:37 20480 ------w- C:\Windows\svchost.exe

2012-08-23 06:09:09 -------- d-----w- C:\Users\Kathy\AppData\Roaming\Malwarebytes

2012-08-23 06:08:53 -------- d-----w- C:\ProgramData\Malwarebytes

2012-08-23 06:08:52 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-08-23 06:08:52 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-23 04:23:53 737952 ----a-w- C:\Windows\System32\drivers\N360x64\0603000.00E\srtsp64.sys

2012-08-23 04:23:53 451192 ----a-r- C:\Windows\System32\drivers\N360x64\0603000.00E\symds64.sys

2012-08-23 04:23:53 405624 ----a-r- C:\Windows\System32\drivers\N360x64\0603000.00E\symnets.sys

2012-08-23 04:23:53 37536 ----a-w- C:\Windows\System32\drivers\N360x64\0603000.00E\srtspx64.sys

2012-08-23 04:23:53 190072 ----a-r- C:\Windows\System32\drivers\N360x64\0603000.00E\ironx64.sys

2012-08-23 04:23:53 1129120 ----a-w- C:\Windows\System32\drivers\N360x64\0603000.00E\symefa64.sys

2012-08-23 04:23:52 167072 ----a-w- C:\Windows\System32\drivers\N360x64\0603000.00E\ccsetx64.sys

2012-08-23 04:23:18 -------- d-----w- C:\Windows\System32\drivers\N360x64\0603000.00E

2012-08-16 14:14:36 503808 ----a-w- C:\Windows\System32\srcore.dll

2012-08-16 14:14:36 43008 ----a-w- C:\Windows\SysWow64\srclient.dll

2012-08-16 14:14:28 751104 ----a-w- C:\Windows\System32\win32spl.dll

2012-08-16 14:14:28 67072 ----a-w- C:\Windows\splwow64.exe

2012-08-16 14:14:28 559104 ----a-w- C:\Windows\System32\spoolsv.exe

2012-08-16 14:14:28 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll

2012-08-16 14:14:27 59392 ----a-w- C:\Windows\System32\browcli.dll

2012-08-16 14:14:27 41984 ----a-w- C:\Windows\SysWow64\browcli.dll

2012-08-16 14:14:27 136704 ----a-w- C:\Windows\System32\browser.dll

2012-08-16 14:14:26 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-08-16 14:14:25 956928 ----a-w- C:\Windows\System32\localspl.dll

2012-08-08 05:14:09 -------- d-----w- C:\Program Files\PeerBlock

2012-08-08 05:05:13 -------- d-----w- C:\mp3

2012-08-08 05:05:11 -------- d-----w- C:\Users\Kathy\AppData\Roaming\Naturalsoft

2012-08-08 05:05:11 -------- d-----w- C:\temp

2012-08-08 05:05:11 -------- d-----w- C:\picture

2012-08-08 05:05:11 -------- d-----w- C:\music

2012-08-08 05:05:11 -------- d-----w- C:\Log

2012-08-08 05:05:11 -------- d-----w- C:\audioFile

2012-08-08 05:03:22 -------- d-----w- C:\ProgramData\NaturalSoft

2012-07-30 06:01:48 476976 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll

2012-07-25 18:51:56 1580032 ----a-w- C:\NaturalReader11.exe


==================== Find3M ====================


2012-08-23 06:22:03 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-23 06:22:03 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-07-30 06:01:19 472880 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-06-11 00:24:17 175736 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS

2012-06-06 15:49:52 1070152 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX

2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll

2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll

2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll

2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll

2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll

2012-06-05 18:47:32 6626464 ----a-w- C:\ProgramData\SPL5E45.tmp

2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys

2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys

2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys

2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll

2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll

2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll

2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll


============= FINISH: 23:34:55.83 ===============

Please let me know if you need the other text or anything else from me. Thanks in advance again! And please remember that even though I may seem like I know, I am computer illiterate when it comes to programs or software, etc., but I think I can follow your instructions properly.

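The logs above carry the one detail that matters for triage: the legitimate Service Host runs from `C:\Windows\system32\svchost.exe` (and `System32`), while the file Malwarebytes quarantined sat in `C:\Windows\svchost.exe`, and the title's `svshost.exe` is a one-letter look-alike. The script below is an added example for this thread, not code from Malwarebytes, DDS or any tool named here: it scans DDS/MBAM-style log lines and flags paths whose file name is (or is one edit away from) a core Windows binary but whose directory is not `System32`/`SysWOW64`. The list of core binary names, the regex, and the sample lines (a mix of lines from this thread and one constructed look-alike) are assumptions made for the example.

```python
"""Triage helper for DDS/MBAM-style log lines.

Flags any path that reuses the name of a core Windows binary (or a name one
edit away from it) while living outside the directories where that binary
belongs.  Added example for this thread; not part of DDS, MBAM or any other tool.
"""
import re
from typing import List, NamedTuple, Optional

# Directories where the core binaries legitimately live (x64 Windows 7).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Assumed allowlist of core binary names worth watching (constructed subset).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe", "wininit.exe"}

# A drive-letter path ending in .exe/.sys/.dll; lazy so trailing args are dropped.
_PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|sys|dll))\b", re.IGNORECASE)


class Finding(NamedTuple):
    path: str
    reason: str


def _edit_distance_le1(a: str, b: str) -> bool:
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # remaining suffix of the shorter string must equal the longer minus one char
    return a[i:] == b[i + 1:]


def classify_path(path: str) -> Optional[str]:
    """Return a reason string if the path is suspicious, else None."""
    p = path.lower()
    directory, _, name = p.rpartition("\\")
    if name in CORE_BINARIES:
        if directory not in SYSTEM_DIRS:
            return f"core binary name '{name}' outside System32/SysWOW64"
        return None
    for core in CORE_BINARIES:
        if _edit_distance_le1(name, core):
            return f"'{name}' is one edit away from core binary '{core}'"
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Extract every path from each log line and collect the suspicious ones."""
    findings = []
    for line in lines:
        for match in _PATH_RE.finditer(line):
            reason = classify_path(match.group(1))
            if reason:
                findings.append(Finding(match.group(1), reason))
    return findings


# Sample input: four lines taken from the logs in this thread plus one
# constructed look-alike (svshost.exe) to exercise the near-match rule.
SAMPLE_LINES = [
    r"C:\Windows\system32\svchost.exe -k DcomLaunch",
    r"C:\Program Files\IDT\WDM\STacSV64.exe",
    r"2012-08-23 06:17:37 20480 ------w- C:\Windows\svchost.exe",
    r"C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.",
    r"C:\Windows\svshost.exe",  # constructed for this example
]


def triage_sample() -> List[Finding]:
    """Run the triage over the embedded sample; returns three findings."""
    return triage(SAMPLE_LINES)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.path}: {f.reason}")
```

The same check can be run over a whole DDS.txt by feeding its lines to `triage()`; the "Running Processes" and "Created Last 30" sections are where a dropped file like the one above shows up first.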

  • Root Admin

Hello - Please run the following and we'll see if we can get you fixed up.

Step 1.

Download TDSSKiller from Kaspersky to your computer.


Step 2.

Locate the file you downloaded and execute TDSSKiller.exe by right-clicking it and choosing "Run as Administrator".

Press Start Scan

If Malicious objects are found, please select SKIP for any infection found for now and simply send me back the log.

Once complete, a log will be produced at the root drive which is typically C:\

For example, C:\TDSSKiller.

Send that log back to me on your next reply please as an attachment.

Thank you


  • Root Admin


Okay please run the following steps.


Run TDSSKiller again but this time when it detects the Rootkit.Boot.Pihar.b tell it to cure it.


After the reboot please run Malwarebytes and check for updates, then do a Quick Scan and fix anything found.


Restart the computer one more time. Then run Malwarebytes again and do another Quick Scan and send me back both log files on your next reply.



I attached all the logs; please let me know if you'd rather I copy/paste them.

Both, the TDSS and the Malwarebytes, found 1 thing the first time, and detected 0 the second time.

It seems like it's working...?

mbam-log-2012-08-23 (00-37-01).txt

mbam-log-2012-08-23 (00-42-53).txt




  • Root Admin

You're doing just fine and yes I like the logs attached as you're doing.


Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop



Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool, on Vista or Win 7 right click and select Run as administrator

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

    When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file in most cases.


Please download Security Check from one of the links below.




Save it to your Desktop.

Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.

A Notepad document should open automatically called checkup.txt

Please attach that document on your next reply as well.

Thanks again


Attached are the logs.

I ran the checkup twice, because I noticed the Java and Adobe updates were needed. So, the first one shows that they were outdated, and checkup2 shows that they are up to date. The other stuff I don't know if there is anything I should do.

I was also able to do the Windows Updates! :)

Thank you Thank you Thank you!



DDS 1.txt


  • Root Admin

There should have been a file named ATTACH.TXT when you ran DDS can you please attach it as well on your next reply.

Please update your Norton Anti-Virus and do a System Scan and let me know if it finds any issues or not.

Let me know if you're still seeing any signs of an infection anymore.

Thanks again


Sorry about that! Attached are both texts. There were 6 updates for Norton!

I cannot believe we are almost done with this process; I hope all viruses stay off my computer for good! I don't see any signs, but when I have tried to remove it before (by running Norton) it would disappear. However, the fact that it let me go through with all the updates, especially Windows, is a great indication to me that it's probably gone. I am :D . Is there anything else I can do to verify if it's really gone?

Attach 1.txt

Norton Quick Scan.txt


  • Root Admin

Please delete your current DDS logs and restart the computer one more time. Then run DDS again and make sure to save and send me back both NEW logs. The attach you sent was from before changing Java I think.

Also want to make sure there are no more events going on in the Event Logs.

We can run a more intense Anti-Virus scan to make sure the system is clean but so far it's looking just fine now.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply.



Hello there,

I am writing from my cellphone. I did the DDS scan as requested, then I did the Dr.Web; it took over 6 hours! However, I realized I didn't change the settings as requested. Therefore, there are no logs on this message as I am running Dr.Web on the pc again, but this time with all the correct settings. It has found 27 things so far. Just wanted to let you know. Thanks for checking up!



Attached are the DDS scans.

The original logs are after the first restart.

After Dr.Web restart, I ran DDS again just in case it may help, so DDS2 and Attach2 were run after the very last restart.

It is not letting me attach the Dr.Web files, it says I am not allowed to attach that type of file.

Please advise. And once again, thank you for your time and help!






  • Root Admin

Please uninstall the following program

Java™ 6 Update 33

This seems odd because the main log shows that the service is running. Maybe it was triggered by the Event Logs if you had it disabled to run Dr Web.

8/24/2012 7:12:26 AM, Error: Service Control Manager [7000] - The Norton Internet Security service failed to start due to the following error: The system cannot find the file specified.

I'll check the Dr Web once you get that uploaded and we'll go from there.



Attached are the Dr.Web texts

1 - scan without modifying settings

2 - scan with correct settings (but without correcting all errors)

3 - log after all viruses were deleted or moved (if the pc allowed me to)

I am not sure what you meant about Norton being odd, is there something else I should do besides uninstalling Java 6 Update 33?

Norton was disabled and the internet was disconnected while the scan was going on... I thought the directions instructed to do so..

I will uninstall the Java 6 Update 33 as indicated.






  • Root Admin

Hi Kathy

Okay that looks pretty good and does not look like anything else too serious was there. Dr Web is/was finding stuff in cache and in the Norton quarantine area.

Probably nothing wrong with Norton and was just logged in the Event Logs while scanning is all.

Yes, please do uninstall the Java listed.

Next, go into Norton and go to the Quarantine and empty the Quarantine.

Next, go ahead and uninstall Dr Web and delete the folder it created on your system.

Empty your Trash/Recycle bin

Click on START and type in CMD.EXE and when it shows on the menu right click and choose "Run as administrator"

Then in the DOS box type the following and press the Enter key.


It will say the drive is locked and ask if you want to check it on reboot. Press the Y key and then the Enter key.

Now start Internet Explorer and go to Tools/Internet Options/General and click on the Delete button under Browsing history

uncheck "Preserve Favorites website data"

Put a check on "Temporary Internet files" and anything else you want to remove and then click Delete

Then start IE again and go to Tools/Internet Options/Advanced and click on the Reset button. Then quit IE and restart it and configure it.

Now restart the computer and make sure that the Disk Check runs. It should take at least 5 minutes up to a few hours to run depending on how big your drive is and how much data you have.

After it restarts again make sure the Norton AV is up and running and up to date with no issues.

Check that Malwarebytes is running as well and up to date.

Let me know if you have any questions or notice any other specific issues but we should just about be done here once you complete those tasks.

Thanks again

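The checks the Root Admin asks for in the last two replies (no more Service Control Manager errors in the Event Logs, the old Java versions gone, Norton and Malwarebytes running and up to date) can all be read from one elevated PowerShell prompt instead of clicking through each console. The script below is an added example written for this thread, not code from the forum, from Malwarebytes or from Dr.Web. It assumes Windows Vista or later (the root\SecurityCenter2 WMI namespace), that it is run from a PowerShell window opened with "Run as administrator", and that the $DaysBack and $AvName values, and the productState decoding, are assumptions you may need to adjust.

```powershell
# Post-cleanup verification script. Added illustration, not code from this thread,
# Malwarebytes or Dr.Web. Assumptions: Windows Vista/7 or later, run from an
# elevated PowerShell prompt (Start > type powershell > right-click > Run as administrator).
# $DaysBack and $AvName are placeholders; adjust them for the machine you are checking.

param(
    [int]$DaysBack = 7,            # how far back to search the System event log
    [string]$AvName = 'Norton'     # substring of the AV product name to look for (assumption)
)

# 1. Service Control Manager errors. Event 7000 is "service failed to start" (the
#    Norton entry quoted earlier in the thread), 7001 "dependency service failed",
#    7034 "service terminated unexpectedly". After cleanup and reboot there should be
#    no new entries of these for the anti-virus or Malwarebytes services.
$since = (Get-Date).AddDays(-$DaysBack)
$scmErrors = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7001, 7034
    StartTime    = $since
} -ErrorAction SilentlyContinue      # "no events found" is reported as an error; hide it

Write-Host "Service Control Manager errors since $since :"
if ($scmErrors) {
    $scmErrors | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
} else {
    Write-Host "  none"
}

# 2. Installed Java versions, read from the Uninstall registry keys (native hive and
#    the 32-bit-on-64-bit hive). Every copy older than the newest one is unpatched
#    attack surface and should be uninstalled, as advised above.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java*' } |
    Select-Object DisplayName, DisplayVersion |
    Sort-Object DisplayVersion -Descending

Write-Host "`nInstalled Java products (keep only the newest):"
if ($java) { $java | Format-Table -AutoSize } else { Write-Host "  none found" }

# 3. Anti-virus products registered with Windows Security Center and their state.
#    productState is a bit field Microsoft does not document; the decoding below
#    (middle byte 0x10 = real-time protection on, low byte 0x00 = definitions current,
#    0x10 = out of date) is the commonly used interpretation and is an assumption here.
$avProducts = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
    -ErrorAction SilentlyContinue

Write-Host "`nAnti-virus products registered with Security Center:"
foreach ($p in $avProducts) {
    $hex      = '{0:x6}' -f [int]$p.productState
    $mid      = $hex.Substring(2, 2)
    $enabled  = ($mid -eq '10') -or ($mid -eq '11')
    $upToDate = $hex.Substring(4, 2) -eq '00'
    $flag     = if ($p.displayName -like "*$AvName*") { ' <- expected product' } else { '' }
    Write-Host ("  {0}: enabled={1} upToDate={2}{3}" -f $p.displayName, $enabled, $upToDate, $flag)
}

# 4. The anti-virus and Malwarebytes services themselves should report Running.
Write-Host "`nSecurity-related services:"
Get-Service |
    Where-Object { $_.DisplayName -like "*$AvName*" -or $_.DisplayName -like '*Malwarebytes*' } |
    Select-Object DisplayName, Status |
    Format-Table -AutoSize
```

Save it as, for example, verify-cleanup.ps1 and run it from the elevated prompt with `.\verify-cleanup.ps1 -DaysBack 3` (the default execution policy may require `Set-ExecutionPolicy RemoteSigned` first). An empty first section, a single Java entry, and the expected product showing enabled=True upToDate=True with its service Running are what "looks good" corresponds to; a 7000 or 7034 error dated after the last reboot is the thing to paste back into the thread.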


Do you know how do I find the Quarantine folder in Norton? I opened it, but don't see anything like that...

Also, when I uninstalled Java 6 Upd 33, I noticed there is another one that says Java 6 Upd 24 (in addition to the Java 7 I got), should I also uninstall Java 6 Update 24?


  • Root Admin

What specific name is your Norton AV? I don't have one here to test myself but we might be able to search online to see or I can check another system that I know is running it later tonight.

Yes please uninstall all versions of Java except the latest new one you put in 7 build 6



Ok, I did everything.

Removed the other old Java. Found the Norton Quarantine folder and deleted everything, also deleted the recent history and pretty much everything I could. The Dr.Web program wouldn't give me the option to uninstall, but I deleted it and emptied the recycle bin, so the only thing I have for Dr.Web now is the text logs/scans, but I didn't find it in the programs. I also followed your directions in regards to Internet Explorer and cmd.

Now, I will restart and will get back to you once the cmd is done. (disk check)



The check up is done, it did it upon restart and it appears to be good.

I updated Norton and Malwarebytes, Norton is working good, Malwarebytes I didn't know how to verify so I did a scan and it came out great. Attached is the log.

Thank you so much for all your help! Please let me know if I should be good to go, I believe I am. Oh, and the Norton, is Norton Security Suite, just in case you needed to know.


  • Root Admin

Hi Kathy,

Yes I think you should be good to go now. Everything looks good that you've sent back and it was a pleasure working with you on this.

If there is anything else I can assist you with please let me know.

Make sure you keep your Anti-Virus and Malwarebytes up to date at all times. Check on your plugins like Java, Flash, Acrobat and make sure you keep them up to date as well and remove older versions if the program doesn't do it for you.

Thank you again and best wishes


Thank you so much! I cannot thank you enough!! I might need more help when I start cleaning another computer, but I am good for now. :) I cannot believe you guys help people for free, others charge so much and usually delete the information saved and the preferences, and most people don't even know what they are doing, it's so frustrating! You made it very easy and efficiently got rid of everything, I am very VERY thankful! I guess my only question is, when I need help with my next computer, should I write to this thread or post a new one? Thanks and best wishes!


This topic is now closed to further replies.