A few days ago, I had a trojan infect my computer, but I thought I had cleared it up with rkill, Trojan Killer, tdsskiller, and Malewarebytes. My computer seems to be fine except for a really annoying message that pops up telling me, "Host Process for Windows Services has Stopped Working and was closed" and then I click, "OK/Close" and another window comes up telling me how to fix the problem (check for updates-I don't have any). I checked my Event Viewer and I have tons of alerts, including, "Faulting application svchost.exe" and "Task Scheduling Error" from Bonjour. Also, I turned on my computer today and Firefox had uninstalled. I ran Malwarebytes and it found a Trojan called certstore.dat (the same one it found initially when I first had a fake anti-virus software install itself on my computer). Everytime I delete it and reboot and rescan, it comes back. Can anything be done for this?
turn off your system restore and then scan. Some HELP in posting on Computing.net plus free progs and instructions Cheers
Ok I turned off system restore and scanned with Malwarebytes, PC Tools Antivirus, and Trojan Remover and nothing was found, but the "Host Process.." pop up is still appearing. Could the virus be gone and the pop up be another problem? And can I turn my system restore back on?
Yes, you can turn it back on as you have now deleted all the old points. Hopefully your problem is fixed now, I noticed you ran the right cleaners in your OP.
Good luckSome HELP in posting on Computing.net plus free progs and instructions Cheers
Thanks so much for you help!
Ok, my problem is not solved as I thought it was. I ran another Malwarebytes, just to double check, this time a full scan (hate running those bc it takes almost an hour), and the virus is still there. I deleted it and restarted with System Restore turned OFF, but I'm running Malwarebytes one more time, just to check. This is a very nasty virus apparently..
run rkill again, then tdss killer and then do another scan with malwarebytes. Sometimes running it again, picks up the problem when it escaped previously. Good luck ;-) Some HELP in posting on Computing.net plus free progs and instructions Cheers
rkill and tdss killer found nothing. Malwarebytes is still finding it over and over, but obviously not deleting it..
if your vista is 32 bit you can use combofix:
http://www.bleepingcomputer.com/com...
Just follow the tutorial and you will be fine.
If it is 64 bit, combofix will not workSome HELP in posting on Computing.net plus free progs and instructions Cheers
Do you want me to post the log here or private message it?
you can post it here Some HELP in posting on Computing.net plus free progs and instructions Cheers
ComboFix 10-10-21.02 - Allison 10/21/2010 20:57:02.1.2 - x86
Running from: c:\users\Allison\Desktop\ComboFix.exe
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:\windows\system32\AVSredirect.dll
c:\windows\system32\drivers\fnld.sys
c:\windows\system32\FastUv32.dll.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.-------\Service_oxbcgulf
((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
.2010-10-22 02:02 . 2010-10-22 02:05 -------- d-----w- c:\users\Allison\AppData\Local\temp
2010-10-22 02:02 . 2010-10-22 02:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-21 04:06 . 2010-10-12 21:59 140248 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-10-21 04:06 . 2010-10-12 21:59 25048 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-10-20 02:02 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{807046FF-4BE0-4242-96C4-16617BDDCC4A}\mpengine.dll
2010-10-17 20:26 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-17 20:26 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-17 20:26 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-17 20:26 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-10-17 20:26 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-17 20:26 . 2010-10-17 20:26 -------- d-----w- c:\program files\Trojan Remover
2010-10-17 20:26 . 2010-10-17 20:26 -------- d-----w- c:\users\Allison\AppData\Roaming\Simply Super Software
2010-10-17 20:26 . 2010-10-17 20:26 -------- d-----w- c:\programdata\Simply Super Software
2010-10-17 20:16 . 2010-10-17 20:16 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-14 18:47 . 2010-08-31 13:27 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-10-14 18:47 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
2010-10-13 16:12 . 2010-08-20 16:05 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-10-13 16:12 . 2010-08-31 15:44 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-09-29 20:07 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-29 19:47 . 2010-08-26 04:23 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-09-29 00:24 . 2004-01-25 05:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
2010-09-29 00:24 . 2004-01-25 05:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
2010-09-23 19:42 . 2010-09-23 19:42 95672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-13 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-13 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-13 154136]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-03-13 6965792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-03-07 468320]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-12-18 448376]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-03-23 729088]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-18 1451304]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-04-17 2513472]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-03-25 163840]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-03-24 1007616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TPCHWMsg"="c:\program files\TOSHIBA\TPHM\TPCHWMsg.exe" [2009-04-10 570736]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-01 1283384]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-02 1167808][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-474958008-1710612053-3734575190-1000]
"EnableNotificationsRef"=dword:00000001R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2010-09-02 13312]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-11 366840]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-02-05 233136]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [2010-06-18 198608]
S2 camsvc;TOSHIBA Web Camera Service;c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [2009-04-17 20544]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-11-23 88040]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-02-19 57344]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-04-01 62776]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-04-15 176128]
S2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-03-17 73728]
S2 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-04-10 656752]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-03-21 12920]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2008-01-22 100864]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-01-12 70664]
S3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [2010-01-07 58816]
S3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw.sys [2010-01-13 115216]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-03-18 22272]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder2010-10-21 c:\windows\Tasks\User_Feed_Synchronization-{564068F1-9626-48D8-A49C-13B34C589B7C}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\users\Allison\AppData\Roaming\Mozilla\Firefox\Profiles\ipwfdfmw.default\
FF - prefs.js: browser.search.selectedEngine - Search Defender
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.search-results.com/web?o=15868&l=dis&prt=PRT&chn=UN&geo=US&ver=UN&q=
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-10-21 21:10:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-22 02:10Pre-Run: 203,684,401,152 bytes free
Post-Run: 203,473,420,288 bytes freeCurrent=1 Default=1 Failed=0 LastKnownGood=14 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14
- - End Of File - - 563E0C07850B4E1207D00FD3EDE30AFD
do you still have the problem after running combofix? Some HELP in posting on Computing.net plus free progs and instructions Cheers
I just used my computer for about an hour and none of those popups showed up so maybe ComboFix cleared it up!
Sounds good, good luck! Some HELP in posting on Computing.net plus free progs and instructions Cheers