Winrscmde has stopped working

#1
Hey Guys,

I have done quite a bit of searching on this topic and found various ways to fix the problem, but I was wanting to see what you recommend. I think there are a lot of people with these problems, so hopefully I'm not double posting on the same issue, sorry if I am.

One site said to run TDSSkiller: so I did. It found this:

Rootkit.Boot.Pihar.b
\Device\Harddisk0\DR0

There was a lot of other info in the report, but I don't know if it's important, and I don't know how to post it.

Anyway, they also said to run aswmbr: so I did. It found this:


aswMBR version 0.9.9.1618 Copyright(c) 2011 AVAST Software
Run date: 2012-02-20 16:17:55
-----------------------------
16:17:55.308 OS Version: Windows x64 6.0.6002 Service Pack 2
16:17:55.308 Number of processors: 4 586 0x170A
16:17:55.309 ComputerName: OFFICE-PC UserName: Lucas
16:17:57.100 Initialize success
16:18:45.711 AVAST engine defs: 12022002
16:18:52.066 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:18:52.069 Disk 0 Vendor: Hitachi_ STDO Size: 610480MB BusType: 3
16:18:52.071 Device \Driver\iaStor -> MajorFunction fffffa80074e95c4
16:18:52.074 Disk 0 MBR read successfully
16:18:52.077 Disk 0 MBR scan
16:18:52.081 Disk 0 Windows VISTA default MBR code
16:18:52.102 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
16:18:52.145 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 597166 MB offset 27265024
16:18:52.150 Service scanning
16:19:20.254 Modules scanning
16:19:20.259 Disk 0 trace - called modules:
16:19:20.264 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8008865350]<<66742141.sys >>UNKNOWN [0xfffffa80074e95c4]<<hal.dll
16:19:20.267 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004f7e790]
16:19:20.272 3 CLASSPNP.SYS[fffffa6000fcdc33] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003ec5050]
16:19:20.275 \Driver\iaStor[0xfffffa8007270530] -> IRP_MJ_CREATE -> 0xfffffa80074e95c4
16:19:23.001 AVAST engine scan C:\Windows
16:19:27.534 AVAST engine scan C:\Windows\system32
16:24:56.920 AVAST engine scan C:\Windows\system32\drivers
16:25:28.911 AVAST engine scan C:\Users\Lucas
16:31:53.633 Disk 0 MBR has been saved successfully to "C:\Users\Lucas\Desktop\MBR.dat"
16:31:53.640 The log file has been saved successfully to "C:\Users\Lucas\Desktop\aswMBR.txt"
16:32:47.829 File: C:\Users\Lucas\AppData\Local\Temp\29E2.tmp **INFECTED** Win32:MalOb-IK [Cryp]
16:32:48.091 File: C:\Users\Lucas\AppData\Local\Temp\3076.tmp **INFECTED** Win32:Dropper-KDD [Drp]
16:35:11.400 File: C:\Users\Lucas\AppData\Local\Temp\jar_cache812827438487245398.tmp **INFECTED** Win32:Cycbot-OD [Trj]
16:35:29.822 File: C:\Users\Lucas\AppData\Local\Temp\nslB2FD.tmp\nlw6tmk.3bt **INFECTED** Win32:MalOb-HO [Cryp]
16:35:29.969 File: C:\Users\Lucas\AppData\Local\Temp\nslB2FD.tmp\qyrb5od.zfp **INFECTED** Win32:MalOb-HO [Cryp]
16:35:30.011 File: C:\Users\Lucas\AppData\Local\Temp\nslB2FD.tmp\uqb4apu.max **INFECTED** Win32:MalOb-HO [Cryp]
16:54:23.189 AVAST engine scan C:\ProgramData
16:56:53.314 File: C:\ProgramData\Microsoft\Windows\DRM\2934.tmp **INFECTED** Win32:Malware-gen
16:56:53.372 File: C:\ProgramData\Microsoft\Windows\DRM\2934.tmp.dat **INFECTED** Win32:MalOb-IK [Cryp]
16:56:53.461 File: C:\ProgramData\Microsoft\Windows\DRM\2FD8.tmp **INFECTED** Win32:Malware-gen
16:56:53.516 File: C:\ProgramData\Microsoft\Windows\DRM\2FD8.tmp.dat **INFECTED** Win32:Dropper-KDD [Drp]
16:56:53.680 File: C:\ProgramData\Microsoft\Windows\DRM\D3B5.tmp **INFECTED** Win32:MalOb-IK [Cryp]
17:20:39.501 Scan finished successfully
17:25:36.647 Disk 0 MBR has been saved successfully to "C:\Users\Lucas\Desktop\MBR.dat"
17:25:36.676 The log file has been saved successfully to "C:\Users\Lucas\Desktop\aswMBR.txt"
17:28:08.627 Disk 0 MBR has been saved successfully to "C:\Users\Lucas\Desktop\MBR.dat"
17:28:08.633 The log file has been saved successfully to "C:\Users\Lucas\Desktop\aswMBR.txt"

I have read to run something called ComboFix, but I have yet to do that because I wanted to see about the importance of what I already did.

I am not very good with computers, but I learn fast, so if you need more info, let me know. Also, please tell me if I am just an idiot and I should let someone else fix this for me.

Thanks!
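As an added illustration (not part of any post in this thread), here is a small Python parser for aswMBR logs like the one above: it pulls out the **INFECTED** file hits and the >>UNKNOWN [address]<< entries in the disk call chain, so a helper can triage the report rather than reading it line by line. The sample lines are constructed in the aswMBR format shown in this post.

```python
import re
from collections import Counter

# Constructed sample in the aswMBR log format shown in the post above.
SAMPLE_LOG = r"""
16:19:20.264 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8008865350]<<66742141.sys >>UNKNOWN [0xfffffa80074e95c4]<<hal.dll
16:32:47.829 File: C:\Users\Lucas\AppData\Local\Temp\29E2.tmp **INFECTED** Win32:MalOb-IK [Cryp]
16:35:11.400 File: C:\Users\Lucas\AppData\Local\Temp\jar_cache812827438487245398.tmp **INFECTED** Win32:Cycbot-OD [Trj]
16:56:53.314 File: C:\ProgramData\Microsoft\Windows\DRM\2934.tmp **INFECTED** Win32:Malware-gen
17:20:39.501 Scan finished successfully
"""

# One "File: <path> **INFECTED** <name> [<class>]" line; the [class] tag is
# optional (e.g. Win32:Malware-gen carries none).
INFECTED_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) File: (.+?) \*\*INFECTED\*\* (\S+)(?: \[(\w+)\])?$", re.M)
# aswMBR marks a hooked entry in the disk I/O call chain as >>UNKNOWN [address]<<.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def parse_infected(log_text):
    """Return one dict per **INFECTED** line: time, path, detection name, class tag."""
    return [
        {"time": t, "path": p, "detection": d, "class": c or None}
        for t, p, d, c in INFECTED_RE.findall(log_text)
    ]


def parse_unknown_hooks(log_text):
    """Return the addresses aswMBR flagged as unknown modules in the disk trace."""
    return UNKNOWN_RE.findall(log_text)


def family(detection):
    """'Win32:MalOb-IK' -> 'MalOb': drop the platform prefix and the variant suffix."""
    return detection.split(":", 1)[-1].split("-", 1)[0]


def summarize(log_text):
    """Triage view: hits per detection family and per directory, plus a rootkit flag."""
    hits = parse_infected(log_text)
    hooks = parse_unknown_hooks(log_text)
    return {
        "infected_files": len(hits),
        "by_family": dict(Counter(family(h["detection"]) for h in hits)),
        "by_dir": dict(Counter(h["path"].rsplit("\\", 1)[0] for h in hits)),
        "unknown_hooks": hooks,
        # An unknown module in the disk I/O chain is the classic sign of an MBR /
        # bootkit-style rootkit, which a plain file scan will not remove on its own.
        "disk_io_hooked": bool(hooks),
    }
```

Running `summarize()` over a full aswMBR.txt shows at a glance whether the hits are confined to temp folders and whether the disk driver chain is hooked, which is the part of this log that points at the boot rootkit TDSSKiller reported.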
 

Ex_Brit

If you're going through hell, keep going.
Staff member
#2
1st thing to try: boot into Safe Mode by tapping F8 repeatedly while booting up, then go to Start > All Programs > Accessories > System Tools > System Restore and see if you can take your machine back to before this happened.

An alternative means to start System Restore is to go to Start/Run and type in rstrui.exe and click Enter.

If successful, temporarily disable System Restore to delete the infected restore point.

If not, read on....

Boot into 'Safe Mode with Networking' and download the FREE version of THIS tool, update it (important) and then run a full scan ALL IN THAT MODE (it works!).

Hopefully that will get rid of it.

As far as TDSSKiller and ComboFix are concerned, they are best left to the experts on the malware removal forums.
 
#3
If you can't restore your old system, then try running Malwarebytes Anti-Malware, noobkiller, kaizer killer, and your AV with a full scan, and ComboFix, still in Safe Mode.