
@Broni the saver! please save my PC from Sirefef..:(

Discussion in 'Virus and Malware Removal' started by gamesms, Jun 26, 2012.

  1. Broni Malware Annihilator Posts: 39,398   +177

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | System | Stopped] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5E57A4CF-A0CD-4FC2-94F1-9AA1DE82192E}\MpKsl8ae75fa0.sys -- (MpKsl8ae75fa0)
      DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a0gnhw78)
      IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      O15 - HKU\S-1-5-21-2546657983-1106873551-1639024377-1001\..Trusted Domains: alipay.com ([]https in Trusted sites)
      O15 - HKU\S-1-5-21-2546657983-1106873551-1639024377-1001\..Trusted Domains: alisoft.com ([]https in Trusted sites)
      O15 - HKU\S-1-5-21-2546657983-1106873551-1639024377-1001\..Trusted Domains: taobao.com ([]https in Trusted sites)
      O33 - MountPoints2\{260a83bd-9117-11e1-a50b-0021919148fd}\Shell - "" = AutoRun
      O33 - MountPoints2\{260a83bd-9117-11e1-a50b-0021919148fd}\Shell\AutoRun\command - "" = G:\Startme.exe
      O33 - MountPoints2\{47ee91e8-5c38-11e0-962b-806e6f6e6963}\Shell - "" = AutoRun
      O33 - MountPoints2\{47ee91e8-5c38-11e0-962b-806e6f6e6963}\Shell\AutoRun\command - "" = notepad SeaToolsDOSguide.EN.txt
      [2011/02/25 07:18:11 | 000,000,088 | RHS- | C] () -- C:\ProgramData\9B8B3F0050.sys
      [2010/02/04 04:31:36 | 000,000,088 | RHS- | C] () -- C:\ProgramData\5019F804B8.sys
      [2009/11/08 00:13:34 | 000,000,088 | RHS- | C] () -- C:\ProgramData\A522B7E563.sys
      [C:\Windows\$NtUninstallKB13182$] -> Error: Cannot create file handle -> Unknown point type
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run from.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
  2. gamesms Newcomer, in training Posts: 45

    All processes killed
    ========== OTL ==========
    Service MpKsl8ae75fa0 stopped successfully!
    Service MpKsl8ae75fa0 deleted successfully!
    File C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5E57A4CF-A0CD-4FC2-94F1-9AA1DE82192E}\MpKsl8ae75fa0.sys not found.
    Error: No service named a0gnhw78 was found to stop!
    Service\Driver key a0gnhw78 not found.
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    Registry key HKEY_USERS\S-1-5-21-2546657983-1106873551-1639024377-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alipay.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-2546657983-1106873551-1639024377-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alisoft.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-2546657983-1106873551-1639024377-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\taobao.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{260a83bd-9117-11e1-a50b-0021919148fd}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260a83bd-9117-11e1-a50b-0021919148fd}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{260a83bd-9117-11e1-a50b-0021919148fd}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260a83bd-9117-11e1-a50b-0021919148fd}\ not found.
    File G:\Startme.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{47ee91e8-5c38-11e0-962b-806e6f6e6963}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47ee91e8-5c38-11e0-962b-806e6f6e6963}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{47ee91e8-5c38-11e0-962b-806e6f6e6963}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47ee91e8-5c38-11e0-962b-806e6f6e6963}\ not found.
    File notepad SeaToolsDOSguide.EN.txt not found.
    C:\ProgramData\9B8B3F0050.sys moved successfully.
    C:\ProgramData\5019F804B8.sys moved successfully.
    C:\ProgramData\A522B7E563.sys moved successfully.
    Unable to remove Unknown point type C:\Windows\$NtUninstallKB13182$
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 2470205 bytes
    ->Temporary Internet Files folder emptied: 12618737 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 5242912 bytes
    ->Flash cache emptied: 470 bytes

    User: All Users

    User: Bisho
    ->Temp folder emptied: 163713587 bytes
    ->Temporary Internet Files folder emptied: 70166248 bytes
    ->Java cache emptied: 11760235 bytes
    ->FireFox cache emptied: 77086953 bytes
    ->Google Chrome cache emptied: 262816914 bytes
    ->Apple Safari cache emptied: 877568 bytes
    ->Flash cache emptied: 110734 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Desktop

    User: nad
    ->Temp folder emptied: 162535 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Public

    User: Trial
    ->Temp folder emptied: 127588548 bytes
    ->Temporary Internet Files folder emptied: 61194868 bytes
    ->Java cache emptied: 513 bytes
    ->FireFox cache emptied: 82775958 bytes
    ->Flash cache emptied: 5907 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 39734 bytes
    RecycleBin emptied: 443292 bytes

    Total Files Cleaned = 838.00 mb


    [EMPTYJAVA]

    User: Administrator
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Bisho
    ->Java cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Desktop

    User: nad

    User: Public

    User: Trial
    ->Java cache emptied: 0 bytes

    User: UpdatusUser

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Bisho
    ->Flash cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Desktop

    User: nad

    User: Public

    User: Trial
    ->Flash cache emptied: 0 bytes

    User: UpdatusUser

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.53.0 log created on 06302012_235511

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  3. gamesms Newcomer, in training Posts: 45

    Results of screen317's Security Check version 0.99.24
    Windows 7 Service Pack 1 x86 (UAC is disabled!)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Microsoft Security Essentials Prerelease
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    TuneUp Utilities Language Pack (en-US)
    CCleaner
    Java(TM) 6 Update 33
    Java(TM) SE Development Kit 6 Update 26
    Java DB 10.6.2.1
    Adobe Flash Player11.3.300.262
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    ``````````End of Log````````````
  4. gamesms Newcomer, in training Posts: 45

    Farbar Service Scanner Version: 25-06-2012 01
    Ran by Bisho (administrator) on 01-07-2012 at 00:06:50
    Running from "D:\Downloads\Programs"
    Microsoft Windows 7 Ultimate Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.
    Windows Firewall:
    =============
    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.
    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    Firewall Disabled Policy:
    ==================
    System Restore:
    ============
    System Restore Disabled Policy:
    ========================
    Action Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================
    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit
    **** End of log ****
  5. Broni Malware Annihilator Posts: 39,398   +177

    I still need Eset scan log.
  6. gamesms Newcomer, in training Posts: 45

    I will try to make it tonight.. cause I tried but it took more than 3 hours and it didn't finish.. so I slept and it was at 24% and had found 3 infected files.
    Thanks for everything
     
  7. Broni Malware Annihilator Posts: 39,398   +177

  8. gamesms Newcomer, in training Posts: 45

    ESET scan log:

    C:\Program Files\Unlockroot\unlockroot.exe	a variant of Win32/Packed.VProtect.C application	cleaned by deleting - quarantined
    C:\Windows\System32\Launch JAF..exe	a variant of Win32/Packed.Themida application	cleaned by deleting - quarantined
    D:\$RECYCLE.BIN\S-1-5-21-935990401-1012392228-1743835088-1000\$R8DT869\Net\MsgPlusLive-483.exe	a variant of Win32/Adware.CiDHelp application	cleaned by deleting - quarantined
    D:\$RECYCLE.BIN\S-1-5-21-935990401-1012392228-1743835088-1000\$R8DT869\Sys Tools\Eset Keyfinder.exe	Win32/RiskWare.HackAV.FG application	cleaned by deleting - quarantined
    D:\Downloads\SoftonicDownloader_for_steam.exe	a variant of Win32/SoftonicDownloader.A application	cleaned by deleting - quarantined
    D:\Downloads\Collection Freeware to Create Bootable USB Drive to Install Windows and Linux\isotousb_setup.exe	a variant of Win32/TrojanDownloader.FakeAlert.FL trojan	cleaned by deleting - quarantined
    D:\Downloads\Collection Freeware to Create Bootable USB Drive to Install Windows and Linux\WinToFlash_0.7.0048-Beta.exe	a variant of Win32/InstallCore.W application	cleaned by deleting - quarantined
    D:\Downloads\Picture Collage Maker Pro 3.0.3 build 3402\PictureCollageMakerPro.exe	a variant of Win32/Injector.HGV trojan	cleaned by deleting - quarantined
    D:\Downloads\Programs\cole2k.media.-.codec.pack.v7.9.5.-advanced-.setup.exe	a variant of Win32/Toolbar.Widgi application	cleaned by deleting - quarantined
    D:\Downloads\Programs\JAF_Setup_1.98.63_PK_BUG_REMOVED.exe	a variant of Win32/Packed.Themida application	cleaned by deleting - quarantined
    D:\Downloads\Programs\Setup-MsgPlus-510.exe	a variant of Win32/MessengerPlus.A application	deleted - quarantined
    D:\Downloads\Programs\unlockroot23-eng.exe	a variant of Win32/Packed.VProtect.C application	cleaned by deleting - quarantined
    D:\Downloads\Programs\unlockroot23.exe	a variant of Win32/Packed.VProtect.C application	cleaned by deleting - quarantined
    D:\Program Files\LIMBO\limbo_lang.exe	a variant of Win32/Kryptik.EIF trojan	cleaned by deleting - quarantined
    F:\BASHIR\download\Prostitution.FRENCH.XXX.DVDRiP.XViD-LiPS_downloader.exe	a variant of Win32/ExpressFiles application	cleaned by deleting - quarantined
  9. Broni Malware Annihilator Posts: 39,398   +177

    Very well.

    Now, we have several registry keys missing.

    Following steps involve registry editing. Please create new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find several files inside.
    Double click on windefend.reg file and confirm the prompt.
    Double click on wscsvc.reg file and confirm the prompt.
    Double click on mpssvc.reg file and confirm the prompt.
    Restart computer.
    Post new FSS log.
  10. gamesms Newcomer, in training Posts: 45

    Farbar Service Scanner Version: 25-06-2012 01
    Ran by Bisho (administrator) on 02-07-2012 at 02:39:49
    Running from "D:\Downloads\Programs"
    Microsoft Windows 7 Ultimate Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.

    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Disabled. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
  11. Broni Malware Annihilator Posts: 39,398   +177

    We fixed registry key but we still have some services which are not running.

    Download Windows Repair (all in one) from this site

    Install the program then run

    Go to step 2 and allow it to run Disc check

    [IMG]



    Once that is done then go to step 3 and allow it to run SFC

    [IMG]


    On the Start Repairs tab click Start button.

    [IMG]


    Please ensure that items seen in the image below are ticked as indicated:

    [IMG]

    Click on box next to the Restart System when Finished. Then click on Start

    Post new FSS log.
  12. gamesms Newcomer, in training Posts: 45

    Yes, sir, I disabled some services myself to make my PC run fast, and for my main usage I think they are useless.. here is a snapshot of the services I already have not running and disabled manually..
    If one of the services can affect me in future, please let me know which it is so I can make it automatic.
    [IMG]
  13. Broni Malware Annihilator Posts: 39,398   +177

    Windows firewall and Action Center are not working.
    Both are crucial.
  14. gamesms Newcomer, in training Posts: 45

    Windows Firewall has been enabled again :)
    but I can't turn on Action Center from the taskbar..

    FSS log:
    Farbar Service Scanner Version: 25-06-2012 01
    Ran by Bisho (administrator) on 03-07-2012 at 04:26:58
    Running from "D:\My data\Desktop\Desktop\All Phones work\PC FIX"
    Microsoft Windows 7 Ultimate Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
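    The three FSS logs in this thread are read by eye for the same few patterns: a service key that FSS cannot open, a start type that differs from the service's default, a Disabled Policy value, and a protected system file whose MD5 is not legit. As an added example (not part of the thread and not FSS's own code), the Python below parses a constructed composite of those three logs and lists exactly those findings; the regular expressions assume the wording FSS printed above, and the sample log is assembled from the posted lines rather than captured from a machine.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log: a composite of the three Farbar Service Scanner logs
# posted in this thread (missing MpsSvc key, WinDefend start type changed,
# Defender policy set).  Not a real log; only the line formats are FSS's own.
SAMPLE_FSS = r"""Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
"""

# Line shapes as FSS prints them (assumed from the logs above).
NOT_RUNNING_RE = re.compile(r"^(?P<svc>\S+) Service is not running\. Checking service configuration:$")
ATTENTION_RE = re.compile(r"^Checking (?P<what>Start type|ImagePath|ServiceDll): ATTENTION!=+> (?P<msg>.+)$")
START_TYPE_RE = re.compile(r"^The start type of (?P<svc>\S+) service is set to (?P<cur>\w+)\. "
                           r"The default start type is (?P<dflt>\w+)\.$")
POLICY_HDR_RE = re.compile(r"^(?P<area>.+) Disabled Policy:$")
POLICY_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<val>\d+)$')
MD5_RE = re.compile(r"^(?P<path>.+) => MD5 (?P<verdict>.+)$")


def triage_fss(text: str) -> Dict[str, object]:
    """Walk an FSS log and collect the findings a helper would act on."""
    services: Dict[str, List[str]] = defaultdict(list)
    policies: List[str] = []
    bad_files: List[str] = []
    current_svc = None   # service whose "Checking ..." lines follow
    policy_area = None   # "<area> Disabled Policy:" section we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            current_svc = m.group("svc")
            policy_area = None
            services[current_svc].append("not running")
            continue
        m = ATTENTION_RE.match(line)
        if m and current_svc is not None:
            msg = m.group("msg")   # same text for Start type/ImagePath/ServiceDll; keep it once
            if msg not in services[current_svc]:
                services[current_svc].append(msg)
            continue
        m = START_TYPE_RE.match(line)
        if m:
            services[m.group("svc")].append(
                f"start type {m.group('cur')} (default {m.group('dflt')})")
            continue
        m = POLICY_HDR_RE.match(line)
        if m:
            policy_area = m.group("area")
            current_svc = None
            continue
        m = POLICY_VAL_RE.match(line)
        if m and policy_area is not None:
            policies.append(f"{policy_area}: {m.group('name')}={m.group('val')}")
            continue
        m = MD5_RE.match(line)
        if m and m.group("verdict") != "is legit":
            bad_files.append(m.group("path"))
            continue
        if line.endswith(":"):   # any other section header ends the current context
            current_svc = None
            policy_area = None
    return {"services": dict(services), "policies": policies, "bad_files": bad_files}


def summarize(report: Dict[str, object]) -> List[str]:
    """One line per stopped service, policy block and failed file check."""
    lines = []
    for svc, issues in sorted(report["services"].items()):
        lines.append(f"{svc}: " + "; ".join(issues))
    for pol in report["policies"]:
        lines.append(f"policy: {pol}")
    for path in report["bad_files"]:
        lines.append(f"file: {path} failed MD5 check")
    return lines


if __name__ == "__main__":
    for line in summarize(triage_fss(SAMPLE_FSS)):
        print(line)
```

A "not running" service with an OK configuration (wscsvc above) is still reported, because that is the state Broni flags as "not working" later in the thread; the fix differs (start the service) from a missing key (import the .reg) or a policy value (clear it), which is why the three are kept in separate buckets.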
  15. Broni Malware Annihilator Posts: 39,398   +177

    Good :)

    I'm not sure what exactly you mean by "turn on".

    Can you access Action Center manually? Start>Control Panel>Action Center
  16. gamesms Newcomer, in training Posts: 45

    Yes I am able to.. but I meant the flag on the taskbar

    see below the snapshot
    [IMG]
  17. Broni Malware Annihilator Posts: 39,398   +177

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :reg
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center /s
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  18. gamesms Newcomer, in training Posts: 45

    SystemLook 30.07.11 by jpshortstuff
    Log created at 05:01 on 03/07/2012 by Bisho
    Administrator - Elevation successful

    ========== reg ==========

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center]
    "ReNotifyCount"= 0x0000000002 (2)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks]
    (No values found)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 01 00 00 00 80 00 00 00 00 00 00 00 d9 8f be ad cb a2 ca 01 00 00 00 00 7b 00 30 00 31 00 39 00 37 00 39 00 63 00 36 00 61 00 2d 00 34 00 32 00 66 00 61 00 2d 00 34 00 31 00 34 00 63 00 2d 00 62 00 38 00 61 00 61 00 2d 00 65 00 65 00 65 00 32 00 63 00 38 00 32 00 30 00 32 00 30 00 31 00 38 00 7d 00 2e 00 6e 00 6f 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 30 00 00 00 00 31 00 37 00 39 00 31 00 00 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.101]
    (No values found)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}.check.101]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 61 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 73 00 5d 00 00 00 5d 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 73 00 5d 00 00 00 5d 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{945a8954-c147-4acd-923f-40c45405a658}.check.42]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 65 00 64 00 00 00 00 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}.check.100]
    "CheckSetting"=01 00 00 00 d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb 01 00 00 00 5a a4 5c 8e c6 be 1a 44 a6 98 33 cd 3a a9 1a 82 00 00 00 00 02 00 00 00 00 00 10 66 00 00 00 01 00 00 20 00 00 00 12 9c fb 5e 5d e9 db 4c a0 4a 34 39 fb 74 0c 4d fe a0 5d 2e 50 4b 9a c6 44 8b 12 55 2b e3 25 0e 00 00 00 00 0e 80 00 00 00 02 00 00 20 00 00 00 c8 b0 38 de 7e f8 bc 19 12 d0 c0 93 93 90 c0 ac ff ae 06 5b 8f e3 99 f0 af 44 25 05 58 da bc 51 30 00 00 00 d3 a6 d6 c8 d8 bd 05 ca 3f dc 33 5c eb 8d d0 ab fc 0e bc 39 60 c8 63 6b 22 21 08 62 3c 1b 77 1f 29 43 86 52 91 62 dd d7 3a b8 75 8a 21 23 fb ec 40 00 00 00 01 20 72 9b eb d0 89 7f 22 f6 63 6e 33 7d 4c 5e b0 01 cb 7c 2c 0f 75 42 49 1c 9e fa d1 06 8a fd 71 be c6 1f ef 75 e7 f8 39 b7 a2 05 78 da a1 c2 ae b2 08 9c 50 56 dd d8 05 71 3b 3b bb 86 06 bb (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 51 36 79 d5 03 00 00 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{DAB69A6A-4D2A-4D44-94BF-E0091898C881}.check.100]
    (No values found)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 2f 00 31 00 00 00 00 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 2f 00 31 00 00 00 00 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 2f 00 31 00 00 00 00 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.103]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 01 00 00 00 a0 00 00 00 00 00 00 00 37 c0 ba 11 bd 58 cd 01 00 00 00 00 7b 00 45 00 38 00 34 00 33 00 33 00 42 00 37 00 32 00 2d 00 35 00 38 00 34 00 32 00 2d 00 34 00 64 00 34 00 33 00 2d 00 38 00 36 00 34 00 35 00 2d 00 42 00 43 00 32 00 43 00 33 00 35 00 39 00 36 00 30 00 38 00 33 00 37 00 7d 00 2e 00 6e 00 6f 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 31 00 30 00 33 00 2e 00 32 00 2d 00 31 00 33 00 38 00 39 00 32 00 38 00 32 00 00 00 00 00 72 00 69 00 76 00 65 00 72 00 2e 00 70 00 68 00 70 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.104]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 73 00 5d 00 00 00 94 76 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.106]
    "CheckSetting"=23 00 41 00 43 00 42 00 6c 00 6f 00 62 00 00 00 00 00 00 00 01 00 00 00 a0 00 00 00 00 00 00 00 5b ea d3 25 14 41 cd 01 00 00 00 00 7b 00 45 00 38 00 34 00 33 00 33 00 42 00 37 00 32 00 2d 00 35 00 38 00 34 00 32 00 2d 00 34 00 64 00 34 00 33 00 2d 00 38 00 36 00 34 00 35 00 2d 00 42 00 43 00 32 00 43 00 33 00 35 00 39 00 36 00 30 00 38 00 33 00 37 00 7d 00 2e 00 6e 00 6f 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 31 00 30 00 36 00 2e 00 32 00 2d 00 33 00 32 00 38 00 35 00 37 00 32 00 31 00 31 00 00 00 72 00 69 00 76 00 65 00 72 00 2e 00 70 00 68 00 70 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers]
    (No values found)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog]
    (No values found)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{01979c6a-42fa-414c-b8aa-eee2c8202018}]
    "LastKnownState"=3c 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 4c 00 69 00 73 00 74 00 3e 00 0d 00 0a 00 20 00 20 00 3c 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 20 00 43 00 68 00 61 00 6e 00 6e 00 65 00 6c 00 3d 00 27 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2d 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 2d 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 42 00 61 00 63 00 6b 00 75 00 70 00 2f 00 41 00 63 00 74 00 69 00 6f 00 6e 00 43 00 65 00 6e 00 74 00 65 00 72 00 27 00 20 00 52 00 65 00 63 00 6f 00 72 00 64 00 49 00 64 00 3d 00 27 00 38 00 39 00 31 00 27 00 20 00 49 00 73 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 3d 00 27 00 74 00 72 00 75 00 65 00 27 00 2f 00 3e 00 0d 00 0a 00 3c 00 2f 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 4c 00 69 00 73 00 74 00 3e 00 00 00 00 00 00 00 20 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 64 00 6c 00 00 00 2c 00 02 00 00 00 02 00 00 00 00 00 00 00 37 7e 05 00 10 00 00 00 65 00 00 00 00 00 00 00 1d 00 00 00 00 00 00 00 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}]
    "LastKnownState"=3c 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 4c 00 69 00 73 00 74 00 3e 00 0d 00 0a 00 20 00 20 00 3c 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 20 00 43 00 68 00 61 00 6e 00 6e 00 65 00 6c 00 3d 00 27 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2d 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 2d 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 44 00 65 00 66 00 65 00 6e 00 64 00 65 00 72 00 2f 00 57 00 48 00 43 00 27 00 20 00 52 00 65 00 63 00 6f 00 72 00 64 00 49 00 64 00 3d 00 27 00 33 00 33 00 27 00 20 00 49 00 73 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 3d 00 27 00 74 00 72 00 75 00 65 00 27 00 2f 00 3e 00 0d 00 0a 00 3c 00 2f 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 4c 00 69 00 73 00 74 00 3e 00 00 00 6f 00 20 00 00 00 65 00 00 00 00 00 6b 00 4c 00 69 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 6c 00 00 00 2c 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{945a8954-c147-4acd-923f-40c45405a658}]
    "LastKnownState"=3c 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 4c 00 69 00 73 00 74 00 3e 00 0d 00 0a 00 20 00 20 00 3c 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 20 00 43 00 68 00 61 00 6e 00 6e 00 65 00 6c 00 3d 00 27 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2d 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 2d 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 55 00 70 00 64 00 61 00 74 00 65 00 43 00 6c 00 69 00 65 00 6e 00 74 00 2f 00 4f 00 70 00 65 00 72 00 61 00 74 00 69 00 6f 00 6e 00 61 00 6c 00 27 00 20 00 52 00 65 00 63 00 6f 00 72 00 64 00 49 00 64 00 3d 00 27 00 35 00 39 00 35 00 39 00 27 00 20 00 49 00 73 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 3d 00 27 00 74 00 72 00 75 00 65 00 27 00 2f 00 3e 00 0d 00 0a 00 3c 00 2f 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 4c 00 69 00 73 00 74 00 3e 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 2a 00 00 00 00 00 6c 00 00 00 2c 00 00 00 00 00 01 00 00 00 00 00 00 00 37 7e 05 00 03 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A}]
    "LastKnownState"=3c 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 4c 00 69 00 73 00 74 00 3e 00 0d 00 0a 00 20 00 20 00 3c 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 20 00 43 00 68 00 61 00 6e 00 6e 00 65 00 6c 00 3d 00 27 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2d 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 2d 00 44 00 69 00 61 00 67 00 6e 00 6f 00 73 00 69 00 73 00 2d 00 53 00 63 00 68 00 65 00 64 00 75 00 6c 00 65 00 64 00 2f 00 4f 00 70 00 65 00 72 00 61 00 74 00 69 00 6f 00 6e 00 61 00 6c 00 27 00 20 00 52 00 65 00 63 00 6f 00 72 00 64 00 49 00 64 00 3d 00 27 00 31 00 33 00 27 00 20 00 49 00 73 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 3d 00 27 00 74 00 72 00 75 00 65 00 27 00 2f 00 3e 00 0d 00 0a 00 3c 00 2f 00 42 00 6f 00 6f 00 6b 00 6d 00 61 00 72 00 6b 00 4c 00 69 00 73 00 74 00 3e 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 64 00 00 00 00 00 6c 00 00 00 2c 00 00 00 00 00 01 00 00 00 90 a1 23 00 f0 e4 89 01 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 (REG_BINARY)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog\{DAB69A6A-4D2A-4D44-94BF-E0091898C881}]
    (No values found)


    -= EOF =-
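The REG_BINARY values in the dump above are hex dumps of UTF-16LE text, which is why they look like noise. The Python below is an added example written for this page, not output of OTL or any tool used in the thread: it parses `"Name"=hh hh ... (REG_BINARY)` lines, extracts printable UTF-16LE runs the way `strings -el` does, and pulls the event-log channel and RecordId out of each LastKnownState bookmark. The sample dump is constructed inline (one key path copied from the log, one placeholder key path, payloads built by encoding text plus a few opaque trailer bytes), so it runs offline; the names `parse_reg_binary_dump`, `utf16le_strings`, `event_log_bookmarks` and `decode_dump` are this example's own.

```python
import re
from typing import Dict, List, Tuple

# --- Constructed sample input --------------------------------------------------
# Same line format as the registry dump posted above:  "Name"=hh hh ... (REG_BINARY)
# EVENTLOG_KEY is copied from the log; CHECK_KEY is a placeholder path made up for
# this example. Payloads are built here by UTF-16LE-encoding text and appending a
# few opaque trailer bytes, mimicking the real values.

def _reg_binary_line(name: str, payload: bytes) -> str:
    """Format a value the way the dump prints REG_BINARY data."""
    return f'"{name}"=' + " ".join(f"{b:02x}" for b in payload) + " (REG_BINARY)"

EVENTLOG_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                r"\Action Center\Providers\EventLog\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}")
CHECK_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Action Center\Checks\{00000000-0000-0000-0000-000000000000}.check.0")  # placeholder

_BOOKMARK_XML = ("<BookmarkList>\r\n  <Bookmark Channel='Microsoft-Windows-Windows Defender/WHC' "
                 "RecordId='33' IsCurrent='true'/>\r\n</BookmarkList>")
# Opaque bytes after the NUL terminator, as seen in the real values (constructed here).
_TRAILER = bytes.fromhex("0000 6f00 2000 0000 6500 0000 0000 6b00 4c00 6900 0200 0000")

SAMPLE_DUMP = "\n".join([
    f"[{EVENTLOG_KEY}]",
    _reg_binary_line("LastKnownState", _BOOKMARK_XML.encode("utf-16-le") + _TRAILER),
    "",
    f"[{CHECK_KEY}]",
    _reg_binary_line(
        "CheckSetting",
        "#ACBlob".encode("utf-16-le") + b"\x00\x00\x01\x00\x00\x00"
        + "{E8433B72-5842-4d43-8645-BC2C35960837}.notification.106.2-32857211".encode("utf-16-le")),
])

# --- Decoder -------------------------------------------------------------------
_KEY_RE = re.compile(r"^\s*\[(?P<key>HKEY_[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^\s*"(?P<name>[^"]+)"=(?P<hex>(?:[0-9a-fA-F]{2}\s*)+)\(REG_BINARY\)\s*$')
_BOOKMARK_RE = re.compile(r"<Bookmark\s+Channel='([^']+)'\s+RecordId='(\d+)'")


def parse_reg_binary_dump(text: str) -> Dict[str, Dict[str, bytes]]:
    """Map registry key -> {value name: raw bytes} for every REG_BINARY line."""
    result: Dict[str, Dict[str, bytes]] = {}
    key = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            result.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            result[key][m.group("name")] = bytes.fromhex(m.group("hex").replace(" ", ""))
    return result


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable UTF-16LE runs of at least min_len chars, scanning at even offsets
    (same idea as `strings -el`); short fragments in slack bytes are dropped."""
    out: List[str] = []
    run: List[str] = []
    for i in range(0, len(data) - 1, 2):
        cu = data[i] | (data[i + 1] << 8)
        if 0x20 <= cu < 0x7F or cu in (0x09, 0x0A, 0x0D):
            run.append(chr(cu))
        else:
            if len(run) >= min_len:
                out.append("".join(run))
            run = []
    if len(run) >= min_len:
        out.append("".join(run))
    return out


def event_log_bookmarks(dump: Dict[str, Dict[str, bytes]]) -> Dict[str, List[Tuple[str, int]]]:
    """For each key with a LastKnownState value, the (channel, RecordId) pairs it bookmarks."""
    found: Dict[str, List[Tuple[str, int]]] = {}
    for key, values in dump.items():
        raw = values.get("LastKnownState")
        if raw is None:
            continue
        pairs: List[Tuple[str, int]] = []
        for s in utf16le_strings(raw):
            pairs.extend((channel, int(rid)) for channel, rid in _BOOKMARK_RE.findall(s))
        found[key] = pairs
    return found


def decode_dump(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Every REG_BINARY value in the dump, replaced by its readable UTF-16LE runs."""
    return {key: {name: utf16le_strings(raw) for name, raw in values.items()}
            for key, values in parse_reg_binary_dump(text).items()}


if __name__ == "__main__":
    for key, values in decode_dump(SAMPLE_DUMP).items():
        print(f"[{key}]")
        for name, strings in values.items():
            print(f"  {name}: {strings}")
    print(event_log_bookmarks(parse_reg_binary_dump(SAMPLE_DUMP)))
```

Run against the values posted above, the LastKnownState entries decode to bookmarks into the Windows Backup/ActionCenter, Windows Defender/WHC, WindowsUpdateClient/Operational and Diagnosis-Scheduled/Operational channels, which is Action Center's own bookkeeping rather than a load point. Decoding before judging matters here: a hex blob under a user hive is easy to mistake for something planted, and stray text after the NUL terminator is slack that should not be read as a complete string on its own.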
  19. Broni Malware Annihilator Posts: 39,398   +177

    I don't see anything unusual.

    Restart the computer and see if it fixes the issue.
  20. gamesms Newcomer, in training Posts: 45

    Same thing.