TechSpot

Win64 Patched.a and other crap

Inactive-A
By Philippe
Jun 16, 2013
  1. Philippe

    Philippe TS Rookie Topic Starter Posts: 23

    Results of screen317's Security Check version 0.99.68
    Windows 7 x64 (UAC is enabled)
    Out of date service pack!!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Avira Desktop
    Antivirus up to date! (On Access scanning disabled!)
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.75.0.1300
    Java(TM) 6 Update 32
    Java 7 Update 25
    Adobe Flash Player 11.7.700.224
    Mozilla Firefox 21.0 Firefox out of Date!
    Mozilla Thunderbird (17.0.)
    ````````Process Check: objlist.exe by Laurent````````
    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
     
  2. Philippe

    Philippe TS Rookie Topic Starter Posts: 23

    Farbar Service Scanner Version: 27-06-2013
    Ran by Philippe Marchal (administrator) on 02-07-2013 at 18:11:54
    Running from "D:\Downloads"
    Microsoft Windows 7 Ultimate (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys
    [2009-07-14 01:25] - [2009-07-14 03:45] - 1898576 ____A (Microsoft Corporation) 912107716BAB424C7870E8E6AF5E07E1

    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\ipnathlp.dll => MD5 is legit
    C:\Windows\System32\iphlpsvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  3. Philippe

    Philippe TS Rookie Topic Starter Posts: 23

    C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting (after the next restart) - quarantined
    C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting (after the next restart) - quarantined
    C:\Qoobox\Quarantine\C\Users\Philippe Marchal\AppData\Roaming\117043\117043.exe.vir Win32/Injector.Autoit.MA trojan cleaned by deleting - quarantined
    C:\Users\Philippe Marchal\AppData\Roaming\Mozilla\Firefox\Profiles\ldpyy1al.default\prefs.js JS/SecurityDisabler.A.Gen application cleaned by deleting - quarantined
    C:\Users\Philippe Marchal\AppData\Roaming\Mozilla\Firefox\Profiles\ldpyy1al.default\prefs.js.BAK JS/SecurityDisabler.A.Gen application cleaned by deleting - quarantined
    D:\ABP\APB_Reloaded_Installer.exe Win32/OpenCandy application cleaned by deleting - quarantined
    D:\Downloads\Adobe CS5 Master Collection.iso a variant of Win32/Keygen.BH application deleted - quarantined
    D:\Downloads\cbsi-3_2_5_39-10494267.exe a variant of Win32/CNETInstaller.A application cleaned by deleting - quarantined
    D:\Downloads\DM-247.exe Win32/HotSpotShield application cleaned by deleting - quarantined
    D:\Downloads\Holdem Manager CRACKED 100% Working.zip a variant of MSIL/TrojanDropper.Agent.HV trojan deleted - quarantined
    D:\Downloads\AE CS5 Plugins Collection x64 v2.1\Boris.Continuum.Complete.7 CS5\Boris.Continuum.Complete.7.AE.WinAll-ZARDOZ.rar Win32/HackTool.Patcher.A application deleted - quarantined
    D:\Downloads\AE CS5 Plugins Collection x64 v2.1\Red Giant CS5\Magic.Bullet.Suite CS5\Magic Bullet Colorista II\keygen.exe a variant of Win32/Keygen.DD application cleaned by deleting - quarantined
    D:\Downloads\AE CS5 Plugins Collection x64 v2.1\Red Giant CS5\Magic.Bullet.Suite CS5\Magic Bullet Colorista II\Keygen.rar a variant of Win32/Keygen.DD application deleted - quarantined
    D:\Downloads\AE CS5 Plugins Collection x64 v2.1\Red Giant CS5\Magic.Bullet.Suite CS5\Magic Bullet Mojo v1.2\Keygen-MESMERiZE\keygen.exe a variant of Win32/Keygen.DD application cleaned by deleting - quarantined
    D:\Downloads\AE CS5 Plugins Collection x64 v2.1\Video Co-Pilot Software CS5\Video-Co-Pilot Optical Flares CS5\Optical_Flares_v1.2.124_-_x64_x32.rar Win32/HackTool.Patcher.A application deleted - quarantined
    D:\Downloads\Autodesk AutoCad 2011 - X86x64- Multilanguage\Autodesk AutoCad 2011 - X86x64- Multilanguage.iso multiple threats deleted - quarantined
    D:\Downloads\Fable.III-SKIDROW\sr-fable3.iso a variant of Win32/Packed.VMProtect.AAA trojan deleted - quarantined
    D:\Downloads\Microsoft.Office.2010.Professional.Plus_(x64and x86)\MICROSOFT.OFFICE.2010.RTM.14.0.4734.1000 Professional Plus x86_en-us\setup.exe multiple threats cleaned by deleting - quarantined
    D:\Downloads\PLUGINS - Magic DeGun 2011 SCTV83\AEpluginsWarpLooks3Dflare\AEPluginsWarpLooks3Dflare\Magic.Bullet.Suite CS5\Magic Bullet Colorista II\Keygen.rar a variant of Win32/Keygen.DD application deleted - quarantined
    D:\Downloads\PLUGINS - Magic DeGun 2011 SCTV83\AEpluginsWarpLooks3Dflare\AEPluginsWarpLooks3Dflare\Magic.Bullet.Suite CS5\Magic Bullet Mojo v1.2\Keygen-MESMERiZE\keygen.exe a variant of Win32/Keygen.DD application cleaned by deleting - quarantined
    D:\SSD 30 - Backup\Users\Philippe\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-4010bbb6 multiple threats cleaned by deleting - quarantined
    D:\SSD 30 - Backup\Users\Philippe\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\4f8882a3-3190d993 probably a variant of Java/Agent.BR trojan cleaned by deleting - quarantined
    D:\SSD 30 - Backup\Users\Philippe\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\25bb4a6b-5c9f99c3 Java/TrojanDownloader.OpenStream.NBV trojan cleaned by deleting - quarantined
    E:\Creed\Microsoft Office 2013 Professional Plus x64x86 with Activator\setup.exe Win32/Injector.Autoit.MA trojan cleaned by deleting - quarantined
    E:\Creed\Microsoft Office 2013 Professional Plus x64x86 with Activator\x64\setup.exe Win32/Injector.Autoit.MA trojan cleaned by deleting - quarantined
    E:\Creed\Microsoft Office 2013 Professional Plus x64x86 with Activator\x86\setup.exe Win32/Injector.Autoit.MA trojan cleaned by deleting - quarantined
     
  4. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    FSS indicates some issue with Action Center service...

    Following steps involve registry editing. Please create new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/

    Windows 8: http://www.vikitech.com/11302/system-restore-windows-8

    Download win-7-8-action-center-notification-icon-missing.reg from here: http://www.bleepstatic.com/fhost/uploads/1/win-7-8-action-center-notification-icon-missing.reg
    Double-click on downloaded file and confirm the prompt.
    Restart computer.
    Post new FSS log.
    Update Firefox to the current 22.0 version.

    We need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista and 7 users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.
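    A way to re-check, from PowerShell, the three items the FSS logs in this thread flag (missing Action Center ShellServiceObjects key, WinDefend start type, DisableAntiSpyware policy) before posting a new FSS log. This is an added example, not part of the thread and not FSS's own code; the full ShellServiceObjects path is an assumption, since FSS abbreviates it.

```powershell
# Added example (not from the thread): re-check the three FSS findings above.
# Assumption: the key FSS prints as "HKLM\...\ShellServiceObjects" lives under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjects.
$findings = @()

# 1. Action Center notification icon: FSS reported this key as missing.
$ssoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}'
if (-not (Test-Path -LiteralPath $ssoKey)) {
    $findings += "Action Center ShellServiceObjects key is missing: $ssoKey"
}

# 2. WinDefend service: FSS expects start type Auto; the log showed Demand.
# Get-WmiObject is used so this also runs on the PowerShell 2.0 shipped with Windows 7.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"
if ($null -eq $svc) {
    $findings += 'WinDefend service is not installed'
} elseif ($svc.StartMode -ne 'Auto') {
    $findings += "WinDefend start type is $($svc.StartMode), expected Auto (state: $($svc.State))"
}

# 3. Defender disabled policy: the log showed DisableAntiSpyware = DWORD:1
#    under the product key. The same value can also be pushed by Group Policy
#    under the Policies hive, so both locations are checked.
foreach ($defKey in @('HKLM:\SOFTWARE\Microsoft\Windows Defender',
                      'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender')) {
    $props = Get-ItemProperty -LiteralPath $defKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.DisableAntiSpyware -eq 1) {
        $findings += "DisableAntiSpyware is set to 1 under $defKey"
    }
}

if ($findings.Count -eq 0) {
    'All three FSS items look healthy.'
} else {
    $findings
}
```

    Reading HKLM and service configuration does not require an elevated prompt, so this can be run as a normal user to confirm whether the .reg merge actually created the key.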
     
  5. Philippe

    Philippe TS Rookie Topic Starter Posts: 23

    Ran everything, but I think FSS still indicates the registry problem.

    Computer is running a lot smoother, although the one issue that still happens is that the Firefox process still keeps running after I close it. I still have to kill it with the Task Manager before being able to open a new browser.

    Farbar Service Scanner Version: 27-06-2013
    Ran by Philippe Marchal (administrator) on 04-07-2013 at 10:31:42
    Running from "D:\Downloads"
    Microsoft Windows 7 Ultimate (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys
    [2009-07-14 01:25] - [2009-07-14 03:45] - 1898576 ____A (Microsoft Corporation) 912107716BAB424C7870E8E6AF5E07E1

    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\ipnathlp.dll => MD5 is legit
    C:\Windows\System32\iphlpsvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  6. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    When you ran registry fix did it say registry merge was successful?

    Try to do it again and post new FSS log.
     
  7. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Still with me?
     
  8. Philippe

    Philippe TS Rookie Topic Starter Posts: 23

    Yes, sorry for the delay. I tried it again; it says the keys of bla bla bla have been added successfully. However, the FSS log remains the same.
     
  9. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Download Windows Repair (All in One) from this site

    Install the program then run it.

    NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
    NOTE 2. Disable your antivirus program before running Windows Repair.


    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:




    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:



    Go to Step 4 and under "System Restore" click on Create button:



    Go to Start Repairs tab and click Start button.

    Leave all checkmarks as they are.
    NOTE for Windows 8 users. Reset Registry Permissions is NOT checked by design.

    Click on Start button.


    Post Windows Repair log (_windows_repair_log.txt) which is located in the following folder:
    64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
    32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs

    Post new FSS log as well.
     
  10. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Still with me?
     
  11. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.
     
     
Topic Status:
Not open for further replies.

