Win64/Patched.A infecting Widows\System32\services.exe

Jay Pfoutz · Nov 6, 2012

Download Windows Repair (all in one) from this site

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

Go to Step 4 and under "System Restore" click on Create button:

Go to Start Repairs tab and click Start button.

Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

Click on box next to the Restart System when Finished. Then click on Start.

Then, let me know if problems resolve.

Holden75 · Nov 6, 2012

Still getting "The AUTORUN.INF file is missing or corrupt": error

Jay Pfoutz · Nov 7, 2012

Please download VEW by Vino Rosso from here and save it to your desktop

Double click it to start it Note: If running Windows Vista or Windows 7 you will need to right click the file and select Run as administrator and click Continue or Allow at the User Account Control Prompt.

Click the check boxes next to Application and System located under Select log to query on the upper left

Under Select type to list on the right click the boxes next to Error and Warning Note: If running Windows Vista or Windows 7 also click the box next to Critical (not XP).

Under Number or date of events select Number of events and type 20 in the box next to 1 to 20 and click Run

Once it finishes it will display a log file in notepad

Please copy and paste its entire contents into your next reply

Holden75 · Nov 7, 2012

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 07/11/2012 6:46:28 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 02/11/2012 2:06:37 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: nvtray.exe, version: 7.17.13.142, time stamp: 0x4fb20fcd Faulting module name: nvtray.exe, version: 7.17.13.142, time stamp: 0x4fb20fcd Exception code: 0x40000015 Fault offset: 0x0000000000153481 Faulting process id: 0xa84 Faulting application start time: 0x01cdb83ef777c06e Faulting application path: C:\Program Files\NVIDIA Corporation\Display\nvtray.exe Faulting module path: C:\Program Files\NVIDIA Corporation\Display\nvtray.exe Report Id: eec64879-2491-11e2-88ae-002354a0c393

Log: 'Application' Date/Time: 01/11/2012 7:27:32 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: msmoney.exe, version: 17.0.0.724, time stamp: 0x46a6d80b Faulting module name: mnyob99.dll, version: 17.0.0.724, time stamp: 0x46a6d7c2 Exception code: 0xc0000005 Fault offset: 0x00115c88 Faulting process id: 0x1068 Faulting application start time: 0x01cdb80256d2573b Faulting application path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\msmoney.exe Faulting module path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\mnyob99.dll Report Id: 9915c928-23f5-11e2-8928-002354a0c393

Log: 'Application' Date/Time: 01/11/2012 7:25:41 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: msmoney.exe, version: 17.0.0.724, time stamp: 0x46a6d80b Faulting module name: mnyob99.dll, version: 17.0.0.724, time stamp: 0x46a6d7c2 Exception code: 0xc0000005 Fault offset: 0x00115c88 Faulting process id: 0xef4 Faulting application start time: 0x01cdb80216b114b8 Faulting application path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\msmoney.exe Faulting module path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\mnyob99.dll Report Id: 56c62cc8-23f5-11e2-8928-002354a0c393

Log: 'Application' Date/Time: 01/11/2012 7:23:36 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: msmoney.exe, version: 17.0.0.724, time stamp: 0x46a6d80b Faulting module name: mnyob99.dll, version: 17.0.0.724, time stamp: 0x46a6d7c2 Exception code: 0xc0000005 Fault offset: 0x00115c88 Faulting process id: 0x8c4 Faulting application start time: 0x01cdb801cd3fcddc Faulting application path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\msmoney.exe Faulting module path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\mnyob99.dll Report Id: 0c895591-23f5-11e2-8928-002354a0c393

Log: 'Application' Date/Time: 01/11/2012 7:23:08 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: msmoney.exe, version: 17.0.0.724, time stamp: 0x46a6d80b Faulting module name: mnyob99.dll, version: 17.0.0.724, time stamp: 0x46a6d7c2 Exception code: 0xc0000005 Fault offset: 0x00115c88 Faulting process id: 0x1138 Faulting application start time: 0x01cdb801bc3e38fd Faulting application path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\msmoney.exe Faulting module path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\mnyob99.dll Report Id: fb6c490b-23f4-11e2-8928-002354a0c393

Log: 'Application' Date/Time: 01/11/2012 7:21:42 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: msmoney.exe, version: 17.0.0.724, time stamp: 0x46a6d80b Faulting module name: mnyob99.dll, version: 17.0.0.724, time stamp: 0x46a6d7c2 Exception code: 0xc0000005 Fault offset: 0x00115c88 Faulting process id: 0xd18 Faulting application start time: 0x01cdb80188a8d101 Faulting application path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\msmoney.exe Faulting module path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\mnyob99.dll Report Id: c8507fa7-23f4-11e2-8928-002354a0c393

Log: 'Application' Date/Time: 01/11/2012 7:21:31 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: msmoney.exe, version: 17.0.0.724, time stamp: 0x46a6d80b Faulting module name: mnyob99.dll, version: 17.0.0.724, time stamp: 0x46a6d7c2 Exception code: 0xc0000005 Fault offset: 0x00115c88 Faulting process id: 0x138c Faulting application start time: 0x01cdb801721f7187 Faulting application path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\msmoney.exe Faulting module path: C:\Program Files (x86)\Microsoft Money Plus\MNYCoreFiles\mnyob99.dll Report Id: c202f127-23f4-11e2-8928-002354a0c393

Log: 'Application' Date/Time: 31/10/2012 7:40:38 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: firefox.exe, version: 16.0.2.4680, time stamp: 0x50882871 Faulting module name: xul.dll, version: 16.0.2.4680, time stamp: 0x508827d6 Exception code: 0xc0000005 Fault offset: 0x00130ef7 Faulting process id: 0xb4c Faulting application start time: 0x01cdb72ad1a22004 Faulting application path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Faulting module path: C:\Program Files (x86)\Mozilla Firefox\xul.dll Report Id: 42ae070e-232e-11e2-852f-002354a0c393

Log: 'Application' Date/Time: 31/10/2012 2:27:13 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: firefox.exe, version: 16.0.2.4680, time stamp: 0x50882871 Faulting module name: xul.dll, version: 16.0.2.4680, time stamp: 0x508827d6 Exception code: 0xc0000005 Fault offset: 0x00130ef7 Faulting process id: 0xd5c Faulting application start time: 0x01cdb70ee41c6e56 Faulting application path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Faulting module path: C:\Program Files (x86)\Mozilla Firefox\xul.dll Report Id: 7a86e1de-2302-11e2-852f-002354a0c393

Log: 'Application' Date/Time: 30/10/2012 12:06:57 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program iexplore.exe version 9.0.8112.16450 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 1750 Start Time: 01cdb6325d791a2f Termination Time: 9 Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe Report Id:

Log: 'Application' Date/Time: 30/10/2012 12:06:07 AM
Type: Error Category: 0
Event: 10005 Source: MsiInstaller
Product: AVG PC TuneUp -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2203. The arguments are: C:\Windows\Installer\57e8c0.ipi, -2147287035,

Log: 'Application' Date/Time: 30/10/2012 12:04:53 AM
Type: Error Category: 0
Event: 10006 Source: Microsoft-Windows-RestartManager
Application or service 'Windows Explorer' could not be shut down.

Log: 'Application' Date/Time: 28/10/2012 5:12:18 PM
Type: Error Category: 0
Event: 10005 Source: MsiInstaller
Product: Windows Defender -- You do not need to install this software because Windows Defender is included in Windows Vista. You can access Windows Defender from the Security section of the Windows Control Panel.

Log: 'Application' Date/Time: 27/10/2012 11:03:48 PM
Type: Error Category: 0
Event: 8194 Source: VSS
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. . This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {d1d54e9e-ea2d-4284-ae68-bcae3f9aa7c5}

Log: 'Application' Date/Time: 27/10/2012 9:41:36 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: mshtml.dll, version: 9.0.8112.16450, time stamp: 0x50372c8a Exception code: 0xc0000005 Fault offset: 0x001d9ad6 Faulting process id: 0x1150 Faulting application start time: 0x01cdb48b42fa11f5 Faulting application path: C:\Windows\SysWOW64\svchost.exe Faulting module path: C:\Windows\SysWOW64\mshtml.dll Report Id: 148e7909-207f-11e2-a233-002354a0c393

Log: 'Application' Date/Time: 27/10/2012 9:16:24 PM
Type: Error Category: 0
Event: 11303 Source: MsiInstaller
Product: Microsoft Money Shared Libraries -- Error 1303.Microsoft Money Shared Libraries cannot be installed to the selected drive. Type or select another drive, such as drive C or drive D.

Log: 'Application' Date/Time: 27/10/2012 9:16:19 PM
Type: Error Category: 0
Event: 11303 Source: MsiInstaller
Product: Microsoft Money Shared Libraries -- Error 1303.Microsoft Money Shared Libraries cannot be installed to the selected drive. Type or select another drive, such as drive C or drive D.

Log: 'Application' Date/Time: 21/10/2012 6:21:18 PM
Type: Error Category: 0
Event: 10005 Source: MsiInstaller
Product: Java Auto Updater -- Internal Error 2203. C:\Windows\Installer\9f88c.ipi, -2147287035

Log: 'Application' Date/Time: 18/10/2012 6:25:58 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: wmplayer.exe, version: 12.0.7601.17514, time stamp: 0x4ce7a485 Faulting module name: splitter.ax, version: 1.10.262.12, time stamp: 0x4c66576a Exception code: 0xc0000005 Fault offset: 0x0000816c Faulting process id: 0x1538 Faulting application start time: 0x01cdad5d9ae42c24 Faulting application path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Faulting module path: C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\splitter.ax Report Id: 42247b59-1951-11e2-b33e-002354a0c393

Log: 'Application' Date/Time: 18/10/2012 7:46:10 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program wmplayer.exe version 12.0.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: c90 Start Time: 01cdad03b2ce5291 Termination Time: 93 Application Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Report Id: dd3a7cfc-18f7-11e2-8028-002354a0c393

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 07/11/2012 1:47:44 AM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.

Log: 'Application' Date/Time: 07/11/2012 1:41:45 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, WpcClamperProv, has been registered in the Windows Management Instrumentation namespace ROOT\CIMV2\Applications\WindowsParentalControls to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:45 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, WpcClamperProv, has been registered in the Windows Management Instrumentation namespace ROOT\CIMV2\Applications\WindowsParentalControls to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:31 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, MS_NT_EVENTLOG_EVENT_PROVIDER, has been registered in the Windows Management Instrumentation namespace Root\CIMV2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:31 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, MS_NT_EVENTLOG_EVENT_PROVIDER, has been registered in the Windows Management Instrumentation namespace Root\CIMV2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:09 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, HiPerfCooker_v1, has been registered in the Windows Management Instrumentation namespace Root\WMI to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:09 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, HiPerfCooker_v1, has been registered in the Windows Management Instrumentation namespace Root\WMI to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:08 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, CommandLineEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:08 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, CommandLineEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:08 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, LogFileEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:08 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, LogFileEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:08 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, ActiveScriptEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:08 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, ActiveScriptEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:07 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, ActiveScriptEventConsumer, has been registered in the Windows Management Instrumentation namespace root\subscription to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:07 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, ActiveScriptEventConsumer, has been registered in the Windows Management Instrumentation namespace root\subscription to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:07 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, CommandLineEventConsumer, has been registered in the Windows Management Instrumentation namespace root\subscription to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:07 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, CommandLineEventConsumer, has been registered in the Windows Management Instrumentation namespace root\subscription to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:07 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, LogFileEventConsumer, has been registered in the Windows Management Instrumentation namespace root\subscription to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 1:41:07 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, LogFileEventConsumer, has been registered in the Windows Management Instrumentation namespace root\subscription to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 07/11/2012 12:51:07 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 15 user registry handles leaked from \Registry\User\S-1-5-21-793335173-2078993848-683706515-1001:
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001\Software\Microsoft\SystemCertificates\trust
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001\Software\Microsoft\SystemCertificates\My
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001\Software\Microsoft\SystemCertificates\CA
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001\Software\Microsoft\SystemCertificates\Root
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001\Software\Microsoft\SystemCertificates\TrustedPeople
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001\Software\Policies\Microsoft\SystemCertificates
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001\Software\Policies\Microsoft\SystemCertificates
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001\Software\Policies\Microsoft\SystemCertificates
Process 2688 (\Device\HarddiskVolume4\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-793335173-2078993848-683706515-1001\Software\Policies\Microsoft\SystemCertificates

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 09/07/2012 3:48:55 AM
Type: Critical Category: 64
Event: 10111 Source: Microsoft-Windows-DriverFrameworks-UserMode
The device K:\ (location (unknown)) is offline due to a user-mode driver crash. Windows will attempt to restart the device 5 more times. Please contact the device manufacturer for more information about this problem.

Log: 'System' Date/Time: 09/07/2012 3:48:55 AM
Type: Critical Category: 64
Event: 10110 Source: Microsoft-Windows-DriverFrameworks-UserMode
A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.

Log: 'System' Date/Time: 08/07/2012 11:12:52 PM
Type: Critical Category: 64
Event: 10111 Source: Microsoft-Windows-DriverFrameworks-UserMode
The device SEAN'S IPOD (location (unknown)) is offline due to a user-mode driver crash. Windows will attempt to restart the device 5 more times. Please contact the device manufacturer for more information about this problem.

Log: 'System' Date/Time: 08/07/2012 11:12:52 PM
Type: Critical Category: 64
Event: 10110 Source: Microsoft-Windows-DriverFrameworks-UserMode
A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.

Log: 'System' Date/Time: 08/07/2012 11:01:10 PM
Type: Critical Category: 64
Event: 10111 Source: Microsoft-Windows-DriverFrameworks-UserMode
The device SEAN'S IPOD (location (unknown)) is offline due to a user-mode driver crash. Windows will attempt to restart the device 5 more times. Please contact the device manufacturer for more information about this problem.

Log: 'System' Date/Time: 08/07/2012 11:01:10 PM
Type: Critical Category: 64
Event: 10110 Source: Microsoft-Windows-DriverFrameworks-UserMode
A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.

Log: 'System' Date/Time: 07/07/2012 8:13:35 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 07/11/2012 4:18:36 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {ED1D0FDF-4414-470A-A56D-CFB68623FC58} did not register with DCOM within the required timeout.

Log: 'System' Date/Time: 07/11/2012 1:50:02 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

Log: 'System' Date/Time: 07/11/2012 1:50:02 AM
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 07/11/2012 1:48:01 AM
Type: Error Category: 0
Event: 14332 Source: Microsoft-Windows-WMPNSS-Service
Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070420'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

Log: 'System' Date/Time: 07/11/2012 1:02:29 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

Log: 'System' Date/Time: 07/11/2012 1:02:29 AM
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 04/11/2012 10:04:38 PM
Type: Error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk5\DR5.

Log: 'System' Date/Time: 04/11/2012 9:35:28 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

Log: 'System' Date/Time: 04/11/2012 9:35:28 PM
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 04/11/2012 9:26:54 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The NVIDIA Stereoscopic 3D Driver Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 03/11/2012 6:55:50 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

Log: 'System' Date/Time: 03/11/2012 6:55:50 PM
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 03/11/2012 12:17:03 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

Log: 'System' Date/Time: 03/11/2012 12:17:03 AM
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 03/11/2012 12:01:14 AM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The NVIDIA Stereoscopic 3D Driver Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 02/11/2012 2:06:35 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

Log: 'System' Date/Time: 02/11/2012 2:06:35 AM
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 01/11/2012 2:43:55 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

Log: 'System' Date/Time: 01/11/2012 2:43:55 PM
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 01/11/2012 7:49:36 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 04/11/2012 10:58:09 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name www.lucysgirlsnextdoor.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 28/10/2012 8:11:00 PM
Type: Warning Category: 0
Event: 1116 Source: Microsoft Antimalware
The event description cannot be found.

Log: 'System' Date/Time: 28/10/2012 8:10:59 PM
Type: Warning Category: 0
Event: 1116 Source: Microsoft Antimalware
The event description cannot be found.

Log: 'System' Date/Time: 28/10/2012 8:10:59 PM
Type: Warning Category: 0
Event: 1116 Source: Microsoft Antimalware
The event description cannot be found.

Log: 'System' Date/Time: 28/10/2012 8:10:59 PM
Type: Warning Category: 0
Event: 1116 Source: Microsoft Antimalware
The event description cannot be found.

Log: 'System' Date/Time: 28/10/2012 8:10:59 PM
Type: Warning Category: 0
Event: 1116 Source: Microsoft Antimalware
The event description cannot be found.

Log: 'System' Date/Time: 28/10/2012 8:10:59 PM
Type: Warning Category: 0
Event: 1116 Source: Microsoft Antimalware
The event description cannot be found.

Log: 'System' Date/Time: 28/10/2012 8:10:58 PM
Type: Warning Category: 0
Event: 1116 Source: Microsoft Antimalware
The event description cannot be found.

Log: 'System' Date/Time: 28/10/2012 7:10:01 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name www.twine.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 24/10/2012 5:41:11 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name insider.msg.yahoo.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 24/10/2012 5:40:17 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 24/10/2012 5:39:21 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 21/10/2012 5:58:33 AM
Type: Warning Category: 0
Event: 8021 Source: BROWSER
The browser service was unable to retrieve a list of servers from the browser master \\RON-HP on the network \Device\NetBT_Tcpip_{CA45B2FF-91A3-4326-B67E-E2B5DC938D04}. Browser master: \\RON-HP Network: \Device\NetBT_Tcpip_{CA45B2FF-91A3-4326-B67E-E2B5DC938D04} This event may be caused by a temporary loss of network connectivity. If this message appears again, verify that the server is still connected to the network. The return code is in the Data text box.

Log: 'System' Date/Time: 14/10/2012 1:14:16 AM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name www.gamersbrain.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 10/10/2012 2:00:01 PM
Type: Warning Category: 0
Event: 8021 Source: BROWSER
The browser service was unable to retrieve a list of servers from the browser master \\RON-HP on the network \Device\NetBT_Tcpip_{CA45B2FF-91A3-4326-B67E-E2B5DC938D04}. Browser master: \\RON-HP Network: \Device\NetBT_Tcpip_{CA45B2FF-91A3-4326-B67E-E2B5DC938D04} This event may be caused by a temporary loss of network connectivity. If this message appears again, verify that the server is still connected to the network. The return code is in the Data text box.

Log: 'System' Date/Time: 09/10/2012 1:42:22 PM
Type: Warning Category: 0
Event: 8021 Source: BROWSER
The browser service was unable to retrieve a list of servers from the browser master \\RON-HP on the network \Device\NetBT_Tcpip_{CA45B2FF-91A3-4326-B67E-E2B5DC938D04}. Browser master: \\RON-HP Network: \Device\NetBT_Tcpip_{CA45B2FF-91A3-4326-B67E-E2B5DC938D04} This event may be caused by a temporary loss of network connectivity. If this message appears again, verify that the server is still connected to the network. The return code is in the Data text box.

Log: 'System' Date/Time: 08/10/2012 11:04:39 PM
Type: Warning Category: 0
Event: 8021 Source: BROWSER
The browser service was unable to retrieve a list of servers from the browser master \\RON-HP on the network \Device\NetBT_Tcpip_{CA45B2FF-91A3-4326-B67E-E2B5DC938D04}. Browser master: \\RON-HP Network: \Device\NetBT_Tcpip_{CA45B2FF-91A3-4326-B67E-E2B5DC938D04} This event may be caused by a temporary loss of network connectivity. If this message appears again, verify that the server is still connected to the network. The return code is in the Data text box.

Log: 'System' Date/Time: 02/10/2012 8:21:26 AM
Type: Warning Category: 0
Event: 1073 Source: USER32
The attempt by user Sean-PC\Sean to restart/shutdown computer SEAN-PC failed

Log: 'System' Date/Time: 29/09/2012 11:45:46 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name xchat14.myfreecams.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 29/09/2012 11:45:43 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name xchat14.myfreecams.com timed out after none of the configured DNS servers responded.

Jay Pfoutz · Nov 8, 2012

Did you have an old version of MS Money prior to trying to install Sunset?

Holden75 · Nov 8, 2012

Yes. Upgrading Money requires an uninstall of earlier versions, but now I cannot install previous versions anymore because I get the AUTORUN.INF error message.

Jay Pfoutz · Nov 8, 2012

One more question, did the install file have a file extension .msi?

Holden75 · Nov 8, 2012

It is a setup.exe file. The downloaded money file is a self-extracting executable file. When it finishes extracting it run the setup.exe file and that is when I get the AUTORUN.INF error message.

Jay Pfoutz · Nov 9, 2012

Okie dokie, just what I needed to know.

Please open OTM

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose Copy):

:reg
[+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

:Commands
[emptytemp]
[purity]
[Reboot]

Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFilesfolder, and
open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Holden75 · Nov 11, 2012

I started OTM and did what you said to do last night when I went to bed and when I woke up it had done nothing. I was Not Responding.

Jay Pfoutz · Nov 11, 2012

Download the attached zip file, extract contents...double-click on msmoneyfix.reg, confirm. Then, reboot your computer.

Once done, test the MS Money Sunset.

Holden75 · Nov 11, 2012

Still the same missing or corrupt error

Jay Pfoutz · Nov 12, 2012

Perform a clean boot, then try again: http://support.microsoft.com/kb/929135

The Microsoft Money forum site: http://social.microsoft.com/Forums/en/money/threads

Holden75 · Nov 13, 2012

I followed a suggestion someone made in those forums and it has installed. Thank you for all your help

Jay Pfoutz · Nov 13, 2012

You're welcome. Topic marked solved.

TechSpot

Welcome to TechSpot

Win64/Patched.A infecting Widows\System32\services.exe

Jay Pfoutz Malware Helper Posts: 4,286 +49

Holden75 Newcomer, in training Posts: 36

Jay Pfoutz Malware Helper Posts: 4,286 +49

Holden75 Newcomer, in training Posts: 36

Jay Pfoutz Malware Helper Posts: 4,286 +49

Holden75 Newcomer, in training Posts: 36

Jay Pfoutz Malware Helper Posts: 4,286 +49

Holden75 Newcomer, in training Posts: 36

Jay Pfoutz Malware Helper Posts: 4,286 +49

Holden75 Newcomer, in training Posts: 36

Jay Pfoutz Malware Helper Posts: 4,286 +49

Attached Files:

msmoneyfix.zip

Holden75 Newcomer, in training Posts: 36

Jay Pfoutz Malware Helper Posts: 4,286 +49

Holden75 Newcomer, in training Posts: 36

Jay Pfoutz Malware Helper Posts: 4,286 +49

Add New Comment

	Social Login & Guest Posting			TechSpot Members Login here or sign up for free, it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.