
Infected Windows Defender MpSvc.dll file


This topic is locked
41 replies to this topic

#1 DJFudd


Posted 22 May 2013 - 11:04 AM

I have seen this before recently from D-Drop but I don't see a solution. My conditions are remarkably similar.

 

Going thru what B-boy/StyLe/ has to say, I am not sure what I need to send where. I have attached the RK log, Junction.log, and Farbar log.

Please tell me what to do next.

 

Thanks

 

 

 

Farbar Service Scanner Version: 14-04-2013
Ran by Dan (administrator) on 22-05-2013 at 08:28:03
Running from "C:\Users\Dan\Desktop"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2009-07-13 19:54] - [2009-07-13 21:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E

ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED.

C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

 

 

 

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dan [Admin rights]
Mode : Remove -- Date : 05/22/2013 08:26:41
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] cltmng.exe -- C:\Users\Dan\AppData\Roaming\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Dan\AppData\Roaming\SearchProtect\bin\cltmng.exe) [7] -> DELETED
[TASK][SUSP PATH] Funmoods : C:\Users\Dan\AppData\Roaming\Funmoods\UpdateProc\UpdateTask.exe /Check [-] -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

 

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD7500BPVT-55HXZT3 +++++
--- User ---
[MBR] 671c9ff5e246e147ca56cba1ee38c9a7
[BSP] 34197d814b2716ebd3bccb2a37fa7884 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 16377 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 33542144 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33746944 | Size: 698925 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4]_D_05222013_02d0826.txt >>
RKreport[1]_S_05032013_02d0921.txt ; RKreport[2]_D_05032013_02d0940.txt ; RKreport[3]_S_05222013_02d0824.txt ; RKreport[4]_D_05222013_02d0826.txt


Edited by jntkwx, 25 May 2013 - 12:26 PM.
Moved from Win 7 to Malware Removal Logs - Hamluis. Including logs in post (easier to read) - jntkwx


#2 jntkwx


Posted 25 May 2013 - 12:33 PM

Hi DJFudd,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.
  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.
  • In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this then choose Receive Notification Immediately and then click Follow This Topic and you will be sent an email once I have posted a response and make the cleaning process faster.

    Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

     

    Please download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#3 jntkwx


Posted 29 May 2013 - 04:28 PM

DJFudd,
 
It has been four days since my last post. Do you still need help?
 
If you do, please follow my previous instructions. :thumbup2:


Regards,
Jason

 



#4 DJFudd


Posted 29 May 2013 - 08:40 PM

Sorry, I thought that I had posted a reply with the appropriate files. The files are apparently too large to upload together.

 

I will upload separately.

 

Here is FRST.txt

 

 



Addition.txt to follow



#5 DJFudd


Posted 29 May 2013 - 08:44 PM

Sorry, I thought that I had posted a reply with the appropriate files. The files are apparently too large to upload together.

 

I will upload separately.

 

Here is Addition.txt

 

 




#6 DJFudd


Posted 29 May 2013 - 08:45 PM

Sorry for all of the extra posts, apparently I'm not as familiar with posting as I thought. Hopefully you have both files now.



#7 DJFudd


Posted 29 May 2013 - 08:49 PM

Back to FRST being too big. Suggestions?



#8 jntkwx


Posted 29 May 2013 - 08:51 PM

Having them attached is fine. I'm looking over the logs now, and I'll post back shortly.


Regards,
Jason

 



#9 jntkwx


Posted 29 May 2013 - 09:08 PM

Rerun FRST
Copy and paste the following text into a notepad document, and save it as fixlist.txt to the Desktop.

Start
C:\$Recycle.Bin\S-1-5-18\billy
End

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
 
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 
Run FRST/FRST64 and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.


Regards,
Jason

 



#10 DJFudd


Posted 30 May 2013 - 09:35 AM

Requested file attached.

 

Can I say that I am a little frustrated. I guess I have been in the computer business too long to understand some things. After I attach the document, my Post button disappears (moves?) and I seem to have to go thru hoops to get it back. 




#11 jntkwx


Posted 30 May 2013 - 10:07 AM

Requested file attached.
 
Can I say that I am a little frustrated. I guess I have been in the computer business too long to understand some things. After I attach the document, my Post button disappears (moves?) and I seem to have to go thru hoops to get it back.

 
That's really strange, and I can understand your frustration. What browser are you using?


Rerun FRST
Copy and paste the following text into a notepad document, and save it as fixlist.txt to the Desktop.

Start
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
End

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
 
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 
Run FRST/FRST64 and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.


Regards,
Jason

 

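An added, read-only illustration of the two checks this thread turns on; it is not code from Farbar Service Scanner, FRST or RogueKiller. It hashes each file in a directory against a caller-supplied catalogue of known-good digests, the way the FSS "File Check" section above reports "MD5 is legit", and it lists junction or symlink entries in that directory, which is what the DeleteJunctionsIndirectory fix in this post removes. The digest the FSS log shows for MpSvc.dll, D41D8CD98F00B204E9800998ECF8427E, is the MD5 of zero bytes, so the checker treats that value as "the real DLL was not read" rather than as a legitimate hash. The catalogue dict, file names and file contents are constructed for the demonstration and are not from the poster's machine.

```python
"""Added example, not code from Farbar Service Scanner, FRST or RogueKiller.

  1. Hash every file in a directory and compare with a caller-supplied
     catalogue of known-good MD5 digests (the "File Check" idea).  The
     value d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input, so
     it is flagged instead of being compared.
  2. Report junction / symlink entries in the directory.  This is the
     read-only counterpart of the DeleteJunctionsIndirectory fix.

Assumptions: the catalogue, file names and contents in build_sample_dir()
are constructed for this demonstration.
"""
import hashlib
import os
import shutil
import stat
import tempfile

# MD5 of empty input.  A DLL that "hashes" to this was not actually read.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# Windows sets this attribute on junctions and symlinks; on other platforms
# os.lstat() has no st_file_attributes and only the symlink test applies.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def is_reparse_point(path: str) -> bool:
    """True for a symlink on any platform, or any reparse point (junction) on Windows."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def md5_of_file(path: str) -> str:
    """Stream the file through MD5 so large DLLs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path: str, known_good: dict) -> str:
    """Return a verdict string for one directory entry."""
    if is_reparse_point(path):
        return "JUNCTION/SYMLINK"   # the kind of entry the FRST fix removes
    if os.path.isdir(path):
        return "DIR"
    digest = md5_of_file(path)
    if digest == EMPTY_MD5:
        return "EMPTY"              # zero-byte stub where a DLL should be
    expected = known_good.get(os.path.basename(path))
    if expected is None:
        return "UNKNOWN"            # not in the catalogue; cannot vouch for it
    return "OK" if digest == expected else "MISMATCH"


def scan_directory(directory: str, known_good: dict) -> dict:
    """Map every entry name in 'directory' to its verdict."""
    return {name: check_file(os.path.join(directory, name), known_good)
            for name in sorted(os.listdir(directory))}


def build_sample_dir():
    """Constructed sample: one good file, one tampered file, one zero-byte
    stub named like the DLL in the thread, and one symlink standing in for
    a junction.  Returns (directory, catalogue)."""
    d = tempfile.mkdtemp(prefix="defender_check_")
    catalogue = {}

    with open(os.path.join(d, "good.dll"), "wb") as f:
        f.write(b"good dll bytes")
    catalogue["good.dll"] = hashlib.md5(b"good dll bytes").hexdigest()

    with open(os.path.join(d, "tampered.dll"), "wb") as f:
        f.write(b"not what the catalogue expects")
    catalogue["tampered.dll"] = hashlib.md5(b"original dll bytes").hexdigest()

    open(os.path.join(d, "MpSvc.dll"), "wb").close()      # zero-byte stub
    catalogue["MpSvc.dll"] = "0" * 32                      # placeholder digest, constructed

    try:                                                   # symlink creation may be denied
        os.symlink(os.path.join(d, "good.dll"), os.path.join(d, "link.dll"))
    except OSError:
        pass
    return d, catalogue


def demo() -> dict:
    """Build the sample directory, scan it, clean up, and return the verdicts."""
    d, catalogue = build_sample_dir()
    try:
        return scan_directory(d, catalogue)
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

Run as a script it prints one verdict per sample file; on a real machine you would point scan_directory at the directory in question with a catalogue taken from a trusted source, and treat JUNCTION/SYMLINK and EMPTY entries in a program directory as the thing to investigate before trusting any "MD5 is legit" line.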


#12 DJFudd


Posted 30 May 2013 - 12:20 PM

I'm using IE8. That's where some of my problems stem from. I can't download anything. The download completes, then I get the message that the file has a virus and will be deleted.



#13 jntkwx


Posted 30 May 2013 - 11:20 PM

Ok, please follow my previous instructions to rerun FRST again.


Edited by jntkwx, 01 June 2013 - 07:49 AM.

Regards,
Jason

 



#14 DJFudd


Posted 01 June 2013 - 09:02 PM

Fixlog.txt attached




#15 jntkwx


Posted 01 June 2013 - 09:34 PM

How's the computer running now? Please be as descriptive as possible. :thumbup2:


Regards,
Jason

 





