I'm trying to find a discrepancy somewhere! Just asking questions to find out what 'exactly' was quarantined, and why.
All of these are legit hash files for MpSvc.dll
Agics - System Processes - Filereport MpSvc.dll (MpSvc.dll plug-in)
Altho' this one is "not very common" C:\mpsvc.dll ------- 1011712 bytes [16:36 14/05/2013] [16:32 14/05/2013] CF318F60A84F15AF352439465A8D05F4
http://www.backgroundtask.eu/Systeem...439465A8D05F4/
Just looking and found this. Might help you and might not.
When I Google this.
CF318F60A84F15AF352439465A8D05F4
Lot of web sites that might be of some use.
https://www.google.com/search?q=9056...-a&channel=rcs
@Prescottbob ...
- Please download Autoruns http://download.sysinternals.com/files/Autoruns.zip and save it to your desktop.
- Right click on the downloaded file and choose Extract All Files.
- Once extracted, open the program named Autoruns.
- Click on Options and then Hide Microsoft and Windows Entries.
- Press F5 to refresh the startup list.
- Next go to File -> Save and choose the file type to Text File (.txt).
- Please attach the text file to your next reply.
It will be a few minutes-I'm away from the office on my Ipad.
That's okay .... also, read this Fake ‘Free Media Player’ distributed via rogue ‘Adobe Flash Player HD’ advertisement | Webroot Threat Blog - Internet Security Threat Updates from Around the World
Does this look like the Adobe link you might have clicked on?
I downloaded AUTORUNS.zip. When I right clicked it, I then clicked on EXTRACT ALL. I now have a window to extract all to the desktop\autoruns. I click extract and an EMPTY autoruns folder comes up!? Guidance please.
The Adobe thing I clicked on sure didn't look like the HD thing. I swear it looked just like the regular update window that comes up to install updates--but this one came up in the middle of the screen when I was leaving the REAL CLEAR POLITICS website having clicked on a like the took me to an article on REAL CLEAR TECHNOLOGY. However, that morning JAVA and ADOBE update windows had been persistent and I probably clicked on this thing to stop the interruptions.
I would suggest stop downloading things unless these good people request you to. Their will be no catching up with infections. You could be installing infection faster that these good people are removing them.
Sorry to interrupt your query, Prescottbob.
@Jacee,
On your post, #336:
C:\Program Files\Microsoft Security Client\MpSvc.dll --a---- 1555920 bytes [18:36 27/01/2013] [18:36 27/01/2013] 905601FFF40D8DA9FA82CBE77D1F5EB1
Thought you were just asking a question, until the "Good catch..." was mentioned. Couldn't figure that one out.
On:
C:\mpsvc.dll ------- 1011712 bytes [16:36 14/05/2013] [16:32 14/05/2013] CF318F60A84F15AF352439465A8D05F4
The link to that file was provided by one of our colleagues at BC. He also had an unusual entry on the FSS report.
You will not see mpsvc.dll placed in C:\ by any program, because that is just where I requested Prescottbob to save it.
From there, an FCopy was done to place it in C:\Program Files\Windows Defender\MpSvc.dll
The FSS run after the FCopy shows:
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
That is all with the C:\mpsvc.dll. It could just be removed, but, prefer to not do so yet.
I'm lost again, though...
Quarantined??...Can you tell me by what program?Just asking questions to find out what 'exactly' was quarantined, and why.
Prescottbob,
Please remove anything from Autoruns except the downloaded zipped file.
Right-click on the downloaded file and select: Extract to Autoruns\
It should create a folder on the Desktop also called Autoruns
In that folder, are there 4 entries, one of them being the application?
Quote
