#301
lol
Don't know if this will help or if your problem is worse, but I had this same problem over the weekend and wasn't able to shake it off until I rebooted in safe mode and deleted the app. McAfee full scan did not detect it. But I found the sucker in my Users/user/AppData/Roaming folder (your path may be different if you log on with a different name). It was an app with the name "amsecure" and a green shield logo. I deleted it early Sunday morning, rebooted, and it hasn't returned since. But I never clicked the box to purchase the product, so I don't know if that caused additional complications for you. BTW, when I hovered over it, it showed the File Description was ALPass and the company was ESTsoft Corp. That may be a bogus company.
Doug, thanks for the interest. I'll let cottonball digest that.
cottonball, jacee's scan just completed ( 6 hrs ). I've got evening appointments that can't be forestalled.
Will be back tomorrow.
This may be of some relevance ...
Your FSS Log shows: MpSvc.dll can be infected by virus Backdoor:PHP/C99shell.J which spreads through social network Flickr to download and install malware Movavi Screen Capture Personal on the affected machines.
Once infected, the file path of MpSvc.dll will be re-set as:
C:\WINDOWS\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_b3b1a27171e01f6c\
Farbar Service Scanner Version: 14-04-2013
Ran by Binnie (administrator) on 11-05-2013 at 15:25:02
Windows 7 Home Premium Service Pack 1 (X64)
************************************************
======== Search: "MpSvc.dll" =========
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpSvc.dll
[2009-07-13 16:54] - [2009-07-13 18:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_b3b1a27171e01f6c\MpSvc.dll
[2009-07-13 16:54] - [2009-07-13 18:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
C:\Program Files\Windows Defender\MpSvc.dll
[2009-07-13 16:54] - [2009-07-13 18:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
====== End Of Search ======
Yep, read the same stuff...
That is why Prescottbob is getting a new MpSvc.dll, and with CF and an FCopy:: all three of those will get a new life:
C:\MpSvc.dll | C:\Program Files\Windows Defender\MpSvc.dll
C:\MpSvc.dll | C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpSvc.dll
C:\MpSvc.dll | C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_b3b1a27171e01f6c\MpSvc.dll
Just need to confirm that the C:\MpSvc.dll is in the right place...
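An added example (my own code, not from the thread or from the FSS tool) that parses the Search block above and applies the check a responder would want before trusting it: D41D8CD98F00B204E9800998ECF8427E is the MD5 of zero bytes, so a line carrying it records no fingerprint of the 1011712-byte DLL, and three copies showing it say nothing about whether they match each other or the replacement.

```python
import re

# MD5 of empty input. A log line carrying it hashed no file content, so it is not
# a fingerprint of the DLL and cannot tell a clean copy from a replaced one.
EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"

# Detail line FSS prints under each path: [created] - [modified] - size attrs () MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \(\) (?P<md5>[0-9A-Fa-f]{32})$"
)

# The three MpSvc.dll hits copied from the FSS log posted in this thread.
FSS_SAMPLE = r"""
======== Search: "MpSvc.dll" =========
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpSvc.dll
[2009-07-13 16:54] - [2009-07-13 18:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_b3b1a27171e01f6c\MpSvc.dll
[2009-07-13 16:54] - [2009-07-13 18:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
C:\Program Files\Windows Defender\MpSvc.dll
[2009-07-13 16:54] - [2009-07-13 18:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
====== End Of Search ======
"""

def parse_fss_search(text):
    """Pair each path line with the detail line that follows it."""
    entries, path = [], None
    for line in text.splitlines():
        line = line.strip()
        m = DETAIL_RE.match(line)
        if m and path:
            entries.append({"path": path, **m.groupdict()})
            path = None
        elif line.startswith("C:\\"):
            path = line
    return entries

def check_entries(entries):
    """Flag sentinel hashes, then copies that disagree in hash or size."""
    findings = []
    for e in entries:
        if e["md5"].upper() == EMPTY_MD5:
            findings.append(f"no real hash recorded for {e['path']}")
    real = {e["md5"].upper() for e in entries} - {EMPTY_MD5}
    if len(real) > 1:
        findings.append("copies differ in hash: " + ", ".join(sorted(real)))
    if len({e["size"] for e in entries}) > 1:
        findings.append("copies differ in size")
    return findings
```

Run it on the log before and after the FCopy:: so you can see whether the three paths actually end up holding the same file; when every line still shows the sentinel, the scanner has not verified anything.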
This is what this Trojan Backdoor:PHP/C99shell.J does to an infected computer: Encyclopedia entry: Backdoor:PHP/C99shell.J - Learn more about malware - Microsoft Malware Protection Center
These are the most dangerous, and most widespread, type of Trojan.
Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.
If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; otherwise an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.
Trash Post #307, I didn't do something right!
SystemLook.txt
This should be the right one!
After this computer is clean, this might be asking too much, but if someone could post what infections were found and where in the system.
What programs or methods removed the problems.
My thoughts are this nasty Backdoor Trojan planted itself in Windows Defender and kept turning Windows Defender on so the trojan could do its nasty things. What a great way to hide an infection; inside a security program.