That's the log from ServicesRepair.exe
The log I was referring to is from Farbar Service Scanner. The program should be called FSS.exe
Farbar Service Scanner Version: 31-05-2013 01
Ran by Mike's (administrator) on 14-06-2013 at 17:19:43
Running from "E:\"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-06-12 16:26] - [2013-05-08 07:39] - 1910632 ____A (Microsoft Corporation) 9849EA3843A2ADBDD1497E97A85D8CAE
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-13 06:51] - 0184320 ____A (Microsoft Corporation) D8129C49798CBBFB2E4351D4B7B8EF9C
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll Reparse point on file detected.
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
Looking like death to me :-(
Open Notepad one more time.
Inside Notepad, paste the highlighted text below.
Start
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
End
Save the file as Fixlist.txt to your Desktop. Make sure FRST64.exe and Fixlist.txt are on the desktop.
Right click on FRST64.exe and choose click on Yes button on the disclaimer window.
On the Farbar Recovery Scan Tool click on the Fix button. Once done it will create a Fixlog.txt on the Desktop. Restart and upload that file.
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-06-2013
Ran by Mike's at 2013-06-14 17:38:34 Run:2
Running from C:\Users\Mike's\Desktop
Boot Mode: Normal
==============================================
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
==== End of Fixlog ====
I apologize, Mike. Can you run FSS.exe one more time? Trying to see if we fixed the Defender service.
Farbar Service Scanner Version: 31-05-2013 01
Ran by Mike's (administrator) on 14-06-2013 at 17:43:43
Running from "E:\"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-06-12 16:26] - [2013-05-08 07:39] - 1910632 ____A (Microsoft Corporation) 9849EA3843A2ADBDD1497E97A85D8CAE
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-13 06:51] - 0184320 ____A (Microsoft Corporation) D8129C49798CBBFB2E4351D4B7B8EF9C
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
I wonder if these virus creators are watching this and enjoying the moment?
OK, back inside the FRST64.exe program, copy and paste this into the Search box:
tcpip.sys;cryptsvc.dll
Click the Search File(s) button
Farbar Recovery Scan Tool (x64) Version: 13-06-2013
Ran by Mike's at 2013-06-14 18:02:40
Running from C:\Users\Mike's\Desktop
Boot Mode: Normal
================== Search: "tcpip.sys;cryptsvc.dll" ===================
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.22322_none_7883b3211239122d\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-11 05:59] - 0142848 ____A (Microsoft Corporation) AC04D05309BB2C418D0D80B9FB014642
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.22321_none_7882b2d71239f8d6\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-10 06:06] - 0142848 ____A (Microsoft Corporation) E122AA1C9A3CC46FF9DDDE46E5EB0C58
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.22010_none_788c7cc71232cc19\cryptsvc.dll
[2012-10-10 08:15] - [2012-06-02 05:52] - 0142336 ____A (Microsoft Corporation) 063DD65889D21035311463337BD268E7
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21979_none_7854c7b7125b248c\cryptsvc.dll
[2012-06-14 16:41] - [2012-04-24 05:28] - 0142336 ____A (Microsoft Corporation) 21993009E0CCB9B4FA195F14D3408626
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.18151_none_77d8a461f934afb8\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-13 05:45] - 0140288 ____A (Microsoft Corporation) 3897DFF247D9ED0006190349DE264E14
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.18150_none_77d7a417f9359661\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-10 05:49] - 0140288 ____A (Microsoft Corporation) 33ADF6E0853AB39EA1723BE82842C1D3
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17856_none_77ddc9e5f93000db\cryptsvc.dll
[2012-10-10 08:15] - [2012-06-02 05:36] - 0140288 ____A (Microsoft Corporation) 96C0E38905CFD788313BE8E11DAE3F2F
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17827_none_77ff39f3f916c65f\cryptsvc.dll
[2012-06-14 16:41] - [2012-04-24 05:36] - 0140288 ____A (Microsoft Corporation) 06E771AA596B8761107AB57E99F128D7
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17514_none_7807034ff91166f4\cryptsvc.dll
[2010-11-21 04:24] - [2010-11-21 04:24] - 0136192 ____A (Microsoft Corporation) A585BEBF7D054BD9618EDA0922D5484A
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.22319_none_11d29984961f0be0\tcpip.sys
[2013-06-12 16:26] - [2013-05-08 07:14] - 1900392 ____A (Microsoft Corporation) 3E94650745D4DAB67E161F5F32CEA597
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.22209_none_11dd678a9616f2c8\tcpip.sys
[2013-02-18 08:26] - [2013-01-04 06:47] - 1901416 ____A (Microsoft Corporation) B8C1AAC0523E1C33AEB0EF7572144BA2
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.22124_none_11c2c45a962baed0\tcpip.sys
[2012-11-16 11:32] - [2012-10-03 18:44] - 1902472 ____A (Microsoft Corporation) D5707FC2300AA5B04B7BFE86D40C0133
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.22097_none_117a13de9661c145\tcpip.sys
[2012-09-12 09:32] - [2012-08-22 19:06] - 1901936 ____A (Microsoft Corporation) 7880A26B7D3B96FDA8EFD9F985036B1D
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21954_none_11a27a8e9643d23a\tcpip.sys
[2012-06-06 18:03] - [2012-03-30 11:26] - 1901424 ____A (Microsoft Corporation) 885B202006EE17AE99B9FBCEC9AF88C9
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.18148_none_11278ac57d1aa96b\tcpip.sys
[2013-06-12 16:26] - [2013-05-08 07:39] - 1910632 ____A (Microsoft Corporation) 9849EA3843A2ADBDD1497E97A85D8CAE
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.18042_none_112187237d20143a\tcpip.sys
[2013-02-18 08:26] - [2013-01-03 07:00] - 1913192 ____A (Microsoft Corporation) B62A953F2BF3922C8764A29C34A22899
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17964_none_110e0fbd7d2e4b88\tcpip.sys
[2012-11-16 11:32] - [2012-10-03 18:56] - 1914248 ____A (Microsoft Corporation) 37608401DFDB388CAF66917F6B2D6FB0
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17939_none_113380f37d117668\tcpip.sys
[2012-09-12 09:32] - [2012-08-22 19:12] - 1913200 ____A (Microsoft Corporation) F782CAD3CEDBB3F9FFE3BF2775D92DDC
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17802_none_114ceccb7cff740d\tcpip.sys
[2012-06-06 18:03] - [2012-03-30 12:35] - 1918320 ____A (Microsoft Corporation) ACB82BDA8F46C84F465C1AFA517DC4B9
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17514_none_114417c17d05cb37\tcpip.sys
[2010-11-21 04:24] - [2010-11-21 04:24] - 1924480 ____A (Microsoft Corporation) 509383E505C973ED7534A06B3D19688D
C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.22322_none_d4a24ea4ca968363\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-11 06:18] - 0186880 ____A (Microsoft Corporation) 8122252F0A4ACFA92FA0C1D50D18493B
C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.22321_none_d4a14e5aca976a0c\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-10 06:18] - 0186880 ____A (Microsoft Corporation) CA13C4F92BEE66DB48E58AB3223DDF6E
C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.22010_none_d4ab184aca903d4f\cryptsvc.dll
[2012-10-10 08:15] - [2012-06-04 08:52] - 0186880 ____A (Microsoft Corporation) 7E7D2DACF65D750D466F36BD3D09AE20
C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21979_none_d473633acab895c2\cryptsvc.dll
[2012-06-14 16:41] - [2012-04-24 06:22] - 0186880 ____A (Microsoft Corporation) B7337E9C9E5936355BB700AA33E0936E
C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.18151_none_d3f73fe5b19220ee\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-13 06:51] - 0184320 ____A (Microsoft Corporation) D8129C49798CBBFB2E4351D4B7B8EF9C
C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.18150_none_d3f63f9bb1930797\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-10 06:49] - 0184320 ____A (Microsoft Corporation) 7FDC4626B01106A8EF328C88C7C0DEE3
C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17856_none_d3fc6569b18d7211\cryptsvc.dll
[2012-10-10 08:15] - [2012-06-02 06:41] - 0184320 ____A (Microsoft Corporation) 9C01375BE382E834CC26D1B7EAF2C4FE
C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17827_none_d41dd577b1743795\cryptsvc.dll
[2012-06-14 16:41] - [2012-04-24 06:37] - 0184320 ____A (Microsoft Corporation) 4F5414602E2544A4554D95517948B705
C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17514_none_d4259ed3b16ed82a\cryptsvc.dll
[2010-11-21 04:24] - [2010-11-21 04:24] - 0177152 ____A (Microsoft Corporation) 15597883FBE9B056F276ADA3AD87D9AF
C:\Windows\SysWOW64\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-13 05:45] - 0140288 ____A (Microsoft Corporation) 3897DFF247D9ED0006190349DE264E14
C:\Windows\System32\cryptsvc.dll
[2013-06-12 16:26] - [2013-05-13 06:51] - 0184320 ____A (Microsoft Corporation) D8129C49798CBBFB2E4351D4B7B8EF9C
C:\Windows\System32\drivers\tcpip.sys
[2013-06-12 16:26] - [2013-05-08 07:39] - 1910632 ____A (Microsoft Corporation) 9849EA3843A2ADBDD1497E97A85D8CAE
C:\Users\Mike's\Documents\xp bak\My Documents\driverback\CRYPTSVC.DLL
[2012-06-15 09:48] - [2004-08-04 05:00] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B
C:\Users\Mike's\Documents\xp bak\My Documents\driverback\tcpip.sys
[2012-06-15 09:51] - [2005-05-25 20:04] - 0359808 ____A (Microsoft Corporation) 88763A98A4C26C409741B4AA162720C9
====== End Of Search ======