Solved Do I have the w32 Blaster?

[Jacee]

I'm trying to find a discrepancy somewhere! Just asking questions to find out what 'exactly' was quarantined, and why.

All of these are legit hash files for MpSvc.dll
Agics - System Processes - Filereport MpSvc.dll (MpSvc.dll plug-in)

Altho' this one is "not very common" C:\mpsvc.dll ------- 1011712 bytes [16:36 14/05/2013] [16:32 14/05/2013] CF318F60A84F15AF352439465A8D05F4
http://www.backgroundtask.eu/Systeemtaken/Taakinfo/45594/MpSvc.dll/CF318F60A84F15AF352439465A8D05F4/

 

[Layback Bear]

Just looking and found this. Might help you and might not.
When I Google this.
CF318F60A84F15AF352439465A8D05F4
Lot of web sites that might be of some use.

https://www.google.com/search?q=905...a:en-US:official&client=firefox-a&channel=rcs

 

[Jacee]

@Prescottbob ...

• Please download Autoruns http://download.sysinternals.com/files/Autoruns.zip and save it to your desktop.
• Right click on the downloaded file and choose Extract All Files.
• Once extracted, open the program named Autoruns.
• Click on Options and then Hide Microsoft and Windows Entries.
• Press F5 to refresh the startup list.
• Next go to File -> Save and choose the file type to Text File (.txt).
• Please attach the text file to your next reply.

 

[Prescottbob]

It will be a few minutes-I'm away from the office on my Ipad.

 

[Jacee]

That's okay .... also, read this Fake ‘Free Media Player’ distributed via rogue ‘Adobe Flash Player HD’ advertisement | Webroot Threat Blog - Internet Security Threat Updates from Around the World
Does this look like the Adobe link you might have clicked on?

 

[Prescottbob]

I downloaded AUTORUNS.zip. When I right clicked it, I then clicked on EXTRACT ALL. I now have a window to extract all to the desktop\autoruns. I click extract and an EMPTY autoruns folder comes up!? Guidance please.

The Adobe thing I clicked on sure didn't look like the HD thing. I swear it looked just like the regular update window that comes up to install updates--but this one came up in the middle of the screen when I was leaving the REAL CLEAR POLITICS website having clicked on a like the took me to an article on REAL CLEAR TECHNOLOGY. However, that morning JAVA and ADOBE update windows had been persistent and I probably clicked on this thing to stop the interruptions.

 

[Layback Bear]

I would suggest stop downloading things unless these good people request you to. Their will be no catching up with infections. You could be installing infection faster that these good people are removing them.

 

[cottonball]

Sorry to interrupt your query, Prescottbob.

@Jacee,

On your post, #336:
C:\Program Files\Microsoft Security Client\MpSvc.dll --a---- 1555920 bytes [18:36 27/01/2013] [18:36 27/01/2013] 905601FFF40D8DA9FA82CBE77D1F5EB1

Thought you were just asking a question, until the "Good catch..." was mentioned. Couldn't figure that one out.

On:
C:\mpsvc.dll ------- 1011712 bytes [16:36 14/05/2013] [16:32 14/05/2013] CF318F60A84F15AF352439465A8D05F4

The link to that file was provided by one of our colleagues at BC. He also had an unusual entry on the FSS report.

You will not see mpsvc.dll placed in C:\ by any program, because that is just where I requested Prescottbob to save it.

From there, an FCopy was done to place it in C:\Program Files\Windows Defender\MpSvc.dll

The FSS run after the FCopy shows:
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

That is all with the C:\mpsvc.dll. It could just be removed, but, prefer to not do so yet.



I'm lost again, though...

Just asking questions to find out what 'exactly' was quarantined, and why.

Quarantined??...Can you tell me by what program?

 

[cottonball]

Laybackbear,

Prescottbob was instructed by Jacee to download Autoruns.

 

[cottonball]

Prescottbob,

Please remove anything from Autoruns except the downloaded zipped file.
Right-click on the downloaded file and select: Extract to Autoruns\

It should create a folder on the Desktop also called Autoruns

In that folder, are there 4 entries, one of them being the application?

 

[Prescottbob]

?? I'm only getting the Autorun.zip when the site downloads it.

 

[cottonball]

Yes, that is fine.

Right-click on the downloaded file and select: Extract to Autoruns\

It should create a folder on the Desktop also called Autoruns

In that folder, are there 4 entries, one of them being the application?

 

[Prescottbob]

Of course if I OPEN the zip it shows the 4 items but wont let me do anything with them individually.

 

[Prescottbob]

When I right click the autorun.zip the only extract option is EXTRACT ALL.... When I do that it creates the Autorun file with nothing in it. "folder is empty".

 

[cottonball]

What happens if you right-click the autoruns application inside the folder and select: Run as Administrator?

 

[VistaKing]

Prescottbob try this

Right-click the zip archive file.

Select “Extract All…” from the pop-up menu.

Specify the name and location of the folder for the extracted files.

Click the “Extract” button or press the “Enter” key.

If the “Show extracted files when complete” box is checked a new folder window will be opened to display the unzipped files.

 

[cottonball]

Start > All Programs > Accessories
Open the Command Prompt

At the blinking cursor, copy/paste (with the mouse) the following:

C:\Users\Binnie\desktop\autoruns\autoruns.exe

Does it run?

 

[cottonball]

Can you post a capture of what you have. Use the Snipping tool...

Looks as if you are using WinZip.
Got WinRAR archiver here.

 

[Prescottbob]

"show extracted files when complete" is checked and the new folder window is a AUTORUN folder with nothing in it.

 

[Layback Bear]

Did I misunderstand this. Post #346

The Adobe thing I clicked on sure didn't look like the HD thing. I swear it looked just like the regular update window that comes up to install updates--but this one came up in the middle of the screen when I was leaving the REAL CLEAR POLITICS website having clicked on a like the took me to an article on REAL CLEAR TECHNOLOGY. However, that morning JAVA and ADOBE update windows had been persistent and I probably clicked on this thing to stop the interruptions.