
Infected by Malware. Need help understanding Farbar Scan

malware virus farbar


#31 Dwashba (Member, Topic Starter, 30 posts)

Fixlist:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 03-08-2016
Ran by devin (2016-08-07 23:20:20) Run:3
Running from C:\Users\devin\Desktop
Loaded Profiles: devin (Available Profiles: devin & mom & Top Dog)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Unlock: c:\windows\system32\fdrespub.dll
Unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub
Unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub\Parameters
Unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub\Security
Unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub\ServiceData
SetDefaultFilePermissions: c:\windows\system32\fdrespub.dll
CMD: dir c:\windows\system32\fdrespub.dll
Reg: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub" /s
sc start FDResPub
sc start wscsvc
 
 
 
 
*****************
 
"c:\windows\system32\fdrespub.dll" => was unlocked
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub" => key was unlocked
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub\Parameters" => key was unlocked
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub\Security" => key was unlocked
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub\ServiceData" => key was unlocked
"c:\windows\system32\fdrespub.dll" => Default permissions restored successfully.
 
========= dir c:\windows\system32\fdrespub.dll =========
 
 Volume in drive C has no label.
 Volume Serial Number is E0B9-085A
 
 Directory of c:\windows\system32
 
07/13/2009  06:40 PM            34,816 FDResPub.dll
               1 File(s)         34,816 bytes
               0 Dir(s)  48,689,242,112 bytes free
 
========= End ofCMD: =========
 
 
========= reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub" /s =========
 
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub
    DisplayName    REG_SZ    @%systemroot%\system32\fdrespub.dll,-100
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
    Description    REG_SZ    @%systemroot%\system32\fdrespub.dll,-101
    ObjectName    REG_SZ    NT AUTHORITY\LocalService
    ErrorControl    REG_DWORD    0x1
    Start    REG_DWORD    0x3
    Type    REG_DWORD    0x20
    DependOnService    REG_MULTI_SZ    RpcSs\0http
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeChangeNotifyPrivilege
    FailureActions    REG_BINARY    805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\fdrespub.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub\Security
    Security    REG_BINARY    01001488A4000000B0000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020074000500000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D01020001010000000000050600000000001800FD0102000102000000000005200000002C020000010100000000000512000000010100000000000512000000
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FDResPub\ServiceData
    FirstStart    REG_BINARY    2802000000000000
 
 
 
========= End of Reg: =========
 
sc start FDResPub => Error: No automatic fix found for this entry.
sc start wscsvc => Error: No automatic fix found for this entry.
 
==== End of Fixlog 23:20:22 ====

  • 0


#32 RKinner (Malware Expert, MVP, 24,625 posts)

Go back into the Services menu (Search for services.msc and hit Enter)

 

Right click on

 

Function Discovery Resource Publication

 

and select Properties.  Change the Startup Type: to Automatic.  Apply then see if you can Start the service.  Do you get the same error?

 

Repeat for Windows Security Center


  • 0

#33 Dwashba (Member, Topic Starter, 30 posts)

OK I changed FDRP to automatic, but it wouldn't start. Same error.

 

I couldn't even find Windows Security Center on the list, and it won't start from the Control Panel.


  • 0

#34 RKinner (Malware Expert, MVP, 24,625 posts)

Let's see if this helps:

 

Download the attached FDResPub.zip file.

 

[attachment=82158:FDResPub.zip]

 

Save it then right click on it and Extract All, Extract.  Right click on FDResPub.reg and Merge.

 

(This is slightly different from the previous FD.reg)

 

If that works without complaining then try opening an elevated Command Prompt and type:

regsvr32  fdrespub.dll

You should get a popup like this:

 

[attachment=82158:FDResPub.zip]

 

This just verifies that the file is not locked.

 

Now type in the same Command Window:

sc  start  FDResPub

If it wants to run it will say:

 


SERVICE_NAME: fdrespub
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 1768
        FLAGS              :

 

 

 
Wait a minute and run sc start fdrespub again and it should say:

[SC] StartService FAILED 1056:

An instance of the service is already running.

 

 

If you get an error in the above please give me the exact text of the error.

  • 0

#35 Dwashba (Member, Topic Starter, 30 posts)

Alright. The .reg merged fine.

 

I got this error message from the first command line string -

 

 Capture.jpg

 

I got the same response as you on the sc start FDResPub, except that for the PID I got 2204.

 

I couldn't get it to say that the service is already running. It would just put out the same info again.


  • 0

#36 RKinner (Malware Expert, MVP, 24,625 posts)

Try a restart and see if you can get it to start then


  • 0

#37 Dwashba (Member, Topic Starter, 30 posts)

Nope, I got the same results except that now the PID is 2628. I got the same error from this one: regsvr32 fdrespub.dll.


  • 0

#38 RKinner (Malware Expert, MVP, 24,625 posts)

Submit the file FDResPub.dll to virustotal.com and let's verify that it is a good file.  It appears to be the same file that's on my PC but who knows.

 

 
Easiest way to submit a file is to copy the path:
 
c:\Windows\System32\FDResPub.dll
 
Then go to virustotal.com with your browser.  Click on Choose File then when the file chooser window opens, move down to the File Name: box and then Ctrl + v and the path should appear.  Hit Open and it should return to the main page with FDResPub.dll chosen.  Click on Scan it.  If it knows the file already it will tell you it's already been analyzed and offer you a choice of Reanalyze and View Last Analysis.  In that case click on View Last Analysis.  If it doesn't know the file it will take a minute to query 46 or more different anti-virus companies.  In either case, if the Detection ratio: is not 0 / 46 or more then copy the Analysis page and paste it into the forum.  You can just hit Ctrl + a then Ctrl + c to copy the page then go to a reply and Ctrl + v.

  • 0
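The checks asked for in #34 (service configuration and state) and #38 (is the DLL the expected, untampered file) can be gathered in one pass. This is an added example, not RKinner's instructions or FRST output; it assumes Windows PowerShell 5.1 on an elevated prompt and takes the service name as a parameter (FDResPub by default). Pasting the printed SHA-256 into VirusTotal's search box also avoids the file-chooser problem reported later in the thread.

```powershell
# Added example: inspect a Windows service's static config, live state and
# the DLL it loads. Assumes an elevated Windows PowerShell 5.1 prompt.
param([string]$ServiceName = 'FDResPub')

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $svcKey)) { throw "No registry key for service '$ServiceName'" }

# 1. Static configuration: what the Service Control Manager will try to run
#    (the same values the reg query in the Fixlog prints).
$cfg    = Get-ItemProperty -Path $svcKey
$params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
[pscustomobject]@{
    ImagePath  = $cfg.ImagePath
    ServiceDll = $params.ServiceDll
    ObjectName = $cfg.ObjectName
    Start      = $startNames[[int]$cfg.Start]
    Depends    = ($cfg.DependOnService -join ', ')
} | Format-List

# 2. Live state as reported by the SCM (what 'sc start' / 'sc query' show).
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType | Format-List

# 3. The DLL behind the service: present, where expected, signed, and its hash.
$dll = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
if (-not (Test-Path $dll)) { throw "ServiceDll not found on disk: $dll" }
$file = Get-Item -Path $dll
$sig  = Get-AuthenticodeSignature -FilePath $dll   # catalog lookup needs Windows 8 or later;
                                                   # on Windows 7 a catalog-signed file may show NotSigned
$hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
[pscustomobject]@{
    Path        = $file.FullName
    SizeBytes   = $file.Length
    LastWrite   = $file.LastWriteTime
    Signature   = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    SHA256      = $hash                  # paste into VirusTotal search instead of uploading
    InSystem32  = ($file.DirectoryName -ieq "$env:SystemRoot\System32")
} | Format-List
```

A service DLL that is outside System32, unsigned, or whose hash VirusTotal has never seen is the first thing to explain before trusting a "won't start" service.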

#39 Dwashba (Member, Topic Starter, 30 posts)

I'm not sure what's going on because the file is showing up in Windows Explorer but not in the Choose File pop-up from Virustotal.com, and when I paste in the address it says it doesn't exist.


  • 0

#40 RKinner (Malware Expert, MVP, 24,625 posts)

Since it shows up in Windows Explorer, right click on it and Copy then move to your desktop and Paste. Then submit the copy on your desktop.

 

We can also try:

 

Download ESET's Service Repair http://www.wintips.o...vicesRepair.zip and Save it then right click on it Extract All.
 
Find ServicesRepair.exe and Run As Admin.
 
Maybe we will get lucky. Bedtime for me.

  • 0


#41 Dwashba (Member, Topic Starter, 30 posts)

OK I got it scanned. 0/55 detection ratio.

 

Have a good night.


  • 0

#42 Dwashba (Member, Topic Starter, 30 posts)

Do I need to do anything else or do you think I'm good? Your help has been invaluable. You're a saint!


  • 0

#43 RKinner (Malware Expert, MVP, 24,625 posts)

Did you try ESET's Service Repair?


  • 0

#44 Dwashba (Member, Topic Starter, 30 posts)

OK I thought that was an alternative to the .reg. Anyway now I've run ESET successfully. The security service seems to be running now.


  • 0

#45 RKinner (Malware Expert, MVP, 24,625 posts)

Cleanup time then:
 
We usually clean up with Delfix.  This removes our tools and their logs and quarantines and also removes all but the latest System Restore point so there is no chance of the malware coming back with a system restore. Delfix has been a tad too aggressive recently and seems to dislike pdf files in the Downloads folder so if you have any you should move them to a different folder before running Delfix.
 
Ensure Remove disinfection tools is ticked
Also tick:
Create registry backup
Purge system restore
 
Click Run
The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply
 
If we installed Speccy it needs to be uninstalled.  Process Explorer, VEW  and their logs and Speccy's log can just be deleted.
 
Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.  Flash is now the most malware targeted program so it must be kept up to date.  Be careful with Adobe.  They are fond of offering optional downloads like yahoo or Ask toolbars or that worthless McAfee Security Scan.  Go slow and uncheck the optional stuff.
 
Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program.  There is an exploit out there now that can use it to get on your PC.  For Adobe Reader:  Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript.  OK Close program.  It's the same for Foxit reader except you uncheck Enable Javascript Actions. 
 
 
If you use Chrome/Firefox/IE then get the AdBlock Plus Add-on.  Go to adblockplus.org with each browser and get the add-on.  (It's actually a program for IE)
 
If Chrome/Firefox is slow loading make sure it only has the current Java add-on.  Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox.  Close Chrome/Firefox/Skype. Hit Optimize.  You can run it any time that Chrome/Firefox seems slow starting.
 
Be warned:  If you use Limewire, utorrent or any of the other P2P programs you will probably be coming back to the Malware Removal forum.  If you must use P2P then submit any files you get to http://virustotal.com before you open them.
 
Due to a recent rise in the number of Cryptolocker infections I am now recommending you install:
 
CryptoPrevent
 
 
Last time I downloaded it you had to give them your IP address and they would send you the link to download it.  When it ran it asked if you were sure your PC was clean then it would try to allow everything on your PC to continue running.  The free version does not update on its own so you should check for updated versions once in a while.  If you have problems after installing CryptoPrevent you can just uninstall it.
 
If you have a router, log on to it today and change the default password!  If using a Wireless router you really should be using encryption on the link.  Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business.  See http://www.king5.com...0637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important.  If you don't know how, visit the router maker's website.  They all have detailed step by step instructions or a wizard you can download.
 
Special note on Java.  Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better.  These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.  Get the latest version from Java.com.  They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download.  Just uncheck the garbage before the download (or install) starts.  If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.  IF that is the case then go to Control Panel, Java, Security and slide it up to the highest level.  OK.
 
 
My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's an Orcas Island environmental organization that I volunteered with: http://www.kwiaht.org/donate.htm
(The name means something like "clean place" in one of the local native-American dialects)
 
Ron

  • 0