k9876

Members
  • Posts: 18
  • Reputation: 0 Neutral
  1. Hi there, just updated to 7.2.2 today. Did a scan. My mouth opened wide in surprise. Then I closed my mouth when I saw the results. The false positives are all immunization entries created by SpyBot S&D and SpywareBlaster. So no cause for alarm. Ran a few tests to double check, and it is indeed immunization entries being detected. This has happened before in the past, so it's not a huge issue. Just hope the next database update or next release takes care of this. Thought I'd let you know and others on the forum in case anyone else thought their computer was infected when it's not. Cheers!
  2. Same here, I had to disable it as it was crashing my PC. Not good. :(
  3. Hi Aura, all is good here. As far as I know, a week after my last post everything seems fine on my PC. I'm still doing regular checks and even checking to see if those registry keys appear again, but they haven't returned and neither has the file I quarantined. If I ever do stumble into some little nasties again I'll be sure to post about it here at the forum. What is really interesting about the infection is that many other infections seem to use those registry keys as if they are an easy exploit or target on a Windows system. It's got me studying more about it and the whole world of malware, viruses, worms and trojans. It's also made me paranoid again, which isn't a bad thing. I seem to have got a bit relaxed with my security, a mistake I'm not going to make again. Thanks for asking, Aura.
  4. Happy to say that I cleaned this annoying infection up. Everything pointed to a file named NTSVC.ocx which was located in the SYSWOW64 folder. I quarantined the file in Emsisoft emergency scanner as it allows you to add files to the quarantine. This was after removing all the registry keys created by NTSVC.ocx. I think it would be very handy if Malware Bytes Premium had such an option to add any file to quarantine, definitely consider this guys. Perhaps also add the detections into Malware Bytes Premium, since it did not pick this up once at all. I have done several scans and registry searches since and it is completely gone. Nuked. I also disabled system restore before doing any of what I have mentioned, so it's important to do this too with system restore: delete any backups it has created as you don't want this coming back, let me tell you it is annoying as f***. This file is created by whatever nasty little bit of kit lands on the system and creates all the registry keys I mentioned in my above posts. It also seems that whatever this is (was), it goes by many names since those registry keys are mentioned a lot in relation to other infections.

     Tools I used to track this down and get rid of it were:

     • RegShot by maddes, xhmikosr, regshot: take a snap of your registry before and after, very helpful.
     • MiniRegTool64 by FarBar. Helped find other hidden keys with the same values as the registry keys I posted.
     • Regedit by Microsoft
     • RKILL by Bleeping Computer
     • Emsisoft emergency scanner by Emsisoft
     • AdwCleaner by fr33tux
     • My Brain by Me

     I am no longer infected with this. I helped myself. You can now close this. Cheers.
  5. Hi there, I still have the same happening over and over. Here are some more logs. One for Adwcleaner and one from Emsisoft emergency scanner, which lists this as being SmartService trojan, but I've looked up about smart service disabling security programs, none of which has happened to me. I've done some further reading and these keys in my previous post seem to be more related to Yelloader or Bancos. I still cannot find any processes creating these keys. Also, I went into safe mode and scanned, and the funny thing is the scans came back empty, but if I boot into Windows as usual and then do a scan the keys are present again. Could these keys be stuck in memory? Why do they keep returning even after being cleaned with Adwcleaner and Emsisoft, and why isn't Malware bytes premium picking this up? I also did a rootkit scan with the actual Malware bytes standalone rootkit scanner but it turned up empty too. Attached the logs. So any help when you are free would be much appreciated guys, I'm not totally sure if this is a serious infection or not, or just some stubborn keys that are hard to remove or being loaded by remnants of a previous infection I didn't even know I had.

     AdwCleaner[S243].txt
     scan_170504-045014.txt
  6. Adwcleaner picks these keys up:

     Key Found: HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
     Key Found: HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}

     I remove them with Adwcleaner and reboot, only for them to be there again. I then used Emsisoft emergency kit to do a scan, being curious if it would find anything else, and it does. These are the keys Emsisoft emergency kit finds:

     HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}
     HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
     HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}

     Once the scan is complete with Emsisoft I then quarantine and assume all is ok. But this is not the case. After reboot I scan again and the keys are yet again found. So I check in my registry to find other things associated with these keys and I find: NTService.Control.1 _DNtSvc related to these keys. Of course before coming here I searched around online, finding many topics and virus related pages to do with these keys. The trouble is I can't find which process is responsible for creating these keys, and also that these keys can unknowingly be installed with a software. I'm not sure why Malware bytes premium isn't detecting any changes or picking up on this. Kaspersky Internet security also doesn't seem to find anything wrong. I've done a FRST scan and have attached the logs. Any help on this will be much appreciated.

     FRST.txt
     Addition.txt
  7. Yep, I've checked those out but funnily enough cannot find anything else mentioned there on my machine. Searched the registry high and low and it seems only the key I mention is ever found. This one: {E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}. It has since been removed by AdwCleaner, but what if this comes back, like it has today? And why is it appearing in AdwCleaner and not MalwareBytes Premium or Kaspersky Internet Security? Surely both these products would detect the rest, or at least give me a sign of a threat on my system? I also scanned with ESET, EMSISOFT, SOPHOS, SPYBOT S&D, SUPERANTI SPYWARE and not a trace or hint of anything suspicious. So I'm in wonder here about this registry key, because if it was everything else mentioned on Trend Micro then surely my MalwareBytes premium would pick it up or KIS would.... I'm baffled! I run Windows 7 Ultimate x64, I steer clear of dodgy sites or anything remotely suspect, I download programs from trusted sources, so this is all a bit of a mystery to me if and how I would become infected, and this I'm not even sure of now.
  8. Hi guys, I have come across this registry key which AdwCleaner finds. This is not the first time it has found it. I removed it with AdwCleaner in 2016 and today I scan and see it has appeared again, but what is it?? I thought whatever it was, was gone for good but it seems not. It's now back. The key AdwCleaner finds is this: {E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}. I don't know if this is a false positive or not? I searched online about it and there are not good things about this key. But the key is also related to something in Windows too. So I'm confused on the search results. I have scanned my system constantly with MalwareBytes too and also Kaspersky internet security. I do not have any suspicious programs installed, I am a very careful PC user. Here is the log from AdwCleaner:

     ***** [ Services ] *****
     No malicious services found.
     ***** [ Folders ] *****
     No malicious folders found.
     ***** [ Files ] *****
     No malicious files found.
     ***** [ DLL ] *****
     No malicious DLLs found.
     ***** [ WMI ] *****
     No malicious keys found.
     ***** [ Shortcuts ] *****
     No infected shortcut found.
     ***** [ Scheduled Tasks ] *****
     No malicious task found.
     ***** [ Registry ] *****
     Key Found: HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
     ***** [ Web browsers ] *****
     No malicious Firefox based browser items found.
     No malicious Chromium based browser items found.
     -------------

     So any ideas? Is it anything to worry about?
  9. Still happens for me with the reverting. Yeah, best to sit tight for this one. Wait it out.
  10. Much better way of doing it as you can never be too sure, so just add the lot. Good post. Thanks!
  11. Just thought I'd say it's still happening. I'm looking to revert back to 2.2 if this isn't being resolved. Happening every day I reboot or turn off my computer and turn back on the next day. Thing is, I even disabled KIS thinking that would stop it but it didn't. So I ruled out KIS now being the problem. It just keeps reverting back to 3.0. Also I did the uninstall and cleared every trace of 3.0 from my system, grabbed 3.5, installed that and it still somehow reverts back to 3.0 even if 3.0 is not installed. What? How? Anyways, hope a fix comes soon, getting tiring.
  12. Oh no. Another of the problems I have too. I was really wondering how on earth it was reverting back. Least I know now I'm not the only one.
  13. Sure.

      • Left click in tray icon of KIS and select Kaspersky Internet Security.
      • Open More Tools on the interface you have opened (green box, white writing at the bottom).
      • It will then switch to another interface, and on the left hand side in a list look for 'Trusted Applications Mode' and click on that.
      • It will then show you another interface saying Trusted Applications Mode, and on that interface it should show you 'Blocked' in slightly smaller grey writing and should have a number or numbers in red indicating how many modules have been blocked. Click on the number saying Launch Attempts next to it in red.
      • It will then show you everything Kaspersky has blocked and you can select them manually to be allowed.

      Quite annoying really, as you would think KIS would know not to block these modules for Malware Bytes.
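
Added example, not part of the original posts: a read-only PowerShell check that looks for the COM registration keys quoted in posts 6 to 8 in both the 64-bit and WOW6432Node registry views and reports the file each key points to, with its hash and signature status. The GUIDs come from the posts; the function name Get-ComRegistrationFile and the output fields are assumptions made for this example, and it assumes PowerShell 5.1 on 64-bit Windows.

```powershell
# Added example. GUIDs are the ones quoted in the posts above; the function name
# and output fields are hypothetical. Run from 64-bit PowerShell (read-only).
$guids = 'E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C', 'E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C',
         'E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C', 'E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C'
$roots = 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\WOW6432Node'
$kinds = 'CLSID', 'TypeLib', 'Interface'

function Get-ComRegistrationFile {
    param([Parameter(Mandatory)][string]$KeyPath)
    # Subkeys whose default value names the module that backs the registration.
    Get-ChildItem -LiteralPath $KeyPath -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^(InprocServer32|LocalServer32|win32|win64)$' } |
        ForEach-Object { [string]$_.GetValue('') } |
        Where-Object { $_ } |
        ForEach-Object { $_.Trim('"') } |
        Sort-Object -Unique
}

$report = foreach ($root in $roots) {
    foreach ($kind in $kinds) {
        foreach ($guid in $guids) {
            $key = "$root\$kind\{$guid}"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $files = @(Get-ComRegistrationFile -KeyPath $key)
            if ($files.Count -eq 0) { $files = @($null) }   # key exists but names no file
            foreach ($file in $files) {
                $path = $file
                # 32-bit registrations that say System32 are redirected to SysWOW64.
                if ($path -and $root -like '*WOW6432Node') {
                    $path = $path -replace '\\system32\\', '\SysWOW64\'
                }
                $exists = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))
                [pscustomobject]@{
                    Key       = $key
                    File      = $path
                    Exists    = $exists
                    SHA256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
                    Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status }
                    Modified  = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTime }
                }
            }
        }
    }
}
$report | Format-List
```

Comparing the output before and after a cleanup pass shows whether the same file on disk is what the reappearing keys point to.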