benrosemberg

Thanks very much Kevin! Please see attached zip. Ran cleanup as suggested. Much appreciate all your help! Best regards, Ben Quarantine.zip

Oh, forgot to mention I did a full scan with Windows Security and it didn't turn up anything either. Thanks!

Hi again Kevin, That seems to have worked now - no pop-up on start up and I ran autorun and that group of files no longer shows up. I've attached fixlog.txt and latest autorun files. Thank you! Ben Fixlog.txt DESKTOP2.zip

Hey Kevin, Kontakt and Steam both mean something, but the rest don't mean anything to me. - Kontakt is a VST plugin for synth and other such MIDI-input driven instruments. Version is patched but I could delete if needed. Definitely wouldn't need an update on it ever, though (due to patched nature), so "Kontakt_update" is basically useless. - Steam is the gaming platform. But I'm not sure what "steam_api" is. I had seen some pop-ups in reference to this before, but I dismissed it as false positives after installing Steam. Could also delete if needed but I do game on it here and there. Thank you! Ben

Sorry - compressed to rar before. Now in zip! DESKTOP1.zip

Thanks Kevin - please see attached. Wasn't sure what format you wanted, so saved both. Regards! DESKTOP1.rar

Hi Kevin, Ran the scan and no cleanup required. Attached logs as requested. Thank you! Ben mbar-log-2020-06-23 (11-03-42).txt system-log.txt

Hey again Kevin, I initially suspected the RevSvcs.exe file may be in fact manipulated by something else, but the fact that only Windows Security flags it (while Virus Total and other such services do not) made me question this. That is from patched software, which I don't even need or use any longer and could simply delete. However, it appears Windows already took care of the issue, as the file in the question is no longer in the folder mentioned. Please see attached log as requested. Thank you, Ben Search.txt

Thanks so much Kevin. I ran all of those steps as instructed, and rebooted. On launch I'm still getting pop-up as attached (Startup popup.JPG), and while a virus scan with Windows Security didn't show any threats, the protection history does show an app being blocked and a threat quarantined just a few minutes prior to having started the scan (Capture1.JPG and Capture 2.JPG). Then, just as I was typing this, I received another threat notice (Capture 3). Malwarebytes didn't flag anything when I ran the same folder through it. Windows blocked the threat, so all appears ok. I'm starting to think maybe Windows Security is giving me false positives?

Hey Kevin, Just came back home where I had left it running. Report was as follows: C:\Windows\system32> DISM /Online /Cleanup-Image /RestoreHealth Deployment Image Servicing and Management tool Version: 10.0.18362.900 Image Version: 10.0.18363.900 [==========================100.0%==========================] The restore operation completed successfully. The operation completed successfully. Does this mean in theory I should be all good? No more popups for RegAsm & RegSvc and Windows Defender will no longer report backdoor virus? Thanks again! Ben

Thanks again Kevin - attached is zip file as requested. The scan didn't yield specific errors, just "Windows Resource Protection found corrupt files and successfully repaired them...." I also should note that I got those pop-ups again ("application unable to start" related to RegSvc and RegAsm) when I first launched command prompt as administrator. Thank you, Ben CBS.zip

Thanks again Kevin - please see attached Fixlog.txt 21.06.2020_09.07.54.zip

Hi Kevin, Thank you very much for your time. Attached all logs as requested. Also included images of the pop-ups I get upon start-up that also indicate to me that not all is good... Please let me know how to proceed. Thanks again! Ben Addition.txt AdW.txt FRST.txt Malwarebytes.txt

Good afternoon, I've decided to post here since I can't seem to find anything online that can help me out with this. Windows Defender seems to constantly find the following threat, even though I always quarantine/delete it. Along with this, I get pop-ups saying RegSvc.exe (or RegAsm.exe) failed to run. Windows Defender seemingly find the virus/malware, but doesn't appear to fully delete it. Malwarebytes doesn't pick it up at all: Backdoor:MSIL/Orcus.A!bit found in: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Any help would be greatly appreciated! Thank you, Ben