SFC: amd64/x86 winsxs comsvcs.dll's corrupted

I completed 3 separate offline live distro scans using Eset, Avira, and Bitdefender rescue CDs... zero notable detections in all of them.
 
Since the virus scan/removal I've seen zero file integrity violations. Violations typically happen on an hourly / daily basis. Time may prove otherwise, but by then a rollup may fix the issue anyway.

Avira rescue CD renamed, among others, the following files associated with cryptography. Other than that I had manually deleted "GnuPG" and "Gpg4win"... one or both consistently connected to the internet on its own. Initially this left me wondering if this was highly fortified software.

Scan Report

Start: 07:03:02 End: 09:20:21
Detections: 12
Files treated: 12
Files scanned: 430737
Engine version: 8.3.40.172
VDF version: 7.12.118.218
Scan status: Finished


Details
Detection: /target/C:/program files (x86)/nvidia corporation/nvtelemetry/plugin/_nvtelemetrystatusreporter.dll (should be legit, but who knows)
Virus name: TR/Crypt.XPACK.Gen2 file renamed
Virus Type: trojan
Detection: /target/C:/program files (x86)/spybot anti-beacon/spybot3antibeacon.exe (32-bit exe renamed, 64-bit remains behind. Recently installed v2.2; it runs on every boot to ensure the hosts file blocks Microsoft telemetry/spyware upon boot)
Virus name: TR/ATRAPS.Gen2 file renamed
Virus Type: trojan
Detection: /target/C:/program files (x86)/winscp/putty/pageant.exe (Pageant is a secure shell (ssh) tunneling app for connecting to Unix or Linux machines via PuTTY.) Should be legit.
Virus name: TR/Crypt.XPACK.Gen file renamed
Virus Type: trojan
Detection: /target/C:/program files (x86)/winscp/putty/puttygen.exe (for generating cryptographic keys) Should be legit.
Virus name: TR/Crypt.XPACK.Gen file renamed
Virus Type: trojan
Detection: /target/C:/program files/daedalus/resources/app/nsis-setup.exe (something to do with the crypto daedalus wallet, should be legit)
Virus name: TR/Crypt.XPACK.Gen file renamed
Virus Type: trojan

UPDATE:

I also had uninstalled the following, as detected by farbar:

bl (HKLM-x32\...\{2A075BB4-E976-4278-BF3F-E5C6945D84C0}) (Version: 1.0.0 - Your Company Name) Hidden

associated with Adobe Premiere pro, installed to a bogus directory on drive j:, which doesn't make sense.

name : bl
Command line : MsiExec.exe /I{2A075BB4-E976-4278-BF3F-E5C6945D84C0}
\adobe\Adobe Master Collection CS6\Adobe CS6\payloads\SonicWrappers_bl6.0-mul\ (or something like that on my pc)
Software ID {2A075BB4-E976-4278-BF3F-E5C6945D84C0}
 
Do not manually delete items as then I don't have a clear picture of what is going on with your system.

Since you have updated it, run a fresh SFC Scan, and attach CBS.log
Run SURT scan and attach CheckSUR.log.
 

After a strange system crash said I had one minute to save my files, I rebooted, ran sfc /scannow, jumped to c:\windows\syswow64\comsvc.dll, and its hash had changed. I made a copy of the changed file. SFC said it could not repair the file. Immediately after, I ran another sfc /scannow and there were no violations. The file hash had also returned back to normal. Not sure if SFC repaired the file, but it couldn't repair the files in store, which are the usual culprits.

Here are both logs and copies of the same dlls with different hashes.

There is a one-byte difference on line 4804:


w踘üÿë‹uìƒMüÿ9}àt‹Mä‹ÿP‹ÆèV(ùÿ ���CEventRegistrar::CloseEventRegistrar ���F a i l e d t o d e l e t e s u b s c r i p t i o n s . m _ d w I n s t a n c e s = = 0 ��m _ d w I n s t a n c e s > 0 �����ƒl$é3rûÿ�����ƒl$é$rûÿ�����ƒl$érûÿ�����‹ÿU‹ìƒìtV3öVV‰uð‰uüÿ€ w;ƉEø}ÇEüN éˆ W‹}‹Ïè‚íÿÿ;ƉEø}‡ÇEüQ ƒøu‰uøéa ;ÆŒ» �EôPhtwjVhl‚ w‰uôÿ¬ w;ƉEø�Ú ÇEü_ ;ÆŒ‡ ¡è wSjY»ˆ w‹ó�}Œó¥‹Mô�uŒV�uìVP‰Eì‹E‹jÿp4QÿR‹ð…ö}ÇEü€ t‹Eü…Àu¸� PVhÜÿwh

Original is:
W‹}‹Ïè‚íÿÿ;ƉEø}ÇEüQ
Modified is:
W‹}‹Ïè‚íÿÿ;ƉEø}‡ÇEüQ
 

Attachments
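The byte-level comparison described in the post above (two copies of the same DLL whose hashes differ by a single byte), as an added example that is not part of the original thread: a small Python script that hashes two files, lists every differing offset, and prints a short hex context around the first one. The sample buffers below are constructed stand-ins, not the real comsvcs.dll, and the function names are my own.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed sample buffers standing in for the "original" and "modified" DLL copies.
# MODIFIED flips one bit in byte 9, mirroring the single-byte difference seen in the post.
ORIGINAL = bytes.fromhex("4d5a9000030000000400000000ff0000")
_m = bytearray(ORIGINAL)
_m[9] ^= 0x80
MODIFIED = bytes(_m)

Diff = Tuple[int, Optional[int], Optional[int]]  # (offset, byte_in_a, byte_in_b); None if past EOF


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a buffer, the quick way to confirm two copies really differ."""
    return hashlib.sha256(data).hexdigest()


def byte_diffs(a: bytes, b: bytes, limit: Optional[int] = None) -> List[Diff]:
    """Return every offset where the two buffers disagree.

    Length mismatches are reported too: the shorter buffer contributes None
    past its end, so a truncated or padded copy is not mistaken for identical.
    """
    diffs: List[Diff] = []
    for off in range(max(len(a), len(b))):
        ba = a[off] if off < len(a) else None
        bb = b[off] if off < len(b) else None
        if ba != bb:
            diffs.append((off, ba, bb))
            if limit is not None and len(diffs) >= limit:
                break
    return diffs


def hex_context(data: bytes, offset: int, width: int = 8) -> str:
    """Hex dump of the bytes around `offset`, with the byte of interest bracketed."""
    start = max(0, offset - width)
    end = min(len(data), offset + width + 1)
    parts = []
    for i in range(start, end):
        cell = f"{data[i]:02x}"
        parts.append(f"[{cell}]" if i == offset else cell)
    return f"{start:08x}: " + " ".join(parts)


def compare_buffers(a: bytes, b: bytes) -> dict:
    """Summarise the comparison: hashes, sizes, differing offsets, first-diff context."""
    diffs = byte_diffs(a, b)
    summary = {
        "sha256_a": sha256_hex(a),
        "sha256_b": sha256_hex(b),
        "size_a": len(a),
        "size_b": len(b),
        "diff_count": len(diffs),
        "diffs": diffs,
    }
    if diffs:
        off = diffs[0][0]
        summary["context_a"] = hex_context(a, off)
        summary["context_b"] = hex_context(b, off)
    return summary


def compare_files(path_a: str, path_b: str) -> dict:
    """Same comparison for two on-disk files, e.g. the saved copies of a DLL."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return compare_buffers(fa.read(), fb.read())


if __name__ == "__main__":
    # Run against the constructed buffers; swap in compare_files(orig, modified) for real copies.
    result = compare_buffers(ORIGINAL, MODIFIED)
    print("sha256 original:", result["sha256_a"])
    print("sha256 modified:", result["sha256_b"])
    print("differing bytes:", result["diff_count"])
    for off, ba, bb in result["diffs"]:
        print(f"  offset 0x{off:x}: {ba:02x} -> {bb:02x}")
    if result["diff_count"]:
        print(result["context_a"])
        print(result["context_b"])
```

For the two attached copies you would call compare_files() with their paths; a single reported offset with a one-bit change (as here, 00 to 80) is worth noting separately from a pattern of many scattered changes, since the former is consistent with a flipped bit on disk or in memory while the latter looks like a deliberate rewrite, and SFC's own verdict on the file should be read alongside that.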

At this point, I am going to recommend you either upgrade to Windows 10 or do an In-Place Upgrade of Windows 7. I have no idea what exactly was done on the system to be able to tell you exactly what you may have done to have caused this, but my recommendation is to go the quick fix route here.
 
