
Solved Error during startup: Stop: c000021a (Fatal System Error)

Discussion in 'Malware and Virus Removal Archive' started by jharry, 2015/02/07.

  1. 2015/03/16
    jharry (Inactive, Thread Starter)
    Following is the content of fixlog.txt

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
    Ran by owner at 2015-03-16 20:35:49 Run:3
    Running from f:\
    Loaded Profiles: owner (Available profiles: owner & fbwuser & Guest)
    Boot Mode: Safe Mode (with Networking)
    ==============================================

    Content of fixlist:
    *****************
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-669636167-3881197016-1759864487-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
    SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2414} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=414&sr=0&q={searchTerms}
    SearchScopes: HKLM-x32 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2414} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=414&sr=0&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-669636167-3881197016-1759864487-1000 -> 99B2053569C04989B01B12CECA3CC99E URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=414&sr=0&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-669636167-3881197016-1759864487-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-669636167-3881197016-1759864487-1000 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_dnldstr_14_33_ie&cd=2XzuyEtN2Y1L1QzuyBtDtC0AtDyEyBtAyByDtBtA0A0BtByCtN0D0Tzu0SzyyDzztN1L2XzutAtFtCtFtDtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyD0FtCtA0AtBtBzztG0BtDzyyCtGyC0DyEzytG0AzztB0BtGtAzy0CzzyE0Bzy0FzztC0CyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2StByE0A0C0D0F0C0DtGzzyDzy0EtGyE0Bzy0BtG0AzytA0EtGzy0C0EyB0AtByD0A0FyE0E0C2Q&cr=1677618460&ir=
    BHO: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> No File
    BHO: No Name -> {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -> No File
    BHO-x32: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> No File
    BHO-x32: No Name -> {889D2FEB-5411-4565-8998-1DD2C5261283} -> No File
    BHO-x32: No Name -> {C8CBC109-B04A-4dda-956E-BFFE0360DADD} -> No File
    Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
    Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
    Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    Winsock: Catalog5-x64 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    FF Plugin: @alipay.com/npAliInetHealth -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npAlipaydhc64.dll No File
    FF Plugin: @alipay.com/npAliSecCtrl -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npAliSecCtrl64.dll No File
    FF Plugin-x32: @alipay.com/npalidcp -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npalidcp.dll No File
    FF Plugin-x32: @alipay.com/npaliedit -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npaliedit.dll No File
    FF Plugin-x32: @alipay.com/npAliInetHealth -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npAlipaydhc.dll No File
    FF Plugin-x32: @alipay.com/npAliSecCtrl -> C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\npAliSecCtrl.dll No File
    FF Plugin-x32: @cfca.com/npCryptoKit.BOC.x86,version=3.4.0.5 -> C:\Windows\system32\npCryptoKit.BOC.x86.dll No File
    FF Plugin-x32: @cfca.com/SecEditCtl.BOC,version=1.0.0.9 -> C:\Windows\system32\npSecEditCtl.BOC.x86.dll No File
    FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
    FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
    S2 DeviceHealth; "C:\Program Files (x86)\Microsoft Device Health\DhMachineSvc.exe" [X]
    S2 pcas; "C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\pcas.exe" [X]
    S2 RealtekUSB; C:\Program Files (x86)\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe [X]
    S2 secbizsrv; "C:\Program Files (x86)\alipay\aliedit\4.6.0.3481\secbizsrv.exe" [X]
    S3 hitmanpro35; No ImagePath
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    2010-01-30 16:33 - 2002-08-09 00:40 - 0153088 _____ () C:\Program Files (x86)\UNWISE.EXE
    2012-09-07 08:31 - 2013-12-10 02:41 - 0000074 _____ () C:\Users\owner\AppData\Roaming\albumcart.xml
    2014-12-05 19:36 - 2014-12-05 19:36 - 0001078 _____ () C:\Users\owner\AppData\Roaming\base64.cer
    2011-04-05 00:13 - 2012-05-15 19:15 - 0000915 _____ () C:\Users\owner\AppData\Roaming\coreavc.ini
    2012-10-10 17:32 - 2012-10-10 17:32 - 0004786 _____ () C:\Users\owner\AppData\Roaming\info.ini
    2012-09-07 08:30 - 2013-12-10 02:37 - 0000004 _____ () C:\Users\owner\AppData\Roaming\LastUser.ini
    2012-09-07 08:31 - 2014-12-31 13:16 - 0000074 _____ () C:\Users\owner\AppData\Roaming\shoppingcart.xml
    2014-08-28 14:56 - 2015-01-29 01:27 - 0000191 _____ () C:\Users\owner\AppData\Roaming\WB.CFG
    2011-09-07 21:42 - 2015-01-27 17:14 - 0005120 _____ () C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2014-12-16 18:27 - 2014-12-16 18:27 - 0000010 _____ () C:\Users\owner\AppData\Local\DSI.DAT
    2012-05-30 16:15 - 2014-10-19 07:47 - 0007608 _____ () C:\Users\owner\AppData\Local\resmon.resmoncfg
    2012-05-22 16:42 - 2012-05-22 16:42 - 0000000 _____ () C:\ProgramData\-HH1OSz4vwGp6zb
    2012-05-22 16:42 - 2012-05-22 16:42 - 0000168 _____ () C:\ProgramData\-HH1OSz4vwGp6zbr
    2014-03-18 20:13 - 2014-03-18 20:13 - 0000057 _____ () C:\ProgramData\Ament.ini
    2009-12-19 22:15 - 2009-12-19 22:15 - 0000056 _____ () C:\ProgramData\ezsidmv.dat
    2012-05-22 16:42 - 2012-05-22 16:42 - 0000256 _____ () C:\ProgramData\HH1OSz4vwGp6zb
    2010-01-06 22:22 - 2015-03-14 16:37 - 0008456 ___SH () C:\ProgramData\KGyGaAvL.sys
    Task: {D0853781-C6D6-49B3-89DC-1DA6017AE3CD} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe <==== ATTENTION
    C:\Program Files (x86)\Optimizer Pro
    Task: {D9E82ACD-AB52-4950-AC5C-88640D572C9E} - \WSE_Astromenda No Task File <==== ATTENTION
    AlternateDataStreams: C:\ProgramData\Temp:373E1720
    AlternateDataStreams: C:\ProgramData\Temp:EEDA5B17

    *****************

    "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
    "HKU\S-1-5-21-669636167-3881197016-1759864487-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}" => Key deleted successfully.
    HKCR\CLSID\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9} => Key not found.
    "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2414}" => Key deleted successfully.
    HKCR\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2414} => Key not found.
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2414}" => Key deleted successfully.
    HKCR\Wow6432Node\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2414} => Key not found.
    "HKU\S-1-5-21-669636167-3881197016-1759864487-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\99B2053569C04989B01B12CECA3CC99E" => Key deleted successfully.
    HKCR\CLSID\99B2053569C04989B01B12CECA3CC99E => Key not found.
    "HKU\S-1-5-21-669636167-3881197016-1759864487-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
    HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
    "HKU\S-1-5-21-669636167-3881197016-1759864487-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{632F07F3-19A1-4d16-A23F-E6CE9486BAB5}" => Key deleted successfully.
    HKCR\CLSID\{632F07F3-19A1-4d16-A23F-E6CE9486BAB5} => Key not found.
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}" => Key deleted successfully.
    HKCR\CLSID\{3049C3E9-B461-4BC5-8870-4C09146192CA} => Key not found.
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}" => Key deleted successfully.
    HKCR\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} => Key not found.
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}" => Key deleted successfully.
    HKCR\Wow6432Node\CLSID\{3049C3E9-B461-4BC5-8870-4C09146192CA} => Key not found.
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}" => Key deleted successfully.
    HKCR\Wow6432Node\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283} => Key not found.
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C8CBC109-B04A-4dda-956E-BFFE0360DADD}" => Key deleted successfully.
    HKCR\Wow6432Node\CLSID\{C8CBC109-B04A-4dda-956E-BFFE0360DADD} => Key not found.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value deleted successfully.
    HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => Key not found.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value deleted successfully.
    HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => Key not found.
    Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
    Winsock: Catalog5-x64 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
    "HKLM\Software\MozillaPlugins\@alipay.com/npAliInetHealth" => Key deleted successfully.
    "HKLM\Software\MozillaPlugins\@alipay.com/npAliSecCtrl" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\MozillaPlugins\@alipay.com/npalidcp" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\MozillaPlugins\@alipay.com/npaliedit" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\MozillaPlugins\@alipay.com/npAliInetHealth" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\MozillaPlugins\@alipay.com/npAliSecCtrl" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\MozillaPlugins\@cfca.com/npCryptoKit.BOC.x86,version=3.4.0.5" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\MozillaPlugins\@cfca.com/SecEditCtl.BOC,version=1.0.0.9" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109" => Key deleted successfully.
    DeviceHealth => Service deleted successfully.
    pcas => Service deleted successfully.
    RealtekUSB => Service deleted successfully.
    secbizsrv => Service deleted successfully.
    hitmanpro35 => Service deleted successfully.
    catchme => Service deleted successfully.
    C:\Program Files (x86)\UNWISE.EXE => Moved successfully.
    C:\Users\owner\AppData\Roaming\albumcart.xml => Moved successfully.
    C:\Users\owner\AppData\Roaming\base64.cer => Moved successfully.
    C:\Users\owner\AppData\Roaming\coreavc.ini => Moved successfully.
    C:\Users\owner\AppData\Roaming\info.ini => Moved successfully.
    C:\Users\owner\AppData\Roaming\LastUser.ini => Moved successfully.
    C:\Users\owner\AppData\Roaming\shoppingcart.xml => Moved successfully.
    C:\Users\owner\AppData\Roaming\WB.CFG => Moved successfully.
    C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => Moved successfully.
    C:\Users\owner\AppData\Local\DSI.DAT => Moved successfully.
    C:\Users\owner\AppData\Local\resmon.resmoncfg => Moved successfully.
    C:\ProgramData\-HH1OSz4vwGp6zb => Moved successfully.
    C:\ProgramData\-HH1OSz4vwGp6zbr => Moved successfully.
    C:\ProgramData\Ament.ini => Moved successfully.
    C:\ProgramData\ezsidmv.dat => Moved successfully.
    C:\ProgramData\HH1OSz4vwGp6zb => Moved successfully.
    C:\ProgramData\KGyGaAvL.sys => Moved successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D0853781-C6D6-49B3-89DC-1DA6017AE3CD}" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D0853781-C6D6-49B3-89DC-1DA6017AE3CD}" => Key deleted successfully.
    C:\Windows\System32\Tasks\Optimizer Pro Schedule => Moved successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimizer Pro Schedule" => Key deleted successfully.
    "C:\Program Files (x86)\Optimizer Pro" => File/Directory not found.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D9E82ACD-AB52-4950-AC5C-88640D572C9E}" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D9E82ACD-AB52-4950-AC5C-88640D572C9E}" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WSE_Astromenda" => Key deleted successfully.
    C:\ProgramData\Temp => ":373E1720" ADS removed successfully.
    C:\ProgramData\Temp => ":EEDA5B17" ADS removed successfully.

    ==== End of Fixlog 20:36:01 ====
     
  2. 2015/03/16
    broni (Moderator, Malware Analyst)
    Last scans...

    Download Security Check and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
    NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
    NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.


    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
      • Other Services
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    Download Sophos Free Virus Removal Tool and save it to your desktop.
    • Double click the icon and select Run
    • Click Next
    • Select I accept the terms in this license agreement, then click Next twice
    • Click Install
    • Click Finish to launch the program
    • Once the virus database has been updated click Start Scanning
    • If any threats are found click Details, then View log file... (bottom left hand corner)
    • Copy and paste the results in your reply
    • Close the Notepad document, close the Threat Details screen, then click Start cleanup
    • Click Exit to close the program
     
  3. 2015/03/17
    jharry (Inactive, Thread Starter)
    Following is the content of checkup.txt

    Results of screen317's Security Check version 0.99.98
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 10 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Microsoft Security Essentials
    avast! Antivirus
    Antivirus up to date! (On Access scanning disabled!)
    `````````Anti-malware/Other Utilities Check:`````````
    AML Free Registry Cleaner 4.25
    Java 7 Update 25
    Java version 32-bit out of Date!
    Java 64-bit 8 Update 31
    Adobe Flash Player 16.0.0.305
    Adobe Reader XI
    Mozilla Firefox (36.0.1)
    Google Chrome (40.0.2214.115)
    Google Chrome (41.0.2272.89)
    ````````Process Check: objlist.exe by Laurent````````
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast avastui.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````

    Following is the content of FSS.txt

    Farbar Service Scanner Version: 17-01-2015
    Ran by owner (administrator) on 16-03-2015 at 21:32:29
    Running from "C:\Users\owner\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.

    bfe Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => File is digitally signed
    C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\System32\dhcpcore.dll => File is digitally signed
    C:\Windows\System32\drivers\afd.sys => File is digitally signed
    C:\Windows\System32\drivers\tdx.sys => File is digitally signed
    C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\System32\dnsrslvr.dll => File is digitally signed
    C:\Windows\System32\mpssvc.dll => File is digitally signed
    C:\Windows\System32\bfe.dll => File is digitally signed
    C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\System32\SDRSVC.dll => File is digitally signed
    C:\Windows\System32\vssvc.exe => File is digitally signed
    C:\Windows\System32\wscsvc.dll => File is digitally signed
    C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\System32\wuaueng.dll => File is digitally signed
    C:\Windows\System32\qmgr.dll => File is digitally signed
    C:\Windows\System32\es.dll => File is digitally signed
    C:\Windows\System32\cryptsvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Windows\System32\ipnathlp.dll => File is digitally signed
    C:\Windows\System32\iphlpsvc.dll => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed


    **** End of log ****

    Following is the content of threat details from Sophos Virus Removal Tool:

    2015-03-17 05:21:46.761 Sophos Virus Removal Tool version 2.5.4
    2015-03-17 05:21:46.761 Copyright (c) 2009-2014 Sophos Limited. All rights reserved.

    2015-03-17 05:21:46.761 This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

    2015-03-17 05:21:46.761 Windows version 6.1 SP 1.0 Service Pack 1 build 7601 SM=0x300 PT=0x1 WOW64
    2015-03-17 05:21:46.771 Checking for updates...
    2015-03-17 05:21:49.707 Update progress: proxy server not available
    2015-03-17 05:22:05.599 Downloading updates...
    2015-03-17 05:22:05.601 Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0
    2015-03-17 05:22:05.602 Update progress: [I49502] Found supplement SAVIW32 LATEST
    2015-03-17 05:22:05.602 Update progress: [I49502] Found supplement IDE512 LATEST
    2015-03-17 05:22:05.602 Update progress: [I49502] Found supplement IDE513 LATEST
    2015-03-17 05:22:05.602 Update progress: [I49502] Found supplement IDE514 LATEST
    2015-03-17 05:22:05.602 Update progress: [I49502] Found supplement IDE515 LATEST
    2015-03-17 05:22:05.602 Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
    2015-03-17 05:22:05.602 Update progress: [I19463] Syncing product SAVIW32 51
    2015-03-17 05:22:08.518 Update progress: [I19463] Syncing product IDE512 166
    2015-03-17 05:22:09.709 Installing updates...
    2015-03-17 05:22:09.877 Option all = no
    2015-03-17 05:22:12.080 Option recurse = yes
    2015-03-17 05:22:12.080 Option archive = no
    2015-03-17 05:22:12.080 Option service = yes
    2015-03-17 05:22:12.080 Option confirm = yes
    2015-03-17 05:22:12.080 Option sxl = yes
    2015-03-17 05:22:12.080 Option max-data-age = 35
    2015-03-17 05:22:12.080 Option EnableSafeClean = yes
    2015-03-17 05:22:12.080 Option vdl-logging = yes
    2015-03-17 05:22:12.080 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
    2015-03-17 05:22:12.080 Machine ID: 444c96e1d58949f588164f36789cd1ab
    2015-03-17 05:22:12.080 Component SVRTcli.exe version 2.5.4
    2015-03-17 05:22:12.080 Component control.dll version 2.5.4
    2015-03-17 05:22:12.080 Component SVRTservice.exe version 2.5.4
    2015-03-17 05:22:12.080 Component engine\osdp.dll version 1.44.1.2183
    2015-03-17 05:22:12.080 Component engine\veex.dll version 3.58.3.2183
    2015-03-17 05:22:12.080 Component engine\savi.dll version 8.1.5.2183
    2015-03-17 05:22:12.080 Component rkdisk.dll version 1.5.30.0
    2015-03-17 05:22:12.080 Version info: Product version 2.5.4
    2015-03-17 05:22:12.080 Version info: Detection engine 3.58.3
    2015-03-17 05:22:12.080 Version info: Detection data 5.11
    2015-03-17 05:22:12.080 Version info: Build date 2015/2/3
    2015-03-17 05:22:12.080 Version info: Data files added 413
    2015-03-17 05:22:12.080 Version info: Last successful update (not yet updated)
    2015-03-17 05:22:12.080 Error level 1
    2015-03-17 05:22:12.110 Update progress: [I19463] Syncing product IDE513 171
    2015-03-17 05:22:12.110 Update progress: [I19463] Syncing product IDE514 81
    2015-03-17 05:22:12.110 Update progress: [I19463] Syncing product IDE515 1
    2015-03-17 05:22:57.215 Update successful
    2015-03-17 05:23:27.887 Option all = no
    2015-03-17 05:23:27.887 Option recurse = yes
    2015-03-17 05:23:27.888 Option archive = no
    2015-03-17 05:23:27.888 Option service = yes
    2015-03-17 05:23:27.888 Option confirm = yes
    2015-03-17 05:23:27.888 Option sxl = yes
    2015-03-17 05:23:27.891 Option max-data-age = 35
    2015-03-17 05:23:27.891 Option EnableSafeClean = yes
    2015-03-17 05:23:27.968 Option vdl-logging = yes
    2015-03-17 05:23:27.973 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
    2015-03-17 05:23:27.973 Machine ID: 444c96e1d58949f588164f36789cd1ab
    2015-03-17 05:23:27.975 Component SVRTcli.exe version 2.5.4
    2015-03-17 05:23:27.975 Component control.dll version 2.5.4
    2015-03-17 05:23:27.975 Component SVRTservice.exe version 2.5.4
    2015-03-17 05:23:27.975 Component engine\osdp.dll version 1.44.1.2183
    2015-03-17 05:23:27.975 Component engine\veex.dll version 3.58.3.2183
    2015-03-17 05:23:27.975 Component engine\savi.dll version 8.1.5.2183
    2015-03-17 05:23:27.975 Component rkdisk.dll version 1.5.30.0
    2015-03-17 05:23:27.975 Version info: Product version 2.5.4
    2015-03-17 05:23:27.975 Version info: Detection engine 3.58.3
    2015-03-17 05:23:27.975 Version info: Detection data 5.11G
    2015-03-17 05:23:27.975 Version info: Build date 2015/2/3
    2015-03-17 05:23:27.975 Version info: Data files added 413
    2015-03-17 05:23:27.975 Version info: Last successful update 2015/3/16 22:22:57

    2015-03-17 05:51:20.646 >>> Virus 'Troj/Keygen-DS' found in file C:\Downloads\会声会影X5\15.0.0.001\注册机.exe\FILE:0000
    2015-03-17 05:51:20.646 Disinfection not offered
    2015-03-17 05:51:38.716 >>> Virus 'Mal/ZAccConf-A' found in file C:\FRST\Quarantine\C\$Recycle.Bin\S-1-5-18\$b3badc8d50bb3c066fde46b3919fda5d\@
    2015-03-17 05:51:38.716 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 05:51:38.716 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 05:51:38.716 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 05:51:38.716 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 05:51:38.716 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 05:51:38.716 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 05:51:38.716 >>> Virus 'Mal/ZAccConf-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 05:51:51.653 >>> Virus 'Mal/ZAccConf-A' found in file C:\FRST\Quarantine\C\$Recycle.Bin\S-1-5-21-669636167-3881197016-1759864487-1000\$b3badc8d50bb3c066fde46b3919fda5d\@
    2015-03-17 05:51:51.653 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 05:51:51.653 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 05:51:51.653 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 05:51:51.653 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 05:51:51.653 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 05:51:51.653 >>> Virus 'Mal/ZAccConf-A' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 05:51:51.653 >>> Virus 'Mal/ZAccConf-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 05:51:52.961 Could not open C:\hiberfil.sys
    2015-03-17 05:53:28.135 Could not check C:\Iomega_backup\My Files\soar\Feb2008.doc (corrupt)
    2015-03-17 05:58:39.934 Could not open C:\pagefile.sys
    2015-03-17 06:30:21.573 >>> Virus 'Mal/EncPk-AKS' found in file C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{10A45381-E708-D07A-411A-38AEEF4024A6}-ilahnia
    2015-03-17 06:30:21.583 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 06:30:21.583 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 06:30:21.583 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:30:21.583 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:30:21.583 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 06:30:21.583 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 06:30:21.583 >>> Virus 'Mal/EncPk-AKS' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:30:34.665 >>> Virus 'Mal/EncPk-AKS' found in file C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{18098B96-DCB0-090E-A285-2C1562EA337F}-ilahnia
    2015-03-17 06:30:34.668 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 06:30:34.669 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 06:30:34.671 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:30:34.672 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:30:34.672 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 06:30:34.672 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 06:30:34.672 >>> Virus 'Mal/EncPk-AKS' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:30:47.601 >>> Virus 'Mal/EncPk-AKS' found in file C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{672AFB9C-2E76-5192-8541-40EA9610D785}-skjvlrk
    2015-03-17 06:30:47.601 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 06:30:47.601 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 06:30:47.601 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:30:47.601 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:30:47.601 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 06:30:47.611 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 06:30:47.611 >>> Virus 'Mal/EncPk-AKS' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:31:00.007 >>> Virus 'Mal/EncPk-AKS' found in file C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{A38EBCF3-A6E3-3B82-DAAD-BCC6C8D0AC71}-skjvlrk
    2015-03-17 06:31:00.007 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 06:31:00.007 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
    2015-03-17 06:31:00.007 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:31:00.007 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:31:00.007 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 06:31:00.007 >>> Virus 'Mal/EncPk-AKS' found in file HKU\S-1-5-21-669636167-3881197016-1759864487-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
    2015-03-17 06:31:00.007 >>> Virus 'Mal/EncPk-AKS' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    2015-03-17 06:33:30.709 Could not open C:\System Volume Information\{04a45301-cc63-11e4-bf2d-00262d69b861}{3808876b-c176-4e48-b7ae-04046e6cc752}
    2015-03-17 06:33:30.709 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
    2015-03-17 06:33:30.709 Could not open C:\System Volume Information\{5bd1b2bb-ca5d-11e4-908a-00262d69b861}{3808876b-c176-4e48-b7ae-04046e6cc752}
    2015-03-17 06:33:30.709 Could not open C:\System Volume Information\{6f564e6a-bf41-11e4-b43c-00262d69b861}{3808876b-c176-4e48-b7ae-04046e6cc752}
    2015-03-17 06:33:30.709 Could not open C:\System Volume Information\{a7717031-c8f7-11e4-b392-00262d69b861}{3808876b-c176-4e48-b7ae-04046e6cc752}
    2015-03-17 06:38:46.089 Could not check C:\Users\owner\Documents\worldschool\TreinReizen.pps (corrupt)
    2015-03-17 06:38:48.989 Could not check C:\Users\owner\Documents\worldschool\別讓那隻鳥飛了.pps (corrupt)
    2015-03-17 06:38:53.883 Could not check C:\Users\owner\Documents\wusimei\1945年的中国__________(S_7.20).pps (corrupt)
    2015-03-17 06:38:56.287 Could not check C:\Users\owner\Documents\wusimei\三字经(图文并茂生动形象) (Y 5.64).pps (corrupt)
    2015-03-17 06:39:21.511 Could not check C:\Users\owner\Documents\wusimei\历史\下乡见闻.pps (corrupt)
    2015-03-17 06:39:28.884 Could not check C:\Users\owner\Documents\wusimei\圣地拉萨.pps (corrupt)
    2015-03-17 06:39:28.914 Could not check C:\Users\owner\Documents\wusimei\圣地拉萨______________(Y_5.54).pps (corrupt)
    2015-03-17 06:40:20.685 Could not check C:\Users\owner\Documents\wusimei\腳趾运动_______(X_1.71).pps (corrupt)
    2015-03-17 06:40:29.053 Could not check C:\Users\owner\Documents\wuzongsu\两句話就可治療頸椎病.doc (corrupt)
    2015-03-17 06:50:56.999 Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
    2015-03-17 06:50:57.009 Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
    2015-03-17 06:51:06.637 Could not open C:\Windows\System32\config\RegBack\DEFAULT
    2015-03-17 06:51:06.637 Could not open C:\Windows\System32\config\RegBack\SAM
    2015-03-17 06:51:06.647 Could not open C:\Windows\System32\config\RegBack\SECURITY
    2015-03-17 06:51:06.647 Could not open C:\Windows\System32\config\RegBack\SOFTWARE
    2015-03-17 06:51:06.647 Could not open C:\Windows\System32\config\RegBack\SYSTEM
    2015-03-17 07:24:38.501 The following items will be cleaned up:
    2015-03-17 07:24:38.501 Mal/ZAccConf-A
    2015-03-17 07:24:38.501 Mal/EncPk-AKS
    2015-03-17 07:24:38.501 Troj/Keygen-DS
     
  5. 2015/03/17
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Sophos Virus Removal Tool then proceeded to clean up after restart. But after cleanup it asked me to rescan. And after rescan, it reported 1 threat detected and proceeded to clean up (without restarting the computer). But it failed to clean up that threat and asked me to rescan again. I deleted the corrupt files mentioned in the log. A rescan again failed to clean up the threat Troj/Keygen-DS. I looked at the new scan log, found the location of Troj/Keygen-DS, and manually deleted the file containing the threat. A final rescan by Sophos resulted in no threats detected and there was no notepad text when I pressed the "details" button.
     
  6. 2015/03/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  7. 2015/03/17
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    After double clicking on the downloaded BFE.reg, I got the following error message:
    Cannot import C:\Downloads\Windowsbbs\BFE.reg: Error accessing the registry.
     
  8. 2015/03/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download PsExec.exe to your desktop (IMPORTANT!)
    Go Start and in "Start search" type in:
    cmd
    Hold CTRL and SHIFT keys, press Enter.
    Command prompt window will open.
    Copy and paste following command:

    "%userprofile%\desktop\psexec" -i -d -s c:\windows\regedit.exe

    Press Enter.
    Registry Editor will open.
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
    Right-Click services and select Permissions...
    Click Advanced.
    Under the Owner tab select the entry starting with your user name, example: Farbar (Farbar-PC\Farbar)
    Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
    Under the Security tab, while Everyone is selected, put a check mark in the box under Allow next to Full Control.
    Click Apply and OK.

    See if you can double click on BFE.reg now without any error.

    If so...

    Please go back to the Root key again, and while Everyone is selected remove the check mark in the box under Allow next to Full Control, then close the registry.

    Restart computer.

    Post new FSS log.
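    As an added check (this script is not part of the thread and not from broni, FRST or FSS): the procedure above temporarily grants Everyone Full Control on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services and then asks you to remove that grant again. The PowerShell below reads the owner and ACL of that key, warns if the Everyone/Full Control entry is still present, and reports whether the MpsSvc and BFE service keys exist and what their Start, ImagePath and ServiceDll values are, which are the same items FSS checks. It changes nothing, so it can be run before and after the permission change from an elevated PowerShell prompt. The service names in $watch are an assumption for this example; add any other service you want to inspect.

```powershell
# Added example, not from the thread: read-only audit of the Services key
# and of the Windows Firewall service keys (MpsSvc, BFE). Run elevated.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$watch       = @('MpsSvc', 'BFE')   # assumed list: firewall and Base Filtering Engine

function Get-KeyOwnerAndAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        Path   = $Path
        Owner  = $acl.Owner
        # One line per ACE: identity, rights, allow/deny, inherited or explicit
        Access = @($acl.Access | ForEach-Object {
            $inh = $(if ($_.IsInherited) { ', inherited' } else { '' })
            '{0} : {1} ({2}{3})' -f $_.IdentityReference, $_.RegistryRights, $_.AccessControlType, $inh
        })
    }
}

# 1. Owner and ACL of the parent Services key
$parent = Get-KeyOwnerAndAccess -Path $servicesKey
"Owner of $($parent.Path): $($parent.Owner)"
$parent.Access | ForEach-Object { "  $_" }

# Flag the broad grant the procedure adds temporarily; it should be gone once BFE.reg is imported
$full = [System.Security.AccessControl.RegistryRights]::FullControl
$everyoneFull = (Get-Acl -Path $servicesKey).Access | Where-Object {
    $_.IdentityReference -eq 'Everyone' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.RegistryRights -band $full) -eq $full)
}
if ($everyoneFull) {
    'WARNING: Everyone still has Allow/Full Control on the Services key; remove it once the import is done.'
}

# 2. Per-service key presence and the values FSS reports on
foreach ($name in $watch) {
    $key = Join-Path $servicesKey $name
    if (-not (Test-Path $key)) {
        "${name}: service key MISSING (FSS reports this as 'The service key does not exist')"
        continue
    }
    $props = Get-ItemProperty -Path $key
    $dll   = (Get-ItemProperty -Path (Join-Path $key 'Parameters') -ErrorAction SilentlyContinue).ServiceDll
    $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service    = $name
        Status     = $(if ($svc) { $svc.Status } else { 'not registered with the service control manager' })
        Start      = $props.Start        # 2 = Automatic, 3 = Manual (Demand), 4 = Disabled
        ImagePath  = $props.ImagePath
        ServiceDll = $dll
        KeyOwner   = (Get-Acl -Path $key).Owner
    } | Format-List
}
```

If the BFE key is reported missing here, the "Unable to open bfe registry key" lines in FSS are expected, and importing BFE.reg is what recreates it; the script only confirms the state, it does not recreate the key.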
     
  9. 2015/03/17
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Executing "%userprofile%\desktop\psexec" -i -d -s c:\windows\regedit.exe in command prompt resulted in the following error message:
    Couldn't install PSEXESVC services: Access is denied.
     
  10. 2015/03/17
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    I was able to bring up the registry editor as administrator. When I followed instructions to place a check mark on the "Replace owner on subcontainers and objects" and pressed the "Apply" button, I got the error message:
    Registry editor could not set owner on the key currently selected or some of its subkeys.
     
  11. 2015/03/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Go Start and in "Start search" type in:
    cmd
    Hold CTRL and SHIFT keys, press Enter. <----did you? by doing so you open cmd as administrator; it's crucial!
     
  12. 2015/03/17
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Using CTRL, SHIFT and Enter, I was able to open cmd as administrator and then execute the psexec command, which brought up the registry editor. But I got the error message shown in my last post.

    Under the "Owner" tab, there were only two entries:
    Administrator and System. The current owner was Administrator.
     
    Last edited: 2015/03/17
  13. 2015/03/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  14. 2015/03/17
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Tried whole procedure up to "%userprofile%\desktop\psexec" -i -d -s c:\windows\regedit.exe in safe mode. Got the following error message:

    Could not start PSEXESVC service on GATEWAY-NV54: This service cannot be started in Safe Mode.
     
  15. 2015/03/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Let's try another way...

    Go Start>Run (Start Search in Vista/7), type in:
    msconfig
    Click OK (hit Enter in Vista/7).
    Windows 8/8.1 users. Press the Windows logo key and start typing the following:
    msconfig
    Press Enter.

    Click on Startup tab.
    Click Disable all
    IMPORTANT! In case of a laptop, make sure you do NOT disable any keyboard or touchpad entries.

    Click Services tab.
    Put checkmark in Hide all Microsoft services
    Click Disable all.

    Click OK.
    Restart computer in Normal Mode.

    NOTE. If you use a different firewall than Windows Firewall, turn Windows Firewall on just for this test, since your regular firewall won't be running.
    If you use Windows Firewall, you're fine.

    Same problem?
     
  16. 2015/03/17
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Did the msconfig stuff and restarted in normal mode. Ran the full procedure for registry edit. In the Permissions tab, it showed 2 entries of users(gateway NV54\users), one with "Full control <not inherited> This key and subkeys ", and one with "Read MACHINE\SYSTEM This key and subkeys ". Running BFE.reg still gave the same error message:
    Cannot import C:\Downloads\Windowsbbs\BFE.reg: Error accessing the registry.
     
  17. 2015/03/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Did you remember to run "cmd" as administrator?
     
  18. 2015/03/17
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Yes. The cmd was run as administrator, otherwise I could not bring up the registry editor.
     
  19. 2015/03/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Go back to "msconfig" and reverse all changes you made.

    Download Windows Repair (All in One) from this site

    Install the program then run it.

    NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
    NOTE 2. Disable your antivirus program before running Windows Repair.


    Go to Step 3 and click on Check button next to 1. See If Check Disk Is Needed.
    If the tool reports that Check Disk is needed, click on the Do It button next to 2. Check Disk.
    In that case make sure you restart computer.



    Once the above is done go to Step 4 and allow it to run System File Check by clicking on Do It button:



    Go to Step 5 and under "System Restore" click on Create button:



    Go to Repairs tab and click Open Repairs button.


    In next window....
    Leave all checkmarks as they are.
    Click on Start Repairs button.


    Post Windows Repair log which is located in the following folder:
    64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
    32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs

    Post fresh FSS log as well.
     
  20. 2015/03/18
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Following is the Windows_Repair log:

    Tweaking.com - Windows Repair v3.0.0
    --------------------------------------------------------------------------------

    System Variables
    --------------------------------------------------------------------------------
    OS: Windows 7 Home Premium
    OS Architecture: 64-bit
    OS Version: 6.1.7601
    OS Service Pack: Service Pack 1
    Computer Name: GATEWAY-NV54
    Windows Drive: C:\
    Windows Path: C:\Windows
    Program Files: C:\Program Files
    Program Files (x86): C:\Program Files (x86)
    Current Profile: C:\Users\owner
    Current Profile SID: S-1-5-21-669636167-3881197016-1759864487-1000
    Current Profile Classes: S-1-5-21-669636167-3881197016-1759864487-1000_Classes
    Profiles Location: C:\Users
    Profiles Location 2: C:\Windows\ServiceProfiles
    Local Settings AppData: C:\Users\owner\AppData\Local
    --------------------------------------------------------------------------------

    System Information
    --------------------------------------------------------------------------------
    System Up Time: 0 Days 00:06:17

    Process Count: 87
    Commit Total: 1.47 GB
    Commit Limit: 7.86 GB
    Commit Peak: 1.60 GB
    Handle Count: 20643
    Kernel Total: 301.88 MB
    Kernel Paged: 249.71 MB
    Kernel Non Paged: 52.16 MB
    System Cache: 854.27 MB
    Thread Count: 862
    --------------------------------------------------------------------------------

    Memory Before Cleaning with CleanMem
    --------------------------------------------------------------------------------
    Memory Total: 3.93 GB
    Memory Used: 1.41 GB(35.8482%)
    Memory Avail.: 2.52 GB
    --------------------------------------------------------------------------------

    Cleaning Memory Before Starting Repairs...

    Memory After Cleaning with CleanMem
    --------------------------------------------------------------------------------
    Memory Total: 3.93 GB
    Memory Used: 1.15 GB(29.2662%)
    Memory Avail.: 2.78 GB
    --------------------------------------------------------------------------------

    Starting Repairs...
    Started at (3/17/2015 10:06:36 PM)

    Setting Any Missing 'InstallDate' From Uninstall Sections Before Running Repair...
    Total Missing 'InstallDate' Fixed: 165

    01 - Reset Registry Permissions 01/03
    HKEY_CURRENT_USER & Sub Keys
    Start (3/17/2015 10:06:39 PM)

    Running Repair Under Current User Account
    Done (3/17/2015 10:08:52 PM)

    01 - Reset Registry Permissions 02/03
    HKEY_LOCAL_MACHINE & Sub Keys
    Start (3/17/2015 10:08:52 PM)


    Decompressing & Updating Windows Permission File services.txt
    Done, 0.27 seconds.

    Running Repair Under System Account
    Done (3/17/2015 10:22:27 PM)

    01 - Reset Registry Permissions 03/03
    HKEY_CLASSES_ROOT & Sub Keys
    Start (3/17/2015 10:22:27 PM)

    Running Repair Under System Account
    Done (3/17/2015 10:26:10 PM)

    03 - Reset Service Permissions
    Start (3/17/2015 10:26:10 PM)

    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:26:48 PM)

    04 - Register System Files
    Start (3/17/2015 10:26:48 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:27:52 PM)

    05 - Repair WMI
    Start (3/17/2015 10:27:52 PM)

    Starting Security Center So We Can Export The Security Info.

    Exporting Antivirus Info...
    Microsoft Security Essentials Exported.
    avast! Antivirus Exported.

    Exporting AntiSpyware Info...
    Windows Defender Exported.
    avast! Antivirus Exported.
    Microsoft Security Essentials Exported.

    Exporting 3rd Party Firewall Info...
    No Firewall Products Reported.

    Running Repair Under Current User Account
    Done (3/17/2015 10:33:02 PM)

    06 - Repair Windows Firewall
    Start (3/17/2015 10:33:02 PM)
    Running Repair Under Current User Account

    Decompressing & Updating Windows Permission File services.txt
    Done, 0.16 seconds.

    Running Repair Under System Account
    Done (3/17/2015 10:33:14 PM)

    07 - Repair Internet Explorer
    Start (3/17/2015 10:33:14 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:34:07 PM)

    08 - Repair MDAC/MS Jet
    Start (3/17/2015 10:34:07 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:34:24 PM)

    09 - Repair Hosts File
    Start (3/17/2015 10:34:24 PM)
    Running Repair Under System Account
    Done (3/17/2015 10:34:25 PM)

    10 - Remove Policies Set By Infections
    Start (3/17/2015 10:34:25 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:34:34 PM)

    12 - Repair Icons
    Start (3/17/2015 10:34:34 PM)
    Running Repair Under Current User Account
    Done (3/17/2015 10:34:36 PM)

    13 - Repair Winsock & DNS Cache
    Start (3/17/2015 10:34:36 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:34:56 PM)

    15 - Repair Proxy Settings
    Start (3/17/2015 10:34:57 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:34:59 PM)

    17 - Repair Windows Updates
    Start (3/17/2015 10:34:59 PM)
    Running Repair Under Current User Account

    Decompressing & Updating Windows Permission File services.txt
    Done, 0.16 seconds.

    Running Repair Under System Account
    Setting Windows Updates Files That Are In Use To Be Removed At Next Boot.
    Done (3/17/2015 10:35:34 PM)

    18 - Repair CD/DVD Missing/Not Working
    Start (3/17/2015 10:35:34 PM)
    iTunes was found, adding UpperFilters for iTunes Reg Key
    UpperFilters added?: True
    Done (3/17/2015 10:35:34 PM)

    19 - Repair Volume Shadow Copy Service
    Start (3/17/2015 10:35:34 PM)
    Running Repair Under Current User Account

    Decompressing & Updating Windows Permission File services.txt
    Done, 0.16 seconds.

    Running Repair Under System Account
    Done (3/17/2015 10:36:01 PM)

    21 - Repair MSI (Windows Installer)
    Start (3/17/2015 10:36:01 PM)
    Running Repair Under Current User Account

    Decompressing & Updating Windows Permission File services.txt
    Done, 0.15 seconds.

    Running Repair Under System Account
    Done (3/17/2015 10:36:17 PM)

    23.01 - Repair bat Association
    Start (3/17/2015 10:36:17 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:22 PM)

    23.02 - Repair cmd Association
    Start (3/17/2015 10:36:22 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:24 PM)

    23.03 - Repair com Association
    Start (3/17/2015 10:36:24 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:26 PM)

    23.04 - Repair Directory Association
    Start (3/17/2015 10:36:26 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:29 PM)

    23.05 - Repair Drive Association
    Start (3/17/2015 10:36:29 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:31 PM)

    23.06 - Repair exe Association
    Start (3/17/2015 10:36:31 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:33 PM)

    23.07 - Repair Folder Association
    Start (3/17/2015 10:36:33 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:35 PM)

    23.08 - Repair inf Association
    Start (3/17/2015 10:36:36 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:38 PM)

    23.09 - Repair lnk (Shortcuts) Association
    Start (3/17/2015 10:36:38 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:40 PM)

    23.10 - Repair msc Association
    Start (3/17/2015 10:36:40 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:42 PM)

    23.11 - Repair reg Association
    Start (3/17/2015 10:36:42 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:45 PM)

    23.12 - Repair scr Association
    Start (3/17/2015 10:36:45 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:47 PM)

    24 - Repair Windows Safe Mode
    Start (3/17/2015 10:36:47 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:36:49 PM)

    25 - Repair Print Spooler
    Start (3/17/2015 10:36:49 PM)
    Running Repair Under Current User Account

    Decompressing & Updating Windows Permission File services.txt
    Done, 0.15 seconds.

    Running Repair Under System Account
    Done (3/17/2015 10:37:09 PM)

    26 - Restore Important Windows Services
    Start (3/17/2015 10:37:09 PM)
    Running Repair Under Current User Account

    Decompressing & Updating Windows Permission File services.txt
    Done, 0.16 seconds.

    Running Repair Under System Account
    Done (3/17/2015 10:37:26 PM)

    27 - Set Windows Services To Default Startup
    Start (3/17/2015 10:37:26 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:37:38 PM)

    Skipping Repair.
    Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
    Current version: 6.1

    Skipping Repair.
    Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
    Current version: 6.1

    Skipping Repair.
    Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
    Current version: 6.1

    31 - Repair Windows 'New' Submenu
    Start (3/17/2015 10:37:38 PM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/17/2015 10:37:40 PM)

    33 - Repair Performance Counters
    Start (3/17/2015 10:37:40 PM)
    Running Repair Under Current User Account
    Done (3/17/2015 10:37:48 PM)

    Cleaning up empty logs...

    All Selected Repairs Done.
    Done at (3/17/2015 10:37:48 PM)
    Total Repair Time: 00:31:14


    ...YOU MUST RESTART YOUR SYSTEM...

    Following is the FSS log:

    Farbar Service Scanner Version: 17-01-2015
    Ran by owner (administrator) on 17-03-2015 at 22:52:37
    Running from "C:\Users\owner\Desktop "
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.

    bfe Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware "=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => File is digitally signed
    C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\System32\dhcpcore.dll => File is digitally signed
    C:\Windows\System32\drivers\afd.sys => File is digitally signed
    C:\Windows\System32\drivers\tdx.sys => File is digitally signed
    C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\System32\dnsrslvr.dll => File is digitally signed
    C:\Windows\System32\mpssvc.dll => File is digitally signed
    C:\Windows\System32\bfe.dll => File is digitally signed
    C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\System32\SDRSVC.dll => File is digitally signed
    C:\Windows\System32\vssvc.exe => File is digitally signed
    C:\Windows\System32\wscsvc.dll => File is digitally signed
    C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\System32\wuaueng.dll => File is digitally signed
    C:\Windows\System32\qmgr.dll => File is digitally signed
    C:\Windows\System32\es.dll => File is digitally signed
    C:\Windows\System32\cryptsvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Windows\System32\ipnathlp.dll => File is digitally signed
    C:\Windows\System32\iphlpsvc.dll => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed


    **** End of log ****
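    As an added check (this script is not part of the thread and is not FSS or Windows Repair code): the FSS log above has sections for "Firewall Disabled Policy", "System Restore Policy", "Windows Autoupdate Disabled Policy" and "Windows Defender Disabled Policy", and the only one populated is DisableAntiSpyware = 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender. The PowerShell below reads the documented Windows policy values behind those sections and the Start values of the services FSS compares against defaults, and prints ATTENTION where a value disables a feature. The expected start types in $expected are the Windows 7 defaults as FSS states them for WinDefend (Auto) and are assumed for the others; the script is read-only. Step "10 - Remove Policies Set By Infections" in the Windows Repair log is the repair that clears such values; this only verifies the result from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: re-read the policy values and service
# start types that the FSS log reports on. Read-only; run elevated.

$checks = @(
    @{ Area='Windows Firewall'; Key='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Value='EnableFirewall';     Bad=0 },
    @{ Area='Windows Firewall'; Key='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Value='EnableFirewall';     Bad=0 },
    @{ Area='System Restore';   Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Value='DisableSR';          Bad=1 },
    @{ Area='System Restore';   Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Value='DisableConfig';      Bad=1 },
    @{ Area='Windows Update';   Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Value='NoAutoUpdate';       Bad=1 },
    @{ Area='Windows Defender'; Key='HKLM:\SOFTWARE\Microsoft\Windows Defender';                         Value='DisableAntiSpyware'; Bad=1 },
    @{ Area='Windows Defender'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                Value='DisableAntiSpyware'; Bad=1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    $data = $null
    if (Test-Path $Check.Key) {
        # Dynamic property name: the value name comes from the check table
        $data = (Get-ItemProperty -Path $Check.Key -Name $Check.Value -ErrorAction SilentlyContinue).($Check.Value)
    }
    # An absent value is the default; only the disabling value counts as a finding
    $finding = $(if ($null -ne $data -and $data -eq $Check.Bad) { 'ATTENTION: feature disabled by policy' } else { 'OK' })
    [pscustomobject]@{
        Area    = $Check.Area
        Key     = $Check.Key
        Value   = $Check.Value
        Data    = $(if ($null -eq $data) { '<not set>' } else { $data })
        Finding = $finding
    }
}

$checks | ForEach-Object { Test-PolicyValue -Check $_ } | Format-Table -AutoSize -Wrap

# Service start types (2 = Auto, 3 = Demand/Manual, 4 = Disabled); defaults assumed for this example
$expected = @{ MpsSvc = 2; BFE = 2; WinDefend = 2; wscsvc = 2 }
foreach ($name in $expected.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) {
        "${name}: ATTENTION: service key does not exist"
        continue
    }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $state = $(if ($start -eq $expected[$name]) { 'OK' } else { "ATTENTION: start type $start, default $($expected[$name])" })
    "${name}: $state"
}
```

On the machine in this thread the output would show the Windows Defender DisableAntiSpyware finding, WinDefend at start type 3 instead of 2, and BFE with no service key, matching the three ATTENTION items in the FSS log.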
     
  21. 2015/03/18
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    I now find that I can't enable my Avast Antivirus. I tried in msconfig to check the box for Avast Antivirus, both in the Services tab and the Startup tab, but when I press the apply button, the check mark disappears, and Avast Antivirus is not enabled.
     
