
Redirect Trojan, Crypt.anvh


16 replies to this topic

#1 SMargie47


Posted 17 March 2012 - 03:54 PM

Hi there,

I posted here once before when I was afflicted by the TDSS Redirect virus, and you guys were amazing at helping me fix it. I turn now to you again. My computer is reporting the presence of crypt.anvh, specifically in a file, tdx.sys in system32/drivers. I deleted this file, but issues persist. I'm hoping for some assistance in wiping this malicious program from the face of my hard drive! Any help appreciated, just let me know where to start.



#2 Broni


Posted 17 March 2012 - 04:37 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 SMargie47


Posted 17 March 2012 - 07:04 PM

I'm unable to follow any of these steps.

I successfully downloaded MiniToolbox, FSS, and SecurityCheck, but none of the programs will open. They all present the exact same error:

The dependency service or group failed to start.

When I double-click any of these programs on my desktop, I get an hourglass for about 3 minutes, during which I am unable to click anything on my desktop, then this error window opens stating the above error, preventing me from being able to proceed.

#4 Broni


Posted 17 March 2012 - 08:05 PM

Did you try Safe Mode?



#5 SMargie47


Posted 18 March 2012 - 03:03 AM

I was able to run the programs while in Safe Mode, thank you for the suggestion. I performed a System Restore to a prior date before performing most of these steps, in order to replace tdx.sys in my Windows directory, so that I could regain an internet connection on this machine. I also slapped myself for presuming to delete a file, any file, from the Windows folder.

First the log for SecurityCheck:

Results of screen317's Security Check version 0.99.24
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
AVG 2011
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Java™ 6 Update 24
Out of date Java installed!
Adobe Flash Player ( 10.0.32.18) Flash Player Out of Date!
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

#6 SMargie47


Posted 18 March 2012 - 03:06 AM

Here is the FSS Log, showing the replaced tdx.sys. I originally realized my mistake when reading through this log and seeing the result of the file as MISSING. I performed a system restore, and then this scan again, along with all the others.

Farbar Service Scanner Version: 01-03-2012
Ran by PatriotsFan27 (administrator) on 18-03-2012 at 03:04:46
Running from "C:\Users\PatriotsFan27\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
The start type of bfe service is set to Disabled. The default start type is Auto.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys
[2009-09-16 18:18] - [2009-04-10 23:45] - 0072192 ____A () 9B0D8420D71E95B46705C96F43B90CA0

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
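Added example, not part of the thread or of Farbar's tool: a small Python triage script that pulls the security-relevant findings out of an FSS log like the one above. It flags services whose registry key no longer exists (MpsSvc, wscsvc, WinDefend in the posted log), services whose start type was changed from the default (bfe set to Disabled), policy values that switch a component off (DisableAntiSpyware=1), and files whose MD5 FSS could not match against a known-good hash (tdx.sys, which has no "MD5 is legit" verdict). The embedded log is an excerpt of the one posted, trimmed to the relevant sections; nothing else is assumed.

```python
import re
from dataclasses import dataclass

# Excerpt of the FSS log posted above, trimmed so the script runs offline (mpsdrv is
# kept as the "stopped but intact" case that must not raise an alert).
SAMPLE_FSS_LOG = """\
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
The start type of bfe service is set to Disabled. The default start type is Auto.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\\Windows\\system32\\Drivers\\afd.sys => MD5 is legit
C:\\Windows\\system32\\Drivers\\tdx.sys
[2009-09-16 18:18] - [2009-04-10 23:45] - 0072192 ____A () 9B0D8420D71E95B46705C96F43B90CA0
"""

SERVICE_HDR = re.compile(r"^(\S+) Service is not running\.")
KEY_MISSING = re.compile(r"Unable to open (\S+) registry key\. The service key does not exist")
START_TYPE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
POLICY_VAL = re.compile(r'^\[(HKEY_[^\]]+)\]\r?\n"(\w+)"=DWORD:(\d+)', re.M)
FILE_LINE = re.compile(r"^[A-Za-z]:\\")
MD5_HEX = re.compile(r"\b([0-9A-Fa-f]{32})\b")

@dataclass
class ServiceFinding:
    name: str
    key_missing: bool = False   # FSS could not open the service's registry key at all
    start_type: str = ""        # set only when FSS reports a non-default start type
    default_start: str = ""

def parse_services(text):
    """Collect every 'X Service is not running' block and what FSS found wrong in it."""
    findings, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None              # a blank line closes the block
            continue
        m = SERVICE_HDR.match(line)
        if m:
            cur = findings.setdefault(m.group(1), ServiceFinding(m.group(1)))
            continue
        m = KEY_MISSING.search(line)
        if cur and m and m.group(1).lower() == cur.name.lower():
            cur.key_missing = True
        m = START_TYPE.match(line)
        if cur and m and m.group(1).lower() == cur.name.lower():
            cur.start_type, cur.default_start = m.group(2), m.group(3)
    return findings

def parse_policy_values(text):
    """{value name: (registry key, DWORD)} for the policy entries FSS printed."""
    return {name: (key, int(val)) for key, name, val in POLICY_VAL.findall(text)}

def parse_file_check(text):
    """Map each checked file to None if its MD5 was known-good, else to the MD5 FSS printed."""
    files, pending = {}, None
    for line in text.splitlines():
        if FILE_LINE.match(line):
            path, _, verdict = line.partition(" => ")
            files[path] = None if verdict == "MD5 is legit" else ""
            pending = None if verdict else path   # a detail line carrying the hash follows
        elif pending:
            m = MD5_HEX.search(line)
            files[pending] = m.group(1).upper() if m else ""
            pending = None
    return files

def triage(text):
    """Turn an FSS log into the list of findings a helper would act on."""
    alerts = []
    for svc in parse_services(text).values():
        if svc.key_missing:
            alerts.append(f"{svc.name}: service registry key is missing")
        elif svc.start_type and svc.start_type != svc.default_start:
            alerts.append(f"{svc.name}: start type {svc.start_type} (default {svc.default_start})")
    for name, (key, value) in parse_policy_values(text).items():
        if name.startswith("Disable") and value == 1:
            alerts.append(f"{key}: {name}={value}")
    for path, md5 in parse_file_check(text).items():
        if md5 is not None:
            alerts.append(f"{path}: MD5 not recognised ({md5 or 'no hash printed'})")
    return alerts
```

Running `triage()` over the full posted log would additionally flag wscsvc, since FSS reports its service key missing in the same form as MpsSvc.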

#7 SMargie47


Posted 18 March 2012 - 03:08 AM

Here are the MiniToolBox results:

MiniToolBox by Farbar Version: 18-01-2012
Ran by PatriotsFan27 (administrator) on 18-03-2012 at 03:07:16
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.no_proxies_on", "*.local"
"network.proxy.type", 0
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Intel® 82566DC Gigabit Network Connection = Local Area Connection (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : MyComputer
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : austin.rr.com

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 00-0A-3A-6F-E4-3B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : austin.rr.com
Description . . . . . . . . . . . : Intel® 82566DC Gigabit Network Connection
Physical Address. . . . . . . . . : 00-19-D1-4C-FF-64
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::590e:7a74:9105:530f%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.197(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, March 18, 2012 2:27:34 AM
Lease Expires . . . . . . . . . . : Monday, March 19, 2012 2:27:33 AM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 201333201
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0D-CC-AC-02-00-19-D1-4C-FF-64
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.austin.rr.com
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{9355B8E9-77D2-479D-A745-C4A6A8DD5CD7}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 74.125.227.35
74.125.227.36
74.125.227.37
74.125.227.38
74.125.227.39
74.125.227.40
74.125.227.41
74.125.227.46
74.125.227.32
74.125.227.33
74.125.227.34



Pinging google.com [74.125.227.38] with 32 bytes of data:

Reply from 74.125.227.38: bytes=32 time=15ms TTL=55

Reply from 74.125.227.38: bytes=32 time=14ms TTL=55



Ping statistics for 74.125.227.38:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 14ms, Maximum = 15ms, Average = 14ms

Server: UnKnown
Address: 192.168.0.1

Name: yahoo.com
Addresses: 98.139.183.24
209.191.122.70
72.30.38.140



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=15ms TTL=54

Reply from 209.191.122.70: bytes=32 time=16ms TTL=54



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 15ms, Maximum = 16ms, Average = 15ms

Server: UnKnown
Address: 192.168.0.1

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
14 ...00 0a 3a 6f e4 3b ...... Bluetooth Device (Personal Area Network)
9 ...00 19 d1 4c ff 64 ...... Intel® 82566DC Gigabit Network Connection
1 ........................... Software Loopback Interface 1
8 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
17 ...00 00 00 00 00 00 00 e0 isatap.austin.rr.com
16 ...00 00 00 00 00 00 00 e0 isatap.{9355B8E9-77D2-479D-A745-C4A6A8DD5CD7}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.197 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.197 276
192.168.0.197 255.255.255.255 On-link 192.168.0.197 276
192.168.0.255 255.255.255.255 On-link 192.168.0.197 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.197 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.197 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
9 276 fe80::/64 On-link
9 276 fe80::590e:7a74:9105:530f/128 On-link
1 306 ff00::/8 On-link
9 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Windows\system32\wshbth.dll [34304] (Microsoft Corporation)
Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 29 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/18/2012 03:01:36 AM) (Source: System Restore) (User: )
Description: Failed to create restore point on volume (Process = C:\Windows\servicing\TrustedInstaller.exe; Descripton = Windows Modules Installer; Hr = 0x800423f4).

Error: (03/18/2012 03:01:36 AM) (Source: SPP) (User: )
Description: Shadow copy creation failed because of error reported by ASR Writer.

More info: The parameter is incorrect. (0x80070057).

Error: (03/18/2012 03:01:20 AM) (Source: System Restore) (User: )
Description: Failed to create restore point on volume (Process = C:\Windows\system32\svchost.exe -k netsvcs; Descripton = Windows Update; Hr = 0x800423f4).

Error: (03/18/2012 03:01:20 AM) (Source: SPP) (User: )
Description: Shadow copy creation failed because of error reported by ASR Writer.

More info: The parameter is incorrect. (0x80070057).

Error: (03/18/2012 00:44:05 AM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x47918b89, faulting module MSHTML.dll, version 9.0.8112.16441, time stamp 0x4ee81830, exception code 0xc0000005, fault offset 0x001d9686,
process id 0x1e9c, application start time 0xsvchost.exe0.

Error: (03/18/2012 00:32:55 AM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x47918b89, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x5f7a4d31,
process id 0xcf8, application start time 0xsvchost.exe0.

Error: (03/18/2012 00:05:12 AM) (Source: System Restore) (User: )
Description: Failed to create restore point on volume (Process = C:\Windows\system32\svchost.exe -k netsvcs; Descripton = Windows Update; Hr = 0x800423f4).

Error: (03/18/2012 00:05:12 AM) (Source: SPP) (User: )
Description: Shadow copy creation failed because of error reported by ASR Writer.

More info: The parameter is incorrect. (0x80070057).

Error: (03/17/2012 11:57:58 PM) (Source: System Restore) (User: )
Description: Failed to create restore point on volume (Process = C:\Windows\servicing\TrustedInstaller.exe; Descripton = Windows Modules Installer; Hr = 0x800423f4).

Error: (03/17/2012 11:57:58 PM) (Source: SPP) (User: )
Description: Shadow copy creation failed because of error reported by ASR Writer.

More info: The parameter is incorrect. (0x80070057).


System errors:
=============
Error: (03/18/2012 02:30:17 AM) (Source: Service Control Manager) (User: )
Description: Avgtdix

Error: (03/18/2012 02:30:09 AM) (Source: Service Control Manager) (User: )
Description: Internet Connection Sharing (ICS)Base Filtering Engine%%1058

Error: (03/18/2012 02:30:09 AM) (Source: Service Control Manager) (User: )
Description: SBSD Security Center Servicewscsvc

Error: (03/18/2012 02:30:09 AM) (Source: Service Control Manager) (User: )
Description: IPsec Policy AgentBase Filtering Engine%%1058

Error: (03/18/2012 02:30:09 AM) (Source: Service Control Manager) (User: )
Description: IKE and AuthIP IPsec Keying ModulesBase Filtering Engine%%1058

Error: (03/18/2012 02:30:09 AM) (Source: Service Control Manager) (User: )
Description: Computer Browser%%1060

Error: (03/18/2012 02:25:00 AM) (Source: DCOM) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (03/18/2012 00:42:31 AM) (Source: Service Control Manager) (User: )
Description: 1Restart the serviceRemote Access Connection Manager%%1056

Error: (03/18/2012 00:00:10 AM) (Source: Service Control Manager) (User: )
Description: Application Experience1600001Restart the service

Error: (03/17/2012 11:44:23 PM) (Source: Service Control Manager) (User: )
Description: Windows Update


Microsoft Office Sessions:
=========================
Error: (03/18/2012 03:01:36 AM) (Source: System Restore)(User: )
Description: C:\Windows\servicing\TrustedInstaller.exeWindows Modules Installer0x800423f4

Error: (03/18/2012 03:01:36 AM) (Source: SPP)(User: )
Description: ASR WriterThe parameter is incorrect. (0x80070057)

Error: (03/18/2012 03:01:20 AM) (Source: System Restore)(User: )
Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x800423f4

Error: (03/18/2012 03:01:20 AM) (Source: SPP)(User: )
Description: ASR WriterThe parameter is incorrect. (0x80070057)

Error: (03/18/2012 00:44:05 AM) (Source: Application Error)(User: )
Description: svchost.exe6.0.6001.1800047918b89MSHTML.dll9.0.8112.164414ee81830c0000005001d96861e9c01cd04c95a420490

Error: (03/18/2012 00:32:55 AM) (Source: Application Error)(User: )
Description: svchost.exe6.0.6001.1800047918b89unknown0.0.0.000000000c00000055f7a4d31cf801cd04c3c533c6b8

Error: (03/18/2012 00:05:12 AM) (Source: System Restore)(User: )
Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x800423f4

Error: (03/18/2012 00:05:12 AM) (Source: SPP)(User: )
Description: ASR WriterThe parameter is incorrect. (0x80070057)

Error: (03/17/2012 11:57:58 PM) (Source: System Restore)(User: )
Description: C:\Windows\servicing\TrustedInstaller.exeWindows Modules Installer0x800423f4

Error: (03/17/2012 11:57:58 PM) (Source: SPP)(User: )
Description: ASR WriterThe parameter is incorrect. (0x80070057)


=========================== Installed Programs ============================

Adobe Flash Player 10 Plugin (Version: 10.0.32.18)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Reader 7.1.0 (Version: 7.1.0)
Adobe Shockwave Player 11 (Version: 11)
AIM 7
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
AutoUpdate (Version: 1.1)
AVG 2011 (Version: 10.0.1424)
AVG 2011 (Version: 10.0.2113)
Bonjour (Version: 3.0.0.10)
Dell System Customization Wizard (Version: 1.00.0000)
Diablo II
DivX Player (Version: 7.0.0)
DivX Version Checker (Version: 7.0.0.19)
DivX Web Player (Version: 1.4.2)
Documentation & Support Launcher (Version: 1.00.0000)
Download Updater (AOL LLC)
FEAR (Version: 1.00.0000)
Games, Music, & Photos Launcher (Version: 1.00.0000)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.3.2710.138)
Google Update Helper (Version: 1.3.21.99)
iCloud (Version: 1.1.0.40)
Intel® Matrix Storage Manager
iTunes (Version: 10.6.0.40)
Java Auto Updater (Version: 2.0.3.1)
Java™ 6 Update 24 (Version: 6.0.240)
Logitech QuickCam (Version: 11.90.1263)
Logitech QuickCam Driver Package
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Silverlight (Version: 4.1.10111.0)
Microsoft VC9 runtime libraries (Version: 1.0.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 08.05.0818)
mIRC (Version: 7.19)
Mozilla Firefox 10.0.2 (x86 en-US) (Version: 10.0.2)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NVIDIA Drivers (Version: 1.3)
Octoshape add-in for Adobe Flash Player
OpenOffice.org 2.4 (Version: 2.4.9310)
Parrot Audio Suite
QuickTime (Version: 7.71.80.42)
Roxio Creator Audio (Version: 3.3.0)
Roxio Creator BDAV Plugin (Version: 3.3.0)
Roxio Creator Copy (Version: 3.3.0)
Roxio Creator Data (Version: 3.3.0)
Roxio Creator DE (Version: 3.3.0)
Roxio Creator Tools (Version: 3.3.0)
Roxio Express Labeler (Version: 2.1.0)
Roxio MyDVD DE (Version: 9.0.116)
Roxio Update Manager (Version: 3.0.0)
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Sonic Activation Module (Version: 1.0)
Spybot - Search & Destroy (Version: 1.6.2)
TeamSpeak 2 RC2 (Version: 2.0.32.60)
Ultima Online Second Age 5.0.8.3 (Version: 5.0.8.3)
Ultima Online: Mondain's Legacy (Version: 1.00.0000)
UO Auto-Map 9.0.0 (Version: 9.0.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
URL Assistant
User's Guides
Veetle TV 0.9.18 (Version: 0.9.18)
Ventrilo Client (Version: 3.0.1)
vShare Plugin
WIDCOMM Bluetooth Software (Version: 6.2.1.100)
Windows Driver Package - Broadcom Bluetooth (06/15/2009 6.2.0.9000) (Version: 06/15/2009 6.2.0.9000)
Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800) (Version: 07/28/2009 6.2.0.9800)
World of Warcraft

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 72%
Total physical RAM: 2045.21 MB
Available physical RAM: 565.18 MB
Total Pagefile: 4327.7 MB
Available Pagefile: 2301.71 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.74 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:222.78 GB) (Free:114.8 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:4.07 GB) NTFS

========================= Users: ========================================

User accounts for \\MYCOMPUTER

Administrator Guest Mcx1
PatriotsFan27


**** End of log ****

#8 SMargie47


Posted 18 March 2012 - 03:55 AM

I ran Malwarebytes, and here's the log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.18.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
PatriotsFan27 :: MYCOMPUTER [administrator]

3/18/2012 12:04:02 AM
mbam-log-2012-03-18 (00-04-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205286
Time elapsed: 47 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\PatriotsFan27\AppData\Local\temp\fka0.752593774347528.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)

And finally, I ran the avast scan program; it found a few rootkits, and I hit Fix at the end and saved a log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-18 03:09:59
-----------------------------
03:09:59.453 OS Version: Windows 6.0.6002 Service Pack 2
03:09:59.453 Number of processors: 2 586 0xF02
03:09:59.454 ComputerName: MYCOMPUTER UserName:
03:10:19.515 Initialize success
03:10:30.643 AVAST engine defs: 12031700
03:10:40.851 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
03:10:40.854 Disk 0 Vendor: ST325082 3.AD Size: 238418MB BusType: 3
03:10:40.892 Disk 0 MBR read successfully
03:10:40.895 Disk 0 MBR scan
03:10:40.901 Disk 0 MBR:Alureon-M [Rtk]
03:10:40.904 Disk 0 TDL4@MBR code has been found
03:10:40.907 Disk 0 Windows VISTA default MBR code found via API
03:10:40.910 Disk 0 MBR hidden
03:10:40.919 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
03:10:40.970 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 98304
03:10:41.006 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228129 MB offset 21069824
03:10:41.013 Disk 0 MBR [TDL4] **ROOTKIT**
03:10:41.019 Disk 0 trace - called modules:
03:10:41.025 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86f2849f]<<
03:10:41.031 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8649a430]
03:10:41.036 3 CLASSPNP.SYS[8859e8b3] -> nt!IofCallDriver -> [0x86dadab8]
03:10:41.041 \Driver\iaStor[0x86b90710] -> IRP_MJ_CREATE -> 0x86f2849f
03:10:46.756 AVAST engine scan C:\Windows
03:10:53.656 AVAST engine scan C:\Windows\system32
03:17:39.061 AVAST engine scan C:\Windows\system32\drivers
03:18:02.883 File: C:\Windows\system32\drivers\tdx.sys **INFECTED** Win32:Aluroot-B [Rtk]
03:18:08.904 AVAST engine scan C:\Users\PatriotsFan27
03:35:14.679 AVAST engine scan C:\ProgramData
03:38:36.206 Scan finished successfully
03:47:57.598 Disk 0 MBR has been saved successfully to "C:\Users\PatriotsFan27\Desktop\MBR.dat"
03:47:57.613 The log file has been saved successfully to "C:\Users\PatriotsFan27\Desktop\aswMBR.txt"
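
An added example, not part of this thread and not aswMBR's code: the log above reports that the partition table is intact but the boot code is TDL4's and the MBR is hidden from normal reads, and the later scan visits sectors +488278016, which is the first sector after the OS partition. The Python below parses a 512-byte MBR image such as the MBR.dat that aswMBR saved to the desktop, compares its 440-byte boot-code region against a known-good copy, and computes the unpartitioned tail of the disk where a TDL4-style bootkit keeps its hidden file system. The partition layout is constructed from the offsets and sizes in the log (sector counts derived from the MB figures), the disk size is assumed from the reported 238418 MB, and the boot-code bytes are placeholders; the real MBR.dat was not posted.

```python
"""Parse a 512-byte MBR image (e.g. the MBR.dat aswMBR saves) and check the two
things a TDL4-style bootkit changes: the boot code, and the unpartitioned tail
of the disk where the hidden file system lives. Added example, not aswMBR code."""
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0-439: boot code; 440-443: disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries, then 0x55AA
PART_ENTRY = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, count


def parse_mbr(mbr: bytes) -> dict:
    """Return the signature check, disk signature and non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            PART_ENTRY, mbr, PART_TABLE_OFF + i * 16)
        if ptype == 0:
            continue                      # empty slot
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count,
                      "size_mb": count * SECTOR // (1024 * 1024)})
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "partitions": parts,
        # first sector after the last partition = start of the unallocated tail
        "last_partition_end": max(
            (p["lba_start"] + p["sectors"] for p in parts), default=0),
    }


def boot_code_matches(mbr: bytes, reference: bytes) -> bool:
    """True when the boot-code region equals a known-good copy (an MBR.dat saved
    from a clean machine of the same Windows version). TDL4 replaces this region
    but leaves the partition table alone, so an intact table proves nothing."""
    return mbr[:BOOT_CODE_LEN] == reference[:BOOT_CODE_LEN]


def hidden_tail(mbr: bytes, disk_sectors: int) -> tuple:
    """(first_sector, sector_count) of the space after the last partition. The
    bootkit stores its encrypted file system there, so those sectors should be
    read and inspected (or wiped) after the MBR itself has been cleaned."""
    end = parse_mbr(mbr)["last_partition_end"]
    return end, max(disk_sectors - end, 0)


def build_mbr(code: bytes, partitions, disk_signature=0x1234ABCD) -> bytes:
    """Construct a test MBR from boot code (padded to 440 bytes) and
    (status, type, lba_start, sectors) tuples. Test helper, not forensic input."""
    buf = bytearray(SECTOR)
    buf[:BOOT_CODE_LEN] = code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    struct.pack_into("<I", buf, 440, disk_signature)
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, buf, PART_TABLE_OFF + i * 16,
                         status, ptype, lba, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


# Constructed layout matching the aswMBR output in this thread: offsets are the
# log's, sector counts are derived from its MB sizes (the real MBR.dat was not posted).
DELL_LAYOUT = [
    (0x00, 0xDE, 63, 98304 - 63),          # Dell Utility, 47 MB
    (0x00, 0x07, 98304, 20971520),         # RECOVERY, 10240 MB
    (0x80, 0x07, 21069824, 467208192),     # OS, 228129 MB, active
]
DISK_SECTORS = 238418 * 2048               # assumed from "Size: 238418MB"
CLEAN_CODE = b"<placeholder for the Windows Vista MBR boot code>"
BOOTKIT_CODE = b"<placeholder for the TDL4 loader that replaced it>"


def demo() -> dict:
    """Compare a constructed clean MBR with one whose boot code was swapped."""
    clean = build_mbr(CLEAN_CODE, DELL_LAYOUT)
    infected = build_mbr(BOOTKIT_CODE, DELL_LAYOUT)
    return {
        "table_unchanged": parse_mbr(infected)["partitions"] == parse_mbr(clean)["partitions"],
        "boot_code_matches": boot_code_matches(infected, clean),
        "hidden_tail": hidden_tail(infected, DISK_SECTORS),
    }


if __name__ == "__main__":
    for p in parse_mbr(build_mbr(CLEAN_CODE, DELL_LAYOUT))["partitions"]:
        print(p)
    print(demo())
```

With the constructed layout the last partition ends at sector 488278016, exactly where the second aswMBR run starts "scanning sectors"; under the assumed disk size that leaves a 2048-sector tail. On a real disk read the MBR and the tail with a tool that bypasses the running OS (a boot CD or the disk attached to a clean machine), because a live TDL4 hooks the storage driver stack and serves a clean-looking MBR to normal reads, which is what "MBR hidden" in the log means.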

#9 SMargie47 (Topic Starter, Members, 21 posts)

Posted 18 March 2012 - 04:07 AM

I may have resolved the redirection issue now. After running the Avast scanner, I was finally able to successfully run TDSSKiller from Kaspersky. It identified the problem file as tdx.sys, and I told it to fix it, restarted my computer, and am no longer redirecting. I'd be happy to continue with whatever you recommend, as other issues may still remain; I did run into a Generic.BXKE trojan at one point as well, so I may not be virus-free yet, just redirection-free.

#10 Broni (The Coolest BC Computer; BC Advisor, 42,754 posts; Daly City, CA)

Posted 18 March 2012 - 12:09 PM

We need to double-check a couple of things, and we still have some issues to resolve.

First, please re-run aswMBR and post new log.
Re-run FSS and post new log.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#11 SMargie47 (Topic Starter, Members, 21 posts)

Posted 19 March 2012 - 03:04 AM

New FSS Log:

Farbar Service Scanner Version: 01-03-2012
Ran by PatriotsFan27 (administrator) on 19-03-2012 at 03:03:18
Running from "C:\Users\PatriotsFan27\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
The start type of bfe service is set to Disabled. The default start type is Auto.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#12 Broni (The Coolest BC Computer; BC Advisor, 42,754 posts; Daly City, CA)

Posted 19 March 2012 - 06:49 PM

Please re-run aswMBR and post the new log.




#13 SMargie47 (Topic Starter, Members, 21 posts)

Posted 19 March 2012 - 10:29 PM

Sorry, I ran the scan this morning, but it didn't finish before I had to go to work. I'm home now, and my computer restarted, so I have to run the scan again. Results posted soon.

#14 SMargie47 (Topic Starter, Members, 21 posts)

Posted 20 March 2012 - 01:11 AM

Here's the log, sorry about the delay:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-19 22:29:19
-----------------------------
22:29:19.615 OS Version: Windows 6.0.6002 Service Pack 2
22:29:19.615 Number of processors: 2 586 0xF02
22:29:19.616 ComputerName: MYCOMPUTER UserName:
22:29:23.299 Initialize success
22:30:02.307 AVAST engine defs: 12031700
22:30:32.725 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:30:32.727 Disk 0 Vendor: ST325082 3.AD Size: 238418MB BusType: 3
22:30:32.752 Disk 0 MBR read successfully
22:30:32.755 Disk 0 MBR scan
22:30:32.760 Disk 0 Windows VISTA default MBR code
22:30:32.763 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
22:30:32.771 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 98304
22:30:32.791 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228129 MB offset 21069824
22:30:32.869 Disk 0 scanning sectors +488278016
22:30:32.951 Disk 0 scanning C:\Windows\system32\drivers
22:30:49.762 Service scanning
22:31:15.871 Modules scanning
22:31:22.922 Disk 0 trace - called modules:
22:31:22.931
22:31:23.805 AVAST engine scan C:\Windows
22:31:27.279 AVAST engine scan C:\Windows\system32
22:36:15.592 AVAST engine scan C:\Windows\system32\drivers
22:36:30.418 AVAST engine scan C:\Users\PatriotsFan27
22:50:38.823 AVAST engine scan C:\ProgramData
22:55:29.913 Scan finished successfully
01:09:12.542 Disk 0 MBR has been saved successfully to "C:\Users\PatriotsFan27\Desktop\MBR.dat"
01:09:12.573 The log file has been saved successfully to "C:\Users\PatriotsFan27\Desktop\aswMBR.txt"

#15 Broni (The Coolest BC Computer; BC Advisor, 42,754 posts; Daly City, CA)

Posted 20 March 2012 - 06:35 PM

That looks good.

Now, we have several registry keys missing affecting different functions of your computer.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/



Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Click Advanced.
Under the Owner tab, select the entry starting with your user name, example: Farbar(Farbar-PC\Farbar)
Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
Under the Security tab, with Everyone selected, put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

Download Vista.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip downloaded file.
You'll find several files inside.
Double-click windefend.reg and confirm the prompt.
Double-click legacy_wscsvc.reg and confirm the prompt.
Double-click wscsvc.reg and confirm the prompt.
Double-click legacy_bfe.reg and confirm the prompt.
Double-click bfe.reg and confirm the prompt.
Double-click legacy_mpssvc.reg and confirm the prompt.
Double-click mpssvc.reg and confirm the prompt.


Please go back to the Root key again and, with Everyone selected, remove the check mark in the box under Allow next to Full Control, then close the registry editor.

Restart computer.
Post new FSS log.





