
Windows Registry Deletes Keys on Restart


  • This topic is locked
11 replies to this topic

#1 EchoSRP

EchoSRP

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 31 August 2012 - 04:29 AM

OS: Windows 7 x64 Home Premium SP 1

I recently got hit by a drive-by download of some sort of malware that really screwed up a lot of things in my computer.

Here are the details:

Initial registry keys deleted from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - bfe, bits, mpssvc, sharedaccess, wscsvc, wuauserv

I managed to run a few malware scanners, but only the first one I ran detected the malware as a trojan and deleted it. I don't remember which one detected it because I downloaded a bunch of different scanners and ran them all (not at the same time). I'm pretty sure some of what I tried were Malwarebytes and Microsoft Malicious Software Removal Tool.

I then ran the sfc /scannow from cmd. It said a few files that it found were corrupted and that it fixed them.

I also replaced each of the registry keys listed above with clean ones found from a computer with the exact same OS, and then I fixed permissions for each of the keys that required it by adding NT SERVICE/mpssvc (if I remember that string of characters correctly) and Everyone and setting full control for both. Then I ran some batch files to re-register DLLs such as:

regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuwebv.dll
regsvr32 wucltux.dll

(There were others but I don't remember at the moment)

Windows Update isn't even listed in the services listing until I run this command after every time I restart the computer:

regsvr32 wuaueng.dll

or else it just tells me that the service isn't running when I try to use Windows Update.

Although, my only other evident problem now is that the BITS registry key is auto-deleted when I restart the computer. The other keys I replaced remain, but I can't use Windows Update without this BITS key, as I get error code 80246008 when attempting to download new updates. I continue to receive the same error even after re-adding the BITS key to the registry, but I think the system needs to be restarted for the change in registry to actually take effect? So it ends up being a looping problem. Restart to have changes take effect, but delete the key that's supposed to be making the changes...wtf?

Everything I did in attempt to fix this problem was under instruction of websites I searched for solutions for about 9 hours straight. I can't find anything to solve these last remaining problems. Any help that doesn't involve a restore/recover is much appreciated! Really, I don't have any restore points and a recover would take days of tweaking all the settings of the numerous programs I'd have to get back onto my computer...



#2 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:43 PM

Posted 31 August 2012 - 06:24 AM

Download the Windows All in One Repair tool and run it with all boxes checked except the ones below.
http://majorgeeks.com/downloadget.php?id=7141&file=15&evp=18a37c9c3804bd022748a38eb328614e

  • Remove temp files
  • Repair snipping tool.
  • Repair CD DVD

Make sure that restart when done is checked.

After the restart, download the program below, run it, then hit the scan button, then the delete button. Reboot your machine.
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe

After that, try and replace the bits file and reboot; if no go, then do the following.

Please download FarbarServiceScanner and run it on the computer with the issue.
Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MINITOOLBOX and run it.
Checkmark following boxes:

  • List content of Hosts
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
  • List Devices (problems only)

Click Go and post the result.

#3 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:43 PM

Posted 31 August 2012 - 07:01 AM

Download the Windows All in One Repair tool and run it with all boxes checked except the ones below.
http://majorgeeks.com/downloadget.php?id=7141&file=15&evp=18a37c9c3804bd022748a38eb328614e

  • Remove temp files
  • Repair snipping tool.
  • Repair CD DVD

Make sure that restart when done is checked.

After the restart, download the program below, run it, then hit the scan button, then the delete button. Reboot your machine.
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe

After that, try and replace the bits file and reboot; if no go, then do the following.

Edited by InadequateInfirmity, 31 August 2012 - 07:02 AM.


#4 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:43 PM

Posted 31 August 2012 - 07:18 AM

I do not know why all that got jumbled up like that...

Please download FarbarServiceScanner and run it on the computer with the issue.
http://download.bleepingcomputer.com/farbar/FSS.exe
Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MINITOOLBOX and run it.
http://download.bleepingcomputer.com/farbar/MiniToolBox.exe
Checkmark following boxes:

  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
  • List Devices (problems only)

Click Go and post the result.

#5 EchoSRP

EchoSRP
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 31 August 2012 - 10:27 AM

Thanks, I ran all the programs requested.

The malware scanner found something called ZeroAccess. I check marked everything and hit delete.

I re-did the keys for BITS and restarted the system...same problem, except now I can't get the Windows Update service to run at all. The command "regsvr32 wuaueng.dll" throws the following error:
The module "wuaueng.dll" was loaded but the call to DllRegisterServer failed with error code 0x80070005.

Here are the results of FSS:

Farbar Service Scanner Version: 06-08-2012
Ran by Chalenor (administrator) on 31-08-2012 at 11:19:05
Running from "C:\Users\Chalenor\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****




And here are the results of MiniToolBox:

MiniToolBox by Farbar Version: 23-07-2012
Ran by Chalenor (administrator) on 31-08-2012 at 11:20:44
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================




127.0.0.1 localhost

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/31/2012 11:15:58 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/31/2012 11:02:41 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/31/2012 04:05:35 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/31/2012 03:49:56 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/31/2012 01:24:40 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/31/2012 01:14:25 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/31/2012 00:44:09 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/31/2012 00:21:37 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/31/2012 00:01:44 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/30/2012 11:22:10 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (08/31/2012 05:36:51 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk5\DR5.

Error: (08/31/2012 02:55:52 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk6\DR6.

Error: (08/31/2012 02:01:05 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk6\DR6.

Error: (08/31/2012 01:13:49 AM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer MICHAEL-PC
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{159C6142-BF85-420A-9B40-A796ED3CCF34}.
The master browser is stopping or an election is being forced.

Error: (08/31/2012 01:13:27 AM) (Source: Service Control Manager) (User: )
Description: The LogMeIn Hamachi Tunneling Engine service failed to start due to the following error:
%%1053

Error: (08/31/2012 01:13:27 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the LogMeIn Hamachi Tunneling Engine service to connect.

Error: (08/31/2012 01:13:27 AM) (Source: Service Control Manager) (User: )
Description: The LogMeIn Hamachi Tunneling Engine service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (08/31/2012 00:48:45 AM) (Source: Service Control Manager) (User: )
Description: The Windows Firewall service terminated with service-specific error %%5.

Error: (08/31/2012 00:45:25 AM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Listener service terminated with service-specific error %%-2147023143.

Error: (08/31/2012 00:42:47 AM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Listener service terminated with service-specific error %%-2147023143.


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
µTorrent (Version: 3.1.3)
7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
ActiveCheck component for HP Active Support Library (Version: 3.0.0.3)
Adobe Flash Player 11 Plugin (Version: 11.3.300.271)
AMD Accelerated Video Transcoding (Version: 2.00.0002)
AMD APP SDK Runtime (Version: 10.0.923.1)
AMD Catalyst Install Manager (Version: 8.0.873.0)
AMD Drag and Drop Transcoding (Version: 2.00.0000)
AMD Media Foundation Decoders (Version: 1.0.70405.2224)
Audacity 2.0
Auslogics Disk Defrag (Version: version 3.4)
Cain & Abel v4.9.42
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center (Version: 2012.0405.2205.37728)
Catalyst Control Center Graphics Previews Common (Version: 2012.0405.2205.37728)
Catalyst Control Center InstallProxy (Version: 2012.0405.2205.37728)
Catalyst Control Center Localization All (Version: 2012.0405.2205.37728)
ccc-utility64 (Version: 2012.0405.2205.37728)
CCC Help Chinese Standard (Version: 2012.0405.2204.37728)
CCC Help Chinese Traditional (Version: 2012.0405.2204.37728)
CCC Help Czech (Version: 2012.0405.2204.37728)
CCC Help Danish (Version: 2012.0405.2204.37728)
CCC Help Dutch (Version: 2012.0405.2204.37728)
CCC Help English (Version: 2012.0405.2204.37728)
CCC Help Finnish (Version: 2012.0405.2204.37728)
CCC Help French (Version: 2012.0405.2204.37728)
CCC Help German (Version: 2012.0405.2204.37728)
CCC Help Greek (Version: 2012.0405.2204.37728)
CCC Help Hungarian (Version: 2012.0405.2204.37728)
CCC Help Italian (Version: 2012.0405.2204.37728)
CCC Help Japanese (Version: 2012.0405.2204.37728)
CCC Help Korean (Version: 2012.0405.2204.37728)
CCC Help Norwegian (Version: 2012.0405.2204.37728)
CCC Help Polish (Version: 2012.0405.2204.37728)
CCC Help Portuguese (Version: 2012.0405.2204.37728)
CCC Help Russian (Version: 2012.0405.2204.37728)
CCC Help Spanish (Version: 2012.0405.2204.37728)
CCC Help Swedish (Version: 2012.0405.2204.37728)
CCC Help Thai (Version: 2012.0405.2204.37728)
CCC Help Turkish (Version: 2012.0405.2204.37728)
CCleaner (Version: 3.18)
Cheat Engine 6.2
CL-Eye Driver (Version: 4.0.2.1017)
Crystal Reports for Visual Studio (Version: 12.51.0.240)
D3DX10 (Version: 15.4.2368.0902)
DAEMON Tools Lite (Version: 4.45.4.0315)
Dotfuscator Software Services - Community Edition (Version: 5.0.2500.0)
Foxit Reader (Version: 5.3.1.606)
Fraps (remove only)
GIMP 2.8.0 (Version: 2.8.0)
HP Auto (Version: 1.0.12935.3667)
HP Client Services (Version: 1.1.12938.3539)
HP Customer Experience Enhancements (Version: 6.0.1.7)
HP Odometer (Version: 2.10.0000)
HP Support Information (Version: 10.1.1000)
HPAsset component for HP Active Support Library (Version: 3.0.0.3)
HydraVision (Version: 4.2.184.0)
Java Auto Updater (Version: 2.1.6.0)
Java™ 7 Update 4 (64-bit) (Version: 7.0.40)
Java™ 7 Update 5 (Version: 7.0.50)
JavaFX 2.1.1 (Version: 2.1.1)
Junk Mail filter update (Version: 15.4.3502.0922)
KeyTweak - Keyboard Remapper (remove only)
LabelPrint (Version: 2.5.3609)
LAME v3.99.3 (for Windows)
LogMeIn Hamachi (Version: 2.1.0.215)
Mesh Runtime (Version: 15.4.5722.2)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft .NET Framework 4 Multi-Targeting Pack (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools (Version: 2.0.50217.0)
Microsoft ASP.NET MVC 2 (Version: 2.0.50217.0)
Microsoft Help Viewer 1.1 (Version: 1.1.40219)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Report Viewer 2012 Runtime (Version: 11.0.2100.60)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft Silverlight 3 SDK (Version: 3.0.40818.0)
Microsoft Silverlight 4 SDK (Version: 4.0.50826.0)
Microsoft SQL Server 2008 R2 Management Objects (Version: 10.51.2500.0)
Microsoft SQL Server 2008 Setup Support Files (Version: 10.1.2731.0)
Microsoft SQL Server 2012 (64-bit)
Microsoft SQL Server 2012 Native Client (Version: 11.0.2100.60)
Microsoft SQL Server 2012 RsFx Driver (Version: 11.0.2100.60)
Microsoft SQL Server 2012 Setup (English) (Version: 11.0.2100.60)
Microsoft SQL Server 2012 Transact-SQL Compiler Service (Version: 11.0.2100.60)
Microsoft SQL Server 2012 Transact-SQL ScriptDom (Version: 11.0.2100.60)
Microsoft SQL Server System CLR Types (Version: 10.51.2500.0)
Microsoft Sync Framework Runtime v1.0 SP1 (x64) (Version: 1.0.3010.0)
Microsoft Sync Framework SDK v1.0 SP1 (Version: 1.0.3010.0)
Microsoft Sync Framework Services v1.0 SP1 (x64) (Version: 1.0.3010.0)
Microsoft Sync Services for ADO.NET v2.0 SP1 (x64) (Version: 2.0.3010.0)
Microsoft System CLR Types for SQL Server 2012 (x64) (Version: 11.0.2100.60)
Microsoft Team Foundation Server 2010 Object Model - ENU (Version: 10.0.40219)
Microsoft Visual C++ Compilers 2010 Standard - enu - x64 (Version: 10.0.40219)
Microsoft Visual C++ Compilers 2010 Standard - enu - x86 (Version: 10.0.40219)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974 (Version: 9.0.30729.4974)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Designtime - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010 x64 Runtime - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual F# 2.0 Runtime (Version: 10.0.40219)
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools (Version: 10.0.40219)
Microsoft Visual Studio 2010 Office Developer Tools (x64) (Version: 10.0.40219)
Microsoft Visual Studio 2010 Professional - ENU (Version: 10.0.30319)
Microsoft Visual Studio 2010 Professional - ENU (Version: 10.0.40219)
Microsoft Visual Studio 2010 Service Pack 1 (Version: 10.0.40219)
Microsoft Visual Studio 2010 SharePoint Developer Tools (Version: 10.0.40219)
Microsoft Visual Studio 2010 Shell (Isolated) - ENU (Version: 10.0.40219)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.31007)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.31010)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.31124)
Microsoft Visual Studio Macro Tools (Version: 9.0.30729)
Microsoft VSS Writer for SQL Server 2012 (Version: 11.0.2100.60)
Microsoft Works 6-9 Converter (Version: 14.0.6120.5002)
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
MotioninJoy Gamepad tool 0.7.0000 (Version: 0.7.0000)
Mozilla Firefox 15.0 (x86 en-US) (Version: 15.0)
Mozilla Maintenance Service (Version: 15.0)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT Redists (Version: 1.0)
MSVCRT_amd64 (Version: 15.4.2862.0708)
PeerBlock 1.1 (r518) (Version: 1.1.0.518)
Picasa 3 (Version: 3.8)
PlayReady PC Runtime amd64 (Version: 1.3.0)
PlayReady PC Runtime x86 (Version: 1.3.0)
Power2Go (Version: 6.1.4817)
Rappelz_US (Version: Rappelz_US)
Realtek High Definition Audio Driver (Version: 6.0.1.6387)
Recovery Manager (Version: 5.5.3621)
Sandboxie 3.68 (64-bit) (Version: 3.68)
Skype™ 5.10 (Version: 5.10.116)
SQL Server 2012 Common Files (Version: 11.0.2100.60)
SQL Server 2012 Database Engine Services (Version: 11.0.2100.60)
SQL Server 2012 Database Engine Shared (Version: 11.0.2100.60)
SQL Server 2012 Management Studio (Version: 11.0.2100.60)
SQL Server Browser for SQL Server 2012 (Version: 11.0.2100.60)
Sql Server Customer Experience Improvement Program (Version: 11.0.2100.60)
Synergy (Version: 1.3.7)
TeamViewer 7 (Version: 7.0.13989)
Tweaking.com - Windows Repair (All in One) (Version: 1.8.0)
Update 4.0.2 for Microsoft .NET Framework 4 Client Profile (KB2544514) (Version: 1)
Update 4.0.2 for Microsoft .NET Framework 4 Extended (KB2544514) (Version: 1)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Vegas Pro 11.0 (64-bit) (Version: 11.0.371)
Ventrilo Client for Windows x64 (Version: 3.0.8.0)
Visual Studio 2010 Prerequisites - English (Version: 10.0.40219)
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU (Version: 4.0.8080.0)
VLC media player 2.0.1 (Version: 2.0.1)
WCF RIA Services V1.0 SP1 (Version: 4.1.60114.0)
Web Deployment Tool (Version: 1.1.0618)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3508.1109)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
WinPcap 4.1.2 (Version: 4.1.0.2001)
ZTE Handset USB Driver
ZTE Handset USB Driver (Version: 5.2066.1.9B04)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 22%
Total physical RAM: 8174.52 MB
Available physical RAM: 6369.01 MB
Total Pagefile: 9196.71 MB
Available Pagefile: 6932.6 MB
Total Virtual: 4095.88 MB
Available Virtual: 3953.04 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:920.17 GB) (Free:857.56 GB) NTFS
2 Drive d: (HP_RECOVERY) (Fixed) (Total:11.25 GB) (Free:1.37 GB) NTFS
8 Drive j: (FreeAgent GoFlex Drive) (Fixed) (Total:1863.01 GB) (Free:1831.47 GB) NTFS

========================= Users: ========================================

User accounts for \\CHALENOR-PC

Administrator Chalenor Guest


**** End of log ****
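
The Farbar Service Scanner log above separates two different conditions: a service whose registry key is gone (wuauserv) and a service whose key exists but whose start type differs from the default (BITS). As an added example, not part of the original thread and not code from Farbar Service Scanner, the following Python sketch extracts those findings from an FSS.txt so the same check can be repeated after each reboot. The function names `parse_fss` and `triage` are hypothetical, and the line patterns are assumed from the log lines visible in this post only.

```python
import re

# Constructed sample: an excerpt shaped like the "Windows Update" section of
# the FSS log posted above. Replace with the contents of a real FSS.txt.
SAMPLE_FSS = """\
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
"""

# Patterns are assumptions derived from the lines shown in this thread.
NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
ATTENTION = re.compile(r"^Checking (Start type|ImagePath|ServiceDll): ATTENTION!=+> (.+)$")
KEY_MISSING = re.compile(r"Unable to open (\S+) registry key")
START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\."
)


def _entry(findings, name):
    """Return the record for a service, creating it on first sight."""
    return findings.setdefault(name, {
        "running": True,          # flipped when a "not running" line is seen
        "key_missing": False,     # service key absent from the registry
        "failed_checks": [],      # which of Start type/ImagePath/ServiceDll failed
        "start_type": None,
        "default_start_type": None,
    })


def parse_fss(text):
    """Parse FSS log text into {service_name: record} (hypothetical helper)."""
    findings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NOT_RUNNING.match(line)
        if m:
            current = m.group(1)
            _entry(findings, current)["running"] = False
            continue
        m = ATTENTION.match(line)
        if m:
            check, detail = m.groups()
            km = KEY_MISSING.search(detail)
            # Prefer the service named in the message; fall back to the
            # service whose section we are currently in.
            name = km.group(1) if km else current
            if name is None:
                continue
            rec = _entry(findings, name)
            rec["failed_checks"].append(check)
            rec["key_missing"] = rec["key_missing"] or bool(km)
            continue
        m = START_TYPE.match(line)
        if m:
            name, actual, default = m.groups()
            rec = _entry(findings, name)
            rec["start_type"], rec["default_start_type"] = actual, default
    return findings


def triage(findings):
    """Order services by how serious the finding is: missing key first."""
    rank = {"key-missing": 0, "start-type-changed": 1, "not-running": 2}
    out = []
    for name, rec in findings.items():
        if rec["key_missing"]:
            out.append((name, "key-missing"))
        elif rec["start_type"] and rec["start_type"] != rec["default_start_type"]:
            out.append((name, "start-type-changed"))
        elif not rec["running"]:
            out.append((name, "not-running"))
    return sorted(out, key=lambda item: rank[item[1]])


if __name__ == "__main__":
    for service, finding in triage(parse_fss(SAMPLE_FSS)):
        print(f"{service}: {finding}")
```

Comparing the `triage` output of a log taken right after restoring the keys with one taken after the next reboot shows which service keys are being removed again.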

#6 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:43 PM

Posted 31 August 2012 - 11:06 AM

I suggest that you run an updated quick scan with Malwarebytes, remove all it finds, then reboot.
http://www.filehippo.com/download/file/1c191e36566ff0456472487024d4a76b64da9a3deb47ec97e27169650720dfde/

Run the tool below as admin, reboot and check your issue.
http://kb.eset.com/library/ESET/KB Team Only/Malware/ServicesRepair.exe

Download the file below, save to your desktop and then right click and select merge.
http://www.blackviper.com/downloads/Win7/Registry_Files/Default_W7_Home_Premium_64_SP1_Start_v100.zip?7501a5

Reboot.

Follow up with an ESET scan.
http://www.eset.com/us/online-scanner/

#7 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:43 PM

Posted 31 August 2012 - 11:08 AM

http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe Here is the broken link.

#8 EchoSRP

EchoSRP
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 31 August 2012 - 04:47 PM

Latest update of Malwarebytes returned scan with nothing found.

Did the services repair exe and it told me to reboot. Upon logon after that restart, BITS and wuauserv were not present in the registry.

I merged those registry entries from your link and rebooted again. Windows update and BITS still aren't in the services list. Additionally, BITS and wuauserv are present in the registry, but they look like this:
http://i840.photobucket.com/albums/zz328/PictureAccountPhotos/bits.png
http://i840.photobucket.com/albums/zz328/PictureAccountPhotos/wuauserv.png


ESET online scanner found the following:
http://i840.photobucket.com/albums/zz328/PictureAccountPhotos/eset.png

I chose the option to delete it.

Windows Update and BITS services are still missing.

Edited by EchoSRP, 31 August 2012 - 05:02 PM.


#9 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:43 PM

Posted 31 August 2012 - 04:56 PM

You can get the files you need from here.
http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/

Other than that, if the keys keep deleting upon reboot, then I suggest you create a new account or post in the malware removal forum.

#10 EchoSRP

EchoSRP
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 31 August 2012 - 05:19 PM

I added the missing keys from that link, and upon another restart, they are indeed removed again...

I guess I'm headed to the malware removal forum and I'll post a reference to this thread in there.

#11 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:43 PM

Posted 31 August 2012 - 05:32 PM

K let me know how it goes. :)

#12 rotor123

rotor123

  • Moderator
  • 8,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:08:43 PM

Posted 31 August 2012 - 06:17 PM

Since this problem is now posted in the Virus, Trojan, Spyware, and Malware Removal Logs Forum at "Something is Deleting Registy Keys on Reboot ZeroAccess + sirefef found", I am closing this until that issue is resolved. If this needs to be reopened please PM a Moderator.

Roger

Fortune Cookie says: Fortune not Found: Abort, Retry, Ignore?

Sent from my All-In-One Desktop. Perfect for Internet, Not for heavy usage or gaming however.

How Does a computer get Infected? http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
Forum Rules,    The BC Welcome Guide

167 @ June 2015




