
Zeroaccess


  • This topic is locked
22 replies to this topic

#1 budlite3851

budlite3851

  • Members
  • 18 posts

Posted 06 November 2012 - 12:14 PM

Computer fails to boot.

Attached Files

  • Attached File: FRST.txt (10.38KB)




#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 November 2012 - 12:46 PM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flashdrive as fixlist.txt.

start
HKLM-x32\...\Run: []  [x]
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
2 UPATC; C:\Windows\System32\SaiH040B.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
C:\Windows\System32\SaiH040B.dll
NETSVC: UPATC -> C:\Windows\system32\SaiH040B.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
c:\Windows\System32\consrv.dll
C:\Windows\assembly\GAC_32\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 budlite3851

budlite3851
  • Topic Starter

  • Members
  • 18 posts

Posted 06 November 2012 - 12:55 PM

I ran the fixlist from FRST; however, upon rebooting I still received the BSOD c0000135 %hs is missing.
Here is the fix log from FRST:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-11-2012
Ran by SYSTEM at 2012-11-06 13:48:22 Run:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
UPATC service deleted successfully.
C:\Windows\System32\SaiH040B.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs UPATC Deleted successfully.
c:\Windows\System32\consrv.dll moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

==== End of Fixlog ====

Edited by budlite3851, 06 November 2012 - 02:30 PM.


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 November 2012 - 06:07 PM

Please re-run FRST and post the fresh log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 budlite3851

budlite3851
  • Topic Starter

  • Members
  • 18 posts

Posted 07 November 2012 - 10:16 AM

I reran FRST as instructed; here is the new log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-11-2012
Ran by SYSTEM at 07-11-2012 11:10:34
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [318464 2009-05-14] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2009-10-20] (IDT, Inc.)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [610872 2009-08-25] ()
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [171520 2009-12-05] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [HPCam_Menu] "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam" UpdateWithCreateOnce "Software\Hewlett-Packard\Media\Webcam" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [322104 2009-08-20] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [600936 2009-06-29] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" [149280 2009-12-05] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-08-10] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2010-09-01] (Apple Inc.)
HKLM-x32\...\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe" [348760 2010-10-01] (Kaspersky Lab)
HKU\owner\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-10-16] (Hewlett-Packard Company)
Winlogon\Notify\klogon: %SystemRoot%\System32\klogon.dll (Kaspersky Lab)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 71.242.0.12
AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\x64\kloehk.dll,C:\PROGRA~2\KASPER~1\KASPER~1\x64\sbhook64.dll

==================== Services (Whitelisted) ===================

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_d15ed671de43d681\AESTSr64.exe [89600 2009-03-03] (Andrea Electronics Corporation)
2 AVP; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe" -r [348760 2010-10-01] (Kaspersky Lab)
2 CSObjectsSrv; "C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe" [743992 2009-12-21] (Infowatch)
2 DvmMDES; "C:\SPLASH.SYS\config\DVMExportService.exe" [323584 2009-07-08] (DeviceVM, Inc.)
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-07-06] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_d15ed671de43d681\STacSV64.exe [240640 2009-10-20] (IDT, Inc.)

==================== Drivers (Whitelisted) =====================

0 CSCrySec; C:\Windows\System32\Drivers\CSCrySec.sys [85048 2009-12-14] (Infowatch)
1 CSVirtualDiskDrv; C:\Windows\System32\Drivers\CSVirtualDiskDrv.sys [66104 2009-12-14] (Infowatch)
1 DVMIO; \??\C:\SPLASH.SYS\config\dvmio.sys [21624 2009-09-27] (DeviceVM, Inc.)
1 kl1; C:\Windows\System32\Drivers\kl1.sys [157712 2009-09-01] (Kaspersky Lab)
0 KLBG; C:\Windows\System32\Drivers\KLBG.sys [40464 2009-10-14] (Kaspersky Lab)
1 KLIF; C:\Windows\System32\Drivers\KLIF.sys [353296 2012-02-05] (Kaspersky Lab)
1 KLIM6; C:\Windows\System32\Drivers\KLIM6.sys [27152 2009-09-14] (Kaspersky Lab)
3 klmouflt; C:\Windows\System32\Drivers\klmouflt.sys [21008 2009-10-02] (Kaspersky Lab)
3 RTSTOR; C:\Windows\System32\drivers\RTSTOR.SYS [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-06 12:02 - 2012-11-06 12:02 - 00000000 ____D C:\FRST
2012-11-06 03:25 - 2011-07-15 21:26 - 00214528 ____N (Microsoft Corporation) C:\Windows\System32\winsrv.bak

==================== 3 Months Modified Files ==================

2012-11-06 07:45 - 2009-07-13 20:45 - 00325912 ____A C:\Windows\System32\FNTCACHE.DAT

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2011-08-10 08:44:00
Restore point made on: 2011-08-10 19:12:49
Restore point made on: 2011-08-12 05:50:21
Restore point made on: 2011-08-27 21:09:25
Restore point made on: 2011-09-05 13:11:34
Restore point made on: 2011-11-03 19:15:57
Restore point made on: 2011-11-15 13:26:18
Restore point made on: 2011-11-18 06:41:39
Restore point made on: 2011-11-28 05:34:57
Restore point made on: 2011-11-29 06:05:34
Restore point made on: 2011-12-09 17:00:06
Restore point made on: 2012-02-05 16:17:09
Restore point made on: 2012-02-06 13:55:08

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3894.84 MB
Available physical RAM: 3192.15 MB
Total Pagefile: 3892.99 MB
Available Pagefile: 3183.57 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:446.7 GB) (Free:391.39 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:18.76 GB) (Free:3.03 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
5 Drive h: () (Removable) (Total:3.73 GB) (Free:3.69 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 3819 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 446 GB 200 MB
Partition 3 Primary 18 GB 446 GB
Partition 4 Primary 103 MB 465 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 446 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 18 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT32 Removable 3818 MB Healthy

=========================================================

Last Boot: 2012-02-11 18:24

==================== End Of Log =============================

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 07 November 2012 - 11:01 AM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flashdrive as fixlist.txt.

start
Last Boot: 2012-02-11 18:24
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.


If your machine is now booting normally, then please follow the previous instructions for ComboFix

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 budlite3851

budlite3851
  • Topic Starter

  • Members
  • 18 posts

Posted 07 November 2012 - 11:11 AM

Upon reboot I still received the stop c0000135 %hs is missing error.
Here is the fix log:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-11-2012
Ran by SYSTEM at 2012-11-07 12:05:17 Run:2
Running from H:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 07 November 2012 - 11:20 AM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flashdrive as fixlist.txt.

start
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
C:\Windows\System32\consrv.dll
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
cmd: bootrec /FixMbr
cmd: bcdedit /enum all
Control: 
TDL4: custom:26000022
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 budlite3851

budlite3851
  • Topic Starter

  • Members
  • 18 posts

Posted 07 November 2012 - 11:28 AM

Still unable to boot, c0000135 error.
Here is the fix log:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-11-2012
Ran by SYSTEM at 2012-11-07 12:23:04 Run:3
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
C:\Windows\assembly\GAC_32\Desktop.ini not found.
C:\Windows\assembly\GAC_64\Desktop.ini not found.

========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit /enum all =========


Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=Y:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
extendedinput Yes
default {default}
resumeobject {c279be75-9b51-11de-9b93-a29d207e6d0e}
displayorder {default}
toolsdisplayorder {memdiag}
timeout 30
customactions 0x1000085000001
0x5400000f
custom:5400000f {current}

Windows Boot Loader
-------------------
identifier {current}
device ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{3b684fee-f220-11de-86f1-fdee91754fc5}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{3b684fee-f220-11de-86f1-fdee91754fc5}
systemroot \windows
nx OptIn
winpe Yes

Windows Boot Loader
-------------------
identifier {572bcd60-ffa7-11d9-aae0-0007e994107d}
device ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
path \windows\system32\boot\winload.exe
description Microsoft Windows PE 2.0
osdevice ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
systemroot \windows
detecthal Yes
winpe Yes
ems Yes

Windows Boot Loader
-------------------
identifier {default}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {current}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {c279be75-9b51-11de-9b93-a29d207e6d0e}
nx OptIn

Resume from Hibernate
---------------------
identifier {c279be75-9b51-11de-9b93-a29d207e6d0e}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=Y:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {3b684fee-f220-11de-86f1-fdee91754fc5}
description Ramdisk Options
ramdisksdidevice partition=E:
ramdisksdipath \Recovery\WindowsRE\boot.sdi

Setup Ramdisk Options
---------------------
identifier {ramdiskoptions}
description Ramdisk Options
ramdisksdidevice boot
ramdisksdipath \boot\boot.sdi

========= End of CMD: =========


=========== Control: ===========

The operation completed successfully.

==== End of Control: ====

An error occurred while attempting to delete the specified data element.
Element not found.
The operation completed successfully.

==== End of Fixlog ====

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 07 November 2012 - 12:37 PM

Please run the following:

  • boot into the System Recovery Options and run FRST.

    Type the following in the edit box after "Search:" so it looks like this:

    Search: winsrv.*


    Click Search button and post the log it makes to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 budlite3851

budlite3851
  • Topic Starter

  • Members
  • 18 posts

Posted 07 November 2012 - 12:46 PM

Thank you for your continued help. Here are the results from the search:
Farbar Recovery Scan Tool (x64) Version: 05-11-2012
Ran by SYSTEM at 2012-11-07 13:39:20
Running from H:\

================== Search: "winsrv.*" ===================

C:\Windows\winsxs\wow64_microsoft-windows-winsrv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a412dbba527dc14e\winsrv.dll.mui
[2009-07-13 21:35] - [2009-07-13 18:08] - 0008192 ____A (Microsoft Corporation) 9848765E88322400BDC710A76ADEA841

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21756_none_1504fba6cc30ff4f\winsrv.dll
[2011-08-10 08:40] - [2011-06-23 21:27] - 0214528 ____A (Microsoft Corporation) C13D05A015346DED3D722BE285814495

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21738_none_151c9c12cc1efa1b\winsrv.dll
[2011-07-12 18:19] - [2011-06-02 23:01] - 0214528 ____A (Microsoft Corporation) 5AA1C7B5F471C4657BE38447BC397665

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21728_none_15276bfecc16de2a\winsrv.dll
[2011-07-12 18:19] - [2011-05-13 23:11] - 0214528 ____A (Microsoft Corporation) 1A589228B6DC007120F877DBBD6CB79D

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21624_none_152368f0cc1a7ba7\winsrv.dll
[2011-02-10 17:59] - [2010-12-18 00:52] - 0214016 ____A (Microsoft Corporation) A199CC08A13EEB667412423F712FE817

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17641_none_14812d55b30fc4e1\winsrv.dll
[2011-08-10 08:40] - [2011-06-23 21:34] - 0214528 ____A (Microsoft Corporation) EB6A48CC998E1090E44E8E7F1009A640

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17625_none_149ace55b2fbf25b\winsrv.dll
[2011-07-12 18:19] - [2011-06-02 22:57] - 0214528 ____A (Microsoft Corporation) 9F761CE1C6C013120B2F0DB27D48C06F

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17617_none_14a79ed5b2f20918\winsrv.dll
[2011-07-12 18:19] - [2011-05-13 23:24] - 0214528 ____A (Microsoft Corporation) 3A8135A7DED2FA0DAD3BDE1B14865A8A

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17527_none_149ccd03b2fa27e2\winsrv.dll
[2011-02-10 17:59] - [2010-12-17 03:42] - 0214016 ____A (Microsoft Corporation) 15822E7206C7A0A893395CB07A63C7E1

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20995_none_12f25ea6cf2be9d0\winsrv.dll
[2011-08-10 08:40] - [2011-06-23 21:26] - 0214528 ____A (Microsoft Corporation) 6D408ABD60A995A2DAB4BAAE38BCA04F

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20978_none_130aff5ccf18fdf3\winsrv.dll
[2011-07-12 18:19] - [2011-06-02 22:59] - 0214528 ____A (Microsoft Corporation) 55917E3ABDDC20D0AAEAC49F5CE67462

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20864_none_1311cc3acf147f7f\winsrv.dll
[2011-02-10 17:59] - [2010-12-21 23:15] - 0214016 ____A (Microsoft Corporation) 571543B93AE0319185970848024C9E04

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16850_none_128f0019b5f25b8f\winsrv.dll
[2011-08-10 08:40] - [2011-07-15 21:26] - 0214528 ____A (Microsoft Corporation) 0CB6EBF4B461A6043353C570BD72A1E1

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16823_none_12b270bbb5d753c1\winsrv.dll
[2011-07-12 18:19] - [2011-06-01 22:44] - 0214528 ____A (Microsoft Corporation) DE09FA38A6544829F012B9531C18454F

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16816_none_12c04185b5cc83d5\winsrv.dll
[2011-07-12 18:19] - [2011-05-13 23:41] - 0214528 ____A (Microsoft Corporation) 3739AA2F57FE492EA976E20C56CDF2F4

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16723_none_12b26ed5b5d7569a\winsrv.dll
[2011-02-10 17:59] - [2010-12-20 22:16] - 0214016 ____A (Microsoft Corporation) B200DECA2186858595A97FBE63E896CC

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16385_none_12738849b6063c52\winsrv.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0214016 ____A (Microsoft Corporation) 457B44AB6D502E55F64A867D4F35C76C

C:\Windows\winsxs\amd64_microsoft-windows-winsrv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_99be31681e1cff53\winsrv.dll.mui
[2009-07-13 21:35] - [2009-07-13 18:25] - 0008192 ____A (Microsoft Corporation) 0E4E26AF593AC5023E55333096DDD9EA

C:\Windows\winsxs\amd64_microsoft-windows-winsrv-adm_31bf3856ad364e35_6.1.7600.16385_none_74fe9f3a6d505307\Winsrv.admx
[2009-06-10 12:42] - [2009-06-10 12:42] - 0001342 ____A () B28573159BDEA736F3BDFF16604A4AD3

C:\Windows\winsxs\amd64_microsoft-windows-winsrv-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c01e7ca36d3191ee\Winsrv.adml
[2009-07-13 21:35] - [2009-07-13 18:29] - 0001453 ____A () 76D4B8899387BCD0C081D4301E1B18DE

C:\Windows\SysWOW64\en-US\winsrv.dll.mui
[2009-07-13 21:35] - [2009-07-13 18:08] - 0008192 ____A (Microsoft Corporation) 9848765E88322400BDC710A76ADEA841

C:\Windows\system64\winsrv.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0214016 ____A (Microsoft Corporation) 457B44AB6D502E55F64A867D4F35C76C

C:\Windows\system64\en-US\winsrv.dll.mui
[2009-07-13 19:03] - [2009-07-13 19:03] - 0008192 ____A (Microsoft Corporation) 0E4E26AF593AC5023E55333096DDD9EA

C:\Windows\System32\winsrv.bak
[2012-11-06 03:25] - [2011-07-15 21:26] - 0214528 ____N (Microsoft Corporation) 0CB6EBF4B461A6043353C570BD72A1E1

C:\Windows\System32\en-US\winsrv.dll.mui
[2009-07-13 21:35] - [2009-07-13 18:25] - 0008192 ____A (Microsoft Corporation) 0E4E26AF593AC5023E55333096DDD9EA

C:\Windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17514_none_14a49c11b2f4bfec\winsrv.dll
[2011-06-22 05:28] - [2010-11-20 05:27] - 0214016 ____A (Microsoft Corporation) E0406AEF04B088D1C49FC78D0546F689

====== End Of Search ======
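The search output above is what the helper used to pick a replacement for the missing winsrv.dll: the stray winsrv.bak in System32 carries the same MD5 as one of the WinSxS component-store copies, so that copy is the one to put back. The script below is an added example, not part of the thread and not code from FRST or its author; it parses the two-line path/detail format shown in this log, reports whether the target file and its backup are present, and lists the WinSxS copies whose hash matches the backup. The function names are my own, and the embedded sample is an excerpt of the entries printed above.

```python
import re

# FRST prints each hit as a path line followed by a detail line, e.g.
# [2011-08-10 08:40] - [2011-07-15 21:26] - 0214528 ____A (Microsoft Corporation) 0CB6EBF4...
# The regex below captures that detail line (format as seen in the log above).
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# A path line starts with a drive letter and a backslash.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Component-store prefix, compared case-insensitively.
WINSXS_PREFIX = "c:\\windows\\winsxs\\"

# Excerpt of the Search: "winsrv.*" output posted in this thread (sample input, five real entries).
SAMPLE_SEARCH_LOG = r"""
================== Search: "winsrv.*" ===================

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21756_none_1504fba6cc30ff4f\winsrv.dll
[2011-08-10 08:40] - [2011-06-23 21:27] - 0214528 ____A (Microsoft Corporation) C13D05A015346DED3D722BE285814495

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16850_none_128f0019b5f25b8f\winsrv.dll
[2011-08-10 08:40] - [2011-07-15 21:26] - 0214528 ____A (Microsoft Corporation) 0CB6EBF4B461A6043353C570BD72A1E1

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16385_none_12738849b6063c52\winsrv.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0214016 ____A (Microsoft Corporation) 457B44AB6D502E55F64A867D4F35C76C

C:\Windows\System32\winsrv.bak
[2012-11-06 03:25] - [2011-07-15 21:26] - 0214528 ____N (Microsoft Corporation) 0CB6EBF4B461A6043353C570BD72A1E1

C:\Windows\System32\en-US\winsrv.dll.mui
[2009-07-13 21:35] - [2009-07-13 18:25] - 0008192 ____A (Microsoft Corporation) 0E4E26AF593AC5023E55333096DDD9EA

====== End Of Search ======
"""


def parse_frst_search(text):
    """Turn an FRST Search: log into a list of dicts (path, created, modified, size, attrs, company, md5)."""
    records = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending_path = line          # remember the path; its detail line comes next
            continue
        match = DETAIL_RE.match(line)
        if match and pending_path:
            rec = match.groupdict()
            rec["path"] = pending_path
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
        pending_path = None              # anything else (blank, banner) breaks the pair
    return records


def find_record(records, path):
    """Case-insensitive lookup of one path; None if the search did not list it."""
    wanted = path.lower()
    for rec in records:
        if rec["path"].lower() == wanted:
            return rec
    return None


def group_by_md5(records):
    """Map each MD5 to the paths that share it, so identical copies are visible at a glance."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["md5"], []).append(rec["path"])
    return groups


def restore_candidates(records, backup_path):
    """WinSxS copies whose MD5 equals that of the backup file (empty if the backup is absent)."""
    backup = find_record(records, backup_path)
    if backup is None:
        return []
    return [rec["path"] for rec in records
            if rec["path"].lower().startswith(WINSXS_PREFIX) and rec["md5"] == backup["md5"]]


def triage(records, target_path, backup_path):
    """Summarise what the search says about a system file that was renamed or removed."""
    return {
        "target_present": find_record(records, target_path) is not None,
        "backup_present": find_record(records, backup_path) is not None,
        "candidates": restore_candidates(records, backup_path),
    }


if __name__ == "__main__":
    recs = parse_frst_search(SAMPLE_SEARCH_LOG)
    summary = triage(recs, r"C:\Windows\System32\winsrv.dll", r"C:\Windows\System32\winsrv.bak")
    for key, value in summary.items():
        print(f"{key}: {value}")
    for md5, paths in group_by_md5(recs).items():
        print(f"{md5}: {len(paths)} copy/copies")
```

Run on the excerpt, the triage reports the System32 winsrv.dll as absent, the .bak as present, and exactly one WinSxS candidate (the 6.1.7600.16850 copy), which is the file the next post restores with the `replace:` directive. Matching on the hash rather than on the newest version number matters: the backup tells you which build was actually installed on this machine, and a mismatched winsrv.dll would not fix the c0000135 stop error.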

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 07 November 2012 - 12:59 PM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flashdrive as fixlist.txt.

start
replace: C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16850_none_128f0019b5f25b8f\winsrv.dll C:\Windows\System32\winsrv.dll
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.

Let me know how that goes

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 budlite3851

budlite3851
  • Topic Starter

  • Members
  • 18 posts

Posted 07 November 2012 - 01:08 PM

After running that fix I was finally able to boot into Windows.
Here is the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-11-2012
Ran by SYSTEM at 2012-11-07 13:59:19 Run:4
Running from H:\

==============================================

Could not find C:\Windows\System32\winsrv.dll.
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16850_none_128f0019b5f25b8f\winsrv.dll copied successfully to C:\Windows\System32\winsrv.dll

==== End of Fixlog ====

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 07 November 2012 - 01:17 PM

very good :)

Please move on to the ComboFix instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 budlite3851

budlite3851
  • Topic Starter

  • Members
  • 18 posts

Posted 07 November 2012 - 01:51 PM

ComboFix completed; here is the log:
ComboFix 12-11-06.03 - owner 11/07/2012 14:37:26.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3895.2521 [GMT -5:00]
Running from: c:\users\owner\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\783383h8n008h676t544x5xqc2c4
c:\users\Public\videos\HP MediaSmart Demo.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-07 to 2012-11-07 )))))))))))))))))))))))))))))))
.
.
2012-11-07 21:59 . 2011-07-16 05:26 214528 ----a-w- c:\windows\system32\winsrv.dll
2012-11-07 19:42 . 2012-11-07 19:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-07 19:02 . 2012-11-07 19:02 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EE10022D-C7CD-4DDC-91E9-BF941F989B02}\offreg.dll
2012-11-06 20:02 . 2012-11-06 20:02 -------- d-----w- C:\FRST
2012-11-06 11:25 . 2011-07-16 05:26 214528 ------w- c:\windows\system32\winsrv.bak
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2010-10-02 03:05 129624 ----a-w- c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\shellex.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-10-16 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HPCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-08-20 322104]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre6\bin\jusched.exe" [2009-12-05 149280]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe" [2010-10-02 348760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~2\KASPER~1\KASPER~1\sbhook.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1109000.00C\SYMDS64.SYS [x]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1109000.00C\SYMEFA64.SYS [x]
R1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20110430.001\BHDrvx64.sys [x]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys [x]
R1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20110514.001\IDSvia64.sys [x]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS [x]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe [x]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-11-12 232480]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-04-20 50688]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-15 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
S1 DVMIO;DVMIO;c:\splash.sys\config\dvmio.sys [2009-09-27 21624]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_d15ed671de43d681\AESTSr64.exe [2009-03-03 89600]
S2 DvmMDES;DeviceVM Meta Data Export Service;c:\splash.sys\config\DVMExportService.exe [2009-07-09 323584]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2009-07-08 30520]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-06-29 70656]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-13 151040]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-09-26 233984]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2009-11-12 200736]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-11-06 291328]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-10-16 20:49 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2010-10-02 03:06 170584 ----a-w- c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\x64\ShellEx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-10 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-10 390168]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-10 408600]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-05-15 318464]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-10-21 487424]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-08-25 610872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-05 171520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\x64\kloehk.dll c:\progra~2\KASPER~1\KASPER~1\x64\sbhook64.dll
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UPATC
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Anti-Banner - c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-07 13:49:46
ComboFix-quarantined-files.txt 2012-11-07 18:49
.
Pre-Run: 419,607,310,336 bytes free
Post-Run: 420,281,376,768 bytes free
.
- - End Of File - - 7F34023ACF2DF8B5A947F82DFE016649
