xpsp3, constant rogue processes spawning


  • This topic is locked
27 replies to this topic

#1 rcolosi

rcolosi

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 15 May 2016 - 03:09 PM

Hello there.  I have a machine running xp sp3, and I think I may have recently downloaded a false version of flash player that made everything wonk.

Processes constantly spawn, draining cpu usage and memory.  I have seen that many people had this problem as well, and tried to follow some similar steps to achieve success, to no avail.  I was honestly ready to reformat, and alas cannot find my windows disc.  Processes include cmd, notepad, msiexec, presentationhost, explorer, svchost, all of which spawn multiples at differing rates of memory drain.

 

I beseech thee!




 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 AM

Posted 16 May 2016 - 08:32 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.

#3 rcolosi

rcolosi
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 16 May 2016 - 03:11 PM

Hi again, thanks a million for helping.  Here you go!

 

Edit:  It doesn't look like anything happened, except Malwarebytes found something that never seems to go away.

Attached Files


Edited by rcolosi, 16 May 2016 - 03:12 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 AM

Posted 17 May 2016 - 06:44 AM

No antivirus protection seen on this computer.
Windows Firewall is disabled.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
-----

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Hosts:

S3 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [6324208 2015-08-19] (Reimage®)
S3 cpuz134; \??\C:\DOCUME~1\Robert\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [X]
S4 IntelIde; no ImagePath
Task: C:\WINDOWS\Tasks\ReimageUpdater.job => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe <==== ATTENTION
ShortcutWithArgument: C:\Documents and Settings\Robert\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1463272026&a=1054210&src=sh&uuid=091e1fb8-cd36-4838-a2db-0fa26cf6af48"
ShortcutWithArgument: C:\Documents and Settings\Robert\Start Menu\Programs\WarThunder\WarThunder.lnk -> C:\WarThunder\launcher.exe (Gaijin Entertainment) -> "hxxp://trustedsurf.com/?ssid=1463272026&a=1054210&src=sh&uuid=091e1fb8-cd36-4838-a2db-0fa26cf6af48"
ShortcutWithArgument: C:\Documents and Settings\Robert\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1463272026&a=1054210&src=sh&uuid=091e1fb8-cd36-4838-a2db-0fa26cf6af48"
ShortcutWithArgument: C:\Documents and Settings\Robert\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1463272026&a=1054210&src=sh&uuid=091e1fb8-cd36-4838-a2db-0fa26cf6af48"
ShortcutWithArgument: C:\Documents and Settings\Robert\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://trustedsurf.com/?ssid=1463272026&a=1054210&src=sh&uuid=091e1fb8-cd36-4838-a2db-0fa26cf6af48"
ShortcutWithArgument: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://trustedsurf.com/?ssid=1463272026&a=1054210&src=sh&uuid=091e1fb8-cd36-4838-a2db-0fa26cf6af48"
ShortcutWithArgument: C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://trustedsurf.com/?ssid=1463272026&a=1054210&src=sh&uuid=091e1fb8-cd36-4838-a2db-0fa26cf6af48"
ShortcutWithArgument: C:\Documents and Settings\All Users.WINDOWS\Desktop\WarThunder.lnk -> C:\WarThunder\launcher.exe (Gaijin Entertainment) -> "hxxp://trustedsurf.com/?ssid=1463272026&a=1054210&src=sh&uuid=091e1fb8-cd36-4838-a2db-0fa26cf6af48"
C:\Program Files\Reimage\Reimage Protector

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

How is the computer running now?

#5 rcolosi

rcolosi
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 17 May 2016 - 01:36 PM

I thought it was running better at first, but it just seems to take longer for the processes to ramp back up. Also I suppose it's worth noting that every time I shut the computer down, it takes a minute or two because a million boxes pop up saying the application can't be run because the system is shutting down.

 

Here's the fixlog from frst.

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 AM

Posted 18 May 2016 - 07:43 AM

Close all programs and Windows then Shut Down.

If the error message appears please copy the exact error message.
It may give me some clues to investigate.

#7 rcolosi

rcolosi
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 18 May 2016 - 03:43 PM

"The application failed to initialize because the window station is shutting down"

 

Followed by a bunch of spam-like ads popping up for various things like banking or video sites and stuff, which I might note never pop up during normal service of the computer.  And I don't use ad blockers and the like.

 

I assume the error message is due to the program spawning all these unnecessary exe's to slow the computer down while the computer is simultaneously shutting down.  But I know nothin' bout nothin'

 

Edit:  I suppose it's worth noting also that every time I restart, it tells me a new hardware is found, and asks if I want to search the web for drivers.  I disregard it usually.


Edited by rcolosi, 18 May 2016 - 03:44 PM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 AM

Posted 19 May 2016 - 07:40 AM

1. Type “msconfig” in Run box, you will get System Configuration window.
2. Navigate to Startup tab.
3. Uncheck all the options in Startup and then reboot the computer to see whether you get the same issue.

If all is well then continue.

Those programs will not start automatically. You need to start them manually.

In this way, we can narrow down the cause of the issue. It seems that some program is causing this issue.

Keep me posted.

When the test is completed you can Check the Items that were unchecked.

#9 rcolosi

rcolosi
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 19 May 2016 - 12:56 PM

Alright, only 3 programs were left unchecked, so I unchecked them, restarted.

 

However, the only one that looked funky (308_309_1120_1_dfdaf), came back after restart on the startup configuration.  I'll try unchecking it and restarting again.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 AM

Posted 20 May 2016 - 07:48 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind
    308_309_1120_1_dfdaf
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

#11 rcolosi

rcolosi
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 20 May 2016 - 11:04 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 09:04 on 20/05/2016 by Robert
Administrator - Elevation successful

========== regfind ==========

Searching for "308_309_1120_1_dfdaf"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinResSync"="C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Robert\Application Data\Microsoft\Protect\308_309_1120_1_dfdaf.rs""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WinResSync"="C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Robert\Application Data\Microsoft\Protect\308_309_1120_1_dfdaf.rs""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinResSync]
"item"="308_309_1120_1_dfdaf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinResSync]
"command"="C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Robert\Application Data\Microsoft\Protect\308_309_1120_1_dfdaf.rs""
[HKEY_USERS\S-1-5-21-1409082233-602162358-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"WinResSync"="C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Robert\Application Data\Microsoft\Protect\308_309_1120_1_dfdaf.rs""
[HKEY_USERS\S-1-5-21-1409082233-602162358-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WinResSync"="C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Robert\Application Data\Microsoft\Protect\308_309_1120_1_dfdaf.rs""

-= EOF =-



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 AM

Posted 21 May 2016 - 08:00 AM

Your FRST log reports this.

C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Robert\Application Data\Microsoft\Protect\307_308_1112_1_1a0f2.rs


If you Google WinResSync you will see that these files are random.

It may be that this one is malware.

Submit the file in bold to Virus Total for a scan.
C:\Documents and Settings\Robert\Application Data\Microsoft\Protect\308_309_1120_1_dfdaf.rs

Follow the instructions on this page.
https://www.virustotal.com/

Post the log for my review.
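Added example, not part of the original posts or of any tool used in this thread: a small Python triage script for the pattern visible in the SystemLook log in post #11 and the FRST command line quoted in post #12, where a stable autorun value name silently runs regsvr32 against a file whose name changes between logs. The function names, the extension allow-list, the path fragments and the two-reason threshold are assumptions made for illustration.

```python
import ntpath
import re

# Assumption: extensions regsvr32 is normally pointed at; anything else is unusual.
USUAL_EXTS = {".dll", ".ocx", ".ax", ".cpl"}
# Assumption: path fragments that mark user-writable locations.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\")

# Entries copied from the SystemLook log in post #11; the ctfmon entry
# is constructed here as a benign comparison.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinResSync"="C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Robert\Application Data\Microsoft\Protect\308_309_1120_1_dfdaf.rs""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WinResSync"="C:\WINDOWS\system32\regsvr32.exe /s "C:\Documents and Settings\Robert\Application Data\Microsoft\Protect\308_309_1120_1_dfdaf.rs""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinResSync]
"item"="308_309_1120_1_dfdaf"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
'''

def regsvr32_reasons(command):
    """Return (target, reasons) for a regsvr32 command line, else (None, [])."""
    m = re.search(r'regsvr32(?:\.exe)?"?\s+(.*)', command, re.I)
    if not m:
        return None, []
    args = m.group(1)
    switches = {s.lower() for s in re.findall(r'(?<!\S)/([a-z])', args, re.I)}
    # Take the quoted path even if the closing quote was lost in a paste.
    quoted = re.search(r'"([^"]+)', args)
    bare = [t for t in args.split() if not t.startswith("/")]
    target = quoted.group(1) if quoted else (bare[-1] if bare else "")
    reasons = []
    if "s" in switches:
        reasons.append("silent (/s)")
    ext = ntpath.splitext(target)[1].lower()
    if ext not in USUAL_EXTS:
        reasons.append("unusual extension " + (ext or "(none)"))
    if any(p in target.lower() for p in USER_WRITABLE):
        reasons.append("user-writable path")
    return target, reasons

def scan_regfind(log):
    """Flag autorun values in SystemLook :regfind output that launch regsvr32."""
    findings, key = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not (m and key):
            continue
        name, data = m.groups()
        autorun = re.search(r'\\CurrentVersion\\Run(Once)?$', key, re.I) or (
            "\\msconfig\\startupreg\\" in key.lower() and name.lower() == "command")
        target, reasons = regsvr32_reasons(data)
        # Assumption: two or more indicators together are worth a closer look.
        if autorun and len(reasons) >= 2:
            findings.append({"key": key, "value": name, "target": target, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_regfind(SAMPLE_LOG):
        print(f["value"], "|", f["key"], "|", f["target"], "|", ", ".join(f["reasons"]))
```

Because the check keys on the command shape rather than the file name, it flags both the 308_309_1120_1_dfdaf.rs entry and the differently named file from the FRST log.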

#13 rcolosi

rcolosi
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 22 May 2016 - 12:05 AM

Strange.  It told me I had already scanned the file 3 days ago, and I've definitely never been to the site.  I had it reanalyzed, though.  There was no actual file log to post, so I suppose I'll just post all the information I see.  Also it's worth noting that the file was kinda hard to get to, it's hidden in the folder it resides in.

 

Antivirus | Result | Update
ALYac | Gen:Variant.Graftor.176744 | 20160522
AVG | Win32/DH{gVQj?} | 20160522
AVware | Trojan.Win32.Generic!BT | 20160521
Ad-Aware | Gen:Variant.Graftor.176744 | 20160522
AegisLab | Troj.W32.Invader!c | 20160521
Antiy-AVL | Trojan[:HEUR]/Win32.Invader | 20160522
Arcabit | Trojan.Graftor.D2B268 | 20160522
Avast | Win32:Malware-gen | 20160522
Avira (no cloud) | TR/Crypt.Xpack.iweu | 20160521
BitDefender | Gen:Variant.Graftor.176744 | 20160522
Cyren | W32/Trojan.QSOA-0058 | 20160522
DrWeb | Trojan.KillProc.41442 | 20160522
ESET-NOD32 | a variant of Win32/TrojanDownloader.Blocrypt.AN | 20160521
Emsisoft | Gen:Variant.Graftor.176744 (B) | 20160522
F-Secure | Gen:Variant.Graftor.176744 | 20160522
Fortinet | Malware_Generic.P0 | 20160522
GData | Gen:Variant.Graftor.176744 | 20160522
Ikarus | Trojan-Downloader.Win32.Blocrypt | 20160521
Jiangmin | Trojan.Invader.ws | 20160522
K7AntiVirus | Trojan-Downloader ( 004e0d9c1 ) | 20160521
K7GW | Trojan-Downloader ( 004e0d9c1 ) | 20160522
Kaspersky | HEUR:Trojan.Win32.Invader | 20160522
McAfee | Artemis!DF533F665722 | 20160522
McAfee-GW-Edition | BehavesLike.Win32.Dropper.dh | 20160521
eScan | Gen:Variant.Graftor.176744 | 20160522
Microsoft | Trojan:Win32/Dynamer!ac | 20160522
NANO-Antivirus | Trojan.Win32.Invader.ecmwcd | 20160522
Panda | Trj/Genetic.gen | 20160521
Qihoo-360 | HEUR/QVM30.1.Malware.Gen | 20160522
Rising | Malware.Generic!2la08DvNQAR@1 (Thunder) | 20160522
Sophos | Mal/Generic-S | 20160522
Symantec | Trojan.Gen | 20160522
Tencent | Win32.Trojan.Invader.Wtxb | 20160522
VIPRE | Trojan.Win32.Generic!BT | 20160522
ViRobot | Trojan.Win32.Z.Graftor.241152[h] | 20160521
AhnLab-V3 |  | 20160521
Alibaba |  | 20160520
Baidu |  | 20160520
Baidu-International |  | 20160521
Bkav |  | 20160521
CAT-QuickHeal |  | 20160521
CMC |  | 20160520
ClamAV |  | 20160522
Comodo |  | 20160522
F-Prot |  | 20160522
Kingsoft |  | 20160522
Malwarebytes |  | 20160522
SUPERAntiSpyware |  | 20160521
TheHacker |  | 20160522
TrendMicro |  | 20160522
TrendMicro-HouseCall |  | 20160522
VBA32 |  | 20160520
Yandex |  | 20160521
Zillya |  | 20160521
Zoner |  | 20160522
nProtect |  | 20160520

 

-----------------------------------------------------------------------------

 

The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright Direct3d minisite standby
Product Dbms optical drive dac codec dtd
Original name San filename hyper-threading graymail xml cuda
Internal name Cdma dhcp iso olap
File version 22.51.124.213
Description Bookmark google drive thread gateway
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-05-18 07:20:31
Entry Point 0x00005F46
Number of sections 6
PE sections
Name Virtual address Virtual size Raw size Entropy MD5
.text 4096 131374 131584 6.63 5d2ea1f3ee4125aadc889bd7e635f5b0
.rdata 139264 37012 37376 4.98 1e70456021a134dc92910ceebf420821
.data 180224 15600 6656 4.27 d50dee50a4477c4924ea41cd47233c7e
.dat 196608 8 512 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rsrc 200704 43368 43520 6.58 09cd3efe4e190c4694fe7ed3a12616d1
.reloc 245760 20458 20480 3.68 daad2161e2ac487cf183a0021546d3ea
PE imports PE exports
DllRegisterServer
DoAllocateAndGetTcpExTableFromStack
DoEnumerateSecurityPackagesA
DoGetLocalManagedApplicationData
DoGetSecurityUserInfo
DoI_RpcGetCurrentCallHandle
DoImageList_Remove
DoVarUI1FromI4
DoVarUI8FromUI2
Doregister_icmp
 
Number of PE resources by type
RT_ICON 4
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 6
ExifTool file metadata
SubsystemVersion 5.1
LinkerVersion 11.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 22.51.124.213
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 117760
EntryPoint 0x5f46
OriginalFileName San filename hyper-threading graymail xml cuda
MIMEType application/octet-stream
LegalCopyright Direct3d minisite standby
FileVersion 22.51.124.213
TimeStamp 2016:05:18 08:20:31+01:00
FileType Win32 DLL
PEType PE32
InternalName Cdma dhcp iso olap
ProductVersion 139.133.0.0
FileDescription Bookmark google drive thread gateway
OSVersion 5.1
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Input monitor newsgroup rj45 command line interface class platform navigation bar botnet
CodeSize 131584
ProductName Dbms optical drive dac codec dtd
ProductVersionNumber 139.133.0.0
FileTypeExtension dll
ObjectFileType Dynamic link library
 
-----------------------------------------------------------
 
File identification
MD5 df533f665722a26434a8b469f4635224
SHA1 fde6f342c5a4fedad46641ae093132008fcf3a95
SHA256 2b05892a518e2bcb8dd7fceb34d37f0380ffcc2a81946b2d823ca8d89c068d6b
ssdeep 3072:hkMppeVxBrQlxRVLAx5NMgO+FMtUrlg9fM+2s2YIy:hbGdsNc57OZUrlu+y
authentihash d527b20d45d157fe2ddd8c6ecdcdadbd763025247245b9ae4e9b14018e569ad4
imphash 6325114097f802b238d3c81b6f97dd0e
File size 235.5 KB ( 241152 bytes )
File type Win32 DLL
Magic literal PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.4%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags pedll
VirusTotal metadata
First submission 2016-05-18 21:04:20 UTC ( 3 days, 7 hours ago )
Last submission 2016-05-22 04:58:36 UTC ( 4 minutes ago )
File names 308_309_1832_1_bd084.rs
308_309_1120_1_dfdaf.rs
Cdma dhcp iso olap
San filename hyper-threading graymail xml cuda

 

------------------------------------

 

 

 



#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 AM

Posted 22 May 2016 - 08:21 AM

Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved, right click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinResSync"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WinResSync"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinResSync]
"item"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinResSync]
"command"=-
[HKEY_USERS\S-1-5-21-1409082233-602162358-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"WinResSync"=-
[HKEY_USERS\S-1-5-21-1409082233-602162358-839522115-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WinResSync"=-


Restart the computer when completed.

You can delete the fixme.reg file when done.

---

Please run the Farbar tool and post a fresh FRST log for my review.

Let me know if the problem persists.

#15 rcolosi

rcolosi
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 22 May 2016 - 12:12 PM

Restarting after the registry change still prompted the error box to pop up, along with the usual popups.  After rebooting and running the scan tool, the problem still appears to be just as strong as before.

 

Here's the log!

Attached Files

  • Attached File  FRST.txt   33.21KB   1 downloads




