Error 0X0000225 After syskey lock


  • This topic is locked
24 replies to this topic

#1 zap1974

  • Members
  • 48 posts

Posted 18 July 2018 - 02:12 PM

Hi, I have a friend's computer; it's an HP Stream with Windows 10 on it. They got hit with a syskey lock over a phone scam, so I followed the instructions below to get rid of it.

When Windows boots I now get the error: File \Windows\system32\config\system

Error code: 0X0000225

 

I've tried to follow the instructions for bootrec; /fixmbr and /fixboot work, but when I go to /rebuildbcd it finds my Windows installation, and when I go to add it to the installation it comes back "The requested system device can't be found".

 

Anything with BCD doesn't seem to work. I'm not sure if this is because the syskey lock is still locking the hive.

 

I've attached photos to try and explain. It says the drive is GPT, so I tried to set it as Active, but it said I couldn't as it's not something.

 

Here are the photos. 

 

https://drive.google.com/open?id=1hHVHaeNIYo7HKmdiTZ9mRkRO7GrjYxcY





#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,812 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 July 2018 - 10:00 PM

Hi and welcome.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Boot in the Recovery Environment
  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
Once in the command prompt
  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Scan button and wait for it to complete
  • A log called frst.txt will be saved on your USB Flash Drive. Post it in your next reply

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 zap1974
  • Topic Starter

  • Members
  • 48 posts

Posted 18 July 2018 - 10:48 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15.07.2018
Ran by SYSTEM on MININT-6MM4OJ3 (18-07-2018 20:46:44)
Running from D:\
Platform: WIN_10 (X64) Language: English (United States)
Boot Mode: Recovery
ATTENTION: Could not load system hive.
The operation completed successfully.
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Winlogon: [Userinit]
HKLM\...\Winlogon: [Shell]  [ ] () <=== ATTENTION
HKLM-x32\...\Winlogon: [Shell]  [ ] () <=== ATTENTION
HKLM\...\InprocServer32: [Default-wbemess]  <==== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  <==== ATTENTION
HKU\Skylar\...\RunOnce: [MISPInst] => C:\Users\Skylar\AppData\Local\Temp\McInstallTemp\Install.exe [2131728 2018-04-03] (McAfee, Inc.) <==== ATTENTION
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2018-07-18 20:46 - 2018-07-18 20:46 - 000000000 ____D C:\FRST
2018-07-18 18:05 - 2018-07-18 18:05 - 000000512 _____ C:\lsfc.isk20180719020543956.isk
2018-07-18 18:05 - 2018-07-18 18:05 - 000000435 _____ C:\lsmc.isk20180719020543925.isk
2018-07-18 15:57 - 2018-07-18 15:57 - 000000000 _____ C:\BCD20180718235722047.isk.bcd
2018-07-18 15:55 - 2018-07-18 15:55 - 000000512 _____ C:\lsfc.isk20180718235549766.isk
2018-07-18 02:52 - 2018-07-18 18:05 - 000000512 _____ C:\lsfc.isk
2018-07-18 02:52 - 2018-07-18 18:05 - 000000435 _____ C:\lsmc.isk
2018-07-18 02:52 - 2018-07-18 02:52 - 000000512 _____ C:\lsfc.isk20180718105231863.isk
2018-07-18 02:52 - 2018-07-18 02:52 - 000000512 _____ C:\lsfc.isk20180718105205131.isk
2018-07-18 02:52 - 2018-07-18 02:52 - 000000435 _____ C:\lsmc.isk20180718105231832.isk
2018-07-18 02:52 - 2018-07-18 02:52 - 000000435 _____ C:\lsmc.isk20180718105200324.isk
2018-07-18 02:51 - 2018-07-18 02:51 - 000008192 _____ C:\lsnc.isk20180718105117090.isk
2018-07-18 02:51 - 2018-07-18 02:51 - 000008192 _____ C:\lsnc.isk
2018-07-18 02:50 - 2018-07-18 02:50 - 000000000 _____ C:\BCD20180718105006070.isk.bcd
2018-07-18 02:49 - 2018-07-18 02:49 - 000065536 _____ C:\Windows\System32\config\sam.lbk
2018-07-17 23:37 - 2018-07-17 23:37 - 000000000 ____D C:\efi
2018-07-17 23:23 - 2018-07-18 20:32 - 000000000 _____ C:\Recovery.txt
2018-07-17 17:39 - 2018-07-18 15:32 - 000008192 _____ C:\Windows\System32\config\SOFTWARE
2018-07-17 17:39 - 2018-07-18 09:42 - 000028672 _____ C:\Windows\System32\config\BCD-Template
2018-07-17 17:39 - 2018-07-15 10:36 - 001310720 _____ C:\Windows\System32\config\BBI
2018-07-17 17:39 - 2018-07-15 10:34 - 000032768 _____ C:\Windows\System32\config\ELAM
2018-07-17 17:39 - 2017-03-18 13:01 - 000004096 _____ C:\Windows\System32\config\VSMIDK
2018-07-17 17:39 - 2017-03-17 19:52 - 000008192 _____ C:\Windows\System32\config\SYSTEM
2018-07-17 17:39 - 2017-03-17 19:52 - 000008192 _____ C:\Windows\System32\config\SECURITY
2018-07-17 17:39 - 2017-03-17 19:52 - 000008192 _____ C:\Windows\System32\config\SAM
2018-07-17 17:39 - 2017-03-17 19:52 - 000008192 _____ C:\Windows\System32\config\DEFAULT
2018-07-17 16:42 - 2018-07-17 16:42 - 000028672 _____ C:\bcd_backup
2018-07-17 16:37 - 2018-07-17 16:37 - 000028672 _____ C:\bcdbackup
2018-07-17 01:11 - 2018-07-17 01:11 - 000000000 ____D C:\Windows\System32\config\backup3
2018-07-17 01:08 - 2018-07-17 00:02 - 000008192 _____ C:\Windows\System32\SYSTEM
2018-07-17 01:08 - 2018-07-17 00:02 - 000008192 _____ C:\Windows\System32\SOFTWARE
2018-07-17 01:08 - 2018-07-15 10:36 - 001310720 _____ C:\Windows\System32\BBI
2018-07-17 01:08 - 2018-07-15 10:34 - 000032768 _____ C:\Windows\System32\ELAM
2018-07-17 01:08 - 2017-09-27 14:32 - 000028672 _____ C:\Windows\System32\BCD-Template
2018-07-17 01:08 - 2017-03-18 13:01 - 000004096 _____ C:\Windows\System32\VSMIDK
2018-07-17 01:08 - 2017-03-17 19:52 - 000008192 _____ C:\Windows\System32\SECURITY
2018-07-17 01:08 - 2017-03-17 19:52 - 000008192 _____ C:\Windows\System32\SAM
2018-07-17 01:08 - 2017-03-17 19:52 - 000008192 _____ C:\Windows\System32\DEFAULT
2018-07-17 01:00 - 2018-07-17 01:01 - 000000000 ____D C:\Windows\System32\config\backup1
2018-07-17 00:55 - 2018-07-16 22:48 - 017563648 _____ C:\SYSTEM
2018-07-17 00:55 - 2018-07-16 22:48 - 000786432 _____ C:\DEFAULT
2018-07-17 00:55 - 2018-07-16 22:48 - 000065536 _____ C:\SECURITY
2018-07-17 00:55 - 2018-07-16 19:16 - 000065536 _____ C:\SAM
2018-07-17 00:55 - 2018-07-15 10:36 - 001310720 _____ C:\BBI
2018-07-17 00:55 - 2018-07-15 10:34 - 000032768 _____ C:\ELAM
2018-07-17 00:55 - 2017-09-27 14:32 - 000028672 _____ C:\BCD-Template
2018-07-17 00:55 - 2017-03-18 13:01 - 000004096 _____ C:\VSMIDK
2018-07-17 00:13 - 2018-07-17 00:14 - 000000000 ____D C:\Windows\System32\config\backup
2018-07-17 00:02 - 2018-07-17 00:02 - 000000000 ___HD C:\$SysReset
2018-07-16 23:54 - 2018-07-16 23:55 - 000000000 ____D C:\regbackup
2018-07-15 10:38 - 2018-07-15 10:38 - 387783930 _____ C:\Windows\MEMORY.DMP
2018-07-15 10:28 - 2018-07-15 10:28 - 013046896 _____ (McAfee, Inc.) C:\Users\Skylar\Downloads\McAfee_Installer_serial_bHYt-_jANqh8rnzf2ryiRQ2_key_affid_876_akey.exe
2018-07-15 10:10 - 2018-07-15 10:10 - 000000000 ____D C:\ProgramData\AdvancedPasswordManager
2018-07-15 10:07 - 2018-07-15 10:07 - 000003210 _____ C:\Windows\System32\Tasks\Advanced PasswordManager_Logon
2018-07-15 10:06 - 2018-07-15 10:06 - 000001136 _____ C:\Users\Public\Desktop\Advanced Password Manager.lnk
2018-07-15 10:06 - 2018-07-15 10:06 - 000000000 ____D C:\Users\Skylar\AppData\Roaming\AdvancedPasswordManager
2018-07-15 10:06 - 2018-07-15 10:06 - 000000000 ____D C:\Program Files (x86)\Advanced PasswordManager
2018-07-15 10:05 - 2018-07-15 10:06 - 006642232 _____ (AdvancedPasswordManager ) C:\Users\Skylar\Downloads\apmsetupsite.exe
2018-07-15 09:56 - 2018-07-15 09:56 - 000001522 _____ C:\Users\Skylar\Desktop\GoToAssist Customer.lnk
2018-07-15 09:53 - 2018-07-15 09:53 - 000000000 ____D C:\Users\Skylar\AppData\Local\GoToAssist Remote Support Customer
2018-07-15 09:53 - 2018-07-15 09:53 - 000000000 ____D C:\Users\Skylar\AppData\Local\GoTo Opener
2018-07-15 09:13 - 2018-07-15 09:13 - 000000000 ____D C:\Windows\UpdateAssistant
2018-06-29 11:00 - 2018-06-29 11:00 - 000000000 ____D C:\Windows\System32\Tasks\Apple
2018-06-29 11:00 - 2018-06-29 11:00 - 000000000 ____D C:\Program Files (x86)\Apple Software Update
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2018-07-18 09:04 - 2017-03-17 19:52 - 000312376 _____ C:\Windows\System32\FNTCACHE.DAT
2018-07-17 20:35 - 2017-09-27 14:54 - 000152054 _____ C:\DUMP184a.tmp
2018-07-17 20:34 - 2017-09-27 14:54 - 000150974 _____ C:\DUMP1944.tmp
2018-07-17 19:42 - 2017-09-27 14:54 - 000150974 _____ C:\DUMP18b8.tmp
2018-07-17 19:40 - 2017-09-27 14:54 - 000150974 _____ C:\DUMP18f6.tmp
2018-07-17 18:11 - 2017-09-27 14:54 - 000150974 _____ C:\DUMP1915.tmp
2018-07-17 17:57 - 2017-09-27 14:54 - 000157110 _____ C:\DUMP18e7.tmp
2018-07-17 17:53 - 2017-09-27 14:54 - 000149430 _____ C:\DUMP1879.tmp
2018-07-17 17:38 - 2017-09-27 14:54 - 000118598 _____ C:\DUMP24ae.tmp
2018-07-15 10:36 - 2017-12-08 18:06 - 000000000 ____D C:\users\Skylar
2018-07-15 10:36 - 2017-09-27 14:00 - 000000000 ____D C:\ProgramData\mcafee
2018-07-15 10:36 - 2017-09-27 14:00 - 000000000 ____D C:\Program Files\Common Files\mcafee
2018-07-15 10:35 - 2017-03-17 19:52 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-07-15 10:34 - 2017-09-27 14:01 - 000000000 ____D C:\Windows\System32\Tasks\McAfee
2018-07-15 10:34 - 2017-03-18 13:03 - 000000000 ___HD C:\Windows\ELAMBKUP
2018-07-15 10:34 - 2017-03-18 13:01 - 000000000 ____D C:\Windows\INF
2018-07-15 10:10 - 2017-12-26 15:50 - 000000000 ____D C:\Users\Skylar\AppData\Roaming\WTablet
2018-07-15 09:29 - 2017-03-17 19:52 - 000000000 ____D C:\Windows\System32\SleepStudy
2018-07-15 09:17 - 2017-03-18 13:03 - 000000000 ____D C:\Windows\rescache
2018-07-15 09:13 - 2017-03-18 13:03 - 000000000 ____D C:\Windows\AppReadiness
2018-07-15 09:09 - 2017-12-09 00:59 - 000000180 _____ C:\Windows\System32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2018-07-15 09:09 - 2017-12-08 18:09 - 000000000 __SHD C:\Users\Skylar\IntelGraphicsProfiles
2018-07-10 11:37 - 2017-03-18 13:03 - 000000000 ___HD C:\Program Files\WindowsApps
2018-07-08 21:27 - 2018-03-24 13:08 - 000000000 ____D C:\Windows10Upgrade
2018-06-29 10:56 - 2018-03-24 11:54 - 000000000 ____D C:\Windows\System32\Drivers\wd
2018-06-27 11:10 - 2018-03-24 12:28 - 000131288 _____ (Microsoft Corporation) C:\Windows\System32\osrss.dll
2018-06-26 13:57 - 2017-03-18 12:51 - 000000000 ____D C:\Windows\CbsTemp
2018-06-26 13:55 - 2017-12-08 18:19 - 000003378 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-580888338-3488302483-2474060531-1001
2018-06-26 13:55 - 2017-12-08 18:17 - 000002227 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-06-26 13:54 - 2017-12-08 18:15 - 000000000 ___RD C:\Users\Skylar\OneDrive
2018-06-18 20:07 - 2017-03-18 13:03 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-06-18 20:04 - 2017-06-07 09:03 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
Files to move or delete:
====================
C:\Users\Skylar\AppData\Local\Temp\McInstallTemp\Install.exe

Some files in TEMP:
====================
2018-07-15 10:30 - 2017-12-19 18:27 - 001013256 _____ (McAfee, Inc.) C:\Users\Skylar\AppData\Local\Temp\0147741531679441mcinst.exe
==================== Known DLLs (Whitelisted) =========================

==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe
[2018-01-23 13:29] - [2017-12-31 17:30] - 000706560 _____ (Microsoft Corporation) 1487F8F540F1518AD13AE179F67DB4E1
C:\Windows\System32\wininit.exe
[2017-12-10 08:34] - [2017-07-27 21:14] - 000318232 _____ (Microsoft Corporation) 0242626678C83AE788C655C1990A3CC3
C:\Windows\explorer.exe
[2017-12-10 08:35] - [2017-09-29 21:42] - 004848952 _____ (Microsoft Corporation) 01078D46C77CE0D7DC584A29062A799D
C:\Windows\SysWOW64\explorer.exe
[2017-12-10 08:38] - [2017-09-29 18:06] - 004471368 _____ (Microsoft Corporation) F28807FD9CE1F66E59CDC0EECEDED8C0
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2017-12-10 08:35] - [2017-07-27 21:09] - 000527976 _____ (Microsoft Corporation) C81F9707DEA008EED4071B5A39B7C76E
C:\Windows\System32\User32.dll
[2017-12-10 08:34] - [2017-11-01 21:13] - 001345600 _____ (Microsoft Corporation) B074ECE844C671332F89C7544DBFC74A
C:\Windows\SysWOW64\User32.dll
[2017-12-10 08:38] - [2017-11-01 21:04] - 001292360 _____ (Microsoft Corporation) BF2A7959C460D6B85A36410CACD6ACE3
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2017-12-10 08:34] - [2017-09-04 20:19] - 001085440 _____ (Microsoft Corporation) AA7F1C36F5BC779964CFA4F98D224D9F
C:\Windows\System32\dnsapi.dll
[2017-12-10 08:35] - [2017-09-29 21:51] - 000661224 _____ (Microsoft Corporation) 6AFA66A457759C1FEC29A52612A67043
C:\Windows\SysWOW64\dnsapi.dll
[2017-12-10 08:38] - [2017-09-29 18:10] - 000508344 _____ (Microsoft Corporation) 1F4909406532C2FFCBD3683A65F7198F
C:\Windows\System32\Drivers\volsnap.sys
[2017-03-18 12:57] - [2017-03-18 12:57] - 000397216 _____ (Microsoft Corporation) E3429DBBEA3965BB96E24B16EF4A2551

==================== Association (Whitelisted) =============
HKLM\...\.exe:  =>  <==== ATTENTION
HKLM\...\exefile\DefaultIcon:  <==== ATTENTION
HKLM\...\exefile\shell\open\command:  <==== ATTENTION
==================== Restore Points  =========================

==================== Memory info ===========================
Percentage of memory in use: 16%
Total physical RAM: 4001.62 MB
Available physical RAM: 3330.46 MB
Total Virtual: 4001.62 MB
Available Virtual: 3347.74 MB
==================== Drives ================================
Drive c: (Windows) (Fixed) (Total:27.89 GB) (Free:0.23 GB) NTFS
Drive d: () (Removable) (Total:14.58 GB) (Free:14.58 GB) FAT32
Drive e: (Windows RE tools) (Fixed) (Total:0.96 GB) (Free:0.61 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.5 GB) NTFS

==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 29.1 GB) (Disk ID: D7ACB614)
Partition: GPT.
========================================================
Disk: 1 (Protective MBR) (Size: 14.6 GB) (Disk ID: 00000000)
Partition: GPT.
LastRegBack: 2017-03-17 19:52
==================== End of FRST.txt ============================


#4 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,812 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 July 2018 - 10:12 AM

Hi, zap1974.

The registry is corrupted, and the size of the hard drive is less than 29 GB, so apparently some space has been lost. I don't believe the computer is salvaged, and perhaps a Recovery to factory settings may be the only way.

Enter the System Recovery as you did before.

  • Once in the Command Prompt, type in the following and press Enter:

    bcdedit | find "osdevice"

  • Note the osdevice partition letter, then type:

    CHKDSK X: /R

    where X is the osdevice letter, and press Enter.
  • The tool will start to run.

When it finishes, type exit and press Enter. Restart the computer.

 

Go back to the Recovery Environment and open FRST64 as you did before.

Type the following in the edit box on FRST, after "Search:".

SYSTEM;SECURITY;SAM;DEFAULT;SOFTWARE  (Note the file name is separated by a semicolon)

Click Search Files button and post the log (Search.txt) it makes on the USB drive in your next reply.




#5 zap1974
  • Topic Starter

  • Members
  • 48 posts

Posted 19 July 2018 - 11:36 AM

Hi, thanks for the reply. The chkdsk completed with no errors. The laptop is just a little HP Stream, so it only has a 32 gig drive, so 29 gig showing would be right. The drive is an eMMC flash drive they have installed.

Here is the log.  

 

 

Farbar Recovery Scan Tool (x64) Version: 15.07.2018
Ran by SYSTEM (19-07-2018 09:31:49)
Running from e:\
Boot Mode: Recovery
================== Search Files: "system;security;sam;default;software" =============
C:\DEFAULT
[2018-07-17 00:55][2018-07-16 22:48] 000786432 _____ () FF25D91EBC320CC0C72561469D7E0910
C:\SAM
[2018-07-17 00:55][2018-07-16 19:16] 000065536 _____ () 4029EFB5BFA13E6F284B9B0A32B38B23
C:\SECURITY
[2018-07-17 00:55][2018-07-16 22:48] 000065536 _____ () A1D9AA79783B03251223A18D2F8922AF
C:\SYSTEM
[2018-07-17 00:55][2018-07-16 22:48] 017563648 _____ () D10566F8082455FD2711D3E3FE63734D
C:\Windows\System32\DEFAULT
[2018-07-17 01:08][2017-03-17 19:52] 000008192 _____ () B5DBA68B99A9D6C412A7FAC614B888D8
C:\Windows\System32\SAM
[2018-07-17 01:08][2017-03-17 19:52] 000008192 _____ () DFC9ADDAB6AA5428FD8265E99BDAC4F9
C:\Windows\System32\SECURITY
[2018-07-17 01:08][2017-03-17 19:52] 000008192 _____ () 202D99B6CDFD083FB60648266BC9A284
C:\Windows\System32\SOFTWARE
[2018-07-17 01:08][2018-07-17 00:02] 000008192 _____ () 68169ADF1717C977B4FFBE5415093812
C:\Windows\System32\SYSTEM
[2018-07-17 01:08][2018-07-17 00:02] 000008192 _____ () F82F55239167A64FC5407C34B057EDB1
C:\Windows\System32\config\DEFAULT
[2018-07-17 17:39][2017-03-17 19:52] 000008192 _____ () 149C6CAEB37A1B69CA68C89972551278
C:\Windows\System32\config\SAM
[2018-07-17 17:39][2017-03-17 19:52] 000008192 _____ () 0524AB1AD9B5859729447914222A1835
C:\Windows\System32\config\SECURITY
[2018-07-17 17:39][2017-03-17 19:52] 000008192 _____ () 2F858A9CDDEC48FFA8BBF3B05BEF9D03
C:\Windows\System32\config\SOFTWARE
[2018-07-17 17:39][2018-07-18 15:32] 000008192 _____ () 4FABFB1DCC130823B9022BD18D09C8A9
C:\Windows\System32\config\SYSTEM
[2018-07-17 17:39][2017-03-17 19:52] 000008192 _____ () F92AC406133D3006EE041E633FAC296A
C:\Windows\System32\config\RegBack\DEFAULT
[2017-03-17 19:52][2017-03-17 19:52] 000000000 _____ () D41D8CD98F00B204E9800998ECF8427E
C:\Windows\System32\config\RegBack\SAM
[2017-03-17 19:52][2017-03-17 19:52] 000000000 _____ () D41D8CD98F00B204E9800998ECF8427E
C:\Windows\System32\config\RegBack\SECURITY
[2017-03-17 19:52][2017-03-17 19:52] 000000000 _____ () D41D8CD98F00B204E9800998ECF8427E
C:\Windows\System32\config\RegBack\SOFTWARE
[2017-03-17 19:52][2017-03-17 19:52] 000000000 _____ () D41D8CD98F00B204E9800998ECF8427E
C:\Windows\System32\config\RegBack\SYSTEM
[2017-03-17 19:52][2017-03-17 19:52] 000000000 _____ () D41D8CD98F00B204E9800998ECF8427E
C:\Windows\System32\config\backup1\DEFAULT
[2018-07-17 01:01][2017-03-17 19:52] 000008192 _____ () B5DBA68B99A9D6C412A7FAC614B888D8
C:\Windows\System32\config\backup1\SAM
[2018-07-17 01:01][2017-03-17 19:52] 000008192 _____ () DFC9ADDAB6AA5428FD8265E99BDAC4F9
C:\Windows\System32\config\backup1\SECURITY
[2018-07-17 01:01][2017-03-17 19:52] 000008192 _____ () 202D99B6CDFD083FB60648266BC9A284
C:\Windows\System32\config\backup1\SOFTWARE
[2018-07-17 01:01][2018-07-17 00:02] 000008192 _____ () 68169ADF1717C977B4FFBE5415093812
C:\Windows\System32\config\backup1\SYSTEM
[2018-07-17 01:01][2018-07-17 00:02] 000008192 _____ () F82F55239167A64FC5407C34B057EDB1
C:\Windows\System32\config\backup\DEFAULT
[2018-07-17 00:14][2017-03-17 19:52] 000008192 _____ () B5DBA68B99A9D6C412A7FAC614B888D8
C:\Windows\System32\config\backup\SAM
[2018-07-17 00:14][2017-03-17 19:52] 000008192 _____ () DFC9ADDAB6AA5428FD8265E99BDAC4F9
C:\Windows\System32\config\backup\SECURITY
[2018-07-17 00:14][2017-03-17 19:52] 000008192 _____ () 202D99B6CDFD083FB60648266BC9A284
C:\Windows\System32\config\backup\SOFTWARE
[2018-07-17 00:14][2018-07-17 00:02] 000008192 _____ () 68169ADF1717C977B4FFBE5415093812
C:\Windows\System32\config\backup\SYSTEM
[2018-07-17 00:14][2018-07-17 00:02] 000008192 _____ () F82F55239167A64FC5407C34B057EDB1
C:\regbackup\DEFAULT
[2018-07-16 23:55][2018-07-16 22:48] 000786432 _____ () FF25D91EBC320CC0C72561469D7E0910
C:\regbackup\SAM
[2018-07-16 23:55][2018-07-16 19:16] 000065536 _____ () 4029EFB5BFA13E6F284B9B0A32B38B23
C:\regbackup\SECURITY
[2018-07-16 23:55][2018-07-16 22:48] 000065536 _____ () A1D9AA79783B03251223A18D2F8922AF
C:\regbackup\SOFTWARE
[2018-07-16 23:55][2018-07-16 22:48] 104857600 _____ () D41D8CD98F00B204E9800998ECF8427E
C:\regbackup\SYSTEM
[2018-07-16 23:55][2018-07-16 22:48] 017563648 _____ () D10566F8082455FD2711D3E3FE63734D
C:\FRST\Hives\DEFAULT
[2018-07-18 20:46][2017-03-17 19:52] 000008192 _____ () 149C6CAEB37A1B69CA68C89972551278
C:\FRST\Hives\SAM
[2018-07-18 20:46][2017-03-17 19:52] 000008192 _____ () 0524AB1AD9B5859729447914222A1835
C:\FRST\Hives\SECURITY
[2018-07-18 20:46][2017-03-17 19:52] 000008192 _____ () 2F858A9CDDEC48FFA8BBF3B05BEF9D03
C:\FRST\Hives\SOFTWARE
[2018-07-18 20:46][2018-07-18 15:32] 000008192 _____ () 4FABFB1DCC130823B9022BD18D09C8A9
C:\FRST\Hives\SYSTEM
[2018-07-18 20:46][2017-03-17 19:52] 000008192 _____ () F92AC406133D3006EE041E633FAC296A
X:\Windows\System32\config\DEFAULT
[2017-03-18 03:40][2017-03-18 13:45] 000032768 _____ () 8549B5B41E1D9EC249CD69F5AB3F8B85
X:\Windows\System32\config\SAM
[2017-03-18 03:40][2017-03-18 13:39] 000008192 _____ () B894D45D32DE230F89760BDA93E6FF1F
X:\Windows\System32\config\SECURITY
[2017-03-18 03:40][2017-03-18 13:39] 000008192 _____ () 330964FEC6A845BF3F3484F4EE1C02B2
X:\Windows\System32\config\SOFTWARE
[2017-03-18 03:40][2017-09-27 14:33] 010223616 _____ () 13DC9C37F5C325787EE991C79D74B34C
X:\Windows\System32\config\SYSTEM
[2017-03-18 03:40][2017-09-27 14:33] 006029312 _____ () 147B69B4F798E42EE96A3027DE3B2A72

====== End of Search ======
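
Added example, my own Python rather than FRST's code or anything from the posts: it parses Search.txt entries like those above, flags the zero-byte RegBack copies and the 8 KiB stubs in System32\config as unusable, picks the newest full-size copy of a hive, and sanity-checks a hive file's regf base block (signature, sequence numbers, hive-bins size, XOR-32 header checksum). The sample entries are constructed by copying four lines from the log above; the header used as test input is synthetic, and all function names are my own.

```python
# Added example: triage hive copies from an FRST Search.txt and sanity-check regf base blocks.
import hashlib
import re
import struct
from dataclasses import dataclass

EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # hash of zero-byte content (the RegBack hives above)
REGF_HEADER_SIZE = 4096  # size of the regf base block of an NT registry hive

# Constructed sample: four entries copied from the Search.txt posted in the thread.
SEARCH_TXT = """\
C:\\SYSTEM
[2018-07-17 00:55][2018-07-16 22:48] 017563648 _____ () D10566F8082455FD2711D3E3FE63734D
C:\\Windows\\System32\\config\\SYSTEM
[2018-07-17 17:39][2017-03-17 19:52] 000008192 _____ () F92AC406133D3006EE041E633FAC296A
C:\\Windows\\System32\\config\\RegBack\\SYSTEM
[2017-03-17 19:52][2017-03-17 19:52] 000000000 _____ () D41D8CD98F00B204E9800998ECF8427E
C:\\regbackup\\SOFTWARE
[2018-07-16 23:55][2018-07-16 22:48] 104857600 _____ () D41D8CD98F00B204E9800998ECF8427E
"""

# FRST detail line under each path: [created][modified] size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[[^\]]+\]\[(?P<modified>[^\]]+)\] (?P<size>\d+) "
    r"\S+ \([^)]*\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class HiveEntry:
    path: str
    modified: str
    size: int
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].upper()

    def status(self) -> str:
        """Size/hash plausibility: could this copy possibly be a usable hive?"""
        if self.size == 0:
            return "empty"
        if self.md5.upper() == EMPTY_MD5:
            return "suspect"  # non-zero size but the hash of empty content: verify by hand
        if self.size <= 2 * REGF_HEADER_SIZE:
            return "stub"  # base block plus at most one hive bin: no real SYSTEM hive fits
        return "candidate"


def parse_search_txt(text: str) -> list[HiveEntry]:
    """Pair each path line with the bracketed detail line that follows it."""
    lines, entries = [ln.rstrip() for ln in text.splitlines()], []
    for i in range(len(lines) - 1):
        m = DETAIL_RE.match(lines[i + 1])
        if m and not lines[i].startswith("["):
            entries.append(HiveEntry(lines[i], m["modified"], int(m["size"]), m["md5"]))
    return entries


def best_candidates(entries: list[HiveEntry], hive_name: str) -> list[HiveEntry]:
    """Usable copies of one hive (SYSTEM, SOFTWARE, ...), newest modification first."""
    usable = [e for e in entries if e.name == hive_name.upper() and e.status() == "candidate"]
    return sorted(usable, key=lambda e: e.modified, reverse=True)


def _xor_checksum(header: bytes) -> int:
    """XOR-32 over the first 508 bytes of the base block, as Windows computes it."""
    total = 0
    for (word,) in struct.iter_unpack("<I", header[:0x1FC]):
        total ^= word
    return 1 if total == 0 else (0xFFFFFFFE if total == 0xFFFFFFFF else total)


def hive_header_status(data: bytes) -> str:
    """Sanity-check the regf base block of a hive file (its first 4096 bytes)."""
    if len(data) < REGF_HEADER_SIZE:
        return "too short"
    if data[:4] != b"regf":
        return "no regf signature"
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    if seq1 != seq2:
        return "dirty (sequence numbers differ; a transaction log was not applied)"
    hbins_size = struct.unpack_from("<I", data, 0x28)[0]
    if hbins_size == 0 or hbins_size % 4096:
        return "bad hive bins size"
    if _xor_checksum(data) != struct.unpack_from("<I", data, 0x1FC)[0]:
        return "header checksum mismatch"
    return "ok"


def make_header(seq1: int = 5, seq2: int = 5, hbins_size: int = 4096) -> bytes:
    """Constructed minimal regf base block with a valid checksum (test input only)."""
    hdr = bytearray(REGF_HEADER_SIZE)
    hdr[:4] = b"regf"
    struct.pack_into("<II", hdr, 4, seq1, seq2)
    struct.pack_into("<II", hdr, 0x24, 0x20, hbins_size)  # root cell offset, hive bins size
    struct.pack_into("<I", hdr, 0x1FC, _xor_checksum(bytes(hdr)))
    return bytes(hdr)
```

Run against the full Search.txt, the only SYSTEM copies that pass the size check are C:\SYSTEM and C:\regbackup\SYSTEM, which is the pair the later fixlist falls back on; the header check is what you would then run on such a copy before swapping it into System32\config.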


#6 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,812 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 July 2018 - 12:26 PM

Download the enclosed file. Save it on the flash drive, next to FRST64. Boot to the Recovery Environment. Open FRST64 and click on the Fix button. The tool will generate a log, Fixlog.txt, on the flash drive. Please post it in your reply.

 

Attempt to boot in Normal Mode.




#7 zap1974
  • Topic Starter

  • Members
  • 48 posts

Posted 19 July 2018 - 12:46 PM

Attempted to boot normally. Same error message:

 

 

File \Windows\system32\config\system 

Error code: 0X0000225

Here is the error log:

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15.07.2018
Ran by SYSTEM (19-07-2018 10:42:11) Run:1
Running from e:\
Boot Mode: Recovery
==============================================
fixlist content:
*****************
Replace: C:\regbackup\DEFAULT C:\Windows\System32\config\DEFAULT
Replace: C:\regbackup\SAM C:\Windows\System32\config\SAM
Replace: C:\regbackup\SECURITY C:\Windows\System32\config\SECURITY
Replace: C:\regbackup\SOFTWARE C:\Windows\System32\config\SOFTWARE
Replace: C:\regbackup\SYSTEM C:\Windows\System32\config\SYSTEM
*****************
C:\Windows\System32\config\DEFAULT => moved successfully
C:\regbackup\DEFAULT copied successfully to C:\Windows\System32\config\DEFAULT
C:\Windows\System32\config\SAM => moved successfully
C:\regbackup\SAM copied successfully to C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY => moved successfully
C:\regbackup\SECURITY copied successfully to C:\Windows\System32\config\SECURITY
"C:\Windows\System32\config\SOFTWARE" => Could not move.
"C:\Windows\System32\config\SYSTEM" => Could not move.
==== End of Fixlog 10:42:11 ====


#8 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,812 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 July 2018 - 02:08 PM

Download the enclosed file. Save it on the flash drive, next to FRST64. Boot to the Recovery Environment. Open FRST64 and click on the Fix button. The tool will generate a log, Fixlog.txt, on the flash drive. Please post it in your reply.

 

Attempt to boot in Normal Mode.




#9 zap1974
  • Topic Starter

  • Members
  • 48 posts

Posted 19 July 2018 - 02:33 PM

Same error message when booting. Here is the log. 

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15.07.2018
Ran by SYSTEM (19-07-2018 12:29:26) Run:2
Running from e:\
Boot Mode: Recovery
==============================================
fixlist content:
*****************
Unlock: C:\Windows\System32\config\SOFTWARE
Unlock: C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SYSTEM
Replace: C:\regbackup\SOFTWARE C:\Windows\System32\config\SOFTWARE
Replace: C:\regbackup\SYSTEM C:\Windows\System32\config\SYSTEM
HKLM\...\.exe:  =>  <==== ATTENTION
HKLM\...\exefile\DefaultIcon:  <==== ATTENTION
HKLM\...\exefile\shell\open\command:  <==== ATTENTION
C:\Users\Skylar\AppData\Local\Temp\McInstallTemp\Install.exe
2018-07-15 10:30 - 2017-12-19 18:27 - 001013256 _____ (McAfee, Inc.) C:\Users\Skylar\AppData\Local\Temp\0147741531679441mcinst.exe
CMD: Type C:\Windows\System32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2018-07-17 20:35 - 2017-09-27 14:54 - 000152054 _____ C:\DUMP184a.tmp
2018-07-17 20:34 - 2017-09-27 14:54 - 000150974 _____ C:\DUMP1944.tmp
2018-07-17 19:42 - 2017-09-27 14:54 - 000150974 _____ C:\DUMP18b8.tmp
2018-07-17 19:40 - 2017-09-27 14:54 - 000150974 _____ C:\DUMP18f6.tmp
2018-07-17 18:11 - 2017-09-27 14:54 - 000150974 _____ C:\DUMP1915.tmp
2018-07-17 17:57 - 2017-09-27 14:54 - 000157110 _____ C:\DUMP18e7.tmp
2018-07-17 17:53 - 2017-09-27 14:54 - 000149430 _____ C:\DUMP1879.tmp
2018-07-17 17:38 - 2017-09-27 14:54 - 000118598 _____ C:\DUMP24ae.tmp
2018-07-18 18:05 - 2018-07-18 18:05 - 000000512 _____ C:\lsfc.isk20180719020543956.isk
2018-07-18 18:05 - 2018-07-18 18:05 - 000000435 _____ C:\lsmc.isk20180719020543925.isk
2018-07-18 15:57 - 2018-07-18 15:57 - 000000000 _____ C:\BCD20180718235722047.isk.bcd
2018-07-18 15:55 - 2018-07-18 15:55 - 000000512 _____ C:\lsfc.isk20180718235549766.isk
2018-07-18 02:52 - 2018-07-18 18:05 - 000000512 _____ C:\lsfc.isk
2018-07-18 02:52 - 2018-07-18 18:05 - 000000435 _____ C:\lsmc.isk
2018-07-18 02:52 - 2018-07-18 02:52 - 000000512 _____ C:\lsfc.isk20180718105231863.isk
2018-07-18 02:52 - 2018-07-18 02:52 - 000000512 _____ C:\lsfc.isk20180718105205131.isk
2018-07-18 02:52 - 2018-07-18 02:52 - 000000435 _____ C:\lsmc.isk20180718105231832.isk
2018-07-18 02:52 - 2018-07-18 02:52 - 000000435 _____ C:\lsmc.isk20180718105200324.isk
2018-07-18 02:51 - 2018-07-18 02:51 - 000008192 _____ C:\lsnc.isk20180718105117090.isk
2018-07-18 02:51 - 2018-07-18 02:51 - 000008192 _____ C:\lsnc.isk
2018-07-18 02:50 - 2018-07-18 02:50 - 000000000 _____ C:\BCD20180718105006070.isk.bcd
2018-07-17 00:55 - 2018-07-16 22:48 - 017563648 _____ C:\SYSTEM
2018-07-17 00:55 - 2018-07-16 22:48 - 000786432 _____ C:\DEFAULT
2018-07-17 00:55 - 2018-07-16 22:48 - 000065536 _____ C:\SECURITY
2018-07-17 00:55 - 2018-07-16 19:16 - 000065536 _____ C:\SAM
2018-07-17 00:55 - 2018-07-15 10:36 - 001310720 _____ C:\BBI
2018-07-17 00:55 - 2018-07-15 10:34 - 000032768 _____ C:\ELAM
2018-07-17 00:55 - 2017-09-27 14:32 - 000028672 _____ C:\BCD-Template
2018-07-17 00:55 - 2017-03-18 13:01 - 000004096 _____ C:\VSMIDK
2018-07-17 01:08 - 2017-03-17 19:52 - 000008192 _____ C:\Windows\System32\SECURITY
2018-07-17 01:08 - 2017-03-17 19:52 - 000008192 _____ C:\Windows\System32\SAM
2018-07-17 01:08 - 2017-03-17 19:52 - 000008192 _____ C:\Windows\System32\DEFAULT
2018-07-17 01:08 - 2018-07-17 00:02 - 000008192 _____ C:\Windows\System32\SYSTEM
2018-07-17 01:08 - 2018-07-17 00:02 - 000008192 _____ C:\Windows\System32\SOFTWARE
 
 
 
 
 
 

*****************
"C:\Windows\System32\config\SOFTWARE" => was unlocked
"C:\Windows\System32\config\SYSTEM" => was unlocked
Could not move "C:\Windows\System32\config\SOFTWARE" => Scheduled to move on reboot.
Could not move "C:\Windows\System32\config\SYSTEM" => Scheduled to move on reboot.
"C:\Windows\System32\config\SOFTWARE" => Could not move.
"C:\Windows\System32\config\SYSTEM" => Could not move.
HKLM\Software\Classes\.exe\\Default => value restored successfully
HKLM\Software\Classes\exefile\DefaultIcon\\Default => value restored successfully
HKLM\Software\Classes\exefile\shell\open\command\\Default => value restored successfully
C:\Users\Skylar\AppData\Local\Temp\McInstallTemp\Install.exe => moved successfully
C:\Users\Skylar\AppData\Local\Temp\0147741531679441mcinst.exe => moved successfully
========= Type C:\Windows\System32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat =========
@echo off
if exist igfxEM.exe start igfxEM.exe
if exist igfxHK.exe start igfxHK.exe
if exist igfxTray.exe start igfxTray.exe
del /Q {A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
========= End of CMD: =========
C:\DUMP184a.tmp => moved successfully
C:\DUMP1944.tmp => moved successfully
C:\DUMP18b8.tmp => moved successfully
C:\DUMP18f6.tmp => moved successfully
C:\DUMP1915.tmp => moved successfully
C:\DUMP18e7.tmp => moved successfully
C:\DUMP1879.tmp => moved successfully
C:\DUMP24ae.tmp => moved successfully
C:\lsfc.isk20180719020543956.isk => moved successfully
C:\lsmc.isk20180719020543925.isk => moved successfully
C:\BCD20180718235722047.isk.bcd => moved successfully
C:\lsfc.isk20180718235549766.isk => moved successfully
C:\lsfc.isk => moved successfully
C:\lsmc.isk => moved successfully
C:\lsfc.isk20180718105231863.isk => moved successfully
C:\lsfc.isk20180718105205131.isk => moved successfully
C:\lsmc.isk20180718105231832.isk => moved successfully
C:\lsmc.isk20180718105200324.isk => moved successfully
C:\lsnc.isk20180718105117090.isk => moved successfully
C:\lsnc.isk => moved successfully
C:\BCD20180718105006070.isk.bcd => moved successfully
C:\SYSTEM => moved successfully
C:\DEFAULT => moved successfully
C:\SECURITY => moved successfully
C:\SAM => moved successfully
C:\BBI => moved successfully
C:\ELAM => moved successfully
C:\BCD-Template => moved successfully
C:\VSMIDK => moved successfully
C:\Windows\System32\SECURITY => moved successfully
C:\Windows\System32\SAM => moved successfully
C:\Windows\System32\DEFAULT => moved successfully
C:\Windows\System32\SYSTEM => moved successfully
C:\Windows\System32\SOFTWARE => moved successfully
==== End of Fixlog 12:29:29 ====


#10 JSntgRvr (Malware Response Team)

Posted 19 July 2018 - 02:52 PM

For some reason the System and Software hives are refusing to be replaced.

Download the enclosed file. Save it in the flashdrive, next to FRST64. Boot to the Recovery Environment. Open FRST64 and click on the Fix button. The tool will generate a log, Fixlog.txt, in the flashdrive. Please post it in your reply.

Attempt to boot in Normal Mode.


Edited by JSntgRvr, 19 July 2018 - 02:54 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 zap1974 (Topic Starter)

Posted 19 July 2018 - 03:21 PM

Hi, that seemed to work, so now it boots up to the syskey lock screen, so SAM must still be infected.

Here is the log.

Fix result of Farbar Recovery Scan Tool (x64) Version: 15.07.2018
Ran by SYSTEM (19-07-2018 13:17:19) Run:3
Running from e:\
Boot Mode: Recovery
==============================================
fixlist content:
*****************
Replace: C:\regbackup\SOFTWARE C:\FRST\Hives\SOFTWARE
Replace: C:\regbackup\SYSTEM C:\FRST\Hives\SYSTEM
Restore From Backup: SOFTWARE
Restore From Backup: SYSTEM
*****************
C:\FRST\Hives\SOFTWARE => moved successfully
C:\regbackup\SOFTWARE copied successfully to C:\FRST\Hives\SOFTWARE
C:\FRST\Hives\SYSTEM => moved successfully
C:\regbackup\SYSTEM copied successfully to C:\FRST\Hives\SYSTEM
"SOFTWARE" =>  renamed (SOFTWARE.old)
"SOFTWARE" => restored successfully
"SYSTEM" =>  renamed (SYSTEM.old)
"SYSTEM" => restored successfully
==== End of Fixlog 13:17:22 ====


#12 JSntgRvr (Malware Response Team)

Posted 19 July 2018 - 03:26 PM

Scan with FRST in the Recovery Environment and post the FRST.txt log.




#13 zap1974 (Topic Starter)

Posted 19 July 2018 - 03:46 PM

Here is the log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15.07.2018
Ran by SYSTEM on MININT-6623CJK (19-07-2018 13:44:28)
Running from e:\
Platform: Windows 10 Home Version 1703 15063.850 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8899592 2016-08-22] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3349720 2017-04-23] (ELAN Microelectronics Corp.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [298296 2018-01-22] (Apple Inc.)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe [1062392 2017-03-15] (HP Inc.)
HKLM-x32\...\Run: [HPRadioMgr] => C:\Program Files (x86)\HP\HP Wireless Button Driver\HPRadioMgr64.exe [324488 2016-08-02] (HP)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\GoToAssist Remote Support Customer\1599\g2ax_winlogonx64.dll [X]
HKU\Skylar\...\RunOnce: [MISPInst] => "C:\Users\Skylar\AppData\Local\Temp\McInstallTemp\Install.exe" /serial:bHYt-_jANqh8rnzf2ryiRQ2 /Resume /Restart <==== ATTENTION
==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2018-04-27] (Apple Inc.)
S2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [8654504 2018-06-12] (Microsoft Corporation)
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-12-08] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-12-08] (Dropbox, Inc.)
S2 esifsvc; C:\Windows\SysWOW64\esif_uf.exe [1419424 2017-01-10] (Intel Corporation)
S2 ETDService; C:\Program Files\Elantech\ETDService.exe [144600 2017-04-23] (ELAN Microelectronics Corp.)
S2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [350064 2016-11-22] (WildTangent)
S2 HP Comm Recover; C:\Program Files\HPCommRecovery\HPCommRecovery.exe [1309184 2016-10-07] (HP Inc.)
S2 HPJumpStartBridge; C:\Program Files (x86)\HP\HP JumpStart Bridge\HPJumpStartBridge.exe [471040 2017-07-28] (HP Inc.)
S3 hpqcaslwmiex; C:\Program Files (x86)\HP\Shared\hpqwmiex.exe [1031704 2016-06-03] (HP)
S2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [31776 2016-12-07] (HP Inc.)
S2 HPWMISVC; c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe [630776 2017-02-06] (HP Inc.)
S2 ibtsiva; C:\Windows\system32\ibtsiva.exe [542320 2017-12-06] (Intel Corporation)
S2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [356352 2017-04-12] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\TXE Components\TCS\SocketHeciServer.exe [887784 2015-09-03] (Intel® Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\TXE Components\DAL\jhi_service.exe [174368 2015-04-21] (Intel Corporation)
S2 osrss; C:\Windows\system32\osrss.dll [131288 2018-06-27] (Microsoft Corporation)
S2 PSI_SVC_2_x64; C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [337776 2014-04-30] (arvato digital services llc)
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [314624 2016-08-22] (Realtek Semiconductor)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\NisSrv.exe [3925648 2018-06-29] (Microsoft Corporation)
S2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\MsMpEng.exe [100080 2018-06-29] (Microsoft Corporation)
S2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [1764296 2017-12-13] (Wacom Technology, Corp.)
S2 0147741531679441mcinstcleanup; C:\Users\Skylar\AppData\Local\Temp\014774~1.EXE -cleanup -nolog [X] <==== ATTENTION
S2 GoToAssist Remote Support Customer; "C:\Program Files (x86)\GoToAssist Remote Support Customer\1599\g2ax_service.exe" "Start=service" [X]
S3 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe" [X]
S2 mfemms; "C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe" [X]
S3 mfevtp; "C:\windows\system32\mfevtps.exe" [X]
===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 AX88772; C:\Windows\System32\drivers\ax88772.sys [111616 2017-03-18] (ASIX Electronics Corp.)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 dptf_acpi; C:\Windows\System32\drivers\dptf_acpi.sys [55792 2017-01-10] (Intel Corporation)
S3 dptf_cpu; C:\Windows\System32\drivers\dptf_cpu.sys [52208 2017-01-10] (Intel Corporation)
S3 esif_lf; C:\Windows\system32\DRIVERS\esif_lf.sys [260080 2017-01-10] (Intel Corporation)
S3 ETDSMBus; C:\Windows\System32\drivers\ETDSMBus.sys [32848 2017-04-23] (ELAN Microelectronic Corp.)
S3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [136128 2017-12-06] (Intel Corporation)
S3 igfxLP; C:\Windows\system32\DRIVERS\igdkmd64lp.sys [7407064 2017-04-12] (Intel Corporation)
S3 mfeavfk01; no ImagePath
S3 Netwtw04; C:\Windows\System32\drivers\Netwtw04.sys [8623128 2018-04-04] (Intel Corporation)
S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [329184 2017-04-23] (Realtek Semiconductor Corp.)
S3 SDFRd; C:\Windows\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [146200 2015-10-14] (Intel Corporation)
S3 WacHidRouterPro; C:\Windows\System32\drivers\wachidrouter.sys [115192 2017-11-21] (Wacom Technology, Corp.)
S0 WdBoot; C:\Windows\System32\drivers\wd\WdBoot.sys [46592 2018-06-29] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\wd\WdFilter.sys [340008 2018-06-29] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [59944 2018-06-29] (Microsoft Corporation)
S3 WirelessButtonDriver64; C:\Windows\system32\DRIVERS\WirelessButtonDriver64.sys [30368 2017-06-21] (HP)
S0 cfwids; system32\drivers\cfwids.sys [X]
S0 mfeaack; system32\drivers\mfeaack.sys [X]
S0 mfeavfk; system32\drivers\mfeavfk.sys [X]
S0 mfeelamk; system32\drivers\mfeelamk.sys [X]
S0 mfefirek; system32\drivers\mfefirek.sys [X]
S0 mfehidk; system32\drivers\mfehidk.sys [X]
S0 mfeplk; system32\drivers\mfeplk.sys [X]
S0 mfewfpk; system32\drivers\mfewfpk.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2018-07-18 20:46 - 2018-07-19 13:17 - 000000000 ____D C:\FRST
2018-07-18 02:49 - 2018-07-18 02:49 - 000065536 _____ C:\Windows\System32\config\sam.lbk
2018-07-17 23:37 - 2018-07-17 23:37 - 000000000 ____D C:\efi
2018-07-17 23:23 - 2018-07-19 13:43 - 000000000 _____ C:\Recovery.txt
2018-07-17 17:39 - 2018-07-19 12:42 - 104857600 _____ C:\Windows\System32\config\SOFTWARE
2018-07-17 17:39 - 2018-07-19 12:42 - 017563648 _____ C:\Windows\System32\config\SYSTEM
2018-07-17 17:39 - 2018-07-19 12:42 - 000786432 _____ C:\Windows\System32\config\DEFAULT
2018-07-17 17:39 - 2018-07-19 12:42 - 000065536 _____ C:\Windows\System32\config\SECURITY
2018-07-17 17:39 - 2018-07-19 12:29 - 000008192 _____ C:\Windows\System32\config\SOFTWARE.old
2018-07-17 17:39 - 2018-07-18 09:42 - 000028672 _____ C:\Windows\System32\config\BCD-Template
2018-07-17 17:39 - 2018-07-16 19:16 - 000065536 _____ C:\Windows\System32\config\SAM
2018-07-17 17:39 - 2018-07-15 10:36 - 001310720 _____ C:\Windows\System32\config\BBI
2018-07-17 17:39 - 2018-07-15 10:34 - 000032768 _____ C:\Windows\System32\config\ELAM
2018-07-17 17:39 - 2017-03-18 13:01 - 000004096 _____ C:\Windows\System32\config\VSMIDK
2018-07-17 17:39 - 2017-03-17 19:52 - 000008192 _____ C:\Windows\System32\config\SYSTEM.old
2018-07-17 16:42 - 2018-07-17 16:42 - 000028672 _____ C:\bcd_backup
2018-07-17 16:37 - 2018-07-17 16:37 - 000028672 _____ C:\bcdbackup
2018-07-17 01:11 - 2018-07-17 01:11 - 000000000 ____D C:\Windows\System32\config\backup3
2018-07-17 01:08 - 2018-07-15 10:36 - 001310720 _____ C:\Windows\System32\BBI
2018-07-17 01:08 - 2018-07-15 10:34 - 000032768 _____ C:\Windows\System32\ELAM
2018-07-17 01:08 - 2017-09-27 14:32 - 000028672 _____ C:\Windows\System32\BCD-Template
2018-07-17 01:08 - 2017-03-18 13:01 - 000004096 _____ C:\Windows\System32\VSMIDK
2018-07-17 01:00 - 2018-07-17 01:01 - 000000000 ____D C:\Windows\System32\config\backup1
2018-07-17 00:13 - 2018-07-17 00:14 - 000000000 ____D C:\Windows\System32\config\backup
2018-07-17 00:02 - 2018-07-17 00:02 - 000000000 ___HD C:\$SysReset
2018-07-16 23:54 - 2018-07-16 23:55 - 000000000 ____D C:\regbackup
2018-07-15 10:38 - 2018-07-15 10:38 - 387783930 _____ C:\Windows\MEMORY.DMP
2018-07-15 10:28 - 2018-07-15 10:28 - 013046896 _____ (McAfee, Inc.) C:\Users\Skylar\Downloads\McAfee_Installer_serial_bHYt-_jANqh8rnzf2ryiRQ2_key_affid_876_akey.exe
2018-07-15 10:10 - 2018-07-15 10:10 - 000000000 ____D C:\ProgramData\AdvancedPasswordManager
2018-07-15 10:07 - 2018-07-15 10:07 - 000003210 _____ C:\Windows\System32\Tasks\Advanced PasswordManager_Logon
2018-07-15 10:06 - 2018-07-15 10:06 - 000001136 _____ C:\Users\Public\Desktop\Advanced Password Manager.lnk
2018-07-15 10:06 - 2018-07-15 10:06 - 000000000 ____D C:\Users\Skylar\AppData\Roaming\AdvancedPasswordManager
2018-07-15 10:06 - 2018-07-15 10:06 - 000000000 ____D C:\Program Files (x86)\Advanced PasswordManager
2018-07-15 10:05 - 2018-07-15 10:06 - 006642232 _____ (AdvancedPasswordManager ) C:\Users\Skylar\Downloads\apmsetupsite.exe
2018-07-15 09:56 - 2018-07-15 09:56 - 000001522 _____ C:\Users\Skylar\Desktop\GoToAssist Customer.lnk
2018-07-15 09:53 - 2018-07-15 09:53 - 000000000 ____D C:\Users\Skylar\AppData\Local\GoToAssist Remote Support Customer
2018-07-15 09:53 - 2018-07-15 09:53 - 000000000 ____D C:\Users\Skylar\AppData\Local\GoTo Opener
2018-07-15 09:13 - 2018-07-15 09:13 - 000000000 ____D C:\Windows\UpdateAssistant
2018-06-29 11:00 - 2018-06-29 11:00 - 000000000 ____D C:\Windows\System32\Tasks\Apple
2018-06-29 11:00 - 2018-06-29 11:00 - 000000000 ____D C:\Program Files (x86)\Apple Software Update
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2018-07-19 12:42 - 2017-03-17 19:52 - 000312376 _____ C:\Windows\System32\FNTCACHE.DAT
2018-07-15 10:36 - 2017-12-08 18:06 - 000000000 ____D C:\users\Skylar
2018-07-15 10:36 - 2017-09-27 14:00 - 000000000 ____D C:\ProgramData\mcafee
2018-07-15 10:36 - 2017-09-27 14:00 - 000000000 ____D C:\Program Files\Common Files\mcafee
2018-07-15 10:35 - 2017-03-17 19:52 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-07-15 10:34 - 2017-09-27 14:01 - 000000000 ____D C:\Windows\System32\Tasks\McAfee
2018-07-15 10:34 - 2017-03-18 13:03 - 000000000 ___HD C:\Windows\ELAMBKUP
2018-07-15 10:34 - 2017-03-18 13:01 - 000000000 ____D C:\Windows\INF
2018-07-15 10:10 - 2017-12-26 15:50 - 000000000 ____D C:\Users\Skylar\AppData\Roaming\WTablet
2018-07-15 09:29 - 2017-03-17 19:52 - 000000000 ____D C:\Windows\System32\SleepStudy
2018-07-15 09:17 - 2017-03-18 13:03 - 000000000 ____D C:\Windows\rescache
2018-07-15 09:13 - 2017-03-18 13:03 - 000000000 ____D C:\Windows\AppReadiness
2018-07-15 09:09 - 2017-12-09 00:59 - 000000180 _____ C:\Windows\System32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2018-07-15 09:09 - 2017-12-08 18:09 - 000000000 __SHD C:\Users\Skylar\IntelGraphicsProfiles
2018-07-10 11:37 - 2017-03-18 13:03 - 000000000 ___HD C:\Program Files\WindowsApps
2018-07-08 21:27 - 2018-03-24 13:08 - 000000000 ____D C:\Windows10Upgrade
2018-06-29 10:56 - 2018-03-24 11:54 - 000000000 ____D C:\Windows\System32\Drivers\wd
2018-06-27 11:10 - 2018-03-24 12:28 - 000131288 _____ (Microsoft Corporation) C:\Windows\System32\osrss.dll
2018-06-26 13:57 - 2017-03-18 12:51 - 000000000 ____D C:\Windows\CbsTemp
2018-06-26 13:55 - 2017-12-08 18:19 - 000003378 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-580888338-3488302483-2474060531-1001
2018-06-26 13:55 - 2017-12-08 18:17 - 000002227 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-06-26 13:54 - 2017-12-08 18:15 - 000000000 ___RD C:\Users\Skylar\OneDrive
==================== Known DLLs (Whitelisted) =========================

==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe
[2018-01-23 13:29] - [2017-12-31 17:30] - 000706560 _____ (Microsoft Corporation) 1487F8F540F1518AD13AE179F67DB4E1
C:\Windows\System32\wininit.exe
[2017-12-10 08:34] - [2017-07-27 21:14] - 000318232 _____ (Microsoft Corporation) 0242626678C83AE788C655C1990A3CC3
C:\Windows\explorer.exe
[2017-12-10 08:35] - [2017-09-29 21:42] - 004848952 _____ (Microsoft Corporation) 01078D46C77CE0D7DC584A29062A799D
C:\Windows\SysWOW64\explorer.exe
[2017-12-10 08:38] - [2017-09-29 18:06] - 004471368 _____ (Microsoft Corporation) F28807FD9CE1F66E59CDC0EECEDED8C0
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2017-12-10 08:35] - [2017-07-27 21:09] - 000527976 _____ (Microsoft Corporation) C81F9707DEA008EED4071B5A39B7C76E
C:\Windows\System32\User32.dll
[2017-12-10 08:34] - [2017-11-01 21:13] - 001345600 _____ (Microsoft Corporation) B074ECE844C671332F89C7544DBFC74A
C:\Windows\SysWOW64\User32.dll
[2017-12-10 08:38] - [2017-11-01 21:04] - 001292360 _____ (Microsoft Corporation) BF2A7959C460D6B85A36410CACD6ACE3
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2017-12-10 08:34] - [2017-09-04 20:19] - 001085440 _____ (Microsoft Corporation) AA7F1C36F5BC779964CFA4F98D224D9F
C:\Windows\System32\dnsapi.dll
[2017-12-10 08:35] - [2017-09-29 21:51] - 000661224 _____ (Microsoft Corporation) 6AFA66A457759C1FEC29A52612A67043
C:\Windows\SysWOW64\dnsapi.dll
[2017-12-10 08:38] - [2017-09-29 18:10] - 000508344 _____ (Microsoft Corporation) 1F4909406532C2FFCBD3683A65F7198F
C:\Windows\System32\Drivers\volsnap.sys
[2017-03-18 12:57] - [2017-03-18 12:57] - 000397216 _____ (Microsoft Corporation) E3429DBBEA3965BB96E24B16EF4A2551

==================== Association (Whitelisted) =============

==================== Restore Points  =========================

==================== Memory info ===========================
Percentage of memory in use: 20%
Total physical RAM: 4001.58 MB
Available physical RAM: 3184.02 MB
Total Virtual: 4001.58 MB
Available Virtual: 3218.49 MB
==================== Drives ================================
Drive c: (Windows) (Fixed) (Total:27.89 GB) (Free:0.06 GB) NTFS
Drive d: (Windows RE tools) (Fixed) (Total:0.96 GB) (Free:0.61 GB) NTFS
Drive e: () (Removable) (Total:14.58 GB) (Free:14.58 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.5 GB) NTFS

==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 29.1 GB) (Disk ID: D7ACB614)
Partition: GPT.
========================================================
Disk: 1 (Protective MBR) (Size: 14.6 GB) (Disk ID: 00000000)
Partition: GPT.
LastRegBack: 2017-03-17 19:52
==== End of FRST.txt ============================

#14 JSntgRvr (Malware Response Team)

Posted 19 July 2018 - 04:20 PM

Let's check the registry.

Download the enclosed file (Fixlist.txt). Save it in the flashdrive, next to FRST64. Boot to the Recovery Environment. Open FRST64 and click on the Fix button. The tool will generate a log, Fixlog.txt, in the flashdrive. Please post it in your reply.

 

 




#15 zap1974 (Topic Starter)

Posted 19 July 2018 - 06:03 PM

Here is the log. I tried to boot again and the Startup Password popped up.

Fix result of Farbar Recovery Scan Tool (x64) Version: 15.07.2018
Ran by SYSTEM (19-07-2018 16:01:26) Run:4
Running from e:\
Boot Mode: Recovery
==============================================
fixlist content:
*****************
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\GoToAssist Remote Support Customer\1599\g2ax_winlogonx64.dll [X]
S2 0147741531679441mcinstcleanup; C:\Users\Skylar\AppData\Local\Temp\014774~1.EXE -cleanup -nolog [X] <==== ATTENTION
S2 GoToAssist Remote Support Customer; "C:\Program Files (x86)\GoToAssist Remote Support Customer\1599\g2ax_service.exe" "Start=service" [X]
S3 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe" [X]
S2 mfemms; "C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe" [X]
S3 mfevtp; "C:\windows\system32\mfevtps.exe" [X]
S0 cfwids; system32\drivers\cfwids.sys [X]
S0 mfeaack; system32\drivers\mfeaack.sys [X]
S0 mfeavfk; system32\drivers\mfeavfk.sys [X]
S0 mfeelamk; system32\drivers\mfeelamk.sys [X]
S0 mfefirek; system32\drivers\mfefirek.sys [X]
S0 mfehidk; system32\drivers\mfehidk.sys [X]
S0 mfeplk; system32\drivers\mfeplk.sys [X]
S0 mfewfpk; system32\drivers\mfewfpk.sys [X]
HKU\Skylar\...\RunOnce: [MISPInst] => "C:\Users\Skylar\AppData\Local\Temp\McInstallTemp\Install.exe" /serial:bHYt-_jANqh8rnzf2ryiRQ2 /Resume /Restart <==== ATTENTION
S2 0147741531679441mcinstcleanup; C:\Users\Skylar\AppData\Local\Temp\014774~1.EXE -cleanup -nolog [X] <==== ATTENTION
HKU\Skylar\...\RunOnce: [MISPInst] => "C:\Users\Skylar\AppData\Local\Temp\McInstallTemp\Install.exe" /serial:bHYt-_jANqh8rnzf2ryiRQ2 /Resume /Restart <==== ATTENTION
S2 0147741531679441mcinstcleanup; C:\Users\Skylar\AppData\Local\Temp\014774~1.EXE -cleanup -nolog [X] <==== ATTENTION
HKU\Skylar\...\RunOnce: [MISPInst] => "C:\Users\Skylar\AppData\Local\Temp\McInstallTemp\Install.exe" /serial:bHYt-_jANqh8rnzf2ryiRQ2 /Resume /Restart <==== ATTENTION
S2 0147741531679441mcinstcleanup; C:\Users\Skylar\AppData\Local\Temp\014774~1.EXE -cleanup -nolog [X] <==== ATTENTION
Reg: Reg query HKLM\SAM\SAM\Domains\Account
Reg: Reg query HKLM\System\ControlSet001\Control\Lsa
*****************
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer" => removed successfully
"HKLM\System\ControlSet001\Services\0147741531679441mcinstcleanup" => removed successfully
0147741531679441mcinstcleanup => service removed successfully
"HKLM\System\ControlSet001\Services\GoToAssist Remote Support Customer" => removed successfully
GoToAssist Remote Support Customer => service removed successfully
"HKLM\System\ControlSet001\Services\mfefire" => removed successfully
mfefire => service removed successfully
"HKLM\System\ControlSet001\Services\mfemms" => removed successfully
mfemms => service removed successfully
"HKLM\System\ControlSet001\Services\mfevtp" => removed successfully
mfevtp => service removed successfully
"HKLM\System\ControlSet001\Services\cfwids" => removed successfully
cfwids => service removed successfully
"HKLM\System\ControlSet001\Services\mfeaack" => removed successfully
mfeaack => service removed successfully
"HKLM\System\ControlSet001\Services\mfeavfk" => removed successfully
mfeavfk => service removed successfully
"HKLM\System\ControlSet001\Services\mfeelamk" => removed successfully
mfeelamk => service removed successfully
"HKLM\System\ControlSet001\Services\mfefirek" => removed successfully
mfefirek => service removed successfully
"HKLM\System\ControlSet001\Services\mfehidk" => removed successfully
mfehidk => service removed successfully
"HKLM\System\ControlSet001\Services\mfeplk" => removed successfully
mfeplk => service removed successfully
"HKLM\System\ControlSet001\Services\mfewfpk" => removed successfully
mfewfpk => service removed successfully
"HKU\Skylar\Software\Microsoft\Windows\CurrentVersion\RunOnce\\MISPInst" => removed successfully
0147741531679441mcinstcleanup => service not found.
"HKU\Skylar\Software\Microsoft\Windows\CurrentVersion\RunOnce\\MISPInst" => not found
0147741531679441mcinstcleanup => service not found.
"HKU\Skylar\Software\Microsoft\Windows\CurrentVersion\RunOnce\\MISPInst" => not found
0147741531679441mcinstcleanup => service not found.
========= Reg query HKLM\SAM\SAM\Domains\Account =========

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account
    V    REG_BINARY    0000000030010000030001003001000018000000000000004801000000000000000000004801000000000000000000000100148010010000200100001400000044000000020030000200000002C014007A04050101010000000000010000000002C01400FF070F000101000000000005070000000200CC0007000000000014008503020001010000000000010000000000001800850302000102000000000005200000002102000000001800DF070F000102000000000005200000002002000000001800850302000102000000000005200000002302000000001800D5030200010200000000000520000000240200000000380085030200010A00000000000F0300000000040000DEA22867213ED2AF19AD5D79B0C107292756FC20D8AD66F610F268FADF2AF80F01001800500000000102000000000005200000002302000001020000000000052000000020020000010200000000000520000000200200000104000000000005150000008E1B3289E76E620924CBDD64
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Aliases
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Groups
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users

========= End of Reg: =========

========= Reg query HKLM\System\ControlSet001\Control\Lsa =========

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa
    auditbasedirectories    REG_DWORD    0x0
    auditbaseobjects    REG_DWORD    0x0
    Bounds    REG_BINARY    0030000000200000
    crashonauditfail    REG_DWORD    0x0
    fullprivilegeauditing    REG_BINARY    00
    LimitBlankPasswordUse    REG_DWORD    0x1
    NoLmHash    REG_DWORD    0x1
    Security Packages    REG_MULTI_SZ    ""
    Notification Packages    REG_MULTI_SZ    scecli
    Authentication Packages    REG_MULTI_SZ    msv1_0
    LsaPid    REG_DWORD    0x2cc
    SecureBoot    REG_DWORD    0x2
    ProductType    REG_DWORD    0x3
    disabledomaincreds    REG_DWORD    0x0
    everyoneincludesanonymous    REG_DWORD    0x0
    forceguest    REG_DWORD    0x0
    restrictanonymous    REG_DWORD    0x0
    restrictanonymoussam    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\AccessProviders
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\Audit
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\CentralizedAccessPolicies
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\Credssp
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\Data
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\GBG
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\JD
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\Kerberos
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\MSV1_0
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\OfflineLSA
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\OfflineSAM
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\OSConfig
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\Skew1
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\SSO
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\SspiCache

========= End of Reg: =========

==== End of Fixlog 16:01:30 ====