help removing RootKit.0access.h

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by fluidmedia, Feb 28, 2012.

  1. fluidmedia

    fluidmedia Private E-2

    I have the RootKit.0access.h.

    I first noticed the computer was being redirected from Google, so I searched the internet and ran all kinds of scans, including the ones in your read and run first thread. I'm posting all logs I have run, starting with the ones you requested first.

    ComboFix just hangs when run on the system.

    RootRepeal gives an error on start and an error on scan:
    18:40:06: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000f4)
    18:40:06: DeviceIoControl Error! Error Code = 0x1e7
    18:40:06: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000f4)

    MGTOOLS errors
    NSlookup.exe ordinal not found
    the ordinal 1108 could not be found in the dynamic link library wsock32.dll

    just in time debugging
    AN EXCEPTION 'SYSTEM.COMPONENTMODEL.WIN32EXCEPTION HAS OCCURED IN PROCESSDLL.EXE HOWEVER NO DEBUGGERS ARE REGISTERED THAT CAN DEBUG THIS EXCEPTION. UNABLE TO jit DEBUG.

    JIT Debugging
    JIT Debugging failed with the following error unspecified error
    please check the documentation topic 'just-in-time debugging errors' for more information

    i will await assistance
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Please do the below so that we can boot to System Recovery Options to run a scan.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)


    Now rerun TDSSkiller and look to see if the below two items show. If they do show, Delete them this time.
    Code:
    12:46:30.0972 5908 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    12:46:30.0972 5908 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip 
    Attach a new log from TDSSkiller.
     
  3. fluidmedia

    fluidmedia Private E-2

    Here are the two logs.

    I only saw one instance of TDSS File System; I selected delete.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. fluidmedia

    fluidmedia Private E-2

    sorry for saying thanks earlier but thanks :)

    I ran both programs as requested and I'm attaching both logs.

    When running the MGtools program I get the same errors as before:

    NSlookup.exe ordinal not found
    the ordinal 1108 could not be found in the dynamic link library wsock32.dll

    just in time debugging
    AN EXCEPTION 'SYSTEM.COMPONENTMODEL.WIN32EXCEPTION HAS OCCURED IN PROCESSDLL.EXE HOWEVER NO DEBUGGERS ARE REGISTERED THAT CAN DEBUG THIS EXCEPTION. UNABLE TO jit DEBUG.

    JIT Debugging
    JIT Debugging failed with the following error unspecified error
    please check the documentation topic 'just-in-time debugging errors' for more information

    Google is still redirecting.

    Awaiting further instructions.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    TIP: Your PC is running low on memory due to all the garbage you have installed and allow to run. You really should get rid of some of the junk toolbars and browser helper objects. Also you should disable many of the items you are allowing to run at startup.

    Okay! Now that we have removed some items with FRST, please rerun TDSSkiller and attach a new log.

    Also, are your redirects happening with only Chrome or do they also happen with Internet Explorer? If you don't know, then check. Also make sure Chrome is not running when you test Internet Explorer.



    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
     
  7. fluidmedia

    fluidmedia Private E-2

    Here are the most current logs.

    Do you have any suggestions to help the startup of the system? I'm currently cleaning out the system.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ask me about this later once we think the system is free of malware. You still have an embedded ZeroAccess infection as shown by TDSSkiller continuing to find more problems.

    Uninstall the below and don't use junk like this:
    Uniblue SpeedUpMyPC

    I see Norton Internet Security in your programs list but I do not see it running. Is it still installed?

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} (Java Plug-in 1.6.0_17) -

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now download The Avenger by Swandog46, and save it to your Desktop.


    See the download links under this icon [​IMG]
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Users\mike\AppData\Local\Temp\

    Now empty your Recycle Bin.

    Now run the C:\MGtools\FixWFW.bat file by right clicking on it and select Run As Administrator.

    Now run the C:\MGtools\GetLogs.bat file by right clicking on it and select Run As Administrator.


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. fluidmedia

    fluidmedia Private E-2

    No, Norton was removed from the system a while ago.
    Success message received.

    Received:
    NSlookup.exe ordinal not found
    the ordinal 1108 could not be found in the dynamic link library wsock32.dll

    Google isn't redirecting anymore.

    Ran TDSSkiller again and it still detects virus win32.ZAccess.c service CSC.

    I'm including that log also.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
    Also press the Windows Logo key and at the same time hold down the 'e' key to bring up Windows Explorer. Navigate to the C:\MGtools folder and right click on the FixW7FW.bat file and select Run As Administrator.


    Now run the C:\MGtools\GetLogs.bat file by right clicking on it and select Run As Administrator.

    Then attach the below logs:
    C:\MGlogs.zip
     
  11. fluidmedia

    fluidmedia Private E-2

    There was no file named FixW7FW.bat, so I ran FixWFW.bat.

    all requested logs attached

    and again thanks for the assistance i really appreciate your help.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. That is what I meant. It did not work properly anyway.


    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\oracle_load_balancer_60_server-forms6ip9.dll -- (vpcvmm)
    SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\thotkey.dll -- (snoopfreesvc)
    SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\System32\FreshIO.dll -- (SE2Cbus)
    IE - HKU\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
    IE - HKU\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
    IE - HKU\S-1-5-21-642899384-951903016-1752780833-1000\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-642899384-951903016-1752780833-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" File not found
    O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
    NetSvcs: vpcvmm - C:\Windows\System32\oracle_load_balancer_60_server-forms6ip9.dll (Oak Technology Inc.)
    NetSvcs: oracle_load_balancer_60_server-forms6ip9 -  File not found
    NetSvcs: oraclesnmppeerencapsulator -  File not found
    NetSvcs: cpqarray - C:\Windows\System32\cpqarray.dll (Oak Technology Inc.)
    NetSvcs: snoopfreesvc - C:\Windows\System32\thotkey.dll (Oak Technology Inc.)
    NetSvcs: SE2Cbus - C:\Windows\System32\FreshIO.dll (Oak Technology Inc.)
    NetSvcs: helpsvc - C:\Windows\System32\helpsvc.dll (Oak Technology Inc.)
    [2012/03/01 19:21:23 | 000,082,433 | ---- | C] (Microsoft Corporation) -- C:\ProgramData\6WQMw28m.exe
    [2012/03/01 19:24:01 | 000,000,001 | ---- | M] () -- C:\ProgramData\6WQMw28m.exe_.b
    [2012/03/01 19:24:01 | 000,000,001 | ---- | M] () -- C:\ProgramData\6WQMw28m.exe.b
    [2012/02/29 17:43:08 | 114,207,312 | ---- | M] () -- C:\Users\mike\Desktop\showthread (2).avi
    [2012/02/24 17:22:57 | 000,082,433 | ---- | M] (Microsoft Corporation) -- C:\ProgramData\application data\6WQMw28m.exe
    @Alternate Data Stream - 101 bytes -> C:\ProgramData\Temp:010ADD2C
    :Files
    C:\ProgramData\6WQMw28m.exe
    C:\ProgramData\6WQMw28m.exe_.b
    C:\ProgramData\6WQMw28m.exe.b
    C:\Users\mike\Desktop\showthread (2).avi
    C:\ProgramData\application data\6WQMw28m.exe
    C:\Windows\System32\helpsvc.dll
    C:\Windows\System32\FreshIO.dll
    C:\Windows\System32\thotkey.dll
    C:\Windows\System32\cpqarray.dll
    C:\Windows\System32\oracle_load_balancer_60_server-forms6ip9.dll
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE]
    "DisplayName"="@%SystemRoot%\\system32\\bfe.dll,-1001"
    "Group"="NetworkProvider"
    "ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
      00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
      6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
      00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
    "Description"="@%SystemRoot%\\system32\\bfe.dll,-1002"
    "ObjectName"="NT AUTHORITY\\LocalService"
    "ErrorControl"=dword:00000001
    "Start"=dword:00000002
    "Type"=dword:00000020
    "DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
    "ServiceSidType"=dword:00000003
    "RequiredPrivileges"=hex(7):53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,\
      00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,\
      70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,\
      00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
    "FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
      00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the [​IMG] button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
     
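
The three `SRV` entries in the script above carry the same timestamp, size and company string under three different file names. As an added example (not from the original thread and not part of OTL), this Python sketch groups OTL `SRV` lines by that metadata and reports any group spanning several files; the grouping heuristic and the names `parse_srv` and `clone_clusters` are assumptions, and the contrast lines are constructed.

```python
import re
from collections import defaultdict

# SRV lines copied from the OTL script in the post above.
PAGE_LINES = [
    r"SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\oracle_load_balancer_60_server-forms6ip9.dll -- (vpcvmm)",
    r"SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\thotkey.dll -- (snoopfreesvc)",
    r"SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\System32\FreshIO.dll -- (SE2Cbus)",
]

# Constructed contrast lines (not from the thread): two unrelated services
# and one entry without file metadata, which the parser has to skip.
CONSTRUCTED_LINES = [
    r"SRV - [2010/11/20 07:19:02 | 000,705,024 | ---- | M] (Constructed Vendor A) [Auto | Running] -- C:\Program Files\ExampleA\svc_a.dll -- (ExampleSvcA)",
    r"SRV - [2011/03/02 11:45:10 | 000,129,536 | ---- | M] (Constructed Vendor B) [On_Demand | Stopped] -- C:\Program Files\ExampleB\svc_b.exe -- (ExampleSvcB)",
    r"SRV - File not found [Auto | Stopped] -- -- (ExampleMissingSvc)",
]

SRV_RE = re.compile(
    r"^SRV - \[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>\S+) \| (?P<flag>\w)\] \((?P<company>.*?)\) "
    r"\[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -- (?P<path>.+) -- "
    r"\((?P<service>[^()]+)\)$"
)


def parse_srv(line):
    """Parse one OTL SRV line; return None for lines without file metadata."""
    m = SRV_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))
    return rec


def clone_clusters(lines, min_files=2):
    """Group service binaries by (timestamp, size, company).

    Returns the groups that cover at least `min_files` distinct paths:
    different file names with byte-identical size, identical timestamp and
    identical vendor string deserve a closer look (hash, signature check).
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_srv(line)
        if rec:
            groups[(rec["ts"], rec["size"], rec["company"])].append(rec)
    clusters = []
    for key, recs in groups.items():
        files = sorted({r["path"].lower() for r in recs})
        if len(files) >= min_files:
            clusters.append({
                "key": key,
                "files": files,
                "services": sorted(r["service"] for r in recs),
            })
    return clusters


if __name__ == "__main__":
    for c in clone_clusters(PAGE_LINES + CONSTRUCTED_LINES):
        ts, size, company = c["key"]
        print("%d files share %s / %d bytes / %s" % (len(c["files"]), ts, size, company))
        for path in c["files"]:
            print("   ", path)
```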
  13. fluidmedia

    fluidmedia Private E-2

    i still receive the error

    NSlookup.exe ordinal not found
    the ordinal 1108 could not be found in the dynamic link library wsock32.dll

    when running GetLogs.bat.
    Logs attached.
     


  14. fluidmedia

    fluidmedia Private E-2

    hello just wondering if we were done or am i still infected
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry, been very busy with real work.

    Your logs looked fine. Are you having any more malware problems?

    I see some issues in services that are not running. The below, to be specific:
    Code:
    =====================================================================================
       NetBios over Tcpip -NetBT-               is NOT running  
            C:\Windows\System32\drivers\netbt.sys exists  
    =====================================================================================  
    Checking Base Filtering Engine Service State and Dependencies 
       Base Filtering Service               is NOT running  
            C:\Windows\system32\bfe.dll exists  
    =====================================================================================  
    Checking Windows Firewall Service -MpsSvc- State 
    .
       Windows Firewall Service is NOT running  
            C:\Windows\system32\FirewallAPI.dll exists  
    =====================================================================================  
    Checking Windows Firewall Authorization Driver Service -mpsdrv- State 
    .
       Windows Firewall Authorization Driver Service is NOT running  
            C:\Windows\system32drivers\mpsdrv.sys exists  
    =====================================================================================  
     
  16. fluidmedia

    fluidmedia Private E-2

    i ran tdsskiller and it reported that i was infected with

    virus.win32,Zaccess.c
    service: cdrom so im including the logs from that and others that i ran
     


  17. fluidmedia

    fluidmedia Private E-2

    other logs

    I also noticed a file on my cltLMSx.dll in c:/cltLMSx.dll that has a last modified date of 12/1/2089. What is that?
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It states that the file is from Symantec but Symantec would not be putting files here. Nor would they set the year to 2089. We will remove it, but first I need to rerun FRST to get a new log as I see other troubling items from the ZeroAccess infection.

    Plug the flash drive into the infected PC.


    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  19. fluidmedia

    fluidmedia Private E-2

    here is the FRST log

    all i can no longer use the cd drive or access any networked drives or printers
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This may be due to the fact that the infection had corrupted the drivers for these and they may have been deleted.

    Please download this BFE.reg and save it to your Desktop. Just download it. Do nothing else with it until requested.



    Now download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Now right click on resetperm.cmd and select Run As Administrator to run this script. Be patient as this may take a while to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator privileges.
    Once it finishes, reboot your PC.



    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    SRV - File not found [Auto | Stopped] -- -- (oraclexeclragent)
    SRV - File not found [Auto | Stopped] -- -- (oracle_load_balancer_60_server-forms6ip9)
    SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\oracle_load_balancer_60_server-forms6ip9.dll -- (vpcvmm)
    SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\thotkey.dll -- (snoopfreesvc)
    SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\System32\FreshIO.dll -- (SE2Cbus)
    NetSvcs: vpcvmm - C:\Windows\System32\oracle_load_balancer_60_server-forms6ip9.dll (Oak Technology Inc.)
    NetSvcs: oracle_load_balancer_60_server-forms6ip9 - File not found
    NetSvcs: oraclesnmppeerencapsulator - File not found
    NetSvcs: oraclexeclragent - File not found
    NetSvcs: cpqarray - C:\Windows\System32\cpqarray.dll (Oak Technology Inc.)
    NetSvcs: snoopfreesvc - C:\Windows\System32\thotkey.dll (Oak Technology Inc.)
    NetSvcs: SE2Cbus - C:\Windows\System32\FreshIO.dll (Oak Technology Inc.)
    NetSvcs: helpsvc - C:\Windows\System32\helpsvc.dll (Oak Technology Inc.)
    :Files
    C:\ProgramData\6WQMw28m.exe
    C:\ProgramData\6WQMw28m.exe_.b
    C:\ProgramData\6WQMw28m.exe.b
    C:\cltLMSx.dll
    C:\ProgramData\application data\6WQMw28m.exe
    C:\Windows\$NtUninstallKB61448$
    C:\Windows\assembly\tmp\N9XXA0QW
    C:\Windows\assembly\tmp\NCGNI0CR
    C:\Windows\assembly\tmp\NDT1S4IH
    C:\Windows\assembly\tmp\NE58OKS0
    C:\Windows\assembly\tmp\NGZSMY94
    C:\Windows\assembly\tmp\NKIDUIJG
    C:\Windows\assembly\tmp\NUGOOKL2
    C:\Windows\assembly\tmp\NZXL7XX1
    C:\Windows\assembly\tmp\O2UUQJMG
    C:\Windows\assembly\tmp\O50PRXOW
    C:\Windows\assembly\tmp\O9QCOHU1
    C:\Windows\assembly\tmp\OBWBCPKM
    C:\Windows\assembly\tmp\OGHLM7IB
    C:\Windows\assembly\tmp\OHHUHVGQ
    C:\Windows\assembly\tmp\OLZSOL41
    C:\Windows\assembly\tmp\OO0IWTYP
    C:\Windows\assembly\tmp\ORMFLGRG
    C:\Windows\assembly\tmp\ORXXOJYU
    C:\Windows\assembly\tmp\OU8J31TL
    C:\Windows\assembly\tmp\P0F394CW
    C:\Windows\assembly\tmp\P9AKKIZ6
    C:\Windows\assembly\tmp\PC4ZUKHR
    C:\Windows\assembly\tmp\PCMZ0PJQ
    C:\Windows\assembly\tmp\PE3124BF
    C:\Windows\assembly\tmp\PFA2L5PA
    C:\Windows\assembly\tmp\PFWA90S2
    C:\Windows\assembly\tmp\POIZ5RIZ
    C:\Windows\assembly\tmp\PTABAE0O
    C:\Windows\assembly\tmp\PXNS1H1B
    C:\Windows\assembly\tmp\Q6UP0976
    C:\Windows\assembly\tmp\QBXGTLWU
    C:\Windows\assembly\tmp\QC0HG8MO
    C:\Windows\assembly\tmp\QDNDTDMC
    C:\Windows\assembly\tmp\QDWSK7MO
    C:\Windows\assembly\tmp\QEQS4N6W
    C:\Windows\assembly\tmp\QI7GJPJ3
    C:\Windows\assembly\tmp\QJQY8ROJ
    C:\Windows\assembly\tmp\QLM51LCS
    C:\Windows\assembly\tmp\QN1M0ELH
    C:\Windows\assembly\tmp\QOYJRD3U
    C:\Windows\assembly\tmp\QRUTN00A
    C:\Windows\assembly\tmp\QW8MH4CV
    C:\Windows\assembly\tmp\R0GU1M13
    C:\Windows\assembly\tmp\R6WNW29S
    C:\Windows\assembly\tmp\R761QSNN
    C:\Windows\assembly\tmp\R97MOP8E
    C:\Windows\assembly\tmp\RCE6TTXJ
    C:\Windows\assembly\tmp\RDEP0G26
    C:\Windows\assembly\tmp\RLWRM0HI
    C:\Windows\assembly\tmp\RXO94NBI
    C:\Windows\assembly\tmp\S0NUQ2I5
    C:\Windows\assembly\tmp\S3TW9MNO
    C:\Windows\assembly\tmp\S5ED6VK4
    C:\Windows\assembly\tmp\S6Z7R3NV
    C:\Windows\assembly\tmp\SAVL2DUQ
    C:\Windows\assembly\tmp\SKHUHNQR
    C:\Windows\assembly\tmp\SL1KL7CD
    C:\Windows\assembly\tmp\SMF9LT3R
    C:\Windows\assembly\tmp\SUL2RPAN
    C:\Windows\assembly\tmp\SV0GRL4P
    C:\Windows\assembly\tmp\T4LT873H
    C:\Windows\assembly\tmp\T947D4QB
    C:\Windows\assembly\tmp\T9RFMTIV
    C:\Windows\assembly\tmp\TFWMX88M
    C:\Windows\assembly\tmp\THGDMFTG
    C:\Windows\assembly\tmp\THKBVXX3
    C:\Windows\assembly\tmp\TXGE76TE
    C:\Windows\assembly\tmp\TY1NHGFL
    C:\Windows\assembly\tmp\U0FPRZWV
    C:\Windows\assembly\tmp\U2RM7JTE
    C:\Windows\assembly\tmp\U2ZS0Y6N
    C:\Windows\assembly\tmp\U3X4C8UG
    C:\Windows\assembly\tmp\U6W8DN38
    C:\Windows\assembly\tmp\U88XRJOJ
    C:\Windows\assembly\tmp\U96GP46F
    C:\Windows\assembly\tmp\UCFPCLYI
    C:\Windows\assembly\tmp\UDHB50WX
    C:\Windows\assembly\tmp\UJPGTH58
    C:\Windows\assembly\tmp\UOU33CSS
    C:\Windows\assembly\tmp\US2LRMVB
    C:\Windows\assembly\tmp\UTRSLWDB
    C:\Windows\assembly\tmp\UUVUIGM7
    C:\Windows\assembly\tmp\UVVLGY2F
    C:\Windows\assembly\tmp\UXGDNZJC
    C:\Windows\assembly\tmp\UYIQG4HX
    C:\Windows\assembly\tmp\V39ME8EI
    C:\Windows\assembly\tmp\V8N748GN
    C:\Windows\assembly\tmp\VE455LYG
    C:\Windows\assembly\tmp\VGASLXXL
    C:\Windows\assembly\tmp\VLG2TJKK
    C:\Windows\assembly\tmp\VO8JYE2P
    C:\Windows\assembly\tmp\VXWW97W4
    C:\Windows\assembly\tmp\VYKDH9K1
    C:\Windows\assembly\tmp\VYN3UP4K
    C:\Windows\assembly\tmp\W4TAQWRJ
    C:\Windows\assembly\tmp\W4UW58T8
    C:\Windows\assembly\tmp\W5VPFR0Z
    C:\Windows\assembly\tmp\WBAP6O58
    C:\Windows\assembly\tmp\WEDM3H0D
    C:\Windows\assembly\tmp\WKCKAEYI
    C:\Windows\assembly\tmp\X2NWXLGV
    C:\Windows\assembly\tmp\X73NI1HU
    C:\Windows\assembly\tmp\X94XHDIX
    C:\Windows\assembly\tmp\XFS6R663
    C:\Windows\assembly\tmp\XISG04LM
    C:\Windows\assembly\tmp\XMSI0LKA
    C:\Windows\assembly\tmp\XOLHKTKI
    C:\Windows\assembly\tmp\XRJ28KFH
    C:\Windows\assembly\tmp\XSA93W7G
    C:\Windows\assembly\tmp\XVOIWMJT
    C:\Windows\assembly\tmp\XXFLB8M7
    C:\Windows\assembly\tmp\XZDX3K6I
    C:\Windows\assembly\tmp\Y0UE1M0R
    C:\Windows\assembly\tmp\Y7PP13OK
    C:\Windows\assembly\tmp\YAA5ODXB
    C:\Windows\assembly\tmp\YCUP47A5
    C:\Windows\assembly\tmp\YEF3RAL7
    C:\Windows\assembly\tmp\YFAVETKU
    C:\Windows\assembly\tmp\YGFPGCWL
    C:\Windows\assembly\tmp\YHGSHI6U
    C:\Windows\assembly\tmp\YMOMI8KW
    C:\Windows\assembly\tmp\YMTACSGD
    C:\Windows\assembly\tmp\YPIWBYPK
    C:\Windows\assembly\tmp\YT07872H
    C:\Windows\assembly\tmp\YZOIQOR7
    C:\Windows\assembly\tmp\Z86S9NE5
    C:\Windows\assembly\tmp\ZAPTRJEB
    C:\Windows\assembly\tmp\ZCO16BQG
    C:\Windows\assembly\tmp\ZGBSB85R
    C:\Windows\assembly\tmp\ZI1YOGPU
    C:\Windows\assembly\tmp\ZJWB6JXL
    C:\Windows\assembly\tmp\ZO233RU0
    C:\Windows\assembly\tmp\ZP7XMUDT
    C:\Windows\assembly\tmp\ZUCGJZK2
    C:\Windows\assembly\tmp\ZURFJZB6
    C:\Windows\assembly\tmp\ZVWRX5UH
    C:\Windows\assembly\tmp\ZXA2CREM
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the [​IMG] button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • When the Windows Registry Editor opens, click File and then Import.
    • Navigate to the BFE.reg file you saved to your Desktop earlier and double click it to import it. Allow it to be added to the registry. Tell me if you get a success message or an error message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Note: if using Vista or Win7, don't double click; right click it and select Run As Administrator.)

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
