MajorGeeks Support Forums > Malware Removal
#61  08-31-12, 12:24
jlachey (Private First Class; joined May 2005; 94 posts)
Re: Help with removing malware

I think it worked this time.
Attached Files: MGlogs.zip (299.5 KB)
#62  09-01-12, 21:27
chaslang (MajorGeeks Admin - Master Malware Expert; Northern New Jersey USA; joined Feb 2004; 77,519 posts)
Re: Help with removing malware

Well, now the Network Connections service shows that it is no longer running again, as are many other services. As stated earlier, I do not think all of this is due to malware damage. There are way too many things in the wrong state to have been from the malware that you had. This is not at all typical. Also, it seems you don't have any restore points we could attempt to use to fix this. Let's try the below using ComboFix, but we will first need to download a new copy to your Desktop. Also, we will need to do this in a few stages since there are so many broken services.

Download this combofix.exe and save it to your Desktop. Do not run it yet; just save it.


Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
ClearJavaCache::
KILLALL::
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Workstation"
"Group"="NetworkProvider"
"ObjectName"="LocalSystem"
"Description"="Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Linkage]
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,4e,77,6c,6e,6b,4e,62,00,5c,44,65,76,69,\
63,65,5c,4e,65,74,62,69,6f,73,53,6d,62,00,5c,44,65,76,69,63,65,5c,4e,65,74,\
42,54,5f,54,63,70,69,70,5f,7b,39,46,43,44,45,39,35,36,2d,32,33,32,43,2d,34,\
39,37,41,2d,42,34,42,44,2d,30,43,39,37,36,46,45,31,32,30,30,32,7d,00,5c,44,\
65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,45,41,32,31,39,33,\
35,30,2d,42,32,35,46,2d,34,33,30,34,2d,42,30,41,37,2d,43,41,36,43,31,35,44,\
32,35,43,33,46,7d,00,5c,44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,\
70,5f,7b,43,38,46,42,38,36,33,31,2d,31,34,45,42,2d,34,42,44,30,2d,39,45,42,\
41,2d,37,34,36,36,34,46,45,33,41,46,31,45,7d,00,00
"Route"=hex(7):22,4e,77,6c,6e,6b,4e,62,22,00,22,4e,65,74,62,69,6f,73,53,6d,62,\
22,00,22,4e,65,74,42,54,22,20,22,54,63,70,69,70,22,20,22,7b,39,46,43,44,45,\
39,35,36,2d,32,33,32,43,2d,34,39,37,41,2d,42,34,42,44,2d,30,43,39,37,36,46,\
45,31,32,30,30,32,7d,22,00,22,4e,65,74,42,54,22,20,22,54,63,70,69,70,22,20,\
22,4e,64,69,73,57,61,6e,49,70,22,00,00
"Export"=hex(7):5c,44,65,76,69,63,65,5c,4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,\
74,69,6f,6e,5f,4e,77,6c,6e,6b,4e,62,00,5c,44,65,76,69,63,65,5c,4c,61,6e,6d,\
61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,5f,4e,65,74,62,69,6f,73,53,6d,62,00,\
5c,44,65,76,69,63,65,5c,4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,\
5f,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,39,46,43,44,45,39,35,36,2d,32,33,\
32,43,2d,34,39,37,41,2d,42,34,42,44,2d,30,43,39,37,36,46,45,31,32,30,30,32,\
7d,00,5c,44,65,76,69,63,65,5c,4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,\
6f,6e,5f,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,45,41,32,31,39,33,35,30,2d,\
42,32,35,46,2d,34,33,30,34,2d,42,30,41,37,2d,43,41,36,43,31,35,44,32,35,43,\
33,46,7d,00,5c,44,65,76,69,63,65,5c,4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,\
74,69,6f,6e,5f,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,43,38,46,42,38,36,33,\
31,2d,31,34,45,42,2d,34,42,44,30,2d,39,45,42,41,2d,37,34,36,36,34,46,45,33,\
41,46,31,45,7d,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\NetworkProvider]
"Name"="Microsoft Windows Network"
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6e,74,6c,61,6e,6d,61,6e,2e,64,6c,6c,00
"DeviceName"="\\Device\\LanmanRedirector"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Enum]
"0"="Root\\LEGACY_LANMANWORKSTATION\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Server"
"ObjectName"="LocalSystem"
"Description"="Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\AutotunedParameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity]
"SrvsvcConfigInfo"=hex:01,00,04,80,a0,00,00,00,ac,00,00,00,00,00,00,00,14,00,\
00,00,02,00,8c,00,06,00,00,00,00,00,18,00,17,00,0f,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,00,00,18,00,17,00,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,25,02,00,00,00,00,14,00,17,00,0f,00,01,01,00,00,00,00,00,05,12,\
00,00,00,00,00,18,00,03,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,\
00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,01,00,00,00,00,00,00,14,\
00,01,00,00,00,01,01,00,00,00,00,00,05,07,00,00,00,01,01,00,00,00,00,00,05,\
12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
"SrvsvcTransportEnum"=hex:01,00,04,80,8c,00,00,00,98,00,00,00,00,00,00,00,14,\
00,00,00,02,00,78,00,05,00,00,00,00,00,18,00,17,00,0f,00,01,02,00,00,00,00,\
00,05,20,00,00,00,20,02,00,00,00,00,18,00,17,00,0f,00,01,02,00,00,00,00,00,\
05,20,00,00,00,25,02,00,00,00,00,14,00,17,00,0f,00,01,01,00,00,00,00,00,05,\
12,00,00,00,00,00,18,00,03,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,23,\
02,00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,05,0b,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
"SrvsvcConnection"=hex:01,00,04,80,7c,00,00,00,88,00,00,00,00,00,00,00,14,00,\
00,00,02,00,68,00,04,00,00,00,00,00,18,00,01,00,0f,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,00,00,18,00,01,00,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,25,02,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,05,20,\
00,00,00,26,02,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,05,20,00,\
00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,\
05,12,00,00,00
"SrvsvcServerDiskEnum"=hex:01,00,04,80,4c,00,00,00,58,00,00,00,00,00,00,00,14,\
00,00,00,02,00,38,00,02,00,00,00,00,00,18,00,01,00,0f,00,01,02,00,00,00,00,\
00,05,20,00,00,00,20,02,00,00,00,00,18,00,01,00,0f,00,01,02,00,00,00,00,00,\
05,20,00,00,00,25,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,\
00,00,00,05,12,00,00,00
"SrvsvcFile"=hex:01,00,04,80,64,00,00,00,70,00,00,00,00,00,00,00,14,00,00,00,\
02,00,50,00,03,00,00,00,00,00,18,00,11,00,0f,00,01,02,00,00,00,00,00,05,20,\
00,00,00,20,02,00,00,00,00,18,00,11,00,0f,00,01,02,00,00,00,00,00,05,20,00,\
00,00,25,02,00,00,00,00,18,00,11,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,\
00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,\
12,00,00,00
"SrvsvcShareFileInfo"=hex:01,00,04,80,8c,00,00,00,98,00,00,00,00,00,00,00,14,\
00,00,00,02,00,78,00,05,00,00,00,00,00,18,00,13,00,0f,00,01,02,00,00,00,00,\
00,05,20,00,00,00,20,02,00,00,00,00,18,00,13,00,0f,00,01,02,00,00,00,00,00,\
05,20,00,00,00,25,02,00,00,00,00,18,00,13,00,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,23,02,00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,01,00,\
00,00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,05,07,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
"SrvsvcSharePrintInfo"=hex:01,00,04,80,a4,00,00,00,b0,00,00,00,00,00,00,00,14,\
00,00,00,02,00,90,00,06,00,00,00,00,00,18,00,13,00,0f,00,01,02,00,00,00,00,\
00,05,20,00,00,00,20,02,00,00,00,00,18,00,13,00,0f,00,01,02,00,00,00,00,00,\
05,20,00,00,00,25,02,00,00,00,00,18,00,13,00,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,26,02,00,00,00,00,18,00,13,00,0f,00,01,02,00,00,00,00,00,05,20,\
00,00,00,23,02,00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,05,07,00,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
"SrvsvcShareAdminInfo"=hex:01,00,04,80,8c,00,00,00,98,00,00,00,00,00,00,00,14,\
00,00,00,02,00,78,00,05,00,00,00,00,00,18,00,13,00,0f,00,01,02,00,00,00,00,\
00,05,20,00,00,00,20,02,00,00,00,00,18,00,02,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,25,02,00,00,00,00,18,00,02,00,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,23,02,00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,01,00,\
00,00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,05,07,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
"SrvsvcShareConnect"=hex:01,00,04,80,8c,00,00,00,98,00,00,00,00,00,00,00,14,00,\
00,00,02,00,78,00,05,00,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,25,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,00,05,20,\
00,00,00,27,02,00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,05,07,00,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
"SrvsvcShareAdminConnect"=hex:01,00,04,80,64,00,00,00,70,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,\
00,05,20,00,00,00,25,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,00,\
05,20,00,00,00,27,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,\
00,00,00,05,12,00,00,00
"SrvsvcStatisticsInfo"=hex:01,00,04,80,60,00,00,00,6c,00,00,00,00,00,00,00,14,\
00,00,00,02,00,4c,00,03,00,00,00,00,00,18,00,01,00,0f,00,01,02,00,00,00,00,\
00,05,20,00,00,00,20,02,00,00,00,00,18,00,01,00,0f,00,01,02,00,00,00,00,00,\
05,20,00,00,00,25,02,00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,02,\
00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
00,00,00
"AnonymousDescriptorsUpgraded"=dword:00000001
"PreviousAnonymousRestriction"=dword:00000000
"SrvsvcSessionInfo"=hex:01,00,04,80,78,00,00,00,84,00,00,00,00,00,00,00,14,00,\
00,00,02,00,64,00,04,00,00,00,00,00,18,00,13,00,0f,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,00,00,18,00,13,00,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,25,02,00,00,00,00,18,00,13,00,0f,00,01,02,00,00,00,00,00,05,20,\
00,00,00,23,02,00,00,00,00,14,00,01,00,00,00,01,01,00,00,00,00,00,05,0b,00,\
00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00
"SessionSecurityDescriptorRegenerated"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Linkage]
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,4e,77,6c,6e,6b,4e,62,00,5c,44,65,76,69,\
63,65,5c,4e,77,6c,6e,6b,49,70,78,00,5c,44,65,76,69,63,65,5c,4e,65,74,62,69,\
6f,73,53,6d,62,00,5c,44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,\
5f,7b,39,46,43,44,45,39,35,36,2d,32,33,32,43,2d,34,39,37,41,2d,42,34,42,44,\
2d,30,43,39,37,36,46,45,31,32,30,30,32,7d,00,5c,44,65,76,69,63,65,5c,4e,65,\
74,42,54,5f,54,63,70,69,70,5f,7b,45,41,32,31,39,33,35,30,2d,42,32,35,46,2d,\
34,33,30,34,2d,42,30,41,37,2d,43,41,36,43,31,35,44,32,35,43,33,46,7d,00,5c,\
44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,43,38,46,42,38,\
36,33,31,2d,31,34,45,42,2d,34,42,44,30,2d,39,45,42,41,2d,37,34,36,36,34,46,\
45,33,41,46,31,45,7d,00,00
"Route"=hex(7):22,4e,77,6c,6e,6b,4e,62,22,00,22,4e,77,6c,6e,6b,49,70,78,22,00,\
22,4e,65,74,62,69,6f,73,53,6d,62,22,00,22,4e,65,74,42,54,22,20,22,54,63,70,\
69,70,22,20,22,7b,39,46,43,44,45,39,35,36,2d,32,33,32,43,2d,34,39,37,41,2d,\
42,34,42,44,2d,30,43,39,37,36,46,45,31,32,30,30,32,7d,22,00,22,4e,65,74,42,\
54,22,20,22,54,63,70,69,70,22,20,22,4e,64,69,73,57,61,6e,49,70,22,00,00
"Export"=hex(7):5c,44,65,76,69,63,65,5c,4c,61,6e,6d,61,6e,53,65,72,76,65,72,5f,\
4e,77,6c,6e,6b,4e,62,00,5c,44,65,76,69,63,65,5c,4c,61,6e,6d,61,6e,53,65,72,\
76,65,72,5f,4e,77,6c,6e,6b,49,70,78,00,5c,44,65,76,69,63,65,5c,4c,61,6e,6d,\
61,6e,53,65,72,76,65,72,5f,4e,65,74,62,69,6f,73,53,6d,62,00,5c,44,65,76,69,\
63,65,5c,4c,61,6e,6d,61,6e,53,65,72,76,65,72,5f,4e,65,74,42,54,5f,54,63,70,\
69,70,5f,7b,39,46,43,44,45,39,35,36,2d,32,33,32,43,2d,34,39,37,41,2d,42,34,\
42,44,2d,30,43,39,37,36,46,45,31,32,30,30,32,7d,00,5c,44,65,76,69,63,65,5c,\
4c,61,6e,6d,61,6e,53,65,72,76,65,72,5f,4e,65,74,42,54,5f,54,63,70,69,70,5f,\
7b,45,41,32,31,39,33,35,30,2d,42,32,35,46,2d,34,33,30,34,2d,42,30,41,37,2d,\
43,41,36,43,31,35,44,32,35,43,33,46,7d,00,5c,44,65,76,69,63,65,5c,4c,61,6e,\
6d,61,6e,53,65,72,76,65,72,5f,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,43,38,\
46,42,38,36,33,31,2d,31,34,45,42,2d,34,42,44,30,2d,39,45,42,41,2d,37,34,36,\
36,34,46,45,33,41,46,31,45,7d,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,45,50,\
4d,41,50,50,45,52,00,4c,4f,43,41,54,4f,52,00,54,72,6b,57,6b,73,00,54,72,6b,\
53,76,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000002
"Guid"=hex:c8,23,26,e1,f5,c6,e1,44,aa,bf,f3,8f,62,fe,f3,b6
"AdjustedNullSessionPipes"=dword:00000001
"srvcomment"="Dell Optiplex GX520"
"CachedOpenLimit"=dword:00000000
"DisableDos"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
"VideoLab2"=hex(7):43,53,43,46,6c,61,67,73,3d,30,00,4d,61,78,55,73,65,73,3d,34,\
32,39,34,39,36,37,32,39,35,00,50,61,74,68,3d,43,3a,5c,00,50,65,72,6d,69,73,\
73,69,6f,6e,73,3d,30,00,52,65,6d,61,72,6b,3d,44,65,6c,6c,20,47,58,35,32,30,\
00,54,79,70,65,3d,30,00,00
"SharedDocs"=hex(7):43,53,43,46,6c,61,67,73,3d,30,00,4d,61,78,55,73,65,73,3d,\
34,32,39,34,39,36,37,32,39,35,00,50,61,74,68,3d,43,3a,5c,44,4f,43,55,4d,45,\
4e,54,53,20,41,4e,44,20,53,45,54,54,49,4e,47,53,5c,41,4c,4c,20,55,53,45,52,\
53,5c,44,4f,43,55,4d,45,4e,54,53,00,50,65,72,6d,69,73,73,69,6f,6e,73,3d,30,\
00,52,65,6d,61,72,6b,3d,00,54,79,70,65,3d,30,00,00
"Downloads"=hex(7):43,53,43,46,6c,61,67,73,3d,30,00,4d,61,78,55,73,65,73,3d,34,\
32,39,34,39,36,37,32,39,35,00,50,61,74,68,3d,43,3a,5c,44,6f,77,6e,6c,6f,61,\
64,73,00,50,65,72,6d,69,73,73,69,6f,6e,73,3d,30,00,52,65,6d,61,72,6b,3d,00,\
54,79,70,65,3d,30,00,00
"500GB"=hex(7):43,53,43,46,6c,61,67,73,3d,30,00,4d,61,78,55,73,65,73,3d,34,32,\
39,34,39,36,37,32,39,35,00,50,61,74,68,3d,46,3a,5c,00,50,65,72,6d,69,73,73,\
69,6f,6e,73,3d,30,00,52,65,6d,61,72,6b,3d,44,56,44,20,57,6f,72,6b,20,44,72,\
69,76,65,00,54,79,70,65,3d,30,00,00
"E"=hex(7):43,53,43,46,6c,61,67,73,3d,30,00,4d,61,78,55,73,65,73,3d,34,32,39,\
34,39,36,37,32,39,35,00,50,61,74,68,3d,45,3a,5c,00,50,65,72,6d,69,73,73,69,\
6f,6e,73,3d,30,00,52,65,6d,61,72,6b,3d,44,56,44,20,52,65,61,64,65,72,00,54,\
79,70,65,3d,30,00,00
"Community_Episodes"=hex(7):43,53,43,46,6c,61,67,73,3d,30,00,4d,61,78,55,73,65,\
73,3d,34,32,39,34,39,36,37,32,39,35,00,50,61,74,68,3d,49,3a,5c,43,6f,6d,6d,\
75,6e,69,74,79,5f,45,70,69,73,6f,64,65,73,00,50,65,72,6d,69,73,73,69,6f,6e,\
73,3d,30,00,52,65,6d,61,72,6b,3d,00,54,79,70,65,3d,30,00,00
"Movies"=hex(7):43,53,43,46,6c,61,67,73,3d,30,00,4d,61,78,55,73,65,73,3d,34,32,\
39,34,39,36,37,32,39,35,00,50,61,74,68,3d,49,3a,5c,4d,6f,76,69,65,73,00,50,\
65,72,6d,69,73,73,69,6f,6e,73,3d,30,00,52,65,6d,61,72,6b,3d,00,54,79,70,65,\
3d,30,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security]
"VideoLab2"=hex:01,00,04,80,54,00,00,00,70,00,00,00,00,00,00,00,14,00,00,00,02,\
00,40,00,02,00,00,00,00,00,24,00,ff,01,1f,00,01,05,00,00,00,00,00,05,15,00,\
00,00,55,a8,a8,1d,c4,09,ed,78,a6,2c,b3,07,ed,03,00,00,00,00,14,00,a9,00,12,\
00,01,01,00,00,00,00,00,01,00,00,00,00,01,05,00,00,00,00,00,05,15,00,00,00,\
55,a8,a8,1d,c4,09,ed,78,a6,2c,b3,07,ed,03,00,00,01,05,00,00,00,00,00,05,15,\
00,00,00,55,a8,a8,1d,c4,09,ed,78,a6,2c,b3,07,01,02,00,00
"Downloads"=hex:01,00,04,80,54,00,00,00,70,00,00,00,00,00,00,00,14,00,00,00,02,\
00,40,00,02,00,00,00,00,00,24,00,ff,01,1f,00,01,05,00,00,00,00,00,05,15,00,\
00,00,55,a8,a8,1d,c4,09,ed,78,a6,2c,b3,07,ed,03,00,00,00,00,14,00,a9,00,12,\
00,01,01,00,00,00,00,00,01,00,00,00,00,01,05,00,00,00,00,00,05,15,00,00,00,\
55,a8,a8,1d,c4,09,ed,78,a6,2c,b3,07,ed,03,00,00,01,05,00,00,00,00,00,05,15,\
00,00,00,55,a8,a8,1d,c4,09,ed,78,a6,2c,b3,07,01,02,00,00
"500GB"=hex:01,00,04,80,40,00,00,00,5c,00,00,00,00,00,00,00,14,00,00,00,02,00,\
2c,00,01,00,00,00,00,00,24,00,ff,01,1f,00,01,05,00,00,00,00,00,05,15,00,00,\
00,55,a8,a8,1d,c4,09,ed,78,a6,2c,b3,07,ed,03,00,00,01,05,00,00,00,00,00,05,\
15,00,00,00,55,a8,a8,1d,c4,09,ed,78,a6,2c,b3,07,ed,03,00,00,01,05,00,00,00,\
00,00,05,15,00,00,00,55,a8,a8,1d,c4,09,ed,78,a6,2c,b3,07,01,02,00,00
"E"=hex:01,00,04,80,30,00,00,00,4c,00,00,00,00,00,00,00,14,00,00,00,02,00,1c,\
00,01,00,00,00,00,00,14,00,a9,00,12,00,01,01,00,00,00,00,00,01,00,00,00,00,\
01,05,00,00,00,00,00,05,15,00,00,00,55,a8,a8,1d,c4,09,ed,78,a6,2c,b3,07,ed,\
03,00,00,01,05,00,00,00,00,00,05,15,00,00,00,55,a8,a8,1d,c4,09,ed,78,a6,2c,\
b3,07,01,02,00,00
"Community_Episodes"=hex:01,00,04,80,30,00,00,00,4c,00,00,00,00,00,00,00,14,00,\
00,00,02,00,1c,00,01,00,00,00,00,00,14,00,a9,00,12,00,01,01,00,00,00,00,00,\
01,00,00,00,00,01,05,00,00,00,00,00,05,15,00,00,00,55,a8,a8,1d,c4,09,ed,78,\
a6,2c,b3,07,ed,03,00,00,01,05,00,00,00,00,00,05,15,00,00,00,55,a8,a8,1d,c4,\
09,ed,78,a6,2c,b3,07,01,02,00,00
"Movies"=hex:01,00,04,80,30,00,00,00,4c,00,00,00,00,00,00,00,14,00,00,00,02,00,\
1c,00,01,00,00,00,00,00,14,00,a9,00,12,00,01,01,00,00,00,00,00,01,00,00,00,\
00,01,05,00,00,00,00,00,05,15,00,00,00,55,a8,a8,1d,c4,09,ed,78,a6,2c,b3,07,\
ed,03,00,00,01,05,00,00,00,00,00,05,15,00,00,00,55,a8,a8,1d,c4,09,ed,78,a6,\
2c,b3,07,01,02,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Enum]
"0"="Root\\LEGACY_LANMANSERVER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,57,69,6e,4d,67,6d,74,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:0000375d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"="C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe:*:Enabled:Spybot - Search & Destroy"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Age of Empires 2\\empires2.exe"="C:\\Age of Empires 2\\empires2.exe:*:Disabled:Age of Empires II"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Disabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\PRTG Traffic Grapher\\PRTG Traffic Grapher.exe"="C:\\Program Files\\PRTG Traffic Grapher\\PRTG Traffic Grapher.exe:*:Enabled:PRTG_Traffic_Grapher_Webserver"
"C:\\WINDOWS\\system32\\ping.exe"="C:\\WINDOWS\\system32\\ping.exe:*:Enableding.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"14030:TCP"="14030:TCP:*:Enabled:BitComet 14030 TCP"
"14030:UDP"="14030:UDP:*:Enabled:BitComet 14030 UDP"
"7523:TCP"="7523:TCP:*:Enabled:BitComet 7523 TCP"
"7523:UDP"="7523:UDP:*:Enabled:BitComet 7523 UDP"
"14986:TCP"="14986:TCP:*:Enabled:BitComet 14986 TCP"
"14986:UDP"="14986:UDP:*:Enabled:BitComet 14986 UDP"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.


Copy the bold text below to Notepad. Save it as fixme.reg to your Desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.
Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Security Center"
"DependOnService"=hex(7):52,70,63,53,73,00,77,69,6e,6d,67,6d,74,00,00
"ObjectName"="LocalSystem"
"Description"="Monitors system security settings and configurations."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,53,59,53,54,45,4d,52,4f,4f,54,25,5c,73,79,73,74,65,6d,\
33,32,5c,77,73,63,73,76,63,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:
  • C:\ComboFix.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
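Almost everything in the CFScript and the fixme.reg patch above is a hex-encoded string (ImagePath, ServiceDll, the NullSessionPipes list), so it is hard to see at a glance what the fix actually writes, or to spot a restored service whose ServiceDll points somewhere it should not. The parser below is an added example for this thread, not code posted by chaslang or jlachey. It decodes the value encodings used in these patches (dword:, hex:, hex(2), hex(7), with regedit's backslash continuation lines) and then runs a few checks a responder would make after a fix like this: service binaries outside the Windows directory, services still disabled, a firewall profile that is switched off, and firewall ports opened to any address rather than LocalSubNet. SAMPLE_REG is a constructed excerpt modelled on the values in the thread; its wscsvc entry with Start=4 is made up to exercise the "disabled service" check and is not what the thread's patch sets (the patch sets Start=2). The "clean location" rule (%SystemRoot% or C:\WINDOWS) is an assumption about a stock XP install.

```python
"""Decode a REGEDIT4-style registry fragment and sanity-check its service keys.

Added example for the thread, not the posters' code. Parses dword:, hex: (REG_BINARY),
hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) values, re-joining regedit's
backslash continuation lines, then flags settings worth a second look after a
service-restoration patch. SAMPLE_REG is constructed; the wscsvc entry (Start=4)
is invented to exercise the disabled-service check.
"""
import re

SERVICES_ROOT = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'

SAMPLE_REG = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Workstation"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"requiresecuritysignature"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
'''


def decode_value(raw):
    """Turn the right-hand side of a "name"=... line into (kind, python value)."""
    if raw.startswith('dword:'):
        return ('dword', int(raw[6:], 16))
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        kind = int(m.group(1) or '3')                   # bare "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        if kind in (1, 2):                              # REG_SZ / REG_EXPAND_SZ: NUL-terminated ANSI
            return ('expand_sz', data.split(b'\x00')[0].decode('latin-1'))
        if kind == 7:                                   # REG_MULTI_SZ: NUL-separated, double-NUL end
            return ('multi_sz', [s.decode('latin-1') for s in data.split(b'\x00') if s])
        return ('binary', data)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':      # quoted REG_SZ; .reg files double backslashes
        return ('sz', raw[1:-1].replace('\\"', '"').replace('\\\\', '\\'))
    return ('unknown', raw)


def parse_reg(text):
    """Return {key path: {value name: (kind, value)}} for REGEDIT4-style text."""
    text = re.sub(r',\\\r?\n[ \t]*', ',', text)         # re-join continued hex lists
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def audit(keys):
    """Return [(key relative to Services, finding)] for settings worth a second look."""
    findings = []
    prefix = SERVICES_ROOT.lower() + '\\'
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        rel = path[len(prefix):]
        for name in ('ImagePath', 'ServiceDll'):
            if name in values:
                # drop "-k <group>" and quotes, then insist on a Windows-directory location
                exe = str(values[name][1]).split(' -k ')[0].strip('"').lower()
                if not exe.startswith(('%systemroot%\\', 'c:\\windows\\')):
                    findings.append((rel, f'{name} outside the Windows directory: {values[name][1]}'))
        if values.get('Start', ('', None))[1] == 4:
            findings.append((rel, 'service is disabled (Start=4)'))
        if values.get('EnableFirewall', ('', None))[1] == 0:
            findings.append((rel, 'Windows Firewall disabled for this profile'))
        if rel.lower().endswith('globallyopenports\\list'):
            for _, val in values.values():
                port, proto, scope = str(val).split(':')[:3]
                if scope == '*':                        # "*" = any remote address, not just LocalSubNet
                    findings.append((rel, f'{port}/{proto} open to any address'))
    return findings


if __name__ == '__main__':
    for rel, finding in audit(parse_reg(SAMPLE_REG)):
        print(f'{rel}: {finding}')
```

Run it against a saved copy of the CFScript or fixme.reg instead of SAMPLE_REG (read the file with latin-1, since REGEDIT4 blobs are single-byte ANSI rather than the UTF-16 that "Windows Registry Editor Version 5.00" files use) and the decoded ImagePath and ServiceDll strings should all resolve under %SystemRoot%; anything else in a restored service key is a reason to stop and look at the binary before merging the patch.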
#63  09-01-12, 23:40
jlachey (Private First Class; joined May 2005; 94 posts)
Re: Help with removing malware

This is an older computer, so could it be from something I did a while ago? I stopped using it a few years ago because it had a lot of problems and I didn't think I would be able to get it to work. I only started using it again less than a year ago, and I thought it was close to being back to normal. I did have a lot of trouble with installing Service Pack 3; I don't know if any changes to my computer at that time could have caused some problems. As for System Restore, I only noticed it wasn't working after I got rid of the malware and tried to flush my restore points. I was able to turn it off, but I could not turn it back on after I restarted my computer. I'm guessing that is why I don't have any restore points.

I am hoping ComboFix worked. It seems like it did, but I was concerned since Zone Alarm was re-enabled after ComboFix restarted my computer.

For the second step, I did receive a success message for the addition to the registry.
Attached Files: ComboFix.txt (26.0 KB), MGlogs.zip (301.3 KB)
#64  09-02-12, 09:19
chaslang (MajorGeeks Admin - Master Malware Expert; Northern New Jersey USA; joined Feb 2004; 77,519 posts)
Re: Help with removing malware

Good. That fixed 13 services. Let's try to fix a few more with another registry patch.
Quote:
Originally Posted by jlachey View Post
As for system restore, I only noticed it wasn't working after I got rid of the malware and tried to flush my restore points. I was able to turn it off, but I could not turn it back on after I restarted my computer.
Yes, it was not running. Now it is.


Copy the bold text below to Notepad. Save it as fixme2.reg to your Desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.
Quote:
REGEDIT4

; Distributed Link Tracking Client, hosted in the "netsvcs" svchost group
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"Description"="Maintains links between NTFS files within a computer or across computers in a network domain."
"DisplayName"="Distributed Link Tracking Client"
; REG_MULTI_SZ: "RpcSs"
"DependOnService"=hex(7):52,70,63,53,73,00,00
; ErrorControl 1 = normal (log the failure and keep booting)
"ErrorControl"=dword:00000001
; REG_EXPAND_SZ: "%SystemRoot%\system32\svchost.exe -k netsvcs"
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"ObjectName"="LocalSystem"
; Start 2 = Automatic; Type 0x20 = SERVICE_WIN32_SHARE_PROCESS
"Start"=dword:00000002
"Type"=dword:00000020
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\Parameters]
; REG_EXPAND_SZ: "%SystemRoot%\system32\trkwks.dll"
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,72,6b,77,6b,73,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\Security]
; REG_BINARY: the service's security descriptor (who may start, stop and configure it)
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\Enum]
"0"="Root\\LEGACY_TRKWKS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
; WebClient (WebDAV redirector), runs as LocalService in the "LocalService" svchost group
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
; Type 0x10 = SERVICE_WIN32_OWN_PROCESS
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
; REG_EXPAND_SZ: "%SystemRoot%\system32\svchost.exe -k LocalService"
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,4c,6f,63,61,6c,53,65,72,\
76,69,63,65,00
"DisplayName"="WebClient"
"Group"="NetworkProvider"
; REG_MULTI_SZ: "MRxDAV" (the WebDAV mini-redirector driver)
"DependOnService"=hex(7):4d,52,78,44,41,56,00,00
; REG_MULTI_SZ: empty list
"DependOnGroup"=hex(7):00
"ObjectName"="NT AUTHORITY\\LocalService"
"Description"="Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start."
"ServiceSidType"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider]
"Name"="Web Client Network"
; REG_EXPAND_SZ: "%SystemRoot%\System32\davclnt.dll"
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,64,61,76,63,6c,6e,74,2e,64,6c,6c,00
"DeviceName"="\\Device\\WebDavRedirector"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters]
; REG_EXPAND_SZ: "%SystemRoot%\System32\webclnt.dll"
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,65,62,63,6c,6e,74,2e,64,6c,6c,00
"ServerNotFoundCacheLifeTimeInSec"=dword:0000003c
"AcceptOfficeAndTahoeServers"=dword:00000000
"ServiceDebug"=dword:00000000
"ClientDebug"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Enum]
"0"="Root\\LEGACY_WEBCLIENT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
; Automatic Updates, hosted in the "netsvcs" svchost group
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
; REG_EXPAND_SZ: "%systemroot%\system32\svchost.exe -k netsvcs"
"ImagePath"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Automatic Updates"
"ObjectName"="LocalSystem"
"Description"="Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
; REG_EXPAND_SZ: "C:\WINDOWS\system32\wuauserv.dll" (absolute path, as exported)
"ServiceDll"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,\
5c,77,75,61,75,73,65,72,76,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,00,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,48,00,03,00,00,00,00,00,14,00,9d,00,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,ff,01,0f,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum]
"0"="Root\\LEGACY_WUAUSERV\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



Now run the C:\MGtools\GetLogs.bat file by double-clicking on it (Note: if using Vista or Win7, don't double-click; use right-click and select Run As Administrator).

Then attach the below logs:
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


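An added example, not code from the post above or from MGtools/ComboFix: before merging a service patch like the one above, it is worth decoding what it will actually write. The script below parses REGEDIT4 syntax, expands the hex(2)/hex(7) byte lists to strings, and flags any service whose ImagePath or ServiceDll points outside %SystemRoot%\system32, which is the usual sign of a hijacked service registration. The embedded .reg text is constructed: the TrkWks entries are copied from the patch above, and "EvilSvc" with its C:\Temp\evil.dll is a hypothetical entry added only so the check has something to fire on.

```python
"""Decode a REGEDIT4 service patch and sanity-check the paths it will write.

Added example, not code from the forum post or from MGtools/ComboFix.
It parses the .reg syntax used in the patch above, expands the
hex(2)/hex(7) byte lists to strings, and flags any service whose
ImagePath or ServiceDll lives outside %SystemRoot%\\system32.
"""
import re

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed sample: TrkWks entries copied from the patch above, plus a
# hypothetical "EvilSvc" whose ServiceDll is in C:\Temp to show the check firing.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"DisplayName"="Distributed Link Tracking Client"
"DependOnService"=hex(7):52,70,63,53,73,00,00
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,72,6b,77,6b,73,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvilSvc]
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvilSvc\Parameters]
"ServiceDll"="C:\\Temp\\evil.dll"
"""


def _join_continuations(text):
    """Join lines that end in a backslash, regedit's line-continuation marker."""
    lines, pending = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
            continue
        lines.append(pending + stripped)
        pending = ""
    return lines


def _decode_value(raw):
    """Turn the right-hand side of a name=value line into a Python value.

    REGEDIT4 files are ANSI, so hex(2)/hex(7) hold one byte per character
    (a "Version 5.00" export would hold UTF-16LE instead).
    """
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    match = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not match:
        raise ValueError("unrecognised value syntax: " + raw)
    kind = int(match.group(1) or 3)          # bare "hex:" is REG_BINARY (3)
    data = bytes(int(b, 16) for b in match.group(2).split(",") if b)
    if kind in (1, 2):                        # REG_SZ / REG_EXPAND_SZ
        return data.decode("latin-1").rstrip("\x00")
    if kind == 7:                             # REG_MULTI_SZ: NUL-separated list
        return [s for s in data.decode("latin-1").split("\x00") if s]
    return data


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4 document."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, sep, raw = line.partition("=")
        if current is None or not sep:
            continue
        keys[current][name.strip('"')] = _decode_value(raw)
    return keys


def _is_system32(path):
    """True if a service binary path sits under the Windows system32 directory."""
    p = path.strip('"').lower()
    return p.startswith("%systemroot%\\system32\\") or p.startswith("c:\\windows\\system32\\")


def audit_services(text):
    """Map each service in the patch to a list of suspicious-path findings."""
    findings = {}
    for key, values in parse_reg(text).items():
        if not key.startswith(SERVICES_PREFIX):
            continue
        service, _, subkey = key[len(SERVICES_PREFIX):].partition("\\")
        problems = findings.setdefault(service, [])
        if subkey == "" and "ImagePath" in values and not _is_system32(values["ImagePath"]):
            problems.append("ImagePath outside system32: " + values["ImagePath"])
        if subkey == "Parameters" and "ServiceDll" in values and not _is_system32(values["ServiceDll"]):
            problems.append("ServiceDll outside system32: " + values["ServiceDll"])
    return findings


if __name__ == "__main__":
    for service, problems in audit_services(SAMPLE_REG).items():
        print(service, "OK" if not problems else "; ".join(problems))
```

The decoder assumes the REGEDIT4 (ANSI) format used in the patch above; a "Windows Registry Editor Version 5.00" export stores hex(2)/hex(7) as UTF-16LE and would need a different decode. The wuauserv entry in the patch uses an absolute C:\WINDOWS\system32 path rather than %SystemRoot%, which is why the check accepts both spellings.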
#65
Old 09-02-12, 09:35
Kestrel13!
Super Malware Fighter - Major Dilemma
Join Date: Apr 2007
Location: cloud cuckoo land
Posts: 24,114
Thanks: 513
Thanked 2,769 Times in 2,715 Posts
Re: Help with removing malware

Quote:
Good. That fixed 13 services.
I did not realise so much was broken! Nice one Chas.
__________________
“The truth is, everyone is going to hurt you. You just got to find the ones worth suffering for.”
#66
Old 09-02-12, 10:19
jlachey
Private First Class
Join Date: May 2005
Posts: 94
Thanks: 1
Thanked 0 Times in 0 Posts
Re: Help with removing malware

The addition to the registry was successful. When you tell me to let you know how things are working, what should I check? I don't want to click on something I shouldn't, and ruin any progress we are making.
Attached Files: MGlogs.zip (301.6 KB)
#67
Old 09-02-12, 10:38
chaslang
MajorGeeks Admin - Master Malware Expert
Re: Help with removing malware

Well, now most of what we fixed is broken again. I think it is time you bite the bullet and reinstall. There is just too much messed up to be able to repair. Your other choice may be to use Macrium to restore an old backup.
#68
Old 09-02-12, 10:45
jlachey
Private First Class
Re: Help with removing malware

Hmm, ok. Well, thank you for all of your help!
#69
Old 09-02-12, 11:03
chaslang
MajorGeeks Admin - Master Malware Expert
Re: Help with removing malware

You're welcome. One other thing of note if you reinstall. Do not have two active Windows partitions like you have now. You have some things trying to load from drive F and some from drive C. There should be only one "ACTIVE" Windows partition.
Last edited by chaslang; 09-02-12 at 11:09..
#70
Old 09-02-12, 11:11
jlachey
Private First Class
Re: Help with removing malware

Ok. I was new to all of that when I installed the second drive- hopefully I have a better understanding of things now.
#71
Old 09-02-12, 11:57
jlachey
Private First Class
Re: Help with removing malware

Actually, I don't think I completely understand what you are saying. I have two hard drives. I cloned the original drive onto the newer one because I was running out of space on the first one. The newer one has data on it that is not on the original drive. Could that be why some things try to load from the C drive and others try to load from the F drive? How do I make only one partition active?
#72
Old 09-03-12, 13:55
chaslang
MajorGeeks Admin - Master Malware Expert
Re: Help with removing malware

Quote:
Originally Posted by jlachey
Actually, I don't think I completely understand what you are saying. I have two hard drives. I cloned the original drive onto the newer one because I was running out of space on the first one.
From your logs there were examples of what I'm referring to. For example, in RogueKiller it showed the two hard disks and both of them have Active Windows boot partitions.
Code:
+++++ PhysicalDrive0: WDC WD2500JB-57REA0 +++++
--- User ---
[MBR] c7d283efd6f72a116f5c4a6e68b934a6
[BSP] 124cd039919cf1c728422027a3563770 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 31 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 64260 | Size: 238441 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: MAXTOR 6L040J2 +++++
--- User ---
[MBR] 3457ac3ae5cfdb2a5d269d6c6080e1bc
[BSP] f49cae14d8b91b005dff84b1f6d8852f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 31 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 64260 | Size: 38138 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Only one disk should have an active boot partition. You should have turned the other into a slave drive just to hold data. You have things set up where you are booting Windows from drive F and then having some things like C:\Program Files referenced. While this in itself is not necessarily an issue, the two active boot partitions are. I'm not sure of everything you did, but you may even have Windows itself confused on where your registry is, and perhaps this is even part of the reason that your services are all messed up. I cannot be sure, but I do know all of this is not due to malware. And since each time we get things fixed they break again on the next reboot, it points towards some internal issues with Windows.

For stability's sake, it would be better to reinstall; however, you could try temporarily disconnecting the smaller (and I assume older) drive and then see if your PC will boot up Windows properly.

I'm not even sure if removing the Active setting on one of the drives will cure the problems you have.

Do you have a full backup from Macrium? Possibly you could use it?
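An added example, not code from the post above or from RogueKiller: the listing above comes from reading each disk's master boot record, where the first byte of every 16-byte partition entry is the boot flag (0x80 = "ACTIVE"). The script below builds two 512-byte MBR sectors constructed to match the two drives in the listing (a 0xDE Dell utility partition followed by an active NTFS partition on each), parses them the way a tool like RogueKiller would, reports which disks carry an active partition, and shows the flag being cleared on the second disk so that only one bootable disk remains. The disk names and sizes are taken from the listing; everything else is constructed for the example.

```python
"""Parse MBR partition tables and flag more than one bootable (active) disk.

Added example, not code from the forum post or from RogueKiller. The two
sector images below are constructed to match the RogueKiller listing in the
post: a Dell utility partition (type 0xDE) followed by an active NTFS
partition (type 0x07) on each physical drive.
"""
import struct

SECTOR = 512
MB = 1024 * 1024
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def make_entry(active, ptype, lba_start, size_sectors):
    """Build one 16-byte partition entry (CHS fields zeroed for brevity)."""
    status = 0x80 if active else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, size_sectors)


def make_mbr(entries):
    """Assemble a 512-byte sector: 446 bytes of boot code, 4 entries, 0x55AA."""
    table = b"".join(entries) + make_entry(False, 0, 0, 0) * (4 - len(entries))
    return b"\x00" * 446 + table + b"\x55\xAA"


def parse_mbr(sector):
    """Return the non-empty partition entries of `sector` as dicts."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, start, size = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:               # empty slot
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "start": start, "size_mb": size * SECTOR // MB})
    return parts


def active_disks(disks):
    """Names of the disks whose MBR carries a partition with the boot flag set."""
    return [name for name, sector in disks.items()
            if any(p["active"] for p in parse_mbr(sector))]


def clear_active_flags(sector):
    """Copy of `sector` with every partition's boot flag cleared, which is
    what marking each partition inactive (e.g. diskpart's INACTIVE) leaves."""
    buf = bytearray(sector)
    for i in range(4):
        buf[446 + 16 * i] = 0x00
    return bytes(buf)


# Constructed to mirror the thread's RogueKiller output (sizes in MB, rounded).
DISKS = {
    "PhysicalDrive0": make_mbr([
        make_entry(False, 0xDE, 63, 64260 - 63),
        make_entry(True, 0x07, 64260, 238441 * MB // SECTOR),
    ]),
    "PhysicalDrive1": make_mbr([
        make_entry(False, 0xDE, 63, 64260 - 63),
        make_entry(True, 0x07, 64260, 38138 * MB // SECTOR),
    ]),
}


if __name__ == "__main__":
    for name, sector in DISKS.items():
        print(name)
        for p in parse_mbr(sector):
            flag = "ACTIVE" if p["active"] else "      "
            print("  %d - [%s] type 0x%02x offset %d size %d MB"
                  % (p["index"], flag, p["type"], p["start"], p["size_mb"]))
    bootable = active_disks(DISKS)
    if len(bootable) > 1:
        print("WARNING: %d disks carry an active partition: %s"
              % (len(bootable), ", ".join(bootable)))
```

The BIOS boots whichever disk it is configured to try first, so two disks each carrying an active Windows partition is exactly the situation where swapping cables or boot order silently changes which copy of Windows (and which registry) comes up. Clearing the flag, as `clear_active_flags` does on the constructed image, is a byte-level change to the MBR only; on a real machine use diskpart or Disk Management rather than writing the sector by hand.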
#73
Old 09-04-12, 23:28
jlachey
Private First Class
Re: Help with removing malware

I did some tweaking and I think I managed to make the F drive (the newer drive) into a slave drive. The C drive has always been set to master, but I wasn't sure about the F drive since it isn't labelled very well. The computer now seems to be starting up with the older drive, but it is very slow. System Restore works- at least in safe mode. I might try disconnecting the C drive next to see if I can get the system to boot up with the newer drive. I don't have a full backup, but I do have my important data stored on other devices. So I'm not really worried about losing anything.
#74
Old 09-05-12, 22:41
chaslang
MajorGeeks Admin - Master Malware Expert
Re: Help with removing malware

Well, while you only have one drive connected (either the C or the currently F drive), run MGtools and attach the new log so we can see what the status is in that mode with all your services.
#75
Old 09-09-12, 14:57
jlachey
Private First Class
Re: Help with removing malware

I am still trying to get one drive to work by itself. I keep getting error messages along the lines of 'Primary hard disk drive 0 (or 1) not found'. I did manage to configure it where one disk is listed as 'active' and the other is listed as 'system'. I think they were previously both listed as 'system'. The problem now is that the computer will only start up properly in safe mode (I'm using the network option) and I cannot update any programs (Avast, Malwarebytes, etc.). I will keep trying to get just one drive working alone, or do you think I should try something else?
#76
Old 09-09-12, 19:52
chaslang
MajorGeeks Admin - Master Malware Expert
Re: Help with removing malware

This is likely the effect of having Windows installed on both and both being active. This is why we were having problems previously in getting services fixed. Perhaps you would be better off reinstalling.
#77
Old 09-09-12, 20:14
jlachey
Private First Class
Re: Help with removing malware

Yeah, I'm thinking that will be my best option. Thank you so much for your help- thank you, Kestrel13! as well! I really appreciate the time and effort you both put into helping me.
#78
Old 09-10-12, 05:15
Kestrel13!
Super Malware Fighter - Major Dilemma
Re: Help with removing malware

On behalf of us both, you are *most* welcome.