Bluescreen Loop After Removing Pihar Rootkit Trojan



#16 JSntgRvr (Global Moderator, 11,018 posts)

Please download the OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\FRST

    :Commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [EMPTYJAVA]

  • Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Let's try to locate the Context Menu entry in the registry.

For 64-bit systems, please download SystemLook from the link below and save it to your Desktop.

64 bit Download Mirror

  • Double-click SystemLook.exe (or SystemLook_x64.exe) to run the application.
  • Copy the content of the following quote box into the main textfield:


    :regfind
    "%1" %*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
  • 0
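As an added example (not part of the thread, and not code from SystemLook or OTM), the following PowerShell script does what the `:regfind` run above does, but with a baseline to compare against: for the self-running file types (`exefile`, `comfile`, `batfile`, `cmdfile`, `piffile`) a stock system stores exactly `"%1" %*` as the `open\command` handler, and `.exe` must map to the `exefile` ProgID. It also checks the per-user `HKCU\Software\Classes` hive, which overrides the machine hive in the merged `HKCR` view. The list of types, the expected string and the PowerShell 3+ requirement are my assumptions; the script is read-only.

```powershell
# Added example, not part of the thread or of the SystemLook/OTM tools it uses:
# audit the shell "open" handlers of the self-running file types, the same idea
# as the ":regfind" run above but with a baseline. On a stock system these
# ProgIDs store exactly  "%1" %*  (run the file itself, pass arguments through);
# anything else is worth a look. Read-only. Needs PowerShell 3 or later and an
# elevated prompt so that both hives can be read.

$expected     = '"%1" %*'
$selfRunTypes = 'exefile', 'comfile', 'batfile', 'cmdfile', 'piffile'   # assumed baseline set

# HKCR is a merged view in which HKCU\Software\Classes overrides HKLM, so a
# per-user hijack stays invisible if only the machine hive is searched.
$roots = 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes'

function Get-DefaultValue {
    # Returns a key's (Default) value, or $null when the key or the value is absent.
    param([string]$Path)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('', $null, 'DoNotExpandEnvironmentNames')
}

$findings = foreach ($root in $roots) {
    # 1. The extension must still map to its ProgID (.exe -> exefile); the KB
    #    fix quoted in this thread starts by checking exactly this value.
    $progId = Get-DefaultValue "$root\.exe"
    if ($progId -and $progId -ne 'exefile') {
        [pscustomobject]@{ Key = "$root\.exe"; Value = $progId; Issue = "ProgID is not 'exefile'" }
    }

    # 2. The open\command (Default) of each self-running type must be the
    #    pass-through string; a missing key is normal in the per-user hive.
    foreach ($type in $selfRunTypes) {
        $cmdKey = "$root\$type\shell\open\command"
        $cmd = Get-DefaultValue $cmdKey
        if ($null -ne $cmd -and $cmd -ne $expected) {
            [pscustomobject]@{ Key = $cmdKey; Value = $cmd; Issue = "handler is not $expected" }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    "All .exe/open handlers match the expected $expected baseline."
}
```

Run it from an elevated PowerShell prompt. An empty result matches what the SystemLook log above shows for this machine; a handler that points at a file under a temp or profile directory instead of `"%1" %*` is the pattern an executable-association hijack leaves behind.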

#17 Don54 (Topic Starter, Member, 53 posts)

FYI - I just restarted the machine following the last Combofix run, and booted up to a black screen... I got to the welcome screen, signed in with the Windows password, then black screen... desktop didn't load. Restarted again under safe mode and was able to access the desktop, restarted again with a normal boot and it seems fine now. I will continue with the above instructions.

Edited by Don54, 19 March 2013 - 04:33 PM.

  • 0

#18 JSntgRvr (Global Moderator, 11,018 posts)

:thumbsup:
  • 0

#19 Don54 (Topic Starter, Member, 53 posts)

:) Ran OTM and Systemlook, logs follow:

*** OTM

All processes killed
========== FILES ==========
C:\FRST\Quarantine folder moved successfully.
C:\FRST\Logs folder moved successfully.
C:\FRST\Hives folder moved successfully.
C:\FRST folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Don
->Temp folder emptied: 2306949 bytes
->Temporary Internet Files folder emptied: 192673907 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1451 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5505 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 84793 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 186.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Don
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb


OTM by OldTimer - Version 3.1.21.0 log created on 03192013_184422

Files moved on Reboot...
C:\Users\Don\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

*** SystemLook

SystemLook 30.07.11 by jpshortstuff
Log created at 18:53 on 19/03/2013 by Don
Administrator - Elevation successful

========== regfind ==========

Searching for ""%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\3XEfile\shell\open\command]
@=""%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@=""%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\runas\command]
@="%SystemRoot%\System32\cmd.exe /C "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command]
@=""%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\runas\command]
@="%SystemRoot%\System32\cmd.exe /C "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]
@=""%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@=""%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
"IsolatedCommand"=""%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\runas\command]
@=""%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\runas\command]
"IsolatedCommand"=""%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafile\Shell\Open\Command]
@="C:\Windows\SysWOW64\mshta.exe "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jarfile\shell\open\command]
@=""C:\Program Files (x86)\Java\jre6\bin\javaw.exe" -jar "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSEFile\Shell\Open\Command]
@="C:\Windows\System32\WScript.exe "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSEFile\Shell\Open2\Command]
@="C:\Windows\System32\CScript.exe "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command]
@="%SystemRoot%\System32\WScript.exe "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\Shell\Open2\Command]
@="C:\Windows\System32\CScript.exe "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\Author\command]
@="%SystemRoot%\system32\mmc.exe /a "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\open\command]
@="%SystemRoot%\system32\mmc.exe "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\RunAs\command]
@="%SystemRoot%\system32\mmc.exe "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msi.Package\shell\Open\command]
@=""%SystemRoot%\System32\msiexec.exe" /i "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msi.Package\shell\Repair\command]
@=""%SystemRoot%\System32\msiexec.exe" /f "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msi.Package\shell\Uninstall\command]
@=""%SystemRoot%\System32\msiexec.exe" /x "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msi.Patch\shell\Open\command]
@=""%SystemRoot%\System32\msiexec.exe" /p "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command]
@=""%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBEFile\Shell\Open\Command]
@="%SystemRoot%\System32\WScript.exe "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBEFile\Shell\Open2\Command]
@=""%SystemRoot%\System32\CScript.exe" "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command]
@="%SystemRoot%\System32\WScript.exe "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command]
@=""%SystemRoot%\System32\CScript.exe" "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.XamlDocument\shell\open\command]
@=""C:\Windows\System32\PresentationHost.exe" "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Xbap\shell\open\command]
@=""C:\Windows\System32\PresentationHost.exe" "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.XPSReachViewer\shell\open\command]
@="%SystemRoot%\System32\xpsrchvw.exe "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WSFFile\Shell\Open\Command]
@=""%SystemRoot%\System32\WScript.exe" "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WSFFile\Shell\Open2\Command]
@=""%SystemRoot%\System32\CScript.exe" "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WSHFile\Shell\Open\Command]
@=""%SystemRoot%\System32\WScript.exe" "%1" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WSHFile\Shell\Open2\Command]
@=""%SystemRoot%\System32\CScript.exe" "%1" %*"

-= EOF =-
  • 0

#20 Don54 (Topic Starter, Member, 53 posts)

Just to be clear, I only see the "%1" %* with .exe files.
  • 0

#21 JSntgRvr (Global Moderator, 11,018 posts)

Besides the Context Menu, how is the computer doing?
  • 0

#22 JSntgRvr (Global Moderator, 11,018 posts)

    Just to be clear, I only see the "%1" %* with .exe files.

There are no problems with the entries above. I am consulting my colleagues. Chances are it is coming from a shell file.

Will let you know soon. Let me know how it is doing.
  • 0

#23 Don54 (Topic Starter, Member, 53 posts)

Computer seems fine... boot time seems faster... though I still can't get MS Security Essentials to start so I am not sure how to proceed with antivirus protection.

With regard to the context menu, I think the key is the registry entries in HKEY_CLASSES_ROOT\exefile\shell\open. Now, after running OTM, at the top of the context menu I see: (value not set) - instead of "%1" %*. I checked the registry and \shell and \open both have the defaults now set to (value not set). Previously HKEY_CLASSES_ROOT\exefile\shell\open was set to "%1" %* and that is what displayed in the context menu. Hope this makes sense.
  • 0

#24 JSntgRvr (Global Moderator, 11,018 posts)

Open a command prompt. (Start->type CMD on the Search line->press Enter)

At the prompt copy and paste the following command and press Enter

Reg query HKEY_CLASSES_ROOT\exefile /s >"%Userprofile%\desktop\Report.txt"

Type Exit and press Enter to return to Windows. A Report.txt will be produced on your desktop. Open it with Notepad and post its contents.
  • 0

#25 Don54 (Topic Starter, Member, 53 posts)

CMD query: Reg query HKEY_CLASSES_ROOT\exefile /s >"%Userprofile%\desktop\Report.txt"


*** Report.txt


HKEY_CLASSES_ROOT\exefile
(Default) REG_SZ Application
EditFlags REG_BINARY 38070000
FriendlyTypeName REG_EXPAND_SZ @%SystemRoot%\System32\shell32.dll,-10156

HKEY_CLASSES_ROOT\exefile\DefaultIcon
(Default) REG_SZ %1

HKEY_CLASSES_ROOT\exefile\shell

HKEY_CLASSES_ROOT\exefile\shell\open
EditFlags REG_BINARY 00000000
(Default) REG_SZ (value not set)

HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) REG_SZ "%1" %*
IsolatedCommand REG_SZ "%1" %*

HKEY_CLASSES_ROOT\exefile\shell\runas
HasLUAShield REG_SZ

HKEY_CLASSES_ROOT\exefile\shell\runas\command
(Default) REG_SZ "%1" %*
IsolatedCommand REG_SZ "%1" %*

HKEY_CLASSES_ROOT\exefile\shell\runasuser
(Default) REG_SZ @shell32.dll,-50944
Extended REG_SZ
SuppressionPolicyEx REG_SZ {F211AA05-D4DF-4370-A2A0-9F19C09756A7}

HKEY_CLASSES_ROOT\exefile\shell\runasuser\command
DelegateExecute REG_SZ {ea72d00e-4960-42fa-ba92-7792a7944c1d}

HKEY_CLASSES_ROOT\exefile\shellex

HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers
(Default) REG_SZ Compatibility

HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\Compatibility
(Default) REG_SZ {1d27f844-3a1f-4410-85ac-14651078412d}

HKEY_CLASSES_ROOT\exefile\shellex\DropHandler
(Default) REG_SZ {86C86720-42A0-1069-A2E8-08002B30309D}

HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers

HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page
(Default) REG_SZ {513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}
  • 0

#26 Don54 (Topic Starter, Member, 53 posts)

FYI - When I first started having problems running exe files I implemented the following MS KB fix (http://support.micro....com/kb/2688326). Probably by now all of the values have been changed back by the exe reg merge and OTM; I just thought I should mention it.


***
Let me fix it myself
To resolve this issue, you can reset the registry settings to their default settings. To do this, follow these steps.
1. Click the Start button and type regedit in the Search box
2. Right-click Regedit.exe in the returned list and click Run as administrator
3. Browse to the following registry key:

HKEY_CLASSES_ROOT\.exe

4. With .exe selected, right-click (Default) and click Modify…
5. Change the Value data: to exefile
6. Browse to and then click on the following registry key:

HKEY_CLASSES_ROOT\exefile

7. With exefile selected, right-click (Default) and click Modify…
8. Change the Value data: to "%1" %*
9. Browse to and then click on the following registry key:

HKEY_CLASSES_ROOT\exefile\shell\open

10. With open selected, right-click (Default) and click Modify…
11. Change the Value data: to "%1" %*
12. Close the Registry Editor and restart your PC
  • 0

#27 JSntgRvr (Global Moderator, 11,018 posts)

Open a command prompt. (Start->type CMD on the Search line->press Enter)

At the prompt copy and paste the following command and press Enter

Reg delete HKEY_CLASSES_ROOT\exefile\shell\open /ve /f

Type Exit and press Enter to return to Windows. Check your Context Menu
  • 0
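As an added example (not from the thread), here is the `Reg query HKEY_CLASSES_ROOT\exefile /s` report from #24 and the `Reg delete HKEY_CLASSES_ROOT\exefile\shell\open /ve /f` fix from #27 as one PowerShell script with a dry-run switch. The reason the delete works: the `(Default)` value of a verb key such as `exefile\shell\open` is the label the context menu displays, while the command itself lives one level down in `...\open\command`. Any text stored on the verb key shows up verbatim in the right-click menu, which is what happened here after the KB steps set it to `"%1" %*`; removing the value restores the built-in "Open" label. The script name and parameters are my own choices.

```powershell
# Added example, not from the thread: the "Reg query HKEY_CLASSES_ROOT\exefile /s"
# report and the "Reg delete ...\shell\open /ve /f" fix from the two replies
# above, done in PowerShell with a dry-run option. The verb key's (Default)
# value (exefile\shell\open) is the context-menu label; the command lives one
# level down in ...\open\command. Removing a stray label restores the built-in
# "Open" text. Run elevated (HKCR writes need it); add -WhatIf to only report.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProgId = 'exefile',   # file type to inspect
    [string]$Verb   = 'open'       # verb whose label is suspect
)

# HKCR is not mounted as a drive by default; the Registry:: provider path reaches it.
$typeKey = "Registry::HKEY_CLASSES_ROOT\$ProgId"
$verbKey = "$typeKey\shell\$Verb"

# --- 1. Report: the same information as "reg query ... /s", saved to the desktop ---
$report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Report.txt'
$keys   = @(Get-Item -LiteralPath $typeKey) + @(Get-ChildItem -LiteralPath $typeKey -Recurse)
$lines  = foreach ($k in $keys) {
    $k.Name                                         # key path, as reg query prints it
    foreach ($name in $k.GetValueNames()) {
        $shown = if ($name -eq '') { '(Default)' } else { $name }
        $data  = $k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        # REG_BINARY comes back as a byte array; print it as hex like reg query does.
        if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        '    {0}    {1}    {2}' -f $shown, $k.GetValueKind($name), $data
    }
    ''
}
$lines | Set-Content -LiteralPath $report
"Report written to $report"

# --- 2. Fix: drop the stray label on the verb key, if there is one ---
$label = (Get-Item -LiteralPath $verbKey).GetValue('', $null)
if ($null -eq $label) {
    "$verbKey has no (Default) value; nothing to remove."
} elseif ($PSCmdlet.ShouldProcess($verbKey, "Remove (Default) value '$label'")) {
    # '(default)' is how the registry provider names the unnamed value.
    Remove-ItemProperty -LiteralPath $verbKey -Name '(default)'
    "Removed '$label' from $verbKey; re-check the context menu for .exe files."
}
```

Save it as, for example, `Fix-VerbLabel.ps1` (my name) and run `.\Fix-VerbLabel.ps1 -WhatIf` first from an elevated PowerShell prompt: it writes Report.txt and prints what it would remove without touching the registry. Running it without `-WhatIf` performs the same removal as the `Reg delete` line above; the `open\command` handler is left alone either way.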

#28 Don54 (Topic Starter, Member, 53 posts)

Way to go, worked like a charm! Thank you!!! Very cool.

Any thoughts about anti-virus so that I don't end up in the same situation?
  • 0

#29 JSntgRvr (Global Moderator, 11,018 posts)

Combofix shows you have two antivirus programs. They could be in conflict. Remove Lavasoft Ad-Watch Live! and let's see if that resolves the issue.
  • 0

#30 Don54 (Topic Starter, Member, 53 posts)

Uninstalled Ad-Aware, still can't get the MS Security Essentials service to start. Maybe I should just uninstall it and go with something else; it didn't seem to have done such a good job anyway. Any suggestions re: free/effective AV programs? I have a Kaspersky Internet Security disk but I think it is only a one-year subscription... not sure I want to go that route.
  • 0





