Need help removing win32.downloader.gen and possible zlob.downloader v

Windows 7 trojan zlob

This topic is locked

#16 Machiavelli (GeekU Moderator, 3,698 posts)

Hi,
OK, just a tip for the future, and this isn't meant to sound unfriendly: please don't use automated tools like TDSSKiller, ComboFix etc. without an expert, because it fixed a legitimate driver and that could be the cause of the issues. To be honest, it may have "destroyed" your antivirus.

Did you have the issues before the TDSSKiller run or after? :)

Bye,
Machiavelli
#17 kuratowa2 (Topic Starter, Member, 26 posts)

The problems with MalwareBytes crashing were before, but the whole computer crashing may well have been after. I'll have to double-check with my partner, who may recall better.

And it is appreciated insight, even if it emphasizes error on our part. ;)


#18 Machiavelli (GeekU Moderator, 3,698 posts)

OK, then uninstall everything that is related to Norton and run the Norton Removal Tool; instructions on how to do this can be found here. Tell me if this solved the problem. :) If not, then we know that it wasn't TDSSKiller's fault and we have to check other things.

Again, well done. ;)
#19 kuratowa2 (Topic Starter, Member, 26 posts)

History: Ran Malwarebytes and Spybot simultaneously for a routine check after a Windows update; Spybot found 18 items; removed all but 5 IIRC — these included the Conduit/Open Candy items and listed win32.downloader.gen as the other, which it couldn't remove. Malwarebytes was running, had found several items, and then crashed in the middle of searching (at approximately the same place each time), giving us the blue screen of death. Restarted the computer, ran it again, ended again with a blue screen. That was when we went on to find a webpage with instructions to use TDSSKiller, etc. When things started to go completely haywire and we noticed the zlobdownloader endings when we reran Spybot, we came here for help.

Removing Norton:

Ran the Norton Removal Tool, restarted in normal mode. Went to Programs to see if the other Norton programs were removed — it still has Norton Online Backup; clicked Uninstall, and Windows Explorer stopped working, requiring a restart (which it started on its own). I chose Safe Mode with Networking, but when I tried to uninstall it again, it said the Windows Installer Service could not be accessed (I'm guessing it must be done in normal mode?). Tried again in Normal Mode — success, then Windows Explorer crashed (The program can't start because API-MS-WIN-Service-Core-L1-1-0.dll is missing from your computer.) And restarting.


#20 Machiavelli (GeekU Moderator, 3,698 posts)

So every time you restart the computer you get this message?
#21 kuratowa2 (Topic Starter, Member, 26 posts)

No, normally it just closes Explorer, stays there for a few, then restarts. It only stays open if opened in Safe Mode with Networking.


#22 Machiavelli (GeekU Moderator, 3,698 posts)

Hello,

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - File not found
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - File not found
O20 - HKLM Winlogon: UserInit - (userinit.exe) - File not found
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - File not found


These are weird entries. There shouldn't be a "File not found" there. So I will check this to make sure that this isn't causing our problems here.

Command Prompt

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.
  • Click on the Start button and in the search box, type Command Prompt
  • When you see Command Prompt on the list, right-click on it and select Run as administrator
  • When the command prompt opens, copy and paste the following command into it and press Enter

    regedit /e %SYSTEMDRIVE%\Machiavelli.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

  • This will create a text file called Machiavelli.txt in the root folder of your main drive (e.g. Machiavelli.txt). Please copy and paste the contents of this into your next post.

sfc /scannow it states that 'sfc' is not recognized as an internal or external command, operable program or batch file.

Are you sure you entered it right? :) If yes, we will use another method to get SFC running. I think some files are corrupt.
#23 kuratowa2 (Topic Starter, Member, 26 posts)

'regedit' is not recognized as an internal or external command, operable program or batch file.

Yes, I copy/pasted and also wrote it out (the sfc command, that is). I tried it another time after doing the Norton removal, and it started to verify, got to 9%, then it ceased and the computer crashed before I could copy what it said.

Retried the regedit with success:

 

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ReportBootOk"="1"
"Shell"="explorer.exe"
"PreCreateKnownFolders"="{A520A1A4-1780-4FF6-BD18-167343C5AF16}"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"VMApplet"="SystemPropertiesPerformance.exe /pagefile"
"AutoRestartShell"=dword:00000001
"Background"="0 0 0"
"CachedLogonsCount"="10"
"DebugServerCommand"="no"
"ForceUnlockLogon"=dword:00000000
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PasswordExpiryWarning"=dword:00000005
"PowerdownAfterShutdown"="0"
"ShutdownWithoutLogon"="0"
"WinStationsDisabled"="0"
"DisableCAD"=dword:00000001
"scremoveoption"="0"
"ShutdownFlags"=dword:00000027
"AutoAdminLogon"="0"
"DefaultUserName"="Union"
"SyncForegroundPolicy"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Wireless Group Policy"
"DisplayName"=hex(2):40,00,77,00,6c,00,67,00,70,00,63,00,6c,00,6e,00,74,00,2e,\
  00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,30,00,30,00,00,00
"ProcessGroupPolicyEx"="ProcessWLANPolicyEx"
"GenerateGroupPolicy"="GenerateWLANPolicy"
"DllName"=hex(2):77,00,6c,00,67,00,70,00,63,00,6c,00,6e,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=hex(2):66,00,64,00,65,00,70,00,6c,00,6f,00,79,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=hex(7):28,00,46,00,6f,00,6c,00,64,00,65,00,72,00,20,00,52,00,65,\
  00,64,00,69,00,72,00,65,00,63,00,74,00,69,00,6f,00,6e,00,2c,00,41,00,70,00,\
  70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,29,00,00,00,00,00
"DisplayName"=hex(2):40,00,66,00,64,00,65,00,70,00,6c,00,6f,00,79,00,2e,00,64,\
  00,6c,00,6c,00,2c,00,2d,00,32,00,36,00,31,00,00,00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"DisplayName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
  00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,64,00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,6c,00,6c,\
  00,2c,00,2d,00,31,00,30,00,30,00,00,00
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
  00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicy"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="QoS Packet Scheduler"
"DisplayName"=hex(2):40,00,67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,\
  00,6c,00,2c,00,2d,00,32,00,30,00,31,00,00,00
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}]
@="Remote Desktop USB Redirection"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,54,\
  00,73,00,55,00,73,00,62,00,52,00,65,00,64,00,69,00,72,00,65,00,63,00,74,00,\
  69,00,6f,00,6e,00,47,00,72,00,6f,00,75,00,70,00,50,00,6f,00,6c,00,69,00,63,\
  00,79,00,45,00,78,00,74,00,65,00,6e,00,73,00,69,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"RequiresSuccessfulRegistry"=dword:00000001
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"NoGPOListChanges"=dword:00000001
"NoUserPolicy"=dword:00000001
"DisplayName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
  00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,54,00,73,00,55,00,73,00,62,00,52,00,65,00,64,00,69,00,72,00,65,00,63,\
  00,74,00,69,00,6f,00,6e,00,47,00,72,00,6f,00,75,00,70,00,50,00,6f,00,6c,00,\
  69,00,63,00,79,00,45,00,78,00,74,00,65,00,6e,00,73,00,69,00,6f,00,6e,00,2e,\
  00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,30,00,30,00,00,00
"NoBackgroundPolicy"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Internet Explorer Zonemapping"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"DllName"="C:\\Windows\\System32\\iedkcs32.dll"
"RequiresSuccessfulRegistry"=dword:00000001
"NoGPOListChanges"=dword:00000001
"DisplayName"="@C:\\Windows\\System32\\iedkcs32.dll,-3051"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6cfb9c5c-138e-4bb3-8a3d-d5383e910e57}]
@="Remote Desktop Protocol Extension"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,52,\
  00,64,00,70,00,47,00,72,00,6f,00,75,00,70,00,50,00,6f,00,6c,00,69,00,63,00,\
  79,00,45,00,78,00,74,00,65,00,6e,00,73,00,69,00,6f,00,6e,00,2e,00,64,00,6c,\
  00,6c,00,00,00
"RequiresSuccessfulRegistry"=dword:00000001
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"NoGPOListChanges"=dword:00000001
"NoUserPolicy"=dword:00000001
"DisplayName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
  00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,52,00,64,00,70,00,47,00,72,00,6f,00,75,00,70,00,50,00,6f,00,6c,00,69,\
  00,63,00,79,00,45,00,78,00,74,00,65,00,6e,00,73,00,69,00,6f,00,6e,00,2e,00,\
  64,00,6c,00,6c,00,2c,00,2d,00,31,00,30,00,30,00,00,00
"NoBackgroundPolicy"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]
@="Windows Search Group Policy Extension"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,72,00,63,00,68,00,61,00,64,00,6d,00,69,00,6e,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"RequiresSuccessfulRegistry"=dword:00000001
"NoSlowLink"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoUserPolicy"=dword:00000000
"NoMachinePolicy"=dword:00000000
"PerUserLocalSettings"=dword:00000000
"EnableAsynchronousProcessing"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@="Internet Explorer User Accelerators"
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"DllName"="C:\\Windows\\System32\\iedkcs32.dll"
"RequiresSuccessfulRegistry"=dword:00000001
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"NoGPOListChanges"=dword:00000001
"DisplayName"="@C:\\Windows\\System32\\iedkcs32.dll,-3051"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@="Security"
"DisplayName"=hex(2):40,00,28,00,72,00,75,00,6e,00,74,00,69,00,6d,00,65,00,2e,\
  00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,29,00,5c,00,73,00,63,00,\
  65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,37,00,36,00,35,\
  00,30,00,00,00
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]
@="Deployed Printer Connections"
"DisplayName"=hex(2):40,00,25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
  00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,67,00,70,00,70,00,72,00,6e,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,\
  00,2c,00,2d,00,31,00,00,00
"DllName"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,67,\
  00,70,00,70,00,72,00,6e,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,00,00
"EnableAsynchronousProcessing"=dword:00000001
"ExtensionEventSource"=""
"GenerateGroupPolicy"="PrinterGenerateGroupPolicy"
"MaxNoGPOListChangesInterval"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000001
"NotifyLinkTransition"=dword:00000000
"NoUserPolicy"=dword:00000000
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="PrinterProcessGroupPolicy"
"ProcessGroupPolicyEx"="PrinterProcessGroupPolicyEx"
"RequiresSuccessfulRegistry"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@="Internet Explorer Branding"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="C:\\Windows\\System32\\iedkcs32.dll"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoSlowLink"=dword:00000001
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@C:\\Windows\\System32\\iedkcs32.dll,-3014"
"NoBackgroundPolicy"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@="802.3 Group Policy"
"DisplayName"=hex(2):40,00,64,00,6f,00,74,00,33,00,67,00,70,00,63,00,6c,00,6e,\
  00,74,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,30,00,30,00,00,00
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=hex(2):64,00,6f,00,74,00,33,00,67,00,70,00,63,00,6c,00,6e,00,74,00,\
  2e,00,64,00,6c,00,6c,00,00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}]
@="TCPIP"
"DisplayName"=hex(2):40,00,67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,\
  00,6c,00,2c,00,2d,00,32,00,30,00,34,00,00,00
"ProcessGroupPolicy"="ProcessTCPIPPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@="Internet Explorer Machine Accelerators"
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"DllName"="C:\\Windows\\System32\\iedkcs32.dll"
"RequiresSuccessfulRegistry"=dword:00000001
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"NoGPOListChanges"=dword:00000001
"DisplayName"="@C:\\Windows\\System32\\iedkcs32.dll,-3051"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="IP Security"
"ProcessGroupPolicyEx"="ProcessIPSECPolicyEx"
"GenerateGroupPolicy"="GenerateIPSECPolicy"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,70,\
  00,6f,00,6c,00,73,00,74,00,6f,00,72,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
"DisplayName"=hex(2):40,00,43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,\
  00,73,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,70,00,\
  6f,00,6c,00,73,00,74,00,6f,00,72,00,65,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,\
  00,35,00,30,00,31,00,32,00,00,00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}]
@="Audit Policy Configuration"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"DllName"=hex(2):61,00,75,00,64,00,69,00,74,00,63,00,73,00,65,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"NoUserPolicy"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
"ForceRefreshFG"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}]
@="Enterprise QoS"
"DisplayName"=hex(2):40,00,67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,\
  00,6c,00,2c,00,2d,00,32,00,30,00,33,00,00,00
"ProcessGroupPolicy"="ProcessEQoSPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"RequiresSuccessfulRegistry"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}]
@="CP"
"DisplayName"=hex(2):40,00,67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,\
  00,6c,00,2c,00,2d,00,32,00,30,00,35,00,00,00
"ProcessGroupPolicy"="ProcessConnectivityPlatformPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked]

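As an added example (not code from this thread, from OTL or from Machiavelli), here is a small Python parser for the .reg format that regedit /e produced above. It joins the backslash-continued hex(2) lines, decodes them as UTF-16LE, and checks the three Winlogon values that the O20 lines flagged (Shell, Userinit, VMApplet) against what a default 64-bit Windows 7 install carries; the sample text is a constructed, trimmed copy of the export above, and the table of expected defaults is an assumption.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed defaults for 64-bit Windows 7; any other string here deserves a closer look.
EXPECTED = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "VMApplet": "SystemPropertiesPerformance.exe /pagefile",
}

# Constructed sample: the Winlogon key plus one GPExtensions entry, trimmed from the
# export posted above (hex(2) values are UTF-16LE bytes with backslash continuations).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"VMApplet"="SystemPropertiesPerformance.exe /pagefile"
"AutoRestartShell"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Wireless Group Policy"
"DllName"=hex(2):77,00,6c,00,67,00,70,00,63,00,6c,00,6e,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"NoUserPolicy"=dword:00000001
'''


def decode_value(raw):
    """Turn the right-hand side of a .reg line into a Python value."""
    if raw.startswith('"'):                    # REG_SZ; \\ and \" are escapes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):               # REG_DWORD, hex digits
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", raw)
    if not m:                                  # unknown form: keep the raw text
        return raw
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    kind = m.group(1) or "3"
    if kind in ("1", "2"):                     # REG_SZ / REG_EXPAND_SZ, UTF-16LE
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == "7":                            # REG_MULTI_SZ, NUL-separated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data                                # REG_BINARY and the rest


def parse_reg(text):
    """Return {key_path: {value_name: value}} for the text of a .reg export."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):   # join continuation lines
            line = line[:-1] + lines[i].strip()
            i += 1
        if current is None:
            continue
        name, _, raw = line.partition("=")
        keys[current]["(Default)" if name == "@" else name.strip('"')] = decode_value(raw)
    return keys


def audit_winlogon(keys):
    """Return [(name, actual)] for Shell/Userinit/VMApplet values that differ from
    the defaults; an empty list means the value strings are the defaults."""
    values = keys.get(WINLOGON, {})
    return [(n, values.get(n)) for n, want in EXPECTED.items()
            if str(values.get(n, "")).strip().lower() != want.lower()]
```

Read a real export with encoding="utf-16", since regedit /e writes UTF-16 with a BOM. The posted export yields no findings; whether explorer.exe and userinit.exe are actually present and intact is a separate question, which is what the sfc /scannow and CBS log steps in this thread address.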
#24 Machiavelli (GeekU Moderator, 3,698 posts)

Hey,
hopefully the below works. If not I will have to find another way to fix this.

Export CBS folder
  • Click the Start button, then click Computer.
  • Double-click on the C: drive, under the Hard Disk Drives category, and then scroll down to, and double click on the Windows folder.
  • Find and double click on the Logs folder.
  • Right-click on the CBS folder, and select Copy.
  • Go back to your Desktop, right-click on it, and select Paste. You should now see a copy of the CBS folder appear on your Desktop called CBS.
  • Right-click on this new folder, and navigate through Send to, and select Compressed (zipped) folder.
  • A new file, also called CBS (CBS.zip), but this time with a different icon, will be created.
  • Attach this to your next post please. If it is too big, please use an alternative uploading method then send me the link (Dropbox, SkyDrive, SendSpace etc.).
chkdsk /f

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.
  • Click on the Start button and in the search box, type Command Prompt
  • When you see Command Prompt on the list, right-click on it and select Run as administrator
  • When the command prompt opens, copy and paste the following command into it and press Enter

    chkdsk c: /f /r

  • Reboot
  • Download ListChkdskResult.exe (by SleepyDude) from the link below:

    https://dl.dropboxus...hkdskResult.exe
  • Double click on it to run it. It will take a few seconds to scan, then it will open a Notepad window with the log. Copy and paste the contents of this into your next post please!

#25 kuratowa2 (Topic Starter, Member, 26 posts)

CBS log file:

Way too big — 12.7 MB zip file: https://www.dropbox....n5ypgs6/CBS.zip

When trying to do the chkdsk, it states:

The type of file system is NTFS.

Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another process.  Would you like to schedule this volume to be checked the next time the system restarts?

Did that, and during the chkdsk I got this screen:

(screenshot attached: CameraAwesomePhoto.jpg)

followed by:

(screenshot attached: CameraAwesomePhoto2.jpg)


Edited by kuratowa2, 03 May 2014 - 01:23 PM.

#26 Machiavelli (GeekU Moderator, 3,698 posts)

Just to be sure: does it still crash?
#27 kuratowa2 (Topic Starter, Member, 26 posts)

Yes; I restarted, and it is running a chkdsk again.


#28 Machiavelli (GeekU Moderator, 3,698 posts)

Hey,
then we're trying Machiavelli's Mini Gun. :D
  • Please download Windows Repair from here
  • Right-click on the installer and select Run as Administrator, then install the program
  • Right-click on the Windows Repair All-in-one icon and select Run as Administrator
  • You will see a screen like the one below:
(screenshot)
  • Please move to the tab called Step 3: Optional. The picture below shows how the screen should look:
(screenshot)
  • Please click on Do It and wait until it is finished.
  • Please move to the tab Step 4 and under Registry Backup please click BackUp; this will do a registry backup of your computer. Please also let it create a System Restore point by clicking on the Create button under the System Restore section
  • Then move to the tab Start Repairs; you will see a screen like the one below:
(screenshot)
  • Please click on Start; this will open a new screen.
  • Select the following items and tick "restart system when finished" (check the same items as in the picture below)
(screenshot)
  • Then click Start and the scan/fix will begin
  • The PC will reboot; if not, please reboot it manually
Report if this solved our problems.
#29 kuratowa2 (Topic Starter, Member, 26 posts)

The newest version of Windows Repair looks a little different, but I went to the page with System File Check (now Step 4) and clicked "Do It", and after it started verifying, the computer crashed.

Finally got it through to the scan/fix, and the computer restarted — not clear if it did all it was trying to do. The computer crashed and restarted again after the reboot. Should I try the tweaking.com Windows Repair again to make sure it finished?


#30 Machiavelli (GeekU Moderator, 3,698 posts)

Hey,
it should be finished.

We are now trying to do a clean boot. For this, follow the instructions here.

Do you have crashes in a clean boot?