[dyinginside]

What should I look for in regedit? I've gone through a few times looking for what could be malicious entries but coming up empty

[Advertisements]

Any luck with regedit?  If you can get in to it we may have better luck.

[RKinner]

Any luck with regedit?  If you can get in to it we may have better luck.

[dyinginside]

Regedit is functional, yes.

[RKinner]

That's good news.

 

The major place we want to look is

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\

 

Under Services we want to find the entries that FRST can't remove:

 

HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected

HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected

HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected

HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup => key could not remove, key could be protected

 

I have had some luck going in and taking ownership from the above and removing permissions for everyone.  Then when you reboot not all of the malware is running and you can get things like MBAR to run or change the permissions on the associated files. (It all gets undone the next boot unless you manage to remove it all)

 

Other places to look:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\

the services will have LEGACY_ added to the name

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

 

Look for:

HKLM-x32\...\Run: [cpx] => "C:\Users\Nik\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <===== ATTENTION

HKLM-x32\...\Run: [svcvmx] => "C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup

 

[dyinginside]

I took ownership of those entries, restarted, and now every time it boots to windows I get the sad face BSOD.

[RKinner]

Ouch.  It worked before so I'm not sure what went wrong.  Are you able to get into the BIOS/CMOS setup program?  Go in and note down every option and then try setting it to the default, save and exit.  Go back into the BIOS/CMOS setup and verify that it sees your CD/DVD drive and that it is at the top of the boot list then see if you can boot from your Win 10 Disk.

[RKinner]

From one of our other helpers:

 

 

Have the user perform a couple of hard shutdowns, prior to the BSOD. That should bring up the advanced menu.

 

 

If you can get to  the Recovery Environment. and run FRST64 from there (has to be on a USB drive) we can probably fix it.

 

If you could download FRST64 and our previous fixlist to a usb drive then run FRST from  the Recovery Environment and hit Fix that would probably fix it.