
Homeland Security Moneypack Ransomware Removal
Started by skullkrusher78, Nov 18 2013 06:48 AM
#31
Posted 25 November 2013 - 04:50 PM

#32
Posted 25 November 2013 - 05:30 PM

Ok, I created a Dropbox account and put the ntbsoft file in it. How do I share it with you?
#33
Posted 25 November 2013 - 07:22 PM

When you have your Dropbox open online, there should be a paperclip symbol on the far right for each file. For ntbsoft, click the paperclip and it will give you a link to copy/paste into your next reply.
#34
Posted 25 November 2013 - 10:42 PM

#35
Posted 26 November 2013 - 09:41 AM

Okay. Give me a little while to find the malicious loading point and remove it, and then we can restore the registry.
By the way, is there more than one user account on this computer?
#36
Posted 26 November 2013 - 09:44 AM

Maybe, when my friend bought the computer, it was apparently a return, and someone named Gene Fulks was the previous owner. Kevin should be the other & current user.
#37
Posted 26 November 2013 - 04:25 PM

Ok, hopefully this works. Download repsoft to your flash drive and delete ntbsoft from it. Then boot to xPud and run hives.sh again (the latest version) and type software again. Hopefully, it will say successfully replaced. Then try and boot the computer to normal mode.
#38
Posted 26 November 2013 - 05:58 PM

Ok, got result /mnt/sda2/windows/system32/config/software
Restoring SOFTWARE hive
SOFTWARE hive has been restored
Rebooted the computer normally, but the virus is still locking the PC.
#39
Posted 26 November 2013 - 07:24 PM

Okay, before we go any further with this, I want to try something that came to mind today. Would be so much easier if it worked...
This is an iso of the Windows 7 Recovery Environment. We can use it to boot to a PE environment and run FRST.
Burn this iso to a flash drive with Rufus. Then add Farbar Recovery Scan Tool to the root of the flash drive.
Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
When you reboot you will see this, although yours will say Windows 7. The windows might be somewhat different, but the general steps are the same.
Click "Repair my computer".
Select your operating system. No OS will be found in your case. You will be given two options, start the recovery environment, or system restore. Please choose to start the recovery environment.
Select Command prompt.
At the command prompt type the following: notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
#40
Posted 27 November 2013 - 12:59 AM

I ran it twice and got this error both times:
The instruction at 0x77588b6e referenced memory at 0x00000000. The memory could not be read. Click on OK to terminate the program
However, it still created the frst.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-11-2013
Ran by SYSTEM on MININT-9ID6U8V on 25-11-2013 02:53:03
Running from G:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [ATICCC] - C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [90112 2006-05-10] ()
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [761946 2006-03-03] (Synaptics, Inc.)
HKLM\...\Run: [Sprint SmartView] - C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe [75072 2010-12-15] (Sprint)
HKLM\...\Run: [RDVCHG] - C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe [316736 2010-12-15] (C-motech Co.,Ltd)
HKLM\...\Run: [AppleSyncNotifier] - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-10-06] (Apple Inc.)
HKLM\...\Run: [ePower_DMC] - C:\Acer\Empowering Technology\ePower\ePower_DMC.exe [421888 2006-05-30] ()
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-11-28] (Apple Inc.)
HKLM\...\Run: [ATT-SST_McciTrayApp] - C:\Program Files\ATT-SST\pcTrayApp.exe [1939968 2012-06-07] (Alcatel-Lucent)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - D:\Program Files\iTunes\iTunesHelper.exe [152544 2012-12-12] (Apple Inc.)
HKLM\...\Run: [e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016] - C:\Documents and Settings\Gene Fulks\Application Data\e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016.exe [107520 2013-03-17] (NetVision Co.)
Winlogon\Notify\AtiExtEvent: C:\Windows\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\Gene Fulks\...\Run: [PCShowServer] - C:\Documents and Settings\Gene Fulks\Local Settings\Application Data\DIRECTV Player\PCShowServerPMWrapper.exe [ 2012-10-15] (NDS Technologies)
HKU\Gene Fulks\...\Run: [e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016] - C:\Documents and Settings\Gene Fulks\Application Data\e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016.exe [ 2013-03-17] (NetVision Co.)
========================== Services (Whitelisted) =================
S2 AcerMemUsageCheckService; C:\Acer\Empowering Technology\ePerformance\MemCheck.exe [28672 2006-03-29] (Acer Inc.)
S2 Amazon Download Agent; C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [401920 2009-10-23] (Amazon.com)
S2 LVSrvLauncher; C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe [101152 2006-11-28] (Logitech Inc.)
S2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
S2 NIS; C:\Program Files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll [262584 2011-03-31] (Symantec Corporation)
S2 NvtlService; C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [82944 2010-01-11] ()
S2 pcServiceHost; C:\Program Files\Common Files\Motive\pcServiceHost.exe [342016 2012-06-14] (Alcatel-Lucent)
S3 SprintRcAppSvc; C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe [120128 2010-12-15] (SmithMicro Inc.)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
S2 RoxLiveShare9; "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe" [x]
==================== Drivers (Whitelisted) ====================
S0 abp480n5; C:\Windows\System32\DRIVERS\ABP480N5.SYS [23552 2004-08-10] (Microsoft Corporation)
S1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [36864 2006-05-10] (Advanced Micro Devices)
S3 AR5211; C:\Windows\System32\DRIVERS\ar5211.sys [488448 2006-01-24] (Atheros Communications, Inc.)
S3 bcm; C:\Windows\System32\DRIVERS\drxvi314.sys [319488 2010-03-26] (Beceem communications pvt ltd.)
S3 bcmbusctr; C:\Windows\System32\DRIVERS\BcmBusCtr.sys [51456 2010-03-26] (Beceem communications pvt ltd.)
S1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20111221.003\BHDrvx86.sys [819320 2011-11-14] (Symantec Corporation)
S3 Cam5603D; C:\Windows\System32\Drivers\BisonCam.sys [806272 2006-05-12] (Bison Electronics. Inc. )
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [374392 2011-11-09] (Symantec Corporation)
S3 EMSCR; C:\Windows\System32\DRIVERS\EMS7SK.sys [61056 2006-05-24] (ENE Technology Inc.)
S3 ESDCR; C:\Windows\System32\DRIVERS\ESD7SK.sys [40064 2006-05-24] (ENE Technology Inc.)
S3 ESMCR; C:\Windows\System32\DRIVERS\ESM7SK.sys [74752 2006-05-24] (ENE Technology Inc.)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [51120 2005-03-07] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2005-03-07] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21744 2005-03-07] (HP)
S3 HSFHWAZL; C:\Windows\System32\DRIVERS\HSFHWAZL.sys [208384 2006-06-12] (Conexant Systems, Inc.)
S3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DPV.sys [990592 2006-06-12] (Conexant Systems, Inc.)
S3 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120106.002\IDSxpx86.sys [356280 2011-08-23] (Symantec Corporation)
S2 int15; C:\WINDOWS\system32\drivers\int15.sys [69632 2006-06-02] ()
S3 irsir; C:\Windows\System32\DRIVERS\irsir.sys [18688 2001-08-17] (Microsoft Corporation)
S3 LVMVDrv; C:\Windows\System32\DRIVERS\LVMVDrv.sys [1962784 2006-11-28] (Logitech Inc.)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2012-06-14] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2012-06-14] (Printing Communications Assoc., Inc. (PCAUSA))
S3 NAVENG; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20120107.009\NAVENG.SYS [86136 2011-12-24] (Symantec Corporation)
S3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20120107.009\NAVEX15.SYS [1576312 2011-12-24] (Symantec Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 PCASp50; C:\Windows\System32\Drivers\PCASp50.sys [27072 2010-01-11] (Printing Communications Assoc., Inc. (PCAUSA))
S3 Rasirda; C:\Windows\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 SMCIRDA; C:\Windows\System32\DRIVERS\smcirda.sys [46592 2004-12-09] (SMSC)
S3 SRTSP; C:\Windows\System32\Drivers\NIS\1206000.01D\SRTSP.SYS [516216 2011-03-30] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NIS\1206000.01D\SRTSPX.SYS [50168 2011-03-30] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\NIS\1206000.01D\SYMDS.SYS [340088 2011-01-27] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NIS\1206000.01D\SYMEFA.SYS [744568 2011-03-14] (Symantec Corporation)
S3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2011-05-10] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NIS\1206000.01D\Ironx86.SYS [136312 2011-01-27] (Symantec Corporation)
S1 SYMTDI; C:\Windows\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS [369784 2011-03-21] (Symantec Corporation)
S0 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [13952 2004-12-17] ()
S3 wandrv; C:\Windows\System32\DRIVERS\wandrv.sys [22608 2001-08-09] (America Online, Inc.)
S2 eLock2BurnerLockDriver; \??\C:\WINDOWS\system32\eLock2BurnerLockDriver.sys [x]
S2 eLock2FSCTLDriver; \??\C:\WINDOWS\system32\eLock2FSCTLDriver.sys [x]
S3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
S3 Nmea; system32\DRIVERS\pctnullport.sys [x]
S3 RimUsb; System32\Drivers\RimUsb.sys [x]
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
==================== NetSvcs (Whitelisted) ===================
NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)
==================== One Month Created Files and Folders ========
2013-11-24 20:05 - 2012-08-21 08:33 - 02148864 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-11-24 20:05 - 2012-08-21 07:58 - 02027520 _____ (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-11-24 19:39 - 2013-11-24 19:45 - 33423360 _____ C:\Windows\System32\config\software.ntb
2013-11-18 04:41 - 2013-11-18 04:41 - 00000000 __SHD C:\FOUND.069
2013-11-18 03:35 - 2013-11-18 03:35 - 00000000 ____D C:\FRST
2013-11-17 12:38 - 2013-11-17 12:38 - 00000000 __SHD C:\FOUND.071
2013-11-17 08:44 - 2013-11-17 08:44 - 00000000 __SHD C:\FOUND.070
2013-11-15 12:01 - 2013-11-15 12:01 - 00000000 __SHD C:\FOUND.068
2013-11-15 11:52 - 2013-11-15 11:52 - 00000000 __SHD C:\FOUND.067
2013-11-15 10:57 - 2013-11-15 10:57 - 00000000 __SHD C:\FOUND.066
2013-11-15 10:18 - 2013-11-15 10:18 - 00000000 __SHD C:\FOUND.065
2013-11-13 07:42 - 2013-11-13 07:42 - 00000000 __SHD C:\FOUND.064
2013-11-13 07:04 - 2013-11-13 07:04 - 00000000 __SHD C:\FOUND.063
==================== One Month Modified Files and Folders =======
2013-11-25 02:39 - 2006-06-01 18:30 - 01291831 _____ C:\Windows\WindowsUpdate.log
2013-11-25 02:39 - 2006-06-01 18:30 - 00032050 _____ C:\Windows\SchedLgU.Txt
2013-11-25 02:39 - 2006-06-01 16:19 - 00000275 _____ C:\Windows\wiadebug.log
2013-11-25 02:39 - 2006-06-01 16:19 - 00000050 _____ C:\Windows\wiaservc.log
2013-11-24 20:52 - 2006-06-01 17:07 - 00524288 _____ C:\Windows\System32\config\ACEEvent.evt
2013-11-24 20:50 - 2006-06-01 18:30 - 00001158 _____ C:\Windows\System32\wpa.dbl
2013-11-24 20:05 - 2013-02-14 03:09 - 00247575 _____ C:\Windows\KB2799494Uninst.log
2013-11-24 20:05 - 2013-02-14 03:07 - 00020708 _____ C:\Windows\updspapi.log
2013-11-24 20:05 - 2013-02-13 19:41 - 00745506 _____ C:\Windows\KB2799494.log
2013-11-24 19:45 - 2013-11-24 19:39 - 33423360 _____ C:\Windows\System32\config\software.ntb
2013-11-22 20:19 - 2013-02-13 19:41 - 00154520 _____ C:\Windows\KB2778344.log
2013-11-22 19:52 - 2013-02-10 09:27 - 00167654 _____ C:\Windows\setupapi.log
2013-11-22 15:43 - 2006-06-01 21:31 - 33554432 _____ C:\Windows\System32\config\software.orig
2013-11-22 15:43 - 2006-06-01 21:31 - 16777216 _____ C:\Windows\System32\config\system.orig
2013-11-22 15:43 - 2006-06-01 21:31 - 00262144 _____ C:\Windows\System32\config\security.orig
2013-11-22 15:43 - 2006-06-01 21:31 - 00262144 _____ C:\Windows\System32\config\sam.orig
2013-11-22 15:40 - 2013-03-17 10:09 - 00006532 _____ C:\Documents and Settings\Gene Fulks\Local Settings\Application Data\8a942c8d-a9ba-4baa-aeb5-2d162bbed49a.crx
2013-11-18 04:41 - 2013-11-18 04:41 - 00000000 __SHD C:\FOUND.069
2013-11-18 03:35 - 2013-11-18 03:35 - 00000000 ____D C:\FRST
2013-11-17 12:38 - 2013-11-17 12:38 - 00000000 __SHD C:\FOUND.071
2013-11-17 08:44 - 2013-11-17 08:44 - 00000000 __SHD C:\FOUND.070
2013-11-15 12:01 - 2013-11-15 12:01 - 00000000 __SHD C:\FOUND.068
2013-11-15 11:52 - 2013-11-15 11:52 - 00000000 __SHD C:\FOUND.067
2013-11-15 10:57 - 2013-11-15 10:57 - 00000000 __SHD C:\FOUND.066
2013-11-15 10:18 - 2013-11-15 10:18 - 00000000 __SHD C:\FOUND.065
2013-11-13 07:45 - 2006-12-02 08:45 - 00000178 ___SH C:\Documents and Settings\Gene Fulks\ntuser.ini
2013-11-13 07:42 - 2013-11-13 07:42 - 00000000 __SHD C:\FOUND.064
2013-11-13 07:04 - 2013-11-13 07:04 - 00000000 __SHD C:\FOUND.063
2013-11-13 07:04 - 2006-06-01 18:19 - 00196160 _____ C:\Windows\System32\FNTCACHE.DAT
#41
Posted 27 November 2013 - 07:43 AM

Ok, we should be able to lick it now! 
Download the attached fixlist to the root of the flash drive. Run FRST again in the same way, but click "Fix" this time. Post the resulting fixlog.txt.
See if it will boot normally now.

#42
Posted 27 November 2013 - 08:17 AM

Success!! The virus didn't lock the screen and I could move around and open files and programs. Tested a pdf file and iTunes with no problem. Here is the fixlog.txt:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-11-2013
Ran by SYSTEM at 2013-11-25 10:10:16 Run:1
Running from G:\
Boot Mode: Recovery
==============================================
Content of fixlist:
*****************
HKLM\...\Run: [e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016] - C:\Documents and Settings\Gene Fulks\Application Data\e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016.exe [107520 2013-03-17] (NetVision Co.)
HKU\Gene Fulks\...\Run: [e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016] - C:\Documents and Settings\Gene Fulks\Application Data\e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016.exe [ 2013-03-17] (NetVision Co.)
C:\Documents and Settings\Gene Fulks\Application Data\e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016.exe
2013-11-22 15:40 - 2013-03-17 10:09 - 00006532 _____ C:\Documents and Settings\Gene Fulks\Local Settings\Application Data\8a942c8d-a9ba-4baa-aeb5-2d162bbed49a.crx
*****************
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016 => Value deleted successfully.
HKU\Gene Fulks\Software\Microsoft\Windows\CurrentVersion\Run\\e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016 => Value deleted successfully.
C:\Documents and Settings\Gene Fulks\Application Data\e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016.exe => Moved successfully.
C:\Documents and Settings\Gene Fulks\Local Settings\Application Data\8a942c8d-a9ba-4baa-aeb5-2d162bbed49a.crx => Moved successfully.
==== End of Fixlog ====
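As an added example (not code from this thread, from FRST or from Farbar), the script below walks the Run entries of an FRST "Registry (Whitelisted)" section like the one in post #40, flags values whose name is a bare GUID and whose executable sits under a profile's Application Data directory, and emits the lines a fixlist needs in the shape the fixlog in #42 shows (the raw Run line, then the file path). The sample log lines are a constructed, trimmed copy of that section, and the indicator heuristics and the two-indicator threshold are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a trimmed copy of the "Registry (Whitelisted)" section
# format from the FRST log in post #40 (not the full log).
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-11-2013
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [ATICCC] - C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [90112 2006-05-10] ()
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016] - C:\Documents and Settings\Gene Fulks\Application Data\e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016.exe [107520 2013-03-17] (NetVision Co.)
Winlogon\Notify\AtiExtEvent: C:\Windows\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\Gene Fulks\...\Run: [PCShowServer] - C:\Documents and Settings\Gene Fulks\Local Settings\Application Data\DIRECTV Player\PCShowServerPMWrapper.exe [ 2012-10-15] (NDS Technologies)
HKU\Gene Fulks\...\Run: [e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016] - C:\Documents and Settings\Gene Fulks\Application Data\e7bfb0a2-a05f-43c2-bdf9-ad4cc5f3c016.exe [ 2013-03-17] (NetVision Co.)
========================== Services (Whitelisted) =================
S2 NIS; C:\Program Files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll [262584 2011-03-31] (Symantec Corporation)
"""

# One FRST Run line: <hive>\...\Run: [<name>] - <path> [<size date>] (<vendor>)
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] - "
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\] \((?P<vendor>.*)\)$"
)
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
# XP-era per-user data directories (roaming and local Application Data).
PROFILE_DATA_RE = re.compile(
    r"^[a-z]:\\Documents and Settings\\[^\\]+\\(?:Local Settings\\)?Application Data\\",
    re.IGNORECASE,
)


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    vendor: str
    raw: str                       # the log line exactly as FRST printed it
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: two independent indicators before we flag.
        return len(self.reasons) >= 2


def assess(entry: RunEntry) -> None:
    """Attach the indicators that apply to one Run entry (heuristics assumed here)."""
    if GUID_RE.match(entry.name):
        entry.reasons.append("value name is a bare GUID")
    if PROFILE_DATA_RE.match(entry.path):
        entry.reasons.append("executable lives in a user profile data directory")
    base = entry.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if base.lower() == entry.name.lower():
        entry.reasons.append("executable is named after the Run value")


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Return the Run entries found in the Registry (Whitelisted) section only."""
    entries: List[RunEntry] = []
    in_registry = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("===="):            # FRST section header
            in_registry = "Registry (Whitelisted)" in line
            continue
        if not in_registry:
            continue
        m = RUN_RE.match(line)
        if m:
            entry = RunEntry(m.group("hive"), m.group("name"), m.group("path"),
                             m.group("vendor"), line)
            assess(entry)
            entries.append(entry)
    return entries


def build_fixlist(entries: List[RunEntry]) -> List[str]:
    """Fixlist lines in the shape the fixlog in #42 shows: the raw Run lines
    of each flagged entry first, then each flagged executable path once."""
    flagged = [e for e in entries if e.suspicious]
    lines = [e.raw for e in flagged]
    for e in flagged:
        if e.path not in lines:
            lines.append(e.path)
    return lines


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_LOG)
    for e in found:
        mark = "FLAG" if e.suspicious else "ok  "
        print(f"{mark} {e.hive}\\...\\Run [{e.name}] {'; '.join(e.reasons)}")
    print("\nfixlist:")
    print("\n".join(build_fixlist(found)))
```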
#43
Posted 27 November 2013 - 09:03 AM

Great. Let's get a FRST scan in normal mode to check. Just run FRST.exe from normal mode and select "Scan." You will also get an Addition.txt to post.
#44
Posted 27 November 2013 - 09:15 AM

The scan keeps crashing and I'm not getting the addition.txt. I moved the program onto the PC and ran it from there, but the only file it is creating is the frst.txt. I tried it once from the USB and twice from the PC with the same result. It seems to crash when it gets to "Listing Files and Folders: coredmp".
#45
Posted 27 November 2013 - 10:42 AM

Please post just the FRST.txt.