Zero Access cannot be removed...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by laltobelli, Feb 13, 2012.

  1. laltobelli

    laltobelli Private E-2

    Hello,

    I believe I have a variation of the ZeroAccess rootkit. It creates a file consrv.dll in the system32 directory. HitmanPro has detected it and has tried to remove it, but it keeps reappearing.
    Other symptoms have included the loss of internet connection (removing McAfee has resolved that issue). The Windows Firewall and its service are completely missing and I have not been able to restore them. If left alone the system becomes unstable and I am forced to do a restore just to get it to boot.
    I am running Windows 7 Home Premium 64-bit.
    I have run the following without success: SUPERAntiSpyware, Malwarebytes, Spybot, RootkitBuster, Sophos, TDSSKiller, Kaspersky Rescue Disk and a few others, all without success.

    I have attached MGlogs.zip.

    Thanks,

    Larry
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

  3. laltobelli

    laltobelli Private E-2

    Hi thisisu,

    I did go through the instructions. SUPERAntiSpyware did not find anything, Malwarebytes did not find anything. I ran ComboFix and the instructions say not to post the log. RootRepeal does not run on a 64-bit OS, and the MGlogs.zip was attached to my first posting.

    Did you want the combofix log?

    La
     
  4. thisisu

    thisisu Malware Consultant

    Yes, and I would also like to see the SAS and MBAM logs even though they did not find anything.
     
  5. laltobelli

    laltobelli Private E-2

    No problem, I reran the scans and here they are.

    Thanks!
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    We have a lot of work to do. I see that your Windows Firewall is broken too. We can fix this too but let's remove malware first.

    Please refrain from doing anything other than what is requested here.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Driver::
    MEMSWEEP2
    aclient
    srvdpi
    File::
    c:\windows\system32\A239.tmp
    c:\windows\system32\3FED.tmp
    c:\windows\Tasks\SystemToolsDailyTest.job
    c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    C:\temp428.bat
    C:\temp582.bat
    c:\windows\system32\1851.tmp
    c:\windows\system32\9194.tmp
    c:\windows\system32\F27A.tmp
    c:\windows\system32\E8E7.tmp
    C:\ProgramData\XbiW1oiy0.dat
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    FileLook::
    c:\windows\system32\ntshrui.dll
    c:\windows\SysWow64\ntshrui.dll
    c:\windows\system32\termsrv.dll
    c:\windows\system32\systemcpl.dll
    c:\windows\system32\srrstr.dll
    c:\windows\system32\slwga.dll
    c:\windows\system32\fxsst.dll
    Folder::
    c:\program files (x86)\Sophos
    C:\Windows\assembly\tmp
    C:\Windows\assembly\temp
    C:\ProgramData\DAEMON Tools Lite
    c:\windows\system64.bad
    c:\windows\system64
    NetSvc::
    aclient
    srvdpi
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,69,83,0c,3f,28,af,ec,4a,aa,c1,c3,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,69,83,0c,3f,28,af,ec,4a,aa,c1,c3,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    Registry::
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\services\MEMSWEEP2]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"=-
    "HP Software Update"=-
    "iTunesHelper"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
    "Windows"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
      00,73,00,72,00,73,00,73,00,2e,00,65,00,78,00,65,00,20,00,4f,00,62,00,6a,00,\
      65,00,63,00,74,00,44,00,69,00,72,00,65,00,63,00,74,00,6f,00,72,00,79,00,3d,\
      00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,68,00,61,00,\
      72,00,65,00,64,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,3d,00,31,00,30,\
      00,32,00,34,00,2c,00,32,00,30,00,34,00,38,00,30,00,2c,00,37,00,36,00,38,00,\
      20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,3d,00,4f,00,6e,00,20,00,53,\
      00,75,00,62,00,53,00,79,00,73,00,74,00,65,00,6d,00,54,00,79,00,70,00,65,00,\
      3d,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,65,00,72,00,76,\
      00,65,00,72,00,44,00,6c,00,6c,00,3d,00,62,00,61,00,73,00,65,00,73,00,72,00,\
      76,00,2c,00,31,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,\
      00,3d,00,77,00,69,00,6e,00,73,00,72,00,76,00,3a,00,55,00,73,00,65,00,72,00,\
      53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,\
      00,69,00,61,00,6c,00,69,00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,33,00,\
      20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,77,00,69,\
      00,6e,00,73,00,72,00,76,00,3a,00,43,00,6f,00,6e,00,53,00,65,00,72,00,76,00,\
      65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,00,61,00,6c,00,69,\
      00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,32,00,20,00,53,00,65,00,72,00,\
      76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,73,00,78,00,73,00,73,00,72,00,76,\
      00,2c,00,34,00,20,00,50,00,72,00,6f,00,66,00,69,00,6c,00,65,00,43,00,6f,00,\
      6e,00,74,00,72,00,6f,00,6c,00,3d,00,4f,00,66,00,66,00,20,00,4d,00,61,00,78,\
      00,52,00,65,00,71,00,75,00,65,00,73,00,74,00,54,00,68,00,72,00,65,00,61,00,\
      64,00,73,00,3d,00,31,00,36,00,00,00
    
    [HKEY_LOCAL_MACHINE\system\controlset001\control\session manager\subsystems]
    "Windows"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
      00,73,00,72,00,73,00,73,00,2e,00,65,00,78,00,65,00,20,00,4f,00,62,00,6a,00,\
      65,00,63,00,74,00,44,00,69,00,72,00,65,00,63,00,74,00,6f,00,72,00,79,00,3d,\
      00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,68,00,61,00,\
      72,00,65,00,64,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,3d,00,31,00,30,\
      00,32,00,34,00,2c,00,32,00,30,00,34,00,38,00,30,00,2c,00,37,00,36,00,38,00,\
      20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,3d,00,4f,00,6e,00,20,00,53,\
      00,75,00,62,00,53,00,79,00,73,00,74,00,65,00,6d,00,54,00,79,00,70,00,65,00,\
      3d,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,65,00,72,00,76,\
      00,65,00,72,00,44,00,6c,00,6c,00,3d,00,62,00,61,00,73,00,65,00,73,00,72,00,\
      76,00,2c,00,31,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,\
      00,3d,00,77,00,69,00,6e,00,73,00,72,00,76,00,3a,00,55,00,73,00,65,00,72,00,\
      53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,\
      00,69,00,61,00,6c,00,69,00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,33,00,\
      20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,77,00,69,\
      00,6e,00,73,00,72,00,76,00,3a,00,43,00,6f,00,6e,00,53,00,65,00,72,00,76,00,\
      65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,00,61,00,6c,00,69,\
      00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,32,00,20,00,53,00,65,00,72,00,\
      76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,73,00,78,00,73,00,73,00,72,00,76,\
      00,2c,00,34,00,20,00,50,00,72,00,6f,00,66,00,69,00,6c,00,65,00,43,00,6f,00,\
      6e,00,74,00,72,00,6f,00,6c,00,3d,00,4f,00,66,00,66,00,20,00,4d,00,61,00,78,\
      00,52,00,65,00,71,00,75,00,65,00,73,00,74,00,54,00,68,00,72,00,65,00,61,00,\
      64,00,73,00,3d,00,31,00,36,00,00,00
    
    [HKEY_LOCAL_MACHINE\system\controlset002\control\session manager\subsystems]
    "Windows"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
      00,73,00,72,00,73,00,73,00,2e,00,65,00,78,00,65,00,20,00,4f,00,62,00,6a,00,\
      65,00,63,00,74,00,44,00,69,00,72,00,65,00,63,00,74,00,6f,00,72,00,79,00,3d,\
      00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,68,00,61,00,\
      72,00,65,00,64,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,3d,00,31,00,30,\
      00,32,00,34,00,2c,00,32,00,30,00,34,00,38,00,30,00,2c,00,37,00,36,00,38,00,\
      20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,3d,00,4f,00,6e,00,20,00,53,\
      00,75,00,62,00,53,00,79,00,73,00,74,00,65,00,6d,00,54,00,79,00,70,00,65,00,\
      3d,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,65,00,72,00,76,\
      00,65,00,72,00,44,00,6c,00,6c,00,3d,00,62,00,61,00,73,00,65,00,73,00,72,00,\
      76,00,2c,00,31,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,\
      00,3d,00,77,00,69,00,6e,00,73,00,72,00,76,00,3a,00,55,00,73,00,65,00,72,00,\
      53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,\
      00,69,00,61,00,6c,00,69,00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,33,00,\
      20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,77,00,69,\
      00,6e,00,73,00,72,00,76,00,3a,00,43,00,6f,00,6e,00,53,00,65,00,72,00,76,00,\
      65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,00,61,00,6c,00,69,\
      00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,32,00,20,00,53,00,65,00,72,00,\
      76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,73,00,78,00,73,00,73,00,72,00,76,\
      00,2c,00,34,00,20,00,50,00,72,00,6f,00,66,00,69,00,6c,00,65,00,43,00,6f,00,\
      6e,00,74,00,72,00,6f,00,6c,00,3d,00,4f,00,66,00,66,00,20,00,4d,00,61,00,78,\
      00,52,00,65,00,71,00,75,00,65,00,73,00,74,00,54,00,68,00,72,00,65,00,61,00,\
      64,00,73,00,3d,00,31,00,36,00,00,00
    SecCenter::
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    I want you to read and follow these instructions: TDSSKiller - How to run

    Now install the current version of Sun Java from: jre-7u3-windows-x64.exe

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      netsvcs
      %windir%\system32\*.sys /90
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
     
    Last edited: Feb 16, 2012
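    The Session Manager\Subsystems "Windows" value that the script above writes back to all three control sets is the csrss.exe start-up string, and it is the hook this ZeroAccess variant abuses: the legitimate ServerDll=winsrv:ConServerDllInitialization,2 entry is rewritten so that the rootkit's consrv.dll is loaded into csrss.exe at boot, which is why the file the poster sees keeps coming back. The following Python is an added example, not part of the thread or of any tool used in it. It decodes the hex(2) value exactly as copied from the ComboFix script, lists the ServerDll modules, and flags any module outside the set present in that clean Windows 7 x64 value (basesrv, winsrv, sxssrv; this allow-list is an assumption drawn from this one value and other Windows versions differ). The hijacked sample in the demo is constructed by substituting consrv into the clean string.

```python
import re

# Session Manager\Subsystems "Windows" value exactly as the ComboFix script
# above writes it back (.reg syntax: REG_EXPAND_SZ as hex(2), comma-separated
# bytes, backslash continuation lines). This is the clean Windows 7 x64 value.
CLEAN_REG_VALUE = r'''"Windows"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
  00,73,00,72,00,73,00,73,00,2e,00,65,00,78,00,65,00,20,00,4f,00,62,00,6a,00,\
  65,00,63,00,74,00,44,00,69,00,72,00,65,00,63,00,74,00,6f,00,72,00,79,00,3d,\
  00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,68,00,61,00,\
  72,00,65,00,64,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,3d,00,31,00,30,\
  00,32,00,34,00,2c,00,32,00,30,00,34,00,38,00,30,00,2c,00,37,00,36,00,38,00,\
  20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,3d,00,4f,00,6e,00,20,00,53,\
  00,75,00,62,00,53,00,79,00,73,00,74,00,65,00,6d,00,54,00,79,00,70,00,65,00,\
  3d,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,65,00,72,00,76,\
  00,65,00,72,00,44,00,6c,00,6c,00,3d,00,62,00,61,00,73,00,65,00,73,00,72,00,\
  76,00,2c,00,31,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,\
  00,3d,00,77,00,69,00,6e,00,73,00,72,00,76,00,3a,00,55,00,73,00,65,00,72,00,\
  53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,\
  00,69,00,61,00,6c,00,69,00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,33,00,\
  20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,77,00,69,\
  00,6e,00,73,00,72,00,76,00,3a,00,43,00,6f,00,6e,00,53,00,65,00,72,00,76,00,\
  65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,00,61,00,6c,00,69,\
  00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,32,00,20,00,53,00,65,00,72,00,\
  76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,73,00,78,00,73,00,73,00,72,00,76,\
  00,2c,00,34,00,20,00,50,00,72,00,6f,00,66,00,69,00,6c,00,65,00,43,00,6f,00,\
  6e,00,74,00,72,00,6f,00,6c,00,3d,00,4f,00,66,00,66,00,20,00,4d,00,61,00,78,\
  00,52,00,65,00,71,00,75,00,65,00,73,00,74,00,54,00,68,00,72,00,65,00,61,00,\
  64,00,73,00,3d,00,31,00,36,00,00,00'''

# ServerDll modules csrss.exe loads on a clean Windows 7 x64 system, taken
# from the value above (assumption: other Windows versions differ). The
# ZeroAccess variant in this thread rewrites winsrv:ConServerDllInitialization
# to consrv:ConServerDllInitialization so its consrv.dll is loaded by csrss.exe.
KNOWN_GOOD_SERVERDLLS = {"basesrv", "winsrv", "sxssrv"}

_HEX_PREFIX = re.compile(r"hex\((\d+)\):", re.IGNORECASE)
_SERVERDLL = re.compile(r"ServerDll=([A-Za-z0-9_]+)")


def decode_reg_hex(reg_line: str) -> str:
    """Decode a .reg hex(2) (REG_EXPAND_SZ) or hex(7) (REG_MULTI_SZ) value.

    Bytes are little-endian UTF-16 with a trailing NUL; continuation lines
    end in a backslash. REG_MULTI_SZ entries are returned newline-joined.
    """
    match = _HEX_PREFIX.search(reg_line)
    if not match:
        raise ValueError("not a hex(n) registry value")
    payload = re.sub(r"[\\\s]", "", reg_line[match.end():])
    raw = bytes(int(pair, 16) for pair in payload.split(",") if pair)
    text = raw.decode("utf-16-le").rstrip("\x00")
    if int(match.group(1)) == 7:
        return "\n".join(text.split("\x00"))
    return text


def encode_reg_hex(name: str, *strings: str) -> str:
    """Inverse of decode_reg_hex: one string -> hex(2), several -> hex(7)."""
    if len(strings) == 1:
        kind, data = 2, strings[0] + "\x00"
    else:
        kind, data = 7, "\x00".join(strings) + "\x00\x00"
    body = ",".join(f"{b:02x}" for b in data.encode("utf-16-le"))
    return f'"{name}"=hex({kind}):{body}'


def server_dlls(csrss_cmdline: str) -> list:
    """Module names from every ServerDll=module[:entrypoint][,index] token."""
    return _SERVERDLL.findall(csrss_cmdline)


def suspicious_server_dlls(csrss_cmdline: str) -> list:
    """ServerDll modules that are not on the known-good list."""
    return [m for m in server_dlls(csrss_cmdline)
            if m.lower() not in KNOWN_GOOD_SERVERDLLS]


if __name__ == "__main__":
    cmdline = decode_reg_hex(CLEAN_REG_VALUE)
    print("decoded :", cmdline)
    print("modules :", server_dlls(cmdline))
    print("suspect :", suspicious_server_dlls(cmdline) or "none")
    # Constructed sample of the hijacked value (not taken from the thread).
    hijacked = cmdline.replace("winsrv:ConServerDllInitialization",
                               "consrv:ConServerDllInitialization")
    print("suspect (hijacked):", suspicious_server_dlls(hijacked))
```

    To use it on a live box, feed it the "Windows" line from a `reg export` of HKLM\SYSTEM\ControlSet00N\Control\Session Manager\SubSystems for every control set present, not only CurrentControlSet: the script above rewrites ControlSet001 and ControlSet002 as well because a later restore or Last Known Good boot would otherwise reload the hijacked value.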
  7. laltobelli

    laltobelli Private E-2

    It's late here. I kicked off the CFScript and I will finish and post in the morning.
     
  8. thisisu

    thisisu Malware Consultant

    No problem. Take your time.
     
  9. laltobelli

    laltobelli Private E-2

    When CFScript/ComboFix went to reboot, the system went into a startup repair, which failed. When this has happened before, the only way to get out of it was to do a system restore. I kicked that off; it takes a while. I am off to work and may be back at midday to check on this again.
     
  10. thisisu

    thisisu Malware Consultant

    Ok. Update me whenever you get a chance.
     
  11. laltobelli

    laltobelli Private E-2

    All the restore points are failing, at this point I cannot get to the desktop.
     
  12. thisisu

    thisisu Malware Consultant

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer", find your flash drive letter, and close Notepad.
    • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  13. laltobelli

    laltobelli Private E-2

    Hi Agent ST,

    Although my last recovery said it failed, the system did boot to the desktop with a recovery date of 2/8/12.
    I do not have a Windows install disk, I have ordered from Dell but the shipping date is 2/28 - apparently the manufacturing facility is underwater...
    I do have a Win 7 64-bit recovery CD which I used to boot to the command console and run the frst64.exe program. I have attached the log file.

    Larry
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Wrong forum ? :-o
     
  15. thisisu

    thisisu Malware Consultant

    http://www.bleepingcomputer.com/forums/topic442831.html

    In the future, please do not cross-post.

    Resources that help perform malware removal are very precious and very limited, and cross-posting only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. If you wish to work this here on Major Geeks, then please post messages at all other forums where you have posted asking them to close the threads so that you do not waste any more resources on duplicate work.
     
  16. laltobelli

    laltobelli Private E-2

    My apologies, but I had originally read that it could take up to a week for a response from this forum. I was a bit surprised when you did respond. I will close the other posting.
     
  17. thisisu

    thisisu Malware Consultant

    No problem.
    Thank you. I imagine this fix will get rid of the bulk of your problems.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.
     

    Attached Files:

    Last edited: Feb 18, 2012
  18. laltobelli

    laltobelli Private E-2

    Hello,

    I ran FRST64 with the fixlist.txt and have attached the log file.

    I did reboot the PC and it is behaving a bit better. Browsing the internet appears normal. I am still missing Windows Firewall. HitmanPro did a scan on boot and did not find anything. Looking a lot better!

    Thanks,

    Larry
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    Glad to hear it :)

    I'd like you to update Malwarebytes' Anti-Malware and run another Quick Scan.
    Attach the latest MBAM log when finished. (How to attach)

    Afterwards, complete the below:

    Now run C:\MGtools\GetLogs.bat by right-clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  20. laltobelli

    laltobelli Private E-2

    Hello,

    I have attached the MBAM log file. It found a few registry entries and I removed those.
    There was no GetLogs.bat - actually the only thing in the MGtools folder was the log files from the other day. I had to get a little creative to get this to work; let me know if the log files are useful.

    Larry
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    Nice, congrats to MBAM for finding and deleting NetSvcs data values now :cool

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 24 (64-bit)

    I want you to read and follow these instructions: TDSSKiller - How to run

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Driver::
    SPService
    Folder::
    C:\Windows\assembly\temp
    C:\Windows\assembly\temp\U
    NetSvc::
    SPService
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      netsvcs
      %windir%\system32\drivers\*.sys /90
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u3-windows-x64.exe

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Feb 18, 2012
  22. laltobelli

    laltobelli Private E-2

    Everything ran ok, except MGTools created a log file too large to upload > 4mb. There was a temp folder within the zip file. I pulled that out, let me know if you need it. :clap
     

    Attached Files:

  23. thisisu

    thisisu Malware Consultant

    Much better :cool

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :otl
    O2:64bit: - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
    O2 - BHO: (no name) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    [2012/02/17 18:20:26 | 000,000,000 | ---D | C] -- C:\FRST
    [1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    @Alternate Data Stream - 171 bytes -> C:\ProgramData\Temp:DFC5A2B2
    :files
    net stop winmgmt /y /c
    del /f/q/s %windir%\system32\wbem\repository\*.* /c
    net start winmgmt /c
    C:\ProgramData\McAfee
    C:\ProgramData\PC Tools
    C:\ProgramData\Spybot - Search & Destroy
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
    C:\Program Files (x86)\Spybot - Search & Destroy
    C:\ProgramData\Trend Micro
    C:\Program Files (x86)\McAfee
    C:\Program Files (x86)\PC Tools Security
    C:\Program Files (x86)\Trend Micro
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    :commands
    [emptytemp]
    
    Now click the button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u3-windows-x64.exe

    Are you still having a problem with turning on Windows Firewall? According to your latest logs everything is intact with it.

    Let me know what other problems you are still experiencing, if any.
     
    Last edited: Feb 19, 2012
  24. thisisu

    thisisu Malware Consultant

    Please download the following to remove remaining traces of McAfee: MCPR.exe
    Note: the CAPTCHA is case-sensitive.

    Also uninstall Sophos Anti-Rootkit 1.5.20

    You have/had way too many security applications. I edited my OTL fix to remove the traces I could find of Trend Micro, PC Tools, Spybot Search and Destroy, and McAfee, since none of them appears to be properly installed / functional.
     
    Last edited: Feb 19, 2012
  25. laltobelli

    laltobelli Private E-2

    I ran MCPR.exe and removed Sophos, although Sophos said it had already been removed and was just listed in Programs. System has been rebooted.
     
  26. thisisu

    thisisu Malware Consultant

    Alright, attach your OTL fix log whenever you are ready.
     
  27. laltobelli

    laltobelli Private E-2

    Ran into a little detour. I missed OTL the last time. I just finished running it and the system went into the startup repair loop. This time there were no restore points. I booted to a command prompt and ran frst64.exe and have attached the log file. While I was there I grabbed the OTL log file and also attached that.

    The startup repair indicated that ntoskrnl.exe was corrupt...

    I'm not too sure what your reference to "CAPTCHA is case-sensitive" means?

    la

    :confused
     

    Attached Files:

  28. laltobelli

    laltobelli Private E-2

    Sorry, here's the FRST log.
     

    Attached Files:

  29. thisisu

    thisisu Malware Consultant

    Can you try to boot into Last Known Good Configuration?

    Or Safe Mode.

    Please verify that both of these are not working before I attempt an FRST fix which doesn't show anything obviously wrong.
     
  30. thisisu

    thisisu Malware Consultant

    Here is the fixlist.txt to try with FRST if no boot mode is working for you.

    I found some traces of McAfee and Sophos still trying to load on startup. There's a good chance that this is what is causing the boot issue now.
     

    Attached Files:

  31. thisisu

    thisisu Malware Consultant

    It means the alphanumeric code you have to enter into the McAfee Removal Tool is case-sensitive.
     
  32. laltobelli

    laltobelli Private E-2

    Tried a few things including chkdsk, safe mode, last known good config, disable restart. Still not booting, stuck in startup repair land....
     
  33. thisisu

    thisisu Malware Consultant

    You can try what I suggested in post #30
     
  34. laltobelli

    laltobelli Private E-2

    How long should the Fix take? Been going on for a couple of hours now...
     
  35. thisisu

    thisisu Malware Consultant

    Normally it only takes a few seconds.

    If you are still having trouble with it, try this one I have attached. Make sure you replace this fixlist.txt with your existing one (or delete the old one).
     

    Attached Files:

  36. laltobelli

    laltobelli Private E-2

    No luck yet. This time it did only take a few seconds, but boot still went to startup repair and failed...
     
  37. thisisu

    thisisu Malware Consultant

    Please attach the fixlog.txt and then an updated FRST.txt.
     
  38. laltobelli

    laltobelli Private E-2

    Redid the scan, here's the FRST.txt and the fixlog.txt files.
    Thanks,
    la
     

    Attached Files:

  39. thisisu

    thisisu Malware Consultant

    Ok, I'm not sure why, because OTL wouldn't have tampered with this, but your Recovery partition is marked active (it should not be). So follow the instructions below so that C: (your operating system partition) is active again.

    Reboot into System Recovery Options -> Command Prompt

    Type in each of the following commands in the order listed below, pressing ENTER after each one:

    1. diskpart
    2. select disk 0
    3. select partition 3
    4. active
    5. exit
    6. bootrec /fixmbr
    7. bootrec /fixboot
    8. exit

    Now restart your computer. If it does not boot immediately on the first try, enter System Recovery Options -> Startup Repair.
    You may need to run Startup Repair twice in a row.
     
  40. laltobelli

    laltobelli Private E-2

    Nope still in same loop. Looks like the right partition is active now. But I get an unknown error in startup repair. I ran the FRST scan again and attached it here. It's late here, so I will try again in the morning.

    There's one really odd thing that I have noticed. The time in this system keeps changing, even after I have corrected it...

    Thanks,

    la
     

    Attached Files:

  41. thisisu

    thisisu Malware Consultant

    Boot to System Recovery Options and run FRST again.
    Type the below bolded text in the edit box after "Search:".

    1394ohci.sys

    Then click the Search button.

    It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  42. thisisu

    thisisu Malware Consultant

    Most likely a bad CMOS battery.
     
  43. laltobelli

    laltobelli Private E-2

    Here's the search.txt file.
     

    Attached Files:

  44. thisisu

    thisisu Malware Consultant

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.

    If this does not work, run another scan with FRST but include "Check Drivers MD5".
     

    Attached Files:

  45. laltobelli

    laltobelli Private E-2

    Still no go...

    Here's the fixlog and FRST logs.
     

    Attached Files:

  46. thisisu

    thisisu Malware Consultant

    Have you attempted a startup Repair since the last fix?

    Try to give me some more details on EXACTLY what is happening when you attempt to boot.
    I also have a new fixlist.txt I'd like you to try.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.

    If this does not work, run another scan with FRST but include "Check Drivers MD5".
     

    Attached Files:
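A scripted version of the kind of check the "Check Drivers MD5" scan in posts #44 and #46 gives the helper, as an added example rather than the helper's instructions or FRST's own code: it hashes the files this thread has focused on (the driver searched for in post #41 and the kernel file Startup Repair reported as corrupt) and compares them with hashes collected from a clean machine of the same build. The file list and the known-good hash values are assumptions; the hashes are placeholders to be filled in from a known-clean Windows 7 x64 install.

```powershell
# Added example for this thread (not from the helper or from FRST). Hash the files the
# thread looks at and compare them with known-good MD5s taken from a clean system of
# the same build. Written for PowerShell 2.0 on Windows 7 (no Get-FileHash); run elevated.

# PLACEHOLDERS: fill these in from a clean Windows 7 x64 install of the same build
# (the Startup Repair details in this thread show OS Version 6.1.7600.16385).
$KnownGood = @{
    "$env:SystemRoot\System32\drivers\1394ohci.sys" = 'REPLACE-WITH-MD5-FROM-CLEAN-SYSTEM'
    "$env:SystemRoot\System32\ntoskrnl.exe"         = 'REPLACE-WITH-MD5-FROM-CLEAN-SYSTEM'
}

function Get-Md5Hex([string]$Path) {
    # Stream the file through the hasher so a large binary is not read into memory at once.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($fs) }
    finally { $fs.Close() }
    ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-SystemFile([string]$Path, [string]$Expected) {
    # A file that should exist on every stock install but is absent is itself a finding.
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Md5 = ''; Signature = 'n/a'; Verdict = 'MISSING' }
    }
    $actual = Get-Md5Hex $Path
    # Caveat: on Windows 7 many Microsoft files are catalog-signed, and PowerShell 2.0
    # reports those as NotSigned here, so treat the hash comparison as the primary signal.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $verdict = if ($actual -eq $Expected.ToLower()) { 'MATCH' } else { 'MISMATCH' }
    New-Object PSObject -Property @{ Path = $Path; Md5 = $actual; Signature = $sig.Status; Verdict = $verdict }
}

# Report one row per file; MISMATCH or MISSING rows are the ones worth attaching to a reply.
$KnownGood.GetEnumerator() |
    ForEach-Object { Test-SystemFile -Path $_.Key -Expected $_.Value } |
    Format-Table Verdict, Signature, Md5, Path -AutoSize
```

Until the placeholder hashes are replaced, every row will read MISMATCH; the MD5 column still gives you the value to compare by hand against a clean system or against the hashes in the FRST log.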

  47. laltobelli

    laltobelli Private E-2

    Ok, here's what's happening from a cold start:
    System boots directly to startup repair, no other option is offered. So startup repair has been kicking off on every attempt so far.
    - I can get to the Safe Boot menu by pressing F8, but that goes directly to startup repair too.

    The startup repair fails.
    The details have differed from time to time, but presently say that:

    Problem Signature 01: 6.1.7600.16385
    Problem Signature 02: 6.1.7600.16385
    Problem Signature 03: unknown
    Problem Signature 04: 21200412
    Problem Signature 05: AutoFailover
    Problem Signature 06: 24
    Problem Signature 07: CorruptFile
    OS Version: 6.1.7600.2.0.0.256.1
    Locale ID: 1033

    Viewing diagnostics and repair details gives C:\Windows as the drive and all the Tests Performed return an error code of 0x0.
    The root cause found is:
    Startup Repair has tried several times but still cannot determine the cause of the problem.

    From that point I can either Finish and shutdown or go to advance options.

    Did you have a new fixlist.txt? I did not see one attached.

    Larry
     
  48. thisisu

    thisisu Malware Consultant

    It is attached now. ;)
     
  49. thisisu

    thisisu Malware Consultant

    Have you gone into the advanced options?

    From the advanced options menu, select Startup Repair.

    Let me know if you get the same results.
     
  50. laltobelli

    laltobelli Private E-2

    Yeah, same results...

    This doesn't make sense...
     

    Attached Files:
