Root kit infection

Welcome to Major Geeks!

You actually forgot to attach it. Please attach the MGlogs.zip file from MGtools.

Also run the below scan.

Please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Option1: Enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

Option2: Enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)

 

You're welcome.

Download this >> View attachment fixlist.txt


Save fixlist.txt to your flash drive.

• You should now have both fixlist.txt and FRST.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• Fixlog.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Where are you looking to see these? Are you looking in Services.msc?

Yes I do see many questionable items in your logs for services and also NetSvcs ( see your ComboFix log under the section having the title HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs ) , but there is no real easy way for me to tell which are valid and which are non-valid since most of these added items actually use names that are from valid services. The best we may be able to do is remove ones that have no files associated with them but even this is somewhat risky because there are valid services that do not have files associated with them too.

You could probably run the AutoRuns program by SysInternals to help you identify all of these services having the description you describe above ( highlighted in purple ) and then delete them.

Running the following may also be of use >> http://www.pandasecurity.com/usa/homeusers/support/card?id=1672&idIdioma=2

 

Let me know how it goes. If you get to the point where you are considering a reinstall, before you do that we can try as a last resort to perform some steps with our cleaning tools to remove many of these bad drivers and services. We may or may not succeed in removing them without making the PC unbootable, but if you were at the point of a reinstall anyway, it would not matter and may serve to better help understand these types of infections which are happening frequently now in the last week or so.

 

We can attempt to delete them using tools like ComboFix, Avenger, or OTL. Would you like to attempt doing this? If yes, I suggest first backing up important data just to be safe if something goes wrong.