Restoring internet connection after ZeroAccess.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JosephJ, Dec 20, 2011.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it's good that things are working better but you may want to slowly enable the services and startups you have disabled to see if you can pin point the one causing your blue screens.

    Also If you start to have any more strange problems, I would have to recommend fixing the MBR.
     
  2. JosephJ

    JosephJ Private E-2

    What is the MBR? And how do you go about fixing it? Do you think if I connected my computer to the internet it would work?

    Are there any other steps I can take while I try and find what is causing the blue screens? And how do you repair it?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MBR = Master Boot Record. This is used to boot up your PC's hard disk before the Windows operating system is loaded. To fix it, you need to rewrite the MBR with valid information. Typically when an infection is in place, you have to boot from a CD into a recovery environment to repair this; otherwise the infected MBR would still be running and would block any attempted fix. This is why I asked if you had your boot DVD.

    Yes.

    Are there any other steps I can take while I try and find what is causing the blue screens? And how do you repair it?

    You cannot even attempt to fix anything until you find out which application is causing the problem. You need to do this yourself as stated in my last message by enabling one item at a time until you see which one is the cause. It is possible that other steps we have taken have already fixed it, but on the other hand it may not be fixed. Also it is possible that the MBR is really infected and it is the reason for the blue screen when you enable all services and processes.
     
  4. JosephJ

    JosephJ Private E-2

    Sorry for the ignorance, but I'm computer illiterate. So without the DVD, the MBR is going to be forever messed up? This is probably what causes the ridiculously long boot. How do I go about getting another one?

    Also, when I do find the service or startup that is causing the issue (which I'll probably attempt to find after work tomorrow), do you want me to post here? Also, for the network connection it says "the service to detect this status is turned off". Which one do I enable for it to work?

    I'm so greatly appreciative of all the help my friend. I apologize for all the silly questions. I'm just in no spot to buy a new computer. Thank you so much for all the help. I'm sure my questions are not over with, heh.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Potentially yes. I will give you a couple things to try ( in a different message ) first without this disc and we will see what happens. Maybe you will get lucky.

    You really want a full boot and reinstall disc and you would have to purchase one since your PC manufacturer was irresponsible and did not provide you with one. NO PC vendor should be allowed to do this these days. There is too much malware and too many other reasons where Windows can become broken and needs to be repaired. You need the system boot disc period. Your vendor will tell you there is a factory recovery partition on your PC and you can restore to factory state with it, but who in their right mind really would ever want to put their PC back into that state and lose everything they have set up on the PC.

    Yes.

    You cannot be concerned with this right now. You have 114 services disabled right now and you also have 18 other Startup processes disabled. There are many many things not working properly on your PC right now. Obviously you cannot stay in this state permanently. For record keeping, I attached a text file to this message that has the currently disabled services and processes listed.

    You're welcome.
     

    Attached Files:

    Last edited: Dec 27, 2011
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's see if we can get your PC to boot up into the System Recovery Options. Normally this comes preinstalled as part of Vista and Win 7 PCs. Sometimes, it is possible to repair an MBR from this.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

    • Select Command Prompt
    • At the command prompt, type in the below commands and hit enter. The last command will cause your PC to reboot. Allow it to boot normally.
    bootrec /fixmbr
    exit
    After reboot, rerun MBRcheck as you did earlier and then attach a new log from it.
     
  7. JosephJ

    JosephJ Private E-2

    Here is the new MBR check. I'm going to get on those services and startups first thing when I get home from work tomorrow. Just go one by one? And if it goes blue, what would be the proper way to return it back to normal mode? Sounds like this is going to be tough.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You got lucky. It was able to fix it. ;)


    No that would take way too long and too many reboots. Divide and conquer. Ever hear of the power of two process of elimination? You will eliminate half of the services in each reboot. Here is a brief example using a smaller set of numbers just to describe the process. Let's suppose you had 30 service items you wanted to test for this kind of issue.


    Step 1:
    • Divide the services into two halves, the lower 15 and the upper 15, in any order you find easier. Very Important: Just keep track of which are in which bucket. You need to know your starting point!!!!!
    • Let's enable the lower 15 and see what happens. Two things can happen
      1. Successful boot - meaning these 15 should not be the problem and can be left enabled. Thus you would skip to Step 2
      2. Unsuccessful boot - should mean that this set of 15 contains the problem service or services ( note there could be more than one or an interaction of some which could make problem solving more time consuming ). But let's assume only one is the problem for this example. Thus you divide the problem in half again, splitting this group of 15 into a lower 7 and upper 8, and then repeat the concept from above until the problem is found. Then leave it disabled and move on to step 2 to be sure that there are not other problem services in the 2nd group.
    Step 2:
    • Enable the upper 15 services. Two things can happen
      1. Successful boot - meaning these 15 should not be the problem and can be left enabled. Thus you would skip to Step 3
      2. Unsuccessful boot - should mean that this set of 15 contains the problem service or services. But let's assume only one is the problem for this example. Thus you divide the problem in half again, splitting this group of 15 into a lower 7 and upper 8, and then repeat the concept from above in step 1.
    Step 3:
    • If you got here and have all services from both groups of 15 ( that is all 30 ) enabled, then the services are not your problems by themselves and you have to start seeing what happens by following the same kind of procedure in enabling your disabled startup processes.
    • If you wind up getting all services enabled and all processes enabled then it is possible that all the fixes we did ( including the recent MBR fix ) cured the problem.
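    The halving procedure described in this post, written out as a simulation so the bookkeeping is explicit. This is an added example, not code from the thread or from MajorGeeks: the service names and the SimulatedPC "boot oracle" are constructed for the demonstration (on a real machine each oracle call is a reboot after enabling that bucket in MSconfig). It follows the post's split exactly (15/15, then 7/8, and so on), keeps a log of every reboot so the starting point is never lost, and goes slightly beyond the text by also finding several independent culprits; interacting services, which the post notes can take longer, are not modelled.

```python
"""Divide-and-conquer isolation of a boot-breaking service.

Added example, not code from the thread or from MajorGeeks: it simulates
the "enable half, reboot, see what happens" procedure so the bookkeeping
(which bucket is under test, which services are already cleared) is
explicit. The service names and the SimulatedPC oracle are constructed
for the demonstration; on a real machine the oracle is a reboot.
"""
from typing import Callable, List, Optional, Sequence, Set

BootOracle = Callable[[Set[str]], bool]  # True means the boot succeeded


class SimulatedPC:
    """Stand-in for the real PC: booting fails if any culprit is enabled."""

    def __init__(self, culprits: Set[str]) -> None:
        self.culprits = set(culprits)
        self.reboots = 0

    def boots(self, enabled: Set[str]) -> bool:
        self.reboots += 1
        return not (enabled & self.culprits)


def isolate_bad_services(candidates: Sequence[str], boots: BootOracle,
                         enabled: Optional[Set[str]] = None,
                         log: Optional[List[str]] = None) -> List[str]:
    """Return the services that must stay disabled.

    candidates: the disabled services still under test (one "bucket").
    enabled:    services already cleared and left on; this is the starting
                point you fall back to after a failed boot, so it is only
                updated when a boot succeeds.
    log:        one line per reboot, so you always know what was just tried.
    Each bucket is split into a lower and an upper half (15/15, then 7/8,
    ...), exactly as the forum procedure does. Several independent culprits
    are found; interacting services are not modelled.
    """
    if enabled is None:
        enabled = set()
    if log is None:
        log = []
    bad: List[str] = []
    mid = len(candidates) // 2
    for half in (candidates[:mid], candidates[mid:]):
        if not half:
            continue
        trial = enabled | set(half)          # the bucket under test
        if boots(trial):
            enabled |= set(half)             # cleared: leave these enabled
            log.append(f"OK   {list(half)} -> leave enabled")
        elif len(half) == 1:
            bad.append(half[0])              # a single item fails: culprit
            log.append(f"FAIL {half[0]} -> culprit, keep disabled")
        else:
            # Failed boot: this bucket goes back to disabled (enabled is
            # untouched), and we halve it again.
            log.append(f"FAIL {list(half)} -> disable again, split "
                       f"{len(half) // 2}/{len(half) - len(half) // 2}")
            bad.extend(isolate_bad_services(half, boots, enabled, log))
    return bad


def demo() -> tuple:
    """Run the 30-service example from the post with one hidden culprit."""
    services = [f"svc_{i:02d}" for i in range(1, 31)]   # constructed names
    pc = SimulatedPC({"svc_21"})
    enabled: Set[str] = set()
    log: List[str] = []
    bad = isolate_bad_services(services, pc.boots, enabled, log)
    return bad, pc.reboots, enabled, log


if __name__ == "__main__":
    culprits, reboots, left_on, steps = demo()
    print("\n".join(steps))
    print(f"culprits: {culprits}; reboots needed: {reboots} "
          f"(instead of up to 30 one at a time)")
```

    With one culprit among 30 services the simulation needs 10 reboots rather than up to 30, and the log shows why the post insists on tracking the starting point: after a failed boot only the bucket just tried is disabled again, and everything already cleared stays enabled.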
     
  9. JosephJ

    JosephJ Private E-2

    Very cool. Just one more question before I start my conquest to seek and destroy. How would I go about fixing the blue screen if it comes up? I know I'd have to do it in safe mode. It wouldn't undo the recent MBR fix would it? Would I start it up again in diagnostic mode? And just start over?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's what you are doing with this process. When you find the service(s) that causes the problem, disable it again.

    Only to disable the problem service or services and then go back to normal mode.

    Nope!

    This is why I said
    You need to know your exact starting point so you can get back to it easily if necessary. Also you need to keep track as you are testing which services can also remain enabled, i.e., ones that you have eliminated from being the problem. So that rather than going all the way back to where you are now, you just continue from the previous step before the blue screen came back.
     
  11. JosephJ

    JosephJ Private E-2

    Well, after about what seemed to be ages, I got through the list of startups and services. Well guess what, no blue screen ever. So somewhere along the line we must have fixed the issue!

    I'm connected to the internet and everything seemed to be correct, except I still get that ridiculously long boot time. Also, after everything loaded on my computer, I got one single error message from Solution center; it reads "the feature you are trying to use is on a CD-ROM or other removed disk that is not available."

    I also noticed that my computer seems to be running a tad slower. Any ideas? I feel like we're close to beating this thing. Are there any logs I could provide?

    Thanks a ton!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So are you saying that you now have ALL services and also all startup processes enabled and do not have a problem?

    Did you try setting MSconfig back to Normal Startup mode too?
     
  13. JosephJ

    JosephJ Private E-2

    Yes sir, however, I've encountered some more issues. The first thing I did when it booted correctly in normal mode was try and update my machine. I downloaded 15 plus updates and restarted. However, when it rebooted, it said something about updates didn't configure correctly, reverting changes. When I looked at Windows Updates, it only installed three or four of the updates. And it figures it seemed to "fail" on the security updates. Not to mention, things seem oddly slow.

    Other than that, all my services and startups are enabled.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why???? This was not part of my instructions. You are only supposed to be doing what we request. Nothing else.

    But you need to specifically answer my question.
     
  15. JosephJ

    JosephJ Private E-2

    I apologize. I figured it would help make a vulnerable machine better. I'm sorry.

    And yes, MSconfig is set to Normal Startup.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great! Then let's get a new log from MGtools so I can see how things are looking.

    Now download another new version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip
     
  17. JosephJ

    JosephJ Private E-2

    New logs.
     

    Attached Files:

  18. JosephJ

    JosephJ Private E-2

    Ugh! Out of nowhere, my browser closes, only on google. And I get Windows Security 2012 message. I immediately shut down my computer. Please don't tell me it's happening again.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Quite possibly yes. You will have to reboot and see. Remember what I said a few messages back
    Nothing else means nothing else.

    Google is far from a safe site. They may not agree with this statement but it is the truth. Thousands of people are getting infected daily from unpoliced/unsupervised junk links that appear on Google. While in general millions of people are using Google all the time without an issue on properly protected PCs, your PC is not protected right now, which is another reason why you should only be coming here and doing what is requested and absolutely nothing else.

    If your PC does appear to be infected when you boot it up, you will have to start all over again with the READ & RUN ME FIRST.
     
  20. JosephJ

    JosephJ Private E-2

    Man, this is a bummer. Should I boot in safe mode or try and normal boot?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We always want logs from normal boot mode unless it is impossible, but just to be a little safer to start, boot into safe mode and run a full scan with Malwarebytes and fix anything it finds. Whether it finds anything or not, immediately reboot into normal mode and run the below scans in the order given:
    • SUPERAntiSpyware
    • Malwarebytes
    • MGtools
    And attach the new logs ( yes we are skipping ComboFix right now ).
     
  22. JosephJ

    JosephJ Private E-2

    I booted into safe mode to do the full scan of MalwareBytes. I was able to update and run the program with no malicious pop-ups, and with internet connection. Hopefully this is a scare, We've been fighting this f'ing thing for 9 days now, it just needs to die a slow painful death. The new logs will be coming shortly. This time I won't even touch my computer unless ordered. Sorry and thanks always for the help.
     
  23. JosephJ

    JosephJ Private E-2

    After the boot in safe mode, the scan on Malwarebytes detected some issues. It seemed to have taken care of them, because the next boot was fine. But if you'd like the log from the safe mode scan let me know.

    Here are the other requested logs.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: You should not be scanning for Cookies in SUPERAntiSpyware. Our instructions said to uncheck this option as it is a waste of time. Cookies are not problems.

    Your logs look fine.


    Are you having any malware problems? Bootup time is not malware. It is Vista plus all the stuff you are loading at startup, much of which is likely unnecessary.
     
  25. JosephJ

    JosephJ Private E-2

    There doesn't seem to be any immediate malware threat as of right now. I booted in normal mode and everything loaded fine. I haven't done anything yet because of what happened last time. I'll wait for further instructions.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps. Make sure you get your protection software reinstalled. I would not run a scan though until you have cleaned up from what we have done. This way you avoid detecting what we have already quarantined.
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  27. JosephJ

    JosephJ Private E-2

    If you don't mind, I've got a couple quick questions before I do those final steps? Do you have any idea why my computer wouldn't download those windows updates? The whole reverting changes thing was weird. Also, I can't seem to turn windows firewall on. Is that because I haven't completed the final steps yet?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Possibly due to any infection present at the time but Windows Update is problematic for many many many other non-malware issues.

    This was all working before. Your logs back in message #67 showed everything was fine. I did not check these services in your last logs. Looks like you managed to break it again. You will have to import all of the changes for the registry again and then reboot to see if they work. So repeat the steps I gave you back in message #43.
     
  29. JosephJ

    JosephJ Private E-2

    Here are the logs from the repeat of message 43. All the registry keys were added successfully.
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on those logs, the Win Firewall is running now. Are you having any other problems?
     
  31. JosephJ

    JosephJ Private E-2

    Nothing that I can see. Should I follow the steps in message 76 now?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Do not do any surfing until you have completed these instructions and gotten your PC properly protected again.
     
  33. JosephJ

    JosephJ Private E-2

    I've gone through all the steps to protect my PC. Just one question, is it okay to have Malwarebytes, SUPERAntiSpyware, AND Microsoft Security Essentials? I'm kind of confused in this area.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes. The free versions of MBAM and SAS provide no active protection. They are only scanners. Note that you still need a good firewall ( which excludes the Windows firewall since it is poor ). Comodo Firewall would be a good choice.
     
  35. JosephJ

    JosephJ Private E-2

    I've gone through all the steps to protect my computer from malware. I have SUPERAntiSpyware, Malwarebytes, and Microsoft Security Essentials installed. I also took your advice and installed the Comodo firewall. I've rebooted my computer a couple times since then and really the only thing I'm finding weird is, I have to manually turn on Windows Firewall after every boot. Other than that the computer seems to be running perfectly.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have Comodo Firewall. The Windows Firewall is supposed to be disabled. Just like antivirus programs, only one firewall should be running.
     
  37. JosephJ

    JosephJ Private E-2

    Yeah, I see that. Took care of the problem. Any steps left? Or are we finally done with this thing!?!?!
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nope! We are finished.
     
  39. JosephJ

    JosephJ Private E-2

    Then it is a glorious day! Thank you so much for the help and sticking with this thing until the end. I have no idea what the second infection was, but it didn't seem to do nearly as much as the first did. I followed all of the steps in the "protect yourself" and have made sure my computer is fully protected.

    Hopefully I won't be back, but I know where to come if I need really good and experienced assistance. I will recommend MajorGeeks to anyone with a problem.

    Thanks a ton,
    Joseph.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
