zero access trojan desktop.ini

New to forum. Need help. My computer became infected with a zero access trojan desktop.ini ...please help

-Tiffany

 

logs attached

logs....could not fund a zip file for the mgtools.

 

Welcome to MajorGeeks, Tiffany

http://img827.imageshack.us/img827/1263/frst.gif Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

 

frst and search

new logs attached. Sorry about the repeats, posts were not showing up.

 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

• Save fixlist.txt to your flash drive.
• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

 

fixlog attached

 

Can you attach the dllhpand64.dll file that is in the C:\FRST\Quarantine folder for analysis?

You can delete the entire FRST folder afterwards.

Also let me know what problems remain.

 

not able to upload dllhpand64.dll it says it is an invalid file

 

Zip it first

 

zipped

 

Got it thanks.

Test out the computer for a while and let me know if there are any additional malware related problems.

 

I deleted frst folder then ran a mcafee scan then restarted--now I can't log into windows. I can get to the system recovery options. What do I do?

 

What happens when you try to boot now -- be specific.
Did the McAfee scan find something? A log from that would be great. In the meantime, run a new FRST scan and attach it here if you are still unable to boot.

 

I did the McAfee scan....Some errors showed up that it needed to fix but needed to restart to fix them. I then restarted but it now is unable to start up windows and goes directly to start up repair and it says it can not repair this computer automatically with these details:
problem signature 01 startuprepairoffine
problem signature 02 6.1.76000.16385
problem signature 03 6.1.76000.16385
problem signature 04 21201064
problem signature 05 autofailover
problem signature 06 4
problem signature 07 corruptregistry
os version 6.1.7600.2.0.0.256.1
locale id 1033

 

I need to review your logs a bit further but I'm pointing out some discrepancies I see so far to remind myself later:

First FRST log:

Code:

1 Drive c: (OS) (Fixed) (Total:58.59 GB) (Free:[COLOR="Indigo"]9.61 GB[/COLOR]) NTFS

Second FRST log:

Code:

1 Drive c: (OS) (Fixed) (Total:58.59 GB) (Free:[COLOR="Red"]7.82 GB[/COLOR]) NTFS

Nearly 2GB missing now. Drivers missing!

Code:

HKU\Tiffany\...\Run: [DelayShred] "c:\PROGRA~1\mcafee\mqs\ShrCL.EXE" /P1 /q "C:\FRST.SH!" [129184 2012-03-22] ()

Moved system64

 

Hi, try this one first. If boot is still unsuccessful, attach both the fixlog.txt and a new FRST.txt scan.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

• Save fixlist.txt to your flash drive.
• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

 

Still going to startup repair after reboot.

 

frst

 

Go into System Recovery Options and this time choose System Restore

http://www.sevenforums.com/attachments/tutorials/1059d1229784383t-system-restore-system_recovery_options.jpg

Follow the prompts to restore your computer to an earlier point in time.

 

No restore points have been created on your computers system drive. To create a restore point open system protection.==>your computer is running in a limited diagnostic state. If you use system restore in this limited state, you cannot undo the restore operation.

 

Ok I think I realized what went wrong. I need to try to get some more information though. Try the following fixlist:

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

• Save fixlist.txt to your flash drive.
• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

 

not sure if this went through alright. when uploading the log there was a fixlist and a fixlist(1) on my flashdrive

 

Delete all fixlists from your flash and then copy only the one above.
Then re-run the fix

 

fixlog

 

New fixlist to gather more information.
Delete previous fixlists and then copy this one over.

I probably won't be on for much longer tonight.

 

fixlog

 

Go into System Recovery Options ==> Command Prompt and use the Notepad trick to locate your operating system (OS) drive. It should be around 58.59 GB in size.

Once you have found the drive letter, type in the following command, replacing c: with the appropriate drive letter you found earlier.

• sfc /scannow /offbootdir=c:\ /offwindir=c:\windows

This process usually takes around an hour to complete. Be patient.
You should receive a message similar to "Starting integrity scan.."

 

Did as directed. A few seconds later it had /scannow,/verifyonly,/scanfile,/verifyfile,/offbootdir,/offwindir and their definitions. Ending with
x:\windows\system32>

 

Try again using the picture below for reference:

http://img825.imageshack.us/img825/8841/sfcofflinespace.jpg

 

Beginning system scan. This process will take some time.

Windows Resource protection could not preform the requested operation.
>

 

Weird.. ok, try the following command:

• chkdsk c: /r

Note: remember to replace c: with your OS drive letter.

Also run this command after the above has been completed:

• bootrec /rebuildbcd

Let me know what output you receive after typing that.

 

successfully scanned windows installations.
total identified windows installations: 0
the operation completed successfully.

 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

• Save fixlist.txt to your flash drive.
• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

__

If boot still fails, please attach a new scan of FRST.txt

 

fixlog

 

frst

 

Seeking advice from colleagues, thanks for your continued patience.

 

Standing by...any idea what could have gone wrong?

 

Waiting for a response. Do you have your Windows 7 DVD by chance? I'd like you to retry what I posted here a couple more times, preferably once you have booted from the Windows 7 DVD and entered System Recovery Options from it.

 

No I do not have the windows 7 dvd. It was preloaded and the only disks that came with the computer are drivers and utilities, application for cyberlink powerdvd, application for dell webcam, and microsoft works 9.

 

Ok, retry the sfc /scannow /offbootdir=c:\ /offwindir=c:\windows command using the built in System Recovery Options. Try it a couple of times.

 

I just contacted dell to send me the windows disk. I should receive it in 3 days. Tried the operation 2x and all I get is
Beginning system scan. This process will take some time.
Windows Resource Protection could not perform the requested operation.

 

Received the windows 7 disk...what do I need to do?

 

Inserted the windows 7 disk and preformed command (e is my os drive)
sfc /scannow /offbootdir=e:\ /offwindir=e:\windows
Beginning system scan. This process will take some time.
Windows Resource Protection could not perform the requested operation.

 

Hi Tiffany,

I'm very sorry for the delay.

We have a couple of ideas so let's try idea #1..

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

• Save fixlist.txt to your flash drive.
• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

 

fixlog attached. Still boots to startup repair

 

Is there a way you can see the other boot options using F8 prior to boot?
Now we're uncertain what is causing the boot issue because the system64 and reparse points are both gone according to your logs.

When your computer is booting up, try pressing the F8 key repeatedly to see if you can get a screen like this:

http://www.sevenforums.com/attachments/tutorials/44121d1262006739t-advanced-boot-options-advanced_boot_options.jpg
Bigger picture ==> http://www.sevenforums.com/attachme...vanced-boot-options-advanced_boot_options.jpg

 

It doesn't do anything when pressing f8 except go to the startup repair. It does give me two options in the lower right corner when starting up f2 setup and f12 boot options. I tried f12 to boot from CD drive with the windows 7 disk installed--it goes to a windows install screen, if I install will it loose all my information?

 

It depends. If you delete/format the existing partition, then you will lose all data. However, if you install Windows 7 on a NEWLY CREATED partition (not your existing OS!!), then it should make a clean install and you should able to access your old partition's data files as well.

 

I went to install now. Given 2 options Upgrade and custom. Went to custom it says:
Where do you want to install Windows?
name total size free space type
Disk 0 partition 1 100.0 MB 91.0 MB OEM(Reserved)
Disk 0 partition 2 9.8 GB 5.4 GB System
Disk 0 partition 3:OS 58.6 GB 9.5 GB Primary
Disk 0 partition 4 229.6 GB 213.3 GB Logical

refresh drive options (advanced)
load driver

The recommended free space for installation is 17256 MB.

Next

 

Drive Options (Advanced) => New

On the new partition (you will have to enter its size) is where you would Install.