also @ TechSpot: Intel says Haswell will improve battery life by 50 percent

Pretty sure I have Rootkit.ZeroAccess on my computer

Discussion in 'Virus and Malware Removal' started by Syreynna, Jun 25, 2012.

Post New Reply
Page 2 of 7

  1. Syreynna Newcomer, in training Posts: 73

    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points (XP) =====================
    RP: -> 2012-06-25 02:08 - 028672 _restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2786
    RP: -> 2012-06-24 06:08 - 028672 _restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2785
    RP: -> 2012-06-23 20:15 - 028672 _restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2784

    ========================= Memory info ======================
    Percentage of memory in use: 24%
    Total physical RAM: 3070.09 MB
    Available physical RAM: 2312.59 MB
    Total Pagefile: 2894.75 MB
    Available Pagefile: 2359.29 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2001.55 MB
    ======================= Partitions =========================
    1 Drive b: (RAMDisk) (Fixed) (Total:0.5 GB) (Free:0.5 GB) FAT
    2 Drive c: (Local Disk) (Fixed) (Total:69.79 GB) (Free:27.53 GB) NTFS ==>[Drive with boot components (Windows XP)]
    3 Drive d: () (Removable) (Total:3.8 GB) (Free:3.79 GB) FAT32
    4 Drive e: (Sims3) (CDROM) (Total:5.54 GB) (Free:0 GB) UDFFS10
    5 Drive f: (New Volume) (Fixed) (Total:465.76 GB) (Free:341.46 GB) NTFS
    6 Drive x: (UBCD4Windows) (CDROM) (Total:0.63 GB) (Free:0 GB) CDFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 74 GB 0 B
    Disk 1 Online 466 GB 0 B *
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 55 MB 32 KB
    Partition 2 Primary 70 GB 55 MB
    Partition 3 Unknown 4754 MB 70 GB
    ======================================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 FAT Partition 55 MB Healthy
    ======================================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 C Local Disk NTFS Partition 70 GB Healthy
    ======================================================================================================
    Disk: 0
    Partition 3
    Type : DB
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 FAT32 Partition 4754 MB Healthy
    ======================================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Dynamic Data 466 GB 32 KB
    ======================================================================================================
    Disk: 1
    Partition 1
    Type : 42
    Hidden: Yes
    Active: No
    There is no volume associated with this partition.
    ======================================================================================================
    ======================= End Of Log ==========================
    Syreynna, Jun 26, 2012
    #21

  2. Broni Malware Annihilator Posts: 39,391   +177

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next....

    Restart normally.

    Delete your Combofix file, download fresh one and try to run it again.

    Attached Files:

    Broni, Jun 26, 2012
    #22

  3. Syreynna Newcomer, in training Posts: 73

    How do I boot into the UBCD? Also.. Does the usb have to be able to try and run during boot up like the cdrom drive did?
    Syreynna, Jun 26, 2012
    #23

  4. Syreynna Newcomer, in training Posts: 73

    oh, that was a total derp moment. that's the cd ive been working off of ><
    Syreynna, Jun 26, 2012
    #24

  5. Broni Malware Annihilator Posts: 39,391   +177

    Follow very steps you just did to create FRST report.
    Make sure you save fixlist.txt to the very same USB stick.
    This time you'll click on "Fix" button instead of "Scan" button.
    Broni, Jun 26, 2012
    #25

  6. Broni Malware Annihilator Posts: 39,391   +177

    LOL
    Broni, Jun 26, 2012
    #26
     

  7. Syreynna Newcomer, in training Posts: 73

    Bsod when trying to run normally(posting from ipad). Do you want me to run the ubcd and post the fix log?
    Syreynna, Jun 26, 2012
    #27

  8. Broni Malware Annihilator Posts: 39,391   +177

    Yes please.
    Broni, Jun 26, 2012
    #28

  9. Syreynna Newcomer, in training Posts: 73

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-06-2012 01
    Ran by SYSTEM at 2012-06-26 22:35:41 Run:1
    Running from D:\
    ==============================================
    HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
    C:\Windows\System32\consrv.dll not found.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\\Default value was restored successfully .
    C:\Windows\$NtUninstallKB56711$ moved successfully.
    ==== End of Fixlog ====
    Syreynna, Jun 26, 2012
    #29

  10. Broni Malware Annihilator Posts: 39,391   +177

    See if you can boot to safe mode.
    Broni, Jun 26, 2012
    #30

  11. Syreynna Newcomer, in training Posts: 73

    A very sad blue screen!
    Syreynna, Jun 26, 2012
    #31

  12. Broni Malware Annihilator Posts: 39,391   +177

    Delete current "fixlist.txt" file from your USB flash drive.

    Then....

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Attached Files:

    Broni, Jun 26, 2012
    #32

  13. Syreynna Newcomer, in training Posts: 73

    Is it fine if I just copy it and paste it while I'm in ubcd mode or write it in manually? Or would youlike me to wait until I can download on a clean computer? I don't have access to another computer witha usb drive currently since I was using my neighbors computer and they are now sleeping!
    Syreynna, Jun 26, 2012
    #33

  14. Broni Malware Annihilator Posts: 39,391   +177

    That's fine.
    Broni, Jun 26, 2012
    #34

  15. Syreynna Newcomer, in training Posts: 73

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-06-2012 01
    Ran by SYSTEM at 2012-06-26 23:57:20 Run:2
    Running from D:\
    ==============================================

    ========= fixmbr =========
    'fixmbr' is not recognized as an internal or external command,
    operable program or batch file.
    ========= End of CMD: =========

    ========= fixboot =========
    'fixboot' is not recognized as an internal or external command,
    operable program or batch file.
    ========= End of CMD: =========

    ==== End of Fixlog ====
    Syreynna, Jun 27, 2012
    #35

  16. Broni Malware Annihilator Posts: 39,391   +177

    We need to use the Recovery Console to try to fix your issue.

    • You'll need to find your Windows XP installation disk.
    • Insert the Windows XP CD into the CD-ROM drive, then restart your computer.
    • If prompted, click any options that are required to start the computer from the CD-ROM drive.
    • When the Welcome to Setup screen appears, press R to start the Recovery Console.
    • The Recovery Console will start and ask you which Windows installation you would like to log on to.
      • If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.
    • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
    • You will now be presented with a C:\Windows> prompt
    • Type with an Enter after each line:

    • fixmbr

      fixboot

      exit
    • Restart computer.

    ************************

    If you don't have Windows CD...
    Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
    Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
    Using Imgburn, burn rc.iso to a CD.
    Boot to the CD...let it finish loading.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    Broni, Jun 27, 2012
    #36

  17. Syreynna Newcomer, in training Posts: 73

    It's not asking me which windows installations or for the admin password. It just came up with its thing about how rc provides system repair and recovery functionality and then thecommand prompt c:\> after I hit R. Should I still proceed as instructed? :)
    Syreynna, Jun 27, 2012
    #37

  18. Broni Malware Annihilator Posts: 39,391   +177

    Go ahead.
    Broni, Jun 27, 2012
    #38

  19. Syreynna Newcomer, in training Posts: 73

    It's asking if I am sure I want to write a new boot sector for the c drive? I am assuming yes since mine won't even work anyways.
    Syreynna, Jun 27, 2012
    #39

  20. Broni Malware Annihilator Posts: 39,391   +177

    Yes.
    Broni, Jun 27, 2012
    #40
Page 2 of 7

Add New Comment

Social Login & Guest Posting

TechSpot Members
Login here or sign up for free,
it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.