Ok, let's give this a try, as part of the fix is going to require running in Safe Mode.
Download avz4en.zip here - it may be a slow download so be patient.
Unzip it to a folder on your desktop.
Double click on AVZ.exe.
Click on File - System Recovery.
Put a checkmark next to "10. Restore SafeBoot registry keys"
Click on Execute selected operations (if you get a warning asking you to continue, click the "ok" button to the left in the display - the software source is written in Russian so may not translate correctly). Once completed click OK - Close and close AVZ Antiviral Toolkit (do not use this for any other purposes there to avoid damaging your system).
Then reboot, allow a full startup and next reboot into Safe Mode.
-------------------------------------------------------------------------------------------------------
You May Want To Add the following instructions to a Notepad file On your Desktop
1) Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
2) Use Task Manager to terminate the worm process (it may be called "hidr.exe" or "srosa.sys").
3) Delete the following files if there:
C:\Windows\System32\drivers\srosa.sys
C:\Windows\System32\drivers\hidr.exe
C:\Windows\svchost.exe
4) Select Start - Search -> search for both srosa.sys and hidr.exe; if either is found, delete all instances of them
5) Select Start - Run - Type regedit
* Delete the following parameter only if there:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit" = "%System%\drivers\hidr.exe"
6) Delete the following registry key:
[HKCU\Software\FirstRRRun]
7) Delete the following folder and its contents:
Run a scan only with Hijackthis and fix
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: BVWIFOLT - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\BVWIFOLT.exe (file missing)
O23 - Service: FNQT - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FNQT.exe (file missing)
O23 - Service: FXTISOL - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FXTISOL.exe (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: ZAXHQLNL - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ZAXHQLNL.exe (file missing)
-------------------------------------------------------------------------------------------------------------------------------------------------
Reboot to Normal Mode and post a fresh Hijackthis log and Deckard Scan log
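
As an added example (not part of the original post), a small Python parser for HijackThis-style lines like the six in the fix list above; it records whether each entry's file is reported missing and whether its path was under a Temp directory. The function names are this example's own, and the field layout is an assumption inferred from those six lines.

```python
import re
from typing import NamedTuple, Optional

# Constructed input: the six entries from the fix list in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: BVWIFOLT - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\BVWIFOLT.exe (file missing)
O23 - Service: FNQT - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FNQT.exe (file missing)
O23 - Service: FXTISOL - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FXTISOL.exe (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: ZAXHQLNL - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ZAXHQLNL.exe (file missing)
"""

LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
MISSING = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)  # also matches LOCALS~1\Temp

class Entry(NamedTuple):
    section: str   # e.g. O2, O23
    kind: str      # e.g. BHO, Service
    name: str
    target: str    # file path; empty when the log gives none
    missing: bool  # log says "(no file)" or "(file missing)"
    in_temp: bool  # target sits under a Temp directory

def parse_line(line: str) -> Optional[Entry]:
    m = LINE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    fields = rest.split(" - ")  # assumed layout: name - owner/CLSID - target
    last = fields[-1]
    target = MISSING.sub("", last).strip()
    return Entry(section, kind, fields[0], target,
                 bool(MISSING.search(last)), bool(TEMP_DIR.search(target)))

def parse_log(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e]

def orphaned_temp_services(entries) -> list:
    """Names of O23 services whose file was under Temp and is now missing."""
    return [e.name for e in entries
            if e.section == "O23" and e.missing and e.in_temp]

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e.section, e.name, "missing" if e.missing else "present",
              "temp" if e.in_temp else "-", sep=" | ")
```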