I downloaded Avast due to a nasty problem on my laptop. After a boot scan failed, I am getting blue screen and %hs missing. I have tried the AVG recovery disk fix, with no luck. I ran FRST.exe, and here is my FRST.txt. I am in need of a fix file for this.
Hi,
WARNINGUnfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identify theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.
Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.
If you would like to format and reinstall your Operating System please let me know and we can assist you with that.
If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.
Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2
Note: It is important that it is saved directly to your desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.
First, I am running everything from elevated cmd prompt using windows 7 repair disk.
Second, when I try to run combofix as administrator, it fails: Extract: error writing to file list.bat
My computer is not booting up, so I am limited with what I can do from here. I would like to continue trying to fix, though if possible.
After rebooting back to repair disk and cmd prompt, Combofix loads, but then warns me not to run in compatability mode. So it appears I can’t run combofix without getting the pc to actually boot up to desktop.
here is the combofix log. stuck with safe mode, regular boot gives me blue screen, windows failed to load correctly.
Hi,
Let’s work with FRST since ComboFix right now seems to be giving you some problems.
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
2 a016mdfl; C:\Windows\System32\usrbridg.dll [6656 2009-07-13] (Oak Technology Inc.)
NETSVC: a016mdfl
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 20-05-2012
Ran by SYSTEM at 2012-05-22 22:59:09 Run:1
Running from F:\
==============================================
HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager\SubSystems\Windows Value was restored.
a016mdfl service deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs a016mdfl Deleted successfully.
The operation completed successfully.
The operation completed successfully.
==== End of Fixlog ====
Ok…Good job!!
Now run a new scan with ComboFix in Normal Mode if possible. If not you can run it in Safe Mode. Attach the new log that is made.
ComboFix log attached. Have to run in safe mode. Normal boot starts chkdisk, then that stops and says it was cancelled. Then I get blue screen, says a problem occured and windows has to shut down, with a counter on the bottom counting up to 100, then reboot and endless cycle of that. Safe mode opens fine.
Running MBAM, OTL, and aswMBR. Logs to follow. Also found a post on how to turn off auto chkdisk. Did that, and now I can boot Windows normal (not safe mode). PC running slow right now, but it is booted up.
OTL and aswMBR logs. MBAM keeps stopping during run, it just hangs up. Been running for 4 hours now, and still not even close to done.
Hi,
Thanks for the malware logs but please only run what is asked. Even with the best of intentions, some of our tools may remove something that we do not want and would need to see to remove the infection on the system. Thanks.
Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{9DD68AF1-0860-429F-B9AA-7AF7FBE75DBA}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscql
IE - HKLM\..\SearchScopes\{9DD68AF1-0860-429F-B9AA-7AF7FBE75DBA}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscql
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
[2012/05/17 08:54:44 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll ()
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll ()
[2012/05/14 20:10:53 | 000,000,000 | ---D | C] -- C:\Users\Steven\AppData\Roaming\IObit
[2012/05/14 20:10:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IObit
[6 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]
[2012/01/01 23:40:48 | 000,008,900 | -HS- | C] () -- C:\ProgramData\qdc6io7rx11746o6u722u7
[2012/01/01 23:12:18 | 000,008,522 | -HS- | C] () -- C:\ProgramData\l26k8yy406d1pq25721uxtt37hrj487rs5n2
[2012/01/01 00:40:01 | 000,009,840 | -HS- | C] () -- C:\ProgramData\vh76r2cm27r
[2011/12/31 02:25:03 | 000,008,060 | -HS- | C] () -- C:\ProgramData\1pwc3wym24u02vu4m8ncko
[2011/12/22 23:50:11 | 000,010,470 | -HS- | C] () -- C:\ProgramData\onyjp1hx77po832tr117ov1g77b1s
[2012/05/14 20:10:53 | 000,000,000 | ---D | M] -- C:\Users\Steven\AppData\Roaming\IObit
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
Sorry, I was running the recommended programs in the Forum Sticky for Malware removal while waiting for a reply. I will run these 2 and post logs soon.
Here is the OTL fix log and the OTL log from after the scan.
Hi,
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/CQNOT/1
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {87F72B24-3242-416F-BF68-8B2044310431}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{87F72B24-3242-416F-BF68-8B2044310431}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{9DD68AF1-0860-429F-B9AA-7AF7FBE75DBA}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscql
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/CQNOT/1
IE - HKLM\..\SearchScopes,DefaultScope = {87F72B24-3242-416F-BF68-8B2044310431}
IE - HKLM\..\SearchScopes\{87F72B24-3242-416F-BF68-8B2044310431}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
O2:[b]64bit:[/b] - BHO: (no name) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No CLSID value found.
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll ()
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
Malwarebytes
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
Please run a free online scan with the ESET Online Scanner
[i]Note: You will need to use Internet Explorer for this scan[/i]
[*]Tick the box next to YES, I accept the Terms of Use
[*]Click Start
[*]When asked, allow the ActiveX control to install
[*]Click Start
[*]Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
[*]Click Scan (This scan can take several hours, so please be patient)
[*]Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner[b]log.txt
[*]Copy and paste that log as a reply to this topic
In your next reply please attach the logs created by OTL, Malwarebytes and ESET online scanner.