So after it’s done downloading, I burn this ISO image and FRST64 to the CD, then run this instead of that Reatogo environment? Then after the scan there, how do I burn that txt result file back to the CD from the RC?
From the RC you should be able to copy it to the CD … I will check to see if there are additional commands required…
One other thing to try is to use the CD and select startup repair initially, to see if that can get us part way in.
Just to let you know, it does boot into Windows, but after everything is loaded up, a popup appears that says critical error, will restart in 1 min. Would a repair still be needed?
Can you get to safe mode? I was under the impression it was looping.
I can get to safe mode, but it does the same thing with that popup that then reboots the PC after 1 min, so I can’t really do any scanning from within Windows.
Try a startup repair then - is the warning NT access perchance, or just critical error?
Also, within that minute have you tried shutdown /a from an elevated command prompt?
Critical error, but it doesn’t look like a standard Windows error; it is using the Aero theme though. It says to save any work and stuff like that, when the current AV (MSE) tries to automatically remove it.
Haven’t tried that. After shutdown /a it still reboots.
Without logging into Windows, it reboots itself with no error message.
Is there any way you can disable MSE before it removes it, or tell it to ignore it?
I tried; MSE still tries.
OK, there are options that you could try:
Either use FRST and read the log.
Let me know if there are any references to ZA or ZeroAccess.
Or from the recovery console, select System Restore to a point prior to the malware infection.
I think the ZA first installed itself in January, according to the directory, which couldn’t be deleted, but I eventually did. It was under c:\windows\installer\ and called {0d5f61ab-623a-4f10-8749-5309355bb099}.
Or call it a day, and I’ll have a flash drive tomorrow, so I could post the OTL logs and continue from Reatogo.
OK, run OTLPE.
Look down the log and you will see entries similar to c:\windows\installer\{0d5f61ab-623a-4f10-8749-5309355bb099}
Also check this area:
O38 - SubSystems\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\Windows: (ServerDll=sxssrv,4)
If the red element is consrv then put that line in its entirety there as well, in this format:
O38 - SubSystems\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
If so, in the OTLPE Custom Scans and Fixes box copy the folder path only, as we will delete it in its entirety,
like so:
c:\windows\installer\{0d5f61ab-623a-4f10-8749-5309355bb099}
Similar to this one: http://forum.avast.com/index.php?topic=99747.0
Once you have entered it into the box, press Run Fix.
On completion, try to boot back to Windows.
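As an added defender-side example, not from this thread or from OTL/FRST, here is a small Python check in the spirit of the O38 SubSystems lines above: it parses the SubSystems\Windows value, compares each ServerDll module against the stock set (basesrv, winsrv, sxssrv; an assumption for Windows 7-era systems) and reports anything else, such as consrv, in O38 style. The sample values are constructed; on Windows the helper can also read the live registry value.

```python
"""Flag unexpected ServerDll entries in the Windows SubSystems value.

ZeroAccess/Sirefef-style tampering replaces the console server entry
(winsrv:ConServerDllInitialization) with a rogue consrv module, which is
what the O38 line in an OTL log shows. This script parses the value and
reports any ServerDll module that is not in the expected set.
"""
from __future__ import annotations

import re
from typing import Optional

# Registry location of the real value (assumption: Vista/7-era layout).
SUBSYSTEMS_SUBKEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"

# Stock ServerDll modules on a clean system (assumption, Windows 7 x64).
EXPECTED_SERVERDLLS = {"basesrv", "winsrv", "sxssrv"}

# Constructed sample: a clean Windows 7 style value, and a tampered copy.
CLEAN = (r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
         "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
         "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
         "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
         "ProfileControl=Off MaxRequestThreads=16")
TAMPERED = CLEAN.replace("ServerDll=winsrv:ConServerDllInitialization,2",
                         "ServerDll=consrv:ConServerDllInitialization,2")

_SERVERDLL = re.compile(r"ServerDll=([^\s,:]+)(?::([^\s,]+))?,(\d+)")


def parse_serverdlls(value: str) -> list[tuple[str, str, str]]:
    """Return (module, init_function, index) for each ServerDll=... token."""
    return [(m.group(1).lower(), m.group(2) or "", m.group(3))
            for m in _SERVERDLL.finditer(value)]


def suspicious_serverdlls(value: str) -> list[str]:
    """Return O38-style lines for ServerDll modules outside the expected set."""
    findings = []
    for module, func, index in parse_serverdlls(value):
        if module not in EXPECTED_SERVERDLLS:
            entry = f"{module}:{func}" if func else module
            findings.append(f"O38 - SubSystems\\Windows: (ServerDll={entry},{index})")
    return findings


def read_live_value() -> Optional[str]:
    """On Windows, read the real SubSystems\\Windows value; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBSYSTEMS_SUBKEY) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
        return value


if __name__ == "__main__":
    target = read_live_value() or TAMPERED  # falls back to the constructed sample
    print("\n".join(suspicious_serverdlls(target)) or "no unexpected ServerDll entries")
```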
Microsoft Safety Scanner actually deleted some items before (a few days ago), and I was able to manually delete this folder in Installer. Should I still check for this line?
I’m going to go look for that line, then call it a day. I’ll be back same time tomorrow with the flash drive, and will continue from that point.
I searched for winsrv, consrv, and that 0d5f61ab… and nothing found. I’ll have a flash drive tomorrow; I’ll be here same time, will post OTL and those 2 other logs.
Thanks for your help today.
If you use the flash drive then FRST will be the best option… Talking to OT, he has not yet updated OTLPE to the latest version.
OK, got the flash drive. More than enough space. MSE finds Trojan Win64 Win64/Sirefef.Y, and it says System32 Services.exe C:\windows\sys32\services.exe->731.