I have another thread pending for my first sick computer, but I am also seeking help for an Acer Aspire running Windows Vista.
In short, I believe I may have transferred a rootkit from the first (Dell XP) computer to this Acer through a memory stick. The other computer had been receiving messages from Combofix detecting rootkit activity, even after reinstalling XP from disk (didn't realize I wasn't supposed to run Combofix before I posted about that computer).
Shortly after the memory stick was moved to the Acer Vista computer (yes, I am an idiot), I got a message from the new computer that the boot information had been changed.
"Warning: The boot devices have been changed. BBS boot priority will be affected. Please enter setup to check."
Soon afterward, I got error messages from Windows update that I did not have the necessary permissions to update, even though I was the administrator for the computer.
Then the computer alerted me that unauthorized changes had been made to Windows and I would no longer receive notifications. I could not log into my account, and Windows informed me that my account had been disabled.
I tried to restore to factory settings several times using Acer's recovery program. I do not have a disk, so used the "restore to factory settings" option in Acer. Each time, the problems eventually recurred. I was able to get online a few times and download updates before being shut out. McAfee Stinger found an Artemis virus and deleted about 50 to 75 files. It also noted two boot sectors????? Following directions I found online, I even attempted to flash the bios and then reinstall, but I am not sure if the bios flash was successful, because problems recurred.
During this process (I am sorry I don't remember the sequence), I got a black screen a couple of times, stating that the disk was invalid.
I also got a blue screen, with the following message:
BC Code 1000007e
os Version 6-0-6000
Service Pack 0
I was given the option to do startup repair during one reboot. When I tried to run it, I got the following message:
Startup repair cannot repair this computer.
Problem Event Name: Startup Repair V2
Problem Signature 01 - Auto Fallover
Problem Signature 02 - 6.0.6000.16318.104.22.16801.18000
Problem Signature 03 - 2
Problem Signature 04 - 65537
Problem Signature 05 - Unknown
Problem Signature 06 - Bad Patch
Problem Signature 07 - 0
Problem Signature 08 - 3
Problem Signature 09 - Wrp Repair
I just restored to factory settings again. I noticed that during the system install, a command box appeared on the screen with writing on it. It was something in system32, but it disappeared so quickly I could not read it.
Upon arrival to my desktop for the first time, I entered the Control Panel and then the Event log and noticed many errors and alerts, including the following:
Security Auditing - Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\srtsp.sys
The audit log was cleared
Log Name: Security (Date from 2006????!)
A logon was attempted using explicit credentials
Special privileges assigned to new logon.
Windows firewall was unable to notify the user that it blocked an application from accepting incoming connections onthe network (this message appeared prior to setting up networking)
The event logging service has shut down
An attempt was made to register a security event service.
IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 9, function 0.
IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 11, function 0.
IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 12, function 0.
Windows Defender has detected changes. Microsoft recommends that you analyze the software that made these changes for potential risks.
The process C:\Windows\system32\winlogon.exe has initiated the restart of computer on behalf of user....No title for this reason could be found.
The Netbios name and DNS host of this machine have been changed from ....... to ......
The shadow copies of volume .......... were aborted during detection.
******There are about 50 notifications about USER PnP.**********
I am not even sure which alerts may be important and which aren't, and where to start to address these problems. I am sorry if I have cluttered this post with unnecessary information. Please, I would be very grateful for any help you can give.
Edited by pacificdenizen, 29 May 2011 - 11:16 AM.