Infected with Zeroaccess Windows 7 Won't Boot, Black Screen


This topic is locked
9 replies to this topic

#1 mcfab


Posted 04 March 2014 - 09:55 PM

Hi

I have a Dell Vostro 470 running Windows 7 64-bit. Last week when I tried to log on, the Windows logo would appear, then it would just go to a black screen with a mouse pointer but not load Windows. Trying to start in safe mode etc. had the same result: black screen.

After trying startup repair, system restore, etc., nothing worked and I still have the black screen of death. Ran the diagnostic tests and the HDD is all good; ran chkdsk and all good. As I don't want to reinstall Windows, I searched online and came across a situation that is pretty much the same as mine, which Gringo helped solve, and it turned out it was ZeroAccess stopping Windows from loading.

So based on Gringo's advice to the other person I ran FRST and ListParts and bingo - ZeroAccess! I have attached the logs for you to look at. My problem is that because Windows won't load, how do I remove it? Using the Windows disc I can get to a command prompt, open Task Manager and Notepad. I'm just an average user so please be specific about what I need to do. I tried but couldn't get the DSS file to run.

Thanks in advance for your assistance.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-03-2014
Ran by SYSTEM on MININT-IIT8OS9 on 04-03-2014 13:33:47
Running from J:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6457960 2011-12-23] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1156712 2011-11-15] (Realtek Semiconductor)
HKLM\...\Run: [AtherosBtStack] - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\btvstack.exe [1023104 2012-12-27] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\athbttray.exe [801920 2012-12-27] (Atheros Commnucations)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-20] (Intel Corporation)
HKLM-x32\...\Run: [Dell DataSafe Online] - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-11-15] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM\...\InprocServer32: [Default-wbemess]  ATTENTION! ====> ZeroAccess?
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKU\Plasma\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_169_ActiveX.exe [513928 2013-06-20] (Adobe Systems Incorporated)

==================== Services (Whitelisted) =================

S2 hasplms; C:\Windows\system32\hasplms.exe [4412872 2012-08-22] (SafeNet Inc.)
S2 N360; C:\Program Files (x86)\Norton 360 Premier Edition\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
S2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [327296 2012-12-27] (Atheros)
S2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2012-12-25] (Atheros)

==================== Drivers (Whitelisted) ====================

S3 akshhl; C:\Windows\System32\DRIVERS\akshhl.sys [57088 2012-06-14] (SafeNet Inc.)
S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [296576 2012-06-14] (SafeNet Inc.)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20131101.003\BHDrvx64.sys [1524824 2013-10-22] (Symantec Corporation)
S1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1404000.028\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-11-03] (Symantec Corporation)
S2 hardlock; C:\Windows\system32\drivers\hardlock.sys [323584 2012-10-05] (SafeNet Inc.)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20131110.002\IDSvia64.sys [521816 2013-10-31] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20131110.004\ENG64.SYS [126040 2013-11-03] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20131110.004\EX64.SYS [2099288 2013-11-03] (Symantec Corporation)
S3 SRTSP; C:\Windows\system32\drivers\N360x64\1404000.028\SRTSP64.SYS [796760 2013-05-15] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\N360x64\1404000.028\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\N360x64\1404000.028\SYMDS64.SYS [493656 2013-05-20] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\N360x64\1404000.028\SYMEFA64.SYS [1139800 2013-05-22] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-11-02] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360x64\1404000.028\Ironx64.SYS [224416 2012-07-27] (Symantec Corporation)
S1 SymNetS; C:\Windows\system32\drivers\N360x64\1404000.028\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-03-04 13:33 - 2014-03-04 13:33 - 00000000 ____D () C:\FRST
2014-03-03 17:46 - 2014-03-03 17:46 - 00003224 ____N () C:\bootsqm.dat
2014-02-27 13:01 - 2014-03-04 09:52 - 00000000 ____D () C:\Windows\Minidump

==================== One Month Modified Files and Folders =======

2014-03-04 13:33 - 2014-03-04 13:33 - 00000000 ____D () C:\FRST
2014-03-04 12:34 - 2013-07-17 20:30 - 00000000 ____D () C:\users\Plasma
2014-03-04 12:34 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\servicing
2014-03-04 12:34 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-03-04 12:34 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\AppCompat
2014-03-04 09:52 - 2014-02-27 13:01 - 00000000 ____D () C:\Windows\Minidump
2014-03-03 17:46 - 2014-03-03 17:46 - 00003224 ____N () C:\bootsqm.dat
2014-03-03 17:43 - 2013-06-20 22:49 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-03-03 17:43 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-03 17:42 - 2013-06-21 13:23 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-02-26 15:48 - 2013-06-20 23:00 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-02-26 15:48 - 2013-06-20 23:00 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-02-12 14:06 - 2013-07-17 20:49 - 00000000 ____D () C:\Users\Plasma\AppData\Local\CrashDumps
2014-02-04 15:07 - 2013-06-20 22:30 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-04 14:50 - 2009-07-13 20:45 - 00021312 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-04 14:50 - 2009-07-13 20:45 - 00021312 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-04 14:47 - 2009-07-13 21:13 - 00778834 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-02-04 14:46 - 2013-06-21 13:22 - 01744718 _____ () C:\Windows\WindowsUpdate.log
2014-02-04 14:42 - 2009-07-13 20:51 - 00052825 _____ () C:\Windows\setupact.log
2014-02-03 13:52 - 2013-08-29 16:17 - 00000000 ____D () C:\Users\Public\Documents\Procut 8.5

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-10-17 14:09:57
Restore point made on: 2013-10-27 15:23:38
Restore point made on: 2013-11-03 15:45:27
Restore point made on: 2013-11-10 16:47:23
Restore point made on: 2013-11-17 20:25:25
Restore point made on: 2013-11-25 19:17:08
Restore point made on: 2013-12-03 14:17:34
Restore point made on: 2013-12-11 13:30:27
Restore point made on: 2014-01-12 18:32:02
Restore point made on: 2014-01-20 15:58:28
Restore point made on: 2014-01-28 13:46:34
Restore point made on: 2014-02-04 15:21:08
Restore point made on: 2014-02-12 15:37:01
Restore point made on: 2014-02-20 14:31:00
Restore point made on: 2014-02-24 19:00:56
Restore point made on: 2014-02-26 20:41:15

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 8152.95 MB
Available physical RAM: 7177.75 MB
Total Pagefile: 8151.14 MB
Available Pagefile: 7184.31 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:1850.73 GB) (Free:1804.13 GB) NTFS
Drive e: (Mar 04 2014) (CDROM) (Total:0.56 GB) (Free:0.56 GB) UDF
Drive j: () (Removable) (Total:0.97 GB) (Free:0.4 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:12.25 GB) (Free:4.62 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 02B6F3AD)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=-211818643456) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 990 MB) (Disk ID: 0019E5B3)
Partition 1: (Active) - (Size=990 MB) - (Type=06)

LastRegBack: 2014-02-19 13:34

==================== End Of Log ============================
ListParts by Farbar Version: 19-02-2014
Ran by SYSTEM (administrator) on 04-03-2014 at 13:37:33
Windows 7 (X64)
Running From: J:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 8152.95 MB
Available physical RAM: 7277.91 MB
Total Pagefile: 8151.14 MB
Available Pagefile: 7268.29 MB
Total Virtual: 8192 MB
Available Virtual: 8191.92 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:1850.73 GB) (Free:1804.13 GB) NTFS
2 Drive e: (Mar 04 2014) (CDROM) (Total:0.56 GB) (Free:0.56 GB) UDF
7 Drive j: () (Removable) (Total:0.97 GB) (Free:0.4 GB) FAT
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
9 Drive y: (RECOVERY) (Fixed) (Total:12.25 GB) (Free:4.62 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online         1863 GB      0 B        
  Disk 1    No Media           0 B      0 B        
  Disk 2    No Media           0 B      0 B        
  Disk 3    No Media           0 B      0 B        
  Disk 4    No Media           0 B      0 B        
  Disk 5    Online          990 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 02B6F3AD

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             12 GB    40 MB
  Partition 3    Primary           1850 GB    12 GB

======================================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 8                      FAT    Partition     39 MB  Healthy    Hidden 

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   RECOVERY     NTFS   Partition     12 GB  Healthy           

======================================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition   1850 GB  Healthy           

======================================================================================================

Partitions of Disk 5:
===============

Disk ID: 0019E5B3

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            989 MB    16 KB

======================================================================================================

Disk: 5
Partition 1
Type  : 06
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 7     J                FAT    Removable    989 MB  Healthy           

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 02B6F3AD
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=-211818643456) - (Type=07 NTFS)

==============================
Partitions of Disk 5:
===============
Disk ID: 0019E5B3
Partition 1: (Active) - (Size=990 MB) - (Type=06)

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=Y:
description             Windows Boot Manager
locale                  en-us
inherit                 {globalsettings}
default                 {default}
resumeobject            {22dfc870-dab5-11e2-9b6f-b8ca3a83a181}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-us
inherit                 {bootloadersettings}
recoverysequence        {4867b0e4-da40-11e2-818b-bc8556311ca0}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {22dfc870-dab5-11e2-9b6f-b8ca3a83a181}
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {4867b0e4-da40-11e2-818b-bc8556311ca0}
device                  ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{4867b0e5-da40-11e2-818b-bc8556311ca0}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{4867b0e5-da40-11e2-818b-bc8556311ca0}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {22dfc870-dab5-11e2-9b6f-b8ca3a83a181}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {4867b0e5-da40-11e2-818b-bc8556311ca0}
description             Ramdisk Options
ramdisksdidevice        partition=Y:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi

****** End Of Log ******


Edited by mcfab, 04 March 2014 - 10:38 PM.



#2 TB-Psychotic (Malware Response Team)

Posted 05 March 2014 - 03:00 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

I'm currently reviewing your log, please be patient with me.



#3 TB-Psychotic (Malware Response Team)

Posted 05 March 2014 - 03:16 AM

Fix with FRST (Recovery Environment)

  • Open Notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt

    HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
    HKLM\...\InprocServer32: [Default-wbemess]  ATTENTION! ====> ZeroAccess?
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Boot into Windows now!

Combofix

Combofix should only be run when advised by a team member!

Link

Important - Save the file to your desktop!

  • Deactivate any and all of your antivirus programs / spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe

When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


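Added example (not part of the thread, and not FRST's own code): a Python parser for the FRST log lines this fix is built from. It splits the "Registry (Whitelisted)" section of the scan log into records, picks out the entries FRST marked ATTENTION! ====> ZeroAccess?, and reads the Fixlog FRST writes afterwards so a reviewer can confirm that each flagged InprocServer32 default value was reported as restored. The regexes are inferred from the log excerpts in this thread rather than from any FRST specification, and the sample input is copied from the scan log and Fixlog posted here.

```python
"""Parse FRST log excerpts: pull out ATTENTION! entries and cross-check a Fixlog."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional
# Line shapes are inferred from the logs in this thread, not from an FRST specification.
# Scan log: "HKLM\...\Run: [Name] - C:\path\file.exe [size date] (Publisher)"
ENTRY_RE = re.compile(r"^(?P<key_path>HK[^:]+): \[(?P<name>[^\]]+)\]\s*(?P<rest>.*)$")
DETAIL_RE = re.compile(r"^- (?P<image>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$")
ATTENTION_RE = re.compile(r"ATTENTION!\s*=+>\s*(?P<suspect>.+?)\??$")
SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
# Fixlog: "<registry target> => <result>."
FIXLOG_RE = re.compile(r"^(?P<target>HK.+?) => (?P<result>.+?)\.?$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class RegistryEntry:
    key_path: str
    name: str
    image: Optional[str] = None
    size: Optional[int] = None
    date: Optional[str] = None
    publisher: Optional[str] = None
    suspect: Optional[str] = None  # text after "ATTENTION! ====>", e.g. "ZeroAccess"

    @property
    def flagged(self) -> bool:
        return self.suspect is not None

@dataclass
class FixResult:
    target: str
    result: str
    clsid: Optional[str]  # CLSID found in the target path, if any

def section(log: str, title: str) -> list[str]:
    """Non-empty lines of the FRST section whose banner contains `title`."""
    out, inside = [], False
    for line in log.splitlines():
        if m := SECTION_RE.match(line.strip()):
            inside = title in m.group("title")
        elif inside and line.strip():
            out.append(line.rstrip())
    return out

def parse_registry_entry(line: str) -> Optional[RegistryEntry]:
    if not (m := ENTRY_RE.match(line)):
        return None
    entry = RegistryEntry(key_path=m.group("key_path"), name=m.group("name"))
    rest = m.group("rest").strip()
    if d := DETAIL_RE.match(rest):  # ordinary autorun entry with an image path
        entry.image, entry.size = d.group("image"), int(d.group("size"))
        entry.date, entry.publisher = d.group("date"), d.group("publisher")
    if a := ATTENTION_RE.search(rest):  # entry FRST itself marked as suspicious
        entry.suspect = a.group("suspect")
    return entry

def parse_registry_section(log: str) -> list[RegistryEntry]:
    return [e for e in map(parse_registry_entry, section(log, "Registry")) if e]

def parse_fixlog(fixlog: str) -> list[FixResult]:
    results = []
    for line in fixlog.splitlines():
        if m := FIXLOG_RE.match(line.strip()):
            c = CLSID_RE.search(m.group("target"))
            results.append(FixResult(m.group("target"), m.group("result"), c.group(0) if c else None))
    return results

def triage(frst_log: str, fixlog: str) -> dict:
    """Summarise what FRST flagged and whether the fix run dealt with it."""
    entries = parse_registry_section(frst_log)
    fixes = parse_fixlog(fixlog)
    flagged = [e for e in entries if e.flagged]
    # A hijacked COM server shows up as a rewritten InprocServer32 default value and a repair is
    # reported as "restored". The scan log abbreviates the key path, so the cross-check is by count.
    restored = [f for f in fixes if "restored" in f.result and "InprocServer32" in f.target]
    return {
        "flagged": [(e.name, e.suspect) for e in flagged],
        "inproc_restored": [f.clsid for f in restored],
        "all_flags_addressed": len(restored) >= len(flagged),
        "fix_failures": [f.target for f in fixes if "successfully" not in f.result],
    }

# Constructed sample input: lines copied from the FRST scan log and Fixlog posted in this thread.
SAMPLE_FRST = r"""==================== Registry (Whitelisted) ==================
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6457960 2011-12-23] (Realtek Semiconductor)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM\...\InprocServer32: [Default-wbemess]  ATTENTION! ====> ZeroAccess?
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
==================== Services (Whitelisted) =================
S2 hasplms; C:\Windows\system32\hasplms.exe [4412872 2012-08-22] (SafeNet Inc.)
"""
SAMPLE_FIXLOG = r"""HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore => Value deleted successfully.
HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => Value was restored successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
"""
if __name__ == "__main__":
    print(triage(SAMPLE_FRST, SAMPLE_FIXLOG))
```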

#4 mcfab (Topic Starter)

Posted 05 March 2014 - 04:02 PM

Hi Marius

I ran the FRST script and the log is below. After running the script I could not boot into Windows in any mode, e.g. normal, safe, etc.; I just keep getting the black screen after the Windows logo appears.

I did not run ComboFix but ran the FRST scan again; the log is also below.

Please advise what the next step should be. If you think the only fix is to reinstall Windows, please let me know. I would rather not do this but understand it could be the only way to fix whatever the issue is.

Thank you for your assistance.

Karen

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-03-2014
Ran by SYSTEM at 2014-03-06 07:34:21 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM\...\InprocServer32: [Default-wbemess]  ATTENTION! ====> ZeroAccess?
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore => Value deleted successfully.
HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => Value was restored successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.

==== End of Fixlog ====
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-03-2014
Ran by SYSTEM on MININT-L2BSG9U on 06-03-2014 07:52:56
Running from I:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6457960 2011-12-23] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1156712 2011-11-15] (Realtek Semiconductor)
HKLM\...\Run: [AtherosBtStack] - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\btvstack.exe [1023104 2012-12-27] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\athbttray.exe [801920 2012-12-27] (Atheros Commnucations)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-20] (Intel Corporation)
HKLM-x32\...\Run: [Dell DataSafe Online] - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-11-15] (Adobe Systems Incorporated)
HKU\Plasma\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_169_ActiveX.exe [513928 2013-06-20] (Adobe Systems Incorporated)

==================== Services (Whitelisted) =================

S2 hasplms; C:\Windows\system32\hasplms.exe [4412872 2012-08-22] (SafeNet Inc.)
S2 N360; C:\Program Files (x86)\Norton 360 Premier Edition\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
S2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [327296 2012-12-27] (Atheros)
S2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2012-12-25] (Atheros)

==================== Drivers (Whitelisted) ====================

S3 akshhl; C:\Windows\System32\DRIVERS\akshhl.sys [57088 2012-06-14] (SafeNet Inc.)
S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [296576 2012-06-14] (SafeNet Inc.)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20131101.003\BHDrvx64.sys [1524824 2013-10-22] (Symantec Corporation)
S1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1404000.028\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-11-03] (Symantec Corporation)
S2 hardlock; C:\Windows\system32\drivers\hardlock.sys [323584 2012-10-05] (SafeNet Inc.)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20131110.002\IDSvia64.sys [521816 2013-10-31] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20131110.004\ENG64.SYS [126040 2013-11-03] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20131110.004\EX64.SYS [2099288 2013-11-03] (Symantec Corporation)
S3 SRTSP; C:\Windows\system32\drivers\N360x64\1404000.028\SRTSP64.SYS [796760 2013-05-15] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\N360x64\1404000.028\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\N360x64\1404000.028\SYMDS64.SYS [493656 2013-05-20] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\N360x64\1404000.028\SYMEFA64.SYS [1139800 2013-05-22] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-11-02] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360x64\1404000.028\Ironx64.SYS [224416 2012-07-27] (Symantec Corporation)
S1 SymNetS; C:\Windows\system32\drivers\N360x64\1404000.028\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-03-05 07:52 - 2014-03-05 07:52 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-03-04 13:33 - 2014-03-06 07:52 - 00000000 ____D () C:\FRST
2014-03-03 17:46 - 2014-03-03 17:46 - 00003224 ____N () C:\bootsqm.dat
2014-02-27 13:01 - 2014-03-04 09:52 - 00000000 ____D () C:\Windows\Minidump

==================== One Month Modified Files and Folders =======

2014-03-06 07:52 - 2014-03-04 13:33 - 00000000 ____D () C:\FRST
2014-03-05 12:46 - 2013-06-21 13:23 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-03-05 12:46 - 2013-06-20 22:49 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-03-05 12:46 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-05 07:52 - 2014-03-05 07:52 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-03-04 12:34 - 2013-07-17 20:30 - 00000000 ____D () C:\users\Plasma
2014-03-04 12:34 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\servicing
2014-03-04 12:34 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-03-04 12:34 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\AppCompat
2014-03-04 09:52 - 2014-02-27 13:01 - 00000000 ____D () C:\Windows\Minidump
2014-03-03 17:46 - 2014-03-03 17:46 - 00003224 ____N () C:\bootsqm.dat
2014-02-26 15:48 - 2013-06-20 23:00 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-02-26 15:48 - 2013-06-20 23:00 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-02-12 14:06 - 2013-07-17 20:49 - 00000000 ____D () C:\Users\Plasma\AppData\Local\CrashDumps
2014-02-04 15:07 - 2013-06-20 22:30 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-04 14:50 - 2009-07-13 20:45 - 00021312 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-04 14:50 - 2009-07-13 20:45 - 00021312 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-04 14:47 - 2009-07-13 21:13 - 00778834 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-02-04 14:46 - 2013-06-21 13:22 - 01744718 _____ () C:\Windows\WindowsUpdate.log
2014-02-04 14:42 - 2009-07-13 20:51 - 00052825 _____ () C:\Windows\setupact.log

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-10-17 14:09:57
Restore point made on: 2013-10-27 15:23:38
Restore point made on: 2013-11-03 15:45:27
Restore point made on: 2013-11-10 16:47:23
Restore point made on: 2013-11-17 20:25:25
Restore point made on: 2013-11-25 19:17:08
Restore point made on: 2013-12-03 14:17:34
Restore point made on: 2013-12-11 13:30:27
Restore point made on: 2014-01-12 18:32:02
Restore point made on: 2014-01-20 15:58:28
Restore point made on: 2014-01-28 13:46:34
Restore point made on: 2014-02-04 15:21:08
Restore point made on: 2014-02-12 15:37:01
Restore point made on: 2014-02-20 14:31:00
Restore point made on: 2014-02-24 19:00:56
Restore point made on: 2014-02-26 20:41:15

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 8152.95 MB
Available physical RAM: 7346.29 MB
Total Pagefile: 8151.14 MB
Available Pagefile: 7335.42 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:1850.73 GB) (Free:1803.97 GB) NTFS
Drive d: (W7SP1_PROFESSIONAL) (CDROM) (Total:5.23 GB) (Free:0 GB) UDF
Drive i: () (Removable) (Total:0.97 GB) (Free:0.39 GB) FAT
Drive j: (RECOVERY) (Fixed) (Total:12.25 GB) (Free:4.62 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 02B6F3AD)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=-211818643456) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 990 MB) (Disk ID: 0019E5B3)
Partition 1: (Active) - (Size=990 MB) - (Type=06)

LastRegBack: 2014-02-19 13:34

==================== End Of Log ============================



#5 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:04:44 PM

Posted 06 March 2014 - 01:57 AM

Try to do a system restore to a point where logging in was allowed.

Tell me if that worked for you.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#6 mcfab
  • Topic Starter
  • Members
  • 4 posts
  • Local time:03:44 AM

Posted 06 March 2014 - 05:52 PM

Hi

In the beginning I tried a system restore but it had no effect, the black screen of death still came up.

I have tried to do another one today but am now getting the following error:

System Restore did not complete successfully. Your computer's system files and settings were not changed.

Details:
An unspecified error occurred during System Restore. (0x8000ffff)

You can try System Restore again and choose a different restore point. If you continue to see this error, you can try an advanced recovery method. For more information, see What is Recovery?

On startup it still goes to the black screen.

Thanks

Karen


Edited by mcfab, 06 March 2014 - 05:53 PM.


#7 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:04:44 PM

Posted 07 March 2014 - 02:00 AM

System File Check (offline mode)

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt
  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your system drive letter and system path (for example, D:\windows\) and close the notepad.
  • enter the following command:


sfc /scannow /offbootdir=d:\ /offwindir=d:\windows


Replace the two drive-and-path parts (d:\ and d:\windows in the example) with the information you obtained from the last step of this tutorial.

Note: Depending on how your computer is setup, the Command Prompt, when used from outside of Windows, doesn't always assign drive letters in the same way that you see them from inside Windows. In other words, Windows might be at C:\Windows when you're using it, but D:\Windows from the Command Prompt in System Recovery Options.



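The post above walks through the offline SFC by hand and ends with the caveat that the recovery Command Prompt may assign drive letters differently from a running Windows. The FRST log earlier in this thread shows a second wrinkle on this particular machine: the OS volume is listed as C: (OS), while the active 12 GB partition with the boot components is listed as J: (RECOVERY) and X: is the recovery environment's own RAM disk. The two switches of sfc can therefore need two different letters, and a command copied as d:\ / d:\windows would not match. The script below is an added example written for this page, not a tool posted in the thread or shipped with FRST; it runs from the WinRE / install-disc Command Prompt, finds the offline \Windows and the volume carrying bootmgr and the BCD store by checking for those files (a heuristic, an assumption on my part, including the install.wim test used to skip the install DVD), prints what it found, and only runs sfc after you confirm. The script name, the two optional arguments and the comment about where the offline CBS.log ends up are assumptions as well.

```batch
@echo off
setlocal
rem Added example for this thread (not a tool posted in it): pick the drive
rem letters for an offline SFC from the WinRE / install-disc command prompt.
rem WinRE often assigns letters differently from a running Windows, and the
rem boot files may sit on a separate active partition from \Windows, so the
rem two switches can need two different letters.
rem Usage: offline-sfc.cmd [WindowsDrive] [BootDrive]   (e.g. offline-sfc.cmd C J)
rem The file checks below are heuristics (assumption); confirm the letters when asked.

set "WINDRIVE=%~1"
set "BOOTDRIVE=%~2"

rem X: is the WinRE RAM disk, so it is left out of the scan.
rem (A card reader with no media may raise an "insert a disk" prompt; cancel it.)
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if not defined WINDRIVE if exist "%%D:\Windows\System32\config\SYSTEM" set "WINDRIVE=%%D"
    rem The active system partition carries bootmgr and the BCD store. Install
    rem media carries the same two files, so skip volumes that hold install.wim.
    if not defined BOOTDRIVE if exist "%%D:\bootmgr" if exist "%%D:\Boot\BCD" if not exist "%%D:\sources\install.wim" set "BOOTDRIVE=%%D"
)

if not defined WINDRIVE (
    echo No offline Windows installation found. Pass the letter explicitly.
    exit /b 1
)
rem Single-partition installs keep bootmgr on the OS volume itself.
if not defined BOOTDRIVE set "BOOTDRIVE=%WINDRIVE%"

echo Offline Windows : %WINDRIVE%:\Windows
echo Boot volume     : %BOOTDRIVE%:\
echo.
set "CONFIRM="
set /p "CONFIRM=Run sfc /scannow /offbootdir=%BOOTDRIVE%:\ /offwindir=%WINDRIVE%:\Windows ? [Y/N] "
if /i not "%CONFIRM%"=="Y" exit /b 2

sfc /scannow /offbootdir=%BOOTDRIVE%:\ /offwindir=%WINDRIVE%:\Windows
set "RC=%ERRORLEVEL%"
rem Offline runs are expected to write CBS.log under the offline image's
rem \Windows\Logs\CBS rather than on X: (assumption); look there for details.
echo sfc finished with exit code %RC%.
endlocal & exit /b %RC%
```

Save it to the USB stick that already holds FRST, open the Command Prompt from System Recovery Options, and run it as `i:\offline-sfc.cmd` (I: being the removable drive in the log above). On the machine in this thread the detection would be expected to report C:\Windows and J:\, i.e. `sfc /scannow /offbootdir=j:\ /offwindir=c:\windows`; if the printed letters do not match what Notepad's Open dialog shows, answer N and pass the letters explicitly. An offline sfc checks protected system files only, so a clean result says nothing about a bootkit living in the MBR or in a driver, which is why the thread also relies on the FRST and ListParts output.
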
#8 mcfab
  • Topic Starter
  • Members
  • 4 posts
  • Local time:03:44 AM

Posted 07 March 2014 - 06:24 PM

Hi

I can only boot from the windows install disc.  I have run the scans and nothing was found.

I have decided to just go ahead and reinstall windows so please close this thread.

Thanks again to everyone for their assistance.

Karen



#9 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:04:44 PM

Posted 08 March 2014 - 11:59 AM

You're welcome! :)



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:04:44 PM

Posted 08 March 2014 - 11:59 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



