
Windows 7 won't boot - possible ZeroAccess?


  • This topic is locked
19 replies to this topic

#1 utjww

utjww

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 26 May 2014 - 03:50 AM

Hello and thank you for your help with my computer problem.

 

I have Windows 7 Pro 32 bit and was browsing the Internet on 5/23 when the computer shut down the applications for a reboot.  After rebooting the computer will not go past the Starting Windows message.  I can't boot the computer into Safe mode.  I am able to get to the System Recovery Options by pressing F8.  I ran Startup Repair, but it could not detect the problem.  I ran memory tests, chkdsk and an sfc scan without error.  I downloaded and ran FRST and the scan is indicating a possible ZeroAccess infection.  There are also files and a folder with the name 777884d that were created near the time this happened.  I have attached the FRST.txt file produced from the scan.  Please help me by providing a fixlist.txt to remove the infection and recommendations on other steps I should take.

Attached Files

  • Attached File  FRST.txt   36.71KB   5 downloads




#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:20 PM

Posted 28 May 2014 - 05:42 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
    HKU\Wendel_Warner\...\Run: [777884] => C:\777884d\777884d.exe
    HKU\Wendel_Warner\...\Run: [777884d] => C:\Users\Wendel_Warner\AppData\Roaming\777884d.exe
    HKU\Wendel_Warner\...\RunOnce: [*77884] - C:\777884d\777884d.exe
    HKU\Wendel_Warner\...\RunOnce: [*77884d] - C:\Users\Wendel_Warner\AppData\Roaming\777884d.exe
    HKU\Wendel_Warner\...\Policies\Explorer: [HideSCAHealth] 1
    Startup: C:\Users\Wendel_Warner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\777884d.exe ( )
    
    C:\$Recycle.Bin\S-1-5-18\$42681552ef6e993b31302f6eba0cc470
    C:\$Recycle.Bin\S-1-5-21-120810831-3082433198-1416529062-1007
    C:\777884d\777884d.exe
    C:\Users\Wendel_Warner\AppData\Roaming\777884d.exe
    C:\Users\Wendel.Warner\AppData\Local\Temp\Feedback.CA.dll
    C:\Users\Wendel_Warner\AppData\Local\Temp\1426300293.exe
    C:\Users\Wendel_Warner\AppData\Local\Temp\2vovkandnnndddddd.exe
    C:\Users\Wendel_Warner\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
    C:\Users\Wendel_Warner\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
    C:\Users\Wendel_Warner\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
    C:\Users\Wendel_Warner\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
    C:\Users\Wendel_Warner\AppData\Local\Temp\wpilauncher.exe
    C:\Users\Wendel_Warner\AppData\Local\Temp\{7014E919-2EAA-4158-AB8A-7483300316F4}.dll

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

 

 

Boot into windows now!

 

 

 

 

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)
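The fixlist above is made of lines copied out of the FRST log, so the real work is deciding which log lines matter. As an added example, not part of this thread or of FRST itself, the Python below applies the same kinds of criteria to constructed sample lines modelled on the entries quoted above: FRST's own ATTENTION! flag, Run/RunOnce targets in user-writable locations, an executable dropped straight into the Startup folder, the HideSCAHealth policy that hides Action Center warnings, a hidden folder created inside the incident window, and the `$<hash>` folder under the SYSTEM SID recycle bin that ZeroAccess is known to use. The sample lines come from the thread (plus one constructed benign `ExampleUpdater` entry), the 2014-05-23 incident date is the one the topic starter gave, and the heuristics are mine: a review aid for the analyst reading the log, not a replacement for it.

```python
"""Triage FRST log lines for ZeroAccess-style persistence indicators.

Added example for this thread, not part of FRST: the patterns below mirror
what the reply's fixlist removed, applied to constructed sample lines.
"""
import re
from datetime import datetime

# Constructed sample in the format FRST prints, modelled on the entries quoted
# in the thread. The last line is a constructed benign autorun entry that the
# rules should leave alone.
SAMPLE_FRST_LINES = r"""
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKU\Wendel_Warner\...\Run: [777884] => C:\777884d\777884d.exe
HKU\Wendel_Warner\...\Run: [777884d] => C:\Users\Wendel_Warner\AppData\Roaming\777884d.exe
HKU\Wendel_Warner\...\RunOnce: [*77884] - C:\777884d\777884d.exe
HKU\Wendel_Warner\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\Users\Wendel_Warner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\777884d.exe ( )
2014-05-23 21:42 - 2014-05-28 09:45 - 00000000 ___HD () C:\777884d
C:\$Recycle.Bin\S-1-5-18\$42681552ef6e993b31302f6eba0cc470
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe
""".strip().splitlines()

# Registry Run/RunOnce values and Startup-folder items as FRST lists them.
AUTORUN_RE = re.compile(r"^(?P<kind>HK(?:LM|U)\\.*?\\(?:Run|RunOnce)|Startup):\s*(?P<rest>.*)$")
# First executable-looking Windows path in a line (spaces allowed, stops at the extension).
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^<>|\r\n]*?\.(?:exe|dll|scr|bat|cmd)\b", re.I)
# FRST file/folder listing: created - modified - size attributes (company) path
DIRLIST_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Hidden $<32 hex> folder under the SYSTEM account's recycle bin, a ZeroAccess hiding place.
RECYCLE_HIDE_RE = re.compile(r"\\\$Recycle\.Bin\\S-1-5-18\\\$[0-9a-f]{32}\b", re.I)
# Policy that hides Action Center security warnings (antivirus/firewall off).
HIDE_SC_RE = re.compile(r"Policies\\Explorer: \[HideSCAHealth\] 1$")

SYSTEM_ROOT_DIRS = ("windows", "program files", "program files (x86)")


def in_user_writable_location(path):
    """True for AppData/Temp/Public paths or a folder directly under the drive root."""
    p = path.lower()
    if "\\appdata\\" in p or "\\temp\\" in p or "\\users\\public\\" in p:
        return True
    parts = p.split("\\")
    return len(parts) == 3 and parts[1] not in SYSTEM_ROOT_DIRS


def triage_line(line, incident_start=None, window_days=7):
    """Return (severity, reason) for a suspicious FRST line, else None.

    incident_start is an optional 'YYYY-MM-DD' string; hidden folders created
    within window_days after it are flagged.
    """
    if "ATTENTION!" in line:
        return ("high", "FRST itself flagged this entry")
    if RECYCLE_HIDE_RE.search(line):
        return ("high", "hidden $<hash> folder under the SYSTEM SID recycle bin")
    if HIDE_SC_RE.search(line):
        return ("medium", "Action Center security notifications suppressed")
    m = AUTORUN_RE.match(line)
    if m:
        target = WINPATH_RE.search(m.group("rest"))
        if not target:
            return None
        path = target.group()
        if m.group("kind") == "Startup" and path.lower().endswith(".exe"):
            return ("medium", "executable dropped directly into the Startup folder")
        if in_user_writable_location(path):
            return ("medium", "autorun target lives in a user-writable location")
        return None
    d = DIRLIST_RE.match(line)
    if d and "H" in d.group("attrs"):
        created = datetime.strptime(d.group("created"), "%Y-%m-%d %H:%M")
        if incident_start is None:
            return ("medium", "hidden folder in the listing")
        start = datetime.strptime(incident_start, "%Y-%m-%d")
        if 0 <= (created - start).days <= window_days:
            return ("medium", "hidden folder created inside the incident window")
    return None


def triage(lines, incident_start=None, window_days=7):
    """Return [(severity, reason, original_line), ...] in log order."""
    findings = []
    for line in lines:
        hit = triage_line(line, incident_start, window_days)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_FRST_LINES, incident_start="2014-05-23"):
        print("%-6s %-55s %s" % (severity, reason, line))
```

On a real log, call `triage(open("FRST.txt", encoding="utf-8-sig").read().splitlines(), incident_start="YYYY-MM-DD")`; the flagged lines are the ones worth reading closely before they go anywhere near a fixlist, and the benign `Program Files` entry shows the rules staying quiet where they should.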

#3 utjww

utjww
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 28 May 2014 - 12:16 PM

Thank you for your help, Marius.

 

I used FRST with the fixlist.txt you provided. I have attached the Fixlog.txt file.  I rebooted and my computer still won't go past the Starting Windows message.  I tried booting into safe mode and the only windows file that loads is "\Windows\system32\config\system"

 

Please let me know your recommendations.

 

Attached Files



#4 utjww

utjww
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 30 May 2014 - 02:18 PM

I scanned using Farbar again and have attached the results.  Please let me know if you need anything else to help figure out the solution to my problem.  Thank you.

Attached Files



#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:20 PM

Posted 31 May 2014 - 01:58 PM

This is weird...

 

 

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    Startup: C:\Users\Wendel_Warner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\777884d.exe ( )
    2014-05-23 21:42 - 2014-05-28 09:45 - 00000000 ___HD () C:\777884d

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


#6 utjww

utjww
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 31 May 2014 - 11:19 PM

Thank you for your help, Marius.  I ran frst.exe with the fixlist.txt file you provided and have attached the resulting Fixlog.txt.  I ran a scan afterwards and verified that 777884d files were no longer listed in the frst.txt file.  I have attached the new frst.txt file from this scan.

 

I still cannot boot past the Starting Windows message.  Booting into safe mode will not go past the "Loading \Windows\system32\config\system" file.  I have the Windows 7 DVD so I can try an in place upgrade if necessary.  I'm not sure what else to try.  What are your recommendations?

 

Attached Files



#7 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:20 PM

Posted 02 June 2014 - 03:17 PM

It seems that the registry is corrupt...

 

 

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    LastRegBack: 2014-05-18 22:36

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


#8 utjww

utjww
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 02 June 2014 - 04:33 PM

Thank you for your help, Marius.  I have done as you asked and have attached the resulting fixlist.txt file.  The problem persists and I cannot boot past the Starting Windows message.  I have attached the latest results of the FRST scan.  Please let me know your recommendations.

Attached Files
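The diagnosis two posts up is registry corruption, and the fixlist line `LastRegBack: 2014-05-18 22:36` points FRST at the most recent registry backup it found (that is the documented use of the LastRegBack line; the thread itself does not spell it out). A check a practitioner can run before falling back to a backup is to look at the base block of the offline SYSTEM hive, the file safe mode stalls on here (`\Windows\system32\config\system`): a mismatch between the primary and secondary sequence numbers means the last write never completed, and a wrong header checksum means the header itself is damaged. The Python below is an added example, not code from the thread, FRST or Windows; it uses the documented `regf` base-block layout, and the headers it checks are constructed in `build_header()` rather than taken from a real hive.

```python
"""Sanity-check the base block (first 512 bytes) of an offline registry hive.

Added example for this thread, not part of FRST or Windows. It uses the
documented 'regf' base-block layout: signature at offset 0, primary and
secondary sequence numbers at 4 and 8, version at 20/24, and an XOR-32
checksum of the first 508 bytes stored at offset 508.
"""
import struct
import sys

HEADER_SIZE = 512
CHECKSUM_OFFSET = 508


def regf_checksum(header):
    """XOR of the 127 little-endian DWORDs preceding the checksum field."""
    x = 0
    for word in struct.unpack("<127I", bytes(header[:CHECKSUM_OFFSET])):
        x ^= word
    # The format reserves the two degenerate results and stores these instead.
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def inspect_hive_header(header):
    """Return a dict describing the header; 'ok' is False if anything looks wrong."""
    if len(header) < HEADER_SIZE:
        return {"ok": False, "problems": ["file shorter than a 512-byte base block"]}
    problems = []
    signature = bytes(header[:4])
    if signature != b"regf":
        problems.append("bad signature %r (expected b'regf')" % signature)
    primary, secondary = struct.unpack_from("<II", header, 4)
    if primary != secondary:
        # A dirty hive: the last write never completed. Windows normally replays the
        # .LOG transaction log; if that fails, a backup copy is the fallback.
        problems.append("sequence numbers differ (%d vs %d): hive was not cleanly written"
                        % (primary, secondary))
    stored = struct.unpack_from("<I", header, CHECKSUM_OFFSET)[0]
    computed = regf_checksum(header)
    if stored != computed:
        problems.append("header checksum mismatch (stored 0x%08x, computed 0x%08x)"
                        % (stored, computed))
    major, minor = struct.unpack_from("<II", header, 20)
    return {"ok": not problems, "problems": problems, "version": (major, minor),
            "primary_seq": primary, "secondary_seq": secondary}


def build_header(primary, secondary, corrupt_body=False):
    """Constructed minimal base block for demonstration; not taken from a real hive."""
    h = bytearray(HEADER_SIZE)
    h[0:4] = b"regf"
    struct.pack_into("<II", h, 4, primary, secondary)
    struct.pack_into("<II", h, 20, 1, 3)      # format version 1.3
    struct.pack_into("<I", h, 28, 0)          # file type 0 = primary hive file
    struct.pack_into("<I", h, 36, 0x20)       # root cell offset within the hive bins
    name = "SYSTEM".encode("utf-16-le")       # 64-byte UTF-16LE file name field
    h[48:48 + len(name)] = name
    struct.pack_into("<I", h, CHECKSUM_OFFSET, regf_checksum(h))
    if corrupt_body:
        h[0x100] ^= 0x5A                     # damage a byte the checksum covers
    return bytes(h)


if __name__ == "__main__":
    # Usage: python hivecheck.py <path to SYSTEM hive copied from the offline drive>
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_hive_header(fh.read(HEADER_SIZE)))
    else:
        for label, hdr in (("clean", build_header(7, 7)), ("dirty", build_header(8, 7)),
                           ("damaged", build_header(7, 7, corrupt_body=True))):
            print(label, inspect_hive_header(hdr))
```

Copy the hive off the non-booting drive first (from the recovery command prompt, or by mounting the disk elsewhere) and run the script against the copy; a clean header does not prove the hive's cells are intact, but a dirty or mismatched one explains a boot that stops at `config\system` and makes the backup restore the right next step.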



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:20 PM

Posted 05 June 2014 - 01:31 AM

System File Check (offline mode)

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt
  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your system drive letter and system path (for example, D:\windows\) and close the notepad.
  • enter the following command:


sfc /scannow /offbootdir=d:\ /offwindir=d:\windows


Replace the red and pink parts with the information you obtained from the last step of this tutorial.

Note: Depending on how your computer is setup, the Command Prompt, when used from outside of Windows, doesn't always assign drive letters in the same way that you see them from inside Windows. In other words, Windows might be at C:\Windows when you're using it, but D:\Windows from the Command Prompt in System Recovery Options.



#10 utjww

utjww
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 05 June 2014 - 10:30 AM

Thank you, Marius.  I ran sfc as instructed and was shown the following message: "Windows Resource Protection did not find any integrity violations."  The computer still will not boot.



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:20 PM

Posted 06 June 2014 - 03:07 AM

Create/Scan with Kaspersky Rescue Disk

Follow the instructions on this page for downloading the kav_rescue_10.iso (200 mb) file and creating the Kaspersky Rescue Disk.

Make sure you set to boot the machine from the CDRom drive first. Then save and exit the BIOS. The computer will begin to boot. Insert the disc in the CDrom drive, then restart the machine. It should then boot from that CD.

It's best if you refer to the instructions and images at Kaspersky How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

Once it boots from CD, press a key so it continues to boot from that CD.

Select the language, then be sure to select Kaspersky Rescue Disk Graphic Mode.

Kaspersky should begin scanning your machine. If it finds infection, look carefully at the files it lists. If any of them seem to be legit files, do not allow it to clean/quarantine/delete them. Rather, save the log and post the results for me to look over.



#12 utjww

utjww
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 07 June 2014 - 02:00 AM

Thank you, Marius.  I was able to scan my computer using the Kaspersky Rescue Disk.  I have attached the resulting report.  Please let me know your recommendations.

Attached Files



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:20 PM

Posted 10 June 2014 - 02:04 AM

Please remove the found threats.

Boot into recovery environment afterwards and run startup recovery.

 

Tell me the result.



#14 utjww

utjww
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 10 June 2014 - 09:13 PM

I have removed the found threats and ran the startup recovery.  It came back with the message "Startup Repair cannot repair this computer automatically" with the following problem details:

 

Problem signature:
  Problem Event Name: StartupRepairOffline
  Problem Signature 01: 6.1.7600.16385
  Problem Signature 02: 6.1.7600.16385
  Problem Signature 03: unknown
  Problem Signature 04: 21200582
  Problem Signature 05: ManualRepair
  Problem Signature 06: 6
  Problem Signature 07: NoRootCause
  OS Version: 6.1.7600.2.0.0.256.1
  Locale ID: 1033

 

Thank you for your help with this, Marius.



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:20 PM

Posted 11 June 2014 - 07:13 AM

Please boot into recovery environment and start the command prompt.

Enter the following command:

chkdsk [your real hard disk drive letter followed by a colon here] /r

As you know, inside recovery environment the drive letter you've booted to and the drive letter really indicating your system drive may vary.

So if your system drive is for example D, the command would read like this:
 

chkdsk D: /r

(see the blank after the colon!).

 

Hit enter now.

 

Checkdisk will scan your hard drive sector by sector, searching for defects and other errors.

This may take several hours.

 

When finished, tell me if any errors were found.





