
Windows 7 64bit//Logo Splash Boot Loop//BSOD "Rootkit Infection"?


This topic is locked. 5 replies to this topic.

#1 bkajiki (Members, 27 posts, New Mexico)

Posted 31 July 2016 - 01:40 AM

Hello, I was requested by CKing123 to post a new topic. It's very possible I have a rootkit infection on my desktop. I ran a Farbar scan earlier today. Scan results are attached to this post.

Thanks

Alright, so something interesting in the FRST logs:

ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Windows\system64

This suggests a malware infection (rootkit).

Please create a new topic in the Virus, Trojan, Spyware, and Malware Removal Logs forums and follow the posting instructions.

-CKing


Original Post: http://www.bleepingcomputer.com/forums/t/621554/windows-7-64bitlogo-splash-boot-loopbsod/?p=4052632

Attached Files: FRST scan results (attachment not reproduced)

#2 nasdaq (Malware Response Team, 40,246 posts, Montreal, QC, Canada)

Posted 31 July 2016 - 09:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to the new file.
start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2662472 2016-04-18] ()
HKU\OB\...\Run: [AdobeBridge] => [X]
HKU\OB\...\Run: [SCheck] => C:\Users\OB\AppData\Roaming\SCheck\SCheck.exe [51200 2015-10-26] ()
AppInit_DLLs: C:\PROGRA~2\SN_X64~1.BO~ => No File
S2 vToolbarUpdater19.4.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\19.4.0\ToolbarUpdater.exe [1888328 2016-04-18] (AVG Secure Search)
S2 1a34a8e0; "C:\Windows\system32\rundll32.exe" "c:\progra~2\SNSvc.dll",service
S2 AfterFLICS v3; C:\Program Files (x86)\AFLICS\AfterFLICS.exe [X]
S2 InstallerService; "C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe" [X]
S2 tgsrvc_smartagent; %systemroot%\system32\z800mdfl.dll [X]
S3 easytether; system32\DRIVERS\easytthr.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 johci; system32\DRIVERS\johci.sys [X]
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
NETSVC: tgsrvc_smartagent -> C:\Windows\system32\z800mdfl.dll ==> No File
C:\Users\OB\AppData\Roaming\SCheck
c:\progra~2\SNSvc.dll
DeleteJunctionsInDirectory: C:\Windows\system64
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the logs and include the Addition.txt file that was created by the Farbar tool.

Let me know what problem persists.
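
The fixlist above is built by copying lines out of FRST.txt and adding directives. As an added example (not FRST's code and not the helper's), the Python script below triages a handful of FRST-style log lines for the patterns visible in this thread: the ZeroAccess ATTENTION marker that CKing123 flagged, service and driver entries whose binary is missing ([X]), registry entries that point at a missing file (No File), and a service whose name is eight random hex digits and which loads a DLL through rundll32.exe (the 1a34a8e0 / SNSvc.dll pair). The sample log is constructed from the lines quoted on this page rather than taken from a real FRST.txt, the regular expressions are this example's own guess at the line shapes, and the hex-name heuristic is an assumption; the PUP entries (AVG SafeGuard toolbar, SCheck) that nasdaq added by judgement are not automated.

```python
"""Triage FRST-style log lines into fixlist entries (added example, not FRST code).

The regexes below are assumptions about the shape of the lines quoted on this
page; SAMPLE_LOG is constructed from those quoted lines, not a real FRST.txt.
"""
import re

SAMPLE_LOG = r"""
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2662472 2016-04-18] ()
HKU\OB\...\Run: [AdobeBridge] => [X]
AppInit_DLLs: C:\PROGRA~2\SN_X64~1.BO~ => No File
S2 1a34a8e0; "C:\Windows\system32\rundll32.exe" "c:\progra~2\SNSvc.dll",service
S2 tgsrvc_smartagent; %systemroot%\system32\z800mdfl.dll [X]
S3 johci; system32\DRIVERS\johci.sys [X]
NETSVC: tgsrvc_smartagent -> C:\Windows\system32\z800mdfl.dll ==> No File
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Windows\system64
"""

# "ATTENTION: ====> <family>. Use <directive>: <argument>" as printed in the log
ATTENTION_RE = re.compile(r"^ATTENTION: ====> (?P<family>\w+)\. Use (?P<directive>\w+): (?P<arg>.+)$")
# "S2 name; image ..." service/driver lines (S = stopped, R = running, digit = start type)
SERVICE_RE = re.compile(r"^(?P<start>[SR]\d) (?P<name>[^;]+); (?P<image>.+)$")
# rundll32.exe "<dll>",entry  -> pull out the DLL actually being loaded
RUNDLL_RE = re.compile(r'rundll32\.exe"\s+"(?P<dll>[^"]+)"', re.IGNORECASE)
# assumption: an 8-hex-digit service name is a randomly generated loader name
RANDOM_NAME_RE = re.compile(r"[0-9a-f]{8}")


def triage(log_text):
    """Return (findings, fixlist_lines) for the given FRST-style log text.

    findings: list of (kind, name, detail) tuples
    fixlist_lines: the text a helper would save as fixlist.txt
    """
    findings = []
    fixlist = ["start", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue

        m = ATTENTION_RE.match(line)
        if m:
            findings.append(("rootkit-marker", m["family"], m["arg"]))
            # the fixlist directive is spelled DeleteJunctionsInDirectory (see the
            # fixlist in the post), not as the ATTENTION line prints it
            fixlist.append(f"DeleteJunctionsInDirectory: {m['arg']}")
            continue

        # entries whose target is gone: services/drivers marked [X], registry
        # values or NETSVC entries marked "No File"; FRST removes them verbatim
        if line.endswith("[X]") or line.endswith("No File"):
            key = line.split(";")[0].split(":")[0]
            findings.append(("orphan-entry", key, line))
            fixlist.append(line)
            continue

        m = SERVICE_RE.match(line)
        if m:
            dll = RUNDLL_RE.search(m["image"])
            if dll and RANDOM_NAME_RE.fullmatch(m["name"]):
                # random service name + rundll32-loaded DLL: remove the service
                # entry and the DLL file itself, as the helper did for SNSvc.dll
                findings.append(("suspicious-service", m["name"], dll["dll"]))
                fixlist.append(line)
                fixlist.append(dll["dll"])
    return findings, fixlist


if __name__ == "__main__":
    found, fix = triage(SAMPLE_LOG)
    for kind, name, detail in found:
        print(f"{kind:19} {name:22} {detail}")
    print("\n".join(fix))
```

A real fixlist is still a human decision: the script only shows which log lines map to which fixlist entries, and it emits the DeleteJunctionsInDirectory directive with the spelling used in the fixlist above rather than the one printed in the ATTENTION line.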

#3 bkajiki (Topic Starter, Members, 27 posts, New Mexico)

Posted 31 July 2016 - 11:16 AM

Okay, so I did as instructed, and I'm still getting a boot loop. Once the Windows splash logo comes on, the animation happens, creating the full logo symbol, and it restarts as soon as the logo is complete.

So I executed the Farbar scan again and retried the fixlist, and I still came up with the same results. The FRST.txt is from the scan just now.

Attached Files: FRST.txt (attachment not reproduced)

#4 nasdaq (Malware Response Team, 40,246 posts, Montreal, QC, Canada)

Posted 31 July 2016 - 01:15 PM

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click the aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note: do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.

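nasdaq's next step is to look at the master boot record with TDSSKiller and aswMBR, and aswMBR leaves an MBR.dat on the desktop for the helper to inspect. As an added example (not aswMBR's or TDSSKiller's code), the Python below parses a raw 512-byte MBR sector and applies the checks a helper would otherwise do by hand on such a dump: the 0x55AA signature, the four partition entries, exactly one active partition, non-overlapping partitions, a SHA-256 of the 446-byte boot code so it can be compared with a known-good copy, and a byte-level diff that shows a bootkit-style change to the boot code while the partition table is untouched. It assumes MBR.dat is a raw sector image (an assumption: check that the file is exactly 512 bytes before trusting it); the sample sectors are constructed inline, and the hashes are of those constructed samples, not of a real Windows 7 MBR.

```python
"""Parse and sanity-check a raw 512-byte MBR sector (added example).

Assumptions not taken from the thread: MBR.dat is the raw first sector of the
disk, laid out as 446 bytes of boot code, a 64-byte partition table at
offset 446 and the 0x55AA signature at offset 510.
"""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"


def build_sample_mbr(boot_code=b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", entries=()):
    """Construct a test sector; the boot-code bytes are filler, not real code."""
    code = boot_code.ljust(TABLE_OFFSET, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in entries
    ).ljust(64, b"\x00")
    return code + table + SIGNATURE


def parse_mbr(sector):
    """Return signature status, boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue                       # empty slot
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba, "sectors": count,
        })
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def sanity_checks(info):
    """Warnings a helper would want before comparing against a known-good MBR."""
    warnings = []
    if not info["signature_ok"]:
        warnings.append("missing 0x55AA signature")
    if not info["partitions"]:
        warnings.append("empty partition table")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        warnings.append(f"{len(active)} partitions flagged active (expected 1)")
    # overlapping entries are malformed and worth a closer look
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            warnings.append(f"partition overlap at LBA {start2}")
    return warnings


def diff_boot_code(a, b):
    """Offsets within the 446 boot-code bytes where two sectors differ."""
    return [i for i in range(TABLE_OFFSET) if a[i] != b[i]]


def load_mbr(path):
    """Read a dump such as MBR.dat; only the first sector is considered."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    # Constructed sample: a 100 MiB active system partition plus a data partition.
    clean = build_sample_mbr(entries=[(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)])
    # Simulated bootkit-style tamper: boot code patched, partition table untouched.
    tampered = bytearray(clean)
    tampered[0:4] = b"\xeb\x3c\x90\x90"
    tampered = bytes(tampered)
    for name, sector in (("clean", clean), ("tampered", tampered)):
        info = parse_mbr(sector)
        print(name, info["boot_code_sha256"][:16], sanity_checks(info))
    print("boot code differs at", diff_boot_code(clean, tampered))
    print("partition table identical:", clean[TABLE_OFFSET:510] == tampered[TABLE_OFFSET:510])
```

The useful comparison is the boot-code hash against a known-clean MBR from the same Windows version, or a diff against a dump taken from the rescue disk; the partition table alone will usually look normal on a bootkitted disk, which is why the two are checked separately.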

#5 bkajiki (Topic Starter, Members, 27 posts, New Mexico)

Posted 31 July 2016 - 03:48 PM

Hello, I can't boot into Windows at all, not even in Safe Mode. The only thing I can get to is Startup Repair, or if I use the Kaspersky Rescue Disk. I'm using my laptop to post.


#6 nasdaq (Malware Response Team, 40,246 posts, Montreal, QC, Canada)

Posted 01 August 2016 - 06:51 AM

I suggest you start a new topic in the Windows 7 Forum
http://www.bleepingcomputer.com/forums/f/167/windows-7/

Make the title "unbootable Win 7 computer"

An expert with that operating system should be able to help you better than I can. This is not my forte.