[Jintan]

Even if the drivers are running, you should have some more access to those files.

Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Rightclick on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

sc config akerneldrv start= disabled

sc config pcrasys start= disabled

exit

If you were allowed to make the changes, you should have gotten a confirmation after each one. before we go further, post back an update on that please.

[Advertisements]

Both Succeeded.

[Kasey21]

Both Succeeded.

[Jintan]

Reboot, and upload copies of those files.

Also after the reboot, open Task Manager, and under Processes locate and End Process servicescache.exe, then upload that as well.

[Kasey21]

Same error message.

Also when you asked this:

Earlier we did "net user administrator /active:yes". This enabled the actual Admin account. You are using this as your regular account (not recommended)? If not, reboot to that actual Admin account to handle the files. I thought you created a new account, and migrated to it?

I was never able to use the Administrator account. There was a password. I never set a password so there shouldn't have been one. And I didn't know it.

[Jintan]

Log in to the Administrator account, and just press Enter for the password (no password). Then try the file uploads. No joy, we will need to use a tool to gain copies, so we can ID these items and move forward.

[Kasey21]

I had tried not password and it didn't work either.

[Jintan]

Foof. When the computer is right out of the box, you are usually offered then to create that password. I usually hedge my bet on most folks fearing they will forget it, and passing it by at that time (they do).


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

KillAll::
Suspect::
C:\Windows\system32\Drivers\akerneldrv32.sys
C:\Windows\system32\Drivers\pcrasys32.sys
C:\Windows\system32\servicescache.exe

Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.


ComboFix will now run as it did before. Allow the scan to run. When the scan completes this time a text log will open, as well as an indication the removed files need to be submitted for analysis (showing under "Collect" in the CFScript). You can just close the browser window and allow the scan to complete, as we will be assessing these locally.

Once the ComboFix scan completes, I would like you to locate the new zipped file on your desktop, called Submit [Date Time].zip, and go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select that zip file on your computer. You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.