Rootkit scan ruined starting Windows 7 Ultimate [Solved]

Rootkit scan Win 7 sign-in screen

#31 mtnester (Topic Starter, Member, 81 posts)

Should I leave "Create a bootable disk using ISO image" checkmarked? If so, I have to choose an image. My choices are FRST and recdisc.iso. Not sure since you had me download an ISO file.

Thanks.


#32 mtnester (Topic Starter, Member, 81 posts)

Dakeyras,

I'm sorry to say the USB did not work for the reason that the files were not compatible with my version of Windows (Ultimate).

This is the error message that came up:

[Screenshot: Sys Rec Op not avail.jpg]

Is there anything else to be done?


#33 Dakeyras (Expert, Anti-Malware Mammoth, 9,684 posts)

Hi. :)

My sincere apologies for the delay...

OK, we will merely use a different ISO file I located in my personal backups (Win7 x64 RE). I will send you a PM in due course with the download link. Once downloaded, use it to recreate a new System Repair USB Drive as outlined in post #28.

#34 mtnester (Topic Starter, Member, 81 posts)

No problems re: the delay. I'm trying to keep up with things on here, but truthfully the last 2 weeks we've been 850 miles from home to be by the side of a beloved family member who passed a couple of nights ago, so we are in the throes of those American "rituals" involved with his passing. We are happy he is with God, but grieve for his passing. That being said, there are WAY too many family members and friends constantly in attendance from all over the US, so I'm glad for an excuse to remove myself temporarily on occasion.

 

Please forgive my ignorance, but how will I know there is a PM and where will it be? My email account? Thanks.


#35 mtnester (Topic Starter, Member, 81 posts)

Hi,

I am wondering why what seems to be a simple task turns into a major event when I try to do it. (Grr.) I downloaded the file to my desktop and according to Post #28 inserted my USB stick to reformat and redownload Rufus using the new ISO file you sent. Unfortunately, the stick won't reformat. When I attempt to do so, nothing happens. When I try to view the files on the stick I get an error notice:

[Screenshot: insert disk.jpg]

How do I get around that, please?


#36 Dakeyras (Expert, Anti-Malware Mammoth, 9,684 posts)

Hi. :)

> beloved family member who passed a couple of nights ago

My sincere condolences.

> I am wondering why what seems to be a simple task turns into a major event when I try to do it.

Not a problem and do not worry about it, these things happen.

OK, remove the USB drive and reboot the machine in use. Then re-insert and format the USB drive first before using Rufus to burn the new ISO file etc.

#37 mtnester (Topic Starter, Member, 81 posts)

Hi,

Two steps forward, one step back--or something like that. The good news: I was successful in running FRST64 this time. The bad news: I received an error message when I selected "Fix." Here's the screenshot that resulted.

[Screenshot: sreenshot 001.jpg]

And all that was in the fixlist.txt file was this: LastRegBack: 2015-01-27 14:23

Also, I was unsuccessful in booting into normal mode any further than I was able to from the beginning, which is to say a blank Welcome screen--nothing on it. At least the color is much prettier than a BSOD. LOL

What else can I try?

#38 Dakeyras (Expert, Anti-Malware Mammoth, 9,684 posts)

Hi. :)

Is the fixlist in the same location as FRST64 on the USB drive, and not, say, within a folder on the drive? Please check the contents of the USB drive for me; it should look like this:

[Screenshot: SRUSBDC.gif]

If it is not, ensure fixlist is on the drive per the above screenshot; if it is, merely reboot and try again please.

#39 mtnester (Topic Starter, Member, 81 posts)

Hi Dakeyras,

Hurray!! I think we finally got somewhere.

My USB stick looked like this:

[Screenshot: Repair drive Win 7 64-bit.jpg]

> The tool will make a log on the usb drive (Fixlog.txt). Please copy and paste the contents of the aforementioned notepad file in your next reply.

I was successful this time in running FRST and selecting Fix (I did the same things as before when it would not work, so go figure.)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by SYSTEM at 2015-03-27 06:46:51 Run:2
Running from e:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
LastRegBack: 2015-01-27 14:23
*****************

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog 06:46:59 ====

And YES (!!!) the machine booted up normally. I do keep getting an error message about there being no local files, however. Not sure what that means.
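
The Fixlog above shows what FRST's LastRegBack: directive actually does: each of the five hives under System32\config is copied aside to HiveBackup and then overwritten with the copy Windows keeps in System32\config\RegBack (the timestamp on the directive is the date of the last RegBack backup FRST found). The PowerShell script below is an added example, not FRST's code and not part of this thread; it performs the same hive swap by hand against an offline Windows installation, with a dry run via -WhatIf. The paths (D:\Windows as the offline install seen from WinRE) and the script name Restore-RegBack.ps1 are assumptions.

```powershell
# Added example (not FRST's code): do by hand what FRST's "LastRegBack:" directive
# did in the Fixlog above, against an OFFLINE Windows installation (boot WinRE or a
# System Repair disc first; a booted Windows holds its own hives locked).
# Assumptions: the offline install is visible as D:\Windows; saved as Restore-RegBack.ps1.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$WindowsDir = 'D:\Windows',
    # The five hives the Fixlog shows being backed up and restored.
    [string[]]$Hives = @('DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM')
)
$ErrorActionPreference = 'Stop'   # a half-swapped set of hives is worse than no swap

$config  = Join-Path $WindowsDir 'System32\config'
$regBack = Join-Path $config 'RegBack'
$backup  = Join-Path $config 'HiveBackup'

# 1. Inventory: what is live, what is in RegBack, and is the backup actually usable?
#    A 0-byte RegBack hive is not (Windows 10 1803+ leaves RegBack empty by default).
$report = foreach ($h in $Hives) {
    $live = Get-Item -LiteralPath (Join-Path $config  $h) -ErrorAction SilentlyContinue
    $bak  = Get-Item -LiteralPath (Join-Path $regBack $h) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive           = $h
        LiveBytes      = if ($live) { $live.Length } else { $null }
        RegBackBytes   = if ($bak)  { $bak.Length }  else { $null }
        RegBackWritten = if ($bak)  { $bak.LastWriteTime } else { $null }
        Usable         = [bool]($live -and $bak -and $bak.Length -gt 0)
    }
}
$report | Format-Table -AutoSize

$unusable = @($report | Where-Object { -not $_.Usable })
if ($unusable.Count -gt 0) {
    Write-Warning ("No usable RegBack copy for: " + ($unusable.Hive -join ', ') + ". Nothing changed.")
    return
}

# 2. Same order as the Fixlog: copy each live hive to HiveBackup, then overwrite it
#    with the RegBack copy. -WhatIf previews; -Confirm prompts per hive.
New-Item -ItemType Directory -Path $backup -Force | Out-Null
foreach ($h in $Hives) {
    $src = Join-Path $regBack $h
    $dst = Join-Path $config  $h
    if ($PSCmdlet.ShouldProcess($dst, "Replace with RegBack copy $src")) {
        Copy-Item -LiteralPath $dst -Destination (Join-Path $backup $h) -Force
        Copy-Item -LiteralPath $src -Destination $dst -Force
        "$h hive copied to HiveBackup and restored from RegBack"
    }
}
```

Preview with .\Restore-RegBack.ps1 -WindowsDir D:\Windows -WhatIf, then run it again without -WhatIf. Two things a practitioner checks before doing this: the hives must belong to an offline Windows (they are locked while that installation is booted, which is why FRST was run from the repair USB), and RegBack is only a point-in-time copy, so any driver, service or software registration made after its date is gone once the swap is made; the size check above also catches the empty RegBack folder that Windows 10 1803 and later ship with.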

#40 Dakeyras (Expert, Anti-Malware Mammoth, 9,684 posts)

Hi. :)

> And YES (!!!) the machine booted up normally.

Good.

> I do keep getting an error message about there being no local files, however. Not sure what that means.

Acknowledged, and let's proceed as follows, shall we...

Boot the machine up into Normal Mode, then carry out the below scans for me so I can ascertain the current state of the machine.

Scan with TDSSKiller:

Please download TDSSKiller to the desktop.

Alternate download is here.
  • Right-click on TDSSKiller.exe and select Run as Administrator to start the program and follow the prompts.
  • When the main GUI (graphical user interface) window opens, click on Change Parameters
  • Under Additional options, select both Verify driver digital signatures & Detect TDLFS File System >> OK
  • Click on Start Scan, the scan will run.
  • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
  • A Report will have been created by TDSSKiller in your root directory C:\
  • To find the log go to Start (Windows 7 Orb) > Computer > C: >> TDSSKiller.V.V.V.VV_DD.DD.YYYY_TT.TT.TT_log <-- The letters denote the version and date & time etc.
  • Post the contents of that log in your next reply please.
Note: Do not have TDSSKiller remove anything if found at this point in time!

Scan with Farbar Recovery Scan Tool:

Please download and save Farbar Recovery Scan Tool 64-Bit to the desktop.
  • Right-click on FRST.exe and select Run as Administrator to start FRST >> follow the prompt/click on Yes
  • After the tool has checked for any updates/backed up the registry and "The tool is ready to use" is shown:
  • Under Optional Scan ensure both Drivers MD5 and Addition.txt are selected.
  • Now click on the Scan button/radio tab >> at the Scan completed prompt click on OK
  • At the next prompt denoting Addition.txt is saved in the same location FRST tool is run >> click on OK
  • There will now be two logs on your desktop, Addition.txt and FRST.txt. Post the contents of both in your next reply.
Next:

When completed the above, please post back the following in the order asked for:
  • How is your computer performing now, any further symptoms and or problems encountered?
  • TDSSKiller Log.
  • Both FRST logs. <-- Post them individually please, IE: one Log per post/reply.

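The TDSSKiller option "Verify driver digital signatures" requested above can be reproduced read-only with built-in cmdlets, which helps when reading what the scanner's report is flagging. The function below is an added example, not TDSSKiller's code and not part of this thread. It assumes Windows PowerShell 3.0 or later run as Administrator on the live machine; the function name and the Suspicious heuristic are mine.

```powershell
# Added example (not TDSSKiller's own code): a read-only, by-hand version of the
# "Verify driver digital signatures" check, using built-in cmdlets on a live
# Windows system (assumes Windows PowerShell 3.0 or later, run elevated).
# Nothing is removed or changed; it only reports, like the scan-then-Skip step above.
function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Service states to inspect; a loaded rootkit driver is normally 'Running'.
        [string[]]$State = @('Running')
    )

    $sysRoot = $env:SystemRoot

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -in $State } |
        ForEach-Object {
            # Service image paths come in several shapes (\??\C:\..., \SystemRoot\...,
            # system32\drivers\...); normalise each to a plain Win32 path.
            $path = $_.PathName
            if ($path) {
                $path = $path -replace '^\\\?\?\\', ''
                $path = $path -replace '^\\SystemRoot\\', "$sysRoot\"
                $path = $path -replace '^system32\\', "$sysRoot\System32\"
                if (-not [System.IO.Path]::IsPathRooted($path)) {
                    $path = Join-Path $sysRoot $path
                }
            }

            $exists = [bool]($path -and (Test-Path -LiteralPath $path))
            $status = 'FileMissing'
            $signer = $null
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $status = [string]$sig.Status      # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                Name       = $_.Name
                State      = $_.State
                Path       = $path
                Status     = $status
                Signer     = $signer
                # A running driver whose file cannot be found, or whose signature does
                # not verify, is what a rootkit scanner singles out for a closer look.
                Suspicious = ($status -ne 'Valid')
            }
        }
}

# Usage: show only what needs a human decision, and keep the full report for the reply.
Get-DriverSignatureReport | Where-Object Suspicious | Format-Table Name, Status, Signer, Path -AutoSize
Get-DriverSignatureReport | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\driver-signatures.csv"
```

Like the scan-then-Skip step, this changes nothing on the machine. Two caveats: Get-AuthenticodeSignature verifies embedded signatures and, on recent Windows PowerShell, catalog signatures, so on an older build a Microsoft driver that is only catalog-signed may come back NotSigned and needs a second tool before judging; and a driver that hides its file from the filesystem shows here as FileMissing for a Running service, which is exactly the kind of discrepancy to paste into a reply rather than act on alone.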

#41 mtnester (Topic Starter, Member, 81 posts)

Hi,

> How is your computer performing now, any further symptoms and or problems encountered?

I am happy to report that although I have not had a chance to do much, things seem to be working well at this time.

> TDSSKiller Log.

Attached File: TDSSKiller.3.0.0.44_29.03.2015_00.34.02_log.txt (197.55KB)

> Both FRST logs. <-- Post them individually please, IE: one Log per post/reply.

Attached File: FRST.txt (45.72KB)

Attached File: Addition.txt (26.65KB)

How are things looking to you? Thanks!

#42 Dakeyras (Expert, Anti-Malware Mammoth, 9,684 posts)

Hi. :)

> How are things looking to you? Thanks!

A fair few things to address and check etc. in due course, and you are most welcome!

Also please refrain from attaching any logs I request unless otherwise advised. Mainly because this is also a teaching forum and it would be an aid for the trainees to be able to review the logs, thank you.

Temp' Disable Windows Defender:

This is so it will not hinder the Malware Removal process. A graphical tutorial explaining how this can be implemented can be viewed here.

You may re-enable this when I give the all clear, though personally I would leave it disabled as it is not a particularly effective application and unfortunately it cannot be uninstalled because it is an integral part of the Windows 7 Operating System.

Java Advice:

There has been a recent severe exploitation of this software. Even though this exploit has been reportedly fixed there is still a vulnerability with the software; the below is currently all that is installed Java-related:

Java 7 Update 67
Java 8 Update 25

So you need to uninstall all of the above out of date versions (if still present, via Uninstall a program or Programs and Features located in the Control Panel)... Your choice if you wish to go ahead and reinstall, but as mentioned I advise against it and for the present I do not even have anything Java related installed on my machines.

Please let me know what you wish to do about this in your next reply, and if you opt to re-install I will provide both the appropriate instructions and safety advice etc.

Custom FRST Script:

Please download the attached fixlist.txt (see below) and save to the desktop.

  • Now right-click on FRST.exe and select Run as Administrator to start FRST.
  • Then click on the Fix button/radio tab >> at the Fix completed prompt click on OK
  • Your machine should now automatically reboot itself.
  • Post the contents of the newly created Fixlog in your next reply.
Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.

Scan with AdwCleaner:

Please download AdwCleaner from here and save to your desktop.
  • Right-click on adwcleaner.exe and select Run as Administrator to launch the application.
  • Now click on the Scan tab >> once the scan is complete click on the Cleaning tab and follow the prompts.
  • Allow the system to reboot. You will then be presented with the report. Copy & Paste this report into your next reply.
Note: The log can also be located at C: >> AdwCleaner >> AdwCleaner[S0].txt

Next:

When completed the above, please post back the following in the order asked for:
  • Your decision to reinstall Java or not.
  • Fixlog from the Custom FRST Script.
  • AdwCleaner Log.

#43 mtnester (Topic Starter, Member, 81 posts)

Hi Dakeyras,

First, I do not plan to reinstall Java at this time. I believe I have come across a website or two in the past that required Java in order to work properly, but I do not believe they were/are sites that I visit on a regular basis. I do not know whether I have any programs currently that require it. Also, it looks like you are recommending that I not use Windows Defender; therefore I will not re-enable it.

I have performed the steps requested, but before posting anything I am a bit confused by one of your statements and need a little clarification.

> Also please refrain from attaching any logs I request unless otherwise advised. Mainly because this is also a teaching forum and it would be an aid for the trainees to be able to review the logs, thank you.

I understand this to mean that you might request a log but that I should not post it unless you specifically tell me to. Therefore, in my next post I should publish only

  • Fixlog from the Custom FRST Script.
  • AdwCleaner Log.

Is this correct?

Thank you.

#44 Dakeyras (Expert, Anti-Malware Mammoth, 9,684 posts)

Hi. :)

> I do not plan to reinstall Java at this time.

Acknowledged, I will provide the appropriate instructions once your machine appears to be malware free.

> Also, it looks like you are recommending that I not use Windows Defender; therefore I will not re-enable it.

As mentioned prior, you can re-enable it if you so wish after I give the all clear, as long as it remains disabled for the duration of the malware removal process.

> Is this correct?

Not quite, I was merely asking that you post the contents of any logs I request rather than attach them.

#45 mtnester (Topic Starter, Member, 81 posts)

Hi,

 

Okay, now I have it. Thank you, and my apologies for a temporarily non-functioning brain. I am in the midst of traveling and the computer with which you are helping me is not accessible at this time.

 

I should be able to respond with the proper logs within the next 24 hours.

