About RBlackhall

  1. Hello, Arthur. Things appear to be ok. I reinstalled AVG and ran a full scan. It found one file it didn't like (C:\Windows\winsxs\x86_...\afd.sys) which it said was a "Trojan horse PSW.Agent.ASTO" and it quarantined. I rebooted and reran the full scan a few hours later and nothing shows up. I'm hoping this means everything is clean. I deleted all the recent backups and took a couple full-system backups. All seems well. To fix the unable to find "Status.msi" problem, I reinstalled the HP Printer software. That problem has cleared up. To fix the missing "hookdll.dll" problem, I uninstalled TMMonitor. I will finish fixing this later. Repeated boots seem clean now. I believe the computer was infected some time ago. The system had anti-virus (McAfee) at the time, but it was silently quarantining the viruses. I found 80,000+ McAfee quarantined entries when I was cleaning up files this week. I gave the user of the computer a rather stern and lengthy lecture about NOT EVER disabling anti-virus, even if it is taking a lot of the processor. This is where things probably went bad -- during the times the user had shut anti-virus off. Having to do without the computer a few days reinforced my argument to the user that disabling anti-virus leads to severe consequences. When we recently switched to AVG, I believe it was already too late. Arthur, I appreciate your assistance in getting rid of all the problems. Thank you!
  2. Much better. Desktop and Internet access are back.
  3. Lost Desktop, lost internet access and have Hookdll.dll missing popup. Attaching Combofix.txt and picture of "desktop" via USB drive on another machine. Just caught window in bottom right saying Failed to Connect to Group Policy Client service.
  4. I cut pasted the lines you gave me into a notepad and dropped it onto Combofix, as requested. New log attached.
  5. I clicked Add-reply before it was done uploading. It is attached now.
  6. That ran a good, long, while. The report.log result is attached.
  7. Thank you, I have internet access on that system again. I still have the STATUS.MSI install popup boxes. There was also a popup box TMController.exe System Error "The program can't start because Hookdll.dll is missing from your computer" I forgot to mention this last time. I also have something new -- WINDOWS SECURITY ALERT - Windows Firewall has blocked some features of this program ... Akamai Netsession Client What's the next step?
  8. I did as you asked -- booted into recovery console, deleted and copied the file you requested. After reboot, I no longer have internet access again. I downloaded Combofix on another computer and loaded it to the desktop via USB drive. I am still getting the popup to install STATUS. I attached a screen print of that. If I click CANCEL it pops up again. Over and over. I ran Combofix again. It detected zeroaccess and asked to reboot. After reboot, it ran a while and produced a log, which I've attached, as well.
  9. Ok, Arthur, I have done as you asked. The report is attached. (still have the hanging INSTALL box open from yesterday asking me where to find status.msi -- maybe that is holding up the virus for a bit)
  10. I believe I have some good news. I downloaded combofix to a USB drive and copied it to the problem system (no internet access). I ran Combofix and it reported "You are infected with Rootkit.zeroaccess! ...." It rebooted. Tried to logon 'ADAM' user, and it said "User PROFILE SERVICE FAILED THE LOGON", etc with an OK box, which I clicked. Then it logged on and I got a blue combo-fix box -- Combofix is preparing to run. Then it ran stage_1 through stage_50 and listed out a ton of files. Then it said it was rebooting and "Tried to write to a nonexistant pipe". After the reboot, got a Combofix box saying "do not run any programs until Combofix has finished". While it was running, the Windows Installer ran and installed something. Also, a windows box popped up labeled "STATUS" saying "The feature you are trying to use is on a network resource that is unavailable." Click OK to try again or enter an alternate path to a folder containing the installation package "status.msi" in the box below. filename box user source: C:\Users\Adam\AppData\Local\Temp\7Zs%DB4 .... can read rest. That box is still on the screen --- I haven't clicked OK or Cancel yet. The Combofix seemed to end. It said "Combo Fixes' Log shall be located at C:\combofix.txt" and the file popped up in Notepad. The Internet works again through my wireless device, and I'm replying on the infected machine. I'm attaching the combofix.txt to this reply.
  11. Sorry, Arthur, I didn't mean to spell your name wrong (I just noticed).
  12. Hello, Auther. I ran TDSSKILLER. It found two things, VIRUS.WIN32.ZACCESS.K and ROOTKIT.BOOT.PIHAR.B. After it rebooted I was not able to properly log on. I got a sparse desktop and a balloon that said "failed to connect to a window service" or similar. It went away before I could capture it all. Something about the USER PROFILE SERVICE not working. I went to SERVICES, and USER PROFILE SERVICE was started, so I logged off and was able to then log back on to the ADAM userid successfully. Now, TDSSKILLER shows VIRUS.WIN32.ZACCESS.C and I have lost internet connection on that computer. Awaiting the next round of instructions.