service safeboot c:\windows\system32\drivers\safeboot.sys **LOCKED** 32

[subzerobob]

this is my wife's computer. windows xp professional SP3
here is briefly what happened. after i threw everything at this: malwarebytes, ccleaner, superantispyware, and even deleted some things which windows defender found as trojans, the computer still wasn't connecting to windows updates and i couldn't install microsoft fix it. this was before i found out about this forum. So at that time [june 20th i believe] I decided to revert back to a previous date in the restore option under admin tools. That automatically fixed the windows update issue, but then other things seemed to be messed up like the volume button no longer displays the volume indicator on the screen. the volume goes up and down when you press the button but the green bars on the screen are gone. and similar things like that. I left it alone because my wife wants to continue to go to school and it is working so what the heck right? but now I am starting to notice other things like a window just came up that said something about security certificates - do you want to proceed "yes" or "no" and I clicked "no", and another one popped up even though i didn't have a browser open, "no" again and then another one, etc. until eventually it stopped. And I regret not capturing it with screen capture... microsoft fix it still won't install and windows defender seems like it is not updating itself now...

aswMBR says: service safeboot c:\windows\system32\drivers\safeboot.sys **LOCKED** 32

and computer seems to be running slower than before...
so I have decided to get going with this process, and I am very thankful and appreciative of you guys being here and helping us with this!

attached are MBAM, OTL and aswMBR logs
looking forward to working with you! Thanks again in advance!

[mikaelrask]

hey thanks for attaching the necessary logs. a malware expert will guide you from here but it might take a will for one to get on the forum.

[subzerobob]

it's been a long time now and I haven't got a reply. Just wondering if anyone is coming to help me?

[DavidR]

Sorry looks like this was missed.

A malware removal specialist has been informed of your topic.

[essexboy]

Hi there and sorry we missed you

Safeboot.sys is part of McAfees endpoint protection..  Did you have that on the computer at some stage ?

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks
• Allow the installation of the recovery console

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

THEN

run farbar service scanner



Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

[subzerobob]

regarding McAfee - no she never had that installed
one of the viruses she had, looked like antivirus program but it wasn't - it basically took over her entire system not letting you do anything...

now, I was able to screen capture the dialog box that is talking about the certificates. That is the first attachment.
Also when I ran Combo Fix it was trying to create a restore point but it said that the restore software wasn't installed and tried to connect to the internet but said that I wasn't connected, which I was, because I ran Chrome and Chrome was navigating to igoogle and google.com but super slow.

after Combo Fix was done it rebooted the computer and that is when the dialog box about the certificates popped-up again [after the reboot]. The second attachment is the first log that Combo Fix created.


after I ran FSS, and got that log [the third attachment] I decided to run Combo Fix one more time to see if this time it will do a restore point but the same thing happened - it said that I wasn't connected to the internet even though i clearly was connected [I verified that via browsing with Chrome]. the fourth attachment is the second log that Combo Fix created.

[essexboy]

Microsoft has messed up the location of the recovery console files so Combofix at this stage cannot download it

Do you have more than one user on the system ?  If so could you log onto another user and see if the same popups appear as this appears to be a user related logon problem

[subzerobob]

no i don't have any other users and I don't want to add any because i've had problems with xp in the past and the new users thing

but i can tell you that the certificates dialog box appeared only after I ran this services repair from this link [found it on ESET website] http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe
before that there wasn't any such problem.

but even before that I couldn't install microsoft fix it center tool either, it says "encountered error"
plus the internet [chrome browser wise] runs much slower on this machine than any other machine in the house.

It seems to me that for some reason the programs are not able to connect to the internet or something of that sort. Eventhough the browser can. Like windows defender for example also doesn't seem to update itself perhaps because it cannot connect to the internet...
see attached pictures for visuals taken in chronological order 1-3  and the 4th is MS fix it tool.


PS
 besides - why does combo fix say that there is no recovery software installed, when I clearly was able to use windows recovery to restore to a previous date...

[essexboy]

What does that file do as I can find no data on it ?

[essexboy]

Ok I have just run it on my VM

It produced a log in the CC support folder could you attach that...

On my VM it did mess with my services, telling me that they were broken when I knew they were not

[subzerobob]

sorry i don't know what is VM?
where is CC? what log am I looking for?
I have to go to work now... I will reply back in 8 hours.  plus take note above post I posted a PS.

[essexboy]

Recovery console and System restore are both different elements

I have a Virtual Machine (VM)  that runs XP as a guest system on my windows 7

Below is a screenshot of the repair tool and its associated folder with the log as shown on my VM desktop

[subzerobob]

oh, wow! that is awesome! 
ok, attached are the cc logs, thanks!

[essexboy]

From those logs it appears that you thought you had sirfef/zero access

There is no indication of that and none of the tools you used would have cleared it

However as we are looking at well over a month some items would not show within my 30 day scan limit

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[subzerobob]

...but we did the combofix thing in the previous steps above, and i posted two of the combofix logs « Reply #5 on: Yesterday at 05:08:38 AM »

do you still want me to run combofix again? that would be the third time...