No Windows Update After Zero Access Rootkit

Hello,

After a couple of missed starts I completed READ & RUN ME FIRST.

The logs are attached, and this is my story.

A buddy asked me to look at his computer after attempting to run an update on McAfee Enterprise returned an error. I guessed he had a virus and Google'd to find it was likely Zero Access Rootkit. I used TDSS killer to get rid of it and followed up with Malware Bytes. Each of these required multiple runs to complete without issue.

16 updates were queued from Windows Update, but it would not run. It would return with error 80096001. I tried many times, and on some attempts it did report that eight were downloaded. On these occasion, Install updates was a shutdown option, and Windows indicated that it was installing the updates during the shutdown process. But after restarting they were not installed. I ran the Fix it program from MS troubleshooting site, but that had no success. Windows update no longer appears functional at all.

I then attempted to run a system restore, but windows reported there were no saved restore points.

At this point I started with the instructions from this forum. On the first run, SAS found 125 threats most of which were in the critical section. Unfortunately I ran the portable version and lost the log on reboot. I then installed SAS to at least get a clean log.

MBAM ran with nothing to report.

ComboFix ran for an hour, but gave no indication of a completed step. I assumed it had gotten hung up on something and killed it.

Shortly thereafter I realized I had skipped over the msconfig instruction, and the system was not set to boot normally. So I uninstalled ComboFix and started over with a normal boot.

I Disabled Avast.

Again SAS and MBAM ran with nothing to report.

Again ComboFix ran for an hour same as above.

RootRepeal: Nothing to note.

MGTools:
I see it listing directories that are reported as having too long a name. c:\Windows\{$NtUninstallKb41927$ or System32\config}\systemprofile\AppData\local\{Application Data (11x)}\...

An Error occurred in HijackThis. I clicked yes to report. IE opened. It appeared as if it was first run, But could not connect. Closed IE. Clicked accept again in HijackThis, and the script continued.

This is where I left the system. I did not uninstall ComboFix after the recent failed run.

Thank you for the help.

Regards,
Brian

 

I ran many of the fixes on MS support site notably 822798 and 971058 step by step rather that the fixme utility. This did not appear to help.

I then tried tweaking.com Windows Repair again. I selected the options that seemed pertinent and ran it with AV disabled. (unfortunately i did not note the options, and I don't see a log.)

There was no apparent change at first after reboot, but when I rebooted again I noticed that the option to install update was available again. When I finished the reboot Windows update looked normal.

I'm not sure which action or combination did the trick.

Thanks for the helpful forum.

Regards,
Brian

 

Hi and welcome to Major Geeks, Brain!

Do you still need assistance?

 

I don't think so. Windows Update seems to be working as expected.

Thank you.

Regards,
Brian

 

No problem. Surf safely!