I can't remove RootKit.0access.h

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by oldreb, Mar 8, 2012.

  1. oldreb

    oldreb Private E-2

    Hello all

    First let me say that this is on my sister-in-law's computer. Her husband passed away a few years ago and not long after her son passed away so I have been doing all that I can to help her including trying to fix this computer for her.

    The first thing I did was run Malwarebytes, which found the RootKit but did not remove it.
    So I did some reading and found software called tdsskiller and ran it, and it found the RootKit. After restarting the computer and running scans again, they found nothing.
    So I thought the computer was clear, but now it will not connect to the internet and seems to be even slower than it was before.

    So I found this site and started reading. I downloaded all of the software that you guys recommended. I installed SuperAntiSpyware but when I try to run it it will not open. So I downloaded the portable version and tried but still can not get it to run.

    I tried Malwarebytes again and it will start but I can not download the updates because the computer will not connect to the internet.

    So I thought I should stop there and post this to see what you guys recommend.

    I don't know much about this computer except that it's old, like a Pentium 4.

    Thanks ahead for any help you guys can give me on this.
     
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, oldreb!

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)
     
  3. oldreb

    oldreb Private E-2

    Hello and thanks

    Here are the files in order

    Oops, it says that the RKreport file is too big, so I had to split it into five parts.
     

    Attached Files:

  4. oldreb

    oldreb Private E-2

    Here are the rest of the RKreport files
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Code:
    ¤¤¤ Registry Entries: 17039 ¤¤¤
    Wow!

    __

    Scan with RogueKiller again, and then press the Delete button when the scan is finished.
    I do not need the log(s).

    Afterwards, let's try to remove the bulk of this by having you scan with the below:

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  6. oldreb

    oldreb Private E-2

    I don't see anything in the menu about "Repair your computer".

    What I see is listed below.

    Safe Mode
    Safe Mode with Networking
    Safe Mode with Command Prompt

    Enable Boot Logging
    Enable VGA Mode
    Last Known Good Configuration (your most recent settings that worked)
    Directory Services Restore Mode (Windows domain controllers only)
    Debugging Mode
    Disable automatic restart on system failure

    Start Windows Normally
    Reboot
    Return to OS Choices Menu
     
  7. thisisu

    thisisu Malware Consultant

    I apologize, I did not realize you were on WinXP.

    Boot into Windows Normally and start the below scan:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
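The /md5start ... /md5stop section of the scan above asks OTL to hash a handful of core system files, the kind of file this sort of rootkit can patch in place while keeping the name and size intact. The PowerShell script below is an added example, not part of this thread and not OTL's own code: it computes MD5 (so the values can be compared with what OTL reports) and SHA256 for the same six files and shows each file's Authenticode status. It assumes Windows PowerShell 2.0 or later run from an elevated prompt, and uses the .NET hash classes because Get-FileHash only exists in PowerShell 4.0 and later. One caveat: on Windows XP most inbox system files are catalog-signed rather than embedded-signed, and older versions of Get-AuthenticodeSignature do not consult catalogs, so a NotSigned result there is supporting evidence only; the decisive check is a hash that differs from a known-good copy of the file.

```powershell
# Added example (not from the thread or from OTL): hash and signature report
# for the system files named in the OTL /md5start list above.
# Assumes Windows PowerShell 2.0+ running elevated; paths are built from
# %windir% rather than hard-coding C:\Windows.

$system32 = Join-Path $env:windir 'system32'
$filesToCheck = @(
    (Join-Path $system32 'drivers\afd.sys'),
    (Join-Path $system32 'drivers\i8042prt.sys'),
    (Join-Path $system32 'drivers\ipsec.sys'),
    (Join-Path $system32 'drivers\netbt.sys'),
    (Join-Path $system32 'svchost.exe'),
    (Join-Path $system32 'drivers\tcpip.sys')
)

function Get-HexHash {
    param([string]$Path, [string]$Algorithm)
    # Stream the file through the .NET hash provider so the whole file
    # is never read into memory at once. 'MD5' and 'SHA256' are both
    # valid names for HashAlgorithm.Create on .NET 2.0 and later.
    $provider = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $provider.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

function Get-SystemFileReport {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            # A missing core file is itself worth noting; report it and move on.
            New-Object PSObject -Property @{
                File = $path; MD5 = ''; SHA256 = ''; Signature = 'FILE MISSING'; Signer = '' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            File      = $path
            MD5       = Get-HexHash -Path $path -Algorithm 'MD5'
            SHA256    = Get-HexHash -Path $path -Algorithm 'SHA256'
            Signature = [string]$sig.Status
            Signer    = $signer
        }
    }
}

# Files whose MD5 differs from OTL's value for a clean copy, or whose signer
# is not Microsoft, are the ones to look at more closely.
Get-SystemFileReport -Paths $filesToCheck |
    Format-Table -Property File, Signature, MD5, Signer -AutoSize -Wrap
```

The SHA256 column is computed as well and is available on each returned object (pipe into `Select-Object File, SHA256` instead of the Format-Table call) for comparison against a current, known-good copy of the file from install media or a service-pack cache.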
     
  8. oldreb

    oldreb Private E-2

    Okay here is the report file.

    It also created a file called Extras.txt, so if you need it let me know and I'll post it.

    Oh wow here we go again the file was too large so I had to split it.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    I would prefer if you ran this fix while in Safe Mode for the highest chance of success.
    See: How to start your computer in Safe mode

    Attached is OTLfix.txt
    Download this and transfer it to the computer with the issue.

    Now reopen OTL.
    Then drag OTLfix.txt into the Custom Scans/Fixes text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Let me know if your internet was restored with this fix as it may change what tool we use next.
     

    Attached Files:

  10. oldreb

    oldreb Private E-2

    Yes the internet is working again.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Great. :)

    Now refer back to the Windows XP Malware Removal/Cleaning Procedure
    Complete as many steps here as possible and let me know if you are still having problems.
    Remember to update the programs specified to the latest versions since you have internet access now.
     
  12. oldreb

    oldreb Private E-2

    Okay everything seems okay now but I will not count on that until you say all is clean.

    Here are the logs
     

    Attached Files:

  13. oldreb

    oldreb Private E-2

    Here is the MGlogs zip
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • ALOT Toolbar
    • Ask Toolbar
    • Dogpile Bundle Toolbar
    • Java(TM) 6 Update 30
    • MapNeto 1 Toolbar
    • SpeedyPC Pro
    • TranslatorBar 1.2 Toolbar

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :processes
    killallprocesses
    :files
    c:\program files\AskBarDis /d
    c:\program files\Dogpile Bundle Toolbar /d
    c:\program files\MapNeto_1 /d
    c:\windows\Tasks\SpeedyPC*.job
    c:\program files\SpeedyPC Software /d
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{1e7e4de1-5ef4-4baa-9250-c26258dc499a}"=-
    "{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}"=-
    [-HKEY_CLASSES_ROOT\clsid\{1e7e4de1-5ef4-4baa-9250-c26258dc499a}]
    [-HKEY_CLASSES_ROOT\clsid\{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}]
    [-HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{C766F9AD-E91E-43DE-91DC-D007680ED4AF}]
    [-HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1e7e4de1-5ef4-4baa-9250-c26258dc499a}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
    "{548f6736-8fe4-4680-82f2-170d6c07e1d2}"=-
    "{1e7e4de1-5ef4-4baa-9250-c26258dc499a}"=-
    "{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"=-
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [-HKEY_CLASSES_ROOT\clsid\{548f6736-8fe4-4680-82f2-170d6c07e1d2}]
    [-HKEY_CLASSES_ROOT\clsid\{1e7e4de1-5ef4-4baa-9250-c26258dc499a}]
    [-HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
    [-HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
    [-HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
    "{548F6736-8FE4-4680-82F2-170D6C07E1D2}"=-
    "{1E7E4DE1-5EF4-4BAA-9250-C26258DC499A}"=-
    "{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"=-
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [-HKEY_CLASSES_ROOT\clsid\{548f6736-8fe4-4680-82f2-170d6c07e1d2}]
    [-HKEY_CLASSES_ROOT\clsid\{1e7e4de1-5ef4-4baa-9250-c26258dc499a}]
    [-HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
    [-HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
    [-HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{548f6736-8fe4-4680-82f2-170d6c07e1d2}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{36377DD7-B3EB-42f5-986F-680BAF59BA9D}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u3-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
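The :reg section of the fix above removes toolbar, Browser Helper Object, URLSearchHook and SearchScope registrations by CLSID. The PowerShell script below is an added example, not from this thread and not OTL's own code: it inventories those same Internet Explorer registration points read-only, resolves each CLSID to the DLL that IE would load (the default value of HKCR\CLSID\{guid}\InprocServer32) and reports that DLL's Authenticode status, so a helper can see exactly what is registered before deciding what to remove. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; "NotSigned" here means no embedded signature, and for third-party toolbar DLLs that is normally the relevant question.

```powershell
# Added example (not from the thread or from OTL): read-only inventory of the
# Internet Explorer extension points that the :reg fix above clears.
# Assumes Windows PowerShell 2.0+ running elevated. Nothing is modified.

$guidPattern = '^\{[0-9A-Fa-f\-]{36}\}$'

function Get-ClsidDll {
    param([string]$Clsid)
    # The in-process server (the DLL IE loads) is the default value of
    # HKCR\CLSID\{guid}\InprocServer32; it may contain %SystemRoot%-style variables.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key).'(default)'
    if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
    return $null
}

function Get-SignatureSummary {
    param([string]$Path)
    # A CLSID with no resolvable DLL is a dangling registration, also worth knowing.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'DLL MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "Valid ($($sig.SignerCertificate.Subject))" }
    return [string]$sig.Status
}

function Get-IeExtensionInventory {
    $rows = @()

    # Style 1: one subkey per CLSID (BHOs; SearchScopes, which point at a URL, not a DLL).
    $subkeyPoints = @{
        'BHO'               = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        'SearchScope(HKLM)' = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
        'SearchScope(HKCU)' = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    }
    # Style 2: one value named by CLSID under a single key.
    $valuePoints = @{
        'Toolbar'       = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
        'Webbrowser'    = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser'
        'URLSearchHook' = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    }

    foreach ($kind in $subkeyPoints.Keys) {
        $base = $subkeyPoints[$kind]
        if (-not (Test-Path -Path $base)) { continue }
        foreach ($sub in Get-ChildItem -Path $base) {
            $id = $sub.PSChildName
            if ($id -notmatch $guidPattern) { continue }
            if ($kind -like 'SearchScope*') {
                $props = Get-ItemProperty -Path $sub.PSPath
                $rows += New-Object PSObject -Property @{
                    Kind = $kind; Clsid = $id; Target = $props.URL; Detail = $props.DisplayName }
            } else {
                $dll = Get-ClsidDll -Clsid $id
                $rows += New-Object PSObject -Property @{
                    Kind = $kind; Clsid = $id; Target = $dll; Detail = (Get-SignatureSummary -Path $dll) }
            }
        }
    }

    foreach ($kind in $valuePoints.Keys) {
        $base = $valuePoints[$kind]
        if (-not (Test-Path -Path $base)) { continue }
        # Only GUID-named values are registrations; keys like Toolbar also hold
        # unrelated values (for example "Locked") that are skipped here.
        foreach ($name in (Get-Item -Path $base).GetValueNames()) {
            if ($name -notmatch $guidPattern) { continue }
            $dll = Get-ClsidDll -Clsid $name
            $rows += New-Object PSObject -Property @{
                Kind = $kind; Clsid = $name; Target = $dll; Detail = (Get-SignatureSummary -Path $dll) }
        }
    }
    return $rows
}

Get-IeExtensionInventory | Sort-Object Kind, Clsid |
    Format-Table -Property Kind, Clsid, Target, Detail -AutoSize -Wrap
```

Each row's Clsid can be matched directly against the GUIDs in the OTL :reg section; a DLL under a vendor folder such as the ones listed in the :files section, or a "DLL MISSING" entry left behind by a half-removed toolbar, is what you would expect to see before the fix and should be gone from the inventory after it.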
     
  15. oldreb

    oldreb Private E-2

    Here are the logs
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    These look good ;)

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  17. oldreb

    oldreb Private E-2

    It's running like a new one now. :-D

    That family has really had some bad times the past few years so I try to help as much as I can but I couldn't do anything with this RootKit virus so I really do appreciate all of your help with this.
     
  18. thisisu

    thisisu Malware Consultant

    I'm glad I could help :)
     
