No mouse or internet after rootkit (zero.access?)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shaman420, Dec 18, 2011.

  1. shaman420

    shaman420 Private E-2

    Hello, I have a WinXP SP3 machine that was (is?) infected with a rootkit.
    The mouse does not work and the internet connection doesn't either (wired or wireless).

    I have:
    disabled system restore
    ran combofix, otl, avenger, rootkitrevealer, hijackthis, lspfix, winsockfix, mbam
    I have also reset the stack using netsh and reset the hosts file as well.

    When I ran combofix, it detected a rootkit (unfortunately I didn't catch the name, but all the signs seem to point to Zero.Access). Combofix mentioned that the internet may not work (rootkit is embedded in tcpip stack), but to reboot, then run combofix again.

    I did this, but there has been no change.
    Malwarebytes detected a trojan and it was removed.

    I have attached the logs from the other programs.

    Currently, there is still NO MOUSE (usb or ps2) or internet connection.
    (I have a wired and wireless adapter, neither of which work.)
    Although I do have keyboard (usb) and a thumbdrive works too.

    I have never seen this before, it's really tough with no mouse.
    When I 1st plug the usb mouse in, it works for a second, then stops.
    I tried running rootkit unhooker, but I can't use it without a mouse.

    PLEASE HELP!!
    Aaron
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Will use ComboFix to add back in a missing IPsec registry key.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. thisisu

    thisisu Malware Consultant

    Code:
    i8042prt             FALSE    OK 
    For the mouse, attempt to type the following command from command prompt (Start -> run -> cmd) and let us know what appears:
    • net start i8042prt
     
  4. shaman420

    shaman420 Private E-2

    Thank you for your replies.

    Two things, first, how can I drag something without a mouse?

    Second, here is the error I get when running net start i8042prt

    system error 1058 has occurred

    the service cannot be started either because it is disabled or it has no enabled devices associated with it.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on additional checks of your logs, you have other services stopped that need to be running too. Had anyone been experimenting with disabling services to improve performance? Just doing a quick look, besides the i8042prt service I also see the below:
    Code:
    SSDPSRV                         FALSE    OK 
    upnphost                        FALSE    OK 
    See if you can use the below to start these:

    net start ssdpsrv
    net start upnphost

    Then see if the i8042prt will start.

    Have you tried using other user accounts on this PC. If not, try others and see if the mouse works.

    I also noticed in your first message you said you disabled System Restore. This was a bad idea. We never disable system restore until we are finished removing malware. You now have no ability to attempt using system restore to fix registry entries that may have been changed. Also you have no fallbacks if something goes wrong during malware removal. So at least turn system restore back on now so that you at least have the current state saved.


    Since you seem to be able to navigate around using your keyboard to perform various tasks, see if you can get the below file saved to this PC. If you can, then from Windows Explorer, navigate to the file using your keyboard and once you have the file selected, hit enter.

    fixserv.reg

    And allow it to be added to the registry. If you can accomplish this, then reboot and see where things stand.
     
  6. shaman420

    shaman420 Private E-2

    OK, I was finally able to drag the txt file over combofix.
    I also ran getlogs.bat - the logs are attached.

    Not sure about the other services, I did not stop any specifically.

    I tried to run those 2 commands, I got these errors..

    net start ssdpsrv -
    SSDP Discovery service could not be started.
    The service did not report an error.

    net start upnphost -
    System error 1068 has occurred
    The dependency service or group failed to start

    net start i8042prt -
    same error as before

    I then ran the .reg file and rebooted.
    BOTH WIRED AND WIRELESS ARE BACK!!

    I disabled system restore due to the idea that the malware can get backed up too, this way the restore files get purged. When I rebooted after running the .reg file, system restore was back on.

    So now I have internet.. I still have NO MOUSE..

    The logs are attached are from before the .reg file..

    THANK YOU!
    Now to get a mouse back...

    You guys are wizards.

  7. shaman420

    shaman420 Private E-2

    Update:

    OK, I ran net start ssdpsrv again and got a new error

    system error 2 has occurred
    the system cannot find the file specified.

    net start upnphost throws the same error.

    I booted into safe mode to get into the administrator account but still have no mouse.

    Should I run some of these tools again and re-post the logs?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but this is the wrong approach to take as shown in our cleaning procedures, contrary to what AV companies tell you to do. You should not do this until you have removed all malware and gotten your PC working properly. Those restore points, even if infected, are better than none at all, especially if/when something goes wrong. In fact one of them may have been able to fix your problems. Any infections reinstalled can always be removed again, especially when you use a forum like ours to help you.

    Okay so we have made a little progress getting your wired and wireless interfaces working which is good.
    I'm a little surprised at this though since your logs still show that IPsec, DHCP and other services are not running.

    If your mouse is working once in awhile, it is not sounding like a malware problem but rather a Windows problem. If services or drivers required for the mouse were broken or missing, it would be unlikely that it would work sometimes and not others. Are you sure you are not having a hardware problem with this mouse?

    See if you can bring up MSconfig and select Normal Startup as requested in step 4 of the READ & RUN ME FIRST. Then OK and then reboot your PC so that all the processes and services you disabled with MSconfig load properly.

    Then run C:\MGtools\GetLogs.bat by selecting it and hitting enter on your keyboard.

    Attach the new MGlogs.zip file.
     
  9. shaman420

    shaman420 Private E-2

    The logs in my last post were made BEFORE I ran the .reg file you provided.

    As far as the mouse issue, I have used multiple USB mice.
    When I reboot, I can plug one in, and as Windows finds and installs drivers, I get about 3 seconds of a mouse, then, it stops. I ONLY get mouse for those few seconds after plugging in the mouse.
    I was lucky enough to drag the CFscript over combofix during those 3 seconds.

    I have used multiple mice in multiple usb ports, they all do the same thing, I don't think it's a hardware issue with the mouse itself.
    The PS2 mouse has not worked at all since the infection.

    I also updated the chipset drivers during this as well. This board has both usb2 and usb3 ports. (in case the drivers were corrupted)

    I have set the startup to normal and ran the batch file.
    The logs are attached.

    Thank you again for your time and assistance.
    I really appreciate it.

  10. shaman420

    shaman420 Private E-2

    For the sake of more info, I also checked the BIOS and verified that usb and legacy devices were enabled.
    (I did this way before I posted in the 1st place.)

    For the record, you rock.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah! That explains it.

    Well what we have accomplished is the below. You can see which service/drivers are still not running and which we have fixed since starting.
    Code:
    Service states
    ================================
    ALG                  FALSE    OK        Fixed
    Dhcp                 FALSE    OK        Fixed
    Dnscache             FALSE    OK        Fixed
    Nla                  FALSE    OK        Fixed
    NVSvc                FALSE    OK        Fixed
    PolicyAgent          FALSE    OK        Fixed
    SharedAccess         FALSE    OK        Fixed
    SSDPSRV              FALSE    OK        Still not correct
    upnphost             FALSE    OK        Still not correct
    WebClient            TRUE     Degraded  Fixed

    Service Driver states
    ================================
    i8042prt             FALSE    OK        Still not correct
    IpFilterDriver       FALSE    OK        Still not correct
    IpNat                FALSE    OK        Fixed
    IPSec                FALSE    OK        Fixed
    Tcpip                FALSE    OK        Fixed
    The main ones inhibiting your mouse are i8042prt, SSDPSRV. The upnphost is dependent on SSDPSRV so it may start as soon as SSDPSRV is started.


    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1

    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      i8042prt.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system look for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
     
    Last edited: Dec 20, 2011
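    The service-state table quoted in the post above is the kind of report a helper reads by eye. The following is an added example, not code from the thread or from the MGtools scripts it mentions: it parses that table format, lists the required services that are not running, and separates root causes from services that are down only because a dependency is down (the thread states that upnphost depends on SSDPSRV; the Dhcp-on-Tcpip edge and the sample report are assumptions made for illustration).

    ```python
    # Added example: triage a service-state report in the format quoted in
    # the thread. Not the forum's or MGtools' own code.
    import re

    # Constructed sample report, mirroring the table layout in the post above.
    REPORT = """\
    Service states
    ================================
    Dhcp                 FALSE    OK
    Dnscache             TRUE     OK
    SSDPSRV              FALSE    OK
    upnphost             FALSE    OK
    WebClient            TRUE     Degraded

    Service Driver states
    ================================
    i8042prt             FALSE    OK
    Tcpip                TRUE     OK
    """

    # Dependencies: upnphost -> SSDPSRV is stated in the thread; the
    # Dhcp -> Tcpip edge is an assumption added for illustration.
    DEPENDS_ON = {
        "upnphost": ["SSDPSRV"],
        "Dhcp": ["Tcpip"],
    }

    # name, TRUE/FALSE, health word, optional trailing annotation (e.g. "Fixed")
    LINE = re.compile(r"^(\S+)\s+(TRUE|FALSE)\s+(\S+)(?:\s+.*)?$")


    def parse_report(text):
        """Return {name: (running, health)} for each table row; headers and
        separator lines do not match the pattern and are skipped."""
        states = {}
        for line in text.splitlines():
            m = LINE.match(line.strip())
            if m:
                states[m.group(1)] = (m.group(2) == "TRUE", m.group(3))
        return states


    def triage(states, required):
        """Split non-running required services into (root_causes, dependents).
        A service absent from the report is treated as not running. A service
        is a dependent when at least one of its dependencies is itself down,
        so it should not be started before that dependency."""
        down = [s for s in required if not states.get(s, (False, "missing"))[0]]
        root, dependent = [], []
        for s in down:
            (dependent if any(d in down for d in DEPENDS_ON.get(s, [])) else root).append(s)
        return sorted(root), sorted(dependent)


    if __name__ == "__main__":
        first, later = triage(parse_report(REPORT),
                              ["Dhcp", "Dnscache", "SSDPSRV", "upnphost", "i8042prt", "Tcpip"])
        print("start these first:", first)
        print("retry after the above:", later)
    ```
    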
  12. shaman420

    shaman420 Private E-2

    Here is that logfile...

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the search again and this time search for the filename I requested. Your search results showed that you searched for i8042 but I asked you to search for i8042prt.sys
     
  14. shaman420

    shaman420 Private E-2

    My apologies, I hadn't had coffee yet...

    Oddly enough, as I mentioned, I could remove the usb mouse for a while, then plug it in and get mouse very briefly, when I did it this last time, one of the mice is actually working!!! More than a few seconds!!

    The ps2 is not working still, nor is another usb.
    One mouse is actually working, I'm almost afraid to reboot in fear of losing the mouse..

    I have attached the correct logfile..

  15. shaman420

    shaman420 Private E-2

    So I rebooted. and removed all usb devices and ps2 mouse..
    When off, I inserted ps2 mouse..

    Upon reboot, no mouse again, I plugged in a usb mouse and the same 3 second behavior started again..
     
  16. shaman420

    shaman420 Private E-2

    All the mice I have work when booting to UBCD4WIN, so I know it's not a hardware problem...

    No mouse again....
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download and save the below to the C:\MGtools folder. Then select it and run it. It will run in less than 10 seconds.

    GetMsrv.bat

    Once it finishes, it will update the C:\MGlogs.zip file. Attach the updated log.
     
  18. shaman420

    shaman420 Private E-2

    Here you go, thank you yet again..

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Then reboot your PC.

    Then rerun the GetMsrv.bat file I had you download.

    Once it finishes, it will update the C:\MGlogs.zip file. Attach the updated log.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just found that the below is missing from your registry too


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDPSRV\0000\Control]
    "ActiveService"="SSDPSRV"


    But this will take some additional work to get permissions to import this. And I have to leave for work now.
     
  21. shaman420

    shaman420 Private E-2

    Well, I broke down and installed Win7..

    I really appreciate your help on this matter, but I felt it was time.

    Good news is everything runs better than ever before!

    Thank you so much again for your time..
    Aaron
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Sorry we could not help you get this fixed. This is a new type of problem that has just recently started occurring, and right now, there is no easy fix for them. In fact, there may be no fix other than reinstall as there could be too much damage to the registry and files to repair. This would just render the PC very unreliable.

    It seems the hacker's goal is to now destroy a user's PC when any attempt is made to remove the malware.
     
  23. shaman420

    shaman420 Private E-2

    I feel that we would have gotten it, but as you mentioned, would it be worth it. The PC may never run good with that installation.

    I'll be back, this forum is great..
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is one of my big concerns right now with these new infections. Even if we get the problems on the service resolved, there may be many instabilities due to other uncovered problems/damage that we could not see.
     
  25. shaman420

    shaman420 Private E-2

    Guess what.

    It looks like it can travel the network..
    I have it on another computer, same infection.

    I have mouse though. Is the fixserv.reg file you posted safe to run on a different PC, this one is also running XP (media center)?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It doesn't surprise me.

    Yes it should be okay on this PC but that may not be enough to fix your networking problems. We also had to fix IPsec first last time. You really would be better served starting a new thread for this second computer so that we can properly see what is going on. Applying registry patches without first removing any hiding malware, may be a waste of time.
     