Trojan DOS/Alureon.E and rootkit zeroAccess

Hi geeks

I am having some trouble with my Windows Vista machine since I wanted to properly defrag my harddrive and accidently shut down the anti-virus and firewall processes. My laptop defragged all night with no shields up...

My main problem (except for unusual long boot times) is a broken DHCP service. It returns "system error 1079" when started manually. I am able to cope with this by using static IP but I keep losing the Internet connection alltogether as soon as Windows Update installs and runs Microsoft Windows Malicious Software Removal Tool (KB890830). The Removal Tool tells me that it found and deleted DOS/Alureon.E.

I ran through all procedures of the READ & RUN ME FIRST Malware Removal Guide. I attach the five corresponding log files in this and the next post. ComboFix indicated a rootkit named zeroAccess.

I do not know how to proceed. From my feeling, the system is not clean yet. I have learned that DOS/Alureon.E may be removed by deleting a disk partition but I would like to have some confirmation first. BitDefender seems to have a zeroAccess removal tool. What do you suggest?

Regards
Daniel

 

Fifth amend... erm... attachment.

 

Hi and welcome to Major Geeks, dantown!

You are correct in your assumption,

This partition highlighted in red needs to be deleted:

Code:

Partition	Datenträger Nr. 0, [B][COLOR="Red"]Partition Nr. 3[/COLOR][/B]	
Partitionsgröße	[B][COLOR="Red"]1,33 MB[/COLOR][/B] (1.392.640 Bytes)	
Partitionstartoffset	320.071.532.544 Bytes

Bootable  Name                                Size          Type                     
FALSE     Datentr„ger Nr. 0, Partition Nr. 0  10737418240   Unknown                  
TRUE      Datentr„ger Nr. 0, Partition Nr. 1  305522673664  Installable File System  
FALSE     Datentr„ger Nr. 0, Partition Nr. 2  3806330880    Unknown                  
FALSE     Datentr„ger Nr. 0, [B][COLOR="Red"]Partition Nr. 3[/COLOR][/B]  [B][COLOR="Red"]1392640[/COLOR][/B]       Unknown                  
TRUE      Datentr„ger Nr. 2, Partition Nr. 0  8032092160    Unknown 

The BitDefender "MAXSS Removal Tool" has not yet proven to be effective at all. Another Malware Fighter gave it 2 or 3 tries and it failed each time to do the one primary function it was supposed to do, which is remove the hidden TDL4 partition.

We recommend using a boot CD like GParted to remove the hidden partition but first as a precaution I must ask that you make sure you back any data that you do not want to lose as sometimes there are complications on getting the system to boot to the correct partition again. I will help you resolve this, but just in case I am unsuccessful.

We also may require a bootable Windows Vista CD/DVD in order to restore a clean Master Boot Record (MBR) as well as use it repair any other problems we may come across.

First let's see what MBRCheck reports:

http://img707.imageshack.us/img707/6703/generalxpicon.gif Please download MBRCheck by clicking here and save it to your desktop.

• Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
• A window will open on your desktop.
• If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
• If nothing unusual is found just press Enter.
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
• Attach this file to your next message. (How to attach)

 

Thanks for assisting me, thisisu! When I described my issues I forgot to mention that I had already run MBRCheck, that is why I figured a problem with a rootkit in the first place. It found and finds an unknown MBR code (see attachment).

Regarding the Windows Vista CD/DVD, will a Vista Recovery Disk (on a USB stick) be enough? The laptop did not ship with an installation disk.

 

As long as you can get into the Recovery Console with the USB; it should be fine. We will need it to restore a clean Windows Vista MBR code after we delete the TDL partition.

• Have you tested it out to make sure you can boot from the flash drive?
• Have you backed up your data?

Let me know before we proceed.

 

I can boot into the Recovery Console and have made a backup.

By the way, I have got a Vista Recovery Partition (should be the 10 GB partition) including Recovery Console. Would that do the trick, too?

 

Just for clarification, you can boot up to the recovery console using the USB device? Make sure you aren't confusing it with the built in "Repair Windows" boot option that is on the your main hard drive.

 

Using the USB drive, yes :major

 

Preferably from a clean computer, I need you to download: gparted-live-0.11.0-7.iso (119.8 MB)

Create a bootable CD using this .iso file. You can use ImgBurn for instructions on how to create this CD.

Now boot off of the newly created Gparted CD.

http://img829.imageshack.us/img829/5772/gpartedsplash.th.png
You should be here...
Press ENTER
http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.
http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
Choose your language and press ENTER. English is default [33]
http://img140.imageshack.us/img140/7958/gpartedgui.th.png
Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below
http://img32.imageshack.us/img32/1122/gpartedo.th.png
According to your logs, the partition that you want to delete is 1.33 MiB (1.33 MB)
Click the trash can icon to delete and then click Apply.
You should now be here confirming your actions:
http://img233.imageshack.us/img233/1533/gpartedsteps.th.png
Now you should be here:
http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png
http://img194.imageshack.us/img194/7753/gpartedboot.th.png
Is "boot" next to your OS drive? According to your logs, the OS drive is the 284.54 GiB (284.54 GB) partition.

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags
In the menu that pops up, place a checkmark in boot like the picture below:
http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png
Now click Close to save these changes.
Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.
You should receive a small pop up like this:
http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
Choose reboot and then press OK.

Now reboot from your USB drive that has the Vista Recovery console on it.
Then type in the following commands, pressing ENTER after each one:

• bootrec /fixmbr
• bootrec /fixboot
• exit

Now reboot your PC.

Once back in Windows.

http://img707.imageshack.us/img707/6703/generalxpicon.gif Rescan with MBRCheck and attach its latest log. (How to attach)

 

I deleted the 1.33 meg partition. Then I entered the Vista Recovery Console and entered the commands you have given me. Strangely, only the LED of the USB drive flashed but not the hard drive light. As far as I can judge, the MBR has not been changed (see attached new MBRCheck log). Could it be that the bootrec programme tried to modify the USB MBR (if such a thing exists)?

 

http://img684.imageshack.us/img684/6489/aswmbr.gif Please download aswMBR by gmer to your desktop.

• Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
• Select No when asked "Would you like to download latest Avast! virus definitions?"
• Click the [Scan] button.
• On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

 

There you go.

 

http://img684.imageshack.us/img684/6489/aswmbr.gif Reopen aswMBR and press the [FixMBR] button.

• Reboot
• Rescan with aswMBR by pressing the [Scan] button. Attach this newer log. (How to attach)

http://img707.imageshack.us/img707/6703/generalxpicon.gif Reopen MBRCheck and rescan with this as well and attach the newest log. (How to attach)

 

Thanks for hanging in there, thisisu! Another "unknown MBR code"

 

Let's move on I think your MBR issues are resolved:

Code:

aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-29 01:56:41
01:59:21.403    Disk 0 MBR read successfully
01:59:21.418    Disk 0 MBR scan
01:59:21.418    Disk 0 [B][COLOR="DarkGreen"]Windows VISTA default MBR code[/COLOR][/B]

The SHA1 code was changed in MBRCheck too:

Code:

      Size  Device Name          MBR Status
  --------------------------------------------
    298 GB  \\.\PhysicalDrive0   Unknown MBR code
            SHA1: 2EC369C37C7F79F0CBA18E64243AD0066D1AE535


      Size  Device Name          MBR Status
  --------------------------------------------
    298 GB  \\.\PhysicalDrive0   Unknown MBR code
            SHA1: 4447E7A9BED536DB138A7374173EF45AD83CB223

MBRCheck probably just reports Unknown due to the partition table Acer has setup.

_____________________________________________

Code:

DAEMON Tools Lite

http://img17.imageshack.us/img17/8313/rkill.gif Go back to Step #6 of the READ and RUN ME first and complete step #6 involving running DeFogger.exe
Attach the defogger_disable.log file when finished. (How to attach)

_____________________________________________

http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:

• Java(TM) 6 Update 30

http://img825.imageshack.us/img825/2648/hjt.gif Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O9 - Extra button: (no name) - AutorunsDisabled - (no file)

After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]ClearJavaCache::[/COLOR]
[COLOR="DarkRed"]File::[/COLOR]
C:\CTX.DAT
C:\Windows\System32\~.tmp
[COLOR="DarkRed"]FileLook::[/COLOR]
c:\windows\system32\drivers\tdx.sys
[COLOR="DarkRed"]Folder::[/COLOR]
c:\windows\$NtUninstallKB272$
[COLOR="DarkRed"]RegLock::[/COLOR]
[HKEY_USERS\S-1-5-21-74614809-430696936-3556563364-1000\Software\SecuROM\License information*]
"datasecu"=hex:52,89,37,67,ed,d8,46,e6,80,aa,00,65,d7,e9,08,22,41,78,2f,b7,0d,
   9d,9d,7c,4f,f8,e4,c4,f3,8f,0e,4d,29,1e,12,32,3a,ce,2b,2b,65,2d,87,7c,6f,14,\
"rkeysecu"=hex:46,d2,f9,10,55,60,61,e7,e9,96,23,ad,ad,47,5d,5f
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[COLOR="DarkRed"]Registry::[/COLOR]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{98647924-7539-4D4D-8BEB-B8865B39B6F2}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}]

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

___________________________________________________________

========WARNING========
The below is specifically for dantown's computer
Do NOT run the below if you are not dantown
Doing so may damage your PC!
========WARNING========

Attached is tdx.zip

Inside is:

• tdx.reg
• fixme+restart.bat

Extract both files to the infected computer's desktop.

First double-click tdx.reg and allow it to merge into the registry. You should receive a successful message.

Now reboot your PC.

Once you have rebooted...

Test your internet, If it still is not working, run the fixme+restart.bat file by double-clicking it.
Your PC will reboot again. Once you are back in Windows, test your internet again.

If it still does not work, attach the fixme_results.txt file the .bat file created.

http://img195.imageshack.us/img195/9049/javaz.gif Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

Good news that the MBR is fixed now! Internet continues to be working in general but only with a static IP. One or more of the programmes you had me starting seemed to have reset those settings. DHCP is still broken though (system error 1097), even after fixme+restart.bat.

A general question: Isn't it dangerous to disable protective software (antivirus and firewall in my case) while anti-malware programmes are running? I considered turning off wi-fi but some of the anti-malware software apparently needs an Internet connection to update when necessary.

 

You did not attach fixme_results.txt.

No. Antivirus and Firewalls are supposed to be preventative measures from you getting infected in the first place. We ask that you disable Antivirus/Firewall so there are not any complications with them preventing you running Anti-malware tools.

 

Sure, but couldn't new malware get on the system while the old one is being taken care of?

fixme_results.txt is attached.

 

http://img805.imageshack.us/img805/9659/rktigzy.gif Please download RogueKiller by Tigzy to your desktop.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the number "1" and press ENTER.
When it is finished -- Notepad will open with the report and the log is saved to your desktop.
Attach RKreport[1].txt to your next message. (How to attach)
You can now type the number "0" and press ENTER to exit RogueKiller.

The possibilities are slim if you are not doing on the PC to reinfect yourself.

http://img97.imageshack.us/img97/8120/fss.gif Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please attach FSS.txt to your next message. (How to attach)

 

Next set of logs...

 

http://img805.imageshack.us/img805/9659/rktigzy.gif Open RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the number "2" and press ENTER.
When it is finished -- Notepad will open with the report and the log is saved to your desktop.
Attach RKreport[2].txt to your next message. (How to attach)
You can now type the number "0" and press ENTER to exit RogueKiller.

http://img406.imageshack.us/img406/3189/windowsrepair.gif Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to Start Repairs tab.
• Choose "Custom Mode" and press "Start".
• Create a System Restore point if prompted.
• In the Custom Mode window, select the following repair options:
  • Reset Registry Permissions
  • Register System Files
  • Repair WMI
  • Repair Internet Explorer
  • Repair Hosts File
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
  • Set Windows Services To Default Startup
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• If asked to reboot the computer for the changes to take affect, make sure other tasks in the program are not still running before accepting to restart.

http://img843.imageshack.us/img843/5891/erunt.gif Backup Your Registry with ERUNT

• Please download Erunt
• Run the setup program to install ERUNT on your computer

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

http://img35.imageshack.us/img35/1911/miniregtool.gif Please download MiniRegTool.zip and unzip it.

• Run the tool.
• Copy and paste the following into the edit box:
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP\0000
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dhcp
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dhcp\Configurations
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dhcp\Linkage
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dhcp\Parameters
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dhcp\Parametersv6
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dhcp\Security

• Check List Permissions radio button.
• Press Go button and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.

 

Done. thisisu, I am about to leave for a week of skiing. I will reply to your answer as soon as I will be back.

 

I'm learning German too by reading your logs. :-D I'm guessing "EIGENTÜMERRECHTE" means "Everyone"?

Enjoy your ski trip

________________________________

Whenever you get back here is what I would like you to try:

http://img843.imageshack.us/img843/5891/erunt.gif Backup Your Registry with ERUNT
Create a new backup by using ERUNT that you installed earlier.

Attached is a .zip file (dhcp.zip) with a registry (.reg) file inside the archive.

• dhcp.reg

Extract dhcp.reg to your desktop.

Merge dhcp.reg by right-mouse clicking it once and selecting "Merge".
Let me know if you received a successful message or not.

________________________________

• If you received a successful message, reboot your PC and test your internet.
• If you did not receive a successful message, do not reboot yet. Just let me know that it was unsuccessful.

 

I just happen to be at the keys one last time. I had thought about the German in the logs, too, but it didn't seem to bother you until now "EIGENTÜMERRECHTE" means "owner's rights"; "everyone" would be "jeder".

When merging dhcp.reg with the registry, not all data could be entered because some keys were in use. However, I tried to start DHCP, which succeeded for the first time since long.

 

http://img600.imageshack.us/img600/2693/mgtools.gif Now download the latest MGtools.exe to the root of your c: drive.

• Replace your existing MGtools.exe with this one.
• Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
• When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

 

After you complete the above, then do the following:

• Press and hold the http://img849.imageshack.us/img849/4325/windowkey.gif Windows key on your keyboard, then press the letter r on your keyboard.
• This opens the Run dialog box.
• Then copy the below command and paste it into the Open: text-field and then press ENTER.

swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /E /GE:F

• A DOS prompt window should have flashed quickly. If it did, then copy this command too and paste it into the Open: text-field and then press ENTER.

swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Services\Dhcp" /E /GE:F

• A DOS prompt window should have flashed quickly again.
• If it did, please reattempt to merge dhcp.reg into the registry.
• Let me know if you received an error message this time.
  
• If you did not receive an error message. Reboot your PC and test out the internet.

 

I'm back from skiing, thisisu. A day earlier, in fact, as today most of runs were closed due to a storm. It's been a fine holiday though!

On the DHCP front, the hints you gave unfortunately did not succeed. After executing both of the DOS commands as instructed, dhcp.reg again could not be registed.

I executed the new MGtools and attached the logs.

 

Hi and welcome back

Your logs are showing that there is full internet connectivity now. You are able to ping google.com as well as browse it via http. Have you tested out the internet? Let me know before we proceed.

Also let me know what other problems you are still experiencing.

 

Just reviewed the logs more thoroughly and yes everything from dhcp.reg is now in your latest MGlogs.zip. Despite the error you received, it's all there heh

Plus the aforementioned being able to ping and http google.com successfully.

 

You're right, thisisu. Internet is back now using DHCP. I had to reboot though. Thank you very much!

Speaking of rebooting, the boot process is still very slow (about five minutes). The system seems to halt with the task bar clock not moving. Is there a utility to analyse this? I ran Windows Performance Tools some time ago but they did not really help.

Would you recommand any other firewall than the Windows one? I know it's not very sophisticated but it seems not to grab too much resources and is easy to configure.

 

You're welcome

Well we know it's not anything malware related at this point. Your latest logs are clean. Most likely it's due to too many applications starting up on boot. For that you can use Autoruns. Just be careful on what you are removing from startup. Some of those items you may want to start automatically. It's more of a personal preference so I leave that choice up to you. Also keep in mind that you have Windows Vista, probably the worst Windows OS to date IMO.

That's how I feel too. I have never had any problems with the Windows Firewall. I have tried Zone Alarm Free firewall and found that it was more frustrating than anything with it constantly popping up alerts, asking permission if I wanted to open applications I already marked as trusted. Tried it twice, uninstalled it rather quickly twice.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Take care and be safe!

 

OK, I completed the final steps. Thanks again for your help, patience and persistence. You and the other malware fighters at MajorGeeks are doing a great job!

 

You're welcome! and thank you!

 

I'm back :-( Sorry to bother you again, thisisu. I recently discovered that Windows Update doesn't work any more: error 80096001. I tried to remedy this myself, using tips and tools available on the Internet.

Do you think you can help me here? I have read other threads where you tried to help but it seems that you didn't succeed. Although I am sure that my system is now malware-free (thanks to you!), the Windows Update corruption obviously is a typical effect of malware.

 

Hi,

Let's scan with the below settings:

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  C:\Windows\SoftwareDistribution\* /s
  C:\Windows\SoftwareDistribution\* /lockedfiles
  C:\Windows\System32\catroot2\* /s
  C:\Windows\System32\catroot2\* /lockedfiles
  C:\Windows\System32\catroot\* /s
  C:\Windows\System32\catroot\* /lockedfiles
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• Two reports will be created:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
• Attach both OTL.txt and Extras.txt to your next message. (How to attach)

 

OK, the files come zipped.

 

Not much to see here. Was hoping we would find something malicious in those folders.

C:\Windows\System32\catroot2\dberr.txt

Can you attach this file to your next message?

 

It seems that Tweaking.com's Windows Repair tool has been updated to solve this (a big congrats to them if so!). I have not seen this exact aftermath of a ZeroAccess infection first hand but here is what I read.

Let's test this theory and let me know if it works for you as well:

http://img406.imageshack.us/img406/3189/windowsrepair.gif Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to Start Repairs tab.
• Choose "Custom Mode" and press "Start".
• Create a System Restore point if prompted.
• In the Custom Mode window, select the following repair options:
  • Repair MDAC/MS Jet
  • Repair Windows Updates
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• If asked to reboot the computer for the changes to take affect, make sure other tasks in the program are not still running before accepting to restart.

 

I tried Windows Repair with the settings you suggested but it didn't work out.

Unfortunately, all of a sudden the Internet was gone again although DHCP service was running. I'm not sure whether it was Windows Repair or a driver update I ran via Slim Drivers (recommended by MajorGeeks). I tried to roll back with System Restore (to a point after malware removal) but to no avail. Static IP worked though.

Anyway, I was really unnerved and went to the store to buy Windows 7. I installed it over the weekend and I got the major applications installed, too - hell of work however...

It's a pity that we could remove the malware but not its effects. Thanks again for your support though!

 

You're welcome Surf safely!