Still not willing to give up....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MtlWeb39, Mar 8, 2012.

  1. MtlWeb39

    MtlWeb39 Private E-2

    Hi everyone
    I have a Lenovo laptop with Vista OS; have received tons of friendly help on another forum/site but after seemingly clearing the rootkit issue, it has left me unable to access the internet.
    Have used
    1. SAS scan,
    2. Malwarebytes,
    3. DDT,
    4. OTL,
    5. multiple attempts with Combofix including changing its name but tells me it finds rootkit and to close/reboot
    6. aswMBR
    7. MBRcheck
    8. using System Recovery Options Window, bootrec/fixmbr
      combofix again but message 'failed to get data for Enable LUA'
      Avenger
      TDSSKiller
      Avenger again
      Combofix finally rerun and file created
      ESET online scan - never done as no connection to scan
      MiniToolbox
      Farbar SS
      SystemLook:


      Also do not have basic Vista disk.

      The above is over all of February; I'll take any help as laptop seems fine but cannot access internet
     

    Attached Files:

    Last edited by a moderator: Mar 9, 2012
  2. thisisu

    thisisu Malware Consultant

    Hello MtlWeb39,

    I have attached fix.zip.
    • Inside is fix.bat
    • Extract fix.bat to the desktop with the internet issue.
    • Now right-mouse click fix.bat and select "Run as Administrator".
    • Notepad should appear and say 1 files(s) copied.
    • Now reboot your PC and test for internet connectivity.

    __

    If the internet is still not working, please follow these instructions for obtaining a MGlogs.zip. -> Using MGtools
     

    Attached Files:

    • fix.zip
    Last edited: Mar 9, 2012
  3. MtlWeb39

    MtlWeb39 Private E-2

    Tried fixzip with no change.

    In order to bring in MGlogs to the infected laptop, I need to transfer using a USB; of course, downloading from work PC does not allow me to save onto USB but instead chooses to tell me it's a risky program and forces me to run it instead of saving it onto the stick.
     
  4. MtlWeb39

    MtlWeb39 Private E-2

    Had already saved it on USB.
    Ran MGlogs with no fighting from laptop.
    Attached is the zip file created.

    Thanks for the help!!
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Delete your old copy of ComboFix.exe
    Download a new one from here and transfer it to the desktop of the PC with the issue.

    __

    Fixing items using ComboFix
    If ComboFix.exe is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DirLook::
    C:\blackpudding.bat
    C:\blackpudding.bat32004b
    C:\blackpudding.bat10272b
    C:\blackpudding.bat26814b
    Domains::
    File::
    C:\Users\Costa\AppData\Local\34063eb8
    C:\Users\Costa\AppData\Roaming\c81f1e27
    C:\Users\Costa\AppData\Roaming\Microsoft\Windows\Templates\a6e832ee
    C:\ProgramData\0lIk14t3.exe.b
    C:\ProgramData\0lIk14t3.exe.d
    C:\ProgramData\0lIk14t3.exe_.b
    C:\ProgramData\22cd857d
    C:\ProgramData\t276GN0w4.dat
    C:\Program Files\Internet Explorer\959f83a9
    Folder::
    C:\Windows\$NtUninstallKB26827$
    C:\Users\Costa\AppData\Roaming\0A1FD
    C:\Users\Costa\AppData\Roaming\9EB0A
    C:\Users\Costa\AppData\Roaming\Bavu
    C:\Users\Costa\AppData\Roaming\Xiypyc
    C:\Program Files\0A1FD
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
    "services"=dword:00000000
    "startup"=dword:00000000
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    Suspect::
    C:\Users\Costa\Documents\blackpudding.bat.exe
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure all the options are checked
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool was run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  6. MtlWeb39

    MtlWeb39 Private E-2

    Hi Thisisu

    Combofix
    Did exactly as you said below; pasted the CFscript onto combofix and it ran but stopped at same point as previous...with a pop-up saying the 'combofix has detected rootkit activity and needs to close'. I left it alone to not interfere and this morning still stuck at same page; not sure if sleep on laptop screws things up but changed sleep settings to never this AM. Therefore I x'ed the popup and the laptop rebooted; can't find the txt result (even though I found one from March 9).
    Update: did a search for the txt and found an older combofix within c drive; have deleted it and am retrying your method as we speak.

    MGTools
    Typed it in 'run' (hope this is correct way); it starts but then asks for registry editor permission which I give it but keeps on asking it over and over; I see some comments within the tool box but it closes once I deny permission (after 15 OKs)

    FarBar
    I have attached below.

    Update
    New attempt at Combofix seems to be stuck at same pop-up as one mentioned above from yesterday evening (ComboFix has detected the presence of rootkit activity and needs to reboot the machine).

    Questions
    1. Are there files created by combofix anyway even if it does not complete its 'fix'; where would they be if applicable?
    2. Are there settings that I should change to allow MGTools to do what it wants? If yes, where do I find them?
    3. Have heard of so many similar rootkit trojan issues with people here at work; seems like an epidemic.
    Glad to have you guys on the good side and thanks.
     

    Attached Files:

    • FSS.txt
  7. thisisu

    thisisu Malware Consultant

    When ComboFix notifies you about this, press OK in the dialog box to continue.

    In general, just keep pressing OK to the notifications sent by ComboFix.

    Retry the ComboFix steps.
     
  8. MtlWeb39

    MtlWeb39 Private E-2

    Deleted old Combofix; resent one to desktop. Ran it and pressed OK at same pop-up as described previously.
    Not sure where to find log in c-drive.
    Am presently running MGTools
     
  9. thisisu

    thisisu Malware Consultant

    It will be at the root of C: ( C:\ComboFix.txt ).
    However, once you run MGtools, it will automatically get zipped up with the rest of logs (if it is present).
     
  10. MtlWeb39

    MtlWeb39 Private E-2

    Attached Farbar and MG below.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    The file I need you to attach is C:\MGlogs.zip

    It's an archive with a bunch of logs in it.
     
  12. MtlWeb39

    MtlWeb39 Private E-2

    Found it and attached below.
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Explain to me what happened while you attempted to run ComboFix. The more details the better.
     
  14. MtlWeb39

    MtlWeb39 Private E-2

    Combofix opens up after giving it permission to run.
    extracts....files in box
    Then tells me that it needs to 'create a new system restore point' as well as 'unable to find LVA or LUA'

    then

    Blue screen box 'scanning for infected files...typically takes more than 10 minutes
    However scan times for badly infected machines may easily double


    lasts 2 minutes then

    Popup box
    You are infected with Rootkit.Zeroaccess!It has inserted itself..................
    stays on for ~2 minutes

    then

    Next box pops up; 'Rootkit is detected. Be patient as this may take some moments' this one stays for 2 minutes

    then

    Next box 'combofix has detected the presence of rootkit activity and needs to reboot the machine' This is the box that stays as is for more than a day unless I 'OK' it.

    Once I OK it it does shut down and reopen back to my password windows screen; accepts my password and all seems OK except I cannot access internet
     
  15. thisisu

    thisisu Malware Consultant

    I'd like you to rerun the CFScript I outlined earlier for you

    When you get to here:

    Login like before, ComboFix should appear again with the blue window.
    Be patient as the tool prepares a log for you.
    Then attach the log. It should be at C:\ComboFix.txt

    This most likely isn't going to restore your internet but this log is fairly important at this stage.
     
  16. MtlWeb39

    MtlWeb39 Private E-2

    Tried again and left it on overnight to see if combofix screen returned/left txt. Have tried a search and other than the execute file, I find
    resident.txt
    pend.txt
    OsId.txt ...these 3 were created when I ran the combofix.

    Cannot find the combofix one.
     
  17. thisisu

    thisisu Malware Consultant

    I'm not sure why you are having difficulty running ComboFix now when you were able to run it multiple times in your other thread.

    I would like to finish off removing the malware from your PC before we continue working on repairing your internet connection, so complete the below :)

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :processes
    killallprocesses
    :files
    rd /s/q C:\Windows\$NtUninstallKB26827$ /c
    dir C:\blackpudding.bat /c
    dir C:\blackpudding.bat32004b /c
    dir C:\blackpudding.bat10272b /c
    dir C:\blackpudding.bat26814b /c
    C:\Users\Costa\AppData\Local\34063eb8
    C:\Users\Costa\AppData\Roaming\c81f1e27
    C:\Users\Costa\AppData\Roaming\Microsoft\Windows\Templates\a6e832ee
    C:\ProgramData\0lIk14t3.exe.b
    C:\ProgramData\0lIk14t3.exe.d
    C:\ProgramData\0lIk14t3.exe_.b
    C:\ProgramData\22cd857d
    C:\ProgramData\t276GN0w4.dat
    C:\Program Files\Internet Explorer\959f83a9
    C:\Program Files\0A1FD
    C:\Users\Costa\AppData\Roaming\0A1FD
    C:\Users\Costa\AppData\Roaming\9EB0A
    C:\Users\Costa\AppData\Roaming\Bavu
    C:\Users\Costa\AppData\Roaming\Xiypyc
    xcacls.exe C:\Windows\$NtUninstallKB26827$ /p Administrators:f SYSTEM:f /y /c
    fsutil reparsepoint delete C:\Windows\$NtUninstallKB26827$ /c
    rd /s/q C:\Windows\$NtUninstallKB26827$ /c
    ipconfig /flushdns /c
    netsh int ip reset resetlog.txt /c
    netsh winsock reset /c
    type c:\combofix.txt /c
    type c:\log.txt /c
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
    "services"=dword:00000000
    "startup"=dword:00000000
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    :commands
    [emptyjava]
    [emptyflash]
    [resethosts]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  18. MtlWeb39

    MtlWeb39 Private E-2

    Thanks thisisu for all the help.
    Attached are the 2 files below.

    Am actually using laptop for kids games instead of internet for now; bonus, less gigs being used on account!!
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    These look a lot better.

    Uninstall these two programs:

    • Browser Defender 3.0
    • Conduit Engine

    I want you to read and follow these instructions (UPDATED): TDSSKiller - How to run


    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Now open this folder: c:\MGtools
    Find the following file: FixWFW.bat
    Right mouse click it, and select "Run as administrator"
    Now reboot your PC.

    After rebooting...

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Mar 27, 2012
  20. MtlWeb39

    MtlWeb39 Private E-2

    Removed Conduit Engine
    Tried removing Browser defender but could not; had this popup: cannot import dll:c:\ProgramFiles\PCToolsSecurity\\BDT\DRM\SDDRMHelper.dll.

    TDSSKiller completed; log attached below
    Windows repair done; rebooted.
    Fix.bat done (very quick?)
    NewMGlogszip attached.

    What should I do for defender?
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    Please download and update TDSSKiller just as the guide on How to run TDSSKiller suggests.
    Latest version is 2.7.23.0
    Run another scan and attach the latest one.

    Do not worry about this.
     
  22. MtlWeb39

    MtlWeb39 Private E-2

    Sorry about that; attached the wrong file.

    Here is the latest scan.
     

    Attached Files:

  23. thisisu

    thisisu Malware Consultant

    Please download RestoreBFE.exe
    Double click on the downloaded file. It should only take a few seconds to run.
    When complete, it will say .. "Done! Please check if BFE service is running now"

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  24. MtlWeb39

    MtlWeb39 Private E-2

    Both tasks completed; attached is MG file.
     

    Attached Files:

  25. thisisu

    thisisu Malware Consultant

    We're getting there. Make sure you have your ethernet cable plugged in. Some of your logs are suggesting it is not plugged in.

    Open Notepad and copy everything in the code box below into it.
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC]
    "NextInstance"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC\0000]
    "Service"="MpsSvc"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"
    • File -> Save As -> Save as type: "All Files" -> File Name: fixme.reg > Save.
    Now merge this into the registry by double-clicking it.
    Let me know if the merge was successful or not.
     
  26. MtlWeb39

    MtlWeb39 Private E-2

    Hi Thisisu
    Was away from home til tomorrow; will try in evening once I am back
     
  27. MtlWeb39

    MtlWeb39 Private E-2

    Saved it onto desktop
    Popup appears 'Registry editor'

    Cannot import C:\Users\Costa\Desktop\fixme.reg: Error accessing the registry.

    Tried via doubleclicking as well as right click and merge but both attempts results in the above message.
     
  28. MtlWeb39

    MtlWeb39 Private E-2

    UPDATEUPDATEUPDATE

    For the first time in 3 months, the laptop has accessed internet.
    Thanks Thanks Thanks a ton.

    What programs should I have running for protection? Malware? etc.

    Would love to tell you Go Astros Go but I have a feeling they're going to have a year like our Mtl Canadiens.
     
  29. thisisu

    thisisu Malware Consultant

    That's great news :)
    Did the registry fix finally merge?

    __

    I will be able to answer your concerns later this evening.
     
  30. MtlWeb39

    MtlWeb39 Private E-2

    Tried three more times and always failed.
    Decided to protect the laptop and did
    1. Set-up Avast as antivirus
    2. Cleaned out files with TFC.
    3. Uninstalled combofix.
    4. Tried to update Windows but failed for 4 updates due to error 80096001 (googled this and found that one should not be online as laptop may be compromised) if this error appears
    5. Installed WOT.
    6. Spyware blaster from major Geeks
    7. Spybot immunization and update and scan

    Should the Windows Update issue-code be a concern?
     
  31. thisisu

    thisisu Malware Consultant

    Yes the Windows Update issue was caused by the ZeroAccess rootkit you had.

    First, don't install (or remove) anything else on the computer, and then attach an updated MGlogs.zip for me to review.
     
    Last edited: Apr 4, 2012
  32. MtlWeb39

    MtlWeb39 Private E-2

    Have left everything as posted last night
    Here is the log
     

    Attached Files:

  33. thisisu

    thisisu Malware Consultant

    Follow these instructions:
    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
      • swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /E /GE:F
    • Now press ENTER
    • A black Command Prompt window should have opened and closed quickly.

    Open Notepad and copy everything in the code box below into it.
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC]
    "NextInstance"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC\0000]
    "Service"="MpsSvc"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"
    • File -> Save As -> Save as type: "All Files" -> File Name: fixme2.reg > Save.
    Now merge this into the registry by double-clicking it.
    Let me know if the merge was successful or not.
     
  34. MtlWeb39

    MtlWeb39 Private E-2

    Same as previous
    error accessing the registry; cannot import

    I am double-clicking and then following the prompt.
     
  35. thisisu

    thisisu Malware Consultant

    Try this:

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :processes
    killallprocesses
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC]
    "NextInstance"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC\0000]
    "Service"="MpsSvc"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
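
The registry blocks posted in this thread (the Registry:: and :reg sections and fixme.reg) all use .reg syntax, where `[-key]` deletes a key and `[key]` creates or opens one. The following is an added example, not code from the thread or from any of the tools it uses: a small Python auditor that lists what such a block would do before it is merged. The function names and the sample (assembled from lines in the thread) are assumptions of this example, and multi-line hex(...) data is not handled.

```python
import re

# Constructed sample: lines taken from the thread's Registry:: section and fixme.reg.
SAMPLE = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"services"=dword:00000000
"startup"=dword:00000000
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC\0000]
"Service"="MpsSvc"
"Legacy"=dword:00000001
"DeviceDesc"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                  # [key] or [-key]
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')  # "name"=data or @=data
# By default only SYSTEM may write under Enum, so a merge by an administrator is refused.
SYSTEM_ONLY = 'hkey_local_machine\\system\\currentcontrolset\\enum\\'


def unescape(s):
    """Undo .reg string escaping (backslash before a backslash or a quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_data(raw):
    if raw == '-':
        return 'delete-value', None
    if raw.lower().startswith('dword:'):
        return 'dword', int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return 'string', unescape(raw[1:-1])
    return 'other', raw   # hex(...) data is kept verbatim


def parse_reg(text):
    """Return the ordered list of operations a .reg-style block would perform."""
    ops, key = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] == ';' or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            deleting, name = bool(m.group(1)), m.group(2)
            ops.append({'op': 'delete-key' if deleting else 'open-key',
                        'key': name, 'line': lineno})
            key = None if deleting else name   # no values can follow a deleted key
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f'line {lineno}: cannot parse {line!r}')
        kind, data = parse_data(m.group(2))
        vname = '(Default)' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
        ops.append({'op': 'delete-value' if kind == 'delete-value' else 'set-value',
                    'key': key, 'name': vname, 'type': kind, 'data': data, 'line': lineno})
    return ops


def audit(ops):
    """Summarise the operations a reviewer should look at before merging."""
    findings = []
    for i, op in enumerate(ops):
        nxt = ops[i + 1] if i + 1 < len(ops) else None
        if op['op'] == 'delete-key':
            recreated = (nxt and nxt['op'] == 'open-key'
                         and nxt['key'].lower() == op['key'].lower())
            findings.append(('reset' if recreated else 'delete', op['key']))
        elif op['op'] == 'open-key' and op['key'].lower().startswith(SYSTEM_ONLY):
            findings.append(('system-only', op['key']))
    return findings


if __name__ == '__main__':
    for kind, key in audit(parse_reg(SAMPLE)):
        print(f'{kind:12} {key}')
```

A `reset` finding is a delete immediately followed by re-creation of the same key, which empties it; a `system-only` finding marks a key whose import fails with "Error accessing the registry" unless permissions are changed or the write runs as SYSTEM.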
     
