Cannot do much on my computer - 0x80070005

Please see the instructions in the below link:

Fixing Google Redirection/hijacking and other redirection problems

If you are still having problems after getting down to step 5, make sure that you continue on and run the READ & RUN ME and attach the logs.

Many times Error 0x80070005 may not be related to malware.

 

You need to finish the rest of what is in step 5 then.

Your TDSSkiller log shows that you have a ZeroAccess infection.

 

Everything? You tried every single program including ComboFix and MGtools?

How did you get GooRed, TDSSkiller and MBRCheck to run?

 

If you are still having a problem getting started, try the below.


Please download DummyCreator.zip by farbar and unzip it to your Desktop

• Run the DummyCreator.exe file by right clicking on it and selecting Run As Administrator.
• Copy and paste the following into the edit box:
  
  C:\Windows\880465167
• Press Create button and post the result here.

Important: Restart the computer immediately and then try continuing with the instructions from the READ & RUN ME FIRST.

 

You appear to be trying to run DummyCreator.exe from inside of the ZIP file. You need to extract it from the ZIP file first and then run it.

We don't need you to run the same scans you already attach logs from. You need to first run DummyCreator properly and then immediately reboot. Then you need to run the READ & RUN ME FIRST

READ & RUN ME FIRST. Malware Removal Guide

 

You need to finish the READ & RUN ME and attach the logs from RootRepeal and MGtools

 

Have you run DummyCreator.exe properly now from outside of the ZIP file?

Did you run MGtools.exe? Did you notice any errors? The log is located the root folder of your boot drive. Thus it will be C:\MGlogs.zip and I see it in your ComboFix log so it is there.

 

Make sure that you shutdown Microsoft Security Essentials before running the below.
Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You have some left overs from Avast. Not sure if this is causing a problem but it needs to be cleaned up. Your problem could be related to MSE itself or an issue with file system or registry permissions. Please uninstall MSE right now while I look at your logs. DO NOT reinstall it or anything else at this time. Wait for my next post and only do what is requested.

 

If you have uninstalled MSE, then do the below.

Run this >> Resetting Registry and File Permissions

and make sure you reboot. After reboot, tell me if the above ran okay. Still do not install any protection software. I will give you the next steps after you report back

 

Okay run the Resetting Registry and File Permissions procedure and then reboot.

See if you can uninstall after the reboot. Let me know when finished.

 

Please run the following:

• please download GrantPerms.zip and save it to your desktop.
• Unzip the file and run GrantPerms.exe
• Copy and paste the following into the edit box of GrantPerms:

Code:

C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client 
c:\documents and settings\All Users\Application Data\abno.exe
c:\documents and settings\All Users\Application Data\eyli.exe
c:\documents and settings\All Users\Application Data\gjew.exe
c:\documents and settings\All Users\Application Data\hkyk.exe
c:\documents and settings\All Users\Application Data\x4b53ld614gvls8yk373n4653qf420356ed4o7r6
c:\documents and settings\Home\Local Settings\Application Data\llwa.exe
c:\documents and settings\Home\Local Settings\Application Data\lomd.exe
c:\documents and settings\Home\Local Settings\Application Data\x4b53ld614gvls8yk373n4653qf420356ed4o7r6
c:\documents and settings\Home\Local Settings\Application Data\ygag.exe
c:\documents and settings\Home\Local Settings\Application Data\yjyg.exe
c:\documents and settings\Home\Templates\4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27
c:\documents and settings\Home\Templates\x4b53ld614gvls8yk373n4653qf420356ed4o7r6

• Now Click Unlock.
• When it is done click "OK".
• Now click List Permissions and attach the which is the Perms.txt file that pops up.
• A copy of Perms.txt will be saved in the same directory from where the tool is run.

Now shutdown MSE if it is running. Then do the below>






Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.


Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )





Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Hmmmm! You had them saved in folders which were not really named properly. They were just called New Folder (2). Previously I had ComboFIx check to see if anything was in these folders and it did not show anything in them. It just showed the below

Code:

.
---- Directory of c:\documents and settings\Home\Desktop\New Folder (2) ----
.
.
---- Directory of c:\documents and settings\Home\Desktop\New Folder (3) ----
.
.
---- Directory of c:\documents and settings\Home\Desktop\New Folder ----

So I thought they were just empty folders and deleted them. Let's see if we can restore them. ComboFix normally puts everything into its Quarantine folder called C:\QooBox but I don't see them listed there.




Now let's see if ComboFix can hopefully DeQuarantine the pictures

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named C:\DeQuarantine_log.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• C:\DeQuarantine_log.txt
• C:\MGlogs.zip

Also attach the perms.txt log from previously running GrantPerms

 

Did your pictures come back.


You need to attach the log from running GrantPerms. Not the GrantPerms program that we asked you to download.

 

Damn! I'm so sorry to hear this. I'm not sure why ComboFix would have shown those folders to be empty to begin with. And I also don't understand why it would not have moved items being deleted to the Quarantine folder it creates ( the C:\Qoobox folder ) so that they could be restored. Were these really just backups and do you have copies stored somewhere as implied by folder names?

We could try using the below program to see if they can be recovered:

Recuva Portable


You still have malware problems but right now I'm more concerned about your pictures than doing anything about malware recovery which also make it more difficult to possibly recover your pictures.

 

Hello there, Chaslang is bust at the moment, so I just wanted to ask you, considering your last positive response, is there anything else you need help with? Are you ready to follow final steps?

 

If you wish to further discuss the camera dump, this can be done in the software forum. Thanks. (Sorry, I meant positive as in NO MALWARE. )

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required (If we renamed it please rename it back to Combofix.exe.
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Sorry for the delay. I have had some family emergencies to take care of.

You can just ignore this.

However I think you may have been given final instructions to soon. We are probably not finished yet. Do the below files still exist?

Code:

 
"C:\Documents and Settings\Home\Local Settings\Application Data\"
llwa.exe      Sep 29 2011           0  "llwa.exe"
lomd.exe      Sep 29 2011           0  "lomd.exe"
ygag.exe      Sep 29 2011           0  "ygag.exe"
yjyg.exe      Sep 29 2011           0  "yjyg.exe"

"C:\Documents and Settings\All Users\Application Data\"
abno.exe      Sep 29 2011           0  "abno.exe"
eyli.exe      Sep 29 2011           0  "eyli.exe"
gjew.exe      Sep 29 2011           0  "gjew.exe"
hkyk.exe      Sep 29 2011           0  "hkyk.exe"

"C:\Documents and Settings\Home\Templates\"
4jt08j~1      Aug  4 2011       17616  "4jt08j3453lv6eerv3ryh58wlpwkbx274umkyc5s2batk27"
x4b53l~1      Aug 10 2011       17498  "x4b53ld614gvls8yk373n4653qf420356ed4o7r6"
 

Can you remove these yourself if they still exist?

Looks like there are either residual permissions issues, or some active malware somewhere.

 

Excellent!

You're welcome.

 

This could be due to residual damage to your copy of Windows from the malware or for other reasons. It did seem that your PC had some serious issues with permissions on files, folder, and registry keys which can happen from the type of infection that you had. We can attempt to continue to see if we can find anymore hiding malware, and also see if we can repair any remaining permissions issues ( which can be quite difficult to find and perform sometimes ).

However before we go any further, I highly suggest that you first backup important personal data so we can avoid anymore possible data loss. Also this is a good idea anyway since the kind of damage your PC may have suffered may ultimately lead to a clean reinstall in order to resolve the instabilities.

If you wish to continue, and if you have backed up important data, continue with the below.

• Run this: Resetting Registry and File Permissions
• After resetting from the above, run this: Using ESET's Online Scanner
• Now run this: GMER - running with a random name

• Now please save Win32kDiag file to your desktop.
• Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log

"%userprofile%\desktop\win32kdiag.exe" -f -r


Attach the logs from ESET, GMER and Win32kDiag