Rootkit Zero Access and so much more

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lydster, Jul 15, 2012.

  1. Lydster

    Lydster Private First Class

    I'm helping my sister with her laptop, which has been running slow, music coming out of speakers randomly, and so forth. She has a Vista, which I've never tried before to do the MG malware removal process on; so some of the programs are new to me. One of them was Hitman, and I'm doing this remotely, so I kept minimizing and maximizing between her remote computer and my own with your instructions up, so I think I might have hit Next before I should have. Not sure, because then it came back to the same results window where I then changed all the Deletes to Ignores and saved the log. Not sure if I did something unintentionally before that. **I just tried to attach hitmanpro.xml log, but it is coming up as an invalid file. Did I do something wrong when I saved this one?**

    The RogueKiller log is attached. Also, when I was running MGTools, I got an error message. I'll attach a screenshot of the error in a Word doc in another post, because I already have the max 4 attachments on this one. Out of habit from running through your steps in the past, I also ran SuperAntiSpyware, so I'll attach that log in the next post. I ran TDSSKiller, and the log is attached. Also, I wanted to mention that I attempted to run ComboFix early on in the removal process (again, out of habit), but although it appeared to get started, it never really ran after the first window came up and extracted some files.

    Thanks for your help!
     

    Attached Files:

  2. Lydster

    Lydster Private First Class

    More attachments: SuperAntiSpyware and the Word doc with the error msg I received while running MGTools (wouldn't allow me to attach the .docx, so I turned it into a PDF). Still can't attach hitmanpro.xml, so I'm attaching a PDF of that as well. Not sure if that's good enough. You can let me know. Thanks.
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hello Lydster :)

    You need to zip it prior to attempting to attach. This is explained in the instructions.

    __

    http://img805.imageshack.us/img805/9659/rktigzy.gif Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)

    __

    http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif - Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

    __

    http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif Once you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log. (How to attach)

    __

    Completely delete these two folders manually using Windows Explorer:

    • c:\users\lynda\appdata\local\{c0ca3251-50ed-482e-48ca-742bf0cfe0af}
    • c:\windows\installer\{c0ca3251-50ed-482e-48ca-742bf0cfe0af}

    Let me know if you were successful or not.
     
  4. Lydster

    Lydster Private First Class

    Hi there. Thanks for your response. On the HitmanPro, wanted to clarify one thing: When I do Replace on services.exe, do I still change the other items to Ignore, or can I let them Delete?
     
  5. thisisu

    thisisu Malware Consultant

    Only Replace services.exe and you can choose to Delete: c:\windows\assembly\gac\desktop.ini if it's detected again. Ignore all other detections besides these two.
     
  6. Lydster

    Lydster Private First Class

    Ran RogueKiller -- appeared to go fine. Attached is log. Ran HitmanPro twice, as instructed, but neither time did it seem to manage to either Replace services.exe Virus or Delete c:\windows\assembly\gac\desktop.ini. Attached is the HitmanPro log as well.

    I was able to delete the folder as instructed in the user profile, Lynda; but I was unable to delete the one in Windows/Installer because the system said it was in use by another program. I ended some processes that I knew were unnecessary, to see if it might be one of those, but it still wouldn't delete the folder.

    Look forward to hearing what comes next.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    This is the log of the scan only.
    I requested the log of when you pressed the Delete button.
    Please attach that one for review.
    Thanks
     
  8. Lydster

    Lydster Private First Class

    I have so many copies of these logs anymore. I hope this is the one you want.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Yes, that is it, thank you.
    Let's try this another way:

    http://img225.imageshack.us/img225/760/blitzblank.gif Please download BlitzBlank to your desktop.
    • Double-click BlitzBlank.exe to open (Vista/7 right-click and select Run as Administrator)
    • Press OK at the warning prompt.
    • Click the Script tab
    • Copy the text inside the code box below and paste it into the text-field.
    Code:
    DeleteFile:
    C:\Windows\assembly\GAC\Desktop.ini
    DeleteFolder:
    c:\users\lynda\appdata\local\{c0ca3251-50ed-482e-48ca-742bf0cfe0af}
    c:\windows\installer\{c0ca3251-50ed-482e-48ca-742bf0cfe0af}
    • Now click the Execute Now button.
    • The fix will require a reboot in order to complete successfully.
    • Upon reboot, locate C:\blitzblank.log and attach this log to your next message. (How to attach)

    __

    http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif - Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.
    Ignore any and all other detections.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

    __

    http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  10. Lydster

    Lydster Private First Class

    Ran BlitzBlank. When I first pasted your script and tried to execute, I got a syntax error which I eventually realized was because one folder was already deleted by me manually from the c:\users\lynda... folder. So I removed that line from the script. Then when I executed, I got a different error about running as administrator. See PDF attached. Although this isn't a Windows 7 station (it's Vista), I went back out and did right-click Run as Administrator to open BlitzBlank, but the same error came up again. I thought I'd send this over while I move on to Hitman.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Do not bother with HitmanPro until those folders have been prioritized.

    I've never heard of BlitzBlank failing to run but try getting this to work before doing anything else:

    http://img194.imageshack.us/img194/4930/combofix.gif Please download and run ComboFix and attach its log.
    Read these instructions on how to use it: How to use ComboFix
    Do not uninstall ComboFix yet as we may need it to fix remaining malware issues.
     
  12. Lydster

    Lydster Private First Class

    Wow, things are looking up! ComboFix appears to have done what you expected, because after it ran successfully, when I ran BlitzBlank again, first I got a syntax error on (C:\Windows\assembly\GAC\Desktop.ini), which I took to mean that CF had removed it, so I took out that script and ran only the Delete on c:\windows\installer\{c0ca3251-50ed-482e-48ca-742bf0cfe0af}. After Execute Now and reboot, I moved on to HitmanPro, which ran and found no threats (hurray!). Then I ran C:\MGtools\GetLogs.bat.

    All logs are attached. I'm feeling hopeful...!
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Much better indeed. :)

    http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
    Make sure that ComboFix.exe previously downloaded is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    C:\user.js
    Folder::
    C:\found.000
    C:\Windows\system32\%APPDATA%
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    __

    http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
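    A read-only triage check for the indicators this thread walks through (the services.exe signature, the two GUID-named folders, GAC\Desktop.ini, the BHO registry key and the leftover files in the CFScript), written here as an added example; it is not from the thread or from any of the tools used in it, and it assumes an elevated PowerShell session on the affected machine, with the profile folder resolved from LOCALAPPDATA instead of the thread's c:\users\lynda path.

```powershell
# Added read-only triage script (not from the thread or any MajorGeeks tool).
# It reports the indicators named in this thread and deletes nothing.
# Assumptions: elevated PowerShell; the per-user GUID folder is looked up under
# the current user's LOCALAPPDATA rather than the thread's c:\users\lynda path.

$guid = '{c0ca3251-50ed-482e-48ca-742bf0cfe0af}'   # folder name from the thread
$bho  = '{02478D38-C3F9-4efb-9B51-7695ECA05670}'   # BHO CLSID from the CFScript

$findings = @()

# 1. services.exe: the thread shows HitmanPro flagging and replacing this binary,
#    so an unsigned or invalidly signed copy is the first thing to check.
$svc = Join-Path $env:SystemRoot 'System32\services.exe'
$sig = Get-AuthenticodeSignature -FilePath $svc
if ($sig.Status -ne 'Valid') {
    $findings += "services.exe signature status: $($sig.Status)"
}

# 2. The two GUID-named folders the helper asked to have deleted.
$folders = @((Join-Path $env:LOCALAPPDATA $guid),
             (Join-Path $env:SystemRoot "Installer\$guid"))
foreach ($p in $folders) {
    if (Test-Path -LiteralPath $p) { $findings += "folder present: $p" }
}

# 3. A Desktop.ini dropped in the .NET GAC root (detected by HitmanPro in the thread).
$gacIni = Join-Path $env:SystemRoot 'assembly\GAC\Desktop.ini'
if (Test-Path -LiteralPath $gacIni) { $findings += "file present: $gacIni" }

# 4. Browser Helper Object registration removed by the ComboFix script.
$bhoKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho"
if (Test-Path -LiteralPath $bhoKey) { $findings += "BHO registered: $bhoKey" }

# 5. Leftover paths listed in the same script. -LiteralPath keeps the literal
#    folder name '%APPDATA%' from being expanded as a variable.
$leftovers = @('C:\user.js', 'C:\found.000',
               (Join-Path $env:SystemRoot 'system32\%APPDATA%'))
foreach ($p in $leftovers) {
    if (Test-Path -LiteralPath $p) { $findings += "present: $p" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this thread were found.'
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR  $_" }
}
```

A clean system prints the single "No indicators" line; anything else is a pointer to the corresponding step in the thread above, not a verdict on its own.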
     
  14. Lydster

    Lydster Private First Class

    Here are the latest CF and MG logs. Thanks!
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    You're welcome.
    Your latest logs are clean.

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  16. Lydster

    Lydster Private First Class

    You are a GOD! (Goddess?) Many thanks for your help.
     
  17. thisisu

    thisisu Malware Consultant

    I prefer God (lol). You're welcome. Be safe :)
     
