Still have malware problems after the readme

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by crazybutable, Sep 27, 2011.

  1. crazybutable

    crazybutable Private E-2

    I have some questions at the end of this post, but here is my story.

    On Friday my computer (Windows XP) started making a series of beeps, then suddenly a popup from Microsoft Security Essentials showed up saying "MSE is not running because the service is stopped [etc.]" Trying to start the service gave me an "Access denied" error and a hex code. Could not run windows update, it said the website did not exist. Nothing in the hosts file to redirect traffic. My computer locked up and I reset it.

    I booted into safe mode and downloaded microsoft's standalone scanner (Microsoft Support Emergency Response Tool). A full scan found a trojan and a trojan dropper (sorry I didn't write down which one.)

    After reboot, MSE seemed to start okay, but as I was getting ready to run Windows Update it got that error again. Windows update still didn't run. I did a bing search (I was still in IE) to try to find this page and got redirected to a page full of ads.

    A google search on firefox got me here. I started reading the read me and kept getting OUTLOOK.EXE errors and the computer would stop responding. I needed to get some work done on Saturday so I disconnected all four drives in my computer, picked up a brand new hard drive, and installed linux on it.

    On Sunday I disconnected the linux drive and re-connected my windows boot drive (but not the others) to get a file off it. I completely forgot that I had those other three drives disconnected.

    Later that day I started working my way through the readme. I uninstalled java entirely from my computer, I checked all of the add remove programs entries, and made sure that I didn't have any disk emulation software installed. I then downloaded all of the tools. This took a very long time because the computer would freeze up and I had to hard reset it with the reset button. During this time, opening task manager would cause the computer to lock up.

    1. SuperANTISpyware: I got it installed and running okay. Performed the first full scan and it crashed (as in, suddenly the program was just gone) as it was scanning processes. Then the computer froze up again. On restart, I could not start the program, and had to use the alternate start. Did a second scan, trying a quick scan instead, and got the same result.

    2. I installed Malwarebytes, but immediately when I tried to run it it said that I didn't have permission to run that program. I checked the permissions, and Everyone had full control, but there was a "special permissions" line and the effective permissions were that everyone was denied access. So I created a special entry for my user account giving my user account full control and execute permissions on the process. Then I was able to get it to run. But it got just a few seconds into the scan and was forcibly terminated.

    3. I ran Combofix from the desktop. It tried to install the windows recovery console. The network was acting very flaky and the install failed. I continued, and ComboFix popped up a message saying that I had a rootkit: Rootkit.ZeroAccess, and that the rootkit was in my TCP/IP stack and was "particularly difficult" to remove. Then after some more thinking it popped up another Rootkit popup. Then I went to the store and when I came back 2 hours later the computer was hung. (It never displayed stage_1, stage_2, etc.)

    I reset the machine and ran it again. This time it booted much faster and was more responsive. Combofix was able to download and install the windows recovery console, and then it was able to complete the entire scan successfully.

    4. I rebooted and tried running root repeal but it stayed stuck in the initializing screen for several hours. I rebooted (after combofix I was able to reboot using the start menu instead of the reset switch) and tried again and it still did not work.

    5. I ran MGtools and it appeared to work fine.


    So, am I clean? I don't know how to read these log files to know for sure. Although my machine is more responsive I'm still experiencing some network flakiness.

    Also, what do I do with the 3 drives I forgot to connect to my machine? Should I reconnect them and run the Readme process from the top?

    Re: Logs: SAS left no log. Malwarebytes is back to being un-runnable because of permission problems. Root repealer never got far enough to generate a log.

    Thank you kindly for your help and time.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What do you mean by this?

    Your logs look good, but let's double check something:

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  3. crazybutable

    crazybutable Private E-2

    I'm not sure how to describe the network flakiness. My network is usually reliable, works like a rock, if a bit slow. I have an ancient router in the mix and that will occasionally up and die, requiring a plug-unplug kind of thing. Ever since I got this virus my network has been acting... flaky. Losing connection with the outside world, downloads go super slow, then everything will be fine again, then suddenly I have no network connection.

    Another problem is that I still cannot connect to Windows Update using IE.

    Another symptom is that when I reboot, there is a pause, a long, long pause, far longer than what I'm accustomed to seeing, between the "welcome to windows" screen and the "choose an account" screen. About 20-30 seconds.

    Attached is my log of TDSSKiller. When I tried to run the MBR scanner, it locked up my computer. I took a picture of the screen but I can't upload the picture right now so I'll type it out.

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    \\.C: --> \\.\PhysicalDrive0 at offset 0x00000000'00007e00 (NTFS)

    Size Device Name MBR
    -------------------------------------------------------------------
    69 GB \\.\PhysicalDrive0 [cursor sat here]

    The cursor just sat there blinking. I let it go for 5-10 minutes before I hit printscreen to take a picture of it. Then when I clicked on the start menu the whole machine locked up.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me have you try one other thing, just to be sure:


    • Please download a ZeroAccess Removal Tool (By Webroot) to your desktop.
    • Double click on it to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
    • Type y and press enter to run the scan.
    • Hit any key to exit once it has finished its scan.
    • Attach the log which will be in the same location as you ran the tool from. (Should be desktop)
    And to try to fix your "flaky" network issues:
    Please download Winsock 1.2

    http://i1111.photobucket.com/albums/h479/MysticalMagpie/winsockXP.png

    Use it to try and fix the broken internet connection.
     
    Last edited: Sep 28, 2011
  5. crazybutable

    crazybutable Private E-2

    Here is my log file.

    I can now run windows update, and I haven't seen any network weirdness since I ran that program and rebooted. Thank you so much!

    My next question is, what do I do with the other three disks? I used to have them connected to my computer but right now they are not connected. Should I connect and scan them one at a time? Which program should I use to scan them?
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Connect each one at a time and run both SAS and MBAM on each. Then please run :

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Attach both SAS and MBAM logs as well as the logs from TDSSKiller and MBRCheck. Use three posts. One for each drive.
     
  7. crazybutable

    crazybutable Private E-2

    I am connecting each drive and doing a full scan (so it rescans the C Drive).

    Can I be doing anything else with my computer while these scans are going on? The MBAM one takes forever.

    Also of note, I still can't get MBR check to run successfully. It crashes before it is finished. I tried booting off a linux recovery CD to peek at the MBR but I guess I don't really know what I'm looking for. fdisk says I have one windows NTFS partition, although it also says I have around 14k unallocated 512 byte sectors, which is odd because I remember using up all of the space on the disk when I formatted it.

    Anyway here are the results from drive E. Currently scanning drive L.
     

    Attached Files:
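A small parser, added here and not part of the thread or of MBRCheck, fdisk or any other tool named in it, showing what an MBR check actually inspects: the 0x55AA boot signature, the four 16-byte partition entries (the offset 0x7e00 reported above is LBA 63 times 512 bytes), a count of unallocated sectors of the kind fdisk reports, and a hash of the 446-byte boot code compared against a baseline taken from a known-clean system, which is how a bootkit that leaves the partition table intact gets noticed. The sample MBR, the 69 GB disk size and the baseline hash are all constructed for the example.

```python
import hashlib
import struct

SECTOR = 512                     # logical sector size; MBRCheck and fdisk both report 512-byte sectors
SIGNATURE = b"\x55\xaa"          # mandatory boot signature at bytes 510..511 of the MBR
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count
PART_TYPES = {0x07: "NTFS", 0x83: "Linux"}

def build_sample_mbr(boot_code, entries):
    """Construct a 512-byte MBR from boot code and up to four (bootable, type, lba, count) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, 0x80 if bootable else 0x00,
                         b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)

def parse_mbr(mbr, disk_sectors):
    """Validate the signature, decode the partition table and measure unallocated space."""
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue                      # empty slot
        parts.append({"slot": i, "bootable": status == 0x80, "type": PART_TYPES.get(ptype, hex(ptype)),
                      "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return {
        "partitions": parts,
        "unallocated_sectors": disk_sectors - sum(p["sectors"] for p in parts),
        # Hash of the 446-byte boot code only: a bootkit replaces this code and usually leaves
        # the partition table untouched, so the table alone can look perfectly normal.
        "boot_code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
    }

def boot_code_unchanged(mbr, baseline_sha256):
    """True when the boot code still matches the hash recorded from a known-clean install."""
    return hashlib.sha256(mbr[:446]).hexdigest() == baseline_sha256

# Constructed sample, not a real dump: a 69 GB disk (144,703,488 sectors) with one bootable NTFS
# partition starting at LBA 63, so its byte offset is 0x7e00 as in the MBRCheck output above.
DISK_SECTORS = 144_703_488
CLEAN_BOOT_CODE = b"\xeb\xfe" + b"\x90" * 40        # filler standing in for real boot code
SAMPLE_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 63, DISK_SECTORS - 63 - 14000)])
BASELINE = hashlib.sha256(SAMPLE_MBR[:446]).hexdigest()   # hash you would record while clean
```

On a live disk the 512 bytes would come from a raw read of the physical drive (for example `\\.\PhysicalDrive0` as in the output above), which is why a tool like MBRCheck needs administrator rights.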

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That drive looks good.
     
  9. crazybutable

    crazybutable Private E-2

    Drive L. Again, MBR check locks up when running it.
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That drive seems fine also.
     
  11. crazybutable

    crazybutable Private E-2

    Here are the logs from Drive F.

    I just noticed that MBRcheck was leaving behind text files this whole time. I've been running it from the desktop and my desktop is rather... cluttered.

    I've included the MBRcheck file for the most recent run, I can upload the others.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks like that drive is clean as well. Are you having any malware issues?
     
  13. crazybutable

    crazybutable Private E-2

    No, it looks like I'm all clean. Thanks!
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


     
