Zero Access and Windows Update

Discussion in 'Malware Help (A Specialist Will Reply)' started by rykbowski, Dec 31, 2011.

  1. rykbowski

    rykbowski Private E-2

    I recently had the zero access rootkit virus (about two weeks ago). I ran Combo Fix to remove, but now have found that windows update will no longer run (error code 80096001).

    I have attached logs from combo fix (ran yesterday), MBAM (ran yesterday), Hijackthis (ran today).

    I found this link (http://forums.majorgeeks.com/showthread.php?t=249924) that somewhat addresses my issue, but I am not sure if the steps pertain to that particular system.

    Thank you for your time and advice.
     


  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, rykbowski!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and then attach the requested logs to your next reply when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    * Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated - our system works the oldest threads FIRST.
     
  3. rykbowski

    rykbowski Private E-2

    Thank you for the information. I have attached a log for Combo Fix, MBAM, and hijack this. I have also uninstalled Avg using the AVG removal tool, attempted microsoft fix it 5052 (no luck), and ran tweaking.com windows repair (no luck). Please let me know if there are additional logs needed.

    Thank you

    (combo fix and hijack this logs below on first post....will not let me reupload)
     


  4. thisisu

    thisisu Malware Consultant

  5. rykbowski

    rykbowski Private E-2

    ok here is what I gathered from the information

    1. Getting Started: do not have a redirect problem, but have cleared browser cache

    2. Uninstalling Multiple Protection Applications: Uninstalled AVG 2012. Only use windows firewall, which is disabled

    3. House Cleaning: Updated java, deleted avg quarantine files, no traces of viewpoint, do not have norton

    4. Configuration & Setup: 32bit Windows 7, displaying hidden files, and in normal boot mode (though this does not seem to be a start-up issue)

    5. Uninstall Known Malware and Unwanted Software: nothing found in control panel add/remove programs

    6. Disable Any Disk Emulation Software (like Daemon Tools..etc): do not use these tools, or at least I do not believe I use these :)

    7. Windows OS Specific Cleaning Instructions: Windows 7

    SUPERAntispyware= log below (found lots of cookies)
    Combo fix log= on first post (site will not let me reupload)
    Malware bytes log= on 2nd post (will not let me reupload)
    MGTools= zip below
    rootrepeal= crashes, will not run on my computer
     


  6. thisisu

    thisisu Malware Consultant

    Perfect! :)


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  7. rykbowski

    rykbowski Private E-2

    I have attached the logs for Far bar and MBR Check
     


  8. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • J2SE Runtime Environment 5.0 Update 3
    • Java(TM) 6 Update 24

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DirLook::
    C:\Users\Ryker\AppData\Roaming\FixZeroAccess
    C:\Users\Ryker\AppData\Roaming\PC Cleaners
    FireFox::
    FF - ProfilePath - c:\users\Ryker\AppData\Roaming\Mozilla\Firefox\Profiles\umvgdi3z.default\
    FF - prefs.js: keyword.URL - hxxp://www.google.com/cse?cx=partner-pub-5528014799800033:cevktqnfrvl&ie=ISO-8859-1&q=
    File::
    C:\Users\Ryker\AppData\Local\0d16ps5l74g467
    C:\Users\Ryker\AppData\Roaming\Microsoft\Windows\Templates\0d16ps5l74g467
    C:\Users\Ryker\AppData\Local\gnknnt2n7ojj3gnm8xoe8a087t8f
    C:\Users\Ryker\AppData\Local\q8ek34q6dk3uce
    C:\Users\Ryker\AppData\Roaming\Microsoft\Windows\Templates\q8ek34q6dk3uce
    C:\Users\Ryker\AppData\Roaming\Microsoft\Windows\Templates\kjKmVd7cW2
    FileLook::
    :\windows\system32\drivers\rdvgkmd.sys
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Put your computer back into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to setup for Normal Startup Mode

    Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  9. rykbowski

    rykbowski Private E-2

    I noticed that Java claimed that uninstall failed, but it is no longer listed on my add/remove programs.

    Attached is the new combo fix log.

    Windows update still not working
     


  10. rykbowski

    rykbowski Private E-2

    sorry, just saw the rest of the instructions. Installed Java 7 and have attached MGlogs.zip
     


  11. thisisu

    thisisu Malware Consultant


  12. thisisu

    thisisu Malware Consultant

    Looks like your Windows Firewall is broken too.

    Let's try to fix Windows Update first since that one has been more difficult lately and that is the one you noticed.
     
  13. rykbowski

    rykbowski Private E-2

    Ran the bat file and FSS (log is attached)

    windows update still down
     

  14. thisisu

    thisisu Malware Consultant

    You forgot to attach fixme.txt

    Complete the below too:

    Please download MiniRegTool.zip and unzip it.

    • Run the tool.
    • Copy and paste the following into the edit box:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv

    • Check Export keys radio button.
    • Press the Go button and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.

    In your next message you should be attaching:
    • Result.txt
    • fixme.txt
     
  15. rykbowski

    rykbowski Private E-2

    sorry for missing the last text file. I have attached both
     


  16. thisisu

    thisisu Malware Consultant

    Those both look good.

    Attached is start.zip

    Extract the start.bat file and run it using Administrator privileges.

    Attach start.txt when finished.

    Then reboot and press the "Check for Updates" button. Let me know which error message you receive if any.
     


  17. rykbowski

    rykbowski Private E-2

    attached is start.txt. Windows update is still down. The error code is

    WindowsUpdate_80096001

    (picture attached)
     


  18. thisisu

    thisisu Malware Consultant

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Register System Files
      • Remove Policies Set By Infections
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Test Windows Update again after you have rebooted.
     
  19. rykbowski

    rykbowski Private E-2

    no luck. I do not see a log file associated with this program as well
     
  20. thisisu

    thisisu Malware Consultant

  21. rykbowski

    rykbowski Private E-2

    attached is a new fss log
     

  22. thisisu

    thisisu Malware Consultant

    Heh that log looks fine. Not sure what is causing it at this point.

    Try this: http://support.microsoft.com/kb/971058

    Run the fix it tool from here and let me know what the diagnosis results were.

    There is a "View Report Details" link at the bottom of the tool when it is finished.

    Save it as ResultReport.txt and upload here
     
    Last edited: Dec 31, 2011
  23. rykbowski

    rykbowski Private E-2

    the utility says there is not an issue, yet update still gives the same error

    I have attached a picture of the utility's findings
     


  24. thisisu

    thisisu Malware Consultant

  25. rykbowski

    rykbowski Private E-2

    here is also a txt file of the findings from the fix it utility
     


  26. rykbowski

    rykbowski Private E-2

    here is the mini tool box log
     


  27. thisisu

    thisisu Malware Consultant

    Attached is another file I would like you to run as Administrator. There is no log produced by this one. Just reboot when it is finished and retest Windows Update.

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     


  28. rykbowski

    rykbowski Private E-2

    here is the updated mglogs.zip

    I also noticed that once the bat file was run, the cmd window said

    "service stopped successfully"
    "the system cannot find the specified file"
    "The windows update service is starting"

    don't know if that gives any clues...
     


    Last edited: Jan 1, 2012
  29. thisisu

    thisisu Malware Consultant

    Can you try creating another User Account and then testing Windows Update on it?
     
  30. rykbowski

    rykbowski Private E-2

    created a new user account, with no luck on the new account
     
  31. rykbowski

    rykbowski Private E-2

    through cmd, I ran "nslookup windowsupdate.microsoft.com" (without quotes). I noticed that my server is listed as "Unknown." Don't know if that means anything....
     
  32. thisisu

    thisisu Malware Consultant

    I'm still doing research on the error you received.

    I'd like for you to try this .bat file next.
    When prompted, press OK at the warning.

    The Dos prompt window may hang for a while, just be patient :)

    Notepad will open on its own when finished. Once you close notepad, the Dos prompt window will also close.

    Attach repair database.txt when finished.
     


    Last edited: Jan 1, 2012
  33. rykbowski

    rykbowski Private E-2

    here is the repair database log
     


  34. rykbowski

    rykbowski Private E-2

    I tried windows update again, but now am getting a new error (says service is not running). However, windows update is NOT listed in the services? Has it been deleted?
     
  35. rykbowski

    rykbowski Private E-2

    disregard last message. The service is back, but still getting the same error message 80096001
     
  36. thisisu

    thisisu Malware Consultant

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Repair MDAC/MS Jet
      • Repair Windows Updates
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.
     
  37. rykbowski

    rykbowski Private E-2

    no luck, same error code. Here is something I noticed from the windows update log (file too large to attach whole log)



    2012-01-01 13:51:10:805 996 dbc AU #############
    2012-01-01 13:51:10:805 996 dbc AU ## START ## AU: Search for updates
    2012-01-01 13:51:10:805 996 dbc AU #########
    2012-01-01 13:51:10:806 996 dbc AU <<## SUBMITTED ## AU: Search for updates [CallId = {4A9C19E7-8B99-4D1D-B5BB-D50ACF53548D}]
    2012-01-01 13:51:10:806 996 d40 Agent *************
    2012-01-01 13:51:10:806 996 d40 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
    2012-01-01 13:51:10:806 996 d40 Agent *********
    2012-01-01 13:51:10:806 996 d40 Agent * Online = Yes; Ignore download priority = No
    2012-01-01 13:51:10:806 996 d40 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    2012-01-01 13:51:10:806 996 d40 Agent * ServiceID = {9482F4B4-E343-43B6-B170-9A65BC822C77} Windows Update
    2012-01-01 13:51:10:806 996 d40 Agent * Search Scope = {Machine}
    2012-01-01 13:51:10:880 996 d40 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
    2012-01-01 13:51:10:883 996 d40 Misc WARNING: Error: 0x80096001 when verifying trust for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab
    2012-01-01 13:51:10:883 996 d40 Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab are not trusted: Error 0x80096001
    2012-01-01 13:51:10:939 996 d40 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
    2012-01-01 13:51:10:942 996 d40 Misc WARNING: Error: 0x80096001 when verifying trust for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab
    2012-01-01 13:51:10:942 996 d40 Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab are not trusted: Error 0x80096001
    2012-01-01 13:51:11:059 996 d40 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
    2012-01-01 13:51:11:062 996 d40 Misc WARNING: Error: 0x80096001 when verifying trust for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab
    2012-01-01 13:51:11:062 996 d40 Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab are not trusted: Error 0x80096001
    2012-01-01 13:51:11:062 996 d40 Agent WARNING: Failed to obtain the authorization cab URLs, hr=0x80096001
    2012-01-01 13:51:11:062 996 d40 Agent * WARNING: Online service registration/service ID resolution failed, hr=0x80096001
    2012-01-01 13:51:11:063 996 d40 Agent * WARNING: Exit code = 0x80096001
    2012-01-01 13:51:11:063 996 d40 Agent *********
    2012-01-01 13:51:11:063 996 d40 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
    2012-01-01 13:51:11:063 996 d40 Agent *************
    2012-01-01 13:51:11:063 996 d40 Agent WARNING: WU client failed Searching for update with error 0x80096001
    2012-01-01 13:51:11:063 996 bb8 AU >>## RESUMED ## AU: Search for updates [CallId = {4A9C19E7-8B99-4D1D-B5BB-D50ACF53548D}]
    2012-01-01 13:51:11:063 996 bb8 AU # WARNING: Search callback failed, result = 0x80096001
    2012-01-01 13:51:11:063 996 bb8 AU # WARNING: Failed to find updates with error code 80096001
    2012-01-01 13:51:11:063 996 bb8 AU #########
    2012-01-01 13:51:11:063 996 bb8 AU ## END ## AU: Search for updates [CallId = {4A9C19E7-8B99-4D1D-B5BB-D50ACF53548D}]
    2012-01-01 13:51:11:063 996 bb8 AU #############
    2012-01-01 13:51:11:063 996 bb8 AU Successfully wrote event for AU health state:0
    2012-01-01 13:51:11:063 996 bb8 AU AU setting next detection timeout to 2012-01-02 02:51:11
    2012-01-01 13:51:11:063 996 d40 Report REPORT EVENT: {932136E2-1BC4-4A51-A9F7-FAF3C65244AE} 2012-01-01 13:51:09:957-0800 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80096001 AutomaticUpdates Failure Software Synchronization Windows Update Client failed to detect with error 0x80096001.
    2012-01-01 13:51:11:063 996 d40 Report REPORT EVENT: {5F64AA06-5B1A-4152-83F0-A216847590B7} 2012-01-01 13:51:11:062-0800 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80096001 AutomaticUpdates Failure Software Synchronization Windows Update Client failed to detect with error 0x80096001.
    2012-01-01 13:51:11:064 996 bb8 AU Successfully wrote event for AU health state:0
    2012-01-01 13:51:11:064 996 bb8 AU Successfully wrote event for AU health state:0
    2012-01-01 13:51:11:134 996 d40 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
    2012-01-01 13:51:11:134 996 d40 Report WER Report sent: 7.5.7601.17514 0x80096001 00000000-0000-0000-0000-000000000000 Scan 101 Unmanaged
    2012-01-01 13:51:11:137 996 d40 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
    2012-01-01 13:51:11:137 996 d40 Report WER Report sent: 7.5.7601.17514 0x80096001 00000000-0000-0000-0000-000000000000 Scan 101 Unmanaged
    2012-01-01 13:51:11:137 996 d40 Report CWERReporter finishing event handling. (00000000)
    2012-01-01 13:51:16:062 996 d40 Report CWERReporter finishing event handling. (00000000)
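
Added example, not part of the original thread: a Python triage of the WindowsUpdate.log excerpt above that decodes the HRESULT, counts signature-trust failures per file, and checks whether the agent's exit code is that same trust error. The sample lines are trimmed from the post; the name TRUST_E_SYSTEM_ERROR for 0x80096001 is taken from winerror.h, and the function names are this example's own.

```python
import re

# Sample input trimmed from the WindowsUpdate.log lines quoted in the post above
# (fields are space-separated here, as they appear on the page).
SAMPLE_LOG = r"""
2012-01-01 13:51:10:806 996 d40 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2012-01-01 13:51:10:880 996 d40 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2012-01-01 13:51:10:883 996 d40 Misc WARNING: Error: 0x80096001 when verifying trust for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab
2012-01-01 13:51:10:942 996 d40 Misc WARNING: Error: 0x80096001 when verifying trust for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab
2012-01-01 13:51:11:062 996 d40 Misc WARNING: Error: 0x80096001 when verifying trust for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab
2012-01-01 13:51:11:063 996 d40 Agent * WARNING: Exit code = 0x80096001
2012-01-01 13:51:11:063 996 bb8 AU # WARNING: Failed to find updates with error code 80096001
""".strip()

# Symbolic name as defined in the Windows SDK header winerror.h.
HRESULT_NAMES = {0x80096001: "TRUST_E_SYSTEM_ERROR"}

# Fields: date, time, PID (decimal), TID (hex), component, message.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s+([0-9a-fA-F]+)\s+(\w+)\s+(.*)$"
)
TRUST_RE = re.compile(r"WARNING: Error: (0x[0-9A-Fa-f]{8}) when verifying trust for (.+)$")
EXIT_RE = re.compile(r"WARNING: Exit code = (0x[0-9A-Fa-f]{8})")


def decode_hresult(value):
    """Split a 32-bit HRESULT into severity bit, facility and code."""
    return {
        "failure": bool(value >> 31),
        "facility": (value >> 16) & 0x7FF,  # 9 = FACILITY_SECURITY (crypto/trust errors)
        "code": value & 0xFFFF,
        "name": HRESULT_NAMES.get(value, "unknown"),
    }


def parse_line(line):
    """Return the fields of one log line, or None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    date, time, pid, tid, component, message = m.groups()
    return {"date": date, "time": time, "pid": int(pid), "tid": tid,
            "component": component, "message": message}


def summarize(log_text):
    """Count trust-verification failures per (file, HRESULT) and collect agent exit codes."""
    failures = {}
    exit_codes = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        trust = TRUST_RE.search(entry["message"])
        if trust:
            key = (trust.group(2), int(trust.group(1), 16))
            failures[key] = failures.get(key, 0) + 1
            continue
        exit_match = EXIT_RE.search(entry["message"])
        if exit_match and entry["component"] == "Agent":
            exit_codes.append(int(exit_match.group(1), 16))
    failed_codes = {code for _, code in failures}
    return {
        "trust_failures": failures,
        "exit_codes": exit_codes,
        # True when every agent exit code is one of the trust errors seen earlier.
        "signature_check_is_cause": bool(exit_codes)
        and all(code in failed_codes for code in exit_codes),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (path, code), count in summary["trust_failures"].items():
        print(f"{count}x {code:#010x} {decode_hresult(code)['name']} {path}")
    print("exit code caused by signature check:", summary["signature_check_is_cause"])
```

On this excerpt the same cab fails trust verification on each of three attempts and the agent exits with that same code, so the search stops at signature verification of the redirect cab before any update is evaluated.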
     
  38. thisisu

    thisisu Malware Consultant

  39. thisisu

    thisisu Malware Consultant

  40. thisisu

    thisisu Malware Consultant

    If the FixIt tool did not work, try the below attached fixme2.bat file.

    No log produced
     


  41. rykbowski

    rykbowski Private E-2

    neither the fix or the bat worked. I have seen a few Google searches where others experienced the error code, but no solutions.
     
  42. thisisu

    thisisu Malware Consultant

    I would have thought completely rebuilding the SoftwareDistribution folder would have solved this.. but apparently not.

    I will keep researching and will post any other potential fixes I find.

    Seems to be something with "E-Trust" which I am not yet familiar with. I'm guessing the digital signatures of the updates are not passing.
     
  43. thisisu

    thisisu Malware Consultant

    Kind of want to try some more aggressive techniques here. I would recommend creating a restore point just in case something does not go as planned.

    First open a command prompt window and type in the following: net stop wuauserv


    If the Windows update service was stopped successfully or was already stopped, then proceed with these directions. Otherwise, stop now and let me know.


    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DirLook::
    c:\windows\system32\catroot2
    Folder::
    C:\Windows\SoftwareDistribution
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Jan 2, 2012
  44. thisisu

    thisisu Malware Consultant

    After you have completed the above.

    Let me know if you are able to rename this folder: c:\windows\system32\catroot2

    For example, try renaming catroot2 to catroot2_old

    I am thinking something is hiding in this folder and will prevent you from doing so which we will find out soon once you attach the ComboFix log.
     
  45. rykbowski

    rykbowski Private E-2

    Neither method worked. I went ahead and re-installed windows, and everything seems to be up and running. Thank you so much for all your time and effort. You and the rest of the Major Geeks staff are truly appreciated. Thank you again
     
  46. thisisu

    thisisu Malware Consultant

    You're welcome. Sorry things did not go our way this time. Take care and be safe! :)
     
