A Nasty Virus RootKit, MS Updates not working.


Woger

Well took some days to Fix, Virus/rootkit ??


Here are 2 Event logs for both Problems,

The Automatic Updates service failed to start due to the following error:
The system cannot find the file specified. Event ID: 7000


The Background Intelligent Transfer Service terminated with the following
error: The system cannot find the file specified Event ID: 7023

Had altered the Paths in the registry so that the system did not have access
to the Auto Updates and the BITS, plus Locked the Permissions, so after
resetting the Permissions was able to change the paths

I.e., %systemroot%\system32\svchost.exe -k netsvcs was %fstemroot%

The Same alteration with the BITS service

Auto Updates would now list the files but BITS was not running, I had a MS
file on how to reinstall Auto Updates and Bits, but when trying to install the
BITS it loaded all the files and came up with an ERROR..? not listed but the
Events log showed it up as

The Security Registry key denied access to SYSTEM account programs so the
Service Control Manager took ownership of the Registry key.

Event ID: 7028


Decided that some of the Registry keys had Lock privileges and just found the
BITS also had a missing Key..

But found a way to reset the Security Privileges with a CMD file MS also has
one but never tried it.


Now I found that I could reinstall the BITS Service, and Auto Updates are
fully working..

But I can't find the Scesrv.log file, but that might be back now..


Plus other problem With Bluescreen and the Lan driver being removed, so had
to reinstall that some 4 times and reenter TCP/IP Properties, plus reinstall
my Nvidia driver..

So keeping my fingers crossed, I have yet to reboot after the Updates..
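As an added example that is not part of the thread, here is a PowerShell check a defender could run to look for the same three signs the post above describes: a tampered ImagePath on the wuauserv (Automatic Updates) or BITS service, a missing Security subkey (the key event 7028 refers to), and locked permissions on the service keys, followed by a pull of the Service Control Manager events 7000/7023/7028. It assumes an elevated PowerShell 3.0 or later session on Vista or later (the thread is about XP, where Get-WinEvent does not exist); the expected ImagePath prefix and the Security subkey name are assumptions taken from the event text quoted in the post, and the script only reports, it changes nothing.

```powershell
# Added example (not from the thread). Audits the two services the original
# poster found tampered with: wuauserv (Automatic Updates) and BITS.
# Assumptions: elevated PowerShell 3.0+ on Vista or later; the expected
# ImagePath prefix is the stock value for both services (newer builds append
# "-p", which the prefix test tolerates). Read-only: nothing is modified.

$services = @('wuauserv', 'BITS')
$expectedPrefix = '%systemroot%\system32\svchost.exe -k netsvcs'

foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    Write-Host "== $svc =="

    if (-not (Test-Path $key)) {
        Write-Warning "${svc}: service key is missing entirely"
        continue
    }

    # Read ImagePath WITHOUT expanding environment variables so a value such
    # as %fstemroot%\... (the edit the poster saw) shows exactly as stored.
    $raw = (Get-Item $key).GetValue('ImagePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if (-not $raw) {
        Write-Warning "${svc}: ImagePath value is missing"
    } elseif (-not $raw.ToLower().StartsWith($expectedPrefix)) {
        Write-Warning "${svc}: ImagePath is '$raw' (expected prefix '$expectedPrefix')"
    } else {
        Write-Host "  ImagePath OK: $raw"
    }

    # Event 7028 says the SCM had to take ownership of the Security subkey,
    # and the poster found BITS missing a key: confirm the subkey exists.
    if (-not (Test-Path "$key\Security")) {
        Write-Warning "${svc}: Security subkey is missing"
    }

    # "Locked permissions": flag any Deny ACE on the service key and confirm
    # SYSTEM still holds FullControl, which the service installer needs.
    $acl  = Get-Acl -Path $key
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    foreach ($ace in $deny) {
        Write-Warning "${svc}: Deny ACE for $($ace.IdentityReference) ($($ace.RegistryRights))"
    }
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $systemFull = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    if (-not $systemFull) {
        Write-Warning "${svc}: SYSTEM does not have FullControl on the service key"
    }
}

# The three Service Control Manager events quoted in the post. Get-WinEvent
# needs Vista or later; on XP read the System log in Event Viewer instead.
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7023, 7028 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

A warning on ImagePath or a Deny ACE on either key is the condition the post describes; resetting the ACL and restoring the path is a separate step, and on a machine that has already shown these symptoms it is worth treating the rest of the system as untrusted until a full scan has been done, as the replies below advise.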

David H. Lipman

From: "Woger" <[email protected]>

| Well took some days to Fix, Virus/rootkit ??


| Here are 2 Event logs for both Problems,

| The Automatic Updates service failed to start due to the following error:
| The system cannot find the file specified. Event ID: 7000


| The Background Intelligent Transfer Service terminated with the following
| error: The system cannot find the file specified Event ID: 7023

| Had altered the Paths in the registry so that the system did not have access
| to the Auto Updates and the BITS, plus Locked the Permissions, so after
| resetting the Permissions was able to change the paths

| I.e., %systemroot%\system32\svchost.exe -k netsvcs was %fstemroot%

| The Same alteration with the BITS service

| Auto Updates would now list the files but BITS was not running, I had a MS
| file on how to reinstall Auto Updates and Bits, but when trying to install the
| BITS it loaded all the files and came up with an ERROR..? not listed but the
| Events log showed it up as

| The Security Registry key denied access to SYSTEM account programs so the
| Service Control Manager took ownership of the Registry key.

| Event ID: 7028


| Decided that some of the Registry keys had Lock privileges and just found the
| BITS also had a missing Key..

| But found a way to reset the Security Privileges with a CMD file MS also has
| one but never tried it.


| Now I found that I could reinstall the BITS Service, and Auto Updates are
| fully working..

| But I can't find the Scesrv.log file, but that might be back now..


| Plus other problem With Bluescreen and the Lan driver being removed, so had
| to reinstall that some 4 times and reenter TCP/IP Properties, plus reinstall
| my Nvidia driver..

| So keeping my fingers crossed, I have yet to reboot after the Updates..



Do NOT assume you are out of the woods yet !



Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in your post with a full explanation of your problem
and what you have done to date in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

Woger

| From: "Woger" <[email protected]>

| | Well took some days to Fix, Virus/rootkit ??


| | Here are 2 Event logs for both Problems,

| | The Automatic Updates service failed to start due to the following error:
| | The system cannot find the file specified. Event ID: 7000


| | The Background Intelligent Transfer Service terminated with the following
| | error: The system cannot find the file specified Event ID: 7023

| | Had altered the Paths in the registry so that the system did not have access
| | to the Auto Updates and the BITS, plus Locked the Permissions, so after
| | resetting the Permissions was able to change the paths

| | I.e., %systemroot%\system32\svchost.exe -k netsvcs was %fstemroot%

| | The Same alteration with the BITS service

| | Auto Updates would now list the files but BITS was not running, I had a MS
| | file on how to reinstall Auto Updates and Bits, but when trying to install the
| | BITS it loaded all the files and came up with an ERROR..? not listed but the
| | Events log showed it up as

| | The Security Registry key denied access to SYSTEM account programs so the
| | Service Control Manager took ownership of the Registry key.

| | Event ID: 7028


| | Decided that some of the Registry keys had Lock privileges and just found the
| | BITS also had a missing Key..

| | But found a way to reset the Security Privileges with a CMD file MS also has
| | one but never tried it.


| | Now I found that I could reinstall the BITS Service, and Auto Updates are
| | fully working..

| | But I can't find the Scesrv.log file, but that might be back now..


| | Plus other problem With Bluescreen and the Lan driver being removed, so had
| | to reinstall that some 4 times and reenter TCP/IP Properties, plus reinstall
| | my Nvidia driver..

| | So keeping my fingers crossed, I have yet to reboot after the Updates..



| Do NOT assume you are out of the woods yet !



| Download and execute HiJack This! (HJT)
| http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

| Then post the contents of the HJT log in your post with a full explanation of your problem
| and what you have done to date in one of the below expert forums...

| { Please - Do NOT post the HJT Log here ! }

| Forums where you can get expert advice for HiJack This! (HJT) Logs.

| NOTE: Registration is REQUIRED in any of the below before posting a log

| Suggested primary:
| http://www.thespykiller.co.uk/index.php?board=3.0

| Suggested secondary:
| http://www.bleepingcomputer.com/forums/forum22.html
| http://www.malwarebytes.org/forums/index.php?showforum=7

| Suggested tertiary:
| http://www.dslreports.com/forum/cleanup
| http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
| http://www.atribune.org/forums/index.php?showforum=9
| http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
| http://gladiator-antivirus.com/forum/index.php?showforum=170
| http://forum.networktechs.com/forumdisplay.php?f=130
| http://forums.maddoktor2.com/index.php?showforum=17
| http://www.spywarewarrior.com/viewforum.php?f=5
| http://forums.spywareinfo.com/index.php?showforum=18
| http://forums.techguy.org/f54-s.html
| http://forums.tomcoyote.org/index.php?showforum=27
| http://forums.subratam.org/index.php?showforum=7
| http://www.5starsupport.com/ipboard/index.php?showforum=18
| http://aumha.net/viewforum.php?f=30
| http://makephpbb.com/phpbb/viewforum.php?f=2
| http://forums.techguy.org/54-security/
| http://forums.security-central.us/forumdisplay.php?f=13



Hijack this did Not report any problems at all, but UnHackme did, and that
was from the very start of my problems..

David H. Lipman

From: "Woger" <[email protected]>



| Hijack this did Not report any problems at all, but UnHackme did, and that
| was from the very start of my problems..

That's NOT the point.

The point is to get you started in a one-on-one assistive program in cleaning your PC and
posting what you have, what you have done to date with a HJT log is the starting point.

Woger

| From: "Woger" <[email protected]>



| | Hijack this did Not report any problems at all, but UnHackme did, and that
| | was from the very start of my problems..

| That's NOT the point.

| The point is to get you started in a one-on-one assistive program in cleaning your PC and
| posting what you have, what you have done to date with a HJT log is the starting point.



Been in the computer game for some 35 Years and have managed to fix all my
Viruses even ones that have not even been posted about..


Yes I did read the Log but found nothing wrong..

David H. Lipman

From: "Woger" <[email protected]>

| On Fri, 24 Apr 2009 21:02:15 -0400, "David H. Lipman"



| Been in the computer game for some 35 Years and have managed to fix all my
| Viruses even ones that have not even been posted about..


| Yes I did read the Log but found nothing wrong..


OK. Your choice. However, you are still most likely, and almost to a certainty,
infected.

What antimalware have you used besides UnHackme?

Woger

| From: "Woger" <[email protected]>

| | On Fri, 24 Apr 2009 21:02:15 -0400, "David H. Lipman"




| | Been in the computer game for some 35 Years and have managed to fix all my
| | Viruses even ones that have not even been posted about..


| | Yes I did read the Log but found nothing wrong..


| OK. Your choice. However, you are still most likely, and almost to a certainty,
| infected.

| What antimalware have you used besides UnHackme?



MS malware remover the Sysinternal one and Malwarebytes..



And Avast

David H. Lipman

From: "Woger" <[email protected]>


| MS malware remover the Sysinternal one and Malwarebytes..

| And Avast

Do a scan with the Gmer anti RootKit - http://www.gmer.net/index.php

As well as the Sophos and McAfee modules in...

Download MULTI_AV.EXE from the URL --
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/


To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.



* * * Please report back your results * * *

Woger

| From: "Woger" <[email protected]>


| | MS malware remover the Sysinternal one and Malwarebytes..

| | And Avast

| Do a scan with the Gmer anti RootKit - http://www.gmer.net/index.php

| As well as the Sophos and McAfee modules in...


Sophos and Panda did not find a thing but Sysinternal did, sort of shows
you how unreliable this software can be and even Kaspersky found nothing.



| Download MULTI_AV.EXE from the URL --
| http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
| or
| http://212.98.39.7/ds/28400/28470/Multi_AV.exe

| http://www.pctip.ch/downloads/dl/35905.asp
| or
| http://212.98.39.7/downloads/dl/35905.asp

| English:
| http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/


| To use this utility, perform the following...
| Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
| Choose; Unzip
| Choose; Close

| Execute; C:\AV-CLS\StartMenu.BAT
| { or Double-click on 'Start Menu' in C:\AV-CLS }

| NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
| FireWall to allow it to download the needed AV vendor related files.

| C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
| This will bring up the initial menu of choices and should be executed in Normal Mode.
| This way all the components can be downloaded from each AV vendor's web site.
| The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

| You can choose to go to each menu item and just download the needed files or you can
| download the files and perform a scan in Normal Mode. Once you have downloaded the files
| needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
| during boot] and re-run the menu again and choose which scanner you want to run in Safe
| Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

| When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
| file.



| * * * Please report back your results * * *

Woger

| From: "Woger" <[email protected]>


| | MS malware remover the Sysinternal one and Malwarebytes..

| | And Avast

| Do a scan with the Gmer anti RootKit - http://www.gmer.net/index.php



Did that it only listed my Avast and COMODO Firewall.

| As well as the Sophos and McAfee modules in...

| Download MULTI_AV.EXE from the URL --
| http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
| or
| http://212.98.39.7/ds/28400/28470/Multi_AV.exe

| http://www.pctip.ch/downloads/dl/35905.asp
| or
| http://212.98.39.7/downloads/dl/35905.asp

| English:
| http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/


| To use this utility, perform the following...
| Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
| Choose; Unzip
| Choose; Close

| Execute; C:\AV-CLS\StartMenu.BAT
| { or Double-click on 'Start Menu' in C:\AV-CLS }

| NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
| FireWall to allow it to download the needed AV vendor related files.

| C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
| This will bring up the initial menu of choices and should be executed in Normal Mode.
| This way all the components can be downloaded from each AV vendor's web site.
| The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

| You can choose to go to each menu item and just download the needed files or you can
| download the files and perform a scan in Normal Mode. Once you have downloaded the files
| needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
| during boot] and re-run the menu again and choose which scanner you want to run in Safe
| Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

| When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
| file.



| * * * Please report back your results * * *
 
