Rootkit warning

Avast prompted me that there was a rootkit and that I should delete it, which I did. I didn't see any option other than to ignore it.

When I start my computer, I get a rather long message which doesn't stay up on the screen long enough for me to read, but it says something to the effect of "Failed to connect to the System Event Notification Service".

When I tried to do Windows updates, I’m told that Windows could not search for new updates. I followed the steps shown by MS for this particular message.

I restored to the last restore point (which was before this “rootkit” was removed) and that didn’t help.

I think Avast had me remove something critical... I sure hope I don't have to reinstall Windows, because it's going to take me hours to clean off all the junk that Dell puts on a computer and reinstall my programs.

Needless to say, I’m really upset about this!

64-bit Vista laptop, which is kept updated.

Follow this guide from Essexboy and post the logs: http://forum.avast.com/index.php?topic=53253.0

To avoid using 20 posts with copy and paste, you have to attach the logs.

Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the MBAM scan log)

I guess I don't understand how this is going to help.

Avast had me remove what it considered malware in the c:\Windows\Services folder. After removing that file, I’ve been unable to update Windows.

Unfortunately, I have been unable to find a log to identify what was removed...

MBAM full scan did not detect any problems.

Some rootkits block Windows updates.

GMER Rootkit Scanner - Download - Homepage

1. Download GMER.
2. Extract the contents of the zipped file to the desktop.
3. Double-click GMER.exe.
4. If it gives you a warning about rootkit activity and asks if you want to run a full scan, click NO, then use the following settings for a more complete scan.
5. In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
   - IAT/EAT
   - Drives/Partitions other than the system drive (typically C:)
   - Show All (don't miss this one)
6. Then click the Scan button and wait for it to finish.
7. Once done, click on the [Save...] button, and in the File name area type "ark.txt".
8. Save the log where you can easily find it, such as your desktop.

Caution: Rootkit scans often produce false positives. Do NOT take any action on any "<— ROOTKIT" entries.
Please copy and paste the report into your post.

THEN

Download OTL to your Desktop

1. Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
2. Select Scan all users.
3. Under the Custom Scan box, paste this in:

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
/md5start
explorer.exe
winlogon.exe
/md5stop
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%PROGRAMFILES%\Mozilla Firefox\firefox.exe /md5
%PROGRAMFILES%\Internet Explorer\iexplore.exe /md5
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

4. Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
5. When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
6. Attach all logs.

OK - here you go...

In the GMER window, I couldn't select all those options; they were grayed out. The only things selected were Services, Registry, Files, drive C and ADS.

Thanks.

I restored to the last restore point (which was before this "rootkit" was removed) and that didn't help.
If a system file had been removed, then this would have restored it. Could you look in the Avast log and let me know the file name? Also, what error do you get when it tries to update? That will give me an idea as to where the problem is.

But first confirm that the service is running:
Start button > in the search box, enter services.msc > press Enter > UAC prompt > scroll down to System Event Notification > right-click > select Properties. Confirm that it is set to Automatic and running.
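The service and Windows Update checks asked for above, scripted as an added PowerShell example (not part of the original thread, and not an Avast or OTL tool). It assumes an elevated PowerShell prompt on Vista or later and is written for PowerShell 2.0, so it avoids `-shr` and `Get-FileHash`; the service names and registry keys are the real ones, and the registry keys are the same two that the OTL custom scan above queries.

```powershell
# Added example, not from the thread. Read-only triage: SENS service state,
# the Windows Update policy/result registry keys, what the 8007xxxx error code
# actually means, and MD5 hashes of the two binaries the OTL script hashes.
# Run from an elevated 64-bit PowerShell on a 64-bit machine (a 32-bit shell
# would be redirected to SysWOW64 and hash the wrong winlogon.exe).

# SENS = System Event Notification Service; EventSystem = COM+ Event System,
# which SENS depends on; wuauserv = Windows Update; BITS = its download service.
function Get-TriageServiceState {
    param([string[]]$Names = @('SENS', 'EventSystem', 'wuauserv', 'BITS'))
    foreach ($n in $Names) {
        $wmi = Get-WmiObject Win32_Service -Filter "Name='$n'"
        $state = 'MISSING'; $mode = 'MISSING'; $path = ''
        if ($wmi) { $state = $wmi.State; $mode = $wmi.StartMode; $path = $wmi.PathName }
        New-Object PSObject -Property @{ Name = $n; State = $state; StartMode = $mode; Path = $path }
    }
}

# Windows Update reports HRESULTs. 0x8007xxxx (facility 7 = FACILITY_WIN32) wraps a
# plain Win32 error in the low 16 bits, so 80070002 is Win32 error 2,
# ERROR_FILE_NOT_FOUND: "The system cannot find the file specified."
function ConvertFrom-UpdateErrorCode {
    param([string]$Code)   # as the dialog prints it, e.g. '80070002'
    $hr = [Convert]::ToUInt32($Code, 16)
    $facility = [int][math]::Floor($hr / 65536) -band 0x7FF
    if ($facility -ne 7) { return "0x$Code is not a wrapped Win32 error" }
    $win32 = [int]($hr -band 0xFFFF)
    $msg = (New-Object ComponentModel.Win32Exception($win32)).Message
    return ("0x{0} = Win32 error {1}: {2}" -f $Code, $win32, $msg)
}

# A NoAutoUpdate value here, or a WUServer value in the parent WindowsUpdate key,
# that the user never configured is a classic way malware silences updates.
function Get-UpdateRegistryState {
    $auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $results  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'
    $policy = 'no AU policy key (normal for a home machine)'
    if (Test-Path $auPolicy) { $policy = (Get-ItemProperty $auPolicy | Out-String).Trim() }
    $last = 'none recorded'
    if (Test-Path $results) { $last = (Get-ItemProperty $results).LastSuccessTime }
    New-Object PSObject -Property @{ AUPolicy = $policy; LastSuccessTime = $last }
}

# Windows system files are catalog-signed, so Get-AuthenticodeSignature is not a
# reliable check here on older Windows; hash them instead and compare against a
# machine at the same patch level, exactly as the OTL /md5start block does.
function Get-SystemBinaryHash {
    param([string[]]$Files = @("$env:windir\explorer.exe", "$env:windir\System32\winlogon.exe"))
    $md5 = [Security.Cryptography.MD5]::Create()
    foreach ($f in $Files) {
        if (-not (Test-Path $f)) { "$f MISSING"; continue }
        $bytes = [IO.File]::ReadAllBytes($f)
        $hash = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        $ver = (Get-Item $f).VersionInfo.FileVersion
        "{0}  md5={1}  version={2}" -f $f, $hash, $ver
    }
}

Get-TriageServiceState | Format-Table Name, State, StartMode, Path -AutoSize
Get-UpdateRegistryState | Format-List
ConvertFrom-UpdateErrorCode '80070002'
Get-SystemBinaryHash
```

A service whose Path points anywhere other than `svchost.exe` under `%SystemRoot%\System32` (or `winlogon.exe`/`explorer.exe` with a hash that no other machine at the same patch level reproduces) is the kind of finding the logs requested above are meant to surface; the script only reads, it changes nothing.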

I cannot find any Avast log. I have no idea what the name of the file is that was removed.

When I click to Check for Updates, I get the message: "Windows could not search for new updates. An error occurred while checking for new updates for your computer. Error(s) found:
Code 80070002 Windows Update encountered an unknown error."

System Event Notification shows Started and Automatic.

The "fix" for the error message in updates was to stop the Windows Update service, delete the specified temp file and then restart it, which I did - no help.

Thanks.

This is evidently a known problem, and I found a fix that appears to work here: http://www.vistax64.com/windows-updates/230226-error-found-code-80070002-a.html#post1056562

Let me know how it goes. It may be related to a .net update

I did the second part previously - that was one of the fixes recommended in Windows Help.

Re the first one listed on the Vista Forums website, there is no "Install" folder in the "Download" folder, only a couple dozen folders with subfolders and files in those folders.

Also the boot-up of the laptop has been very slow compared to what it used to be.

Since I did the steps of shutting off services and deleting the specified files, Windows Update shows no update history.

Could you download and run the System Update Readiness Tool from here, selecting the right one for your system: http://support.microsoft.com/?kbid=947821

Could you then post the generated logs at:
%SYSTEMROOT%\Logs\CBS\CheckSUR.log
%SYSTEMROOT%\Logs\CBS\CheckSUR.persist.log

OK, I downloaded the huge file (three cheers for broadband) and ran it - it took forever! Nothing happened. No logs popped up, no warnings.

I read on the website that it fixes any problems, but I still am unable to get Windows Updates - same message as before.

Attached are the log files.

This is the second time I have had to do this - but I kept the destructions I made

These errors are usually caused by a corruption in the .NET Framework installation or by an inconsistency in the MSI database state. Alas, there is only one way to fix this, and it is quite long-winded.

Part 1:

Manually remove

1. Click Start, and then click Control Panel.
2. Double-click Add or Remove Programs.
3. Note each version of the .NET Framework that is already installed on the computer. Then, uninstall all the versions of the .NET Framework.
4. When you are prompted, restart the computer.

Part 2:

Cleanup

1. Download and extract the dotnet cleanup tool to your desktop.
2. Run the Cleanup_tool.exe programme.
3. Reboot once it has completed.

Part 3:

Reinstallation

To make the final cure you will need to download and re-install all .NET Frameworks that were uninstalled.

To download the .NET Framework 1.0, visit the following Microsoft Web site:
(http://www.microsoft.com/downloads/details.aspx?FamilyID=d7158dee-a83f-4e21-b05a-009d06457787&DisplayLang=en)
To download the .NET Framework 1.0 Service Pack 3, visit the following Microsoft Web site:
(http://www.microsoft.com/downloads/details.aspx?familyid=6978D761-4A92-4106-A9BC-83E78D4ABC5B&displaylang=en)
To download the .NET Framework 1.1, visit the following Microsoft Web site:
(http://www.microsoft.com/downloads/details.aspx?familyid=262D25E3-F589-4842-8157-034D1E7CF3A3&displaylang=en)
To download the .NET Framework 1.1 Service Pack 1, visit the following Microsoft Web site:
(http://www.microsoft.com/downloads/details.aspx?familyid=A8F5654F-088E-40B2-BBDB-A83353618B38&displaylang=en)
To download the .NET Framework 2.0, visit the following Microsoft Web site:
(http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5&DisplayLang=en)
To download the .NET Framework 2.0 Service Pack 1, visit the following Microsoft Web site:
(http://www.microsoft.com/downloads/details.aspx?familyid=79BC3B77-E02C-4AD3-AACF-A7633F706BA5&displaylang=en)
To download the .NET Framework 3.0, visit the following Microsoft Web site:
(http://www.microsoft.com/downloads/details.aspx?familyid=10CC340B-F857-4A14-83F5-25634C3BF043&displaylang=en)
To download the .NET Framework 3.0 Service Pack 1, visit the following Microsoft Web site:
(http://www.microsoft.com/downloads/details.aspx?familyid=EC2CA85D-B255-4425-9E65-1E88A0BDB72A&displaylang=en)
To download the .NET Framework 3.5, visit the following Microsoft Web site:
(http://www.microsoft.com/downloads/details.aspx?familyid=333325FD-AE52-4E35-B531-508D977D32A6&displaylang=en)
When you are prompted, restart the computer.
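Part 1 above relies on the user noting which .NET versions are installed before removing them. The following added PowerShell example (not from the thread, and not part of the cleanup tool) records that inventory from the registry so Part 3 reinstalls exactly what was there. It assumes an elevated PowerShell 2.0 prompt; the `NDP` and `Uninstall` registry paths are the standard ones, and the output file name on the desktop is an arbitrary choice.

```powershell
# Added example, not from the thread. Snapshot the installed .NET Framework
# versions before uninstalling anything. The NDP tree is authoritative for what
# is installed (Install=1 with a Version); the Uninstall tree is what
# Add or Remove Programs actually lists, which is what Part 1 removes.

function Get-InstalledDotNet {
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    if (-not (Test-Path $ndp)) { return }
    # Version keys look like v2.0.50727, v3.0, v3.5, and for 4.x v4\Client and v4\Full.
    Get-ChildItem $ndp -Recurse |
        Where-Object { $_.PSChildName -match '^v\d|^Client$|^Full$' } |
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.Install -eq 1 -and $p.Version) {
                $o = New-Object PSObject
                $o | Add-Member NoteProperty Key     ($_.PSPath -replace '.*\\NDP\\', '')
                $o | Add-Member NoteProperty Version $p.Version
                $o | Add-Member NoteProperty SP      $p.SP
                $o
            }
        }
}

function Get-DotNetUninstallEntries {
    # 64-bit Windows keeps 32-bit installer entries under Wow6432Node as well.
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($r in $roots) {
        if (-not (Test-Path $r)) { continue }
        Get-ChildItem $r | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like 'Microsoft .NET Framework*') {
                $o = New-Object PSObject
                $o | Add-Member NoteProperty DisplayName     $p.DisplayName
                $o | Add-Member NoteProperty DisplayVersion  $p.DisplayVersion
                $o | Add-Member NoteProperty UninstallString $p.UninstallString
                $o
            }
        }
    }
}

# Keep the snapshot on the desktop so it survives the uninstall/cleanup/reboot cycle.
$snapshot = Join-Path ([Environment]::GetFolderPath('Desktop')) 'dotnet-before-uninstall.txt'
"=== NDP registry (installed versions) ===" | Set-Content $snapshot
Get-InstalledDotNet | Format-Table Key, Version, SP -AutoSize | Out-String | Add-Content $snapshot
"=== Add or Remove Programs entries ===" | Add-Content $snapshot
Get-DotNetUninstallEntries | Format-List | Out-String | Add-Content $snapshot
Get-Content $snapshot
```

On Vista the 2.0 and 3.0 frameworks are operating-system components, so they appear in the NDP tree but not as removable entries in Add or Remove Programs; the two lists in the snapshot will therefore differ, and only the second list is what Part 1 can actually remove.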

OK - before I start uninstalling - I have two .NET entries:

.NET Framework 3.5 SP1
.NET Framework 4 Client Profile

Do I delete the client profile as well as the v3.5 SP1?

Yes, basically all .NET needs to be removed and then re-installed after running the .NET cleanup.

Done. Except the .NET Framework 4 Client Profile wasn't on your list, so I just reinstalled the .NET Framework 3.5 - no SP1. It did tell me to run Windows Update after I finished the install...

However, after the reboot - Windows Update still doesn’t work.

I need my laptop for a class tomorrow and without being able to do updates, I’m nervous about having it on a public internet connection!

Sherry

OK, as a stop gap for this situation, one of the MSDN developers has made a tool; full details and download are here:
http://www.emergingtechs.com/posts/how-manually-download-and-install-windows-updates/

I will continue to search for a resolution that does not involve .net

Appreciate all your help, Essexboy.

I can't figure out which updates to run. I don't need them all since I update regularly. I thought I had seen updates in the Control Panel uninstall list in the past, but there's nothing there now, probably because I lost my update history when I deleted the files specified in the Windows fix for the problem. Restoring them didn't help either.

I'm thinking I might just dig out my CD (not sure where it is) and use the repair tool on it to try to restore whatever it is that's missing, and if that doesn't work, just bite the bullet and reinstall Windows.

OK, if you need assistance in either the repair install or a fresh install, give me a shout and I will help.

The System Startup Repair Tool didn't find any problems.

I did a system restore to the restore point of 12 Aug, figuring that's far enough past when I deleted the file. I had a ton of updates to reinstall, but YAY! Everything appears to be working just fine now! No warnings about any rootkits either. I'm going to go ahead and run a full virus scan just to be on the safe side.

Apparently the restore I did before didn’t go back far enough.

Thanks for your persistence, essexboy.

My pleasure, I like a good mystery ;D