I would first like to apologize for not being able to complete everything in the "read me first" thread. I am on my phone right now, so that makes this whole process much more difficult. I would also like to apologize for any bad spelling, grammar and punctuation mistakes... I am normally bad at those and even worse than normal when on my phone. Now on to the problems.

My computer has Windows XP. It worked fine for me a few days ago, but my wife got on it and must have clicked on something she shouldn't have. Now the virus won't let me connect to the internet or open any virus/spyware protection/scanning software that I have tried. I went to a friend's house earlier today and downloaded Malwarebytes to my flash drive. I saved it under a different name because I had read something about that on this site already. It installed fine but still won't open, whether I try to open it from the desktop or in the C: drive. If anyone has any info on fixing this I would appreciate it.


If anyone has any info on fixing this I would appreciate it.

See if you can boot the ill machine to Safe Mode with Networking and access the forum that way. Let us know.

I'll probably be gone until Thursday night, but another volunteer ought to be able to help you.

Best Luck
PP :)

I tried to connect in Safe Mode with Networking last night and I didn't have any luck. I tried it again now to make sure and it still wouldn't connect. I also figured I would try to run Malwarebytes again and it went further than before (it just popped up an error 372 message). But Malwarebytes was still no help.

I tried to connect in Safe Mode with Networking last night and I didn't have any luck. I tried it again now to make sure and it still wouldn't connect.

Ok - That's going to make things a bit more difficult.

I'd like you to download all of these tools and put them on CD/flash drive and have them ready for use Thursday evening EST, if possible...

1) http://ad13.geekstogo.com/Win32kDiag.exe

2) http://swandog46.geekstogo.com/avenger.zip

3) http://download.bleepingcomputer.com/sUBs/ComboFix.exe
When you download ComboFix and it asks you to "Save File As," rename combofix to Bunnyfix.exe and then save it to the desktop or wherever as bunnyfix.exe before you transfer it to CD/flash drive.

4) FindIt.zip

5) http://rootrepeal.googlepages.com/RootRepeal.zip

6) Keep your MBA-M handy, too

I'll probably be back Thursday evening/night and will try to guide you through a fix then. Post back when you have those six tools.

Cheers :)
PP

I have them all except for #5 on your list. When I tried to download it, this popped up: "The bandwidth or page view limit for this site has been exceeded and the page cannot be viewed at this time. Once the site is below the limit, it will once again begin serving as normal."

I will try to get it again in an hour or so then I'll message back. Thanks for the help.

I have them all except for #5 on your list.

Drat! - I should've posted a few mirrors.

If you get a chance, try this link:
http://ad13.geekstogo.com/RootRepeal.exe

I'll be back tonight when I have more time, but the first thing we need to try is this:

Transfer Combofix to the desktop and try to get it to run as bunnyfix.exe.

If it runs . . . post me the log :)

PP

Ok, that link works, so now I have them all. I will try to put bunnyfix.exe on the desktop, but yesterday it wouldn't allow me to drag and drop anything or cut and paste anything to the desktop. Will it not let me run the program from my flash drive? (I'm guessing not, or you probably wouldn't have specified a location.)

Yeah, I just tried to cut and paste it / copy and paste it and drag and drop it, but none of that would get it on the desktop. I also right-clicked and tried to send it to the desktop and My Documents and that didn't work either. Is there a way to move things to the desktop that I don't know about?

Can you get a command prompt?
Either Start > Run > Cmd
or
Start > Run > Command.com


-- I have to run - be back in a few hours.

Also - I should've suggested this before - see if you can run winsock.fix to try to re-establish internet connection - if it will run.

http://majorgeeks.com/WinSock_XP_Fix_d4372.html

PP :)

Yes, I can get the command prompt (although I don't know anything about it)... is it supposed to help me move the bunnyfix.exe file to my desktop?

Also, I ran WinSock Fix on the computer. It fixed things then restarted the computer, but the computer still won't access the internet.

See you on in a few hours. Thanks again.

A suggestion for Malwarebytes: go to C:\Program Files\Malwarebytes' Anti-Malware, change mbam.exe to biteme.exe and try running it from there.

See you on in a few hours. Thanks again.

Happy to try to help :)

What is the path to your external drive? If I were to assume F:\ then we would do this:

Open a command prompt and type:
XCOPY F:\bunnyfix.exe "%userprofile%\desktop" ENTER

See if that works to put combofix on the desktop. If the path is different, you'll need to type the correct path. Note to leave a space after XCOPY and after .exe & don't forget the quotes...


Let me know if this works.

PP :)

It put bunnyfix.exe on the desktop, but when I tried to open it a message popped up that said some of the installation files are corrupt and that I needed to redownload it and try again.

Should I just download it again from the link in this thread or try something else?

Should I just download it again from the link in this thread or try something else?

Yes - let's try that again. Getting combofix to run is the best and easiest way to proceed.
This time, try COPY instead of XCOPY and see if that changes anything.

BTW - It is very possible that your Flash drive is infected . . . The best procedure is to burn the tools onto a CD (something non-re-writable)

Let me know how it shakes out :)

-- Did you try Safe Mode With Networking AFTER running WinsockFix?

PP

EDIT: - Let me double-check - may need to use a switch with the copy commands....

I did not try the internet in safe mode networking. I will try that when I get back.

I did not try the internet in safe mode networking. I will try that when I get back.

I think XCOPY might have borked it. I should have added switches.

Try this:

XCOPY F:\bunnyfix.exe "%userprofile%\desktop" /v /s /h

Let me know:)

I tried it again with just copy I: and it worked...the scan is running now.

I tried it again with just copy I: and it worked...the scan is running now.

Great!

Keep me posted :)

PP

Ok, it scanned then told me to write down some things on paper... after I wrote it all down I clicked OK and the computer restarted. Now it just has the desktop pulled up (no scans are running or anything).

Ok, it scanned then told me to write down some things on paper... after I wrote it all down I clicked OK and the computer restarted. Now it just has the desktop pulled up (no scans are running or anything).

What did it tell you to write?

Are things functioning better? Can you run MBA-M?

PP :)

I didn't want to do anything until you said, because I didn't want to do anything out of order.

This is what it told me to write down:
C:\WINDOWS\system32\drivers\rotscxxyansxdt.sys
C:\WINDOWS\system32\rotscxjdykmrmi.dll
C:\WINDOWS\system32\rotscxrkrghrnt.dat
C:\WINDOWS\system32\rotscxhmsmwxtp.dll
C:\WINDOWS\system32\rotscxwkvnxicx.dat
C:\WINDOWS\system32\drivers\UACbocfkaftxs.sys
C:\WINDOWS\system32\UACnsdrcunxkq.dll
C:\WINDOWS\system32\UACoiaktqxumn.dll
C:\WINDOWS\system32\UACmoolndvkaw.dat
C:\WINDOWS\system32\UAClialnwnelk.db
C:\WINDOWS\system32\UACdahiwrtppf.dll
C:\WINDOWS\system32\UACyhlcmkotsa.dll

That's it. I will go and run Malwarebytes now if it will let me.

This is what it told me to write down:

Those are components of the rootkit that is causing this hassle.

-- Is there a log at C:\ComboFix.txt ?

PP :)

When I tried to run Malwarebytes I got this message:
Run-time error '372':
Failed to load control 'vbalGrid' from vbalsgridb.ocx. Your version of vbalsgridb.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.

I don't see this: C:\ComboFix.txt
I went into the C drive and didn't see it. I also went into Program Files and didn't see it.

I don't see this: C:\ComboFix.txt
I went into the C drive and didn't see it. I also went into Program Files and didn't see it.

This is quite a doozy!

-- What about in C:\Qoobox\ComboFix.txt ?

-- How did you transfer MBA-M to the compy?
You might need to reinstall MBA-M.

-- Maybe we can try running combofix again.

-- First, try a command prompt and type rstrui.exe and see if there are any viable restore points....

PP :)

\Registry\Machine\System\CurrentControlSet\Services\vkquwexg

*******************

Script file located at: \??\C:\BunnyFix\ComboDel.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\QooBox
*******************

Beginning to process script file:

File move operation C:\WINDOWS\system32\drivers\rotscxxyansxdt.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rotscxxyansxdt.sys.vir completed successfully.
File move operation C:\WINDOWS\system32\rotscxjdykmrmi.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\rotscxjdykmrmi.dll.vir completed successfully.
File move operation C:\WINDOWS\system32\rotscxrkrghrnt.dat|C:\QooBox\Quarantine\C\WINDOWS\system32\rotscxrkrghrnt.dat.vir completed successfully.
File move operation C:\WINDOWS\system32\rotscxhmsmwxtp.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\rotscxhmsmwxtp.dll.vir completed successfully.
File move operation C:\WINDOWS\system32\rotscxwkvnxicx.dat|C:\QooBox\Quarantine\C\WINDOWS\system32\rotscxwkvnxicx.dat.vir completed successfully.
File move operation C:\WINDOWS\system32\drivers\UACbocfkaftxs.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\UACbocfkaftxs.sys.vir completed successfully.
File move operation C:\WINDOWS\system32\UACnsdrcunxkq.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\UACnsdrcunxkq.dll.vir completed successfully.
File move operation C:\WINDOWS\system32\UACoiaktqxumn.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\UACoiaktqxumn.dll.vir completed successfully.
File move operation C:\WINDOWS\system32\UACmoolndvkaw.dat|C:\QooBox\Quarantine\C\WINDOWS\system32\UACmoolndvkaw.dat.vir completed successfully.
File move operation C:\WINDOWS\system32\UAClialnwnelk.db|C:\QooBox\Quarantine\C\WINDOWS\system32\UAClialnwnelk.db.vir completed successfully.
File move operation C:\WINDOWS\system32\UACdahiwrtppf.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\UACdahiwrtppf.dll.vir completed successfully.
File move operation C:\WINDOWS\system32\UACyhlcmkotsa.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\UACyhlcmkotsa.dll.vir completed successfully.
Program C:\BunnyFix\C.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

"-- First, try a command prompt and type rstrui.exe and see if there are any viable restore points...."

It is not recognized as an internal or external command. That was what popped up when I tried it.

Do you have a known working link for Malwarebytes like your other links? I tried to reinstall it again and it said the same thing, so I probably need to redownload it altogether.
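The ComboFix output pasted above lists each "File move operation" it completed into C:\QooBox. As an added example (not code from the thread or from ComboFix), the script below parses that log format and cross-checks the paths the user was told to write down against the successful quarantine moves, so any listed file that was never quarantined stands out. The log excerpt is copied from the thread; the third reported path is deliberately left out of the excerpt to show the mismatch case.

```python
import re
from typing import Dict, List

# One "File move operation SRC|DST completed successfully." line per quarantined file.
MOVE_RE = re.compile(
    r"^File move operation (?P<src>[^|]+)\|(?P<dst>.+?) completed successfully\.$"
)


def parse_moves(log_text: str) -> Dict[str, str]:
    """Map each quarantined source path (case-folded, since NTFS paths are
    case-insensitive) to the .vir backup path ComboFix moved it to."""
    moves: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = MOVE_RE.match(line.strip())
        if m:
            moves[m.group("src").lower()] = m.group("dst")
    return moves


def unquarantined(reported: List[str], moves: Dict[str, str]) -> List[str]:
    """Return the reported paths that have no successful move in the log;
    anything listed here still needs a look after the reboot."""
    return [p for p in reported if p.lower() not in moves]


# Sample log excerpt copied from the thread's ComboFix output (two of its lines).
SAMPLE_LOG = r"""
Beginning to process script file:

File move operation C:\WINDOWS\system32\drivers\rotscxxyansxdt.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rotscxxyansxdt.sys.vir completed successfully.
File move operation C:\WINDOWS\system32\UACnsdrcunxkq.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\UACnsdrcunxkq.dll.vir completed successfully.
Program C:\BunnyFix\C.bat successfully set up to run once on reboot.
"""

# Paths from the list ComboFix told the user to write down. The last one is
# present on that list but was (deliberately) not included in the excerpt above,
# so it should come back as unquarantined.
REPORTED_PATHS = [
    r"C:\WINDOWS\system32\drivers\rotscxxyansxdt.sys",
    r"C:\WINDOWS\system32\UACnsdrcunxkq.dll",
    r"C:\WINDOWS\system32\rotscxjdykmrmi.dll",
]

if __name__ == "__main__":
    found = parse_moves(SAMPLE_LOG)
    print(f"{len(found)} files quarantined")
    for path in unquarantined(REPORTED_PATHS, found):
        print("NOT quarantined:", path)
```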

"-- First, try a command prompt and type rstrui.exe and see if there are any viable restore points...."

It is not recognized as an internal or external command. That was what popped up when I tried it.

My fault - doing ten things at once here :)

I should've had you type this:
%systemroot%\system32\restore\rstrui.exe

But, let's wait and do this first:

Reboot.

If combofix doesn't start, run it again and let's see how that shakes out....

PP :)

Do you have a known working link for Malwarebytes like your other links? I tried to reinstall it again and it said the same thing, so I probably need to redownload it altogether.

Let's wait on that and try my previous post first.

PP :)
