Hacktool.rootkit & Packed.Generic.200 virus

After all these tools are done with, then scan with Norton and it will have enough control over the system to remove all other threats.

Just run combofix and show us the log.

Here's the link to Combofix if you like, please attach the combofix log.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

HKLM\SOFTWARE\UAC      3/24/2009 12:04 PM      0 bytes      Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\UACd.sys      3/24/2009 12:06 PM      0 bytes      Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\UACd.sys      3/24/2009 12:06 PM      0 bytes      Hidden from Windows API.

the above registry entries are bad, running Combofix should removed its related bad files.

I just ran combofix. Here's the log. I am not able to boot windows normally. Only safe mode. So I can't install SuperantiSpyware to run.
Can you tell why windows won't start?

Sorry for my late reply, I just got back. ComboFix has removed a lot of bad things from your computer for sure. Hmm.. you have interesting things in this log, the TDSS RootKit has added the below entries in registry to disable your antivirus notifications:

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

My suggestion is to first of delete all files from c:\documents and settings\ADMINIstrator\LOCALSettings\Temp. Secondly, run MalwareBytes Anti-Malware (MBAM) while still in safe mode and let us know, what you find. If you are unable to run or install MBAM, then I suggest that you do an online scan with AVG antivirus.

http://www.ewido.net/en/onlinescan/

Then, download ZoneAlarm free firewall and install it. It might not install in the safe mode, but download it and keep it nonetheless to install in normal mode.

Try that and let us know, what you get.

If you are able to delete the temporary files without any problems, then its good, if not download ATF Cleaner and run it from (it is designed to delete all temporary files from areas which can harbour any viruses within):

http://www.atribune.org/public-beta/ATF-Cleaner.exe

You can also try renaming the MalwareBytes or SuperAntiSpyware files to allow installation, the virus might be checking for filenames to prevent detection or removal. You can download them again and save them with a completely different name like - jabbathehut.exe or idontlikevirus.exe or something like that.

Thanks - I'm doing a Malwarebytes scan right now.
I'll let you know what it finds.

I'm curious about the registry items that you saw:
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

Should I edit these? Or will Malware correct them?

MalwareBytes will take care of the big fries, then you will have to scan your PC with your own antivirus to take care of small fries. MalwareBytes will restore the control back to your own antivirus. Don't forget to install the firewall though, its essential.

And don't worry about those registry entries, they will be taken care of.

Malwarebyes finished - found NOTHING!
Went to install Zone Alarm firewall . Won't let me "The system administrator has set policies to prevent this installation"
Reboot - won't let me boot windows
Can boot safe mode
Should I rename SuperAntiSpyware and try to install that?
Something has still got a hold.
"The system administrator has set policies to prevent this installation"

Yes, please try the SuperAntiSpyware installation as well. And send us a HijackThis report as well.

Here's the Hijack This log.
I still can't install Super AntiSpyware so I'm dead in the water until I hear something new
Thanks

PART I: TDss RootKit removal

Step 1: Disable TDSSserv trojan driver.
Right click the My computer icon. If you are using the non classic Start menu, then right click My computer icon on your Start button menu.
Click Properties.
Click Hardware Tab.
Click Device Manager.
In the top menu, click View and click Show Hidden Drivers.
Scroll down to non Plug and Play drivers.
Click + at left.
In the list of drivers right click TDSSserv.sys or UACd.sys (Whichever is present). (If you do not find these, then skip to Step 2)
Click Disable.
Click YES for confirm.
Close all windows and reboot your computer.

PART 2:

Then execute regedit and goto the location: HKEY_LOCAL_MACHINE\SOFTWARE and delete the folder called UAC. Then reboot

PART 3:

Please copy the below into a notepad window and save it as CFScript.txt in the same folder as ComboFix.exe file (or the renamed file). Then drag this file on top of ComboFix executable and send us the log.

KILLALL::
File::
c:\windows\system32\uactmp.db
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

This should take care of most the things that are creating problems as well as awaken your Symantec antivirus. Try that and let us know what you get. Do not click on ComboFix window while its running or it might stop.

I had to add another process to kill, here it is. Please read the instructions from above to find how to execute it:

KILLALL::
File::
c:\windows\system32\uactmp.db
c:\docume~1\ADMINI~1\LOCALS~1\Temp\WEC.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

Now it looks perfect!

WarTurtle
Thanks for all of your attention today. I started following your instructions prior to your last post.
#1 & #2 unbelievably were not listed! I checked & re-checked.
I then performed the CF before your new edition. I will re-do. Then send you the log
Thank you again

Here are the logs

Hmm.. the log looks normal to me except for one strange process which is still standing...c:\docume~1\ADMINI~1\LOCALS~1\Temp\WEC.exe, do you know this file?

If not, then I suggest using FileAssasin from within MalwareBytes Anti-Malware to kill this file permanently from your system. You can access FileAssasin by opening MalwareBytes interface and going to 'More Tools' interface. Then click on 'Run Tool' and browse to this file. Or copy and paste the file's address from above.

Do that reboot your system in normal mode. Then scan with your own Symantec antivirus and all problems should be history.

I booted up the computer using ERD disk
HKLM\SYSTEM\ControlSet001\Services\UACd.sys - This is not listed
HKLM\SYSTEM\ControlSet003\Services\UACd.sys - This WON'T delete! "Cannot delete UACd.sys: Error while deleting key."
c:\docume~1\ADMINI~1\LOCALS~1\Temp\WEC.exe is not showing anywhere either

I will run the file assasin now

Download Avenger (http://swandog46.geekstogo.com/avenger.zip) and unzip to your desktop.
Run Avenger, copy & paste the following text in Input script Box:

Drivers to delete:
UACd.sys

Click on Execute, followed by yes on other and reboot. This will delete the driver file which is the rootkit and after that we should delete the registry key: HKLM\SYSTEM\ControlSet003\Services\UACd.sys

And reboot. Let me know, how it goes.

WOW!
I followed your instructions Exactly - then went to HKLM\SYSTEM\ControlSet003\Services\UACd.sys and I still can't delete the key!
I'm getting worn down.

Don't worry, the infection I feel is almost finished. Have you tried to reboot in normal mode?

Yes, I have tried to boot normal. It just continues in a loop until I choose Safe mode.
I'm glad you are confident that the infection is almost done.
What's next?

OK, we need to use Registry Assasin now to kill the unwanted registry entries:

Download it from: http://www.malwarebytes.org/RegASSASSIN.exe and copy and paste the below 2 keys to be deleted from system:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys

Then try to reboot. If it still goes to Safe Mode, then please run ComboFix again and send us the log. Please let me know, what you get.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC - was not found
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys - This is GONE - Yeah

I still can't boot normally
Here's the CF log
I see that this c:\docume~1\ADMINI~1\LOCALS~1\Temp\WEC.exe is still listed but I can't find it

I can't thank you enough for all of your attention.
SW

Hmm.. I would suggest taking this machine off network, some basic things to do now:

1. Run MalwareBytes scan again.

2. When your computer reboots, select 'Last Known, Good Configuration' to start it off. See if it is working normally and at the first chance that it works normally, install the firewall.

3. Open msconfig and disable everything except for Windows and Antivirus to start at bootup. Saving the setting would ask you to reboot your computer, do that and let us know, if you can bootup in normal mode or not.

4. Go back to safe mode go to start->run and type msconfig. Goto boot.ini tab and make sure that "/safeboot" option is cleared.if not clear it and restart.

Try those things and let us know, what you get.

I immediately took the laptop off network a couple of days ago when the bug was detected. I am using a clean computer to contact you and download tools. Then transfer to the sick laptop with a flash drive.
I have tried Last Known, Good Configuration many times. Will this work if system restore has been shut off? This was one of the only suggestions Symantec had/has for dealing w/bugs.
I cleared everything in msconfig
/safeboot" option is cleared

I'm running MalwareBytes now

Good! The 'Last Known, Good Configuration' might not work if system restore has been shut down. It might try to pickup settings from when it was actually on.

There is a System Repair install, which is non-destructive and would restore the computer back to normal again, I don't usually advise this unless the system has been left in a difficult state by viruses:

http://www.informationweek.com/news/windows/showArticle.jhtml?articleID=189400897&cid=ref-true

As per the ComboFix logs, I can't see anything harmful on your computer except for some strange entries:

- AegisI5Installer.exe
- Internet Connection Wizard,ShellNext = hxxp://www.fulldotfind.com/pubac/ac.php?aid=62&sid=clean
- c:\docume~1\ADMINI~1\LOCALS~1\Temp\WEC.exe

Let me know, what you get from MalwareBytes scan. CCleaner can also be used to clean all unneeded things from registry and temporary folders. That might also help.

warturtle
I went ahead and did a windows repair. I can now boot normally. I was also able to install Super AntiSpyware and I'm doing a scan with it now. I haven't yet attached to my network or internet. I'm still afraid of residual poop.

Good to see that the machine is normal again. I don't know what it might have been used for before with the HackTool rootkit, but it would also be worth checking a couple of other machine in your network for any possible worm infection or presence of a botnet. TrendMicro have recently released a tool for this called RUBotted, but it is still in Beta phase, so don't know about the reliability of it.  Its available from:

http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted/overview

I read about it through another thread on Experts Exchange.

warturtle is awesome