Author Topic: Vista won't load SP2.Suspect rootkit.spent 5 days on it so far.HELP! Logs incld.  (Read 5161 times)


mangotel

  • Guest
I've been working on this for five #@*&%!^ so far. Major problems: the computer freezes, and pulling up the Task Manager unfreezes it. Also it will not install Service Pack 2. Also there was a consistent eDSLoader error on start-up. F-Secure virus scans, CCleaner registry cleaner and Spybot were my first efforts, which helped some on speed. I updated the drivers with DriverBoost, and I've tried so much other stuff that I did fix the problem with the eDSLoader start-up error. I was talking at work and someone described a rootkit problem and how hard it is to get rid of.

However, the computer still hangs and I have to pull up repetitive Task Managers to unfreeze it, and it still won't install Service Pack 2 (KB975560); the error code is 8024200D.

Next I'm going to try the aswMBR cleaner to see if that gets me anywhere. HELP!

Attached are the Extras and OTL logs after running OTL.

Now I've run the aswMBR scan and attached the scan log.
« Last Edit: July 11, 2012, 03:26:40 AM by mangotel »

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
Hey, a malware expert will check those logs out and give you instructions on how to proceed. I suggest you also do a scan with Malwarebytes Anti-Malware and see what comes up from it, and don't forget to attach the result. After you have got help I would suggest you drop Spybot, since it can't keep up with the malware out there. Malwarebytes is a better option.

« Last Edit: July 11, 2012, 09:15:49 AM by mikaelrask »
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

SafeSurf

  • Guest
You can try running an MBAM (Malwarebytes) scan.  Update it first - see directions here:  http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining an MBAM log (make sure you update MBAM first). Post the log as an attachment (Additional Options > Attach > Post).

I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine after you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you to do malware removal steps; use a different machine to check email, sync your phone and any other devices.

Let us know if you have any questions.  Thank you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Hi there, let's clear the eDSloader problem first.

That error is related to eDataSecurity Loader from Acer Empowering Technology.
Go to Start>RUN
Type in msconfig
Click OK
Go to the Startup tab
Find an entry for eDSloader.exe, usually located in C:\Acer\Empowering Technology\eDataSecurity
Uncheck that item
Click Apply, OK
Reboot
See if it still comes up

NEXT

I will remove the Babylon toolbar and clear the temp files along with security loopholes

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    IE - HKU\S-1-5-21-1097535190-3505522486-456637137-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=113959&tt=010712_8&babsrc=HP_ss&mntrId=0c484371000000000000001dd93b4b78
    IE - HKU\S-1-5-21-1097535190-3505522486-456637137-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=113959&tt=010712_8&babsrc=SP_ss&mntrId=0c484371000000000000001dd93b4b78
    FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
    FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
    FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}:5.0.14
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    [2012/07/08 14:34:34 | 000,002,351 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
    O3 - HKU\S-1-5-21-1097535190-3505522486-456637137-1000\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
    O3 - HKU\S-1-5-21-1097535190-3505522486-456637137-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab (Java Plug-in 1.5.0_14)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    [2012/07/08 14:33:58 | 000,000,000 | ---D | C] -- C:\Users\Rickie1953\AppData\Roaming\Babylon
    [2012/07/08 14:33:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon

    :Files
    C:\Users\Rickie1953\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
UPDATE PROBLEM

OTL is reporting that SP2 is installed, but let's confirm this.

Download and run the readiness tool http://go.microsoft.com/fwlink/?LinkId=167357

Once done, retry Windows Update.
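As an added example (not code from this thread or from OTL), the following read-only PowerShell checks cover the three things essexboy's post deals with: where the eDSloader startup entry comes from, whether the Babylon search hijack is still present in IE's registry settings, and whether KB975560 is really installed according to both the hotfix list and the Windows Update history. It assumes PowerShell 2.0 or later run from an elevated prompt; the file name, KB number and domain are taken from the thread.

```powershell
# Constructed for this thread: names taken from the posts above.
$Exe  = 'eDSloader.exe'
$KbId = 'KB975560'

# 1. The msconfig Startup tab is fed by these Run keys (and the Startup folders).
#    Report any value that launches eDSloader and whether the file still exists.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }               # skip provider metadata
        if ($p.Value -is [string] -and $p.Value -match [regex]::Escape($Exe)) {
            $path   = ($p.Value -replace '^"([^"]+)".*$', '$1') -replace '\s+.*$', ''
            $exists = Test-Path -LiteralPath $path
            "Startup entry '{0}' in {1}: {2} (file present: {3})" -f $p.Name, $key, $p.Value, $exists
        }
    }
}

# 2. Did the Babylon search hijack survive? These are the values the OTL fix removes.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start  = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($start -match 'babylon\.com') { "IE start page still points at Babylon: $start" }
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
Get-ChildItem -Path $scopes -ErrorAction SilentlyContinue | ForEach-Object {
    $url = (Get-ItemProperty -Path $_.PSPath).URL
    if ($url -match 'babylon\.com') { "Search scope $($_.PSChildName) still points at Babylon: $url" }
}

# 3. Is the update installed? Compare the installed-hotfix list with the Windows
#    Update history (the same data Control Panel > View update history shows).
$hotfix = Get-HotFix | Where-Object { $_.HotFixID -eq $KbId }
if ($hotfix) { "Get-HotFix: $KbId installed on $($hotfix.InstalledOn)" }
else         { "Get-HotFix: $KbId not listed as installed" }

$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = $searcher.QueryHistory(0, $count) | Where-Object { $_.Title -match $KbId }
# ResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted.
# HResult is the error the Update UI shows, e.g. 0x8024200D from the first post.
foreach ($h in ($history | Sort-Object Date -Descending | Select-Object -First 5)) {
    "{0:u}  result={1}  hresult=0x{2:X8}  {3}" -f $h.Date, $h.ResultCode, $h.HResult, $h.Title
}
```

A history entry with result=2 alongside later result=4 entries means the update is already installed and the repeated offers are failing on re-install, which is what the readiness tool is meant to sort out.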

mangotel

  • Guest
Thanks for the input all.
However, I already have fixed the eDSLoader problem.
The KB947821 Hotfix for Windows was successfully downloaded and installed in April of this year.
And the Control Panel>Windows Update>View update history keeps telling me, since 7/14/2010, almost daily, that "Security Update for Windows Vista (KB975560) Failed (to install)".
This, with the freezes, and it takes pulling up the Windows Task Master to unfreeze it, is what's driving me crazy.

So if OTL is saying KB975560 is installed and my Security Update says it ain't so while my Security Update says KB947821 is installed and OTL says it ain't, is copying and pasting the script into the OTL Custom Scans safe?

Or should I just junk this anchor imitating a laptop?

mangotel

  • Guest
I went ahead and ran the script. Here's the log.

mangotel

  • Guest
Update! - After rechecking the KB975560 description, apparently I do have SP2 installed, but a security issue that could allow an unauthenticated remote attacker to compromise my system and gain control over it (how embarrassing) is what has been giving me nightmares and ulcers.
Microsoft Security Bulletins MS09-038 ( http://technet.microsoft.com/en-us/security/bulletin/MS09-038 ) better describes it than I can.

Does Microsoft have:
1.  the responsibility (and even better question, do they have the capability) to provide help to resolve this security issue free (as inferred in the "Support" section here: http://technet.microsoft.com/en-us/security/bulletin/MS09-038#section30 )?
2.  the ability to remote access and fix this problem?
       2.1   if so, WILL they remote access and fix this security problem as part of their service?
3.  or is there a known, easy to implement fix I can do in an hour or less?

I've been going to work then coming home to wrestle this until it's time to go to sleep, for a solid week now (spent the entire waking last weekend on this too). I'm frazzled and cranky and need to get this resolved for my sanity. I greatly appreciate your guidance and help.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
If you have a retail version, i.e. you bought the disc and it was not a part of the computer when you bought it, then yes, they will assist.

If it is a branded computer and the Windows is an OEM copy, then no, they will expect the computer manufacturer to fix it.

mangotel

  • Guest
This Vista OS came on this computer when I bought it from HHGregg about 4-5 years ago. I did a cursory look-around for the disk but did not find it. So long ago I don't know if one came with it or not.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • malware fighter
Sometimes Vista won't complete the SP2 install because of an earlier buggy uninstall routine. ZA uninstalls are famous for causing these kinds of tragedies.
Users start to look for causes in all nooks and crannies of their set-up, and then a buggy install & uninstall routine might be the cause of it. Think hard and try to repair the cause.
Another way is to get the original install disks from the retailer, reinstall the Service Packs and you are good to go, but first check that other option.
That will cost you a few bucks, or go right on to Win8...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
One thought... this is a very old update (2010). Have you tried a downloaded install?

Download from here to your desktop and then run it: http://www.microsoft.com/en-us/download/details.aspx?id=20412