
ComboFix removed rootkit ZeroAccess, now no internet

Discussion in 'Malware Removal' started by Denver5613, Dec 28, 2011.

  1. Denver5613

    Denver5613 Private E-2

    MG,

    On 12-22-2011 I began to get random IE redirects to a website I cannot recall. Ran MBAM, which found trojan.fakealert and three securitycenterdisablenotify infections, which were reported as removed/quarantined. The redirects continued the next day and MBAM found and deleted gnik6o trojan.email. The redirects continued but MBAM did not find any other infections. ComboFix was then run by me and reported a rootkit ZeroAccess trojan which was in the TCP/IP stack on my XP SP3 computer, and the warning came up about possibly losing internet connection, which I did. I had used ComboFix before for another problem but am now stymied. Neither the wireless at home nor the network at work will have anything other than low or no connectivity, and IE will not connect. I have followed the Read and Run Me First procedures and followed the XP Malware Removal Guide and saved all the logs.

    And yes, you can scold me now for trying to use fixes recommended for others, including ESET Sirefef Remover, AntiZeroAccess, TDSSKiller, and even WinsockXPFix and XPTCPRep. I realize now this is not the recommended course of action. Sorry, but I have never not been able to remove a problem by myself before just by reading what others have done. I am now officially over my head. In any case, the requested logs are attached, and I thank you in advance for trying to help out. MG zip file to follow...
     

    Attached Files:

  2. Denver5613

    Denver5613 Private E-2

    MGlogs zip file attached...
     

    Attached Files:

  3. Denver5613

    Denver5613 Private E-2

    I should also mention that I cannot get Windows Firewall to turn on either, because of the "Firewall/Internet Connection Sharing (ICS)" service. I am guessing this could be due to the lack of an internet connection.

    Thanks again in advance.
     
  4. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Denver5613!

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    C:\Documents and Settings\Computer\Local Settings\Application Data\0k23om0f05f343
    C:\Documents and Settings\All Users\Application Data\0k23om0f05f343
    C:\Documents and Settings\Computer\Templates\0k23om0f05f343
    C:\Documents and Settings\Computer\Local Settings\Application Data\o46m08r2kous668313xtbml47c0l680o07f
    C:\Documents and Settings\Computer\Templates\o46m08r2kous668313xtbml47c0l680o07f
    C:\Documents and Settings\All Users\Application Data\axLuD5M.dat
    Folder::
    C:\Documents and Settings\Computer\Local Settings\Application Data\sfjhhunoq
    C:\Documents and Settings\Computer\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "PDF4 Registry Controller"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Please attach the existing log (FSS.txt) from Farbar Service Scanner. (How to attach)
    Code:
    "C:\Documents and Settings\Computer\Desktop\"
    fss.txt       Dec 27 2011        1292  "FSS.txt"
    I have attached a .zip file to this message.

    Inside of it is:
    • fixme+restart.bat
    Extract this file to your desktop and run it by double-clicking it. It will reboot your PC. Test your internet when you get back and also attach the fixme_results.txt to your next reply.


    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files:

  5. Denver5613

    Denver5613 Private E-2

    Thanks for the reply, thisisu. I have done as you directed. ComboFix again found a rootkit infection. The LAN wired internet at work does not connect and I get the same limited connectivity message. However, I am not at home, so I cannot say about the wireless until I get home tonight. I have attached the three new logs you requested.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Looks like afd.sys is faked.

    Did you run the .bat file (fixme+restart.bat) I requested?
     
  7. Denver5613

    Denver5613 Private E-2

    Yes, I did. The computer restarted. FYI, the FSS txt file I sent was from yesterday; I have attached another one I ran just a minute ago, and it still shows afd.sys in the txt file.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Attach the fixme_results.txt file from your desktop.
     
  9. Denver5613

    Denver5613 Private E-2

    Sorry, I thought I did. Here you go...
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    No problem. ;)

    Open Farbar Service Scanner
    Type the following in the edit box after "Search:".

    afd.sys

    Click the Search Files button and post the log (FSS.txt) it makes to your reply.
     
  11. Denver5613

    Denver5613 Private E-2

    Here you are...
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    Attached is fix.zip.
    Inside is:
    fix.bat

    Extract fix.bat to your desktop and run it.
    When finished a Notepad window should open and say: "1 file(s) copied"

    If you received that message, then reboot your PC and test out your internet.
     

    Attached Files:

    • fix.zip (276 bytes)
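The fix.bat attached above is not shown in the thread (only its "1 file(s) copied" result is), so the following is an added example of the check behind it, not the consultant's script. It compares the live afd.sys with the copy Windows File Protection keeps in system32\dllcache and prints both files' size, timestamp and version info. Assumptions: SystemRoot is the default C:\WINDOWS, PowerShell 2.0 is installed (it is available for XP SP3), the dllcache copy is itself clean, and the rootkit has already been removed by ComboFix (a live kernel rootkit can lie to user-mode file reads, so the result is only meaningful afterwards). No Authenticode check is attempted: on XP the system drivers are covered by catalog files (nt5.cat / sp3.cat) rather than carrying an embedded signature, so Get-AuthenticodeSignature reports NotSigned for a clean afd.sys as well as a faked one.

```powershell
# Added example (not the thread's fix.bat). Compare the live afd.sys with the
# Windows File Protection copy in dllcache and report what is different.
# Assumes default paths and PowerShell 2.0 on XP SP3; run as Administrator.

$driver = Join-Path $env:SystemRoot 'system32\drivers\afd.sys'
$cached = Join-Path $env:SystemRoot 'system32\dllcache\afd.sys'

function Get-Sha256Hex([string]$path) {
    # PowerShell 2.0 has no Get-FileHash, so call the .NET provider directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Describe-File([string]$path) {
    # Size, timestamp and PE version resource: a faked driver often keeps the
    # Microsoft version strings, so the hash below is the real test.
    $item = Get-Item $path
    $vals = @($path, $item.Length, $item.LastWriteTime,
              $item.VersionInfo.FileVersion, $item.VersionInfo.CompanyName)
    '{0}: {1} bytes, modified {2}, version {3}, company "{4}"' -f $vals
}

function Test-AfdDriver {
    if (-not (Test-Path $driver)) { return 'MISSING: no afd.sys in system32\drivers' }
    $report = @(Describe-File $driver)
    if (-not (Test-Path $cached)) {
        $report += 'No dllcache copy to compare against; expand afd.sy_ from the i386 folder of the XP CD'
        return $report
    }
    $report += Describe-File $cached
    $live = Get-Sha256Hex $driver
    $ref  = Get-Sha256Hex $cached
    if ($live -eq $ref) {
        $report += "OK: live afd.sys matches the dllcache copy (SHA-256 $live)"
    } else {
        $report += 'MISMATCH: live afd.sys differs from the dllcache copy'
        $report += ('Repair from an Administrator prompt, then reboot: copy /y "{0}" "{1}"' -f $cached, $driver)
    }
    $report
}

Test-AfdDriver
```

If the two copies match but the FSS output still flags afd.sys, treat the dllcache copy as suspect too and restore the driver from the XP CD instead (expand D:\i386\afd.sy_ C:\WINDOWS\system32\drivers\afd.sys, adjusting the drive letter), then reboot.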
  13. Denver5613

    Denver5613 Private E-2

    Well, the LAN at work now says "connected, firewalled" as it should but I still can't get IE to open a page. This is something with our work network, I believe, and not your problem.

    However, the good news is that the firewall is back on, the yellow Windows update shield has appeared after having gone missing for months, and I am optimistic that when I get home my wireless may work. I'll check back in later tonight or tomorrow after testing the wireless at home, but in the meantime, thank you thank you! I feel like we at least made progress today!

    Cheers
     
  14. thisisu

    thisisu Malware Consultant

    You're welcome. Keep me informed :)
     
  15. Denver5613

    Denver5613 Private E-2

    So, the internet reports that it is connected, and I am no longer getting the limited connectivity message, but neither IE nor Firefox will pull up any pages. I get a "Firefox cannot find the server at www.google.com" error. Similarly, iTunes will not connect to the store and MS Outlook will not connect either. My PC appears to be connected, but will not connect. Any more ideas? I am on our other computer right now, obviously.
     
  16. thisisu

    thisisu Malware Consultant

    Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:

    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List IP configuration
    • List Winsock Entries
    • List Devices -> All
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
     
  17. Denver5613

    Denver5613 Private E-2

    Attached
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    Code:
    Name: Broadcom NetXtreme Gigabit Ethernet
    Description: Broadcom NetXtreme Gigabit Ethernet
    Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Manufacturer: Broadcom
    Service: b57w2k
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
    Do you know how to get into the Device Manager to check to see if this is disabled? If it is disabled it will have a red X near the following device in Network Adapters:
    • Broadcom NetXtreme Gigabit Ethernet

    Its service appears to be started; it's just disabled, which would prevent internet access.
    Code:
    b57w2k              TRUE     OK
     
  19. thisisu

    thisisu Malware Consultant

    I also see a few errors like the below:
    Code:
    Error: (12/28/2011 08:39:37 AM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: socket() failed (Socket error 10050)
    This may suggest that your TCP/IP stack is completely dead.

    Here are the steps to resolve this:

    I would like you to try the below.

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect; go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.
     
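The two posts above ask for a Device Manager check (the Broadcom adapter reported as Code 22) and then walk through the manual TCP/IP reinstall: delete the Winsock and Winsock2 service keys, change Characteristics from 0xA0 to 0x80 in the [MS_TCPIP.PrimaryInstall] section of nettcpip.inf, then uninstall and reinstall TCP/IP through Network Connections. The script below is an added example, not something the consultant posted: it lists every adapter WMI reports with ConfigManagerErrorCode 22 (Device Manager's "This device is disabled"), exports the two Winsock keys to .reg files before deleting them, and patches nettcpip.inf while keeping a backup and the file's own text encoding. The Network Connections GUI steps (Install > Protocol > Have Disk, Uninstall, reboot, reinstall) are not scripted. Assumptions: default C:\WINDOWS paths, PowerShell 2.0 on XP SP3, an Administrator session, and a -DryRun switch of my own so the actions can be previewed first. The 0xA0 value is NCF_HAS_UI (0x80) | NCF_NOT_USER_REMOVABLE (0x20); clearing the 0x20 bit is what makes the Uninstall button appear.

```powershell
# Added example, not from the thread. Preparation steps for the manual TCP/IP
# reinstall on XP: report disabled adapters, back up and remove the Winsock
# keys, and make TCP/IP user-removable in nettcpip.inf. Assumes default paths,
# PowerShell 2.0 and an Administrator session. -DryRun (my own switch) only
# reports what would change.
param([switch]$DryRun)

function Get-DisabledNetAdapters {
    # ConfigManagerErrorCode 22 is Device Manager's "This device is disabled".
    Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.ConfigManagerErrorCode -eq 22 } |
        Select-Object Name, ServiceName, PNPDeviceID
}

function Backup-AndRemoveWinsockKeys {
    $keys = 'HKLM\System\CurrentControlSet\Services\Winsock',
            'HKLM\System\CurrentControlSet\Services\Winsock2'
    $backupDir = Join-Path $env:SystemDrive 'winsock-backup'
    if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
    foreach ($k in $keys) {
        $out = Join-Path $backupDir ((Split-Path $k -Leaf) + '.reg')
        # reg.exe ships with XP; a .reg export can be re-imported if needed.
        if (Test-Path $out) { Remove-Item $out -Force }
        & reg.exe export $k $out | Out-Null
        if ($DryRun) { "would delete $k (backup at $out)"; continue }
        & reg.exe delete $k /f | Out-Null
        "deleted $k (backup at $out)"
    }
}

function Set-TcpipUserRemovable {
    $inf = Join-Path $env:SystemRoot 'inf\nettcpip.inf'
    # StreamReader detects the file's encoding (BOM or ANSI) so it can be
    # written back the same way rather than re-encoded by Set-Content.
    $reader = New-Object System.IO.StreamReader($inf, $true)
    $text = $reader.ReadToEnd(); $enc = $reader.CurrentEncoding; $reader.Close()
    # Only the Characteristics line inside [MS_TCPIP.PrimaryInstall]; the
    # [^\[]*? part stops the match at the next section header.
    $pattern = '(?ms)(\[MS_TCPIP\.PrimaryInstall\][^\[]*?^\s*Characteristics\s*=\s*)0xA0'
    if ($text -notmatch $pattern) {
        return 'nettcpip.inf: no "Characteristics = 0xA0" in [MS_TCPIP.PrimaryInstall]; nothing changed'
    }
    if ($DryRun) { return 'nettcpip.inf: would change Characteristics 0xA0 -> 0x80' }
    Copy-Item $inf "$inf.bak" -Force
    $patched = $text -replace $pattern, '${1}0x80'
    [System.IO.File]::WriteAllText($inf, $patched, $enc)
    "nettcpip.inf: Characteristics 0xA0 -> 0x80 (backup at $inf.bak)"
}

'--- adapters Device Manager has disabled (Code 22) ---'
Get-DisabledNetAdapters | Format-Table -AutoSize
'--- Winsock keys ---'
Backup-AndRemoveWinsockKeys
'--- nettcpip.inf ---'
Set-TcpipUserRemovable
```

Run it once with -DryRun to confirm the adapter list and that the inf line is found, then without it, and continue with the Network Connections steps in the post above. Deleting the Winsock keys leaves every socket-based program broken until TCP/IP has been reinstalled and the machine rebooted, so do the registry step only when the rest of the procedure can be finished in the same sitting.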
  20. Denver5613

    Denver5613 Private E-2

    Thanks again for your help. I am following your directions, however, be advised that the wireless connection is the one I really want to work, as I have no LAN cable internet at my house and I see you have me working on the gigabit ethernet connection here. Will this fix the wireless connection too?
     
