ComboFix removed rootkit ZeroAccess, now no internet

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Denver5613, Dec 28, 2011.

  1. thisisu

    thisisu Malware Consultant

  2. Denver5613

    Denver5613 Private E-2

    I just noticed that when i get to this part:

    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

    When I am at the Select Network Protocol window, my choices never include TCP/IP, only WLAN Transport when performing the first part (the uninstall). When I am in the reinstall part of the process, similarly, I select Internet Protocol TCP/IP in the right window area and click Have Disk, select windows inf and click OK; the next window says click the type of network I want to install, and I had to choose Microsoft in the left window to get TCP/IP as a choice, as the default was Intel WLAN Transport. I think I had been installing WLAN not .

    Now in Network Connections, I have something called Internet Gateway installed. Not sure what that is, but FF and IE still cannot call up pages, and the internet still reports connected.
     
  3. thisisu

    thisisu Malware Consultant

    Did you have this problem the first time you went through these steps?

    You have to follow them explicitly.

    I'm not sure where exactly you are getting mixed up.
     
  4. Denver5613

    Denver5613 Private E-2

    Yeah, it was the same all the times I've done this. I'm going to try it all again. For clarification, I am performing these steps by working on the wireless connection in Network Connections, not the Local Area Connection as dictated by the instructions, because my Local Area Connection has no ethernet cable here at home. I hope this doesn't screw anything up as far as your fixes go.
     
  5. thisisu

    thisisu Malware Consultant

    It won't. These fixes are to completely rebuild the TCP/IP stack which ComboFix keeps complaining about.
     
  6. Denver5613

    Denver5613 Private E-2

    I hope you don't mind looking at the attached. You will see that when I am going through the uninstall process, it defaults to "Intel" (first screencap) where the only choice is WLAN, and I need to select "Microsoft" to get the choice of TCP/IP (second screencap). Is this okay?
     

  7. thisisu

    thisisu Malware Consultant

    This is why you have to click "Have Disk..." and then enter c:\windows\inf.

    Then and only then will Internet Protocol (TCP/IP) be listed.

    You're right, by default it is not listed. Refer to the screenshot below.
     
  8. thisisu

    thisisu Malware Consultant

    Sorry I may have looked too far into your question. Yes, you can switch it to Microsoft to get the choice of TCP/IP.

    Have Disk -> c:\windows\inf should do the same thing + more options to choose from.

    As long as you're selecting Internet Protocol (TCP/IP) to uninstall that is what we want.
     
  9. thisisu

    thisisu Malware Consultant

    Once you successfully edit and save the Nettcpip.inf file, you will be able to Uninstall (the button becomes available) Internet Protocol (TCP/IP).

    See the screenshot below:

     
  10. Denver5613

    Denver5613 Private E-2

    Done again, but same result, connected but FF and IE can't bring up pages.

    You're getting tired of me aren't you....:)
     
  11. thisisu

    thisisu Malware Consultant

    No, it's OK. As long as you're willing to keep trying my ideas I don't mind. It's just hard to troubleshoot something I cannot see first hand and all of your logs look good to me :)

    First I would like you to check here:

    Start -> Control Panel -> Administrative Tools -> Local Security Policy -> IP Security Policies on Local Computer.

    Take a screenshot or list the "Name", "Description", and "Policy Assigned" for each of the items listed here.
     
  12. Denver5613

    Denver5613 Private E-2

    Is this what you wanted?
     


  13. thisisu

    thisisu Malware Consultant

    I should have asked this earlier, but this is a laptop, correct?

    On some laptops there is usually a toggle for the wireless to work. Please make sure that is turned on :)

    See the screenshots below:
     
  14. thisisu

    thisisu Malware Consultant

    Yes, and there is nothing wrong there.
     
  15. Denver5613

    Denver5613 Private E-2

    I know what you mean - I wish I could drive to your house with my laptop, a pizza and a sixer of whatever you like to drink and watch you work your magic!

    It is a laptop and the wireless radio is working - I just now printed a Word doc to my wireless printer without any problem at all. Which kind of surprised me, but then again, that is just the local router, which we know I am connected to because Windows says it is connected and because I can enter the IP address into IE or FF and pages come up. It just won't translate the names and go. This is why I think it is the DNS. But we have rebuilt the TCP/IP stack several times, which I assume includes the DNS portion, to no avail. I see there are many other folks on the forum having this same problem right now.

    I still find it incredible that Combofix had to mess with the DNS like this in order to get the rootkit removed. Nasty virus. There were other items that were fixed as well in the process (I had ping.exe in the processes taking up lots of cycles and memory, now removed). Clearly I should have gone through all the MG steps before running CF, maybe I wouldn't have deleted the DNS. Speaking of, why do you think CF still says it detects rootkit when I run it? Kaspersky's thing and MBAM and TDSS all say I am clean and you say my logs look okay. That is odd.

    The only OS CD I have here at home is from the wife's laptop, a gateway, and I am pretty sure if I tried to load the OS (Vista from 2007) I will get as far as entering the CD key and it will tell me the copy of Vista has already been registered. I guess I am beginning to think only a clean reinstall will get the pc working again.

    Unless you have more tricks up your sleeve, that is......
     
  16. thisisu

    thisisu Malware Consultant

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the text below and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach)

    Download Virus Removal Tool from Here to your desktop.

    Run the program you have just downloaded to your desktop (it will be randomly named).

    First we will run a virus scan.

    • Click the cog in the upper right.
    • Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.
    • Allow Virus Removal Tool to delete all infections found.
    • Once it has finished, select the report tab (last tab).
    • Select Detected threats report from the left and press the Save button.
    • Save it to your desktop and attach to your next post. (How to attach)
     
  17. thisisu

    thisisu Malware Consultant

    :-D
    I do not think it is. All your logs say you are connected and that you have an IP address. Still unsure why you are having troubles browsing.
    Yes. The entire front page is full of people with ZeroAccess rootkits. Some are easier to solve than others but the ones we have been seeing lately are ruining so many parts of the OS and corrupting TCP/IP stacks to the point that we end up having to completely rebuild it from scratch.

    I've seen many ZeroAccess rootkits first hand and none of them have been too bad. I even purposely infected one of my older systems with it on 3 separate occasions to learn more about it but I've never had to go through the extremes we are having to go through nowadays on the forums.
    ComboFix isn't intended to be run first as many people may think.
    I do not know yet. We are running a couple more deeper scans to find out if there any other traces of it. I do not think your TCP/IP stack is infected even though ComboFix reports it.

    Usually we would see error codes whenever you tried to run any type of ipconfig command.
    Unfortunately you may be right. The damage to the OS on this one may have been too great to overcome.
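    The symptom described in the two posts above (pages load when typed as an IP address, names never resolve, no ipconfig errors) is what a DNS-side fault looks like from the browser. The script below is an added example, not from the thread and not part of any tool mentioned in it: it parses the text that `ipconfig /all` prints on Windows XP (field names as on XP, e.g. "IP Address"; Vista/7 print "IPv4 Address") and classifies each adapter, flagging one that has a lease and gateway but no DNS server at all, and one whose resolvers are neither the gateway, nor RFC 1918 addresses, nor on an allowlist of resolvers the administrator has verified. Both ipconfig samples and the allowlist are constructed for the example.

```python
"""Triage 'connected but cannot browse by name' from ipconfig /all output.

Added example, not from the thread or any tool it mentions. Parses the text
that `ipconfig /all` prints on Windows XP and reports, per adapter, the DNS
condition that explains the symptom: IP connectivity works, names do not.
Field names follow XP ("IP Address"); Vista/7 print "IPv4 Address" instead.
All sample text below is constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: wireless adapter with a valid lease and gateway but no
# DNS server handed out, plus an unplugged wired adapter.
SAMPLE_NO_DNS = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAPTOP
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : home
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . :

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
"""

# Constructed sample: resolvers are the gateway plus an address that is neither
# local nor on the allowlist (203.0.113.5 is from a documentation range).
SAMPLE_ODD_RESOLVER = """\
Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.5
"""

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")                # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+(.+?)[\s.]*:\s*(.*?)\s*$")  # "Key . . . : value"
CONT_RE = re.compile(r"^\s+(\S+)\s*$")                  # extra value on its own line

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: resolvers the administrator has verified as legitimate for this network.
KNOWN_GOOD_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter name: {field: [values]}}; the global header block is skipped."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_key = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            name = re.sub(r"^.*?adapter\s+", "", m.group(1))
            current = adapters.setdefault(name, {})
            last_key = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = " ".join(m.group(1).split())
            current[last_key] = [m.group(2)] if m.group(2) else []
            continue
        m = CONT_RE.match(line)
        if m and last_key is not None:
            current[last_key].append(m.group(1))   # second DNS server etc.
    return adapters


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def triage(adapters: Dict[str, Dict[str, List[str]]]) -> Dict[str, str]:
    """Classify each adapter's DNS configuration."""
    findings: Dict[str, str] = {}
    for name, fields in adapters.items():
        if "Media disconnected" in fields.get("Media State", []):
            findings[name] = "DISCONNECTED"
        elif not fields.get("IP Address"):
            findings[name] = "NO_LEASE"
        elif not fields.get("DNS Servers"):
            # Exactly the state behind "connected, IP works, names do not".
            findings[name] = "NO_DNS_SERVER"
        else:
            gateway = set(fields.get("Default Gateway", []))
            odd = [d for d in fields["DNS Servers"]
                   if d not in gateway and not is_rfc1918(d) and d not in KNOWN_GOOD_RESOLVERS]
            findings[name] = "UNEXPECTED_RESOLVER:" + ",".join(odd) if odd else "DNS_OK"
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_NO_DNS, SAMPLE_ODD_RESOLVER):
        for adapter, verdict in triage(parse_ipconfig(sample)).items():
            print(f"{adapter}: {verdict}")
```

    On a real machine the text would come from `ipconfig /all > ipconfig.txt`; a NO_DNS_SERVER verdict on the only connected adapter means the DHCP lease never carried a resolver, while UNEXPECTED_RESOLVER is worth comparing against the router's own DNS settings before trusting the lease.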
     
  18. Denver5613

    Denver5613 Private E-2

    Attached. That virus scan took literally hours and found a trojan. The win32diag did not seem to do much and the log is pretty bare as you will see.
     


  19. thisisu

    thisisu Malware Consultant

    Did you already try resetting or powering off/on your wireless modem/router?

    Both logs are clean. The one file AVP found was in System Restore.
     
  20. Denver5613

    Denver5613 Private E-2

    Yes, but I just did it again for good measure. The laptop I am typing on right now as well as the infected one reconnected just fine, but still no browsing.
     
  21. thisisu

    thisisu Malware Consultant

  22. Denver5613

    Denver5613 Private E-2

    Reinstalled SP3 and.....no change. Still cannot browse even though I am connected.
     
  23. thisisu

    thisisu Malware Consultant

    MGtools was recently updated. Please complete the below directions:

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  24. Denver5613

    Denver5613 Private E-2

    Attached
     


  25. thisisu

    thisisu Malware Consultant

    For good measure, I want you to run this removal tool: Norton Removal Tool

    And uninstall the following from Add/Remove Programs: Intel(R) PROSet/Wireless Software

    After you have done that and then rebooted, follow the below too:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      ipsec.sys
      lsass.exe
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\netbt
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\ipsec
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Jan 3, 2012
  26. Denver5613

    Denver5613 Private E-2

    Scans attached. Windows wanted to reinstall the intel wireless driver, I declined. Should I let windows reinstall the wireless driver?
     


  27. thisisu

    thisisu Malware Consultant

    Hmm, that should have only gotten rid of the software. The driver is typically still intact whenever I have done that.

    To answer your question, yes let Windows reinstall the driver only. Not the software!

    Also you need to attach c:\MGlogs.zip so I can review these logs too.

    If Windows cannot find the driver on its own, then wait and we will completely uninstall/reinstall it. Let me know first.
     
    Last edited: Jan 4, 2012
  28. Denver5613

    Denver5613 Private E-2

    MGlogs attached. Upon startup Windows says found new hardware and wants to reinstall the software for the network controller. I am unsure about how to only install the driver without the software. Currently, the wireless connection is not listed as a choice in Network Connections.
     


  29. thisisu

    thisisu Malware Consultant

    Most likely it will install the driver only. Allow it to install, even if it comes with software.

    If this does not work we are going to uninstall everything related to the wireless and reinstall it from scratch.

    Follow the below instructions if Windows reinstalled the driver and you still do not have internet.
    ______________________________________________________________

    First, uninstall Intel(R) PROSet/Wireless Software again if it is present in Add/Remove Programs. Let me know if it was present or not.

    Reboot if it was present.

    Next:

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (TVTPktFilter)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (s24trans)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (NETw3x32) Intel(R)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    O3 - HKU\S-1-5-21-1572940114-2199989120-3573736101-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-1572940114-2199989120-3573736101-1005\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    @Alternate Data Stream - 48 bytes -> C:\Documents and Settings\All Users\DRM:مايكروسوفت
    @Alternate Data Stream - 1227 bytes -> C:\Documents and Settings\Computer\Start Menu\Programs\Startup\Registration Myst V: End of Ages.LNK
    :services
    NETw3x32
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now download the following file: 7kwc50ww.exe to your desktop. Do not do anything with it yet.

    Then download 7z920.exe to your desktop and install it.

    Once you have installed 7Zip successfully... Right-mouse click on the 7kwc50ww.exe file on your desktop -> 7-Zip -> Extract to "7kwc50ww\"

    Now you will see that there is a new folder on your desktop: 7kwc50ww

    • Open this folder by double-clicking it.
    • Then open the XP folder.
    • Then open the Drivers folder.
    • Now the x32 folder
    • Now double-click DPInst32.EXE to install your wireless driver.
    • Reboot and test your internet. Also check the Device Manager to make sure there are no missing or corrupt devices.

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    ______________________________________________________________

    Reference links for me. (you do not have to do anything with the below)
    ThinkPad R60 (9456-FCU)
    Readme: http://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/7kwc50ww.txt
     
    Last edited: Jan 5, 2012
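    The OTL fix in the post above does two things that are easy to review before running anything: it deletes driver/service entries OTL reports as "File not found" (registry entries whose driver image is gone, left behind by uninstalls or by the infection), and [resethosts] restores the default hosts file. The script below is an added example, not OTL's code and not from the thread: it parses DRV lines of the shape shown in the fix to list the orphaned service names, and audits a hosts file for entries that send a name anywhere other than loopback. The three "File not found" lines are copied from the fix; the line for a driver whose file is present and the hosts text are constructed, and the exact shape of that present-driver line is an assumption.

```python
"""Audit the two kinds of leftovers the OTL fix above targets.

Added example; not OTL's code and not from the thread. It lists what the fix
script would act on, so each item can be reviewed first:
  * driver/service entries whose image file is missing ("File not found" in
    OTL's DRV lines), i.e. orphaned registry entries;
  * hosts-file entries pointing a name anywhere except loopback, which is
    what [resethosts] undoes by restoring the default file.
Only the "File not found" line shape comes from the thread; the present-driver
line and the hosts text are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# DRV - <status> [<type> | <start> | <state>] -- <path> -- (<service>)
DRV_RE = re.compile(
    r"^DRV - (?P<status>.*?) "
    r"\[(?P<type>[^|\]]+) \| (?P<start>[^|\]]+) \| (?P<state>[^\]]+)\]"
    r" -- (?P<path>.*?) -- \((?P<service>[^)]+)\)"
)

# Three lines as they appear in the fix above, plus one constructed line for a
# driver whose file is present (the shape of that line is an assumption).
SAMPLE_OTL_DRV = """\
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (s24trans)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (NETw3x32) Intel(R)
DRV - [2012/01/03 12:00:00 | 000,138,496 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\\WINDOWS\\system32\\drivers\\afd.sys -- (AFD)
"""


def parse_drv_lines(text: str) -> List[Dict[str, str]]:
    """Parse OTL-style DRV lines into dicts; lines of another shape are ignored."""
    entries = []
    for line in text.splitlines():
        m = DRV_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def orphaned_drivers(text: str) -> List[str]:
    """Service names whose registry entry survives but whose driver file is gone."""
    return sorted(e["service"] for e in parse_drv_lines(text)
                  if e["status"] == "File not found")


LOOPBACK = {"127.0.0.1", "::1"}

# Constructed hosts file: the default loopback line plus one redirect that
# would send two names to an address the user never chose.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
203.0.113.9     www.example.com update.example.net   # constructed redirect
"""


def non_loopback_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """(name, address) pairs mapped anywhere except loopback; XP's default file has none."""
    found: List[Tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK:
            continue
        found.extend((name, addr) for name in names)
    return found


if __name__ == "__main__":
    print("Orphaned driver entries:", orphaned_drivers(SAMPLE_OTL_DRV))
    print("Hosts entries not on loopback:", non_loopback_hosts_entries(SAMPLE_HOSTS))
```

    Feeding the script the DRV section of a real OTL.txt and the machine's %SystemRoot%\system32\drivers\etc\hosts gives the same two lists the fix above acts on, so the :services and [resethosts] parts of the fix can be checked against them.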
  30. Denver5613

    Denver5613 Private E-2

    OK, now Windows says it cannot install the new hardware because it cannot find the necessary files, and asks me for a CD-ROM which I do not have.
     
  31. thisisu

    thisisu Malware Consultant

    In that case, proceed with the directions above.
     
  32. Denver5613

    Denver5613 Private E-2

    I can get a driver off the intel website and reinstall that...
     
  33. thisisu

    thisisu Malware Consultant

  34. Denver5613

    Denver5613 Private E-2

    The wireless is up and running again but still no browsing. IE thought about it for a long time before throwing up the error; I thought you had it there for about 15 seconds. Logs attached. Device Manager shows everything is OK.
     


  35. thisisu

    thisisu Malware Consultant

    Attached is another .bat file I would like you to run.
    It will reboot your PC.
    Attach the srvstates.txt log once you are back in Windows.
     


  36. Denver5613

    Denver5613 Private E-2

    Log Attached.
     


  37. thisisu

    thisisu Malware Consultant

    Looks good.

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  38. Denver5613

    Denver5613 Private E-2

    Attached
     


  39. thisisu

    thisisu Malware Consultant

    Can you test for connectivity while in Safe Mode with Networking? -> Starting your computer in Safe mode

    Let's make sure it's not working here either.

    Also, are you using the paid version of Malwarebytes'? Can you uninstall it / disable it while we are troubleshooting?
     
  40. Denver5613

    Denver5613 Private E-2

    IE does not work in safe mode with networking.
     
  41. thisisu

    thisisu Malware Consultant

    Unfortunately I am out of ideas here. :(

    It seems like only a complete reinstall of Windows will do the trick.
     
  42. Denver5613

    Denver5613 Private E-2

    Thanks so much for all your help. I'll try to find a repair/reinstall disc online somewhere. Any suggestions?
     
  43. thisisu

    thisisu Malware Consultant

    You're welcome.

    http://www.microsoft.com/windows/buy/default.aspx
    Get the Full Version, not the Upgrade License.

    Home Premium would be just fine for you IMO.
     
