Internet stops working, RootKit?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Level, May 6, 2012.

  1. Level

    Level Private E-2

    The internet connection works when first logged on but stops working after a few minutes, and the IP address cannot be renewed.
    Internet generally works fine in Safe Mode with Networking but when I was about to post this, it stopped working.

    Some of the scans had no results in normal boot so I ran all of them in Safe Mode.

    ComboFix says RootKit.ZeroAccess was detected and that afd.sys is infected and fixed, but any change to afd.sys is quickly reverted.

    RootRepeal crashes computer when starting scan.

    I am not around to work on the computer for all but just a few nights a week so I will most likely not be able to respond for a few days.
     


  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Level :)

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • avast! Free Antivirus
    • CA Anti-Spyware
    • CA Internet Security Suite
    • SUPERAntiSpyware

    Please download and run AVG Remover

    Please download and run Avast! Uninstall Utility
    This utility must be run from Safe Mode.

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All".
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
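    The /md5start ... /md5stop block above asks OTL to hash the network-stack drivers (afd.sys, tcpip.sys, netbt.sys and so on) so their checksums can be compared with known-good copies; the original post reported that afd.sys was being patched and that repairs were being reverted. As an added illustration of that idea, which is not part of the thread or of OTL, the Python below records a baseline hash for a set of driver files and re-checks them, reporting each one as ok, modified or missing. It runs against a constructed temporary directory of placeholder files; on a real system the directory would be %windir%\system32\drivers and the baseline would come from a trusted clean install or media.

```python
"""Baseline hash check for a set of driver files (added example, not from the thread)."""
import hashlib
import tempfile
from pathlib import Path

# Driver names taken from the OTL /md5start list in the thread.
WATCHED_DRIVERS = ["afd.sys", "tcpip.sys", "netbt.sys", "ipsec.sys", "i8042prt.sys"]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large drivers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(driver_dir: Path, names=WATCHED_DRIVERS) -> dict:
    """Record the hash of each watched driver while the system is believed clean."""
    return {n: sha256_of(driver_dir / n) for n in names if (driver_dir / n).exists()}


def check_drivers(driver_dir: Path, baseline: dict) -> dict:
    """Compare current hashes with the baseline.

    Returns a mapping of driver name -> 'ok' | 'modified' | 'missing'.
    A 'modified' result on a driver that was just repaired is the
    'change quickly reverted' symptom described in the first post.
    """
    result = {}
    for name, expected in baseline.items():
        p = driver_dir / name
        if not p.exists():
            result[name] = "missing"
        elif sha256_of(p) != expected:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def demo() -> dict:
    """Constructed scenario: take a clean baseline, then alter afd.sys in place and delete netbt.sys."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for n in WATCHED_DRIVERS:
            # Placeholder bytes standing in for real driver images (constructed).
            (d / n).write_bytes(b"MZ placeholder contents of " + n.encode())
        baseline = build_baseline(d)
        before = check_drivers(d, baseline)

        # Simulate an in-place patch: same size, one byte changed.
        data = bytearray((d / "afd.sys").read_bytes())
        data[0] ^= 0xFF
        (d / "afd.sys").write_bytes(bytes(data))
        (d / "netbt.sys").unlink()

        after = check_drivers(d, baseline)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, status in demo().items():
        print(phase, status)
```

Re-running check_drivers a minute or two after a repair is the cheap way to tell whether a driver is being rewritten again, which is the behaviour the thread describes for afd.sys.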
     
  3. Level

    Level Private E-2

    Hi thisisu, thanks for helping me.

    There were a few problems:

    I have tried getting rid of both CA and AVG multiple times in the past and again as instructed but it looks like they are still leaving parts behind.

    SUPERAntiSpyware left a hardware object "root/legacy_saskutil/0000" that wants to be installed every time Windows starts; they do have a downloadable uninstaller to use instead of Add/Remove Programs.

    The network connection is now rapidly connecting and disconnecting, flashing between "Internet is now connected" and "A network cable is unplugged".

    OTL.Txt:
    Your file of 408.0 KB bytes exceeds the forum's limit of 375.0 KB for this filetype. I'll zip it.
     

    Attached Files: OTL.zip (53.8 KB)
  4. thisisu

    thisisu Malware Consultant

    Attached is OTLfix.txt
    Download and save this to the infected computer's desktop.
    Try to run the following steps from Normal Mode. If the fix gets stuck, abort and try it from Safe Mode instead. (How to start your computer in Safe mode)

    Now reopen OTL.
    Then drag OTLfix.txt into the text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the Run Fix button.
    The fix will need a reboot. Allow the PC to reboot into Normal Mode.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Run TDSSKiller using these directions. Make sure you update TDSSKiller prior to scanning: TDSSKiller - How to run

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    So your F: drive (the 500GB hdd) is being used as DATA only right? I see quite a few "program files" there but no Windows directory. Just want to make sure there is no Windows directory here.

    Let me know if problems remain after running the above fixes/scans.
     


    Last edited: May 10, 2012
  5. Level

    Level Private E-2

    Yes the F: drive is data only.

    It is still rapidly connecting and disconnecting.
     


  6. thisisu

    thisisu Malware Consultant

    I would prefer if you ran this fix while in Safe Mode for the highest chance of success.
    See: How to start your computer in Safe mode

    Attached is OTLfix.txt
    Download and save this to your desktop.


    Now reopen OTL.
    Then drag OTLfix.txt into the text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the Run Fix button.
    The fix will need a reboot. Allow the PC to reboot into Normal Mode.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Open the Device Manager

    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
      • devmgmt.msc
    • Now press ENTER

    The Device Manager should have opened.
    Collapse the Network Adapters list.
    Right mouse click: NVIDIA nForce Networking Controller
    Choose "Uninstall".
    You will be asked to confirm your actions; choose OK and let it uninstall.
    If it asks you if you want to delete the driver software / files too, say No.
    When you have done this and NVIDIA nForce Networking Controller is no longer in the Device Manager list, press the Scan for hardware changes button or choose Action -> Scan for hardware changes.
    Allow it to reinstall your network adapter.
    Reboot for changes to occur.
    Test internet once you have rebooted.

    __

    If the internet is now working, you can stop here and let me know.
    Otherwise, proceed with these directions as well:


    Scan with OTL
    Reopen OTL and press the Run Scan button.
    Attach the latest OTL.txt when finished. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     


  7. Level

    Level Private E-2

    It is back to working for a few minutes then stopping.
     


  8. thisisu

    thisisu Malware Consultant

    Please rescan with OTL and MGlogs.bat while in Normal Mode.
    Then attach those logs for review.
     
  9. Level

    Level Private E-2

    Ok, here they are.
     


  10. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below (if they appear):
    • CA Anti-Spyware
    • CA Internet Security Suite
    • McAfee SiteAdvisor
    • Spybot - Search & Destroy

    I would prefer if you ran this fix while in Safe Mode for the highest chance of success.
    See: How to start your computer in Safe mode

    Attached is OTLfix.txt
    Download and save this to your desktop.


    Now reopen OTL.
    Then drag OTLfix.txt into the text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the Run Fix button.
    The fix will need a reboot. Allow the PC to reboot into Normal Mode.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    I would like you to try the below.

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned; this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note: This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect; go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.

    If the internet is now working, you can stop here and just let me know.
    Otherwise, proceed with these steps below too:

    _________________________________________

    Update and scan with ComboFix
    • Please download a new copy of ComboFix.exe and transfer it to the computer with the issue.
    • Now run ComboFix.exe by double-clicking it and following all prompts.

    Now download the latest MGtools.exe to the root of your c: drive.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

    Question: How many minutes can you stay connected until you are unable to connect again?
     


  11. Level

    Level Private E-2

    After creating the new TCP/IP the internet connection worked for about eight minutes; I almost finished a post saying that it worked. Other times it has worked for about three minutes.

    ComboFix still says RootKit.ZeroAccess is in the TCP/IP stack.
     


  12. thisisu

    thisisu Malware Consultant

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DirLook::
    C:\WINDOWS\$NtUninstallKB917953$
    C:\WINDOWS\$NtUninstallKB2660465$
    C:\WINDOWS\$NtUninstallKB2653956$
    C:\WINDOWS\$NtUninstallKB2647518$
    C:\WINDOWS\$NtUninstallKB2641653$
    C:\WINDOWS\$NtUninstallKB2621440$
    Domains::
    FireFox::
    FF - ProfilePath - c:\documents and settings\Lehi\Application Data\Mozilla\Firefox\Profiles\n66n6h9x.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:

    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List IP configuration
    • List Winsock Entries
    • List Devices -> All
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
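    The CFScript above removes two Firefox prefs.js entries that pointed the browser's HTTP proxy at 127.0.0.1 on port 50370, and the MiniToolBox run reports and resets the IE and Firefox proxy settings for the same reason: a manual proxy aimed at the local host hands every browser request to whatever process is listening on that port. As an added illustration, which is not part of the thread, of ComboFix or of MiniToolBox, the Python below parses prefs.js lines of the form user_pref("name", value); and flags a manual proxy configuration whose host is the loopback address. The prefs.js text is constructed for the example; its two proxy lines mirror the values ComboFix reported in this thread, and the assumed meaning of network.proxy.type (1 = manual, 2 = PAC URL) is Firefox's documented encoding.

```python
"""Audit a Firefox prefs.js for proxy settings redirected to the local host (added example)."""
import re

# user_pref("some.name", value);  -- value is a quoted string, an integer or true/false
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed prefs.js excerpt; the two network.proxy.http* lines mirror the thread's ComboFix output.
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.majorgeeks.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 1);
user_pref("privacy.donottrackheader.enabled", true);
'''

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PROXY_HOST_KEYS = ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks", "network.proxy.ftp")
PROXY_TYPE_MANUAL = 1
PROXY_TYPE_PAC = 2


def parse_value(raw: str):
    """Convert the textual pref value into a Python string, bool or int."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text: str) -> dict:
    """Return a dict of pref name -> value, ignoring comments and anything else."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit_proxy(prefs: dict) -> list:
    """Return (pref, value, reason) findings for suspicious proxy configuration."""
    findings = []
    ptype = prefs.get("network.proxy.type")
    if ptype == PROXY_TYPE_MANUAL:
        for key in PROXY_HOST_KEYS:
            host = prefs.get(key)
            if host in LOOPBACK:
                port = prefs.get(key + "_port")
                findings.append((key, f"{host}:{port}",
                                 "manual proxy points at the local host; a local process sees all browser traffic"))
    if ptype == PROXY_TYPE_PAC and prefs.get("network.proxy.autoconfig_url"):
        findings.append(("network.proxy.autoconfig_url", prefs["network.proxy.autoconfig_url"],
                         "PAC script configured; confirm it is one the user or their network expects"))
    return findings


if __name__ == "__main__":
    for pref, value, reason in audit_proxy(parse_prefs(SAMPLE_PREFS)):
        print(f"{pref} = {value}: {reason}")
```

Pointing parse_prefs at a real profile's prefs.js (the path ComboFix listed in the CFScript is one such profile directory) gives the same check MiniToolBox's "Report FF Proxy Settings" performs, with the result in a form that can be compared before and after a fix.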
     
  13. Level

    Level Private E-2

    Here are the logs.
     


  14. thisisu

    thisisu Malware Consultant

    Is this a business computer? I see that the user account "Lehi" is logged into a domain called "BLACKY" with other users.

    and... is there an ethernet add-on card you can install to see if the LAN connection is intermittent with this as well?

    I am not suspecting additional malware issues at this point as your last few logs have been clean.
     
  15. Level

    Level Private E-2

    No, it is a home computer. "BLACKY" is the name of the computer and there is no domain.

    I was wondering if it was primarily a malware or a hardware problem; ComboFix still gave the RootKit.ZeroAccess warning but it did not find anything.

    I will see if I have a working ethernet card I can put in. It will most likely be several days before I can report back.
     
