Rootkit zeroaccess cleaned by Combofix but still no internet access

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by thekops, Dec 30, 2011.

  1. thekops

    thekops Private E-2

    I have a Dell Dimension 4600 with XP Home SP3 that has not been able to connect to the internet since Avast found and cleaned a virus about mid-Dec. After booting it shows: "Avast will not be able to protect mail/news (error 10050). Please check that the Avast service (AvastSVC.exe) is not blocked by your personal firewall". Plus my SYSTRAY shows "Acquiring network address..." continually.

    I completed the "read and run me first" with the following results:

    a. Internet connection is still broken and "Acquiring network address..." still shows continually.
    b. While backing up the data, I found many folders had been changed to HIDDEN (some of which ComboFix seemed to clear up). I was still able to back up the data because of the "view hidden files..." settings.
    c. Updating Java steps stated 7.1 as the current version, but the link took me to 6.30 so I used that one (wasn't sure where to find 7.1).
    d. Ran SUPERAntiSpyware. It found an old version and uninstalled it first. After the new one installed, found the screens were rather different than the instructions, but I was able to find and set as directed. It found and cleaned 1 item. I tried using its "Repair Broken Network..." but still no internet connection.
    e. Ran Malwarebytes. Probably due to no internet, received error "PROGRAM_ERROR_UPDATING (11004,0,No Address found)" but the application still opened. I exited the program, manually downloaded the updates and installed them, but got "The Malwarebytes Anti-Malware database is missing or corrupt. Would you like to download a new copy?" I answered NO since there is no internet connection. Got another error: "Product files are missing or corrupt, please reinstall product PROGRAM_ERROR_LOAD_DATABASE (0,13,SDKCreate)." So I reinstalled Malwarebytes and got the same 11004 message. It still opened the application and I continued with your instructions. Nothing was found.
    f. Ran ComboFix. It found "rootkit.zeroaccess... particularly difficult infection...". When done, still no internet connection. I tried their "manually repair" steps but still no internet connection.
    g. Ran RootRepeal with no problems.
    h. Ran MGtools with no problems.

    Thanks for all the good that you do in this forum.
     

    Attached Files:

  2. thekops

    thekops Private E-2

    Here is the fifth log.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The infection you have causes significant damage to the Windows Operating System. It shuts down many required services and corrupts many registry keys. It takes quite a bit of work to fix. So let's begin.



    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as type" is set to "All files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



    Please download MiniToolBox and save it to your desktop and run it by right clicking and selecting Run As Administrator.


    Checkmark following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List IP configuration
    • List Winsock Entries
    • List Devices -> All
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.



    Now download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Repair Windows Firewall
      • Repair Internet Explorer
      • Repair Hosts File
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Windows Updates
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.
    Now please click Start, Run and type services.msc into the Run box and click OK. This will open up the Services form. Scroll down to the Application Layer Gateway Service service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Manual.

    Now locate the IPSEC Services service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the DNS Client service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Windows Firewall/Internet Connection Sharing (ICS) service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Plug and Play service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Workstation service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Server service and Start it and set the Startup type to Manual, Did this Start?

    Now locate the Computer Browser service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the TCP/IP NetBIOS Helper service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the SSDP Discovery Service service and Start it and set the Startup type to Manual, Did this Start?


    Now click Start, then Run, and type cmd into the Run box and click OK. This will bring up the command prompt. Now enter the below commands into the command prompt window one at a time, each followed by the Enter key. Tell me EXACTLY what message you get for each.

    netsh int ip reset resetlog.txt


    Now no matter what has happened above, continue to do the below.

    Reboot your PC!!!!



    After reboot, please download Farbar Service Scanner and run it
    • Make sure to put a check in each of the check boxes for
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below logs:
    • the Result.txt log from MiniToolBox
    • the FSS.txt log from Farbar's Service Scanner
    • C:\MGlogs.zip
     
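The services.msc checks and the netsh reset in the post above can be done in one pass from a command prompt, with the result of every "Did this Start?" written to a file that can be attached to the reply. The batch file below is an added example written for this page; it is not from the thread, from MajorGeeks, or from any of the tools named in the post. It assumes the Windows XP SP3 default service short names shown in the comment table (ALG, PolicyAgent, Dnscache, SharedAccess, PlugPlay, lanmanworkstation, lanmanserver, Browser, LmHosts, SSDPSRV), that it is run from an Administrator-level account, and the file names service_fix.txt and resetlog.txt are arbitrary choices. It does not replace the registry fix, MiniToolBox or the Tweaking.com repairs: a service whose registry key the infection deleted is reported as NOT FOUND, because sc cannot recreate a missing key.

```batch
@echo off
REM Added example for this page - not from the thread, MajorGeeks, or any tool it names.
REM Enforces the startup types asked for in the post, starts each service, then
REM re-queries the live state so "Did this Start?" can be answered per service.
REM Assumptions: Windows XP SP3 default service short names (see table), run from an
REM Administrator account. service_fix.txt and resetlog.txt are arbitrary file names.
setlocal
set "LOG=%~dp0service_fix.txt"
echo Service repair run %date% %time% > "%LOG%"

REM   Display name (services.msc)          Short name          Startup type wanted
REM   Application Layer Gateway Service    ALG                 demand  (Manual)
REM   IPSEC Services                       PolicyAgent         auto    (Automatic)
REM   DNS Client                           Dnscache            auto
REM   Windows Firewall/ICS                 SharedAccess        auto
REM   Plug and Play                        PlugPlay            auto
REM   Workstation                          lanmanworkstation   auto
REM   Server                               lanmanserver        demand  (Manual)
REM   Computer Browser                     Browser             auto
REM   TCP/IP NetBIOS Helper                LmHosts             auto
REM   SSDP Discovery Service               SSDPSRV             demand  (Manual)
for %%S in ("ALG=demand" "PolicyAgent=auto" "Dnscache=auto" "SharedAccess=auto"
            "PlugPlay=auto" "lanmanworkstation=auto" "lanmanserver=demand"
            "Browser=auto" "LmHosts=auto" "SSDPSRV=demand") do (
    for /f "tokens=1,2 delims==" %%A in (%%S) do call :fixsvc %%A %%B
)

call :say --- netsh: resetting TCP/IP as in the post, plus the Winsock catalog ---
netsh int ip reset "%~dp0resetlog.txt" >> "%LOG%" 2>&1
netsh winsock reset >> "%LOG%" 2>&1
call :say Done. Attach %LOG% to the reply and reboot before testing the connection.
endlocal
goto :eof

:fixsvc
set "SVC=%~1"
set "WANT=%~2"
set "WANT_TAG=DEMAND_START"
if /i "%WANT%"=="auto" set "WANT_TAG=AUTO_START"

REM 1. Startup type. "sc qc" prints a line like "START_TYPE : 2 AUTO_START";
REM    tokens 3 and 4 of it are the number and the name. If the service's registry
REM    key has been deleted, sc qc fails and CUR stays MISSING.
call :get_starttype
if "%CUR%"=="MISSING" (
    call :say %SVC%: NOT FOUND - its registry key is gone. sc cannot fix that. The registry fix in the post must recreate it.
    goto :eof
)
if /i not "%CUR%"=="%WANT_TAG%" (
    sc config %SVC% start= %WANT% >nul 2>&1
    call :get_starttype
)
if /i "%CUR%"=="%WANT_TAG%" (call :say %SVC%: startup type is %WANT%) else (call :say %SVC%: FAILED to set startup type - still %CUR%. Check permissions on HKLM\SYSTEM\CurrentControlSet\Services\%SVC%)

REM 2. Running state. "sc query" prints "STATE : 4 RUNNING" or "STATE : 1 STOPPED".
REM    Start it if needed, wait about 3 s (ping to loopback), then re-query instead
REM    of trusting the exit code of sc start.
call :get_state
if /i not "%STATE%"=="RUNNING" (
    sc start %SVC% >nul 2>&1
    ping -n 4 127.0.0.1 >nul
    call :get_state
)
if /i "%STATE%"=="RUNNING" (call :say %SVC%: Did this Start - YES) else (call :say %SVC%: Did this Start - NO, state is %STATE%)
goto :eof

:get_starttype
set "CUR=MISSING"
for /f "tokens=3,4" %%X in ('sc qc %SVC% ^| findstr START_TYPE') do set "CUR=%%Y"
goto :eof

:get_state
set "STATE=UNKNOWN"
for /f "tokens=3,4" %%X in ('sc query %SVC% ^| findstr STATE') do set "STATE=%%Y"
goto :eof

:say
echo %*
echo %* >> "%LOG%"
goto :eof
```

Save it as fix_services.bat on the Desktop and double click it; service_fix.txt appears next to it with one line per service for the startup type and one for the start result. Re-querying the state after sc start is the check that matters here: ZeroAccess also tampers with the permissions on service registry keys, so a sc config or sc start that silently fails shows up as "FAILED" or "NO" in the log rather than being assumed to have worked.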
  4. thekops

    thekops Private E-2

    Thanks for your quick reply. Here are my results:

    a. Ran fixme.reg & got error: "Cannot import c:\Documents and settings\Owner\Desktop\fixme.reg: Error accessing registry".

    b. Ran MiniToolBox & got error: "Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced".

    I booted into SAFE MODE and set the Administrator account with a password, then booted back into Normal Mode. Saw a notice popup in my SYSTRAY about some update available for DIVx so I checked my internet connection and found it working with Internet Explorer. Firefox is still not working. I also noticed many of the folders under Program Files are also still in a HIDDEN state (example: CCleaner folder, Mozilla Firefox folder, etc).

    c. Ran fixme.reg again & got a different error: "Cannot import c:\Documents and settings\Owner\Desktop\fixme.reg: not all data was successfully written to the registry. Some keys are open by the system or other processes."

    d. Ran MiniTool again (using new administrator password I created) & got same error as above.

    e. Ran WindowsRepair with no problems and rebooted when prompted (seeing all 6 of 6 jobs completed).

    Results of services.msc instructions:
    Application Layer - shows started and manual.
    IPSEC - shows started and auto.
    DNS Client - shows started and auto.
    Windows Firewall - shows started and auto.
    Plug and Play - shows started and auto.
    Workstation - shows started and auto.
    Services - shows started, was auto, set to manual.
    Computer Browser - shows started and auto.
    TCP/IP - shows started and auto.
    SSDP Discovery - shows started and manual.

    Results of netsh... in cmd box: it did not display anything and just went back to the C:... prompt.

    Attached are 2 of 3 logs (since MiniTools could not be run).

    Things are looking better and better! I will continue to wait for further instructions before using this computer. Have a Happy New Year!
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run the below and tell me if it helps.

    Please download and save the below tool from Grinler @ bleepingcomputer to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it. Now see if you can find the items that seemed to be missing ( like shortcuts, Start Programs... etc )?
     
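For readers who want to see what the "unhide" step does before running a third-party tool on a freshly cleaned machine, the following batch file is an added example written for this page; it is not Grinler's unhide.exe or any other tool from the thread. It first writes the hidden folders under Program Files and the Start Menu and Desktop folders to a report, then clears only the Hidden attribute under those locations (the folders thekops reported, such as CCleaner and Mozilla Firefox). The list of locations and the report file name are assumptions for the example.

```batch
@echo off
REM Added example for this page - not Grinler's unhide.exe or any tool from the thread.
REM 1. Report hidden folders under Program Files and the Start Menu / Desktop folders.
REM 2. Clear only the Hidden attribute on everything under those locations.
REM attrib refuses to change an item that also carries the System attribute unless
REM -s is given (it prints "Not resetting system file"), so desktop.ini and the other
REM System+Hidden items Windows hides on purpose are left alone. Only the malware's
REM plain Hidden flag is removed. Locations and report name are example choices.
setlocal
set "REPORT=%~dp0hidden_report.txt"
echo Hidden folders found %date% %time% > "%REPORT%"

REM dir  /a:dh = directories that have the Hidden attribute, /s = recurse, /b = bare paths
REM attrib -h = clear Hidden, /s = recurse, /d = apply to folders as well as files
for %%D in ("%ProgramFiles%" "%ALLUSERSPROFILE%\Start Menu" "%USERPROFILE%\Start Menu" "%USERPROFILE%\Desktop") do (
    echo. >> "%REPORT%"
    echo [%%~D] >> "%REPORT%"
    dir "%%~D" /a:dh /b /s >> "%REPORT%" 2>nul
    attrib -h "%%~D\*" /s /d >> "%REPORT%" 2>&1
)

echo Review %REPORT% - lines reading "Not resetting system file" are items that were skipped on purpose.
endlocal
```

Run it from the account whose profile was affected (Owner in this thread); the report shows which folders had been hidden before the attribute was cleared, which is useful when deciding whether anything else in those locations needs a closer look.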
  6. thekops

    thekops Private E-2

    Ran it and now folders that are supposed to be visible ARE visible. Thanks.

    So are we done? I have internet connection now with Internet Explorer. But not with Mozilla (which I can easily uninstall and reinstall).
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Logs look good. But before we finish, tell me what happened after the reinstall of Firefox.
     
  8. thekops

    thekops Private E-2

    I did not reinstall Firefox yet until you approved. Will do and then get back with you.
     
  9. thekops

    thekops Private E-2

    Uninstall and reinstall of Mozilla Firefox did not help. It still does not startup. I did KEEP personal data and customer information. Should I have totally deleted and then reinstalled?

    I also see some automatic windows updates downloaded and required me to reboot.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, it would be better to uninstall Firefox completely, which means also deleting all the related folders:
    • C:\Program Files\Mozilla Firefox
    • C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla
    Then reboot. After reboot reinstall Firefox but do not reinstall any addons initially until you are sure it is working properly.
     
  11. thekops

    thekops Private E-2

    Yippee! Mozilla is now working! Instead of using original install file, I downloaded a clean and updated version of Mozilla. I will import the old bookmarks later after I'm sure all is working and the computer is clean.

    What's next?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  13. thekops

    thekops Private E-2

    Thanks once again for all your help. Completed the final steps and all looks great!

    You truly provide a great service!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and thanks! :)

    Surf safely.
     
