Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by visitavisroy, May 2, 2012.

  1. visitavisroy

    visitavisroy Private E-2

    Dell Inspiron mini with Windows XP, 32 bit, SP3 installed. Google searches were redirecting for a few days in Mozilla Firefox. Found AVG scan components absent. Did some search on Google forums and took advice of running ComboFix after removing AVG. Post ComboFix, unable to connect to internet. Lists wireless networks but no IP is allocated. Task manager shows no active network adapters. Wired ethernet also same status. Re-installed driver of wireless card (Dell Wireless 1397 WLAN Minicard) from Dell CD but no luck.

    Also it is now taking too long to start up and show active task bar. Sometimes shutdown is taking much longer than usual and gets stuck with the shutdown screen.

    Followed and ran all the processes of READ ME AND RUN ME FIRST. The logs are attached.

    Any help will be much appreciated. Thanks in advance for your time!
     

    Attached Files:

  2. visitavisroy

    visitavisroy Private E-2

    MGlogs attached now.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please see step 4 of the READ & RUN ME and run MSconfig and put your PC in normal startup mode as requested.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now continue with the below procedure:

    1. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • The above file will open in the notepad.
      • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
      • Edit 0xA0 and replace it with 0x80 (replace A with 8)
      • Under File menu click Save and close the notepad.
    2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install; a popup window opens.
      • Select Protocol from the list and then click Add.
      • A new window opens, click Have Disk....
      • In the browse... box type c:\windows\inf
      • Click OK.
      • Select Internet Protocol (TCP/IP), and then click OK.
      • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    3. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
      • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
      • Under File menu click Save and close the notepad.
    4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install
      • A popup window opens. Select Protocol.
      • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


      Then attach the below logs:
      • the new combofix.txt log
      • C:\MGlogs.zip
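    What the edit in step 1 of the procedure above actually changes: the Characteristics value of the TCP/IP protocol entry is a bitmask of NCF_* flags from the Windows netcfgx.h header, where 0xA0 is NCF_HAS_UI (0x80) | NCF_NOT_USER_REMOVABLE (0x20). Clearing the 0x20 bit is what makes the Uninstall button work in step 2, and step 3 restores it so TCP/IP is again protected from casual removal. The Python script below is an added example, not code from the thread or from MajorGeeks; it performs that bit flip on an INF-style text and lets you confirm the value before and after. The section name [MS_TCPIP.PrimaryInstall] and the sample file contents are assumptions constructed for the example, not the real nettcpip.inf.

```python
"""Toggle NCF_NOT_USER_REMOVABLE on a TCP/IP protocol INF entry (added example)."""
import re

# Flag bits from netcfgx.h; only the two bits the thread's edit touches are decoded here.
NCF_NOT_USER_REMOVABLE = 0x20   # protocol cannot be uninstalled from Network Connections
NCF_HAS_UI = 0x80               # protocol has a Properties page

# Assumed section name; the thread calls it the "TCP/IP Primary Install" section.
SECTION = "[MS_TCPIP.PrimaryInstall]"

# Constructed sample standing in for c:\windows\inf\nettcpip.inf (not the real file).
SAMPLE_INF = """\
[Version]
Signature = "$Windows NT$"

[MS_TCPIP.PrimaryInstall]
Characteristics = 0xA0 ; NCF_HAS_UI | NCF_NOT_USER_REMOVABLE
CopyFiles = TCPIP.CopyFiles.Sys

[MS_TCPIP6.PrimaryInstall]
Characteristics = 0xA0
"""

_CHAR_RE = re.compile(r"^(\s*Characteristics\s*=\s*)0x([0-9A-Fa-f]+)(.*)$")


def _section_bounds(lines, name):
    """Return (header index, end index) of the named INF section; end is exclusive."""
    start = None
    for i, line in enumerate(lines):
        s = line.strip()
        if start is None:
            if s.lower() == name.lower():
                start = i
        elif s.startswith("["):          # next section header ends this one
            return start, i
    if start is None:
        raise ValueError(f"section {name} not found")
    return start, len(lines)


def read_characteristics(text, section=SECTION):
    """Parse the Characteristics value inside one section only."""
    lines = text.split("\n")
    start, end = _section_bounds(lines, section)
    for line in lines[start + 1:end]:
        m = _CHAR_RE.match(line)
        if m:
            return int(m.group(2), 16)
    raise ValueError(f"no Characteristics entry in {section}")


def set_user_removable(text, removable, section=SECTION):
    """Clear (removable=True) or set (removable=False) NCF_NOT_USER_REMOVABLE.

    Only the first Characteristics line inside `section` is rewritten; the
    trailing comment and every other line are preserved byte for byte.
    """
    lines = text.split("\n")
    start, end = _section_bounds(lines, section)
    for i in range(start + 1, end):
        m = _CHAR_RE.match(lines[i])
        if not m:
            continue
        value = int(m.group(2), 16)
        if removable:
            value &= ~NCF_NOT_USER_REMOVABLE
        else:
            value |= NCF_NOT_USER_REMOVABLE
        lines[i] = f"{m.group(1)}0x{value:02X}{m.group(3)}"
        return "\n".join(lines)
    raise ValueError(f"no Characteristics entry in {section}")


def describe(value):
    """Name the flag bits present in a Characteristics value (only the two decoded here)."""
    names = []
    if value & NCF_HAS_UI:
        names.append("NCF_HAS_UI")
    if value & NCF_NOT_USER_REMOVABLE:
        names.append("NCF_NOT_USER_REMOVABLE")
    return " | ".join(names) or "(none)"


if __name__ == "__main__":
    before = read_characteristics(SAMPLE_INF)
    unlocked = set_user_removable(SAMPLE_INF, True)
    after = read_characteristics(unlocked)
    print(f"step 1: 0x{before:02X} ({describe(before)}) -> 0x{after:02X} ({describe(after)})")
    restored = read_characteristics(set_user_removable(unlocked, False))
    print(f"step 3: back to 0x{restored:02X} ({describe(restored)})")
```

Because the edit is scoped to one section, the IPv6 entry in the sample keeps its own 0xA0 untouched, which is the same care you want when editing the real file by hand: change only the one value under the TCP/IP primary install section.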
     
  4. visitavisroy

    visitavisroy Private E-2

    First I must thank you profusely for your time and attention to my problem.

    I followed all your exact instructions. ComboFix actually detected ZeroAccess Rootkit again, so clearly it was not removed initially.

    After ComboFix and reboot, the internet connection was actually back!! Yet, to follow your full prescription, I went through the rest of the 5 steps to re-install the TCP/IP stack.

    The internet connectivity is back now - both wired and wireless. I have made some test searches and no re-directions have been observed.

    You are GOD. ABSOLUTE RESPECT!

    The 2 logs are attached. Now that the connectivity is back, should I remove the tools recently installed and re-install AVG? Please advise.

    Thanks again and again!
     

    Attached Files:

  5. visitavisroy

    visitavisroy Private E-2

    Hi chaslang, couple of hours back when I made the last post, everything was fine as I had mentioned. I had kept the machine shutdown because there was no anti-virus running and it was connected to the net.

    I started the computer a few minutes back to take a few files and strangely the machine was back to its previous state - no connectivity, no active network adapters detected :(

    I rebooted the machine, but no luck.

    Maybe the malware is still there and messing around.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then let's get some new logs because your last ones looked okay other than one question I have. Inside the MGlogs.zip file is a log named nwktst.txt. Did you edit this file to insert question marks in a few locations?

    • Make sure your network cable is plugged in even if you do not have the ability to get a connection to work.
    • Shutdown your AV
    • Then rerun C:\MGtools\GetLogs.bat and attach the new MGlogs.zip file.
     
  7. visitavisroy

    visitavisroy Private E-2

    I am 100% sure I have not tried to edit anything in the logs. Kept the network cable connected now, no AV, reran the MGtool. New logs attached.

    Thanks for your response.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we need to run a couple other scans and then apply some additional fixes.


    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.

    See the download links under this icon
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
    If you do not have a network connection at this point, rerun the procedure from the 2nd half of message #3 with nettcpip.inf again.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • FSS.txt
    • C:\MGlogs.zip
    How are things working now?
     
  9. visitavisroy

    visitavisroy Private E-2

    Thanks again for your advice. Ran TDSSKiller, MBRCheck and ComboFix as instructed.

    This time ZeroAccess Rootkit was not detected while running ComboFix. However, unlike last time, the network connectivity was not back after reboot post-ComboFix.

    Ran Farbar Service Scanner. Still no connectivity.

    So re-ran the procedure from the 2nd half of message #3 with nettcpip.inf again. BUT at the last stage (step 4 of the procedure), when I clicked OK after selecting Internet Protocol (TCP/IP), it popped up an error message as "Access is Denied". So, could not complete this procedure.

    Ran MGtools getlogs. Attached MGlogs and error message snapshot in next message.
     

    Attached Files:

  10. visitavisroy

    visitavisroy Private E-2

    MGlogs and error screenshot attached now.

    2 observations:

    - at step 2 of nettcpip.inf procedure, while selecting Internet Protocol (TCP/IP), I observed that it was not digitally signed

    - At step 4 of the procedure, in the Network Connections window, both the wired and wireless network connection icons had 'connected' written underneath them though there was no connection.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, some additional registry entries for services have now gone missing. When I last had you run the fix with ComboFix, only the IPSec service had entries missing. Now several other services are missing from the registry. And in addition, the fix with ComboFix was only able to partially restore the IPSec service. I'm wondering if there are permission issues broken in the registry and also whether there is still some active component of the infection that is hiding somewhere. Let's run another tool to check deeper for possible infections and also attempt some fixes to correct permissions.



    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Register System Files
      • Repair WMI
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.
    Now download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Now double click on resetperm.cmd to run this script. Be patient as this may take awhile to run.
    Once it finishes, reboot your PC and then continue with the below.



    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
     
  12. visitavisroy

    visitavisroy Private E-2

    Hi! Thanks again for spending so much time on my problem and trying so hard to solve it. Whether or not my machine finally gets fixed, you will always have my best wishes.

    I performed your instructions. The logs are attached.

    While executing the Repair_Windows.exe, an error popped up several times. A screenshot is attached. The program went on every time I clicked OK. So not sure whether the program could actually do the job it was supposed to do.

    Just for sake of records, no connectivity yet.

    Thanks again.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Yes, this is due to the Microsoft program named psexec.exe crashing. The Windows Repair program makes use of this to perform the repairs. I can see the crashes in your Extras.txt log.
    Not sure if the repairs actually worked or not, but let's continue, to attempt to repair all the damage this infection has caused.

    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

    WARNING: The below fix is only meant for visitavisroy and no other PCs!!!


    Download the below file and save it to your Desktop

    visitavisroy.reg

    Then double click on it and allow it to be added to your registry. Let me know if you receive a success message. You may receive a message stating something like not all keys were successfully added or merged to the registry.

    Now reboot your PC.

    If you do not have a network connection at this point, rerun the procedure from the 2nd half of message #3 with nettcpip.inf again.


    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




    Then attach the below logs:
    • FSS.txt
    • C:\MGlogs.zip
    How are things working now?
     
    Last edited: Aug 20, 2012
  14. visitavisroy

    visitavisroy Private E-2

    Hi chaslang, firstly apologies for the late response; was traveling on work a bit.

    Ran your instructions today. During the /scannow process, it did access the Windows CD several times. The visitavisroy.reg gave a clear success message. No connectivity thereafter, so went through the nettcpip.inf procedure.

    Bingo! Connectivity was back after the nettcpip.inf process. I even updated the Malwarebytes database and ran a quick scan to see there are no infections. So ran the Farbar scan and MGlogs. Logs attached.

    However, just like last time .... one reboot and strangely the connectivity was again gone :( ... as if something is getting corrupted during reboot. So, for your analysis, ran FSS and MGlogs again. These logs are named with the postfix '-after' and attached too.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Repeat all the instructions in message #13 again including redownloading visitavisroy.reg
    because it has been modified. This time or any time in the future, once your network access is working, DO NOT power down, reboot, reset....etc your PC. Just attach the latest logs and wait for me to get back to you.
     
    Last edited: Aug 20, 2012
  16. visitavisroy

    visitavisroy Private E-2

    Hi chaslang, thanks indeed. I ran the procedure again. This time after the visitavisroy.reg successful execution and reboot, the connectivity was back. So did not have to go through the nettcpip.inf procedure. The 2 logs are attached.

    Not shutting down, rebooting, etc. Will await your instructions.

    Sincere thanks once again!
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These logs look fine, but still do not allow a reboot yet.

    Did you knowingly install and do you use the below remote access applications?

    O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\Bubble\Application Data\Mikogo Extra\B-Service.exe
    O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe

    Also I don't see where the Mikogo B-Service program is even still installed but the service is there. Did you uninstall it?


    Now follow the instructions in the below to run an online scan with ESET. Attach the log. Note, it will likely find a few files like process.exe in the MGtools folder. The process.exe file is completely safe. It is just a command line task manager program ( a process manager hence the file name ).

    Using ESET's Online Scanner
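    The question asked in message #17 is the one worth automating when you triage a HijackThis log: which O23 service entries point at a binary under a user profile, have no publisher recorded, or reference a file that no longer exists (an orphaned service, which is what the Mikogo B-Service entry turned out to be). The Python script below is an added example, not code from the thread or from MajorGeeks. The first two sample lines are the O23 lines quoted in message #17; the third and fourth are constructed for contrast, and the path heuristics (user-profile roots, temp directories, system roots) are assumptions chosen for XP-era paths.

```python
"""Flag suspicious O23 (service) lines from a HijackThis log (added example)."""
import re

# Sample input: lines 1-2 are from message #17 of the thread; lines 3-4 are constructed.
SAMPLE_O23_LINES = [
    r"O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\Bubble\Application Data\Mikogo Extra\B-Service.exe",
    r"O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe",
    r"O23 - Service: DHCP Client (Dhcp) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe",
    r"O23 - Service: Updater Helper - Unknown owner - C:\Documents and Settings\Bubble\Local Settings\Temp\upd.exe (file missing)",
]

# HijackThis O23 layout: "O23 - Service: <display> (<short>) - <owner> - <path>"
_O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
_SHORT_RE = re.compile(r"^(?P<name>.+?)(?: \((?P<short>[^()]+)\))?$")

# Assumed path classes (Windows XP layout; add C:\Users\ for later versions).
USER_PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\")
FILE_MISSING = "(file missing)"


def parse_o23(line):
    """Split one O23 line into its fields; return None for any other line."""
    m = _O23_RE.match(line.strip())
    if not m:
        return None
    names = _SHORT_RE.match(m.group("display"))
    path = m.group("path")
    file_missing = path.endswith(FILE_MISSING)
    if file_missing:
        path = path[: -len(FILE_MISSING)].rstrip()
    return {
        "display": names.group("name"),
        "short": names.group("short"),      # service name in parentheses, if any
        "owner": m.group("owner"),
        "path": path,
        "file_missing": file_missing,
    }


def assess(entry):
    """Return the list of reasons a parsed service entry deserves a second look."""
    reasons = []
    p = entry["path"].lower()
    if p.startswith(USER_PROFILE_ROOTS):
        reasons.append("binary lives under a user profile rather than a system or Program Files directory")
    if "\\temp\\" in p:
        reasons.append("binary lives in a temporary directory")
    if entry["file_missing"]:
        reasons.append("service binary is missing: orphaned service entry")
    if entry["owner"].lower() == "unknown owner" and not p.startswith(SYSTEM_ROOTS):
        reasons.append("no publisher recorded and not under a system root")
    return reasons


def flag_services(lines):
    """Parse every O23 line and keep only entries with at least one reason."""
    flagged = []
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in flag_services(SAMPLE_O23_LINES):
        label = e["short"] or e["display"]
        print(f"{label}: {e['path']}")
        for r in e["reasons"]:
            print(f"    - {r}")
```

A flagged entry is a question, not a verdict: the thread resolved B-Service by confirming with the user that Mikogo had been uninstalled and then removing the leftover service with sc stop / sc delete, which is the same "ask the owner, then clean up" sequence this output is meant to prompt.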
     
  18. visitavisroy

    visitavisroy Private E-2

    Hi chaslang, yes I had installed both Mikogo and TeamViewer but uninstalled Mikogo long ago. Mikogo is a screen sharing add-on that comes with Skype. I use TeamViewer quite frequently.

    Attached is the ESETScan.txt. No reboot yet.

    Thanks once again.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay well since it still is trying to load a service, let's remove it.

    Open a command prompt window by clicking Start, Run, and enter cmd and click OK. When the window opens, type each of the below commands in. Follow each by the Enter key. Note there are spaces after the sc and after the stop and after the delete.

    sc stop B-Service
    sc delete B-Service


    Now see if the below folder exists and delete it if found:
    C:\Documents and Settings\Bubble\Application Data\Mikogo Extra


    Now let's power down your PC ( not reboot -- power down ). Leave it powered down for at least two minutes. Then make sure that any/all removable type devices have been disconnected from any USB ports. Then power your PC back up and see where we stand as far as having network access. Attach the below new log no matter what the status is.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    • C:\MGlogs.zip
     
  20. visitavisroy

    visitavisroy Private E-2

    Hi chaslang, followed all your instructions. This time connectivity was OK after starting up the machine. Finally, it seems like OK now :)

    Attached is the logs. Should I now go ahead and re-install AVG?

    Many many many thanks once again for all this effort and attention!
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Don't reinstall AVG until you get to the last step in the below, where the instructions in the How to protect.... link talk about having an antivirus installed.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  22. visitavisroy

    visitavisroy Private E-2

    Hi chaslang, really sorry to bother you again but seems like some final healing touches are still needed.

    I followed your instructions of final cleanup (removing tools, ComboFix, MGClean, etc). Removed Malwarebytes, replaced trial SUPERAntiSpyware with a paid version, installed Avira, installed Comodo Firewall-only, CCleaner and updated Windows.

    However, after downloading Windows updates and a reboot (required after removal of old SAS), the machine again had no connectivity. I re-ran your last instructions (ie sfc /scannow, visitavisroy.reg). The .reg merge was a partial success. Reboot and the connectivity was back.

    Ran full version SAS and found no malware infection. Also ran FSS and MGlogs.bat. Comodo threw up a lot of warnings during MGlogs.bat but allowed them to let it run.

    Attached are the logs. Keeping the machine turned on till your response.

    I am bothering you on this one case for way too long :(
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Something has deleted your IPsec registry key again. At this point your problems do not really seem to be due to malware but rather seem to be due to either something you are running or due to just some corruption of drivers on your PC or due to a problem with Windows itself. The only way to probably resolve this at this point is likely to perform a totally new clean install of Windows.

    Otherwise we would just be repeating the same kind of steps every day.
     
  24. visitavisroy

    visitavisroy Private E-2

    Yes, you are right as usual. I just re-installed xp and things are fine now :)

    Thanks a lot for your all your effort.

    Cheers!
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  26. visitavisroy

    visitavisroy Private E-2

    Hi chaslang, have done the needful as per your instructions. Guess we can terminate the thread here. As always, thanks again!
     
