MajorGeeks Support Forums

  #1  
Old 12-28-11, 13:28
Denver5613 (Private First Class)

Combofix removed rootkit ZeroAccess, now no internet

MG,

On 12-22-2011 I began to get random IE redirects to a website I cannot recall. Ran MBAM which found trojan.fakealert and three securitycenterdisablenotify infections, which were reported as removed/quarantined. The redirects continued the next day and MBAM found and deleted gnik6o trojan.email. The redirects continued but MBAM did not find any other infections. Combofix was then run by me and reported a rootkit zeroaccess trojan which was in the TCP/IP stack on my XP SP3 computer, and the warning came up about possibly losing internet connection, which I did. I had used combofix before for another problem but am now stymied. Neither the wireless at home nor the network at work will have anything other than low or no connectivity, and IE will not connect. I have followed the Read and Run me First procedures and followed the XP Malware removal guide and saved all the logs.

And yes, you can scold me now for trying to use fixes recommended for others, including ESETSirefef Remover, Antizeroaccess, tdsskiller, and even Winsockxpfix and xptcprep. I realize now this is not the recommended course of action. Sorry, but I have never not been able to remove a problem by myself before just by reading what others have done. I am now officially over my head. In any case, the requested logs are attached, and I thank you in advance for trying to help out. MG zip file to follow...
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 12-28-2011 - 10-55-33.log (613 Bytes, 4 views)
File Type: txt mbam-log-2011-12-28 (11-32-56).txt (908 Bytes, 4 views)
File Type: txt ComboFix.txt (9.5 KB, 9 views)
File Type: txt RRlog12-28-2011.txt (690 Bytes, 2 views)
  #2  
Old 12-28-11, 13:29
Denver5613 (Private First Class)

MGlogs zip file attached...
Attached Files
File Type: zip MGlogs.zip (237.6 KB, 9 views)
  #3  
Old 12-28-11, 14:13
Denver5613 (Private First Class)

I should also mention that I cannot get Windows Firewall to turn on either because of the "firewall/internet connection sharing service (ICS)". I am guessing this could be due to the lack of an internet connection.

Thanks again in advance.
  #4  
Old 12-28-11, 15:33
thisisu (Malware Consultant, Houston, TX)

Hi and welcome to Major Geeks, Denver5613!

Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
  • Double-click MessengerDisable.exe to run it.
  • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
  • Click Apply
  • Click Exit

Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:
Code:
KillAll::
ClearJavaCache::
File::
C:\Documents and Settings\Computer\Local Settings\Application Data\0k23om0f05f343
C:\Documents and Settings\All Users\Application Data\0k23om0f05f343
C:\Documents and Settings\Computer\Templates\0k23om0f05f343
C:\Documents and Settings\Computer\Local Settings\Application Data\o46m08r2kous668313xtbml47c0l680o07f
C:\Documents and Settings\Computer\Templates\o46m08r2kous668313xtbml47c0l680o07f
C:\Documents and Settings\All Users\Application Data\axLuD5M.dat
Folder::
C:\Documents and Settings\Computer\Local Settings\Application Data\sfjhhunoq
C:\Documents and Settings\Computer\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"PDF4 Registry Controller"=-
Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.

This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

Please attach the existing log (FSS.txt) from Farbar Service Scanner. (How to attach)
Code:
"C:\Documents and Settings\Computer\Desktop\"
fss.txt       Dec 27 2011        1292  "FSS.txt"
I have attached a .zip file to this message.

Inside of it is:
  • fixme+restart.bat
Extract this file to your desktop and run it by double-clicking it. It will reboot your PC. Test your internet when you get back and also attach the fixme_results.txt to your next reply.


Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
Attached Files
File Type: zip fixme+restart.zip (332 Bytes, 46 views)
__________________
Facebook . Twitter . Blog . VirusTotal
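The CFScript in the post above is a small declarative format: each `Directive::` header opens a section and the lines beneath it are that section's operands (file paths, folder paths, or .reg-style registry lines where `"Name"=-` deletes a value). Before dragging such a script onto ComboFix it is worth listing exactly what it will remove. The script below is an added example written for this thread, not ComboFix's own code; it parses only the directives used here (KillAll::, ClearJavaCache::, File::, Folder::, Registry::), uses the script posted above as its sample input, and applies a review rule of its own (flag anything under a Windows system directory or under a Services registry key) that ComboFix itself does not enforce.

```python
"""Review a ComboFix CFScript before running it.

Added example (not ComboFix's own code). It parses the directives used in
the script above - KillAll::, ClearJavaCache::, File::, Folder:: and
Registry:: - into a flat list of actions so the person about to drag the
script onto ComboFix can see exactly what it will touch. The "flag" rules
are this example's own assumptions about what deserves a second look.
"""
import re
from collections import Counter
from dataclasses import dataclass

# The script posted in this thread, used here as sample input.
SAMPLE_CFSCRIPT = r"""KillAll::
ClearJavaCache::
File::
C:\Documents and Settings\Computer\Local Settings\Application Data\0k23om0f05f343
C:\Documents and Settings\All Users\Application Data\0k23om0f05f343
C:\Documents and Settings\Computer\Templates\0k23om0f05f343
C:\Documents and Settings\Computer\Local Settings\Application Data\o46m08r2kous668313xtbml47c0l680o07f
C:\Documents and Settings\Computer\Templates\o46m08r2kous668313xtbml47c0l680o07f
C:\Documents and Settings\All Users\Application Data\axLuD5M.dat
Folder::
C:\Documents and Settings\Computer\Local Settings\Application Data\sfjhhunoq
C:\Documents and Settings\Computer\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"PDF4 Registry Controller"=-
"""

# Assumed review policy: deletions here hit the OS rather than profile
# droppings, so a reviewer should confirm each one by hand.
SENSITIVE_PATH_PREFIXES = ("c:\\windows\\system32", "c:\\windows\\inf")
SENSITIVE_KEY_FRAGMENTS = ("\\services\\",)

@dataclass
class Action:
    kind: str       # killall | clearjavacache | file | folder | regkey | regvalue
    target: str
    flag: str = ""  # non-empty when the reviewer should look twice

def _flag_path(path):
    return "system directory" if path.lower().startswith(SENSITIVE_PATH_PREFIXES) else ""

def _flag_key(key):
    k = key.lower() + "\\"
    return "service key" if any(f in k for f in SENSITIVE_KEY_FRAGMENTS) else ""

def parse_cfscript(text):
    actions, section, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                      # directive header
            name = line[:-2].lower()
            if name in ("killall", "clearjavacache"):
                actions.append(Action(name, "*"))    # takes no operands
                section = None
            else:
                section = name
            continue
        if section in ("file", "folder"):
            actions.append(Action(section, line, _flag_path(line)))
        elif section == "registry":
            # .reg syntax: [key] selects a key, [-key] deletes it,
            # "name"=- deletes a value, "name"=data sets it.
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
                if key.startswith("-"):
                    key = key[1:]
                    actions.append(Action("regkey", key, _flag_key(key)))
            else:
                m = re.match(r'"([^"]+)"=(.*)$', line)
                if m and key:
                    name, data = m.groups()
                    op = "delete" if data == "-" else "set"
                    actions.append(Action("regvalue", f"{key}\\{name} ({op})", _flag_key(key)))
    return actions

def summarize(actions):
    """Counts per action kind plus the list of flagged targets."""
    counts = dict(Counter(a.kind for a in actions))
    flagged = [f"{a.kind}: {a.target} [{a.flag}]" for a in actions if a.flag]
    return counts, flagged

if __name__ == "__main__":
    acts = parse_cfscript(SAMPLE_CFSCRIPT)
    for a in acts:
        print(f"{a.kind:14} {a.target}" + (f"   <-- {a.flag}" if a.flag else ""))
    print(summarize(acts))
```

Run against the script above it reports one KillAll, one ClearJavaCache, six files, two folders and one registry value deletion, none of them flagged, which is what you would expect for a script aimed only at profile and All Users droppings.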
  #5  
Old 12-28-11, 16:39
Denver5613 (Private First Class)

Thanks for the reply, thisisu. I have done as you directed. Combofix again found a rootkit infection. The LAN wired internet at work does not connect and I get the same limited connectivity message. However, I am not at home so I cannot say about the wireless until I get home tonight. I have attached the three new logs you requested.
Attached Files
File Type: txt FSS.txt (1.3 KB, 5 views)
File Type: txt ComboFix.txt (11.6 KB, 4 views)
File Type: zip MGlogs.zip (239.8 KB, 5 views)
  #6  
Old 12-28-11, 16:46
thisisu (Malware Consultant, Houston, TX)

Looks like afd.sys is faked.

Did you run the .bat file (fixme+restart.bat) I requested?
  #7  
Old 12-28-11, 16:53
Denver5613 (Private First Class)

Yes, I did. The computer restarted. FYI, the FSS txt file I sent was from yesterday; I have attached another one I ran just a minute ago, and it still shows afd.sys in the txt file.
Attached Files
File Type: txt FSS12-28-2011.txt (2.0 KB, 4 views)
  #8  
Old 12-28-11, 16:56
thisisu (Malware Consultant, Houston, TX)

Attach the fixme_results.txt file from your desktop.
  #9  
Old 12-28-11, 16:59
Denver5613 (Private First Class)

Sorry, I thought I did. Here you go...
Attached Files
File Type: txt fixme_results.txt (1.4 KB, 4 views)
  #10  
Old 12-28-11, 17:03
thisisu (Malware Consultant, Houston, TX)

No problem.

Open Farbar Service Scanner
Type the following in the edit box after "Search:".

afd.sys

Click the Search Files button and post the log (FSS.txt) it makes to your reply.
  #11  
Old 12-28-11, 17:08
Denver5613 (Private First Class)

Here you are...
Attached Files
File Type: txt FSS afdsys search.txt (1.5 KB, 8 views)
  #12  
Old 12-28-11, 17:18
thisisu (Malware Consultant, Houston, TX)

Attached is fix.zip.
Inside is:
fix.bat

Extract fix.bat to your desktop and run it.
When finished, a Notepad window should open and say: "1 file(s) copied"

If you received that message, then reboot your PC and test out your internet.
Attached Files
File Type: zip fix.zip (276 Bytes, 63 views)
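Posts #6, #10 and #12 together describe the standard XP check for a patched system driver: afd.sys "is faked", Farbar Service Scanner is asked to list every copy of afd.sys on disk, and fix.bat ends with "1 file(s) copied". The thread does not show fix.bat's contents, so the reading that it copied a known-good afd.sys back over the live one is an assumption. The comparison step itself is what the added example below does; it is not Farbar's or thisisu's code. It hashes each copy of a driver, groups identical copies, and reports the ones that disagree with the rest. The XP paths in XP_AFD_COPIES are the normal locations of the live driver and its two reference copies; the demo builds throwaway files in a temporary directory rather than reading a real system.

```python
"""Cross-check a system driver against its on-disk backup copies.

Added example, not from the thread or any tool in it. Hash each copy of a
driver, group identical copies, and report the ones that disagree with the
majority. On XP the live driver lives in system32\drivers and Windows keeps
two reference copies (dllcache and ServicePackFiles\i386).
"""
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

# Standard XP locations (constants for reference; the demo does not read them).
XP_AFD_COPIES = {
    "drivers":          r"C:\WINDOWS\system32\drivers\afd.sys",
    "dllcache":         r"C:\WINDOWS\system32\dllcache\afd.sys",
    "servicepackfiles": r"C:\WINDOWS\ServicePackFiles\i386\afd.sys",
}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_copies(copies):
    """copies: {label: path}. Returns (report, outliers).

    report maps label -> (size, sha256) for the copies that exist.
    outliers lists the labels whose digest differs from the most common one.
    Caveats: if no two copies agree, every label is returned (nothing on the
    box can be trusted as a reference); and agreement among all copies does
    not prove cleanliness, since some infections patch the backups too. The
    final word is a hash taken from clean install media of the same service
    pack.
    """
    report = {}
    for label, path in copies.items():
        if os.path.exists(path):
            report[label] = (os.path.getsize(path), sha256_of(path))
    if len(report) < 2:
        return report, []                      # nothing to compare against
    counts = Counter(d for _, d in report.values())
    top_digest, top_count = counts.most_common(1)[0]
    if top_count < 2:
        return report, sorted(report)          # no two copies agree
    outliers = sorted(l for l, (_, d) in report.items() if d != top_digest)
    return report, outliers

def demo():
    """Constructed scenario: two intact reference copies, one patched live driver."""
    clean = b"MZ" + b"\x00" * 62 + b"afd-clean-demo" * 100      # placeholder bytes
    patched = clean[:200] + b"PATCHED-HOOK" + clean[212:]        # same size, altered body
    with tempfile.TemporaryDirectory() as root:
        paths = {}
        for label, data in (("drivers", patched), ("dllcache", clean),
                            ("servicepackfiles", clean)):
            p = os.path.join(root, label, "afd.sys")
            os.makedirs(os.path.dirname(p))
            with open(p, "wb") as f:
                f.write(data)
            paths[label] = p
        report, outliers = compare_copies(paths)
    sizes = {label: size for label, (size, _) in report.items()}
    return sizes, outliers

if __name__ == "__main__":
    sizes, outliers = demo()
    print("sizes:", sizes)
    print("copies disagreeing with the majority:", outliers or "none")
```

Note that the patched copy in the demo has the same size as the clean ones; that is why the comparison hashes the contents rather than trusting the size and date columns a file listing shows.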
  #13  
Old 12-28-11, 17:38
Denver5613 (Private First Class)

Well, the LAN at work now says "connected, firewalled" as it should but I still can't get IE to open a page. This is something with our work network, I believe, and not your problem.

However, the good news is that the firewall is back on, the yellow Windows update shield has appeared after having gone missing for months, and I am optimistic that when I get home my wireless may work. I'll check back in later tonight or tomorrow after testing the wireless at home, but in the meantime, thank you thank you! I feel like we at least made progress today!

Cheers
  #14  
Old 12-28-11, 17:39
thisisu (Malware Consultant, Houston, TX)

You're welcome. Keep me informed
  #15  
Old 12-28-11, 20:23
Denver5613 (Private First Class)

So, the internet reports that it is connected, and I am no longer getting the limited connectivity message, but neither IE nor Firefox will pull up any pages. I get a "firefox cannot find the server at www.google.com" error. Similarly, iTunes will not connect to the store and MS Outlook will not connect either. My PC appears to be connected, but will not connect. Any more ideas? I am on our other computer right now, obviously.
  #16  
Old 12-28-11, 20:26
thisisu (Malware Consultant, Houston, TX)

Please download MiniToolBox and save it to your desktop and run it.

Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List IP configuration
  • List Winsock Entries
  • List Devices -> All
  • List last 10 Event Viewer log
Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
  #17  
Old 12-28-11, 20:43
Denver5613 (Private First Class)

Attached
Attached Files
File Type: txt Result.txt (34.4 KB, 9 views)
  #18  
Old 12-28-11, 21:24
thisisu (Malware Consultant, Houston, TX)

Code:
Name: Broadcom NetXtreme Gigabit Ethernet
Description: Broadcom NetXtreme Gigabit Ethernet
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom
Service: b57w2k
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
Do you know how to get into the Device Manager to check to see if this is disabled? If it is disabled, it will have a red X near the following device in Network Adapters:
  • Broadcom NetXtreme Gigabit Ethernet

Its service appears to be started; it's just disabled, which would prevent internet access.
Code:
b57w2k              TRUE     OK
  #19  
Old 12-28-11, 21:39
thisisu (Malware Consultant, Houston, TX)

I also see a few errors like the below:
Code:
Error: (12/28/2011 08:39:37 AM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: socket() failed (Socket error 10050)
This may suggest that your TCP/IP stack is completely dead.

Here are the steps to resolve this; I would like you to try the below.

Click Start, and then click Run.
In the Open box, type regedit, and then click OK.
In Registry Editor, locate the following keys, right-click each key, and then click Delete:
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
When you are prompted to confirm the deletion, click Yes.
Close the Registry Editor.

Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
On the General tab, click Install, select Protocol, and then click Add.
In the Select Network Protocols window, click Have Disk.
In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
You will be asked to reboot your PC for the changes to take effect; go ahead and do this now.

Once you have rebooted...
In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
On the General tab, click Install, select Protocol, and then click Add.
In the Select Network Protocols window, click Have Disk.
In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
Select Internet Protocol (TCP/IP), and then click OK.
Restart your computer.
Test your Internet connectivity.
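Posts #18 and #19 read two things out of the MiniToolBox Result.txt: a network adapter whose Device Manager status is "disabled (Code 22)", and a service logging "socket() failed (Socket error 10050)", which is WSAENETDOWN ("network is down") and points at the Winsock/TCP/IP stack itself rather than at DNS or a proxy. The script below is an added example, not MiniToolBox's code, that performs that triage over the excerpts quoted above. The Broadcom device block and the JavaQuickStarterService error are copied from the thread; the second, healthy wireless adapter is constructed for contrast; the "Field: value" layout is taken from those excerpts and assumed to hold for the rest of the file.

```python
"""Triage a MiniToolBox Result.txt for a disabled network adapter and for
Winsock socket() failures (the two symptoms raised in posts #18 and #19).

Added example; not MiniToolBox's code. The field layout is inferred from the
excerpts quoted in the thread and assumed to hold for the rest of the file.
"""
import re

NET_CLASS_GUID = "{4D36E972-E325-11CE-BFC1-08002BE10318}"  # Device Manager "Net" class
WSAENETDOWN = 10050  # Winsock "Network is down": the stack itself is unusable

# First device and the event are from the thread; the second device is constructed.
SAMPLE_RESULT = """Name: Broadcom NetXtreme Gigabit Ethernet
Description: Broadcom NetXtreme Gigabit Ethernet
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom
Service: b57w2k
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Example Wireless Adapter (constructed)
Description: Example Wireless Adapter (constructed)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Example Corp
Service: examplewl

Error: (12/28/2011 08:39:37 AM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: socket() failed (Socket error 10050)
"""

EVENT_RE = re.compile(r"(Error|Warning): \((.*?)\) \(Source: (.*?)\) \(User: (.*?)\)")
FIELD_RE = re.compile(r"([A-Za-z ]+):\s*:?\s*(.*)$")   # tolerates "Problem: : text"

def parse_result(text):
    """Return (devices, events): device dicts keyed by field, event dicts."""
    devices, events, current = [], [], None
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:                                   # event lines end the device section
            if current:
                devices.append(current)
                current = None
            level, when, source, user = m.groups()
            events.append({"level": level, "time": when, "source": source,
                           "user": user, "description": ""})
            continue
        if line.startswith("Name: "):           # a new device block
            if current:
                devices.append(current)
            current = {"Name": line[6:].strip()}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        if current is not None:
            current[field] = value
        elif events and field == "Description":
            events[-1]["description"] = value
    if current:
        devices.append(current)
    return devices, events

def triage(text):
    """Findings a responder should act on, in the order they appear."""
    devices, events = parse_result(text)
    findings = []
    for d in devices:
        if d.get("Class Guid", "").upper() != NET_CLASS_GUID:
            continue                            # only network-class devices matter here
        m = re.search(r"\(Code (\d+)\)", d.get("Problem", ""))
        if m:
            findings.append(f"network adapter '{d['Name']}' (service {d.get('Service', '?')}) "
                            f"reports Device Manager code {m.group(1)}: {d['Problem']}")
    for e in events:
        m = re.search(r"Socket error (\d+)", e["description"])
        if m and int(m.group(1)) == WSAENETDOWN:
            findings.append(f"{e['source']} at {e['time']}: socket() failed with WSAENETDOWN "
                            f"({WSAENETDOWN}); the TCP/IP stack is unusable, not just DNS or a proxy")
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_RESULT):
        print("-", f)
```

The constructed wireless adapter has no Problem line and so produces no finding; that matches the question in post #20, since the repair being discussed is specific to the wired adapter's disabled state, while a WSAENETDOWN failure affects every adapter on the machine.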
  #20  
Old 12-28-11, 22:00
Denver5613 (Private First Class)

Thanks again for your help. I am following your directions, however, be advised that the wireless connection is the one I really want to work, as I have no LAN cable internet at my house and I see you have me working on the gigabit ethernet connection here. Will this fix the wireless connection too?