MajorGeeks Support Forums

Malware Removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.
#1
12-30-11, 13:08
thekops
Rootkit zeroaccess cleaned by Combofix but still no internet access

I have a Dell Dimension 4600 with XP Home SP3 that has not been able to connect to the internet since Avast found and cleaned a virus about mid-Dec. After booting it shows: "Avast will not be able to protect mail/news (error 10050). Please check that the Avast service (AvastSVC.exe) is not blocked by your personal firewall". Plus my SYSTRAY shows "Acquiring network address..." continually.

I completed the "read and run me first" with the following results:

a. Internet connection is still broken and "Acquiring network address..." still shows continually.
b. While doing backup of the data, found many folders were changed to be HIDDEN (which ComboFix seemed to clear up some). I was still able to backup the data because of "view hidden files..." settings.
c. Updating Java steps stated 7.1 as the current version, but the link took me to 6.30 so I used that one (wasn't sure where to find 7.1).
d. Ran SUPERAntiSpyware. It found an old version and uninstalled it first. After the new one installed, found the screens were rather different than the instructions, but I was able to find and set as directed. It found and cleaned 1 item. I tried using its "Repair Broken Network..." but still no internet connection.
e. Ran Malwarebytes. Probably due to no internet, received error "PROGRAM_ERROR_UPDATING (11004,0,No Address found)" but the application still opened. I exited the program, manually downloaded the updates and installed them, but got "The Malware Anti-Malware database is missing or corrupt. Would you like to download a new copy?" I answered NO since no internet connection. Got another error: "Product files are missing or corrupt, please reinstall product PROGRAM_ERROR_LOAD_DATABASE (0,13,SDKCreate)." So I reinstalled Malwarebytes, got same 11004 message. It still opened the application and I continued with your instructions. Nothing was found.
f. Ran Combofix. It found "rootkit.zeroaccess... particularly difficult infection...". When done, still no internet connection. I tried their "manually repair" steps but still no internet connection.
g. Ran RootRepeal with no problems.
h. Ran MGtools with no problems.

Thanks for all the good that you do in this forum.
Attached Files
File Type: txt SASlog.txt (682 Bytes, 2 views)
File Type: txt MBAMlog.txt (1.8 KB, 2 views)
File Type: txt COMBOlog.txt (17.4 KB, 2 views)
File Type: txt RRlog.txt (568 Bytes, 2 views)
#2
12-30-11, 13:09
thekops
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

Here is the fifth log.
Attached Files
File Type: zip MGlogs.zip (138.9 KB, 3 views)
#3
12-30-11, 21:50
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

The infection you have causes significant damage to the Windows Operating System. It shuts down many required services and corrupts many registry keys. It takes quite a bit of work to fix. So let's begin.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP\0000]
"Service"="Dhcp"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="DHCP Client"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP\0000\Control]
"ActiveService"="Dhcp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"DisplayName"="AFD"
"Description"="AFD Networking Support Environment"
"Group"="TDI"
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000]
"DeviceDesc"="AFD"
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000\Control]
"ActiveService"="AFD"
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

Please download MiniToolBox and save it to your desktop and run it by right clicking and selecting Run As Administrator.


Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List IP configuration
  • List Winsock Entries
  • List Devices -> All
  • List last 10 Event Viewer log
Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.

Now download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
  • Now open Repair_Windows.exe
  • Go to Start Repairs tab.
  • Choose "Custom Mode" and press "Start".
  • Create a System Restore point if prompted.
  • In the Custom Mode window, select the following repair options:
    • Repair Windows Firewall
    • Repair Internet Explorer
    • Repair Hosts File
    • Remove Policies Set By Infections
    • Repair Winsock & DNS Cache
    • Repair Windows Updates
  • Now click the Start button.
  • Be patient while the tool repairs the selected items.
  • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.
Now please click Start, Run and type services.msc into the Run box and click OK. This will open up the Services form. Scroll down to the Application Layer Gateway Service service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Manual.

Now locate the IPSEC Services service, Start it and set the Startup type to Automatic. Did this Start?

Now locate the DNS Client service, Start it and set the Startup type to Automatic. Did this Start?

Now locate the Windows Firewall/Internet Connection Sharing (ICS) service, Start it and set the Startup type to Automatic. Did this Start?

Now locate the Plug and Play service, Start it and set the Startup type to Automatic. Did this Start?

Now locate the Workstation service, Start it and set the Startup type to Automatic. Did this Start?

Now locate the Server service, Start it and set the Startup type to Manual. Did this Start?

Now locate the Computer Browser service, Start it and set the Startup type to Automatic. Did this Start?

Now locate the TCP/IP NetBIOS Helper service, Start it and set the Startup type to Automatic. Did this Start?

Now locate the SSDP Discovery Service service, Start it and set the Startup type to Manual. Did this Start?


Now Click Start, then Run, and type cmd into the Run box and click OK. This will bring up the command prompt. Now enter the below commands into the command prompt window one at a time, each followed by the Enter key. Tell me EXACTLY what message you get for each.

netsh int ip reset resetlog.txt


Now no matter what has happened above, continue to do the below.

Reboot your PC!!!!

After reboot, please download Farbar Service Scanner and run it
  • Make sure to put a check in each of the check boxes for
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach this log to your next reply.
Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:
  • the Result.txt log from MiniToolBox
  • the FSS.txt log from Farbar's Service Scanner
  • C:\MGlogs.zip
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
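Added example (not from the post or any of the tools it names): a small Python checker that parses .reg text in the format of the fixme.reg above and reports which of those AFD keys or values are missing or changed in a second export, which is how a responder would confirm the merge actually took rather than trusting the "success" dialog. The sample inputs are constructed: the AFD section of fixme.reg with its "Security" hex value trimmed, and a "damaged" export in which AFD is still disabled (Start=4) and its Security subkey is gone.

```python
import re
# Constructed sample: the AFD part of the fixme.reg above, "Security" hex trimmed.
EXPECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"Start"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
"Security"=hex:01,00,14,80,\
  90,00,00,00
'''
# Constructed export of a still-damaged machine: AFD disabled (Start=4), no Security subkey.
DAMAGED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"Start"=dword:00000004
'''
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg escapes \ and " with a backslash

def _parse_value(rhs):
    if rhs.startswith('"') and rhs.endswith('"'):
        return _unescape(rhs[1:-1])
    if rhs.startswith('dword:'):
        return int(rhs[6:], 16)
    if rhs.startswith('hex:'):
        return bytes(int(b, 16) for b in rhs[4:].split(',') if b.strip())
    raise ValueError(f'unsupported value syntax: {rhs!r}')

def parse_reg(text):
    """Parse .reg text into {key path: {value name: str | int | bytes}}."""
    joined = re.sub(r'\\\r?\n\s*', '', text)  # fold hex continuation lines
    keys, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Windows Registry Editor', ';')):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f'unparseable line: {raw!r}')
        current[_unescape(m.group(1))] = _parse_value(m.group(2))
    return keys

def check_keys(expected, actual):
    """List every expected key/value that is missing or different in actual."""
    findings = []
    for key, values in expected.items():
        if key not in actual:
            findings.append(f'MISSING KEY {key}')
            continue
        for name, want in values.items():
            got = actual[key].get(name)
            if got is None:
                findings.append(f'MISSING VALUE {key}\\{name}')
            elif got != want:
                findings.append(f'MISMATCH {key}\\{name}: expected {want!r}, found {got!r}')
    return findings
```

On a real machine the second input would be a `reg export` of the same keys taken after the merge and reboot; an empty findings list means the repair held.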
#4
12-31-11, 09:17
thekops
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

Thanks for your quick reply. Here are my results:

a. Ran fixme.reg & got error: "Cannot import c:\Documents and settings\Owner\Desktop\fixme.reg: Error accessing registry".

b. Ran MiniToolBox & got error: "Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced".

I booted into SAFE MODE and set the Administrator account with a password, then booted back into Normal Mode. Saw a notice popup in my SYSTRAY about some update available for DIVx so I checked my internet connection and found it working with Internet Explorer. Firefox is still not working. I also noticed many of the folders under Program Files are also still in a HIDDEN state (example: CCleaner folder, Mozilla Firefox folder, etc).

c. Ran fixme.reg again & got a different error: "Cannot import c:\Documents and settings\Owner\Desktop\fixme.reg not all data was successfully written to the registry. Some keys are open by the system or other processes."

d. Ran MiniTool again (using new administrator password I created) & got same error as above.

e. Ran WindowsRepair with no problems and rebooted when prompted (seeing all 6 of 6 jobs completed).

Results of services.msc instructions:
Application Layer - shows started and manual.
IPSEC - shows started and auto.
DNS Client - shows started and auto.
Windows Firewall - shows started and auto.
Plug and Play - shows started and auto.
Workstation - shows started and auto.
Services - shows started, was auto, set to manual.
Computer Browser - shows started and auto.
TCP/IP - shows started and auto.
SSDP Discover - shows started and manual.

Results of netsh... in cmd box: it did not display anything and just went back to the C:... prompt.

Attached are 2 of 3 logs (since MiniTools could not be run).

Things are looking better and better! I will continue to wait for further instructions before using this computer. Have a Happy New Year!
Attached Files
File Type: txt FSS.txt (2.2 KB, 2 views)
File Type: zip MGlogs.zip (149.9 KB, 5 views)
#5
12-31-11, 12:44
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

Quote:
Originally Posted by thekops View Post
I also noticed many of the folders under Program Files are also still in a HIDDEN state (example: CCleaner folder, Mozilla Firefox folder, etc).
Run the below and tell me if it helps.

Please download and save the below tool from Grinler @ bleepingcomputer to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

http://download.bleepingcomputer.com/grinler/unhide.exe

Now run it. Now see if you can find the items that seemed to be missing ( like shortcuts, Start Programs... etc )?
#6
01-02-12, 12:37
thekops
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

Ran it and now folders that are supposed to be visible ARE visible. Thanks.

So are we done? I have internet connection now with Internet Explorer. But not with Mozilla (which I can easily uninstall and reinstall).
#7
01-02-12, 17:51
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

Quote:
Originally Posted by thekops View Post
So are we done?
Logs look good. But before we finish, tell me what happened after the reinstall of Firefox.
#8
01-02-12, 21:13
thekops
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

I did not reinstall Firefox yet until you approved. Will do and then get back with you.
#9
01-04-12, 09:15
thekops
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

Uninstall and reinstall of Mozilla Firefox did not help. It still does not start up. I did KEEP personal data and customer information. Should I have totally deleted and then reinstalled?

I also see some automatic windows updates downloaded and required me to reboot.
#10
01-04-12, 18:43
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

Quote:
Originally Posted by thekops View Post
Uninstall and reinstall of Mozilla Firefox did not help. It still does not startup. I did KEEP personal data and customer information. Should I have totally deleted and then reinstalled?

I also see some automatic windows updates downloaded and required me to reboot.
Yes, it would be better to uninstall Firefox completely, which means also deleting all the related folders:
  • C:\Program Files\Mozilla Firefox
  • C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla
Then reboot. After reboot reinstall Firefox but do not reinstall any addons initially until you are sure it is working properly.
#11
01-05-12, 09:48
thekops
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

Yippee! Mozilla is now working! Instead of using original install file, I downloaded a clean and updated version of Mozilla. I will import the old bookmarks later after I'm sure all is working and the computer is clean.

What's next?
#12
01-05-12, 21:20
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

Quote:
Originally Posted by thekops View Post
What's next?

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /uninstall
      • Notes: The space between the combofix" and the /uninstall, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  7. Go to add/remove programs and uninstall HijackThis.
  8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work thru the below link:
#13
01-06-12, 13:36
thekops
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

Thanks once again for all your help. Completed the final steps and all looks great!

You truly provide a great service!
#14
01-06-12, 14:46
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit zeroaccess cleaned by Combofix but still no internet access

You're welcome and thanks!

Surf safely.
All times are GMT -5.