Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

[visitavisroy]

Dell Inspiron mini with Window XP, 32 bit, sp3 installed. Google searches were redirecting for a few days in Mozilla Firefox. Found AVG scan components absent. Did some search on google forums and took advise of running ComboFix after removing AVG. Post combofix, unable to connect to internet. Lists wireless networks but no ip is allocated. Task manager shows no active network adapters. Wired ethernet also same status. Re-installed driver of wireless card (Dell Wireless 1397 WLAN Minicard) from Dell cd but no luck.

Also it is now taking too long to start up and show active task bar. Sometimes shutdown is taking much longer than usual and gets stuck with the shutdoen screen.

Followed and ran all the processes of READ ME AND RUN ME FIRST. The logs are attached.

Any help will be much appreciated. Thanks in advance for your time!

[visitavisroy]

MGlogs attached now.

[chaslang]

Welcome to Major Geeks!

Please see step 4 of the READ & RUN ME and run MSconfig and put your PC in normal startup mode as requested.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

ClearJavaCache::
KILLALL::

Fcopy::
C:\WINDOWS\system32\dllcache\ipsec.sys | C:\WINDOWS\System32\drivers\ipsec.sys

Folder::
C:\WINDOWS\$NtUninstallKB48732$
C:\Documents and Settings\Bubble\Local Settings\temp\{1D688AB8-E9D2-4FD6-805E-F4547BDCA514}
C:\Documents and Settings\Bubble\Local Settings\temp\{D6CC266B-CC66-4425-9F8E-717A36C17B54}

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

Now continue with the below procedure:

1. Go to Start ==> Run (or Windows key+R)
   • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
     (note that there is space after notepad)
   • The above file will open in the notepad.
   • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
   • Edit 0xA0 and replace it with 0x80 (replace A with 8)
   • Under File menu click Save and close the notepad.
2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
   • On the General tab, click Install a popup window opens.
   • Select Protocol from the list and then click Add.
   • A new window opens, click Have Disk....
   • In the browse... box type c:\windows\inf
     
   • Click OK.
   • Select Internet Protocol (TCP/IP), and then click OK.
   • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
   • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
3. Go to Start ==> Run (or Windows key+R)
   • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
     (note that there is space after notepad)
   • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
   • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
   • Under File menu click Save and close the notepad.
4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
   • On the General tab, click Install
   • A popup window opens. Select Protocol.
   • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
   • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
   
   
   Then attach the below logs:
   • the new combofix.txt log
   • C:\MGlogs.zip

[visitavisroy]

First I must thank you profusely for your time and attention to my problem.

I followed all your exact instructions. ComboFix actually detected ZeroAccess Rootkit again, so clearly it was not removed initially.

After combofox and reboot, the internet connection was actually back!! yet, to follow your full prescription, I went through the rest of the 5 steps to re-intall the TCP/IP stack.

The internet connectivity is back now - both wired and wireless. I have made some test searches and no re-directions have been observed.

You are GOD. ABSOLUTE RESPECT!

The 2 logs are attached. Now that the connectivity is back, should I remove the tools recently installed and re-install AVG? Please advise.

Thanks again and again!

[visitavisroy]

Hi chaslang, couple of hours back when I made the last post, everything was fine as I had mentioned. I had kept the machine shutdown because there was no anti-virus running and it was connected to the net.

I started the computer a few minutes back to take a few files and strangely the machine was back to its previous state - no connectivity, no active network adapters detected

I rebooted the machine, but no luck.

May be the malware is still there and messing around.

[chaslang]

Quote:

Originally Posted by visitavisroy

I started the computer a few minutes back to take a few files and strangely the machine was back to its previous state - no connectivity, no active network adapters detected

Okay then let's get some new logs because your last ones looked okay other than one question I have. Inside the MGlogs.zip file is a log named nwktst.txt. Did you edit this file to insert questions marks in a few locations?

• Make sure your network cable is plugged in even if you do not have the ability to get a connection to work.
• Shutdown your AV
• Then rerun C:\MGtools\GetLogs.bat and attach the new MGlogs.zip file.

[visitavisroy]

I am 100% sure I have not tried to edit anything in the logs. Kept the network cable connected now, No AV, rerun the MGtool. New logs attached.

Thanks for your response.

[chaslang]

Okay we need to run a couple other scans and then apply some additional fixes.


Goto the below link and follow the instructions for running TDSSKiller from Kaspersky

• TDSSkiller - How to run

• Be sure to attach your log from TDSSKiller

Now please also download MBRCheck to your desktop.

See the download links under this icon

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

ClearJavaCache::
KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
00,73,00,79,00,73,00,00,00
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"
"Description"="IPSEC driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum]
"0"="Root\\LEGACY_IPSEC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC\0000]
"Service"="IPSec"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="IPSEC driver"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0013"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC\0000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC\0000\Control]
"ActiveService"="IPSec"

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

Now please download Farbar Service Scanner and run it on the computer with the issue.

• Put a check mark in each option box on the left side.
• Click "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please attach this log to your next reply.

If you do no have a network connection at this point, rerun the procedure from the 2nd half of message #3 with nettcpip.inf again

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• FSS.txt
• C:\MGlogs.zip

How are things working now?

[visitavisroy]

Thanks again for your advises. Ran the TDSSKiller, MBRcheck and Combofix as instructed.

This time ZeroAccess Rootkit was not detected while running ComboFix. However, unlike last time, the network connectivity was not back after reboot post-ComboFix.

Ran Farbar Service Scanner. Still no connectivity.

So re-ran the procedure from the 2nd half of message #3 with nettcpip.inf again. BUT at the last stage (step 4 of the procedure), when I clicked OK after selecting Internet Protocol (TCP/IP), it popped up an error message as "Access is Denied". So, could not complete this procedure.

Ran MGtools getlogs. Attached MGlogs and error message snapshot in next message.

[visitavisroy]

MGlogs and error screenshot attached now.

2 observations:

- at step 2 of nettcpip.inf procedure, while selecting Internet Protocol (TCP/IP), I observed that it was not digitally signed

- At step 4 of the procedure, in the Network Connections window, both the wired and wireless network connection icons had 'connected' written underneath them though there was no connection.

[chaslang]

Okay some additional registry entries for services have now gone missing. When I last had you run the fix with ComboFix, only the IPSec service had entries missing. Now several other services are missing from the registry. And in addition, the fix with ComboFix was only able to partially restore the IPSec service. I'm wondering if there are permissions issue broken in the registry and also whether there is still some active component of the infection that is hiding somewhere. Let's run another tool to check deeper for possible infections and also attempt some fixed to correct permissions.



Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to Start Repairs tab.
• Choose "Custom Mode" and press "Start".
• Create a System Restore point if prompted.
• In the Custom Mode window, select the following repair options:
  • Reset Registry Permissions
  • Register System Files
  • Repair WMI
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• If asked to reboot the computer for the changes to take affect, make sure other tasks in the program are not still running before accepting to restart.

Now download SubInACL.msi from Microsoft.

• Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
• Now download the below file and save it to your Desktop:
  • resetperm.cmd
• Now double click on resetperm.cmd to run this script. Be patient as this may take awhile to run.

Once it finishes, reboot your PC and then continue with the below.



Please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
  
  Code:

  netsvcs
  /md5start
  afd.sys
  atapi.sys
  csrss.exe
  dhcpcsvc.dll
  explorer.exe
  lsass.exe
  nsiproxy.sys
  regedit.exe
  services.exe
  svchost.exe
  tcpip.sys
  tdx.sys
  userinit.exe
  winlogon.exe
  /md5stop
  %systemdrive%\*.*
  %systemdrive%\MGtools\*.*
  %systemroot%\*. /mp /s
  %systemroot%\system32\*.sys /90
  %systemroot%\system32\*.exe /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles
  %windir%\assembly\GAC\*.ini
  %windir%\assembly\GAC_MSIL\*.ini
  %windir%\assembly\gac_32\*.ini
  %windir%\assembly\gac_64\*.ini
  %windir%\assembly\temp\*.ini
  %windir%\assembly\tmp\u /s
  %allusersprofile%\application data\*.exe
  hklm\system\currentcontrolset\services\dhcp
  hklm\system\currentcontrolset\services\afd
  hklm\system\currentcontrolset\services\tdx
  hklm\system\currentcontrolset\services\tcpip
  hklm\system\currentcontrolset\services\nsiproxy
  hklm\software\microsoft\windows\currentversion\run
  hklm\software\microsoft\windows\currentversion\runonce

• Now click the Run Scan button.
• Two reports will be created:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
• Attach both OTL.txt and Extras.txt to your next message. (See how to attach)

[visitavisroy]

Hi! Thanks again for spending so much time on my problem and trying so hard to solve it. Whether or not my machine finally gets fixed, you will always have my best wishes.

I performed your instructions. The logs are attached.

While executing the Repair_Windows.exe, an error popped up several times. A screenshot is attached. The program went on everytime I clicked OK. So not sure whether the program could actually do the job it was supposed to do.

Just for sake of records, no connectivity yet.

Thanks again.

[chaslang]

You're welcome.

Quote:

Originally Posted by visitavisroy

While executing the Repair_Windows.exe, an error popped up several times.

Yes this is due to the Microsoft program named psexec.exe crashing. The Windows Repair program makes use of this to perform the repairs. I can see the crashes in your Extras.txt log

Quote:

[ Application Events ]
Error - 08/05/2012 06:43:51 | Computer Name = FUNBOOK | Source = Application Error | ID = 1000
Description = Faulting application psexec.exe, version 1.98.0.0, faulting module
psexec.exe, version 1.98.0.0, fault address 0x00002b46.

Not sure if the repairs actually worked or not but let's continue. To attempt repair to all the damage this infection has caused.

Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

WARNING: The below fix is only meant for visitavisroy and no other PCs!!!


Download the below file and save it to your Desktop

visitavisroy.reg

Then double click on it and allow it to be added to your registry. Let me know if you receive a success message. You may receive a message stating something like not all keys were successfully added or merged to the registry.

Now reboot your PC.

If you do no have a network connection at this point, rerun the procedure from the 2nd half of message #3 with nettcpip.inf again


Now please download Farbar Service Scanner and run it on the computer with the issue.

• Put a check mark in each option box on the left side.
• Click "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please attach this log to your next reply.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




Then attach the below logs:

• FSS.txt
• C:\MGlogs.zip

How are things working now?

[visitavisroy]

Hi chaslang, firstly apologies for the late response; was traveling on work a bit.

Ran your instructions today. During the /scannow process, it did access the windows CD several times. The visitavisroy.reg gave a clear success message. No connectivity thereafter, so went through the nettcpip.inf procedure.

Bingo! Connectivity was back after the nettcpip.inf process. I even updated the Malwarebytes database and ran a quick scan to see there are no infections. So ran the Faber scan and MGlogs. Logs attached.

However, just like last time .... one reboot and strangely the connectivity was again gone ... as if something is getting corrupted during reboot. So, for your analysis, ran FSS and MGlogs again. These logs are named with the postfix '-after' and attached too.

[chaslang]

Repeat all the instructions in message #13 again including redownloading visitavisroy.reg
because it has been modified. This time or any time in the future, once your network access is working, DO NOT power down, reboot, reset....etc your PC. Just attach the latest logs and wait for me to get back to you.

[visitavisroy]

Hi chaslang, thanks indeed. I ran the procedure again. This time after the visitavisroy.reg successful execution and reboot, the connectivity was back. So did not have to go through the nettcpip.inf precedure. The 2 logs are attached.

Not shutting down, rebooting, etc. Will await your instructions.

Sincere thanks once again!

[chaslang]

These logs look fine, but still do not allow a reboot yet.

Did you knowingly install and do you use the below remote access applications?

O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\Bubble\Application Data\Mikogo Extra\B-Service.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe

Also I don't see where the Mikogo B-Service program is even still installed but the service is there. Did you uninstall it?


Now follow the instructions in the below to run an online scan with ESET. Attach the log. Note, it will likely find a few files like process.exe in the MGtools folder. The process.exe file is completely safe. It is just a command line task manager program ( a process manager hence the file name ).

Using ESET's Online Scanner

[visitavisroy]

Hi chaslang, yes I had installed both Mikogo and Teamviewer but uninstalled Mikogo long ago. Mikogo is a screen sharing add-on that comes with skype. I use the Teamviewer quite frequently.

Attached is the ESETScan.txt. No reboot yet.

Thanks once again.

[chaslang]

Quote:

Originally Posted by visitavisroy

but uninstalled Mikogo long ago

Okay well since it still is trying to load a service, let's remove it.

Open a command prompt window by clicking Start, Run, and enter cmd and click OK. If the window opens type each of the below commands in. Follow each by the enter key. Note there are spaces after the sc and after the stop and after the delete.

sc stop B-Service
sc delete B-Service


Now see if the below folder exists and delete it if found:
C:\Documents and Settings\Bubble\Application Data\Mikogo Extra


Now let's power down your PC ( not reboot -- power down ). Leave it powered down for at least a two minutes. Then make sure that any/all removable type devices have been disconnected from any USB ports. Then power your PC back up and see where we stand as far as having network access. Attach the below new log no matter what the status is.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below log:

• C:\MGlogs.zip

[visitavisroy]

Hi chaslang, followed all your instructions. This time connectivity was OK after starting up the machine. Finally, it seems like OK now

Attached is the logs. Should I now go ahead and re-install AVG?

Many many many thanks once again for all this effort and attention!