MajorGeeks Support Forums - Malware Removal
Malware removal forum. Please see the READ ME FIRST thread before you post. The forum is staffed by a small number of volunteers; please be patient.
#1  05-02-12, 11:28  visitavisroy (Private E-2)
Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Dell Inspiron Mini with Windows XP, 32-bit, SP3 installed. Google searches were redirecting for a few days in Mozilla Firefox. Found AVG scan components absent. Did some searching on Google forums and took the advice of running ComboFix after removing AVG. After ComboFix, unable to connect to the internet. It lists wireless networks but no IP is allocated. Task Manager shows no active network adapters. Wired Ethernet has the same status. Re-installed the driver for the wireless card (Dell Wireless 1397 WLAN Minicard) from the Dell CD but no luck.

Also it is now taking too long to start up and show an active taskbar. Sometimes shutdown is taking much longer than usual and gets stuck on the shutdown screen.

Followed and ran all the processes of READ ME AND RUN ME FIRST. The logs are attached.

Any help will be much appreciated. Thanks in advance for your time!
Attached files: SASlog.txt, Malwarebytes Anti-Malware log.txt, ComboFix.txt, RRlog.txt
#2  05-02-12, 11:29  visitavisroy (Private E-2)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

MGlogs attached now.
Attached files: MGlogs.zip
#3  05-02-12, 23:22  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Welcome to Major Geeks!

Please see step 4 of the READ & RUN ME and run MSconfig and put your PC in normal startup mode as requested.


Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
ClearJavaCache::
KILLALL::

Fcopy::
C:\WINDOWS\system32\dllcache\ipsec.sys | C:\WINDOWS\System32\drivers\ipsec.sys

Folder::
C:\WINDOWS\$NtUninstallKB48732$
C:\Documents and Settings\Bubble\Local Settings\temp\{1D688AB8-E9D2-4FD6-805E-F4547BDCA514}
C:\Documents and Settings\Bubble\Local Settings\temp\{D6CC266B-CC66-4425-9F8E-717A36C17B54}
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

Now continue with the below procedure:
  1. Go to Start ==> Run (or Windows key+R)
    • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
      (note that there is a space after notepad)
    • The above file will open in the notepad.
    • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
    • Edit 0xA0 and replace it with 0x80 (replace A with 8)
    • Under File menu click Save and close the notepad.
  2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    • On the General tab, click Install; a popup window opens.
    • Select Protocol from the list and then click Add.
    • A new window opens, click Have Disk....
    • In the browse... box type c:\windows\inf
    • Click OK.
    • Select Internet Protocol (TCP/IP), and then click OK.
    • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
    • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
  3. Go to Start ==> Run (or Windows key+R)
    • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
      (note that there is a space after notepad)
    • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
    • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
    • Under File menu click Save and close the notepad.
  4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    • On the General tab, click Install
    • A popup window opens. Select Protocol.
    • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
    • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
  5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the new combofix.txt log
    • C:\MGlogs.zip
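The four-step nettcpip.inf procedure above hinges on a single bit. Characteristics is a bitmask of NCF_* flags from netcfgx.h: 0xA0 is NCF_HAS_UI (0x80) together with NCF_NOT_USER_REMOVABLE (0x20), and the hand edit to 0x80 merely clears NCF_NOT_USER_REMOVABLE so that the Uninstall button in Local Area Connection Properties is allowed to act on TCP/IP; step 3 sets it back. The script below is an added example, not part of chaslang's instructions or of any MajorGeeks tool: it performs the step-1 and step-3 edits on the INF text itself, restricted to the primary-install section, after saving a backup. It assumes the section is named [MS_TCPIP.PrimaryInstall] (the post only calls it "TCP/IP Primary Install"); the sample INF text and its second section name are constructed.

```python
"""Added example: make the nettcpip.inf Characteristics edit from steps 1 and 3
programmatically, and only inside the primary-install section."""
import re
import shutil
import sys
from pathlib import Path

# Flag values from netcfgx.h. 0xA0 == NCF_HAS_UI | NCF_NOT_USER_REMOVABLE; the
# manual edit to 0x80 clears NCF_NOT_USER_REMOVABLE so the Uninstall button in
# Local Area Connection Properties may act on TCP/IP.
NCF_NOT_USER_REMOVABLE = 0x20
NCF_HAS_UI = 0x80

# Assumed section name; the post only calls it "TCP/IP Primary Install".
PRIMARY_SECTION = "MS_TCPIP.PrimaryInstall"
_CHAR_RE = re.compile(r"^(\s*Characteristics\s*=\s*)0x([0-9A-Fa-f]+)(.*)$", re.I)


def set_user_removable(inf_text: str, removable: bool) -> str:
    """Return inf_text with NCF_NOT_USER_REMOVABLE cleared (removable=True, the
    step-1 edit) or set again (removable=False, the step-3 edit) on the
    Characteristics line of PRIMARY_SECTION. Other sections are left alone.
    Raises ValueError unless exactly one matching line was found."""
    lines = inf_text.splitlines()
    in_section, edited = False, 0
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].strip().lower() == PRIMARY_SECTION.lower()
            continue
        m = _CHAR_RE.match(line) if in_section else None
        if not m:
            continue
        flags = int(m.group(2), 16)
        if not (flags & NCF_HAS_UI):
            raise ValueError(f"unexpected Characteristics 0x{flags:X}; not editing")
        if removable:
            flags &= ~NCF_NOT_USER_REMOVABLE
        else:
            flags |= NCF_NOT_USER_REMOVABLE
        lines[i] = f"{m.group(1)}0x{flags:X}{m.group(3)}"
        edited += 1
    if edited != 1:
        raise ValueError(f"found {edited} Characteristics lines in [{PRIMARY_SECTION}], expected 1")
    result = "\n".join(lines)
    return result + "\n" if inf_text.endswith("\n") else result


def edit_inf_file(path: Path, removable: bool) -> Path:
    """Rewrite the INF in place after saving a .bak copy; returns the backup path."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    text = path.read_text(encoding="latin-1")   # byte-preserving round trip
    path.write_text(set_user_removable(text, removable), encoding="latin-1")
    return backup


# Constructed sample in the shape of the real INF. The second section name is
# made up; it carries its own Characteristics line to show that only the
# primary-install section is touched.
SAMPLE_INF = """[Version]
Signature = "$Windows NT$"

[MS_TCPIP.PrimaryInstall]
Characteristics = 0xA0
AddReg = TcpIp.Reg

[MS_TCPIP.Example]
Characteristics = 0xA0
"""

if __name__ == "__main__":
    # usage: python fix_nettcpip.py C:\WINDOWS\inf\nettcpip.inf unlock|relock
    target, mode = Path(sys.argv[1]), sys.argv[2]
    print("backup written to", edit_inf_file(target, removable=(mode == "unlock")))
```

Run it with `unlock` before step 2 and with `relock` at step 3. Clearing the bit only lets the Uninstall button act on TCP/IP; it grants no permissions, so an "Access is Denied" at the Install step points at ACLs on the registry or driver files rather than at this flag. Always set the bit again afterwards so the protocol is not left user-removable.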
#4  05-03-12, 04:54  visitavisroy (Private E-2)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

First I must thank you profusely for your time and attention to my problem.

I followed all your exact instructions. ComboFix actually detected ZeroAccess Rootkit again, so clearly it was not removed initially.

After ComboFix and a reboot, the internet connection was actually back!! Yet, to follow your full prescription, I went through the rest of the 5 steps to re-install the TCP/IP stack.

The internet connectivity is back now - both wired and wireless. I have made some test searches and no re-directions have been observed.

You are GOD. ABSOLUTE RESPECT!

The 2 logs are attached. Now that the connectivity is back, should I remove the recently installed tools and re-install AVG? Please advise.

Thanks again and again!
Attached files: ComboFix.txt, MGlogs.zip
#5  05-03-12, 08:08  visitavisroy (Private E-2)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Hi chaslang, couple of hours back when I made the last post, everything was fine as I had mentioned. I had kept the machine shutdown because there was no anti-virus running and it was connected to the net.

I started the computer a few minutes back to take a few files and strangely the machine was back to its previous state: no connectivity, no active network adapters detected.

I rebooted the machine, but no luck.

Maybe the malware is still there and messing around.
#6  05-03-12, 22:12  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Quote:
Originally Posted by visitavisroy View Post
I started the computer a few minutes back to take a few files and strangely the machine was back to its previous state - no connectivity, no active network adapters detected
Okay then let's get some new logs because your last ones looked okay other than one question I have. Inside the MGlogs.zip file is a log named nwktst.txt. Did you edit this file to insert question marks in a few locations?
  • Make sure your network cable is plugged in even if you do not have the ability to get a connection to work.
  • Shutdown your AV
  • Then rerun C:\MGtools\GetLogs.bat and attach the new MGlogs.zip file.
#7  05-04-12, 03:36  visitavisroy (Private E-2)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

I am 100% sure I have not tried to edit anything in the logs. Kept the network cable connected, no AV, and reran MGtools. New logs attached.

Thanks for your response.
Attached files: MGlogs.zip
#8  05-05-12, 14:58  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Okay we need to run a couple other scans and then apply some additional fixes.


Go to the below link and follow the instructions for running TDSSKiller from Kaspersky.
  • Be sure to attach your log from TDSSKiller.
Now please also download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    • Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    • Found non-standard or infected MBR.
    • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
ClearJavaCache::
KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
00,73,00,79,00,73,00,00,00
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"
"Description"="IPSEC driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum]
"0"="Root\\LEGACY_IPSEC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC\0000]
"Service"="IPSec"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="IPSEC driver"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0013"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC\0000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC\0000\Control]
"ActiveService"="IPSec"
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

Now please download Farbar Service Scanner and run it on the computer with the issue.
  • Put a check mark in each option box on the left side.
  • Click "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach this log to your next reply.
If you do not have a network connection at this point, rerun the procedure from the 2nd half of message #3 with nettcpip.inf again.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • C:\ComboFix.txt
  • FSS.txt
  • C:\MGlogs.zip
How are things working now?
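The Registry:: section above recreates the IPSec kernel-driver service from scratch, which is why it is worth reading closely: the hex(2) ImagePath decodes to system32\DRIVERS\ipsec.sys, and Type 1 with Start 1 describe a kernel driver loaded at system start. As an added example (not ComboFix code and not from the thread), the Python below parses a .reg-style fragment such as this one, or a `reg export` of the Services key taken from the affected machine, and reports where the IPSec service definition deviates from those known-good values; it is the comparison you would otherwise do by eye between the "before" and "after" ComboFix logs. The sample input is the IPSec portion of the script above; the disabled variant is constructed.

```python
"""Added example: parse the Registry:: section of the CFScript above and check
that the IPSec driver service it recreates has the known-good values."""
import re
from typing import Dict, List, Optional, Union

Value = Union[int, str, bytes]
RegDump = Dict[str, Optional[Dict[str, Value]]]   # key -> values, or None if deleted

IPSEC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec"
EXPECTED_IPSEC: Dict[str, Value] = {       # values as written by the fix script
    "Type": 1,                              # SERVICE_KERNEL_DRIVER
    "Start": 1,                             # SERVICE_SYSTEM_START
    "ImagePath": r"system32\DRIVERS\ipsec.sys",
    "Group": "PNP_TDI",
}


def _parse_value(rhs: str) -> Value:
    """Decode one .reg right-hand side: dword:, "string", hex:, hex(N):."""
    if rhs.startswith("dword:"):
        return int(rhs[len("dword:"):], 16)
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", rhs)
    if not m:
        raise ValueError(f"unsupported value syntax: {rhs}")
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    reg_type = int(m.group(1) or "3")       # bare "hex:" is REG_BINARY (3)
    if reg_type in (1, 2):                  # REG_SZ / REG_EXPAND_SZ are UTF-16LE
        return data.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg(text: str) -> RegDump:
    """Parse a .reg / ComboFix Registry:: fragment. [-KEY] lines map to None."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join "...,\" hex continuation lines
    dump: RegDump = {}
    current: Optional[Dict[str, Value]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                dump[key[1:]] = None
                current = None
            else:
                current = dump.setdefault(key, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            current[m.group(1)] = _parse_value(m.group(2))
    return dump


def check_ipsec_service(dump: RegDump) -> List[str]:
    """Return every way the IPSec service key deviates from EXPECTED_IPSEC."""
    values = dump.get(IPSEC_KEY)
    if values is None:
        return [f"{IPSEC_KEY} is missing"]
    problems: List[str] = []
    for name, want in EXPECTED_IPSEC.items():
        got = values.get(name)
        if got is None:
            problems.append(f"{name} missing")
        elif isinstance(want, str):
            if str(got).lower() != want.lower():   # paths are case-insensitive
                problems.append(f"{name}={got!r}, expected {want!r}")
        elif got != want:
            problems.append(f"{name}={got}, expected {want}")
    if dump.get(IPSEC_KEY + r"\Security") is None:
        problems.append("IPSec\\Security subkey missing")  # the ACL the fix restores
    return problems


# Constructed input: the IPSec part of the fix script in the post above (trimmed).
SAMPLE_FIX = r"""[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
00,73,00,79,00,73,00,00,00
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
"""
# Constructed variant: same export but with the driver disabled (Start=4).
DISABLED_FIX = SAMPLE_FIX.replace('"Start"=dword:00000001', '"Start"=dword:00000004')
```

To cover other network services, add one expected-values entry per service key (Type, Start, ImagePath, Group) and run the same comparison; a key that is absent from the export is reported as missing, and a driver with Start=4 (SERVICE_DISABLED) or an ImagePath that is not the one under system32\DRIVERS is reported as a deviation, which is exactly the kind of damage a rootkit removal leaves behind.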
#9  05-06-12, 06:16  visitavisroy (Private E-2)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Thanks again for your advice. Ran TDSSKiller, MBRCheck and ComboFix as instructed.

This time ZeroAccess Rootkit was not detected while running ComboFix. However, unlike last time, the network connectivity was not back after reboot post-ComboFix.

Ran Farbar Service Scanner. Still no connectivity.

So re-ran the procedure from the 2nd half of message #3 with nettcpip.inf again. BUT at the last stage (step 4 of the procedure), when I clicked OK after selecting Internet Protocol (TCP/IP), it popped up an error message as "Access is Denied". So, could not complete this procedure.

Ran MGtools getlogs. Attached MGlogs and error message snapshot in next message.
Attached files: TDSSKiller.2.7.34.0_06.05.2012_10.31.12_log.txt, MBRCheck_05.06.12_10.39.22.txt, ComboFix.txt, FSS.txt
#10  05-06-12, 06:22  visitavisroy (Private E-2)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

MGlogs and error screenshot attached now.

2 observations:

- at step 2 of nettcpip.inf procedure, while selecting Internet Protocol (TCP/IP), I observed that it was not digitally signed

- At step 4 of the procedure, in the Network Connections window, both the wired and wireless network connection icons had 'connected' written underneath them though there was no connection.
Attached images: error.JPG
Attached files: MGlogs.zip
#11  05-07-12, 21:15  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Okay, some additional registry entries for services have now gone missing. When I last had you run the fix with ComboFix, only the IPSec service had entries missing. Now several other services are missing from the registry. And in addition, the fix with ComboFix was only able to partially restore the IPSec service. I'm wondering if there are permissions issues broken in the registry and also whether there is still some active component of the infection that is hiding somewhere. Let's run another tool to check deeper for possible infections and also attempt some fixes to correct permissions.



Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
  • Now open Repair_Windows.exe
  • Go to Start Repairs tab.
  • Choose "Custom Mode" and press "Start".
  • Create a System Restore point if prompted.
  • In the Custom Mode window, select the following repair options:
    • Reset Registry Permissions
    • Register System Files
    • Repair WMI
    • Remove Policies Set By Infections
    • Repair Winsock & DNS Cache
    • Repair Proxy Settings
    • Repair Windows Updates
  • Now click the Start button.
  • Be patient while the tool repairs the selected items.
  • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.
Now download SubInACL.msi from Microsoft.
  • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
  • Now download the below file and save it to your Desktop:
  • Now double click on resetperm.cmd to run this script. Be patient as this may take awhile to run.
Once it finishes, reboot your PC and then continue with the below.



Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    netsvcs
    /md5start
    afd.sys
    atapi.sys
    csrss.exe
    dhcpcsvc.dll
    explorer.exe
    lsass.exe
    nsiproxy.sys
    regedit.exe
    services.exe
    svchost.exe
    tcpip.sys
    tdx.sys
    userinit.exe
    winlogon.exe
    /md5stop
    %systemdrive%\*.*
    %systemdrive%\MGtools\*.*
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %windir%\assembly\GAC\*.ini
    %windir%\assembly\GAC_MSIL\*.ini
    %windir%\assembly\gac_32\*.ini
    %windir%\assembly\gac_64\*.ini
    %windir%\assembly\temp\*.ini
    %windir%\assembly\tmp\u /s
    %allusersprofile%\application data\*.exe
    hklm\system\currentcontrolset\services\dhcp
    hklm\system\currentcontrolset\services\afd
    hklm\system\currentcontrolset\services\tdx
    hklm\system\currentcontrolset\services\tcpip
    hklm\system\currentcontrolset\services\nsiproxy
    hklm\software\microsoft\windows\currentversion\run
    hklm\software\microsoft\windows\currentversion\runonce
  • Now click the Run Scan button.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
#12  05-08-12, 06:52  visitavisroy (Private E-2)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Hi! Thanks again for spending so much time on my problem and trying so hard to solve it. Whether or not my machine finally gets fixed, you will always have my best wishes.

I performed your instructions. The logs are attached.

While executing Repair_Windows.exe, an error popped up several times. A screenshot is attached. The program went on every time I clicked OK. So not sure whether the program could actually do the job it was supposed to do.

Just for sake of records, no connectivity yet.

Thanks again.
Attached images: error.jpg
Attached files: Extras.Txt, OTL.Txt
#13  05-09-12, 22:01  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

You're welcome.
Quote:
Originally Posted by visitavisroy View Post
While executing the Repair_Windows.exe, an error popped up several times.
Yes this is due to the Microsoft program named psexec.exe crashing. The Windows Repair program makes use of this to perform the repairs. I can see the crashes in your Extras.txt log
Quote:
[ Application Events ]
Error - 08/05/2012 06:43:51 | Computer Name = FUNBOOK | Source = Application Error | ID = 1000
Description = Faulting application psexec.exe, version 1.98.0.0, faulting module
psexec.exe, version 1.98.0.0, fault address 0x00002b46.
Not sure if the repairs actually worked or not, but let's continue and attempt to repair all the damage this infection has caused.

Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

WARNING: The below fix is only meant for visitavisroy and no other PCs!!!


Download the below file and save it to your Desktop

visitavisroy.reg

Then double click on it and allow it to be added to your registry. Let me know if you receive a success message. You may receive a message stating something like not all keys were successfully added or merged to the registry.

Now reboot your PC.

If you do not have a network connection at this point, rerun the procedure from the 2nd half of message #3 with nettcpip.inf again.


Now please download Farbar Service Scanner and run it on the computer with the issue.
  • Put a check mark in each option box on the left side.
  • Click "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach this log to your next reply.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




Then attach the below logs:
  • FSS.txt
  • C:\MGlogs.zip
How are things working now?
Last edited by chaslang; 08-20-12 at 21:32.. Reason: change stored location of reg patch
#14  05-13-12, 12:51  visitavisroy (Private E-2)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Hi chaslang, firstly apologies for the late response; was traveling on work a bit.

Ran your instructions today. During the /scannow process, it did access the windows CD several times. The visitavisroy.reg gave a clear success message. No connectivity thereafter, so went through the nettcpip.inf procedure.

Bingo! Connectivity was back after the nettcpip.inf process. I even updated the Malwarebytes database and ran a quick scan to see that there are no infections. So ran the Farbar scan and MGlogs. Logs attached.

However, just like last time .... one reboot and strangely the connectivity was again gone ... as if something is getting corrupted during reboot. So, for your analysis, ran FSS and MGlogs again. These logs are named with the postfix '-after' and attached too.
Attached files: FSS.txt, MGlogs.zip, FSS-after.txt, MGlogs-after.zip
#15  05-14-12, 21:24  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Repeat all the instructions in message #13 again, including redownloading visitavisroy.reg because it has been modified. This time or any time in the future, once your network access is working, DO NOT power down, reboot, reset...etc your PC. Just attach the latest logs and wait for me to get back to you.
Last edited by chaslang; 08-20-12 at 21:32..
#16  05-15-12, 13:22  visitavisroy (Private E-2)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Hi chaslang, thanks indeed. I ran the procedure again. This time, after the visitavisroy.reg successful execution and reboot, the connectivity was back. So did not have to go through the nettcpip.inf procedure. The 2 logs are attached.

Not shutting down, rebooting, etc. Will await your instructions.

Sincere thanks once again!
Attached files: FSS.txt, MGlogs.zip
#17  05-15-12, 21:49  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

These logs look fine, but still do not allow a reboot yet.

Did you knowingly install and do you use the below remote access applications?

O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\Bubble\Application Data\Mikogo Extra\B-Service.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe

Also I don't see where the Mikogo B-Service program is even still installed but the service is there. Did you uninstall it?


Now follow the instructions in the below to run an online scan with ESET. Attach the log. Note, it will likely find a few files like process.exe in the MGtools folder. The process.exe file is completely safe. It is just a command line task manager program ( a process manager hence the file name ).

Using ESET's Online Scanner
#18  05-16-12, 01:17  visitavisroy (Private E-2)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Hi chaslang, yes I had installed both Mikogo and TeamViewer but uninstalled Mikogo long ago. Mikogo is a screen-sharing add-on that comes with Skype. I use TeamViewer quite frequently.

Attached is the ESETScan.txt. No reboot yet.

Thanks once again.
Attached files: ESETScan.txt
#19  05-16-12, 21:58  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Quote:
Originally Posted by visitavisroy View Post
but uninstalled Mikogo long ago
Okay well since it still is trying to load a service, let's remove it.

Open a command prompt window by clicking Start, Run, and enter cmd and click OK. If the window opens type each of the below commands in. Follow each by the enter key. Note there are spaces after the sc and after the stop and after the delete.

sc stop B-Service
sc delete B-Service


Now see if the below folder exists and delete it if found:
C:\Documents and Settings\Bubble\Application Data\Mikogo Extra


Now let's power down your PC (not reboot -- power down). Leave it powered down for at least two minutes. Then make sure that any/all removable type devices have been disconnected from any USB ports. Then power your PC back up and see where we stand as far as having network access. Attach the below new log no matter what the status is.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below log:
  • C:\MGlogs.zip
#20  05-17-12, 01:58  visitavisroy (Private E-2)
Re: Rootkit ZeroAccess removed by Combofix, no internet connection thereafter

Hi chaslang, followed all your instructions. This time connectivity was OK after starting up the machine. Finally, it seems like OK now

Attached are the logs. Should I now go ahead and re-install AVG?

Many many many thanks once again for all this effort and attention!
Attached files: MGlogs.zip