Trojan lodged in tcp/ip stack

[MeitHed]

Hello.

A friend asked me to have a look at his PC as he was no longer able to access the internets. Malwarebytes and super-antispyware were both semi effective in finding and cleaning some of the troublemakers, but still no net. I ran through the process, with combofix finding the tcp/ip stack thing. Rootrepeal finds only hyberfil.sys.

Logs are attached.

Thank you in advance for your time and effort.

[MeitHed]

Here is the Root Repeal log

[chaslang]

You have some required Windows files that having been deleted/corrupted. Also the registry has been modified. Both of these are why you cannot access the internet.

We need to run a couple additional scans before getting started.



Goto the below link and follow the instructions for running TDSSKiller from Kaspersky

• TDSSkiller - How to run

• Be sure to attach your log from TDSSKiller

Now please also download MBRCheck to your desktop.


See the download links under this icon

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Now please download Farbar Service Scanner and run it on the computer with the issue.

• Put a check mark in each option box on the left side.
• Click "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please attach this log to your next reply.

[MeitHed]

Thank you much Chaslang.

Here are the reports from those programs.

[chaslang]

You're welcome.

1. Go to Start ==> Run (or Windows key+R)
   • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
     (note that there is space after notepad)
   • The above file will open in the notepad.
   • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
   • Edit 0xA0 and replace it with 0x80 (replace A with 8)
   • Under File menu click Save and close the notepad.
2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
   • On the General tab, click Install a popup window opens.
   • Select Protocol from the list and then click Add.
   • A new window opens, click Have Disk....
   • In the browse... box type c:\windows\inf
     
   • Click OK.
   • Select Internet Protocol (TCP/IP), and then click OK.
   • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
   • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
3. Go to Start ==> Run (or Windows key+R)
   • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
     (note that there is space after notepad)
   • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
   • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
   • Under File menu click Save and close the notepad.
4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
   • On the General tab, click Install
   • A popup window opens. Select Protocol.
   • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
   • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
5. After restart please run Farbar Service Scanner again and save the fss.txt log to attach below.
6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
   
   
   Then attach the below logs:
   • the new fss.txt log from Farbar's Service Scanner
   • C:\MGlogs.zip

[MeitHed]

Thank you. Logs are attached.

[chaslang]

That looks much better. Are you still having any problems? If so, exactly what?

[MeitHed]

Thanks, I am still unable to connect to the internet.

It says I am connected, but I cannot reach any websites in either IE or Chrome.

[MeitHed]

Also after a restart I am getting an error:

RUNDLL
Error in C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.doo
Missing entry:RunDLLEntry

[chaslang]

Quote:

Originally Posted by MeitHed

It says I am connected, but I cannot reach any websites in either IE or Chrome.

Instread of putting www.google.com in your browser, try the IP address instead: 173.194.78.103

Does that connect you?

[chaslang]

Quote:

Originally Posted by MeitHed

RUNDLL
Error in C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.doo
Missing entry:RunDLLEntry

I assume you meant LXCJtime.dll ?

This is a printer software driver issue. You may need to reinstall the software for the printer.

[MeitHed]

Thank you again Chaslang.

Typing in the IP Address did the trick, but I am unable to navigate beyond there.

Yes, I meant DLL.. sorry.

[chaslang]

Please run C:\MGtools\FixNet.bat

This will run a few commands and then reboot your computer.

After your computer reboots, see if there is any changed to your ability to connect via DNS names.

[MeitHed]

No joy. I am still unable to connect via DNS names.

I thank you for your continued assistance.

[chaslang]

You're welcome.


Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
• Now select the Start Repairs tab.
• The click the Start button.
• Create a System Restore point if prompted.
• On the next screen, click the Unselect All button to first deselect all repairs.
• Now select the following repair options:
  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
  • Repair MSI (Windows Installer)
• Now on the lower right side check the box to Restart/Shutdown System When Finished
• Then make sure the Restart System radio button is enabled.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished. If it does not then reboot yourself.

Any change for the better?

[MeitHed]

Quote:

Originally Posted by chaslang

Any change for the better?

None.

It seems that I neglected to mention that combofix found Rootkit.Zero Access. Combofix also made it clear that the recovery console is missing.

I do not know if either of those will be useful, but though I should include the info.

Thanks again,

meiT

[chaslang]

You're welcome.

Now download The Avenger by Swandog46, and save it to your Desktop.
See the download links under this icon

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Quote:

Drivers to delete:
Pdlnslea
Files to delete:
C:\WINDOWS\system32\temp.txt

Folders to delete:
c:\windows\$NtUninstallKB18546$\1083377889
c:\windows\$NtUninstallKB18546$\84975582
c:\windows\$NtUninstallKB18546$
C:\Documents and Settings\All Users\Start Menu\Programs\AVG Free Edition
C:\Documents and Settings\All Users\Application Data\Norton
C:\Documents and Settings\All Users\Application Data\NortonInstaller

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7 make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[MeitHed]

Sorry for the delay in responding.

I ran Avenger and MGTools per your instructions, still unable to access the internet via dns.

Logs are attached.


Thank you

[chaslang]

Per your logs, everything is fine with your PC. Are you sure the problem is not in your router? Do you have another PC ? If so is it working okay thru the router?

If you don't have another PC and only have this one PC, what happens if you bypass your router and reboot your PC before trying to connect?

[MeitHed]

That is disheartening. I have several PC's connected through the router, all of which run fine.

I am open to suggestions.

Thanks again for your time.