HELP I have a rootkit / virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tripoll, Nov 22, 2011.

  1. tripoll

    tripoll Private E-2

    Hi guys, sorry this is my first ever "post" and I really have no idea what to do.

    My laptop suddenly stopped connecting to the Internet, indeed it no longer connects to my network full stop.

    I asked for a full AVAST scan at boot, which found some items but did not restore connection.
    https://picasaweb.google.com/lh/photo/9GGQZgJNwZp5uneXNhaxitMTjNZETYmyPJy0liipFm0?feat=directlink
    Inserted image from PICASA (or at least I tried to).

    I tried the usual repair on my connection but neither the WiFi nor the LAN can be repaired. I then tried netsh winsock reset catalog and netsh int ip reset reset.log - again no help.

    So I downloaded and ran MalwareBytes and SuperAntiSpyware which found and removed some items (I will attach the logs as soon as I can - no LAN access).

    Then I noticed that my AVAST was reporting an error, "Avast! Will not be able to protect mail/news (error 10050)", and it could not be fixed. Then my Windows firewall was off and could not be restarted.

    I'm working my way through the Malware Removal guide and COMBOFIX reported Rootkit.ZeroAccess and I followed what it said. After a while I got a BSOD and the laptop rebooted. So I ran it again and it finished and removed some files. I then tried running WinsockxpFix.exe and rebooted but still no TCP/IP.

    I have manually entered 192.168.0.22 255.255.255.0 192.168.0.1 (and 192.168.0.1 for the DNS server) and I can now ping my router and PC, but again no Internet.

    Then I reinstalled AVAST - same problem, error 10050.

    I checked my Events Log and found two "interesting" errors.
    Event Type: Error
    Event Source: WMPNetworkSvc
    Event Category: None
    Event ID: 14336
    Date: 11/21/2011
    Time: 3:39:31 PM
    User: N/A
    Computer: LENOVO-42A45BC3
    Description:
    Service 'WMPNetworkSvc' did not start correctly because IUPnPDeviceFinder::StartAsyncFind(MediaRenderer) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7003
    Date: 11/17/2011
    Time: 1:29:55 PM
    User: N/A
    Computer: LENOVO-42A45BC3
    Description:
    The Network Location Awareness (NLA) service depends on the following nonexistent service: Afd

    Will attach more logs as soon as I can copy them over to this PC.

    HELP
     
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, tripoll

    The loss of internet after being infected by Max++/Sirefef/ZeroAccess is a common characteristic of the rootkit.

    In order for me to help you restore the internet I need you first go through the steps outlined in this thread: READ & RUN ME FIRST Malware Removal Guide
     
    Last edited: Nov 23, 2011
  3. tripoll

    tripoll Private E-2

    Hi thisisu

    Thanks for the fast response.

    I have got as far as running COMBOFIX on the XP Malware Removal page.
    Everything is a bit slow as I have to download to my PC, transfer to CD and then load it on the "broken" laptop.
    I will get a USB stick when the shops open today, so I can transfer and post the logs.
     
  4. tripoll

    tripoll Private E-2

    Hi again thisisu.

    Here are all the logs attached (I hope).
    I could not find the SAS log but it only found a few cookies.
    I ran it after MalwareBytes as it was already on the laptop.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    This is outdated.

    Please update to v1.51.2.1300 and then run a Quick Scan.
    Then attach that log.
     
  6. thisisu

    thisisu Malware Consultant

    I see the issues with your internet. I will have a better understanding of how to get your internet restored once you complete the below set of instructions.

    http://img853.imageshack.us/img853/6741/addremovexp.gif From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 24 (outdated)

    http://img716.imageshack.us/img716/4756/msmsg.gif Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.

    http://img38.imageshack.us/img38/7284/yse.gif Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Shut down your protection software now to avoid possible conflicts.
    Note: This is actually Trend Micro HiJackThis - v2.0.4
    Choose Do a system scan only and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    http://img839.imageshack.us/img839/3005/combofixicon.gif Now we need to make use of ComboFix...
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DirLook::
    C:\Documents and Settings\TonyR\advfn
    File::
    C:\Documents and Settings\TonyR\Local Settings\Temp\tmp4E.tmp
    C:\Documents and Settings\TonyR\Local Settings\Temp\tmp69.tmp
    C:\Documents and Settings\TonyR\Local Settings\Temp\JET67C3.tmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0003]-[p01].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0011]-[p01].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p01].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p02].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p03].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p04].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0031]-[p01].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0031]-[p02].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p06].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p05].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p07].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p16].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p15].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p14].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p17].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p12].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p11].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p10].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p13].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p25].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p24].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p22].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p21].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p20].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p23].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p09].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p08].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p19].bmp
    C:\Documents and Settings\TonyR\Local Settings\Application Data\[j0016]-[p18].bmp
    C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\Tasks\desktop.ini
    C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
    C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job
    Folder::
    C:\Documents and Settings\TonyR\Local Settings\Application Data\{9A51B9F7-E6AF-4C55-9C1E-E02A701F9C0C}
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "iTunesHelper"=-
    "HP Software Update"=-
    "Adobe Acrobat Speed Launcher"=-
    "Adobe ARM"=-
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Please read and complete the following: Use MSconfig to setup for Normal Startup Mode

    Once you have rebooted...

    http://dus.x10.mx/canned/otlicon.gif Please download OTL by Old Timer to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      ipsec.sys
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\netbt
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\ipsec
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

    http://img51.imageshack.us/img51/6489/javaicon.gif Now install the current version of Sun Java from: Sun Java Runtime Environment

    http://img822.imageshack.us/img822/6835/baticon.gif Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Note: This will automatically update all the logs inside MGlogs.zip
     
    Last edited: Nov 23, 2011
  7. tripoll

    tripoll Private E-2

    Hi again Thisisu

    Removed Java

    Downloaded MessengerDisable.exe and copied over to laptop – then run.
    I selected ONLY Uninstall Windows Messenger, but the option above was also selected when I did that?

    Ran C:\MGtools\analyse.exe and fixed O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

    Created CFScript.txt and copied to laptop
    Had to click I Agree then it warned me no recovery console – but as I can’t connect to the Internet…
    The laptop rebooted after a while and ComboFix started again.
    Waiting for it to finish the report.

    Downloaded OTL – had a warning from AVG Trojan horse Agent3.AXVV which I ignored as you told me to download it.

    Loads of errors and I had to reboot the downloading PC, then turn off AVG to copy it to my USB stick.
    Created an OTL.TXT file with your text and copied to USB stick.

    I thought I better check with you about the warning on OTL before I run it?


    ComboFix log just finished attaching logs now.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Yes it's a false positive -- It's safe to run. Just disable AVG for the time being.
     
  9. tripoll

    tripoll Private E-2

    Hi thisisu

    And once again thanks for your amazing help.
    I've no idea what "we" are doing but it feels great!

    Here are the final 2 logs attached.
    I had an error message pop up during C:\MGtools\GetLogs.bat
    ---------------------------
    HijackThis
    ---------------------------
    Please help us improve HijackThis by reporting this error

    Click 'Yes' to submit

    Error Details:

    An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
    Error #5 - Invalid procedure call or argument

    Windows version: Windows NT 5.01.2600
    MSIE version: 8.0.6001.18702
    HijackThis version: 2.0.4
    ---------------------------
    Yes No

    I had to click NO as no Internet connection - YET!
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    ========WARNING========
    The below is specifically for tripoll's computer
    Do NOT run the below if you are not tripoll
    Doing so may damage your PC!
    ========WARNING========

    Attached is fixme.zip

    Inside is:
    • afd.reg
    • netbt.reg
    • fixme.bat
    Extract all 3 files onto your desktop.

    Now double-click afd.reg and allow it to merge into the registry. You receive a "successful" message.
    Now do the same with netbt.reg. You should receive the "successful" message again.

    Now reboot your PC!

    Once you have rebooted your PC...

    Run the fixme.bat file on the desktop by double-clicking it. Attach the fixme_results.txt log file it produces on your desktop. (How to attach items to your post)

    Test your internet. If you still have problems connecting, proceed with the below as well:

    http://dus.x10.mx/canned/otlicon.gif Now we need to make use of OTL...
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      :processes
      killallprocesses
      :otl
      [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      :files
      ipconfig /all /c
      netsh int ip reset resetlog.txt /c
      netsh winsock reset /c
      ipconfig /flushdns /c
      xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
      xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
      xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
      xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
      :commands
      [purity]
      [emptyflash]
      [resethosts]
      
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Now test your internet.
     

    Attached Files:

    Last edited: Nov 23, 2011
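    Added example (not part of this thread and not one of the MajorGeeks tools): the Event ID 7003 message in the first post, "The Network Location Awareness (NLA) service depends on the following nonexistent service: Afd", and the afd.reg / netbt.reg merges above both come down to service keys that are missing under HKLM\SYSTEM\CurrentControlSet\Services. The Python script below performs that check offline, which suits a machine with no network: export the Services key on the affected PC with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, carry the file over on the USB stick, and run the script on a working PC. It parses the .reg export (including REG_MULTI_SZ values, which reg.exe writes as `hex(7):` UTF-16LE bytes across backslash-continued lines) and lists every service whose DependOnService names a key that is absent from the export. SAMPLE_REG is a constructed, trimmed export that reproduces the Nla -> Afd case; the function names and the export-then-analyse workflow are my own assumptions.

```python
"""Offline check for missing Windows service dependencies (added example).

Assumed workflow, not from the thread: on the machine without network, run
    reg export HKLM\\SYSTEM\\CurrentControlSet\\Services services.reg
copy services.reg to a working PC, then run this script on it.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample export, trimmed to the values the check needs. It mirrors the
# Event ID 7003 case: Nla lists Afd as a dependency, but the Afd key is gone.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]
"DisplayName"="Network Location Awareness (NLA)"
"Start"=dword:00000003
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,41,00,66,00,64,00,\
  00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"="system32\\DRIVERS\\tcpip.sys"
"DependOnService"=hex(7):49,00,50,00,53,00,65,00,63,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"="%SystemRoot%\\System32\\drivers\\etc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"ImagePath"="system32\\DRIVERS\\ipsec.sys"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key_path: {value_name: value}}.

    Understands the forms the check needs: "string", dword:, and hex(7):
    (REG_MULTI_SZ, written by reg.exe as comma-separated UTF-16LE bytes with
    backslash continuation lines). Any other value type is kept as raw text.
    """
    # A trailing backslash continues the value on the next (indented) line.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[-"):
            current = None  # key-deletion directive, nothing to record
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # header line such as "Windows Registry Editor Version 5.00"
        name, _, raw = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        if raw.startswith('"') and raw.endswith('"'):
            value: object = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif raw.startswith("hex(7):"):
            data = bytes.fromhex(raw[len("hex(7):"):].replace(",", ""))
            value = [s for s in data.decode("utf-16-le").split("\0") if s]
        else:
            value = raw
        keys[current][name] = value
    return keys


def service_name(path: str) -> Optional[str]:
    """Top-level service name for a key directly under Services, else None
    (subkeys such as ...\\Tcpip\\Parameters are not services)."""
    prefix = SERVICES_PREFIX.lower() + "\\"
    if not path.lower().startswith(prefix):
        return None
    rest = path[len(prefix):]
    return None if "\\" in rest else rest


def find_missing_dependencies(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (service, dependency) pairs where the dependency has no key.

    Names starting with '+' are load-order groups, not services, and are
    skipped. Comparison is case-insensitive because registry key names are.
    """
    present = {name.lower() for name in map(service_name, keys) if name}
    missing: List[Tuple[str, str]] = []
    for path, values in keys.items():
        svc = service_name(path)
        if svc is None:
            continue
        deps = values.get("DependOnService", [])
        if isinstance(deps, str):  # a plain REG_SZ with one name also occurs
            deps = [deps]
        for dep in deps:
            if not dep.startswith("+") and dep.lower() not in present:
                missing.append((svc, dep))
    return missing


def report(reg_text: str) -> List[str]:
    """One human-readable line per broken dependency."""
    return [f"{svc} depends on missing service {dep}"
            for svc, dep in find_missing_dependencies(parse_reg_export(reg_text))]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg.exe writes exports as UTF-16LE with a BOM; 'utf-16' honours the BOM.
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG
    lines = report(text)
    print("\n".join(lines) if lines else "no missing service dependencies")
```

Run with no arguments to see the constructed case, or with the path to a real export. A service reported here is the thing a .reg merge like afd.reg restores; a machine that reports none but still has no TCP/IP needs the driver files and the Winsock catalog looked at instead, which is what the OTL /md5start list and the netsh resets above cover.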
  11. tripoll

    tripoll Private E-2

    Hi again thisisu

    I ran the two REG files and rebooted, immediately started to get LAN activity.
    After I had run the fixme.bat the network icon came in and AVAST reported that it had updated. All the AVAST options are now on, which I could not do before and even Windows Firewall is running again.

    "AM I CLEAN?"

    I did not do the new OTL, is that OK?

    May I just say that your help has been amazing and so fast.
    How on earth did you look at all those logs so quickly?
    Another one, fixme_results.txt, attached.

    You have saved me from resetting my laptop to factory defaults with all the work required to get it back to how it was. I had already backed up my data as I expected that I would have to do a reset.

    Thank you very much for your help.
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    :cool

    Yes, all of your logs are clean. :)

    Yes that's fine. It was only intended to be used if you were still having issues.
    Thank you :)
    Reading the logs used to take me a long time :-D I guess I've grown accustomed to them now ;)

    Glad to hear I could help. Surf safely!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  13. tripoll

    tripoll Private E-2

    Done all that and everything seems OK.
    I can finally see other PCs and access the Internet.
    Everything is running smoothly.

    I've just updated and run MalwareBytes - clean.
    Now running CCleaner and Auslogic Defrag.

    If only I knew where we picked it up?

    Thanks again for all your help.
     
  14. thisisu

    thisisu Malware Consultant

    No problem. Surf safely ;)
     
