zeroaccess & internet connectivity

Discussion in 'Malware Help (A Specialist Will Reply)' started by pepeman13, Dec 24, 2011.

  1. pepeman13

    pepeman13 Private E-2

    Hello!
    First, I will tell my "story". I had some nasty browser redirector/hijacker and I (think I) managed to get rid of it. Also, Combofix (after running Malwarebytes and Superantispyware) detected and hopefully, eliminated this rootkit.zeroaccess.
    But problems never come alone, and, as Combofix warned, Zeroaccess broke my TCP/IP stack, and I have the infamous "Limited network connectivity" message. I tried Winsock XP fix, static IP configuration (because I found that my wifi was getting this 169.x.x.x IP) and uninstall/reinstall of the ethernet and wifi driver, but I still get this error. :confused

    As background, I run Windows XP Pro SP3 on a Dell Latitude 620, and I connect to the Internet through a cable modem-router combo. Several other systems use this connection without problems.

    I must apologize for my English, it is not my mother tongue. And thanks in advance for your help!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please attach the c:\combofix.txt log from running ComboFix. (See: HOW TO: Attach Items To Your Post )


    Also follow the instructions here >> Using MGtools and run MGtools.exe. Attach the C:\MGlogs.zip file when it finishes.
     
  3. pepeman13

    pepeman13 Private E-2

    Thanks for the quick answer!
    Here are the files. I understood that I must only attach the combofix.txt generated previously, NOT run it again.

    Have a nice x-mas day!
     
  4. pepeman13

    pepeman13 Private E-2

    Damn! I forgot the files...
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, the first ComboFix log indicated that McAfee has been infected.
    You need to uninstall McAfee now. When we finish your cleanup, you can reinstall it then if you wish, but not before.

    I'm looking thru the rest of the logs now. It seems ComboFix got most of the ZA infection.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure that you have uninstalled McAfee as requested in my last message.

    Now download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Register System Files
      • Repair WMI
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.
    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.
    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. pepeman13

    pepeman13 Private E-2

    Hi!
    I removed the McAfee AV and the rest of the suite (how could the AV get infected...? :(), then I used Windows Repair with the options you told me and restarted. I still had "Limited network connectivity".

    Then, I ran the MGtools.exe from your last link, and still the same. I tried to "repair" it (right button + Repair) and got the same "Limited network connectivity" message :cry The log is attached.

    Thanks for your support, I really appreciate it!
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Simply put, they are ineffective at protecting themselves and your PC from many of the common forms of malware that we see in forums like this on a daily basis.


    Please download MiniToolBox and save it to your desktop and run it by right clicking and selecting Run As Administrator.


    Checkmark following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List IP configuration
    • List Winsock Entries
    • List Devices -> All
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.

    Also I have just updated MGtools again to collect some additional details on registry keys related to networking. Thus I want you to get and use the new version.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.
    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • the Results.txt log from MiniRegTool
    • C:\MGlogs.zip
     
  9. pepeman13

    pepeman13 Private E-2

    Done, here are the files.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your logs, it looks like you are able to connect to the internet now.

    Are you having any other problems?
     
  11. pepeman13

    pepeman13 Private E-2

    Oh... :confused I'm still having the same "limited connectivity problem". I also tried to connect to the router with a cable, and to set static IP configuration, but no access. And the router is working, I post here with another computer.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are a bunch of required services that are not running. Let's check to see if they can be started by an easy method or not.

    Click Start, All Programs, and then scroll as necessary until you see the Accessories folder and select it. You see something like below.

    http://forums.majorgeeks.com/attachment.php?attachmentid=170564&thumb=1&d=1324150745

    Right click on the little black icon saying Command Prompt and select Run As Administrator.

    A command prompt window should open with a title of Administrator:Command Prompt. Do you get this??
    If yes, continue. If not, stop and tell me.
    Now enter the commands below into the command prompt window one at a time, each followed by the enter key. Tell me EXACTLY what message you get for each.

    sc start http
    sc start ssdpsrv



    Also a few more questions and a comment:
    1. Are you trying to connect via a wireless connection or a hardwired connection?
    2. Are your using VMware right now to do all of this or are you booting normally?
    3. Why do you need VMware?
    Comment: Drives C & D are both almost out of disk space. You really need a larger harddisk not having such small partitions! Can you free up any space to allow your PC to run more effectively?
     
    Last edited: Dec 28, 2011
  13. pepeman13

    pepeman13 Private E-2

    Hi!
    Thanks for sticking with this!

    I don't get this, I guess that's because it's Windows XP Pro, not Vista or 7. I thought of running the commands (I logged in as Administrator), but I resisted the temptation.


    Usually via wireless, but when I have to try if it works I try both (with the same result...).


    I boot normally.


    I used it in the past to try some Linux distributions, but now and in the near future I won't need it. Would it be a good idea to uninstall it?

    I know, this laptop's main flaw is the small disk. I can free some space in D, the same for C would be harder (but I'll try).
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. Got too many threads going and lost track of which OS you have.

    Click Start, then Run, and type cmd into the Run box and click OK. This will bring up the command prompt.

    Now enter the commands below into the command prompt window one at a time, each followed by the enter key. Tell me EXACTLY what message you get for each.

    sc start http
    sc start ssdpsrv


    If you don't really need VMware it may be helpful to uninstall it. It will also help free up disk space and memory.
     
  15. pepeman13

    pepeman13 Private E-2

    No problem, you are helping a lot of people! :)

    I uninstalled VMware and deleted some old data, now I have 2 GB and 7 GB free in drives C and D.

    After a restart I did what you told me, I attached an image with what I got (BTW, still no network).
     

    Attached Files:

    • sc.jpg
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download Farbar Service Scanner and run it on the computer with the issue. ​
    • Make sure to put a check in each of the check boxes for
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
     
    Last edited: Dec 28, 2011
  17. pepeman13

    pepeman13 Private E-2

    Done, here are the results.
     

    Attached Files:

    • FSS.txt
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      afd.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system look for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.


    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.
    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • the log from SystemLook
    • C:\MGlogs.zip
     
  19. pepeman13

    pepeman13 Private E-2

    Ok, did everything, I attach the logs. The registry key addition was successful, but still no network connectivity.
     

    Attached Files:

    Last edited: Dec 28, 2011
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download MiniRegTool.zip and unzip it.
    • Run the tool.
    • Copy and paste the following into the edit box:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDPSRV
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDPSRV\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV

    • Check List Permissions radio button.
    • Press Go button and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
    Now please click Start, Run and type services.msc into the Run box and click OK. This will open up the Services form. Scroll down to the Application Layer Gateway Service service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Manual.

    Now locate the IPSEC Services service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the DNS Client service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Windows Firewall/Internet Connection Sharing (ICS) service and Start it and set the Startup type to automatic, Did this Start?

    Now locate the Plug and Play service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Workstation service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Server service and Start it and set the Startup type to Manual, Did this Start?

    Now locate the Computer Browser service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the TCP/IP NetBIOS Helper service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the SSDP Discovery Service service and Start it and set the Startup type to Manual, Did this Start?


    Now close the above services forms and reboot your PC. After reboot, get a new log from MGtools and attach it here along with your answers to what happened while trying to start all the above services. Also remember to attach the Results.txt log from MiniRegTool
     
  21. pepeman13

    pepeman13 Private E-2

    Hello,
    I attached the results of MiniregTool and MGtools (after a reboot, as you told).

    Regarding the services, many of them were already started, and two couldn't start. Here are the details:

    • Application Layer Gateway Service: Was stopped and I started it successfully, set to Manual.
    • IPSEC Services: Was stopped and set to Automatic, but I couldn't start it. It said: "Could not start the IPSEC service on Local Computer. Error 10050: A socket operation encountered a dead network".
    • DNS Client: Already started and set to Automatic.
    • Windows Firewall/Internet Connection Sharing (ICS): Was stopped and set to Automatic, but I couldn't start it. It said: "Could not start the IPSEC service on Local Computer. Error 10050: A socket operation encountered a dead network".
    • Plug and Play: Already started and set to Automatic.
    • Workstation: Already started and set to Automatic.
    • Server: Already started and was Automatic, I set it to Manual.
    • Computer Browser: Already started and set to Automatic.
    • TCP/IP NetBIOS Helper: Already started and set to Automatic.
    • SSDP Discovery Service: Was stopped and I started it successfully, set to Manual.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For the ones you indicated as already started, this was what I expected would happen when Application Layer Gateway Service was started. However, based on your logs I don't think some of these really started. I will add red text to your list to show what I see that is still a problem and green text where it is okay now. Double check yourself in services.msc and tell me what you see.

    • Application Layer Gateway Service: Was stopped and I started it successfully, set to Manual. Actually did not start
    • IPSEC Services: Was stopped and set to Automatic, but I couldn't start it. Agreed Not Started
    • DNS Client: Already started and set to Automatic. Started
    • Windows Firewall/Internet Connection Sharing (ICS): Was stopped and set to Automatic, but I couldn't start it. Agreed Not Started
    • Plug and Play: Already started and set to Automatic. Started
    • Workstation: Already started and set to Automatic. Started
    • Server: Already started and was Automatic, I set it to Manual. Started - but please change this one to Automatic
    • Computer Browser: Already started and set to Automatic. Started
    • TCP/IP NetBIOS Helper: Already started and set to Automatic. Started
    • SSDP Discovery Service: Was stopped and I started it successfully, set to Manual. Actually did not start
    After changing the Server service to be Automatic, check what you see again for Application Layer Gateway ( I may abbreviate as ALG in the future ) and also for SSDP Discovery Service ( abbreviated as SSDPSRV). Take notes and tell me later. But then reboot your PC and after reboot do the below. I want to see how many of these hold thru a reboot.


    Click Start, then Run, and type cmd into the Run box and click OK. This will bring up the command prompt.
    Now enter the commands below into the command prompt window one at a time, each followed by the enter key. Tell me EXACTLY what message you get for each.

    netsh int ip reset reset.log
    netsh winsock reset catalog



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the new C:\MGlogs.zip
     
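    As an added example that is not part of this thread, the checks chaslang spreads over posts 18, 20 and 22 (service state and startup type, the afd.sys lookup, permissions on the SSDPSRV keys, Winsock entries) collected into one Windows PowerShell script; PowerShell 2.0 runs on XP SP3. The service short names and the Win32_Service StartMode values are my mapping of the display names used in the thread, and the Winsock provider-path test is an extra check of mine, not something the thread asked for.

```powershell
# Added diagnostic script (not a tool from this thread): re-checks, in one pass, the items
# chaslang asked for in posts 18, 20 and 22. Run from an elevated Windows PowerShell prompt.
# Service short names and the startup types requested in the thread (Win32_Service StartMode values).
$expected = @{
    'ALG'               = 'Manual'   # Application Layer Gateway Service
    'PolicyAgent'       = 'Auto'     # IPSEC Services
    'Dnscache'          = 'Auto'     # DNS Client
    'SharedAccess'      = 'Auto'     # Windows Firewall/Internet Connection Sharing (ICS)
    'PlugPlay'          = 'Auto'     # Plug and Play
    'lanmanworkstation' = 'Auto'     # Workstation
    'lanmanserver'      = 'Auto'     # Server (post 22 asks for Automatic)
    'Browser'           = 'Auto'     # Computer Browser
    'LmHosts'           = 'Auto'     # TCP/IP NetBIOS Helper
    'SSDPSRV'           = 'Manual'   # SSDP Discovery Service
}
$problems = @()

# 1. Service state and startup type, read through WMI so StartMode is available on XP.
foreach ($name in $expected.Keys) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        $problems += "$name : service entry missing (may have been deleted by the infection)"
        continue
    }
    '{0,-18} state={1,-8} startmode={2,-7} expected={3}' -f $name, $svc.State, $svc.StartMode, $expected[$name]
    if ($svc.StartMode -ne $expected[$name]) {
        $problems += "$name : startup type is $($svc.StartMode), thread asked for $($expected[$name])"
    }
    if ($svc.State -ne 'Running' -and $expected[$name] -eq 'Auto') {
        $problems += "$name : not running although it should start automatically"
    }
}

# 2. afd.sys, the Winsock driver SystemLook was asked to find (post 18).
$afd = Join-Path $env:SystemRoot 'system32\drivers\afd.sys'
if (Test-Path $afd) {
    $f = Get-Item $afd
    'afd.sys present: {0} bytes, last written {1}' -f $f.Length, $f.LastWriteTime
} else {
    $problems += 'afd.sys is missing from system32\drivers; TCP/IP cannot work without it'
}

# 3. The SSDPSRV keys MiniRegTool listed permissions for (post 20). A Deny entry or an
#    unreadable key is one reason a service "starts" in the UI but never actually runs.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDPSRV',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDPSRV\0000\Control',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV'
)
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { $problems += "$k : key missing"; continue }
    try {
        $acl = Get-Acl -Path $k -ErrorAction Stop
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($deny.Count -gt 0) {
            $problems += "$k : Deny ACE for " + (($deny | ForEach-Object { $_.IdentityReference }) -join ', ')
        }
    } catch {
        $problems += "$k : permissions unreadable ($($_.Exception.Message))"
    }
}

# 4. Winsock catalog (the "List Winsock Entries" item in post 8): every provider should live
#    under System32; anything else deserves a look before running "netsh winsock reset catalog".
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match 'Provider Path:\s*(.+)$') {
        $p = [Environment]::ExpandEnvironmentVariables($matches[1].Trim())
        if ($p -notlike "$env:SystemRoot\system32\*") { $problems += "Winsock provider outside System32: $p" }
    }
}

# 5. Summary
if ($problems.Count -eq 0) { 'No problems found with the items above.' }
else { 'Problems:'; $problems | ForEach-Object { '  - ' + $_ } }
```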
  23. pepeman13

    pepeman13 Private E-2

    I'm not sure if I understood you right, so I'll try to describe what I do and the state of these services as I make the changes you tell me.

    First, what I see just after booting and without touching anything is that these services are stopped:
    • Application Layer Gateway Service
    • IPSEC Services
    • Windows Firewall/Internet Connection Sharing (ICS)
    • Workstation
    • SSDP Discovery Service
    And these are started:
    • DNS Client
    • Plug and Play
    • Server
    • Computer Browser
    • TCP/IP NetBIOS Helper

    The funny thing is that the Server service is already set as Automatic... and I swear that when I last wrote in the forum I changed its startup mode to Manual :confused

    Then, I reboot as you told me and entered the two orders in the command line, I attach an image with the results.

    Finally, I ran GetLogs.bat, I also attached the resulting MGlogs.zip
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I had a typo in the first command. It should have been

    netsh int ip reset resetlog.txt

    Can you run the above command now then run the below.


    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

    Let me know if it asks for the disk also take note of specifically which disk it asks for because it may make references to a certain service pack level.
     
  25. pepeman13

    pepeman13 Private E-2

    Ok, I ran the command again. It did not return any output (see netsh2.jpg), but a text file was generated (resetlog.txt).

    Then, I ran the other command, and it asked for the Windows XP Pro SP3 disc (see sfc1.jpg). I let it finish, and it just ended without any additional message.

    After that I shut down the laptop, but I thought it may be good to test if there was network connectivity, so I booted again and, to my surprise, the "limited connectivity" message wasn't there and I have been able to ping google.com and majorgeeks.com with the wi-fi access :), the ethernet does not seem to work ( I can't see the connection in the network control panel).

    Finally, I shut down the computer, I remember the days when 30 seconds in internet without AV or FW were enough to be infected by the Blaster...
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need a Win XP SP3 disk to repair this. Can you borrow one?

    Let's get a log from a new version of MGtools just uploaded.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.
    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip
     
  27. pepeman13

    pepeman13 Private E-2

    Yes, indeed I had used it when I ran sfc.
    I attach the new results of MGtools.

    I don't know if tomorrow I will be able to try or post anything, so I wish you all the best for 2012! :)
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks! The same to you.

    It looks to me like you have network connectivity now! Is that correct? Test both wired and wireless again. Your last logs were obtained while the wireless connection was being used. I would like to see one from when you connect the wired interface with wireless shutdown. Even if the wired connection is not working, this would be helpful.
     
    Last edited: Dec 31, 2011
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    With regards to the above, does your Broadcom NetXtreme 57xx Gigabit Controller appear in Device Manager? Are there any errors indicated for it?
     
  30. pepeman13

    pepeman13 Private E-2

    Yes! Network connectivity returned! Thanks a lot!!! :-D

    I attached what I see in the Device Manager, it seems that there's some problem with the driver. Also, there's no ethernet connection in Network Connections, only wifi. I can reinstall the driver from Dell, if it helps.

    I also attached the new MGlogs.zip, I connected the cable and disabled the wifi using the killswitch.

    Have a happy New Year's Eve!
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Yes, you can give reinstalling the driver a try to see what happens. It may also be that you could just delete the network card from Device Manager ( without deleting any drivers ) and then reboot and it may automatically be redetected and reinstalled upon reboot as long as the files are still on your hard disk.

    Happy New Year!
     
    Last edited: Dec 31, 2011
  32. pepeman13

    pepeman13 Private E-2

    It worked, both the wifi and the wired connections are working now! Thanks!!! :-D
    I used previously the McAfee solution, but I am thinking of changing to Avast + a free firewall, can you recommend me one?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Excellent news.
    Try Comodo Firewall.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  34. pepeman13

    pepeman13 Private E-2

    OK, I installed Avast and Comodo Firewall and also I have now Malwarebytes' Antimalware (non-resident, only as a scanner), SuperAntiSpyware (same) and Spybot S&D (without Teatimer and with SDHelper as recommended).

    Also, I deleted or uninstalled everything that was used only to clean the computer, so I think this is all.

    Thanks for your help. As I told before, you are helping a lot of people, and, at least in my case, teaching how to prevent malware with the sticky posts. THANKS!!!! :clap
     
    Last edited: Jan 3, 2012
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
