Root Kit Zero.Access in TCP/IP stack

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by whatmeworry, Dec 20, 2011.

  1. whatmeworry

    whatmeworry Private E-2

    My Machine has been very slow and laggy lately. Similar to my last root kit infection.

    Today "XP Security 2012" or something like that turned off my Avast, killed Firefox, killed my internet connection and took over my machine.

    I completed the "Windows XP malware removal / cleaning process" steps.

    All were run from fresh downloads on a clean machine and transferred to my desktop.

    The logs are attached.

    ComboFix found a ZeroAccess infection in the TCP/IP stack.
    RootRepeal would not run. My machine locked up solid.
    I have been unable to repair my internet connection: "failed to query the TCP/IP settings of the connection. cannot proceed".

    Thank you.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by uninstalling SUPERAntiSpyware which you installed to your Desktop. You should not install programs into the Desktop folder.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. whatmeworry

    whatmeworry Private E-2

    Thank you for your attention.

    SAS uninstalled.

    Fixme has been successfully entered into the registry.

    Dragging CFscript.txt onto ComboFix went well.
    It completed all the way to stage 50 without a hitch.

    When ComboFix shut the machine down, it hung on the shutting down screen. After 1 hr, I forced shut down.

    Reboot successful. Logs coming.



    Thanks.
     
  4. whatmeworry

    whatmeworry Private E-2

    Logs attached.

    Machine seems to move quickly and cleanly.

    Still cannot repair TCP/IP connection: "failed to query TCP/IP settings of the connection. cannot proceed".

    BTW, North Jersey is my old stomping ground. Grew up there, moved out of town 10 years ago. Where are you from? We may have some connections.

    Thanks. Ian
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes because it appears that information for your network interface card has been deleted or corrupted. Have you checked what shows in Device Manager for your Network Adapter? Does it even show or are there yellow exclamation marks?

    Bergen County


    Your 698 GB external WD drive may have an infected Master Boot Record. I suggest you unplug it for now.
    Code:
        698 GB  \\.\PhysicalDrive1   Unknown MBR code
                SHA1: CE7DBBBEE43059700485C7835F4E1ED6D2FADB1C
    
     
    Last edited by a moderator: Dec 21, 2011
  6. whatmeworry

    whatmeworry Private E-2

    Northern Passaic county here.

    Network adapters - all are green:
    - 1394 Net Adapter
    - Marvell Yukon PCI Gigabit Ethernet Controller - removed and reinstalled. Drivers also updated.
    - NVIDIA nForce Networking Controller - removed and reinstalled. Drivers updated.

    Still no dice.

    Have also tried:
    netsh int ip reset resetlog.txt
    netsh winsock reset


    Drive is now unplugged. How can we check or clean that boot record. There is a lot of necessary data on that drive. does it just need to be replaced?

    Thank you.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The MBR on your external drive can probably be fixed, but if possible you should consider backing up the data that is on it before we do this. For now though, we need to focus on your other problems which are significant.


    Download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Now right click on resetperm.cmd and select Run As Administrator to run this script. Be patient as this may take awhile to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator privileges.
    Once it finishes, reboot your PC.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip
     
  8. whatmeworry

    whatmeworry Private E-2

    SubInACL.msi - the only option that I had on right click was "Open". I am the administrator, dunno if that is why.

    resetperm.cmd - ran.

    New MGtools saved to C:\ and run. Log attached.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you been working on a different website to try and fix your problems?
    Or have you been trying to run fixes that you saw given to other people?
    It sure looks like it, because you have registry info that belongs on a Vista or Win7 PC, not Windows XP.
     
  10. whatmeworry

    whatmeworry Private E-2

    No, I have not. At least not this go round.

    Last time I had ZeroAccess I was being supported by someone on the CyberTechHelp forums until he abandoned the thread. Then I had a Geek Squad friend run his magic CD. When that didn't do the job, I came here and you helped me last time and I was good.

    I've not been running stuff on my own based on internet searches.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then why do you have the fixserv.reg patch on your Desktop that was not given to you? It was given to a person in another thread. You should NEVER use fixes given to another person. Each fix is tailor-made for that person.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work completely. I expect that you will get some kind of message about not everything being added into the registry. If so, we will have to address this with another fix after changing some registry permissions.


    Now so I can see how much of the above was successful, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  13. whatmeworry

    whatmeworry Private E-2

    You know what, you're absolutely correct. I did try some things from another thread regarding the TCP/IP problems. Didn't mean to mislead, and I will heed that advice not to follow the steps in someone else's thread.

    Sorry about that.
     
  14. whatmeworry

    whatmeworry Private E-2

    The information was added successfully.

    New log attached.

    I appreciate your time and attention.

    Ian
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    Now please click Start, Run and type services.msc into the Run box and click OK. This will open up the Services form. Scroll down to the Windows Firewall/Internet Connection Sharing (ICS) service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Automatic.

    Were you able to do the above? If yes, continue with the below, otherwise report back what happened.

    Reboot your PC.


    After reboot, download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One more scan I want you to run.

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure to put a check in each of the check boxes for
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
     
  17. whatmeworry

    whatmeworry Private E-2

    "Could not start the Windows Firewall / Internet Connection Sharing service..."
    "Error 2: the system cannot find the file specified"

    FSS log attached
     

    Attached Files:

    • FSS.txt
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  19. whatmeworry

    whatmeworry Private E-2

    Uninstalled old ComboFix.
    Installed 12-28 ComboFix.
    Dragged the txt file onto it and it ran.

    Stepped away from the computer for a bit, the monitor went into power save and now I cannot get the computer to wake up the monitor.

    Only tried space bar, Enter and mouse click. The computer is still on with no disk activity displayed by the LED.

    Where do I go from here? Thanks.

    Ian
     
  20. whatmeworry

    whatmeworry Private E-2

    Seems that it was just getting hung up on shut down like it has in the past while running ComboFix.

    I forced power down, the machine rebooted and ComboFix continued. This is exactly what happened in the past with ComboFix.

    Logs will be on next post.
     
  21. whatmeworry

    whatmeworry Private E-2

    logs attached
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to give you the same instructions I just gave to another person having the same type problems due to this infection.

    This malware has caused a lot of damage and it is really looking like there may be no easy way to fix this short of a reinstall. However, one idea I have that may be worth a try is to reinstall Win XP SP3. This is a large download ( 316 MB ) but if you can download it and get it on to this PC and run it, perhaps it may help. Download the file from the below link:

    Windows XP Service Pack 3 Network Installation


    Install it and then reboot your PC. After reboot, attach a new log from MGtools and tell me if you have noticed any change.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well based on what happened in the other thread, don't waste your time on trying to reinstall Win XP SP3 using that link. It did nothing to cure the problem. I'm trying another idea in a different thread. I'll let you know whether to try this new idea once I get the results. In the meantime, I suggest that you try using the below scan with sfc


    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

    Let me know if it asks for the disk also take note of specifically which disk it asks for because it may make references to a certain service pack level.
     
    Last edited: Dec 30, 2011
  24. whatmeworry

    whatmeworry Private E-2

    XP sp3 installed.

    Still cannot repair local connection.

    MGlogs.zip attached

    Thank you.

    Ian
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I know. I guess you were doing this before you saw message #23?

    Have you tried the sfc /scannow yet from message #23?
     
  26. whatmeworry

    whatmeworry Private E-2

    It was looking for the Windows XP Pro disc because it needed files to be copied to the DLL cache.

    It asked for the XP Pro disk, no particular version. In fact it stopped and asked me to insert it over and over. I had to click Retry and even open/close the tray a few times. After about a dozen or so it finished running.

    still cannot repair TCP/IP.

    Ian
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So are you saying you do not have this disk to insert? If it does not indicate an SP level, it normally means an original XP disk before any SPs. Do you have one of these or can you borrow one to complete the scan properly?


    Now please click Start, Run and type services.msc into the Run box and click OK. This will open up the Services form. Scroll down to the Application Layer Gateway Service service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Manual.

    Now locate the IPSEC Services service and Start it and set the Startup type to Automatic. Did this Start?

    Now locate the DNS Client service and Start it and set the Startup type to Automatic. Did this Start?

    Now locate the Windows Firewall/Internet Connection Sharing (ICS) service and Start it and set the Startup type to Automatic. Did this Start?

    Now locate the Plug and Play service and Start it and set the Startup type to Automatic. Did this Start?

    Now locate the Workstation service and Start it and set the Startup type to Automatic. Did this Start?

    Now locate the Server service and Start it and set the Startup type to Manual. Did this Start?

    Now locate the Computer Browser service and Start it and set the Startup type to Automatic. Did this Start?

    Now locate the TCP/IP NetBIOS Helper service and Start it and set the Startup type to Automatic. Did this Start?

    Now locate the SSDP Discovery Service service and Start it and set the Startup type to Manual. Did this Start?


    You can close the Services forms now.

    Now click Start, then Run, and type cmd into the Run box and click OK. This will bring up the command prompt. Now enter the below commands into the command prompt window one at a time, each followed by the Enter key. Tell me EXACTLY what message you get for each.

    netsh int ip reset resetlog.txt

    netsh winsock reset catalog

    Now no matter what has happened above, continue to do the below.

    Reboot your PC!!!!

    After reboot, download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.
    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip
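The service list in message #27, and the "Error 2: the system cannot find the file specified" result from messages #17 and #35, can be checked in one pass rather than by clicking through services.msc. The script below is an added example written for this page; it is not part of the thread, MGtools or Farbar Service Scanner. The service short names and the Start values (2 = Automatic, 3 = Manual, 4 = Disabled) are the standard Windows XP ones; the SAMPLE snapshot is constructed to mimic a damaged machine (one service key deleted, one set to Disabled, one whose ServiceDll file is gone), and the file list it is checked against is likewise constructed. On a real XP box, run it with --live from an elevated prompt and it reads the registry instead.

```python
"""Check the Windows XP services listed in message #27 against the startup
types chaslang asked for and the registry data each one needs to start.

Added example; not from the thread, MGtools or Farbar Service Scanner. The
short names and Start values (2 Automatic, 3 Manual, 4 Disabled) are the
standard XP ones. A service whose key is gone, or whose ImagePath or
Parameters\\ServiceDll points at a file that no longer exists, is what gives
"Error 2: the system cannot find the file specified" when you click Start in
services.msc (messages #17 and #35). SAMPLE is a constructed snapshot that
mimics such damage; on Windows, load_from_registry() reads the real thing.
"""
import os
import sys

AUTOMATIC, MANUAL, DISABLED = 2, 3, 4
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"

# (short name, display name in services.msc, Start value message #27 asks for)
EXPECTED = [
    ("ALG", "Application Layer Gateway Service", MANUAL),
    ("PolicyAgent", "IPSEC Services", AUTOMATIC),
    ("Dnscache", "DNS Client", AUTOMATIC),
    ("SharedAccess", "Windows Firewall/Internet Connection Sharing (ICS)", AUTOMATIC),
    ("PlugPlay", "Plug and Play", AUTOMATIC),
    ("lanmanworkstation", "Workstation", AUTOMATIC),
    ("lanmanserver", "Server", MANUAL),
    ("Browser", "Computer Browser", AUTOMATIC),
    ("LmHosts", "TCP/IP NetBIOS Helper", AUTOMATIC),
    ("SSDPSRV", "SSDP Discovery Service", MANUAL),
]

def binary_of(image_path):
    """Strip service arguments: 'C:\\x\\svchost.exe -k netsvcs' -> 'C:\\x\\svchost.exe',
    '"C:\\Program Files\\a b.exe" /q' -> 'C:\\Program Files\\a b.exe'."""
    p = os.path.expandvars(image_path).strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    i = p.lower().find(".exe")
    return p[:i + 4] if i >= 0 else p

def check_services(snapshot, file_exists=os.path.exists):
    """snapshot: {short_name: {"Start": int, "ImagePath": str, "ServiceDll": str|None}}.
    Returns [(short_name, problem), ...]; an empty list means all ten look sane."""
    findings = []
    for name, display, want in EXPECTED:
        rec = snapshot.get(name)
        if rec is None:
            findings.append((name, f"{display}: registry key missing, Start fails with Error 2"))
            continue
        if rec.get("Start") != want:
            findings.append((name, f"{display}: Start is {rec.get('Start')}, expected {want}"))
        for field in ("ImagePath", "ServiceDll"):
            path = rec.get(field)
            if path and not file_exists(binary_of(path)):
                findings.append((name, f"{display}: {field} {path!r} is not on disk"))
    return findings

def load_from_registry():
    """Windows only: read Start, ImagePath and Parameters\\ServiceDll for each service."""
    import winreg
    snap = {}
    for name, _, _ in EXPECTED:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY + "\\" + name) as k:
                rec = {"Start": winreg.QueryValueEx(k, "Start")[0],
                       "ImagePath": winreg.QueryValueEx(k, "ImagePath")[0],
                       "ServiceDll": None}
                try:
                    with winreg.OpenKey(k, "Parameters") as p:
                        rec["ServiceDll"] = winreg.QueryValueEx(p, "ServiceDll")[0]
                except OSError:
                    pass
        except OSError:
            continue            # no key at all: reported as missing by check_services
        snap[name] = rec
    return snap

# Constructed snapshot of a damaged box: SharedAccess key deleted, Server set to
# Disabled, and SSDP's ServiceDll pointing at a file that is gone.
SVCHOST = r"C:\WINDOWS\system32\svchost.exe -k netsvcs"
S32 = r"C:\WINDOWS\System32"
SAMPLE = {
    "ALG": {"Start": MANUAL, "ImagePath": S32 + r"\alg.exe", "ServiceDll": None},
    "PolicyAgent": {"Start": AUTOMATIC, "ImagePath": SVCHOST, "ServiceDll": S32 + r"\ipsecsvc.dll"},
    "Dnscache": {"Start": AUTOMATIC, "ImagePath": SVCHOST, "ServiceDll": S32 + r"\dnsrslvr.dll"},
    "PlugPlay": {"Start": AUTOMATIC, "ImagePath": S32 + r"\services.exe", "ServiceDll": None},
    "lanmanworkstation": {"Start": AUTOMATIC, "ImagePath": SVCHOST, "ServiceDll": S32 + r"\wkssvc.dll"},
    "lanmanserver": {"Start": DISABLED, "ImagePath": SVCHOST, "ServiceDll": S32 + r"\srvsvc.dll"},
    "Browser": {"Start": AUTOMATIC, "ImagePath": SVCHOST, "ServiceDll": S32 + r"\browser.dll"},
    "LmHosts": {"Start": AUTOMATIC, "ImagePath": SVCHOST, "ServiceDll": S32 + r"\lmhsvc.dll"},
    "SSDPSRV": {"Start": MANUAL, "ImagePath": SVCHOST, "ServiceDll": S32 + r"\ssdpsrv.dll"},
}
SAMPLE_FILES = {(S32 + n).lower() for n in (r"\svchost.exe", r"\alg.exe", r"\services.exe",
                r"\ipsecsvc.dll", r"\dnsrslvr.dll", r"\wkssvc.dll", r"\srvsvc.dll",
                r"\browser.dll", r"\lmhsvc.dll")}

def sample_exists(path):
    return path.lower() in SAMPLE_FILES

if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    findings = check_services(load_from_registry()) if live else check_services(SAMPLE, sample_exists)
    for name, problem in findings or [("-", "nothing to report")]:
        print(f"{name:18} {problem}")
```

The point of checking ImagePath and ServiceDll as well as Start is that a service showing "Stopped" in services.msc with a correct startup type can still be unstartable, and the Error 2 text is the only hint the GUI gives; the registry snapshot shows which of the two (deleted key or missing file) it is, which decides whether a .reg fix or a file restore is needed.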
     
  28. whatmeworry

    whatmeworry Private E-2

    Log attached

    Thank you.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try the below. Follow these instruction slowly and carefully.

    1. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • The above file will open in the notepad.
      • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
      • Edit 0xA0 and replace it with 0x80 (replace A with 8)
      • Under File menu click Save and close the notepad.
    2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install a popup window opens.
      • Select Protocol from the list and then click Add.
      • A new window opens, click Have Disk....
      • In the browse... box type c:\windows\inf
      • Click OK.
      • Select Internet Protocol (TCP/IP), and then click OK.
      • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    3. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
      • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
      • Under File menu click Save and close the notepad.
    4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install
      • A popup window opens. Select Protocol.
      • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    5. After restart please run Farbar Service Scanner again and save the fss.txt log to attach below.
    6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

      Then attach the below logs:
      • C:\MGlogs.zip
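Steps 1 and 3 of message #29 edit the Characteristics value of the TCP/IP primary-install entry in nettcpip.inf by hand. That value is a bitmask of NCF_* flags from the Windows network-configuration interfaces: 0xA0 is NCF_HAS_UI (0x80) together with NCF_NOT_USER_REMOVABLE (0x20), so "replace A with 8" clears the 0x20 bit, which is what makes the Uninstall button usable in step 2; step 3 puts the bit back. The script below is an added example written for this page, not part of the thread or of Microsoft's tooling. It flips the bit instead of the character, so it is correct even if the value is not exactly 0xA0, and it changes nothing outside the one section. The section header name [MS_TCPIP.PrimaryInstall] is an assumption about how the "TCP/IP Primary Install" section is spelled in the file, and SAMPLE_INF is a constructed stand-in for nettcpip.inf, not a copy of it.

```python
"""Clear or set NCF_NOT_USER_REMOVABLE on the TCP/IP primary-install entry in
nettcpip.inf, which is what steps 1 and 3 of message #29 do by hand.

Added example, not from the thread or from Microsoft. Characteristics is a
bitmask of NCF_* flags: 0xA0 is NCF_HAS_UI (0x80) | NCF_NOT_USER_REMOVABLE
(0x20). The section header below is assumed; SAMPLE_INF is constructed.
"""
import re
import shutil

NCF_NOT_USER_REMOVABLE = 0x20
SECTION = "MS_TCPIP.PrimaryInstall"   # assumed name of the "TCP/IP Primary Install" section
_CHAR_RE = re.compile(r"^(\s*Characteristics\s*=\s*)(0x[0-9A-Fa-f]+)(.*)$")

def set_user_removable(text, removable, section=SECTION):
    """Return (new_text, old_value, new_value). Only the Characteristics line
    inside [section] changes; every other byte, including CRLF line ends,
    is preserved so the INF stays parseable."""
    lines = text.splitlines(keepends=True)
    in_section = False
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        if body.lstrip().startswith("["):
            in_section = body.strip().lower() == f"[{section}]".lower()
            continue
        if not in_section:
            continue
        m = _CHAR_RE.match(body)
        if not m:
            continue
        old = int(m.group(2), 16)
        new = old & ~NCF_NOT_USER_REMOVABLE if removable else old | NCF_NOT_USER_REMOVABLE
        lines[i] = f"{m.group(1)}0x{new:02X}{m.group(3)}{eol}"
        return "".join(lines), old, new
    raise ValueError(f"no Characteristics line found in [{section}]")

def edit_inf(path, removable):
    """Apply the change to a real file, keeping a .bak copy first.
    Use removable=True before step 2 and removable=False before step 4."""
    shutil.copy2(path, path + ".bak")
    with open(path, "r", encoding="latin-1", newline="") as fh:
        text = fh.read()
    new_text, old, new = set_user_removable(text, removable)
    with open(path, "w", encoding="latin-1", newline="") as fh:
        fh.write(new_text)
    return old, new

# Constructed stand-in for C:\WINDOWS\inf\nettcpip.inf; the second section is a
# decoy to show that only the primary-install entry is modified.
SAMPLE_INF = (
    "[Version]\r\n"
    'Signature = "$Windows NT$"\r\n'
    "\r\n"
    "[MS_TCPIP.PrimaryInstall]\r\n"
    "; TCPIP has properties to display\r\n"
    "Characteristics = 0xA0 ; NCF_HAS_UI | NCF_NOT_USER_REMOVABLE\r\n"
    "AddReg = MS_TCPIP.PrimaryInstall.AddReg\r\n"
    "\r\n"
    "[MS_TCPIP.Decoy]\r\n"
    "Characteristics = 0xA0\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[2] in ("removable", "locked"):
        print(edit_inf(sys.argv[1], sys.argv[2] == "removable"))
    else:
        print(set_user_removable(SAMPLE_INF, True)[1:])
```

Usage on the affected machine would be `python nettcpip_flag.py C:\WINDOWS\inf\nettcpip.inf removable` before step 2 and the same with `locked` before step 4; the .bak copy is there so a typo in the file can be undone, since an unparseable nettcpip.inf blocks the TCP/IP reinstall in step 4 as well.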
     
  30. whatmeworry

    whatmeworry Private E-2

    Instructions followed.

    Internet connection is working.

    Logs attached.
     

    Attached Files:

    • FSS.txt
  31. whatmeworry

    whatmeworry Private E-2

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need the new MGlogs.zip file to continue.
     
  33. whatmeworry

    whatmeworry Private E-2

    It was supposed to be on the oops post.

    Sorry.
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That looks much better but the SSDPSRV service did not start as expected. As in the instructions in message # 27 for starting services, see if you can do the below now.


    Now locate the SSDP Discovery Service service and Start it and set the Startup type to Manual. Did this Start?


    Also tell me what problems you are still having.
     
  35. whatmeworry

    whatmeworry Private E-2

    SSDP did not start - could not find the file specified.

    I haven't used that machine very much, been doing everything from back up laptop. I will put some time on it and see what I notice.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now reboot your computer and then continue with the below.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.
    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip
     
  37. whatmeworry

    whatmeworry Private E-2

    Added to the registry successfully.

    Things seem to be running smoothly.
     

    Attached Files:

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so now will the below work from the Services form ?

    Now locate the SSDP Discovery Service service and Start it and set the Startup type to Manual. Did this Start?
     
  39. whatmeworry

    whatmeworry Private E-2

    Yes. started.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent! So now I just need to know if you are having any other malware problems before I post final instructions.
     
  41. whatmeworry

    whatmeworry Private E-2

    No sign of other malware problems.

    There is that unknown MBR on my storage drive. I'm not sure where to back up 600gig of data though as you advised before we repair it.

    Thanks.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The backup of your data is not something I can help you with. You can attempt to repair it without backing up if you want. All I can say is that most of the time ( in the high ninety percent region ) this works without an issue, but there is always risk.
     
  43. whatmeworry

    whatmeworry Private E-2

    I think that I need to take the risk.

    I must use that drive in the very near future. The amount of time that this machine has been down has had a big impact on productivity in life. You had suggested that using it with that unknown MBR might be the source of my malware problem, so I don't want to risk using it in its current condition.

    Expansion of my redundant data back up is on the menu for the very near future but I'll have to use this drive before I have expanded space.

    Do you suggest that I use it as is or attempt to repair it if I am willing to take the risk?
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would repair it. Did I ask you somewhere in this thread whether you had your Win XP Boot CD so that we can boot to the Recovery Console to fix this?

    We can try simpler methods first if you do not have the CD, but if they don't work, the CD will be needed.
     
  45. whatmeworry

    whatmeworry Private E-2

    I just have my WIN XP PRO SP2-level OEM disk. I would have to make a Boot disk.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you ever tried setting your BIOS to boot from CD before booting from hard disk and then trying to boot up this disk?

    You can see some snapshots of how to boot to the Recovery Console here:

    http://pcsupport.about.com/od/fixtheproblem/ss/rconsole.htm
     
  47. whatmeworry

    whatmeworry Private E-2

    Will get to it right now.

    BRB
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. If it is not bootable, we can try other options. In fact we can even try using MBRcheck as a simple fix. It does not work too well with newer more troublesome MBR infections but it sometimes works on easier types of infections.
     
  49. whatmeworry

    whatmeworry Private E-2

    booted into Windows Setup, then into recovery console.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that's good. Now you will need to get back into the command prompt of the Recovery Console to run a specific form of the fixmbr command. The syntax will not just be fixmbr, because the device you are trying to repair is not your Windows boot drive. The syntax will be like below:

    fixmbr \device\harddisk2

    But the harddisk2 has to be the number of your external drive as seen from the Recovery Console. To find out what the drive number is, you need to have the external drive plugged in while booting into the Recovery Console. Then you would run the map command to display the hard disk number for your external drive. Then use that number in the fixmbr command. For example, suppose from the map command you found that your external drive is hard disk 1. You would then use

    fixmbr \device\harddisk1

    This runs quickly. Then you would type exit and hit enter to reboot and then boot normally. Then rerun the MBRcheck procedure to get a new log and attach it.
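Before and after a fixmbr like the one above it helps to look at the sector itself rather than only at MBRcheck's one-line verdict; message #5 reported the external drive's boot code as "Unknown MBR code" with a SHA1, and that is all the page says about it. The script below is an added example written for this page, not part of the thread and not MBRcheck's own logic. It parses the classic MBR layout (bytes 0-439 boot code, 440-443 disk signature, 446-509 four 16-byte partition entries, 510-511 the 0x55AA marker), hashes the boot-code region, and flags structural problems in the partition table. Whether MBRcheck hashes exactly the same byte range is not stated on the page, so the digest here should not be compared with its output. SAMPLE_CODE and every sector produced by build_mbr() are constructed; read_physical_drive() reads a real disk on Windows from an elevated prompt. One caveat a practitioner would want: a data-only external disk that was never made bootable may carry vendor-written or zeroed boot code that a hash allowlist does not recognize, so an unknown hash is a reason to inspect, not proof of infection on its own.

```python
"""Parse and sanity-check a 512-byte MBR before deciding whether fixmbr is
warranted on a drive, as in messages #5 and #50.

Added example; not from the thread and not MBRcheck's own logic. Classic MBR
layout: bytes 0-439 boot code, 440-443 disk signature, 446-509 four 16-byte
partition entries, 510-511 the 0x55AA marker. SAMPLE_CODE and the sectors
built by build_mbr() are constructed.
"""
import hashlib
import struct

BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
TABLE_OFF = 446
ENTRY_SIZE = 16

def parse_mbr(sector):
    """Return a dict describing the sector; raises on a wrong-sized input."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    code = sector[:BOOT_CODE_LEN]
    parts = []
    for i in range(4):
        off = TABLE_OFF + i * ENTRY_SIZE
        e = sector[off:off + ENTRY_SIZE]
        if not any(e):
            continue                      # unused slot
        lba, n = struct.unpack_from("<II", e, 8)
        parts.append({"index": i, "bootable": e[0] == 0x80, "type": e[4],
                      "lba_start": lba, "sectors": n})
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "code_sha1": hashlib.sha1(code).hexdigest().upper(),
        "code_is_empty": not any(code),
        "partitions": parts,
    }

def assess(info):
    """Warnings a responder would want before running fixmbr. An empty list
    means the table is structurally sane; it says nothing about whether the
    boot code is trusted, which is what the SHA1 is for."""
    w = []
    if not info["signature_ok"]:
        w.append("missing 0x55AA signature: not a valid MBR")
    active = [p["index"] for p in info["partitions"] if p["bootable"]]
    if len(active) > 1:
        w.append(f"more than one active partition: {active}")
    parts = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for p in parts:
        if p["sectors"] == 0:
            w.append(f"partition {p['index']}: zero length")
    for a, b in zip(parts, parts[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            w.append(f"partitions {a['index']} and {b['index']} overlap")
    return w

def build_mbr(code, entries, disk_sig=0x12345678, signature=b"\x55\xAA"):
    """Constructed test sector. entries: (status, type, lba_start, sectors)."""
    if len(code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(512)
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba, n) in enumerate(entries[:4]):
        off = TABLE_OFF + i * ENTRY_SIZE
        sector[off], sector[off + 4] = status, ptype
        struct.pack_into("<II", sector, off + 8, lba, n)
    sector[510:512] = signature
    return bytes(sector)

def read_physical_drive(number):
    """Windows only, needs an elevated prompt: the same device MBRcheck names."""
    with open(r"\\.\PhysicalDrive%d" % number, "rb") as dev:
        return dev.read(512)

# First instructions of a typical x86 MBR loader (xor ax,ax / mov ss,ax /
# mov sp,0x7C00); a constructed stand-in for real boot code.
SAMPLE_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"

if __name__ == "__main__":
    import sys
    raw = read_physical_drive(int(sys.argv[1])) if len(sys.argv) > 1 else \
        build_mbr(SAMPLE_CODE, [(0x80, 0x07, 63, 1_000_000)])
    info = parse_mbr(raw)
    print("boot code SHA1:", info["code_sha1"], "(empty)" if info["code_is_empty"] else "")
    for p in info["partitions"]:
        print(p)
    for line in assess(info) or ["no structural problems found"]:
        print(" -", line)
```

Run as `python mbr_inspect.py 1` on the machine to read \\.\PhysicalDrive1, the device named in message #5. Saving the 512 raw bytes before running fixmbr is cheap insurance: fixmbr rewrites only the boot-code region and leaves the partition table alone, but having the original sector on hand is what lets you confirm afterwards that the table did not change and that only the code hash did.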
     
