Root Kit Zero.Access - Can't connect to internet

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cm7, Jan 1, 2012.

  1. cm7

    cm7 Private E-2

    Hello,

    My computer was attacked by the Root Kit Zero.Access. I removed it with Malwarebytes, Avast, RogueKiller, and TDSSKiller. Now I have no internet access and Avast does not start properly.

    After using ERUNT and Farbar, I think it is an IPSEC problem and tried the following:

    1. Windows Repair (no effect)

    2. FIX.REG (no effect)
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Ipsec]
    "Tag"=dword:4

    3. CMD> SFC /scannow with XP SP3 disc (no effect)

    4. Reinstall ASUS Wireless software (no effect)

    5. Work through
    CMD> services.msc

    Application Layer Gateway - Start -> "Started"
    IPSEC - Start -> "Error 1075. The dependency service does not exist or has been marked for deletion."

    I want to try the following from another post here (chaslang) but I need help before I try it. Attached is the MG log and fs.txt. I am unsure if the FIX.REG above will compromise the repair below.

    *************************************************************************************************
    Go to Start ==> Run (or Windows key+R)
    Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
    (note that there is space after notepad)
    The above file will open in the notepad.
    Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
    Edit 0xA0 and replace it with 0x80 (replace A with 8)
    Under File menu click Save and close the notepad.
    Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    On the General tab, click Install. A popup window opens.
    Select Protocol from the list and then click Add.
    A new window opens, click Have Disk....
    In the browse... box type c:\windows\inf
    Click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
    Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    Go to Start ==> Run (or Windows key+R)
    Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
    (note that there is space after notepad)
    A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
    Edit 0x80 and replace it with 0xA0 (replace 8 with A)
    Under File menu click Save and close the notepad.
    Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    On the General tab, click Install
    A popup window opens. Select Protocol.
    A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
    Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    After restart please run Farbar Service Scanner again and save the fss.txt log to attach below.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
    ******************************************************************************************************

    Thank you for any help you can provide.

    Best Regards,
    CM7
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    It is never a good idea to follow instructions given to another person. You could do more harm than good because instructions given to each user are tailored to their PC and their version of Windows. While in the end similar or the same instructions could wind up being given to you, this is done after properly reviewing logs from your PC to decide which steps/instructions are appropriate at the time. Sometimes the order of what is followed is very important. For example, trying to apply a registry patch or reinstalling something prior to actually removing all malware could result in no change or possibly even make things worse.


    Please follow the instructions in the below link so we can get all the information required to fix your specific problems.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. cm7

    cm7 Private E-2

    Thank you for the pointer to instructions. I followed them closely. Here are the results after cleanup.

    1. SuperAntispyware
    Could not search for updates. Ran downloaded version.

    2. Malwarebytes
    Installed Malwarebytes and downloaded database. MB reports error with database. I reinstalled and ran (8 days old).

    3. Combofix
    Not run.

    4. RootRepeal
    Downloaded and run.

    5. MGtools
    Downloaded and run.

    No improvement to PC. Logs are attached.

    Thank you for your help.

    Best Regards.
    CM7
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why not ?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay first we need to save a new registry patch to your Desktop.

    Copy the bold text below to notepad. Save it as fixIPSec.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it don't do anything else with it right now. Just move on to the next instructions.
    Now please click Start, and type regedit into the Run box and click OK. This should open the Windows Registry Editor.


    Now follow the below instructions for changing permissions for registry keys using Regedit.
    • First navigate to the below registry key and have it selected
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPSEC\0000\Control
    • Then right click on this key and select Permissions
    • Then on the Permissions for Control form click the Add button
    • In the Enter the object names to select box type Everyone and click the Check Names button which should cause the Everyone text to be approved and underlined
    • Then click the OK button which returns you to the Permissions for Control form
    • Make sure you select Everyone from the upper list, and then in the Permissions for Everyone box, select Full Control and see if it allows you to click the Apply button.
    • Then click OK to close this Permissions for Control form
    • Now on the Registry Editor menu, click File and select Import.
    • Navigate to the fixIPSec.reg file we saved to your Desktop and select it and click OK ( double clicking on the file should also auto select it to import )
    • Did it import without an error message?
      • If not, then stop and tell me
      • If yes, then continue.
    Reboot your PC and after reboot continue.

    Now please click Start, Run and type services.msc into the Run box and click OK. This will open up the Services form. Scroll down to the Application Layer Gateway Service service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Manual.

    Now locate the IPSEC Services service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the DNS Client service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Windows Firewall/Internet Connection Sharing (ICS) service and Start it and set the Startup type to automatic, Did this Start?

    Now locate the TCP/IP NetBIOS Helper service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the SSDP Discovery Service service and Start it and set the Startup type to Manual, Did this Start?


    You can close the Services forms now.

    Now Click Start, then Run, and type cmd into the Run box and click OK. This will bring up the command prompt. Now enter the below commands into the command prompt window one at a time, each followed by the Enter key. Tell me EXACTLY what message you get for each.

    netsh int ip reset resetlog.txt


    No matter what happens above, continue on to get the below new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
  6. cm7

    cm7 Private E-2

    I was waiting for instructions to run it.

    I ran Combofix.

    Messages (initial run)
    [This machine does not have "Microsoft Windows Recovery Console" Installed. ... Note: Requires an active internet connection.] I declined installation.

    [You are infected with Rootkit.Zero.Access! It has inserted itself into the tcp/ip stack. Reboot. If not fixed, run Combofix again.]

    [Rootkit Detected.]

    [First Combofix generated Reboot]
    Runs through.

    [Second Combofix generated Reboot]
    Generated log.

    System is still not working properly. I am not sure if I should run combofix again.

    Attached is the log.

    Best Regards,
    CM7
     

    Attached Files:

  7. cm7

    cm7 Private E-2

    OK, our messages got crossed.

    Should I continue with your instructions now that I have run Combofix?

    Best Regards,
    CM7
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes continue with my other instructions now.
     
  9. cm7

    cm7 Private E-2

    I think I ran the reg update without the permissions changed and then set them and ran it again with the permissions changed. I'm sorry if this causes a problem.


    Now please click Start, Run and type services.msc into the Run box and click OK. This will open up the Services form. Scroll down to the Application Layer Gateway Service service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Manual.
    [Started]

    Now locate the IPSEC Services service and Start it and set the Startup type to Automatic, Did this Start?
    [No - Could not start... Error 1068:...]

    Now locate the DNS Client service and Start it and set the Startup type to Automatic, Did this Start?
    [No - Same message]

    Now locate the Windows Firewall/Internet Connection Sharing (ICS) service and Start it and set the Startup type to automatic, Did this Start?
    [No - ... Error 2:...]

    Now locate the TCP/IP NetBIOS Helper service and Start it and set the Startup type to Automatic, Did this Start?
    [Already started]

    Now locate the SSDP Discovery Service service and Start it and set the Startup type to Manual, Did this Start?
    [Says it started and then stopped]


    netsh int ip reset resetlog.txt
    [Nothing]

    MGlogs.zip attached

    Best Regards,
    CM7
     

    Attached Files:
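
    The service errors in this thread (1075 "The dependency service does not exist or has been marked for deletion" in post 1, 1068 "The dependency service or group failed to start" in post 9) are both verdicts of the Service Control Manager after it walks each service's DependOnService list. The block below is an added example, not code from the thread or from the MajorGeeks tools, that does the same walk offline over a .reg export of the Services hive, the kind ERUNT or regedit produces, so the missing link in the chain can be seen before anyone edits registry permissions on a live machine. The export embedded in it is constructed for the example and only loosely modelled on Windows XP (the IPSec driver key is deliberately absent and Netman is deliberately disabled); the REG_MULTI_SZ hex(7) encoding, the case-insensitive service lookup and the 1075/1068 meanings are real, the service list is illustrative.

```python
import re

# Constructed sample: a partial ERUNT-style export of the Services hive. The IPSec
# driver key is absent and Netman is disabled (Start=4) so that both failure modes
# show up in the walk. Names and dependency lists are only loosely modelled on
# Windows XP and are not a copy of any real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"DisplayName"="Remote Procedure Call (RPC)"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"DisplayName"="TCP/IP Protocol Driver"
"Start"=dword:00000001
"DependOnService"=hex(7):49,00,50,00,53,00,65,00,63,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"DisplayName"="IPSEC Services"
"Start"=dword:00000002
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,54,00,63,00,70,00,\
  69,00,70,00,00,00,49,00,50,00,53,00,65,00,63,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"="DNS Client"
"Start"=dword:00000002
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]
"DisplayName"="Network Connections"
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"Start"=dword:00000002
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,00,00
"""

SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"


def decode_value(raw):
    """Decode one .reg value body into (type, python value)."""
    if raw.startswith('"'):
        return ("REG_SZ", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        kind = int(m.group(1) or 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind == 7:  # REG_MULTI_SZ: UTF-16LE strings, each NUL terminated, double NUL at end
            return ("REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\0") if s])
        if kind == 2:  # REG_EXPAND_SZ
            return ("REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0"))
        return ("REG_BINARY", data)
    return ("UNKNOWN", raw)


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key path: {name: (type, value)}}."""
    joined = []
    for line in text.splitlines():  # fold the trailing-backslash continuation lines first
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())
    keys, current = {}, None
    for line in joined:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_value(raw)
    return keys


def service_table(keys):
    """Map lower-cased service name -> (name as exported, values), top-level service keys only."""
    table = {}
    for path, values in keys.items():
        if path.upper().startswith(SERVICES.upper()):
            rest = path[len(SERVICES):]
            if "\\" not in rest:  # skip Parameters, Enum and other subkeys
                table[rest.lower()] = (rest, values)
    return table


def check_dependencies(table, name, seen=None):
    """Walk DependOnService from `name` like the SCM does; return [(service, problem), ...].
    A dependency whose key is gone is what the SCM reports as error 1075; a dependency that
    is present but disabled, or whose own chain is broken, surfaces as error 1068 when the
    dependent service is started. Error 2 (file not found) is a missing binary, not a
    dependency problem, and cannot be judged from a registry export alone."""
    seen = set() if seen is None else seen
    key = name.lower()
    if key in seen:
        return []
    seen.add(key)
    entry = table.get(key)
    if entry is None:
        return [(name, "service key missing (SCM error 1075)")]
    real_name, values = entry
    findings = []
    if values.get("Start", (None, None))[1] == 4:
        findings.append((real_name, "Start=4, service disabled"))
    for dep in values.get("DependOnService", ("REG_MULTI_SZ", []))[1]:
        findings.extend(check_dependencies(table, dep, seen))
    return findings


if __name__ == "__main__":
    table = service_table(parse_reg_export(SAMPLE_REG))
    for svc in ("PolicyAgent", "Dnscache", "SharedAccess", "RpcSs"):
        print(svc, check_dependencies(table, svc) or "chain intact")
```

    To use it on a real machine, export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services from regedit (or take the ERUNT copy) and pass the file contents to parse_reg_export instead of SAMPLE_REG. In the constructed sample both PolicyAgent and Dnscache lead back to the same absent IPSec key through Tcpip, which is the shape of failure the 1075 message in post 1 describes.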

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this a company owned PC? If yes, are there any company applied restrictions to privileges on this PC? I see some unexpected settings in the registry and need to be sure whether they are due to your own/company's doing or if it is due to malware.

    I see that you have Altera and Xilinx for FPGA development and also OrCad. Before we do anything else, I strongly recommend that you backup all of your important data for the work you are doing with these tools and also backup any other important data.

    The infection you have is very nasty and makes lots of changes to your PC's registry. Many services are currently broken and while we have been successful at fixing quite a few of these infections already, it does involve some risk and there may even already be damage to some of these tools.

    I am working on the next stage of your fixes, but I want to be sure you have backed up important data.
     
    Last edited: Jan 2, 2012
  11. cm7

    cm7 Private E-2

    It is one of my work PCs. But I have to maintain it myself. I have already backed up the most critical data. I will backup additional items. Feel free to send the repairs. Thanks.

    Best Regards,
    CM7
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Okay first we need to save a new registry patch to your Desktop.

    Copy the bold text below to notepad. Save it as fixserv.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it don't do anything else with it right now. Just move on to the next instructions.
    Now please click Start, and type regedit into the Run box and click OK. This should open the Windows Registry Editor.



    Now follow the below instructions for changing permissions for registry keys using Regedit.
    • First navigate to the below registry key and have it selected
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Tcpip\0000\Control
    • Then right click on this key and select Permissions
    • Then on the Permissions for Control form click the Add button
    • In the Enter the object names to select box type Everyone and click the Check Names button which should cause the Everyone text to be approved and underlined
    • Then click the OK button which returns you to the Permissions for Control form
    • Make sure you select Everyone from the upper list, and then in the Permissions for Everyone box, select Full Control and see if it allows you to click the Apply button.
    • Then click OK to close this Permissions for Control form
    • Repeat the above permissions type change for the below registry key
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP\0000\Control
    • After you get both of the above registry key permissions changed, continue with the below.
    • Now on the Registry Editor menu, click File and select Import.
    • Navigate to the fixserv.reg file we saved to your Desktop and select it and click OK ( double clicking on the file should also auto select it to import )
    • Did it import without an error message?
      • If not, then stop and tell me
      • If yes, then continue.
    Reboot your PC and after reboot continue.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    The above is not likely to be the complete fix for your problems. We will have more to do in order to attempt to repair all the damage this infection did to your registry.
     
  13. cm7

    cm7 Private E-2

    On

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP\0000\Control

    I can only get to ...\0000 there is no CONTROL.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then change the permissions on \0000 and continue.
     
  15. cm7

    cm7 Private E-2

    The changes were accepted. Log attached.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • The above file will open in the notepad.
      • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
      • Edit 0xA0 and replace it with 0x80 (replace A with 8)
      • Under File menu click Save and close the notepad.
    2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install. A popup window opens.
      • Select Protocol from the list and then click Add.
      • A new window opens, click Have Disk....
      • In the browse... box type c:\windows\inf
      • Click OK.
      • Select Internet Protocol (TCP/IP), and then click OK.
      • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    3. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
      • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
      • Under File menu click Save and close the notepad.
    4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install
      • A popup window opens. Select Protocol.
      • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    5. After restart please run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
    6. Then attach the below logs:
      • C:\MGlogs.zip
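
    Why the 0xA0/0x80 edit in steps 1 and 3 works: Characteristics in a network INF is a bitmask of the NCF_* flags from netcfgx.h, and 0xA0 is NCF_HAS_UI (0x80) plus NCF_NOT_USER_REMOVABLE (0x20). Clearing the 0x20 bit is what makes the Uninstall button for TCP/IP usable in step 2, and putting it back in step 3 restores the protection that stops a user removing the stack by accident. The block below is an added example, not part of this thread, that performs the edit as a flag operation instead of a hand edit so the round trip is exact and a typo such as 0x8 or 0xAO cannot slip in. It runs against a constructed stand-in for nettcpip.inf; the section name [MS_TCPIP.PrimaryInstall] is the one I recall from the stock XP file and should be checked against your own copy, and everything else in the stand-in is trimmed to the lines this edit touches.

```python
import re

# NCF_* component characteristic flags from netcfgx.h (Windows SDK).
NCF_FLAGS = {
    0x01: "NCF_VIRTUAL",
    0x02: "NCF_SOFTWARE_ENUMERATED",
    0x04: "NCF_PHYSICAL",
    0x08: "NCF_HIDDEN",
    0x10: "NCF_NO_SERVICE",
    0x20: "NCF_NOT_USER_REMOVABLE",
    0x80: "NCF_HAS_UI",
}
NCF_NOT_USER_REMOVABLE = 0x20

# Constructed stand-in for c:\windows\inf\nettcpip.inf, trimmed to the lines the edit
# touches. The section name and the 0xA0 value are what I recall from the stock XP file
# (assumption: verify against your own copy); nothing else here is taken from that file.
SAMPLE_INF = """[Version]
Signature = "$Windows NT$"

[MS_TCPIP.PrimaryInstall]
; TCPIP has properties to display
Characteristics = 0xA0 ; NCF_HAS_UI | NCF_NOT_USER_REMOVABLE
AddReg = MS_TCPIP.PrimaryInstall.AddReg

[MS_TCPIP.PrimaryInstall.AddReg]
HKR, Ndi, Service, 0, "Tcpip"
"""

_CHAR_RE = re.compile(r"^(\s*Characteristics\s*=\s*)0x([0-9A-Fa-f]+)(.*)$")


def describe(value):
    """Names of the NCF_* flags set in a Characteristics value, lowest bit first."""
    return [name for bit, name in sorted(NCF_FLAGS.items()) if value & bit]


def _walk(inf_text, section):
    """Yield (line index, regex match) for each Characteristics line inside [section]."""
    current = None
    for i, line in enumerate(inf_text.splitlines()):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].lower()  # INF section names are case-insensitive
            continue
        if current == section.lower():
            m = _CHAR_RE.match(line)
            if m:
                yield i, m


def characteristics(inf_text, section):
    """Return the Characteristics value of [section], or None if section or line is absent."""
    for _, m in _walk(inf_text, section):
        return int(m.group(2), 16)
    return None


def with_flag(inf_text, section, flag, enabled):
    """Return inf_text with `flag` set (enabled=True) or cleared in [section]'s Characteristics.
    Only the hex token is rewritten, so comments, spacing and line endings survive and a
    clear-then-set round trip reproduces the original text exactly. Raises if the line is
    not found rather than silently handing back an unchanged file."""
    lines = inf_text.splitlines(keepends=True)
    hits = list(_walk(inf_text, section))
    if not hits:
        raise ValueError(f"no Characteristics line in [{section}]")
    for i, m in hits:
        old = int(m.group(2), 16)
        new = old | flag if enabled else old & ~flag
        eol = lines[i][len(lines[i].rstrip("\r\n")):]
        lines[i] = f"{m.group(1)}0x{new:X}{m.group(3)}{eol}"
    return "".join(lines)


if __name__ == "__main__":
    sec = "MS_TCPIP.PrimaryInstall"
    stock = characteristics(SAMPLE_INF, sec)
    print("stock   :", hex(stock), describe(stock))
    unlocked = with_flag(SAMPLE_INF, sec, NCF_NOT_USER_REMOVABLE, False)  # step 1
    print("unlocked:", hex(characteristics(unlocked, sec)), describe(characteristics(unlocked, sec)))
    relocked = with_flag(unlocked, sec, NCF_NOT_USER_REMOVABLE, True)      # step 3
    print("round trip exact:", relocked == SAMPLE_INF)
```

    On a real machine read the INF with open(path, newline="") so the CRLF line endings pass through untouched, write the result back the same way, and only then carry on with the Network Connections steps; the hex token is the only thing that should differ between the two files.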
     
  17. cm7

    cm7 Private E-2

    I had to insert a few extra keystrokes to find "Internet Protocol TCP/IP" during the process. The good news is that the error messages on startup for the WLAN no longer pop up. Somewhere during this process, Avast stopped running on startup. I started Avast manually and it works! I have not tried to connect to the internet yet.

    This is great progress, thanks!

    Best Regards,
    CM7
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that fixed a bunch of problems with your services.
    You won't be able to, based on your logs, as your interface seems to be disconnected. Do you have the cable to your network adapter plugged in or did you disconnect it?

    If it is plugged in, then you should try opening Device Manager and deleting the below adapter, but do not tell it to delete the driver files when asked

    Intel(R) 82566DC Gigabit Network Connection

    Then reboot your PC, upon reboot, it should hopefully find the hardware again and reuse the drivers we did not delete.

    If the above all works then we will need to see another new log.

    Please run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  19. cm7

    cm7 Private E-2

    I disconnected it. Do you want me to connect it and proceed?

    Best Regards,
    CM7
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! It should always be connected unless we ask you to disconnect it. Otherwise it makes how we interpret what we see in the logs misleading.
     
  21. cm7

    cm7 Private E-2

    Thanks.

    Intel(R) 82566DC Gigabit Network Connection - Deleted and reinstalled on reboot. Log attached.

    Best Regards,
    CM7
     

    Attached Files:

  22. thisisu

    thisisu Malware Consultant

    Latest logs show that there is full network connectivity.

    Test your internet. chaslang will be back to post final instructions.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, it looks good now.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  24. cm7

    cm7 Private E-2

    chaslang,

    Yes, it is working great now! Thank you so much for your selfless help. I am truly grateful. I wish you peace and much happiness in the New Year!

    Best Regards,
    CM7
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and thanks! Enjoy your New Year malware free. ;)
     
