Zero Access Rottkit

Mypc is infectedby Zero Access as it is reported by ComboFix, i run several tool but every time i run Combofix they report that i have the Zero Access rootkit as of that the pc cant access internet because the dns dont work so i setup a proxy server to my other pc so my av's can update here is my mgtools logs

 

Update

after MBAM & SAS & Combofix seems to be the fire


running one more time combofix and then try to see if the DNS problem persist

 

I think i am clean from rootkits

but DNS not working see this olso
local net working well but the dns not if ,i use my proxy i can navigate


Netbios over tcp not working

http://i2.lulzimg.com/1dd14a3387.png

i attach my new logs

 

i think i fixed the netbios over tcpip i find the registry(under services) and the adapter guid is wrong so i search on tcpip for the corect one and i changed every one, the service started but no DNS aaaaaaaaaaaaaa

 

Hi and welcome to Major Geeks, madsheep!

You need to attach the rest of the logs from the Windows XP Malware Removal/Cleaning Procedure thread first.

Also please stop changing things on your own as many of those changes will not match up accordingly in the logs you've already provided.

I'd like you to also complete the below:

http://img600.imageshack.us/img600/2693/mgtools.gif Now download the latest MGtools.exe to the root of your c: drive.

• Replace your existing MGtools.exe with this one.
• Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
• When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

http://img97.imageshack.us/img97/8120/fss.gif Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please attach FSS.txt to your next message. (How to attach)

 

SAS in next post

 

SUPERAntiSpyware log & Mglogs

 

http://img823.imageshack.us/img823/2039/msnmsg.gif Please download Disable/Remove Windows Messenger to your desktop.

• Double-click MessengerDisable.exe to run it.
• Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
• Click Apply
• Click Exit

http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]ClearJavaCache::[/COLOR]
[COLOR="DarkRed"]DirLook::[/COLOR]
c:\documents and settings\Owner\Application Data\FixZeroAccess
C:\7028v53
C:\WINDOWS\$NtUninstallKB2584146$
C:\WINDOWS\$NtUninstallKB2585542$
C:\WINDOWS\$NtUninstallKB2598479$
C:\WINDOWS\$NtUninstallKB2603381$
C:\WINDOWS\$NtUninstallKB2618451$
C:\WINDOWS\$NtUninstallKB2619339$
C:\WINDOWS\$NtUninstallKB2620712$
C:\WINDOWS\$NtUninstallKB2624667$
C:\WINDOWS\$NtUninstallKB2631813$
C:\WINDOWS\$NtUninstallKB2633171$
C:\WINDOWS\$NtUninstallKB2633952$
C:\WINDOWS\$NtUninstallKB2639417$
C:\WINDOWS\$NtUninstallKB2646524$
C:\WINDOWS\$NtUninstallKB917422$
C:\WINDOWS\$NtUninstallKB918899$
[COLOR="DarkRed"]Domains::[/COLOR]
[COLOR="DarkRed"]Driver::[/COLOR]
33716
MEMSWEEP2
[COLOR="DarkRed"]File::[/COLOR]
c:\windows\system32\33716.sys
c:\windows\system32\1A.tmp
C:\aawsepersonal.exe
C:\WINDOWS\system32\dds_trash_log.cmd
c:\program files\Common Files\AskToolbarInstaller.exe
[COLOR="DarkRed"]FileLook::[/COLOR]
c:\windows\system32\userinit.exe
c:\windows\system32\mswsock.dll
[COLOR="DarkRed"]Folder::[/COLOR]
C:\Program Files\Sophos
[COLOR="DarkRed"]Registry::[/COLOR]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

Put your computer back into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to setup for Normal Startup Mode

Turn off your proxy settings for these next steps:

Open the Device Manager

Click the http://www.techsupportforum.com/forums/sectools/tetonbob/StartBtn.gif button. > Run - copy and paste this command in the box devmgmt.msc then click OK.

Collapse the Network Adapters list.
Right mouse click: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
Choose "Uninstall".
You be asked to confirm your actions, choose OK and let it uninstall.
If it asks you if you want to delete the driver software / files too, say No.
When you have done this and Realtek RTL8169/8110 Family Gigabit Ethernet NIC is no longer in the Device Manager list -- Press the Scan for hardware changes button (http://img803.imageshack.us/img803/2868/scanhardware.png) or Action -> Scan for hardware changes
Allow it to reinstall your network adapter.
Reboot for changes to occur.
Test internet once you have rebooted.

http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

Disable/Remove Windows Messenger - OK
Fixing items using ComboFix - Norman Boot freeze
Fixing items using ComboFix - Safe Mode Ok
Realtek RTL8169/8110 Family Gigabit Ethernet NIC - OK
Still no access to dns
logs attached

 

It just looks like you aren't able to connect via HTTP. Is this is the problem you are experiencing? I'd like to remove the remaining traces of the proxy server below:

http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]DDS::[/COLOR]
uInternet Settings,ProxyServer = 192.168.2.2:8080
TCP: DhcpNameServer = 192.168.2.1
[COLOR="DarkRed"]Domains::[/COLOR]
[COLOR="DarkRed"]FireFox::[/COLOR]
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yik0618u.default\
FF - prefs.js: network.proxy.ftp - 192.168.2.2
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - 192.168.2.2
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 192.168.2.2
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 192.168.2.2
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
[COLOR="DarkRed"]Registry::[/COLOR]
[HKEY_USERS\S-1-5-21-784495058-1036359152-3525247100-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

http://img254.imageshack.us/img254/945/baticonxp.gif Now run c:\MGtools\FixNet.bat
This will reboot your PC.

Once the PC has been rebooted...

http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

i am running your test/fix right now. the problem is that i cannot resolve the host names ip work well if for example type in command prompt "ping google.com" i dont get the ip of google as i should

 

ComboFix - ok
FixNet - termination window with counter for reboot (ok?)

No internet, basically i have internet but as i said before something not working properly and i can only navigate with ip. i used proxy to navigate normally

also nslookup work and i get the ip

also logs attached

 

http://img834.imageshack.us/img834/2930/fixiticon.gif Please download Microsoft Fix it 50203 to your desktop.

• Double-click it to run.
• Reboot when asked to.

 

done nothing changed...

as i see the programs on add/remove i see that i can remove sp3 so i am thinking if it is good idea to remove and reinstall it?? i read somewhere that fixes the dns problems

 

Yes, that would have been my next suggestion. Go ahead and reinstall SP3.

 

back on sp2 ping sees the light again
installing sp3 if everything works you can close this thread w8 for a final post

 

Cool

Sometimes just that FixIt Tool alone will do the trick.

There have been times where reinstalling SP3 does NOT work but the FixIt tool does, go figure

 

After SP3, if everything is working as it should, here are the final steps:

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Be safe

 

SP3 installed ok
Internet is ok
Combofix uninstalled and all extra tools except from mbam and sas

Tomorrow i will install the rest of the windows updates thanks for your help! :cool

 

You're welcome