"No" Net access - ZeroAccess found / deleted

Acer Aspire one V1.03
Windows XP Home Edition Service Pack 3 (build 2600)
2 GB memory - because that's the max for this system architecture.

Booting in Normal Mode doesn't allow access to the internet with anything but surprisingly SeaMonkey browser is still able to connect just fine.

So I tried Firefox, and that doesn't even OPEN. It starts a process that's visible in task manager, but doesn't use any cpu cycles. VERY strange.

Other odd behaviour is my cursor frequently "jumping" to different parts of a sentence that I'm typing, some programs being abnormally slow, hanging, not closing either with [x] or ending the process in Task Manager, mouse clicks don't always register the first time or two, opening or changing directories is SLOW.

I've also gotten a popup message that something is trying to trick SeaMonkey into accepting insecure updates.

When I boot into Safe Mode, I can access the internet just fine and it seems that the browsers I've tried all work, and I can update the XYZ-ware scanners as well.

I had run a scan and it popped up a lot of hits for ZeroAccess in $NTUninstall directories, and I deleted and rebooted.

After that I tried to follow the full Malware Removal guide - had some problems getting some of the programs to work properly to generate log files, save them in the right format, or even switch directories to save them all in one place. Had to copy them manually and rename to .txt format.

 

Rogue Killer scans:

Sorry this is all a hot mess - IRL has been a thermonuclear mess.

 

I did read the instruction page for MWB AW - but there was no "export to txt" blue button to click. I can reboot into Safe Mode if you want, to see if that helps any.

Hit Man Pro started, but could not connect to the internet during its 5 minute try, then aborted - no special windows or modes started, no special options were available.

 

It detected a bunch of PUPs - prefs.js files.

 

Glad you don't see any malware - although from reading about this Zeroaccess, it seems like it's "removal" was all too easy. Hopefully it was THAT easy.

msconfig run and set to normal (haven't rebooted yet)
Farbar run and files attached.

Looks like I ought to sift and purge whatever accumulated junk is on here as well - I personally use Open Office, so torching that MS crapware really won't affect my life

I'm sure this might be material for a post in a different forum section, but:

It seems that GeekBuddy thing got installed with Comodo at some point - I'd like to remove them both and try using something installed clean, and after removing installed applications, I'm guessing I should clean the registry to remove any orphaned entries.

 

I believe it was Rogue Killer. See RKreport_SCN_10272015_171834.txt, it has some entries such as:

{snip}
"vendors": [
"ZeroAccess"
],
"status_choice": 2,
"processed": [
{
"type": 2,
"name": "$NtUninstallKB2079403$",
"path_expanded": "C:\\WINDOWS\\$NtUninstallKB2079403$",
"path_compressed": "%SystemRoot%\\$NtUninstallKB2079403$",
{snip}

 

Rogue Killer seemed to run ok, and the scan log is attached.

Hope it's the correct one.

 

or it will be once it's actually attached. [facepalm]

 

ADW wouldn't run - guess it needs network access, so I rebooted into safe mode and it ran successfully.
Tried to get Revo uninstaller from your link - it wouldn't work, and I don't know where it went on this laptop, but I used to have it - nice tool.
JRT ran and then stopped/shutdown - and didn't create any log that I could find. :confused

mswsock.dll does exist - version 5.1.2600.5625 created on 3/11/09

 

Thanks chaslang. That would be excellent if it never got on my machine in the first place.
Any ideas what line of analysis I ought to be pursuing to determine why SeaMonkey works and nothing else can access the network?

I tried lspfix a while back, and that killed everything, and I had to go back to a restore point.
There's a winsockxpfix as well - but I'm hesitant to try it.

If it works in Safe Mode, is it a driver issue of some sort?

 

I ran that tool in safe mode without networking as per the instructions it gives.
It didn't have a "Repair winsock & DNS cache" option.
rebooted - still no connection when I tried Opera.

It DOES have a "Fix Network" option - same/equivalent thing?
The tool suggests it be run twice anyway - check that box this time around?

I can see how a bad winsock path variable could contribute to a problem - it's been a long time since I've amended the path. Advise if I should fix that, and probably HOW I should fix that.

I suppose the issue with Hosts should be addressed.

I'm not sure what the IP address lease issue is about - it's still curious that ONE browser works, and everything else doesn't Why would one application be able to access the string of things needed to get from the laptop, out the wireless internal modem, through the router, and out the gateway - but everything else sits dead in the water?

Thanks so much for your patience and continued assistance.

 

OK,
I deleted Comodo firewall with Revo - figured I might as well do that before anything else tried to fix the system, lest uninstalling broke it again...

I then ran MicrosoftFixit50267.msi, then ran the windows repair tool again with the fix network checked.
Rebooted, that seems to have rectified [most of] the problem, as Opera is able to load the Google home page.

Thank you both, Kestrel13! and chaslang for the invaluable help.

What should I do now to follow through?

 

Also, the MS Update window pops up asking is I want to install updates.
I was under the impression that XP is "no longer supported", so I likely had auto updates turned off. Should I install these updates? (Belarc Advisor had a long list of missing security updates in its output)

 

MG tools was run, and so was FRST. Logs attached.

 

arg. I did run both of those and they both seem to working just fine.

 

Yep.
Avant
SeaMonkey
Firefox
Opera (both versions)
Internet Exploder
Slim Browser
Qupzilla
Safari
HitmanPro
Malwarebytes
Spybot
Irfanview
FormatFactory
Skype

All access the network and seems to operate as normally as anything ever does.

ADW crashed when I tried to run it - see attached crop of screenshot.

Haven't tried to do the windows updates, but I figure if it's finding they exist, then that "works" too.

 

Yes - it's always pretty good when things all run more or less the way they ought to.
I ran FRST - and it ran for a while and then crashed. See attached.
Should I just try to run it again?

 

OK,
Ran FRST, it ran fine, then rebooted.
Malware bytes ran
Rogue Killer updated to 10.11.4.0
As this was done through Opera, AdBlock plugin installed itself. Interesting.
HitmanPro ran, then deleted some junk after I activated the 30 day trial.


Logs attached.

 

Good morning to you, Kestrel13!

I did indeed let it remove the several .js files that it found this time.

I didn't do it the first time around because I was running several scans, and I wasn't told to remove anything, so I didn't as per the general malware removal instructions.

 

So far so good. I appreciate all the help you and chaslang have given over the past several days, and am glad that it seems to not have been an actual malware-related problem.

Is there anything I need to do now to make sure everything is ok?
If ADW and JRT suddenly stopped working, is there something that still needs to be addressed?

Also, I'm sure I ought to be running something other than XP's Windows firewall since I nuked comodo.

 

I ran JRT and it ran without an error, then disappeared and I don't see a log anywhere.

ADW would not run due to an error, so I thought I'd reinstall it.
The installation file popped up a window saying it was outdated version, and I should download an updated version.

Clicking OK opened Opera to a URL that redirected to
https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Seemed pretty sketchy to me, so I stopped there.

 

Re-downloaded ADW installation file. Interestingly enough - the last one "deleted itself" when I hit [OK]. Disturbing.
ADW ran in Safe mode, but still gave a popup saying it was outdated. This time I hit cancel, and it proceeded to run.
Log file attached.

JRT would not run in safe mode. Couldn't make a restore point.
Runs in normal mode, but just disappears without explanation.
Output to the CMD screen shows some file permission issues.

All other programs seem to run normally. I tried running everything from resource-intensive or network-intensive programs to simple programs from '80's and '90's that require Dosbox. :cool

PovRay
Paint.Net
IrfanView
Audacity
ISISDraw
ChemDraw
ChemWindow
OpenOffice
InkScape
ChemSketch
OpenSCAD
Arduino
FreeCAD
Blender
GIMP
BitPim

Various games

 

Yes, thanks.
After that I'll head over to the software section and see about firewall software and other stuff.
Thanks a lot for keeping this little old laptop running.

The disposition of the old one is a Tale Of Woe such as to make reality Stranger and More Terrifying than Fiction.

 

Thanks again.
Should I do whatever pending XP updates are in the toolbar?
I'm just asking, because M$ tends to "fix" things like a bull fixes things in a china shop <cough> Skype </cough>.