Root kit zero access tcp/ip stack

Discussion in 'Malware Help (A Specialist Will Reply)' started by spaceace7, May 4, 2012.

  1. spaceace7

    spaceace7 Private E-2

Hello. I ran ComboFix and it advised "a root kit has inserted itself between tcp/ip stack".

    After it rebooted I can not access the internet.

    I have the original scan log from the scan.

    Yahoo opens but shows "No server found"

    Ran an mbr check and shows a problem, I have that log as well.

One other thing. When I tried to run ipconfig I get the following message:
"An internal error occurred. The request is not supported. Unable to query host name."

    I'm running windows XP SP2.

    Appreciate any assistance.

    Thank you.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hello and welcome to Major Geeks, spaceace7

    http://img196.imageshack.us/img196/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run

    http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)

    http://img194.imageshack.us/img194/4930/combofix.gif Also attach the log from when you ran ComboFix.
    It should be at c:\ComboFix.txt (How to attach)
     
    Last edited: May 4, 2012
  3. spaceace7

    spaceace7 Private E-2

    Thank you. I have attached the two OTL logs and the TDSS file for review.

I also have all the "Read and run" files if needed:
- SUPERAntiSpyware log
- MBAM log
- ComboFix log
- RR log
- MG log zip

Not sure if you need the original ComboFix log that discovered the root kit that started my issue, but I have it as well if it did not attach to my original post. Let me know if you require any of these logs.

    Thank you for your assistance.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Hello

    Yes please attach all of these.

    Do this as well:

    http://img196.imageshack.us/img196/3557/tdsskiller.gif Re-scan with TDSSKiller with the parameters you used before.
    This time if TDSS File System appears, delete it!
    Then attach the latest TDSSKiller log. (How to attach)
     
  5. spaceace7

    spaceace7 Private E-2

    Sorry

Here is the Read and run ComboFix log (050412) and the original ComboFix log that was part of the original root kit problem (050312).

    Thank you.
     

    Attached Files:

  6. spaceace7

    spaceace7 Private E-2

    Read and run logs..

    Will rerun tdss and repost as requested...

    Thanks
     

    Attached Files:

  7. spaceace7

    spaceace7 Private E-2

Deleted the TDSS system found in the scan.

Log attached.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    http://img853.imageshack.us/img853/6741/addremovexp.gif From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 20

    I would prefer if you ran this fix while in Safe Mode for the highest chance of success.
    See: How to start your computer in Safe mode

    Attached is OTLfix.txt
    Download and save this to your desktop.


    http://img205.imageshack.us/img205/1894/otl.gif Now reopen OTL
    Then drag OTLfix.txt into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    The fix will need a reboot. Allow the PC to reboot into Normal Mode.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    _______________

    Check to see if the internet is working after you have run that fix. If it is, stop here and let me know.
    If it still is not working, then proceed with these following steps:


    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned; this is the one we want! Do not choose Microsoft TCP/IP v6!

Note: This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
You will be asked to reboot your PC for the changes to take effect; go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.

    ___________________

    Do this regardless if internet is working or not!!

    http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files:
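The manual TCP/IP reinstall above hinges on one edit to Nettcpip.inf: the Characteristics value 0xA0 in [MS_TCPIP.PrimaryInstall] carries the NCF_NOT_USER_REMOVABLE bit (0x20) together with NCF_HAS_UI (0x80), and dropping the 0x20 bit is what makes the Uninstall button appear. The following Python is an added example (not code from the thread, from OTL or from Microsoft) that decodes those flag bits and applies the edit to the named section only, leaving every other section untouched; the sample INF text is constructed and abbreviated, and the [MS_TCPIP6.PrimaryInstall] section name in it is an assumption used only to show that other sections are not modified.

```python
import re
from typing import List, Tuple

# NCF_* characteristics bits for network-class INF sections (values as in netcfgx.h).
NCF_FLAGS = {
    0x01: "NCF_VIRTUAL",
    0x02: "NCF_SOFTWARE_ENUMERATED",
    0x04: "NCF_PHYSICAL",
    0x08: "NCF_HIDDEN",
    0x10: "NCF_NO_SERVICE",
    0x20: "NCF_NOT_USER_REMOVABLE",
    0x40: "NCF_MULTIPORT_INSTANCED_ADAPTER",
    0x80: "NCF_HAS_UI",
}

# Constructed, abbreviated stand-in for C:\WINDOWS\inf\Nettcpip.inf (not the real file).
SAMPLE_INF = """\
[Version]
Signature = "$Windows NT$"

[MS_TCPIP.PrimaryInstall]
Characteristics = 0xA0
AddReg = MS_TCPIP.PrimaryInstall.AddReg

[MS_TCPIP6.PrimaryInstall]
Characteristics = 0xA0
"""


def decode_characteristics(value: int) -> List[str]:
    """Return the NCF_* flag names set in a Characteristics value, lowest bit first."""
    return [name for bit, name in sorted(NCF_FLAGS.items()) if value & bit]


def patch_inf_characteristics(inf_text: str, section: str, new_value: int) -> Tuple[str, int]:
    """Rewrite the Characteristics entry inside one [section] of an INF file.

    Only the first Characteristics line in the requested section is changed;
    all other sections (e.g. the IPv6 one) keep their original value.
    Returns (patched_text, old_value). Raises ValueError if the entry is missing.
    """
    current = None          # name of the INF section we are currently inside
    old_value = None
    out = []
    for line in inf_text.splitlines():
        header = re.match(r"\s*\[(.+?)\]", line)
        if header:
            current = header.group(1).lower()
            out.append(line)
            continue
        if current == section.lower() and old_value is None:
            m = re.match(r"(\s*Characteristics\s*=\s*)(0x[0-9A-Fa-f]+|\d+)(.*)", line)
            if m:
                old_value = int(m.group(2), 0)
                line = f"{m.group(1)}0x{new_value:02X}{m.group(3)}"
        out.append(line)
    if old_value is None:
        raise ValueError(f"no Characteristics entry found in [{section}]")
    return "\n".join(out) + "\n", old_value


if __name__ == "__main__":
    patched, old = patch_inf_characteristics(SAMPLE_INF, "MS_TCPIP.PrimaryInstall", 0x80)
    print("before:", hex(old), decode_characteristics(old))
    print("after :", "0x80", decode_characteristics(0x80))
    print(patched)
```

Run against a copy of the real INF, the function reports the old flags so you can confirm the file looked as expected (0xA0) before writing it back; if a different value is found, stop and look at the file rather than blindly replacing it.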

  9. spaceace7

    spaceace7 Private E-2

    Internet working... Thank you!!

    Attached files as requested.

    Please advise if further action is needed...

    Really appreciate your help.!!
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Nice.
    Are you experiencing any problems with missing shortcuts on the desktop and startmenu?
If so, continue with these instructions below.
    Otherwise, let me know what issues you are experiencing, if any.

    http://img194.imageshack.us/img194/4930/combofix.gif Dequarantine using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    DeQuarantine::
    C:\Qoobox\Quarantine\C\Documents and Settings\Kevin Roberts\Local Settings\Temp\smtmp
    Quit::
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\DeQuarantine.txt
    Attach this log to your next message. (How to attach)

    __

    http://img189.imageshack.us/img189/2827/unhide.gif Now download unhide.exe to your desktop.
    • Now run unhide.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • Be patient as the tool runs.
    • Did this restore the missing (hidden) shortcuts?
    • Attach the unhide.txt file on your desktop. (How to attach)
     
  11. thisisu

    thisisu Malware Consultant

    Here are additional steps I would recommend doing, not malware related though:

    http://img823.imageshack.us/img823/2039/msnmsg.gif Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    http://img195.imageshack.us/img195/9049/javaz.gif Now install the current version of Sun Java from here.

    Your latest logs are clean but let me know if you are still having malware related issues.
     
  12. spaceace7

    spaceace7 Private E-2

Thanks again. Don't see any missing icons at this point, so I won't run the ComboFix text.

    Did run the messenger kill and updated Java.

Are there any specific fixes I can take for "blocking" the zero root kit in the future? I know XP is old so there may not be, but I'd like to keep this from happening in the future.

    Thanks
     
  13. thisisu

    thisisu Malware Consultant

    You're welcome.

    Read the "How to Protect yourself from malware!" link at the bottom of these cleanup steps.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
    • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
