rootkit.zero access and no internet connection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Icefalcon, Aug 25, 2012.

  1. Icefalcon

    Icefalcon Private E-2

    Hello

    Recently my home computer started having issues and I noticed that mywebsearch was installed. I ran Malwarebytes Anti-Malware and it detected a lot of issues as well as a rootkit. After it resolved the issues I noticed that my internet connection wasn't working anymore. I've had issues in the past and so I ran Combofix, which 98% of the time has fixed any problems I might have. It ran and popped up with a warning that it had found Rootkit.ZeroAccess installed in the TCP/IP stack. It finished running and reported that it had removed more issues, but after restart I still have no internet connection. I've run Combofix many times as well as Malwarebytes since then and even though their reports are now coming back clean I still have no internet connection.

    So here I am looking for help. Attached are the logs. If you would like me to try and find earlier logs of Malwarebytes or Combofix I can search for them. These are the most recent logs.

    Thanks

    Rustin
     

    Attached Files:

  2. Icefalcon

    Icefalcon Private E-2

  3. thisisu

    thisisu Malware Consultant

    Hello Rustin,

    You only delay yourself when you bump your own thread. Threads are worked from oldest to newest. Suggested reading: Don't Bump! It Only Hurts You!

    __

    You're next now so I am reviewing your logs.
     
  4. thisisu

    thisisu Malware Consultant

    Use ProxyFix in RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Fix Proxy button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    __

    Reboot and test for internet connection.

    __

    If that didn't work, you can try this too:

    Open Notepad and copy everything in the code box below into it.
    Code:
    REGEDIT4
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    • File -> Save As -> Save as type: "All Files" -> File Name: fixme.reg -> Save.
    Now merge this into the registry by double-clicking it.
    Let me know if the merge was successful or not. If successful, reboot and test for internet connection.
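    The .reg fix above removes ProxyServer from two LocalSystem hives but says nothing about the logged-on user's own hive, and it cannot tell you whether anything was actually set. The following is an added example written for this page, not code from the thread or from RogueKiller: it audits the WinINET proxy values (ProxyServer, AutoConfigURL, ProxyEnable) under every hive currently loaded in HKEY_USERS, which always includes .DEFAULT and S-1-5-18 plus any user who is logged on, and clears them only when run with -Fix. It assumes an elevated PowerShell 2.0 or later prompt; hives of users who are not logged on are not loaded and are not checked.

```powershell
# Added example (not from the thread): audit the WinINET proxy settings that
# proxy hijackers plant, across every loaded user hive plus the LocalSystem
# hives (.DEFAULT and S-1-5-18) named in the .reg fix above.
# Run from an elevated PowerShell prompt. Pass -Fix to clear what it finds.
param([switch]$Fix)

$relPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Expose HKEY_USERS as a drive; PowerShell only maps HKCU and HKLM by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-ProxyFindings {
    # Returns one object per hive that has ProxyServer, AutoConfigURL, or
    # ProxyEnable=1 set. Skips the *_Classes hives, which never hold these values.
    Get-ChildItem -Path HKU:\ |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $key = Join-Path $_.PSPath $relPath
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($p -and ($p.ProxyServer -or $p.AutoConfigURL -or $p.ProxyEnable -eq 1)) {
                New-Object PSObject -Property @{
                    Hive          = $_.PSChildName
                    ProxyEnable   = $p.ProxyEnable
                    ProxyServer   = $p.ProxyServer
                    AutoConfigURL = $p.AutoConfigURL
                    Key           = $key
                }
            }
        }
}

$findings = @(Get-ProxyFindings)
if ($findings.Count -eq 0) {
    Write-Host 'No proxy settings found in any loaded hive.'
    return
}
$findings | Format-Table Hive, ProxyEnable, ProxyServer, AutoConfigURL -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        # Same effect as "ProxyServer"=- in the .reg file, plus the two
        # companion values (AutoConfigURL, ProxyEnable) the .reg fix leaves alone.
        Remove-ItemProperty -Path $f.Key -Name ProxyServer, AutoConfigURL -ErrorAction SilentlyContinue
        Set-ItemProperty    -Path $f.Key -Name ProxyEnable -Value 0 -Type DWord
        Write-Host "Cleared proxy settings in $($f.Hive)"
    }
}
```

Run it once without -Fix and keep the output with the other logs: a ProxyServer pointing at 127.0.0.1 or an unfamiliar host, or an AutoConfigURL you did not set, is evidence of the hijack even after the malware binaries are gone. A hive that reports nothing while the browser still fails to connect points away from the proxy and toward the adapter or the Winsock stack, which is where this thread ends up.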
     
  5. Icefalcon

    Icefalcon Private E-2

    Thanks for getting back to me and sorry about the bump earlier.

    Alright, I used the ProxyFix in RogueKiller. It ran and completed, but after rebooting I still don't have internet.

    I then ran the fixme.reg and it was added to the registry successfully, but still after rebooting I don't have internet.

    The log is attached.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Open the Device Manager

    • Collapse the Network Adapters list.
    • Right mouse click: Intel(R) 82562V 10/100 Network Connection
    • Choose "Uninstall".
    • You will be asked to confirm your actions; choose OK and let it uninstall.
    • If it asks you if you want to delete the driver software / files too, say No.
    • When you have done this and Intel(R) 82562V 10/100 Network Connection is no longer in the Device Manager list -- press the Scan for hardware changes button or Action -> Scan for hardware changes
    • Allow it to reinstall your network adapter.
    • Reboot for changes to occur.
    • Test internet once you have rebooted.

    __

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure all the options are checked
    • Press Scan.
    • It will create a log (FSS.txt) in the same directory the tool was run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  7. Icefalcon

    Icefalcon Private E-2

    Thanks again

    Uninstalled and reinstalled the network driver, rebooted and still no internet.

    Here is the log from the Farbar scanner.
     

    Attached Files:

    • FSS.txt (2.4 KB)
  8. thisisu

    thisisu Malware Consultant

    Ok, it sounds like the TCP/IP stack is completely broken.

    Try this next as it should work:

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect; go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.
     
  9. Icefalcon

    Icefalcon Private E-2

    Alright, I deleted the Winsock items in the registry and made the following change:

    [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80

    Rebooted the computer, reinstalled the network protocol and still no internet.

    Was I supposed to change the Characteristic back to 0xA0?
     
  10. thisisu

    thisisu Malware Consultant

    Did you complete all the steps? Because you are not supposed to reboot right after changing 0xA0 with 0x80.

    We want it to be 0xA0, however, 0x80 works too. Point is to toggle it just so Uninstall button becomes available.
     
  11. thisisu

    thisisu Malware Consultant

    There may be a conflict with McAfee as well. I recommend uninstalling it through Add/Remove Programs and then download the following from a computer with working internet: MCPR.exe and transferring it to the computer with issues and executing it. It is McAfee's uninstall tool so we remove as many traces of McAfee as possible.

    Very important that this trace from Device Manager is uninstalled as well: McAfee Core NDIS Intermediate Filter Miniport - (Network Adapters)

    Going to bed soon, keep me posted whenever you can.
     
    Last edited: Aug 27, 2012
  12. Icefalcon

    Icefalcon Private E-2

    Okay, so I uninstalled McAfee from the Control Panel, downloaded MCPR.exe and ran it to further uninstall McAfee. Yet as I opened the Device Manager to remove the miniport that you had suggested, I noticed that Intel(R) 82562V 10/100 Network Connection under Network Adapters had an X over it. Right-clicked it and it said that it was disabled. I was able to enable it and then tested the internet connection and now everything is working!
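    The thread's resolution is worth stating plainly: after removing the rootkit, resetting the proxy, deleting the Winsock keys and reinstalling TCP/IP, the remaining cause was a network adapter that Device Manager showed as disabled. (Two details from posts 8 to 10 are also worth knowing. Deleting the Winsock and Winsock2 keys by hand is the manual form of `netsh winsock reset`, which rebuilds the catalog on XP SP2 and later. The Characteristics edit in Nettcpip.inf works because 0xA0 is NCF_HAS_UI (0x80) combined with NCF_NOT_USER_REMOVABLE (0x20); clearing the 0x20 bit is exactly what makes the Uninstall button appear, and the stock file restores 0xA0 when TCP/IP is reinstalled from it, so there is nothing to change back.) The following read-only triage script is an added example written for this page, not code from the thread or from any of the tools it uses. It checks the three things the thread worked through, in the order that would have surfaced the real cause first: adapters reporting Device Manager error code 22 ("this device is disabled"), the presence of the Winsock, Winsock2 and Tcpip keys and service, and Winsock catalog entries whose provider DLL is not one of the Microsoft system DLLs. It assumes PowerShell 2.0 or later with WMI and netsh available; the list of known Microsoft provider DLLs is an assumption that you should adjust for your Windows build.

```powershell
# Added example (not from the thread): read-only triage of the network stack
# after a rootkit clean-up. Uses WMI and netsh so it works on PowerShell 2.0.

function Get-DisabledAdapters {
    # ConfigManagerErrorCode 22 is Device Manager's "This device is disabled",
    # the red X the user saw on the Intel adapter.
    Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.ConfigManagerErrorCode -eq 22 } |
        Select-Object Name, NetConnectionID, ConfigManagerErrorCode
}

function Get-WinsockState {
    # The Winsock/Winsock2 keys the thread deleted by hand, plus the Tcpip
    # service they depend on. "netsh winsock reset" rebuilds the two keys.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    New-Object PSObject -Property @{
        WinsockKeyPresent   = Test-Path "$base\Winsock"
        Winsock2KeyPresent  = Test-Path "$base\Winsock2"
        TcpipServicePresent = Test-Path "$base\Tcpip"
        TcpipServiceState   = (Get-Service -Name Tcpip -ErrorAction SilentlyContinue).Status
    }
}

function Get-ForeignWinsockProviders {
    # Parse "netsh winsock show catalog". Entries are blank-line separated blocks
    # with "Description:" and "Provider Path:" lines; name-space providers print
    # no path and are skipped. Anything not backed by a known Microsoft DLL is
    # reported so a layered service provider (LSP) hijack stands out.
    # ASSUMPTION: this allow-list covers XP/Vista/7 stock providers; extend as needed.
    $known = 'mswsock.dll', 'rsvpsp.dll', 'winrnr.dll', 'nlaapi.dll',
             'napinsp.dll', 'pnrpnsp.dll', 'wshbth.dll'
    $text = (& netsh winsock show catalog) -join "`n"
    foreach ($block in ($text -split "`n\s*`n")) {
        if ($block -match 'Description:\s*(.+)')   { $desc = $Matches[1].Trim() } else { continue }
        if ($block -match 'Provider Path:\s*(.+)') { $path = $Matches[1].Trim() } else { continue }
        $dll = [System.IO.Path]::GetFileName($path).ToLower()
        if ($known -notcontains $dll) {
            New-Object PSObject -Property @{ Description = $desc; ProviderPath = $path }
        }
    }
}

Write-Host '== Adapters disabled in Device Manager (error code 22) =='
Get-DisabledAdapters | Format-Table -AutoSize
Write-Host '== Winsock / TCP/IP registry keys and service =='
Get-WinsockState | Format-List
Write-Host '== Winsock catalog entries not backed by a Microsoft system DLL =='
Get-ForeignWinsockProviders | Format-Table -AutoSize
```

If the first section lists an adapter, enable it before touching anything else: in Device Manager as the user did, or with `netsh interface set interface name="Local Area Connection" admin=enabled`. Only when the adapter is enabled and connectivity is still absent do the Winsock and TCP/IP sections become relevant; a missing Winsock2 key or a catalog entry pointing at a DLL outside System32 is the case for `netsh winsock reset` or the reinstall procedure in post 8.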
     
  13. thisisu

    thisisu Malware Consultant

    I'm glad to hear that :)

    Go to this folder using Windows Explorer: C:\Documents and Settings\Rusnic\Templates

    From this folder, delete the following files:

    1. 1363166623
    2. 2843495555
    3. 2e32xr4i06f831
    4. 400741w6k882c553r402d6vsh0q1
    5. 6l06kf7v14v033
    6. 7x16sp6q23q361
    7. 82n6u1y5v2x4155u05qfmjh637ph4uoluj8
    8. 8s71vs8v15a532
    9. VH56DJI7u87yo

    __

    Close Explorer

    __

    Uninstall these programs via Add/Remove Programs:

    • Browser Address Error Redirector
    • Java(TM) 6 Update 24 (outdated)

    __


    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Any remaining issues?
     
  14. Icefalcon

    Icefalcon Private E-2

    Deleted and uninstalled.

    Internet is working fine.
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Coupon Printer for Windows
    • CouponBar

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    __

    Download the attachment and extract both files onto your desktop.
    Run each of them one at a time by double-clicking them and allowing them execute / merge into registry.

    __

    Reboot (very important)

    __

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files:

  16. Icefalcon

    Icefalcon Private E-2

    I removed the coupon stuff, removed Windows Messenger, ran the registry files and rebooted.

    Here is the log.
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    Use Windows Explorer to find and delete these files:
    • C:\Documents and Settings\Rudy\Templates\7d2f06o35nhdm3kjnu6u6h0di58uv6566861rt
    • C:\Documents and Settings\Rudy\Local Settings\Application Data\7d2f06o35nhdm3kjnu6u6h0di58uv6566861rt
    • C:\Documents and Settings\Rusnic\Local Settings\Application Data\VH56DJI7u87yo
    • C:\Documents and Settings\Rusnic\Local Settings\Application Data\8s71vs8v15a532

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
