Zeroaccess? No internet, etc.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Blackhand9, Dec 29, 2011.

  1. Blackhand9

    Blackhand9 Private E-2

    Hello,

    I am also experiencing a nasty malware problem over the past two weeks, which I believe is related to zeroaccess. I have downloaded several anti-malware programs from the site to no avail. I ran bitdefender's anti-zeroaccess program, but it could not identify the problem. I plan to run ComboFix when I return home tonight and will share the log file and results as well. My machine is unable to access the internet or run system restore. I apologize if you have been seeing a lot of this lately, but I'm no expert, and wanted to address my problem specifically. Please find the attached log files. Thanks in advance for your help and for providing this resource.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

  3. Blackhand9

    Blackhand9 Private E-2

    Thanks. I will go through those posts and carefully work on the machine, as time permits. Here are the updated logs from Combofix. I will keep you posted on my progress and appreciate your help and advice.

    It was zeroaccess and it has proven to be the worst malware attack I have suffered. I am considering a new machine over this, but of course want to enquire about the possibility of fixing the one I have first.
     

    Attached Files:

  4. Blackhand9

    Blackhand9 Private E-2

    I have read through the posts as requested, and have done my best to follow the guidelines. If I am missing something, please let me know and I will correct it. I apologize, and appreciate your help. Please find the attached logs as requested. The combofix logs may be found in a previous post. If you need me to repost, please let me know.

    Since my last post, I believe I have removed zeroaccess, but have no internet access (error code 720). The machine's recovery drive is also inoperable. Thanks again.
     

    Attached Files:

  5. Blackhand9

    Blackhand9 Private E-2

    Here are the super-anti-spyware logs, and a repost of combofix as well.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Just one more file that should be attached: C:\MGlogs.zip

    Remember to run MGtools.exe from the root of your C: drive. Not from E: as some of your logs suggest.

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  7. Blackhand9

    Blackhand9 Private E-2

    Because I am reading your message via cell phone I did not realize you wanted me to redownload MGTools. I have redownloaded MGTools and will rescan when I return to the infected machine. I have gone ahead and attached the requested log from the previous scan as well. Thanks for the help!
     

    Attached Files:

    Last edited: Jan 11, 2012
  8. thisisu

    thisisu Malware Consultant

    We have to go for a big fix here because it looks like your TCP/IP stack is completely dead.

    I would like you to try the below.

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect, go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.
     
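The procedure above deletes the Winsock keys and reinstalls TCP/IP blind. As an added example (not from thisisu's post or any MajorGeeks tool), the following PowerShell script records the state those steps act on before anything is deleted: whether the Winsock and WinSock2 keys exist, which provider DLLs are registered in the Winsock2 catalog (a dead stack often means a missing or unsigned provider), and the current Characteristics line in Nettcpip.inf. It assumes a Windows host with the standard registry and inf paths named in the post; no thread-specific values are used.

```powershell
# Added example: snapshot the Winsock / TCP/IP state referenced in post 8.
# Run from an elevated PowerShell prompt; read-only, changes nothing.

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$catalog  = "$services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"

function Test-WinsockKeys {
    # The two keys the post deletes; note which are still present.
    foreach ($k in 'Winsock', 'WinSock2') {
        [pscustomobject]@{ Key = "$services\$k"; Present = Test-Path "$services\$k" }
    }
}

function Get-WinsockProviders {
    # Each Catalog_Entries subkey carries a PackedCatalogItem binary value whose
    # leading bytes are the provider DLL path as a NUL-terminated ANSI string.
    Get-ChildItem -Path $catalog -ErrorAction Stop | ForEach-Object {
        $raw = (Get-ItemProperty -Path $_.PSPath).PackedCatalogItem
        $end = [Array]::IndexOf($raw, [byte]0)
        $dll = [System.Text.Encoding]::ASCII.GetString($raw, 0, $end)
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $exists = Test-Path -LiteralPath $path
        [pscustomobject]@{
            Entry  = $_.PSChildName
            Dll    = $dll
            Exists = $exists
            # A provider that is missing or not Microsoft-signed is what breaks the stack.
            Signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        }
    }
}

function Get-TcpipInfCharacteristics {
    # Post 8 changes 'Characteristics = 0xA0' to '0x80' in [MS_TCPIP.PrimaryInstall]
    # so the protocol becomes removable; report the value currently in the file.
    $inf   = Join-Path $env:SystemRoot 'inf\nettcpip.inf'
    $lines = Get-Content -LiteralPath $inf
    $hdr   = $lines | Select-String -Pattern '^\[MS_TCPIP\.PrimaryInstall\]' | Select-Object -First 1
    if (-not $hdr) { return 'section [MS_TCPIP.PrimaryInstall] not found' }
    $last  = [Math]::Min($hdr.LineNumber + 10, $lines.Count - 1)
    ($lines[$hdr.LineNumber..$last] | Select-String -Pattern '^\s*Characteristics\s*=').Line
}

Test-WinsockKeys        | Format-Table -AutoSize
Get-WinsockProviders    | Format-Table -AutoSize
Get-TcpipInfCharacteristics
```

On XP SP2 and later, `netsh winsock reset` rebuilds the catalog without touching the TCP/IP installation and is worth running before the key deletion above; keep the snapshot output with the thread's other logs either way.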
  9. Blackhand9

    Blackhand9 Private E-2

    Success! However, I fear the machine will need more repairs. Windows firewall is disabled, windows cannot be updated, and I am having trouble updating anti-malware programs. Thank you!
     
  10. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Ask Toolbar
    • Java(TM) 6 Update 24
    • Kingsoft PC Doctor 3.2.0.40


    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the custom fix text-field.
    Code:
    :services
    PCToolsSSDMonitorSvc
    Lavasoft Kernexplorer
    Lbd
    hpdj
    SetupNTGLM7X
    :files
    c:\$avg
    c:\documents and settings\administrator\application data\kingsoft
    c:\documents and settings\administrator\local settings\application data\0st51cg8135r0vn414k37883wvijh7813
    c:\documents and settings\administrator\local settings\application data\mtqktr4u2mpa0nks1ulk7p652q8l
    c:\documents and settings\administrator\local settings\temp\*.tmp
    c:\documents and settings\administrator\templates\0st51cg8135r0vn414k37883wvijh7813
    c:\documents and settings\administrator\templates\mtqktr4u2mpa0nks1ulk7p652q8l
    c:\documents and settings\all users\application data\0st51cg8135r0vn414k37883wvijh7813
    c:\documents and settings\all users\application data\kingsoft
    c:\documents and settings\all users\application data\krshistory
    c:\documents and settings\all users\application data\lavasoft
    c:\documents and settings\all users\application data\mhmjbl.dat
    c:\documents and settings\all users\application data\mtqktr4u2mpa0nks1ulk7p652q8l
    c:\documents and settings\all users\application data\stopzilla!
    c:\documents and settings\all users\start menu\programs\kingsoft pc doctor
    c:\documents and settings\all users\start menu\programs\startup\driver performer.lnk
    c:\documents and settings\all users\start menu\programs\stopzilla
    c:\documents and settings\networkservice\local settings\application data\asktoolbar
    c:\documents and settings\networkservice\local settings\application data\microsoft\internet explorer\domstore\72wqd7v6\*.xml
    c:\documents and settings\networkservice\local settings\application data\microsoft\internet explorer\domstore\frc5cogj\*.xml
    c:\documents and settings\networkservice\local settings\application data\microsoft\internet explorer\domstore\pizv2jfw\*.xml
    c:\documents and settings\networkservice\local settings\application data\microsoft\internet explorer\recovery\active\*.dat
    c:\program files\common files\is3
    c:\program files\common files\pc tools
    c:\program files\free offers from freeze.com
    c:\program files\kingsoft
    c:\program files\lavasoft
    c:\program files\stopzilla!
    c:\windows\system32\-1
    c:\windows\system32\drivers\lbd.sys
    c:\windows\winstart.bat
    xcopy "c:\documents and settings\administrator\desktop\mgtools.exe" c:\mgtools.exe /c
    xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
    xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
    xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
    xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    :commands
    [purity]
    [emptytemp]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Jan 11, 2012
  11. Blackhand9

    Blackhand9 Private E-2

    I tried this, but when I ran OTL my machine froze.

    Between your posts, I ran Combofix again with an internet connection, resulting in more files being deleted. I was then able to update Superantispyware and Malwarebytes, which both found problems. The new logs are attached.

    Afterwards, I was able to update Windows, with only some updates appearing and being installed. I was able to install the others with Kingsoft PC Doctor (before deleting it). Windows Firewall now appears to be running.

    I wanted to share logs before proceeding to be safe. I will wait until I hear back to do anything else.
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    There is still malware in your logs. Please try the OTL fix from Safe Mode. (How to Start your computer in Safe Mode)

    Also, did you have trouble uninstalling the items I mentioned earlier? I still see AskToolBar, Java update 24 and Kingsoft PC Doctor 3.2.0.40 installed.

    Please uninstall these as requested BEFORE attempting to run the OTL fix script.
     
  13. Blackhand9

    Blackhand9 Private E-2

    Forgot to mention logs are from previous day. I will double check, and then attempt OTL in safe mode.
     
  14. Blackhand9

    Blackhand9 Private E-2

    No problems in safe mode! Here are the requested logs.
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    Very good! Just one more minor thing and then you can perform the cleanup steps listed below.

    Open Notepad and copy everything in the code box below into it.
    Code:
    REGEDIT4
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6BEB65D9-EC08-4218-8C14-C782217A7F0A}]
    • File -> Save As -> Save as type: "All Files" -> File Name: fixme.reg > Save.
    Now merge this into the registry by double-clicking it.
    Let me know if the merge was successful or not.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Take care and be safe! :)
     
  16. Blackhand9

    Blackhand9 Private E-2

    No problems merging into registry. Thanks again for all of your help!
     
  17. thisisu

    thisisu Malware Consultant

    You're welcome ;)
     
