Can't get online after ZeroAccess! removal


  • This topic is locked
17 replies to this topic

#1 cart0181

cart0181

  • Members
  • 54 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 14 October 2011 - 06:55 PM

Hello all! I believe this is my first post requesting help with a virus removal here on the forums. First I just want to THANK YOU for being here, and all the hard work you do. It is amazing! :guitar:

So, on to the problem itself. The title pretty much speaks for itself. I have to admit I used Combofix under my own supervision because I fancy myself an amateur malware remover type guy. Hereafter, I will be enrolling in the official course here on BleepingComputer. Until then, I will be humbled to receive some assistance. TIA

The problem is well documented. Evidently Combofix will occasionally remove/heal the ZeroAccess! (aka Sirefef B, aka Max++) rootkit, but it will not repair some of the damage or changes to the registry it caused. Apparently what this rootkit does is it infects a random system driver. In my case I believe it was the netbt.sys driver, but I will leave that determination to the experts. All I know is the computer can't get online and the TCP/IP NetBIOS Helper service won't start (nor will the DHCP Client service), due to the "Netbios over tcpip" system component missing from the dependencies tab (and Device Manager). Trying to start either of these services produces "Error 1075: The dependency service does not exist or has been marked for deletion."

The logs are attached. Thank you very much for your time!
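A check of the kind the thread's diagnostics perform, added here as an example that is not part of the thread and not the helper's MyXPNicQuey.bat: it walks the service dependency chain recorded under HKLM\SYSTEM\CurrentControlSet\Services and reports any dependency whose key or driver binary is gone, which is the condition behind "Error 1075". It assumes the standard service names LmHosts (TCP/IP NetBIOS Helper), Dhcp (DHCP Client) and NetBT (NetBIOS over TCP/IP).

```powershell
# Added example, not from the thread: report missing service dependencies.
# Assumes a Windows host and the standard service names LmHosts, Dhcp, NetBT.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceDependencyReport {
    param([string]$ServiceName, [int]$Depth = 0, [hashtable]$Seen = @{})
    $pad = '  ' * $Depth
    $key = Join-Path $svcRoot $ServiceName

    # No key at all: any service that depends on this one fails with error 1075.
    if (-not (Test-Path $key)) {
        "$pad$ServiceName  <-- MISSING: no service key (dependents fail with error 1075)"
        return
    }
    $props = Get-ItemProperty -Path $key
    $note = ''

    # For kernel/file-system drivers (Type 1 or 2) ImagePath is a bare path,
    # often relative to the Windows directory on XP, so it can be checked on disk.
    if ($props.ImagePath -and ($props.Type -band 3)) {
        $p = $props.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $p = [Environment]::ExpandEnvironmentVariables($p)
        if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
        if (-not (Test-Path $p)) { $note = "  <-- driver binary not found: $p" }
    }
    "$pad$ServiceName (Type=$($props.Type) Start=$($props.Start))$note"

    # Recurse through DependOnService; group dependencies (DependOnGroup) are not followed.
    if ($Seen.ContainsKey($ServiceName)) { return }
    $Seen[$ServiceName] = $true
    foreach ($dep in @($props.DependOnService)) {
        if ($dep) { Get-ServiceDependencyReport -ServiceName $dep -Depth ($Depth + 1) -Seen $Seen }
    }
}

# The two services the original post could not start; NetBT shows up under both.
foreach ($svc in 'LmHosts', 'Dhcp') {
    Get-ServiceDependencyReport -ServiceName $svc
    ''
}
```

Run it in an elevated PowerShell session; a line marked MISSING or "driver binary not found" names the dependency a registry fix or a restored driver file has to put back.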



#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:05 PM

Posted 14 October 2011 - 08:06 PM

Hi, and :welcome:

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in


    netsvcs
    set /c
    /md5start
    UXTHEME.DLL
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    ipsec.sys
    Userinit.exe
    Explorer.exe
    Winlogon.exe
    Regedit.exe
    SCLWAPI.dll
    /md5stop
    %SYSTEMDRIVE%\*.*
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of the OTL.txt file and attach the Extras.Txt, if any, in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 14 October 2011 - 08:40 PM

Thanks for the quick response!! :jawdrop:

Here's the log. There was no Extras.txt.

[attachment=109240:OTL.Txt]

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:05 PM

Posted 14 October 2011 - 09:07 PM

Most network services are missing. Seems to be a registry issue. Download the enclosed folder.

Save and extract its contents to the desktop. Once extracted, open the folder and click on the MyXPNicQuey.bat file. It should produce a report in the root directory, C:\, labeled, MyNICDetails.txt. Post its contents in your next reply.

Check if there is a Restore Point prior to the date of the onset.



#5 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 14 October 2011 - 09:39 PM

The earliest restore point is from October 6th. I cannot confirm if that is before the infection or not. Thanks again for this help, I hope we can get this fixed.
[attachment=109243:MyNICDetails.txt]

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:05 PM

Posted 15 October 2011 - 09:35 AM

Right click on the following file and select Edit. Post its contents in a reply.

C:\Documents and Settings\cindy johnson\Desktop\NetBT.reg

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    NetBT.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Edited by JSntgRvr, 15 October 2011 - 09:40 AM.



#7 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 15 October 2011 - 10:57 AM

I had moved a copy of netbt.sys from the DLLCACHE folder to the DRIVERS folder because I noticed it was missing. I also attempted to repair the registry entries myself, but I was unsuccessful. I created the NetBT.reg file myself. I attached both files as you had requested.

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:05 PM

Posted 15 October 2011 - 02:03 PM

The regfix is much more than that. Remove the NetBT.reg from your computer.

Download the enclosed file: [attachment=109291:Netbt.zip]

Save and extract its contents to the desktop. Once extracted open the folder and click on the new Netbt.reg file. Select Yes when prompted to merge the file into the registry.

Restart the computer and test.

Edited by JSntgRvr, 15 October 2011 - 02:11 PM.



#9 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 15 October 2011 - 03:58 PM

Wooohoooo!!! :clapping: Houston, we have ignition! I am writing this from the previously broken machine. :busy:

I know I have some Windows Updates pending and I need to reinstall anti-virus software. Anything else I should do first?

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:05 PM

Posted 15 October 2011 - 05:09 PM

I will recommend AVAST as an antivirus. Install the program and perform a full scan. Let me know the outcome.



#11 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 15 October 2011 - 08:52 PM

Okay, I installed Avast, updated to latest definitions. Ran the Full Scan with log report enabled. Once completed, I kept the default option to "move to chest." Then it asked me to reboot the computer and perform a "boot time scan." The computer is currently working on that. I attached the report. I will let you know when the boot-time scan completes and post the log for that as well. Thanks again for your continued support. I'm so glad we can get online again. I was also glad to know you recommend Avast. I prefer that to AVG myself also.

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:05 PM

Posted 15 October 2011 - 09:05 PM

:thumbup2:



#13 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 16 October 2011 - 10:09 AM

Okay, I finally have the results of the boot-time scan. Sorry for the delay. Is there anything else I should do?

#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:05 PM

Posted 16 October 2011 - 01:08 PM

How is the computer doing?



#15 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 16 October 2011 - 02:08 PM

It seems to be doing great! :) I checked for Windows Updates and there are no high priority updates available. I will continue to test a little more and see how it goes. Do I need to remove any tools or anything? Specifically, do I need to run "combofix /uninstall"?
