It's my first time actually posting here, but your guides and forums have helped me remove a couple nasties in the past, so I'll start off by saying thanks.
Initial Problem / Background
About a week ago, my wife's laptop (running XP Pro SP2) got infected with some malware while she was browsing. I've cleaned malware off systems in the past, but this one was particularly nasty... browser redirect issues, Symantec Antivirus was disabled, Malwarebytes Antimalware was disabled and new installs all failed (scans would stop and the executable would then be set with permissions such that I couldn't use it anymore), and when you rebooted the system it threw an error related to Symantec and a corrupted Winsock. What it boiled down to: she'd been infected by a ZeroAccess rootkit. So, in summary: it's a Windows XP Professional SP2 (32-bit) system that was infected by the ZeroAccess rootkit about 1 week ago.
Efforts to fix it since then
Using this website, MajorGeeks, and some other Google searches I read up what I could and started working to clean it off. I did numerous things, but the major ones I can remember include:
- looking through HJT reports
- running TDSSKiller (which found the ZeroAccess rootkit and removed it...but it just kept coming back after rebooting...this now reports clean)
- Kaspersky Virus Removal Tool (which found some infected files and removed them...now reports a clean scan)
- ran ComboFix (it found netbt.sys to be infected, removed it and replaced it...it reports clean now)
- finally got SuperAntiSpyware to run...it reports clean now
- finally got Malwarebytes Antimalware to run...it reports clean now
- ran WinsockXPFix
- ran "netsh winsock reset" in a command window
- Symantec AV reports clean now
Current Status and Problem
It appears that the ZeroAccess rootkit has been cleaned from the system...but it left the system with a seemingly corrupt network stack or driver file(s). I have no internet access nor even any LAN access.
When I try to connect via hardwire to my router, the laptop gets stuck on "Acquiring network address" and just sits there. Through some debugging, I found that the DHCP service wasn't running and couldn't be started because the "TCP/IP NetBIOS Helper" service won't start. When I go under Device Manager and click "Show hidden devices", the only device in the entire tree that's showing any problems is "NetBios over tcpip" which shows a yellow caution flag. Under properties for that device, when I click "Start" it throws an error: "The system encountered the following error while attempting to start the service: The file name, directory name, or volume label syntax is incorrect." I've looked in C:\Windows\system32\drivers\ at netbt.sys and it appears to have the same timestamp as the rest of the drivers and the filesize seems to match the "correct filesize" indicated by Google searches.
Also, this may be unrelated or it may not be: Symantec AV occasionally pops up a yellow box in the bottom right of the screen saying "Symantec Auto-protect is disabled". I know the ZeroAccess rootkit messed with Symantec...but I'm afraid the most recent virus definitions got corrupted as well, because the update was attempted pretty much at the same time that the infection occurred. I've left Symantec on the system for now, but I know it may need to be removed and reinstalled (or a new and different AV installed).
So, my request:
- Does it seem like the ZeroAccess rootkit has indeed been cleaned off?
- Any feedback on how I can fix the NetBIOS issues and thus restore network access?
- Any thoughts on the Symantec AV issue?
Many thanks, in advance, for your assistance. I've spent hours trying to fix this but this one has me licked it seems.
DDS and GMER logs are attached. I have logs from ComboFix, TDSSkiller, Malwarebytes Antimalware, SuperAntiSpyware, RootRepeal, MGtools, and others if requested.
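A diagnostic script for the "NetBios over tcpip" start failure described in the post, added here as an example and not part of the original post or any of the tools it names. It assumes cmd.exe on XP with the stock `reg`, `sc` and `netsh` utilities, and that the service names are the XP defaults (`NetBT` for the driver, `LmHosts` for "TCP/IP NetBIOS Helper", `Dhcp` for the DHCP Client); the "file name, directory name, or volume label syntax is incorrect" message on service start is, by assumption here, worth checking against the service's registered ImagePath rather than only the file on disk, since the two can disagree.

```batch
@echo off
REM Added diagnostic, not from the original post. Run from an elevated cmd window.
REM Values marked "expected" are the XP defaults assumed here; compare, don't trust.

echo === 1. What image path does the NetBT driver service actually point at? ===
REM expected: ImagePath = System32\DRIVERS\netbt.sys, Start = 1 (System), Type = 1 (kernel driver)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT" /v ImagePath
reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT" /v Start
reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT" /v Type

echo === 2. Does the file on disk match what the post checked? ===
REM The post looked at this file by timestamp and size; this just records both.
dir "%SystemRoot%\system32\drivers\netbt.sys"

echo === 3. What does the Service Control Manager report for the same service? ===
REM sc qc shows BINARY_PATH_NAME as SCM sees it; it must agree with step 1.
sc qc NetBT
sc query NetBT

echo === 4. Dependency chain behind "Acquiring network address" ===
REM Dhcp depends on LmHosts (TCP/IP NetBIOS Helper), which depends on the NetBT driver.
REM Any broken link here keeps DHCP from starting.
sc qc LmHosts
sc query LmHosts
sc qc Dhcp
sc query Dhcp

echo === 5. Winsock catalog after the reset the post already performed ===
REM Lists the layered and base providers; unexpected third-party entries stand out here.
netsh winsock show catalog

echo === 6. Driver signature check for the file itself (optional) ===
REM sigverif is interactive on XP; it flags system files that are no longer Microsoft-signed.
echo Run sigverif.exe and look for netbt.sys in its results.
```

Redirect the whole run to a file (`script.cmd > netbt-diag.txt 2>&1`) so the output can be posted alongside the DDS and GMER logs; the useful comparison is step 1 against step 3 (registry ImagePath versus what the SCM reports) and both against the real path in step 2.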