
Cannot access internet after rootkit ZeroAccess removal


11 replies to this topic

#1 Giantcrab


Posted 21 December 2011 - 06:39 PM

Hello,

I followed the instructions here to remove the XP 2012 antivirus malware:

http://www.bleepingcomputer.com/virus-removal/remove-xp-antivirus-2012

However, I was having problems with MalwareBytes continually blocking various IP addresses from outgoing, so I decided to read around.

On some blog, people said that running Combofix would solve the problem, so I proceeded to do that.

It stated that there was Zero Access rootkit, and it proceeded to remove it.

But now, I cannot access the internet. Through Network connections, it says that I have a LAN connection. However, when I try to repair it, it states:

"Windows could not finish repairing the problem because the following action cannot be completed: Failed to query TCP/IP settings of the connection. Cannot proceed."

I've attached DSS and GMER logs, as well as the combofix log.

Glancing at a similar topic that was solved earlier today, I've included a log from Farbar Service Scanner.


Farbar Service Scanner
Ran by Joe Phan (administrator) on 21-12-2011 at 17:20:06
Microsoft Windows XP Home Edition Service Pack 3 (X86)
********************************************************

Internet Services:
=================
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
=================
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors


File Check:
==========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-10 10:51] - [2008-04-13 13:19] - 0075264 ____A () 1DA6C0C952319F33A54C16C024FE905A

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

**** End of log ****

Attached Files

  • Attached File  ark.txt   13.45KB   2 downloads
  • Attached File  attach.txt   21.11KB   4 downloads
  • Attached File  dds.txt   17.52KB   7 downloads
  • Attached File  log.txt   19.46KB   1 downloads

Edited by farbar, 22 December 2011 - 01:40 PM.




#2 Farbar


Posted 22 December 2011 - 09:06 AM

Hello Giantcrab,

Welcome to this forum. I will be assisting you.

I see you have run Combofix once. Please make sure you don't run any tool on your own until we are done.

While running the tool in the following scan you may get a notification from MSE. If MSE wants to remove anything, please don't let it at this point. There is a system file infected and we need to replace it properly.

Please delete your copy of Farbar Service Scanner, download the latest Farbar Service Scanner and run it on the infected computer.

Type the following in the edit box after "Search:".

ipsec.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.

#3 Giantcrab


Posted 22 December 2011 - 12:18 PM

Thanks for the help Farbar.

Here's the FSS log:

Farbar Service Scanner
Ran by Joe Phan (administrator) on 22-12-2011 at 11:13:15
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: "ipsec.sys" ===================

C:\WINDOWS\system32\drivers\ipsec.sys
[2004-08-10 10:51] - [2008-04-13 13:19] - 0075264 ____A () 1DA6C0C952319F33A54C16C024FE905A

C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008-09-17 09:31] - [2008-04-13 13:19] - 0075264 ____N (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys
[2009-11-21 14:08] - [2004-08-04 03:00] - 0074752 ____C (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\i386\ipsec.sys
[2007-03-18 20:41] - [2004-08-04 03:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

====== End Of Search ======

#4 Farbar


Posted 22 December 2011 - 01:15 PM

  • Please download the attached fix.bat (190 bytes) and transfer it to the infected computer.
  • Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode (not Safe Mode with Networking) menu item.
    • Press the Enter key.
    • Log in to your usual account.
  • Double-Click fix.bat to run it.
    A log file opens. If it reads "1 file(s) copied" it means it is good.
  • Restart to normal mode and check your internet connection. In case you don't have internet, run Farbar Service Scanner. Click Scan and post the log.

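The FSS search result in post #3 and the Safe Mode copy in post #4 together show the pattern the helper was looking for: the live driver under system32\drivers has no publisher name and a different MD5 from a copy in ServicePackFiles\i386 that has the same size and modified timestamp, which means the same build was replaced in place. The following Python script is an added example for this thread, not FSS code and not the posted fix.bat (whose contents are not shown here). It parses the search block exactly as posted, applies that comparison rule, and prints a cmd.exe copy command for the clean source; the rule and the command are this example's own assumptions, and MD5 here is only a change detector, not proof of a clean file.

```python
r"""Triage a Farbar Service Scanner (FSS) 'Search' block for a replaced driver.

Added example for this thread (not FSS code, not the posted fix.bat).
Rule (an assumption of this example): the live copy under
system32\drivers is suspect when another copy has the same size and
modified timestamp, a non-empty publisher string, and a different MD5.
"""
import re

# FSS search output as posted in the thread; the records are copied
# from the log, not invented.
FSS_SEARCH = r"""
================== Search: "ipsec.sys" ===================

C:\WINDOWS\system32\drivers\ipsec.sys
[2004-08-10 10:51] - [2008-04-13 13:19] - 0075264 ____A () 1DA6C0C952319F33A54C16C024FE905A

C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008-09-17 09:31] - [2008-04-13 13:19] - 0075264 ____N (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys
[2009-11-21 14:08] - [2004-08-04 03:00] - 0074752 ____C (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\i386\ipsec.sys
[2007-03-18 20:41] - [2004-08-04 03:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

====== End Of Search ======
"""

# One FSS record line: "[created] - [modified] - size attrs (company) MD5"
RECORD = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH = re.compile(r"^[A-Za-z]:\\")


def parse_fss_search(text):
    """Return one dict per file copy found in an FSS search block."""
    lines = [l.strip() for l in text.splitlines()]
    entries = []
    for i in range(len(lines) - 1):
        if not PATH.match(lines[i]):
            continue
        m = RECORD.match(lines[i + 1])
        if not m:
            continue
        d = m.groupdict()
        d["path"] = lines[i]
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].upper()
        entries.append(d)
    return entries


def is_live_driver(path):
    """True for the copy Windows actually loads (system32\\drivers)."""
    return path.lower().startswith(r"c:\windows\system32\drivers\\".rstrip("\\") + "\\")


def assess(entries):
    """Compare the live driver against same-build copies elsewhere on disk."""
    live = [e for e in entries if is_live_driver(e["path"])]
    if len(live) != 1:
        return {"verdict": "undetermined", "live": None, "candidates": []}
    live = live[0]
    candidates = [
        e for e in entries
        if e is not live
        and e["size"] == live["size"]           # same build size
        and e["modified"] == live["modified"]   # same build timestamp
        and e["company"]                        # publisher string present
        and e["md5"] != live["md5"]             # but content differs
    ]
    if not candidates:
        return {"verdict": "no-mismatch", "live": live, "candidates": []}
    # Prefer the ServicePackFiles copy as the restore source.
    candidates.sort(key=lambda e: "servicepackfiles" not in e["path"].lower())
    return {"verdict": "suspect", "live": live, "candidates": candidates}


def restore_command(report):
    """cmd.exe copy of the first clean candidate over the live file.

    Assumption: a plain 'copy /y' run from Safe Mode, which is what a
    "1 file(s) copied" result would come from; not the actual fix.bat.
    """
    if report["verdict"] != "suspect":
        return None
    return 'copy /y "%s" "%s"' % (report["candidates"][0]["path"], report["live"]["path"])


if __name__ == "__main__":
    rep = assess(parse_fss_search(FSS_SEARCH))
    print(rep["verdict"])
    print(restore_command(rep))
```

Run against the posted log it reports `suspect` and prints a copy of the ServicePackFiles\i386 copy over the live driver. The two older 74752-byte copies are ignored because they are the pre-SP3 build, so copying one of them would downgrade the driver rather than repair it.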

#5 Giantcrab


Posted 22 December 2011 - 01:37 PM

Oh wow, thanks! Seems like that fixed the problem.

#6 Farbar


Posted 22 December 2011 - 01:42 PM

Great. :thumbup2:

Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#7 Giantcrab


Posted 22 December 2011 - 01:55 PM

Didn't seem to find anything. Anything else I should run to make sure everything has been removed?

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122204

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/22/2011 12:52:56 PM
mbam-log-2011-12-22 (12-52-56).txt

Scan type: Quick scan
Objects scanned: 189151
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Farbar


Posted 22 December 2011 - 02:16 PM

That is good.

  • Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
    • Look for "Java Platform, Standard Edition".
    • Click the "Download JRE" button to the right.
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • From the list, select your OS and Platform (32-bit or 64-bit).
    • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
    • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    • When the Java Setup - Welcome window opens, click the Install > button.
    • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
    • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
    To disable the JQS service if you don't want to use it:
    • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
    • Click Ok and reboot your computer.
  • To Clear the Java Runtime Environment (JRE) cache, do this:
    • Click Start > Settings > Control Panel.
    • Double-click the Java icon.
      -The Java Control Panel appears.
    • Click "Settings" under Temporary Internet Files.
      -The Temporary Files Settings dialog box appears.
    • Click "Delete Files".
      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
    • Make sure all the options are checked.
    • Click "OK" on Delete Temporary Files window.
      -Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click "OK" on Temporary Files Settings window.
    • Close the Java Control Panel.
    You can also view these instructions along with screenshots here.
Also let me know how the computer is running.

#9 Giantcrab


Posted 22 December 2011 - 08:30 PM

Thanks again, everything seems to be working.

#10 Giantcrab


Posted 22 December 2011 - 11:51 PM

Hello again,

I've noticed that Malwarebytes is occasionally popping up with a message blocking access to different ip addresses. I assume there may be remnants of the virus remaining? How should I proceed?

#11 Farbar


Posted 23 December 2011 - 02:09 AM

You are very welcome.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name suggests. In today's world cybercrime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

"Malwarebytes is occasionally popping up with a message blocking access to different ip addresses."

That is because when p2p programs, like uTorrent in this case, are used, your computer wants to connect to unknown IP addresses. That is where Malwarebytes blocks them. If you uninstall or disable p2p programs and prevent them from running, you should get no Malwarebytes pop-ups.

  • It is important to uninstall ComboFix.

    Disable your antivirus temporarily, rename ComboFix to Uninstall and double-click to run it.

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.
  • You may delete any tool or log we used from your computer.
Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  • I recommend installing this small application for safe surfing: Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.
Happy Surfing Giantcrab.

#12 Farbar


Posted 26 December 2011 - 08:24 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.
