
Rootkit - no internet connection


77 replies to this topic

#1 Tehyoda

Posted 23 July 2012 - 12:34 AM

A family member of mine recently bought a new laptop, and wanted me to uninstall Zonealarm on her current one and replace it with a free antivirus, so she could install Zonealarm on her new laptop. (She paid for it.)
She also said it has been acting weird lately and asked me if I could take a look at it.
First thing I noticed was Zonealarm wasn't starting when Windows started, but I assumed something was corrupt and I was uninstalling it anyway.
Next thing I noticed was I had no internet connection. I figured Zonealarm could be corrupt and, seeing as it's a firewall, it could be causing the internet to not work.
So I uninstalled Zonealarm and installed Avast - didn't fix the internet.
Then shortly after installing Avast, Avast popped up saying it detected a rootkit (which I can't remember the name of).
Well, I've dealt with rootkits before; I had Avast remove it and downloaded TDSSKiller to make sure the system was clean.
TDSSKiller did not find anything else on the system. But the internet remained not working.

So anyways after that I ran all of the following scans:
Malwarebytes quick scan, Dr. Web, TDSSKiller, aswMBR
All of which, found absolutely nothing.

I believe the rootkit was removed by Avast, although I'm not 100% sure, but I'm trying to get the internet working again.
It says "Unidentified network, Access: Local only" when I click on the network bars in the taskbar.
And now for the weird part...when I try to ping the router/gateway, I get this:

Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.76: Destination host unreachable.
Reply from 192.168.1.76: Destination host unreachable.
Reply from 192.168.1.76: Destination host unreachable.
Reply from 192.168.1.76: Destination host unreachable.

192.168.1.254 = router/gateway
192.168.1.76 = IP assigned to the laptop.

(Also no other computers in the house are having problems, and I tested the internet on a different network with same results)

So attached is the DDS log and GMER logs.

Hopefully someone can help me.

(Also reformatting is an extremely absolute last resort, for multiple reasons, and I would really like to know what is wrong)

UPDATE:
The internet seems to work when I connected the laptop to the gateway with an ethernet cable.
So I tried removing the wireless drivers in the device manager and letting them be reinstalled over Windows Update. Didn't resolve the issue.
I also sat through an entire boot time scan with Avast, which didn't find anything.
I tried resetting TCP/IP, resetting Winsock, and LSPFix reported no problems.
Nothing has worked so far. I am also attaching the output of the Network\Protocol section in msinfo32.

One last thing to note, is when running the command 'netsh int ip reset', everything is OK except when Resetting Echo Request, which failed with an access denied error message. (and yes I ran in an elevated command prompt)

A few more things that might help:
I can ping 127.0.0.1 just fine.
I can not ping the router as I explained above.
When I try to ping the laptop from another computer, I get all request timed out.
And when I try to ping another computer from the laptop, I get a reply from the IP assigned to the laptop, same as when I try to ping the router.

Probably the last time I'm adding more info...
When running ipconfig /release, I get this:
No operations can be performed on Local Area Connection while it has its media disconnected.
An error occurred while releasing interface Loopback Pseudo-Interface 1 : The system cannot find the file specified.

And when running ipconfig /renew, I get this:
An error occurred while renewing interface Wireless Network Connection : The operation was canceled by the user.

No operations can be performed on Local Area Connection while it has its media disconnected.
An error occurred while releasing interface Loopback Pseudo-Interface 1 : The system cannot find the file specified.

One last thing: I booted into a live Linux CD, and the wireless worked fine. So that rules out hardware failure. Which means it is fixable, and I'm determined to fix it.

Edited by Tehyoda, 23 July 2012 - 12:09 PM.


#2 HelpBot

Posted 28 July 2012 - 12:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462023 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Tehyoda

Posted 28 July 2012 - 09:22 AM

Same problem - nothing has changed.
Attached are the new DDS and GMER logs.
I actually received a BSOD when taking the DDS log the first time, so I can upload the memory dump to dropbox or something.
And I do not have the original Windows CD/DVD.


#4 Elise

Posted 31 July 2012 - 02:12 AM

Hello, and sorry for the delay. My name is Elise and I'll assist you with this issue.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Tehyoda

Posted 31 July 2012 - 08:11 AM

No problem, glad you're here now :)


Farbar Service Scanner Version: 26-07-2012
Ran by Sharon (administrator) on 31-07-2012 at 08:08:31
Running from "E:\"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is offline
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Yahoo IP is offline
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#6 Elise

Posted 31 July 2012 - 08:18 AM

Please download the following file and run it: http://download.bleepingcomputer.com/win-services/vista/SharedAccess.reg

You'll be asked to merge the information in the file, please confirm. When done you'll get a success message.

After that, restart your computer and let me know if the internet works.

regards, Elise


#7 Tehyoda

Posted 31 July 2012 - 08:24 AM

No internet access :(

Also the Internet Connection Sharing service is still disabled.

Edited by Tehyoda, 31 July 2012 - 08:25 AM.


#8 Elise

Posted 31 July 2012 - 08:41 AM

Can you please rerun FSS and post me the new log?

regards, Elise


#9 Tehyoda

Posted 31 July 2012 - 08:44 AM

Farbar Service Scanner Version: 26-07-2012
Ran by Sharon (administrator) on 31-07-2012 at 08:42:27
Running from "E:\"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is offline
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Yahoo IP is unreachable
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
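As an added example (my own code, not from this thread or from the Farbar tool), a small Python parser for the FSS log layout shown in these posts: it reads the Connection Status, Other Services and File Check sections, flags what a helper scans for, and diffs a service's start type between two runs, which is exactly what changed between the two logs above (Disabled before the SharedAccess.reg merge, Auto after). The log excerpts inside it are constructed from the posted logs, trimmed to the sections it reads.

```python
import re
# Constructed excerpts modelled on the FSS logs in this thread (trimmed; not the attachments).
FSS_BEFORE = r"""Connection Status:
==============
Attempt to access Google IP returned error: Google IP is offline

Other Services:
==============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

File Check:
========
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
"""
# Same machine after the SharedAccess.reg merge: only the start type changes.
FSS_AFTER = FSS_BEFORE.replace("set to Disabled", "set to Auto")

SVC_RE = re.compile(r"^(\S+) Service is not running\. Checking service configuration:$")
START_RE = re.compile(r"^The start type of \S+ service is set to (\S+)$")
OK_RE = re.compile(r"^The (ImagePath|ServiceDll) of \S+ service is (.+)\.$")


def parse_fss(text):
    """Split one FSS log into connection lines, per-service config and file-check results."""
    out = {"connection": [], "services": {}, "files": {}}
    section, svc = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("=*"):
            continue                              # blank rows and ===== underlines
        m = SVC_RE.match(line)
        if m:                                     # "<name> Service is not running. ..."
            svc = m.group(1)
            out["services"][svc] = {"running": False}
        elif line.endswith(":"):                  # section header such as "File Check:"
            section, svc = line[:-1], None
        elif section == "Connection Status":
            out["connection"].append(line)
        elif svc:                                 # config lines of the service just named
            m = START_RE.match(line) or OK_RE.match(line)
            if m:
                key = "start_type" if m.re is START_RE else m.group(1)
                out["services"][svc][key] = m.group(m.re.groups)
        elif section == "File Check" and " => " in line:
            path, status = line.split(" => ", 1)
            out["files"][path] = status
    return out


def findings(parsed):
    """What a helper looks for: failed connectivity, stopped services, files whose MD5 is not legit."""
    flags = [f"connectivity: {c}" for c in parsed["connection"]
             if "returned error" in c or "no connection" in c.lower()]
    flags += [f"service {n} not running (start type {i.get('start_type', '?')})"
              for n, i in parsed["services"].items() if not i["running"]]
    flags += [f"file {p}: {s}" for p, s in parsed["files"].items() if s != "MD5 is legit"]
    return flags


def diff_start_types(before, after):
    """Services whose start type changed between two runs, e.g. after merging a .reg fix."""
    b, a = parse_fss(before)["services"], parse_fss(after)["services"]
    return {n: (b[n].get("start_type"), a[n].get("start_type"))
            for n in b if n in a and b[n].get("start_type") != a[n].get("start_type")}
```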

#10 Elise

Posted 31 July 2012 - 09:00 AM

Before investigating this deeper, let's make sure all rootkit remainders are deleted.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


#11 Tehyoda

Posted 31 July 2012 - 09:14 AM

Done.


#12 Elise

Posted 31 July 2012 - 10:56 AM

Please rerun DDS and post me attach.txt. (no need to post dds.txt).

regards, Elise


#13 Tehyoda

Posted 31 July 2012 - 11:10 AM

Done.


#14 Elise

Posted 31 July 2012 - 12:39 PM

Strange, I expected to see some other errors here too. Can you please verify how the internet is now and post me a new FSS log?

regards, Elise


#15 Tehyoda

Posted 31 July 2012 - 12:52 PM

Internet is still not working, same symptoms I described in the original post.

When I try to ping 192.168.1.254 (gateway IP), this is the output:

Reply from 192.168.1.76: Destination host unreachable.
Request timed out.
Reply from 192.168.1.76: Destination host unreachable.
Request timed out.
192.168.1.76 is the IP assigned to the laptop.

Attached the FSS log, although it looks as if nothing has changed.

Attached file: FSS.txt (2.23KB)