
Cannot connect to internet after restarting on suggestion of Norton PowerErase.


15 replies to this topic

#1 Emankcin

Emankcin

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 25 April 2013 - 01:22 PM

All was well, and normal, when all of a sudden, I start getting these warnings that Norton stopped an attack. I look at it, and see that something called a zeroaccess trojan was blocked; not removed, not quarantined, blocked. All of a sudden, I find that it is taking forever for me to get to webpages, and then redirected to other pages. Meanwhile, it keeps popping up that zeroaccess keeps getting blocked. I don't remember all of what I did, but at some point, Norton Powereraser comes up and says it can revert the computer back and remove the rootkits associated with the zeroaccess, so I click ok. After an agonizing hour or more (how long it took to restart, after a nearly infinite loop), the computer restarts, but now I cannot connect to the internet. Upon much research, I have learned that the zeroaccess is the culprit, that it likely came from some Adobe Flash updater (very likely), and that it is the reason I cannot connect to the internet. I cannot pull back Norton, for some reason. I tried to launch it, and it goes into Norton Autofix, with the following errors: 8504, 104. Cannot resolve these, because it cannot connect to the internet. I also read something about an ipstack or something? Anyway, I have tried several things in the internet settings, to no avail. Any ideas? Likely the zeroaccess is gone, as I have read that when they are removed, they do something to prevent you from connecting. Anyway, thanks for any help that anyone might have.

 

I had talked to Norton tech support. The first guy tried to sell me something. The second walked me through some steps, all of which failed. I could not get into safe mode. He then suggested uninstalling Norton, in case that was the culprit. I could not uninstall Norton. I am running out of options here.




 


#2 Emankcin

Emankcin
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 26 April 2013 - 09:36 PM

No help on this, huh?



#3 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:02 PM

Posted 27 April 2013 - 01:55 PM

Good evening. :)

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:

 

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

 

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

 

 


So long, and thanks for all the fish.

 

 


#4 Emankcin

Emankcin
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 28 April 2013 - 01:05 PM

Farbar Service Scanner Version: 14-04-2013
Ran by Sam (administrator) on 28-04-2013 at 14:04:07
Running from "C:\Users\Sam\Desktop\test"
Windows 8  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Attempt to access Yahoo.com returned error: Yahoo.com is offline


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-03-18 14:47] - [2013-02-02 06:28] - 2226408 ____A (Microsoft Corporation) F4F78B7F39BD56BD0BFE4C4399398F6F

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2013-03-24 13:39] - [2013-01-28 19:08] - 1555920 ____A (Microsoft Corporation) 905601FFF40D8DA9FA82CBE77D1F5EB1

C:\Program Files\Windows Defender\MsMpEng.exe
[2013-03-24 13:39] - [2013-01-28 21:57] - 0014920 ____A (Microsoft Corporation) 473B9548568BA927ACE0B77EC208A561

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****



#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:02 PM

Posted 28 April 2013 - 03:30 PM

Please run Farbar Service Scanner again and type the following in the edit box after "Search:" - tcpip.sys

Click the Search Files button and post the log (FSS.txt) that it produces in your next reply.

 


So long, and thanks for all the fish.

 

 


#6 Emankcin

Emankcin
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 28 April 2013 - 04:54 PM

Farbar Service Scanner Version: 14-04-2013
Ran by Sam (administrator) on 28-04-2013 at 17:49:02
Windows 8  (X64)

************************************************
======== Search: "tcpip.sys" =========

C:\windows\System32\Drivers\tcpip.sys
[2013-03-18 14:47] - [2013-02-02 06:28] - 2226408 ____A (Microsoft Corporation) F4F78B7F39BD56BD0BFE4C4399398F6F

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.20652_none_0c8fc97e09318a84\tcpip.sys
[2013-04-24 22:33] - [2013-03-02 06:20] - 2225896 ____A (Microsoft Corporation) DD6E5A51D93596DF7EA5F956FDE3306D

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.20623_none_0cb1398c09185008\tcpip.sys
[2013-03-18 14:47] - [2013-02-02 05:03] - 2226408 ____A (Microsoft Corporation) 9B09D075FEC02026A6AD6D78B2CCD67F

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.20621_none_0caf38f8091a1d5a\tcpip.sys
[2013-02-19 23:32] - [2013-01-30 22:23] - 2226408 ____A (Microsoft Corporation) 9E8381CBACDA1DF81B11B6B93ECFF791

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.20521_none_0caf3712091a2033\tcpip.sys
[2013-02-22 01:13] - [2012-09-20 02:41] - 2225896 ____A (Microsoft Corporation) 165DDAA5A399C51FE9D6C056D3B9F4EB

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16548_none_0c16fe5af00666d3\tcpip.sys
[2013-04-24 22:33] - [2013-03-02 05:59] - 2231528 ____A (Microsoft Corporation) B6D52E2C38B49A156E58FF5B9C6CA8BE

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16518_none_0c376e1eefee1300\tcpip.sys
[2013-03-18 14:47] - [2013-02-02 06:28] - 2226408 ____A (Microsoft Corporation) F4F78B7F39BD56BD0BFE4C4399398F6F

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16516_none_0c356d8aefefe052\tcpip.sys
[2013-02-19 23:32] - [2013-01-30 23:29] - 2226408 ____A (Microsoft Corporation) D192288CE5FB395F0BBAFDD1A8B5285D

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16420_none_0c2499fceffd6712\tcpip.sys
[2013-02-22 01:13] - [2012-09-20 04:04] - 2225896 ____A (Microsoft Corporation) 1D644E2D0FC395A055AB1C23C3B43631

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16384_none_0be7b9b6f02a76ed\tcpip.sys
[2012-07-26 01:26] - [2012-07-26 01:26] - 2224880 ____A (Microsoft Corporation) AF6A8D27FCABFF85DDC1D4599582B4FE

====== End Of Search ======



#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:02 PM

Posted 29 April 2013 - 03:46 PM

Good evening. :)

Access the Apps page on your PC, scroll right and locate Command Prompt.
Right click it and select Run as administrator at the bottom of the screen.
Confirm this action when prompted and a Command Window should appear.
Enter the following into it: netsh int ip reset c:\resetlog.txt

Restart your computer and see if this has resolved the issue.

 

 


So long, and thanks for all the fish.

 

 


#8 Emankcin

Emankcin
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 30 April 2013 - 01:57 AM

No go... I ran another tcpip scan with the farbar. Unfortunately, it appears that my daughter stole my datastick and hid it somewhere. As soon as I find it, I will post the new log.



#9 Emankcin

Emankcin
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 30 April 2013 - 09:04 AM

Farbar Service Scanner Version: 14-04-2013
Ran by Sam (administrator) on 30-04-2013 at 02:50:59
Windows 8  (X64)

************************************************
======== Search: "tcpip.sys" =========

C:\windows\System32\Drivers\tcpip.sys
[2013-04-24 22:33] - [2013-03-02 05:59] - 2231528 ____A (Microsoft Corporation) B6D52E2C38B49A156E58FF5B9C6CA8BE

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.20652_none_0c8fc97e09318a84\tcpip.sys
[2013-04-24 22:33] - [2013-03-02 06:20] - 2225896 ____A (Microsoft Corporation) DD6E5A51D93596DF7EA5F956FDE3306D

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.20623_none_0cb1398c09185008\tcpip.sys
[2013-03-18 14:47] - [2013-02-02 05:03] - 2226408 ____A (Microsoft Corporation) 9B09D075FEC02026A6AD6D78B2CCD67F

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.20621_none_0caf38f8091a1d5a\tcpip.sys
[2013-02-19 23:32] - [2013-01-30 22:23] - 2226408 ____A (Microsoft Corporation) 9E8381CBACDA1DF81B11B6B93ECFF791

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.20521_none_0caf3712091a2033\tcpip.sys
[2013-02-22 01:13] - [2012-09-20 02:41] - 2225896 ____A (Microsoft Corporation) 165DDAA5A399C51FE9D6C056D3B9F4EB

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16548_none_0c16fe5af00666d3\tcpip.sys
[2013-04-24 22:33] - [2013-03-02 05:59] - 2231528 ____A (Microsoft Corporation) B6D52E2C38B49A156E58FF5B9C6CA8BE

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16518_none_0c376e1eefee1300\tcpip.sys
[2013-03-18 14:47] - [2013-02-02 06:28] - 2226408 ____A (Microsoft Corporation) F4F78B7F39BD56BD0BFE4C4399398F6F

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16516_none_0c356d8aefefe052\tcpip.sys
[2013-02-19 23:32] - [2013-01-30 23:29] - 2226408 ____A (Microsoft Corporation) D192288CE5FB395F0BBAFDD1A8B5285D

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16420_none_0c2499fceffd6712\tcpip.sys
[2013-02-22 01:13] - [2012-09-20 04:04] - 2225896 ____A (Microsoft Corporation) 1D644E2D0FC395A055AB1C23C3B43631

C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16384_none_0be7b9b6f02a76ed\tcpip.sys
[2012-07-26 01:26] - [2012-07-26 01:26] - 2224880 ____A (Microsoft Corporation) AF6A8D27FCABFF85DDC1D4599582B4FE

====== End Of Search ======
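
The two search logs above differ only in the live `System32\Drivers\tcpip.sys` entry. The following is an added example, not part of the thread or of Farbar Service Scanner: a small parser for this search-log format that reports which WinSxS component-store versions carry the same MD5 as the live driver. The sample is an excerpt of the log in post #9, the function names are hypothetical, and a match only shows the live file equals a store copy by MD5, not that either copy is trustworthy.

```python
import re

# Excerpt (4 of the 11 entries) of the search log in post #9 above.
SAMPLE_LOG = r"""
C:\windows\System32\Drivers\tcpip.sys
[2013-04-24 22:33] - [2013-03-02 05:59] - 2231528 ____A (Microsoft Corporation) B6D52E2C38B49A156E58FF5B9C6CA8BE
C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.20652_none_0c8fc97e09318a84\tcpip.sys
[2013-04-24 22:33] - [2013-03-02 06:20] - 2225896 ____A (Microsoft Corporation) DD6E5A51D93596DF7EA5F956FDE3306D
C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16548_none_0c16fe5af00666d3\tcpip.sys
[2013-04-24 22:33] - [2013-03-02 05:59] - 2231528 ____A (Microsoft Corporation) B6D52E2C38B49A156E58FF5B9C6CA8BE
C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.2.9200.16518_none_0c376e1eefee1300\tcpip.sys
[2013-03-18 14:47] - [2013-02-02 06:28] - 2226408 ____A (Microsoft Corporation) F4F78B7F39BD56BD0BFE4C4399398F6F
"""

# A path line, then "[created] - [modified] - size attrs (company) MD5".
ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\r\n]+)\r?\n"
    r"\[[^\]]+\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) \S+ "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})\s*$",
    re.MULTILINE)
VERSION = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_")  # WinSxS folder version

def parse_entries(log):
    """Return one dict per file entry found in an FSS search log."""
    entries = []
    for m in ENTRY.finditer(log):
        e = m.groupdict()
        e["size"], e["md5"] = int(e["size"]), e["md5"].upper()
        v = VERSION.search(e["path"])
        e["version"] = v.group(1) if v else None  # None: not a store copy
        entries.append(e)
    return entries

def match_live_driver(log):
    """Compare the live (non-WinSxS) file's MD5 with every store copy."""
    entries = parse_entries(log)
    live = [e for e in entries if e["version"] is None]
    if len(live) != 1:
        raise ValueError("expected one live copy, found %d" % len(live))
    same = sorted(e["version"] for e in entries
                  if e["version"] and e["md5"] == live[0]["md5"])
    return {"path": live[0]["path"], "md5": live[0]["md5"],
            "matching_versions": same, "orphan": not same}

if __name__ == "__main__":
    print(match_live_driver(SAMPLE_LOG))
```

An `orphan` result (no store copy with the same MD5) is the case worth a closer look; it is not by itself proof of tampering.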



#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:02 PM

Posted 30 April 2013 - 02:37 PM

Good evening. :)

 

He then suggested uninstalling Norton, in case that was the culprit. I could not uninstall Norton.

 

Can you tell me what happened when you tried?


So long, and thanks for all the fish.

 

 


#11 Emankcin

Emankcin
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 30 April 2013 - 05:02 PM

Good evening. :)

 

He then suggested uninstalling Norton, in case that was the culprit. I could not uninstall Norton.

 

Can you tell me what happened when you tried?

I wish something spectacular.... In reality, nothing at all. When I clicked uninstall, then clicked on the NIS program, and clicked 'uninstall/change', absolutely nothing happened. I clicked it again... and again. The program won't load because the internet connection is blocked somehow. But I can't unload it either.



#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:02 PM

Posted 01 May 2013 - 02:09 PM

Good evening. :)
Follow the instructions here and see if you can get it to uninstall that way.

 


So long, and thanks for all the fish.

 

 


#13 Emankcin

Emankcin
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 02 May 2013 - 11:27 AM

Good news! (insert Farnsworth voice). My laptop is connecting to the internet again. The removal of Norton worked. Unfortunately, I am technically without virus protection for the moment. Do I reinstall? And once I reinstall, there is still that matter of the Zeroaccess... Maybe Powereraser got rid of it... but how can I know for sure? Anyway, thank you for the help so far, I am back online!



#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:02 PM

Posted 02 May 2013 - 02:39 PM

Good evening. :)

Good news is always welcome. You have a number of choices with regard to PC security: you can go with Norton again or you can opt for a free alternative, of which there are several:

 

AVG Free Edition: Available here
avast! 4 Home Edition: Available here
AntiVir Personal Edition Classic: Available here
Microsoft Security Essentials: Available here

 

The choice is yours, but if it is any help I use the last one on both my Windows 7 and 8 systems and have had no problems with it. It really is personal choice, so take your pick and install one right away.

 

As to the infection, you'll need to pay a visit to this part of the forum and post accordingly. Make sure that you link to this thread and then whoever helps will be aware of what has gone on before. If they decide that you need "specialist" help that they cannot provide then they'll point you to another part of the forum where you should get that help.

It sounds like a lot of work, but it keeps things moving and helps to prevent a backlog of issues that are serious due to large numbers of those that turn out to be less so.


So long, and thanks for all the fish.

 

 


#15 Emankcin

Emankcin
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 02 May 2013 - 11:13 PM

So basically, to quote Cave Johnson: "I'll be honest, we're throwing science at the walls here to see what sticks. No idea what it'll do." LOL!

 

And if you get my references I keep posting and they make you smile, I am sure we'll be friends for a while! Anyway, I thank you much for your help.





