thinktechsolutions
asked on
Rootkit.boot.sst.b
Good morning,
I have a client that somehow got this virus on their computer. I will detail the steps I have taken to get to the point I'm at right now. With the virus on the machine, before I did anything to the system, I was not able to access the internet, and when I tried to boot the system in normal mode, before the icons came on the screen the system would reboot instantly. I can get the system into safe mode but have no internet access.
The steps I have done: Ran ComboFix in safe mode, but it locked up while deleting files. Tried to run it again and it keeps coming up with the message Rootkit.ZeroAccess; it gets to about stage 48 and that's it, no further. Couldn't run Malwarebytes or SuperAntiSpyware. Ran TDSSKiller and it detected Rootkit.boot.sst.b. Upon reading several webpages about the virus I decided to try the gpart method to get rid of the partition; I was able to remove a 7 MB partition off the hard drive and now I can get the system into normal mode, but still have no internet access. I have tried WinSock fix and I have tried a DNS flush. When I do an ipconfig /release it will release the IP address, but when I try to renew the IP address I get the message "cannot connect to the RPC server". Ran Malwarebytes in normal mode with an updated rule set and it came back with no threats found.
I'm running ComboFix now in safe mode with networking support. I have completely removed Webroot SecureAnywhere, which failed at detecting and removing this virus. If ComboFix completes this time I'll be able to upload a log file. Every time I run ComboFix it keeps saying that a Rootkit.ZeroAccess has been found and needs to reboot my machine; currently 20 minutes in and it is at step 19. Any suggestions on what I can do to get rid of this virus and get the internet working again? Also I would prefer a method that does not involve formatting and reinstalling, since the client's computer I'm working on has software on it that they currently cannot find the CDs for, and it would cost a lot of money to update to the latest version, and they won't send them a CD or send them the exe file because the software is EOL.
Thank you for any help in getting this resolved.
I'm not a ComboFix reader so I won't attempt that. I have dealt with more than a few rootkits and recommend that you read my article on rootkits and rootkit removal, along with reviews of more than several free anti-rootkit tools.
https://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html
Also, have you tried using RogueKiller before doing a scan with malwarebytes (no reboot in between)? Check out this article by younghv on that:
https://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html
ASKER
Ok, I'm pretty sure this virus is gone, but I still don't have access to the internet. Need some serious help getting the internet working; any suggestions? Thank you.
ASKER
Here is what I'm getting when I run the network diagnostics:
Last diagnostic run time: 08/29/12 16:35:18 WinSock Diagnostic
WinSock status
info Error attmpting to validate the Winsock base providers: 2
error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
info Redirecting user to support call
Network Adapter Diagnostic
Network location detection
info Network location could not be detected
action User input required: Select network location
info Using home Internet connection
Network adapter identification
info Network connection: Name=Local Area Connection, Device=Broadcom NetXtreme Gigabit Ethernet for hp, MediaType=LAN, SubMediaType=LAN
info Ethernet connection selected
Network adapter status
info Network connection status: Connected
HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity
warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.
ASKER CERTIFIED SOLUTION
1. I would ping the loopback address to confirm if TCP/IP is corrupted or not.
2. Run SFC /Scannow. - SFC will indicate if there is an issue.
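A triage script for the network side of this question, as an added example that is not part of the thread: it runs the loopback ping from step 1, checks the Winsock catalog for the base providers the diagnostic above reported missing, checks the services behind ipconfig /renew and name resolution, and only with -Repair issues the Winsock/IP reset and sfc /scannow from step 2. It assumes a Windows XP/Vista/7 host on which netsh lists the Microsoft providers as 'MSAFD Tcpip [TCP/IP]' and 'MSAFD Tcpip [UDP/IP]'.

```powershell
# Added example (not from this thread): read-only triage of the symptoms reported above,
# with the repair steps gated behind -Repair. Run from an elevated PowerShell prompt.
param([switch]$Repair)

# 1. Loopback ping: confirms whether the TCP/IP stack itself still answers.
$loopbackOk = Test-Connection -ComputerName 127.0.0.1 -Count 2 -Quiet
Write-Output "Loopback reachable: $loopbackOk"

# 2. Winsock catalog: the diagnostic reported missing base service providers.
#    Assumption: the Microsoft TCP/IP providers appear under these display names
#    in 'netsh winsock show catalog' output (as on Windows XP/Vista/7).
$catalog  = (netsh winsock show catalog) -join "`n"
$required = 'MSAFD Tcpip [TCP/IP]', 'MSAFD Tcpip [UDP/IP]'
$missing  = $required | Where-Object { $catalog -notmatch [regex]::Escape($_) }
foreach ($m in $missing) { Write-Output "Winsock base provider missing: $m" }

# 3. Services behind 'ipconfig /renew': the DHCP Client depends on the RPC service, so a
#    stopped DHCP Client or RPC service yields the "cannot connect to the RPC server" message.
foreach ($svc in 'RpcSs', 'Dhcp', 'Dnscache') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $state = if ($s) { $s.Status } else { 'NOT FOUND' }
    Write-Output ("Service {0,-8} : {1}" -f $svc, $state)
}

# 4. Name resolution (error 12007): show the configured DNS servers and try one lookup.
Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled } |
    ForEach-Object { Write-Output ("DNS servers on {0}: {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', ')) }
try   { [System.Net.Dns]::GetHostAddresses('www.microsoft.com') | Out-Null; Write-Output 'DNS lookup: OK' }
catch { Write-Output "DNS lookup failed: $($_.Exception.Message)" }

# 5. Repair, only when asked: rebuild the Winsock catalog and IP stack, clear the DNS
#    cache, then let SFC check system files. A reboot is required afterwards.
if ($Repair) {
    netsh winsock reset
    netsh int ip reset reset.log
    ipconfig /flushdns
    sfc /scannow
    Write-Output 'Repairs issued; reboot the machine and rerun this script without -Repair.'
}
```

Run it once without -Repair to record the findings, and again after the reboot to confirm the catalog entries and services are back.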
ASKER
ComboFix.txt
TDSSKiller.2.6.20.0-28.08.2012-2.txt