Solved

Rootkit.boot.sst.b

Posted on 2012-08-29
Last Modified: 2013-11-22
Good morning,

I have a client that somehow got this virus on their computer. I will detail the steps I have taken to get to the point I'm at right now. With the virus on the machine, before I did anything to the system, I was not able to access the internet, and when I tried to boot the system in normal mode, before the icons came on the screen the system would reboot instantly. I can get the system into safe mode, but have no internet access.

The steps I have done: ran ComboFix in safe mode, but it locked up while deleting files. Tried to run it again, and it keeps coming up with the message Rootkit.ZeroAccess; it gets to about stage 48 and that's it, no further. Couldn't run Malwarebytes or SuperAntiSpyware. Ran TDSSKiller and it detected Rootkit.boot.sst.b. Upon reading several webpages about the virus, I decided to try the gpart method to get rid of the partition; I was able to remove a 7 MB partition from the hard drive, and now I can get the system into normal mode, but still have no internet access. I have tried WinSock fix, I have tried a DNS flush. When I do an ipconfig /release it will release the IP address; when I try to renew the IP address I get the message "cannot connect to the RPC server". Ran Malwarebytes in normal mode with an updated rule set and it came back with no threats found.

I'm running ComboFix now in safe mode with networking support. I have completely removed Webroot SecureAnywhere, which failed at detecting and removing this virus. If ComboFix completes this time I'll be able to upload a log file. Every time I run ComboFix it keeps saying that a Rootkit.ZeroAccess has been found and needs to reboot my machine; currently 20 minutes in and it is at step 19. Any suggestions on what I can do to get rid of this virus and get the internet working again? Also, I would prefer a method that does not involve formatting and reinstalling, since the client's computer I'm working on has software on it that they currently cannot find the CDs for; it would cost a lot of money to update to the latest version, and the vendor won't send them a CD or the exe file because the software is EOL.

Thank you for any help in getting this resolved.
Question by:thinktechsolutions
6 Comments
Author Comment

by:thinktechsolutions
ID: 38345681
OK, ComboFix finished this time. The log files for ComboFix, RKill and TDSSKiller are below.
ComboFix.txt
TDSSKiller.2.6.20.0-28.08.2012-2.txt

Expert Comment

by:Thomas Zucker-Scharff
ID: 38345716
I'm not a ComboFix reader, so I won't attempt that. I have dealt with more than a few rootkits and recommend that you read my article on rootkits and rootkit removal, along with reviews of several free anti-rootkit tools.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

Also, have you tried using RogueKiller before doing a scan with Malwarebytes (no reboot in between)? Check out this article by younghv on that:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html

Author Comment

by:thinktechsolutions
ID: 38347239
OK, I'm pretty sure this virus is gone, but I still don't have access to the internet. I need some serious help getting the internet working. Any suggestions? Thank you.

Author Comment

by:thinktechsolutions
ID: 38347654
Here is what I'm getting when I run the network diagnostics:


Last diagnostic run time: 08/29/12 16:35:18

WinSock Diagnostic
WinSock status

info Error attmpting to validate the Winsock base providers: 2
error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
info Redirecting user to support call
 


Network Adapter Diagnostic
Network location detection

info Network location could not be detected
action User input required: Select network location
info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection, Device=Broadcom NetXtreme Gigabit Ethernet for hp, MediaType=LAN, SubMediaType=LAN
info Ethernet connection selected
Network adapter status

info Network connection status: Connected
 


HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved  
warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved  
warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved  
warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved  
warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved  
warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved  
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.

Accepted Solution

by:Scott Thompson (earned 1500 total points)
ID: 38380301
Sounds like your TCP/IP stack might be corrupted. Let's see if there is an issue in Device Manager.

Open a command prompt as Administrator and type the following commands:

set devmgr_show_nonpresent_devices=1

start devmgmt.msc

Click View > Show hidden devices.

Do you see any exclamation marks under Network Adapters, or any Non-Plug and Play Drivers that have issues?

Expert Comment

by:Thebl0b
ID: 38408118
1. I would ping the loopback address to confirm whether TCP/IP is corrupted or not.
2. Run sfc /scannow. SFC will indicate if there is an issue.
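The checks raised across this thread (the Winsock diagnostic's "base service provider entries could not be found", the "cannot connect to the RPC server" on ipconfig /renew, Scott Thompson's look for problem devices in Device Manager, and Thebl0b's loopback ping and sfc /scannow) can be run from one script, so you get a written record before and after the repair instead of a screenshot. The script below is an added example, not code from the thread or from any of the tools named in it. It assumes a Windows 7 / PowerShell 2.0 box like the one described (Get-WmiObject rather than the newer CIM and PnP cmdlets), an elevated prompt, the service short names listed in it, that "MSAFD Tcpip [TCP/IP]" and "MSAFD Tcpip [UDP/IP]" are the descriptions netsh winsock show catalog prints for the IPv4 base providers, and that ZeroAccess stops and disables the Base Filtering Engine and Windows Firewall services (well documented for that family, but not stated on this page).

```powershell
<#
  Added triage script (not from the thread). Run from an elevated PowerShell
  prompt on the affected machine. Written for Windows 7 / PowerShell 2.0, so
  it uses Get-WmiObject and New-Object PSObject rather than newer cmdlets.
  Read-only unless -Repair is given; -Repair runs the standard netsh resets.
#>
param([switch]$Repair)

# 1. Loopback: if 127.0.0.1 does not answer, the stack itself is broken.
#    Test-Connection rides on WMI, so a broken Winmgmt also shows up as FAIL.
$loopback = Test-Connection -ComputerName 127.0.0.1 -Count 1 -Quiet -ErrorAction SilentlyContinue
Write-Output ("[{0}] loopback ping" -f $(if ($loopback) { 'OK' } else { 'FAIL' }))

# 2. Services the IP stack depends on. "Cannot connect to the RPC server" on
#    ipconfig /renew usually means RpcSs or the DHCP Client is not running.
#    BFE/MpsSvc are included on the assumption (see lead-in) that ZeroAccess
#    disabled them; extend the list for your build.
$services = 'RpcSs','Dhcp','Dnscache','nsi','Netman','NlaSvc','BFE','MpsSvc','Winmgmt'
foreach ($name in $services) {
    $svc = Get-WmiObject Win32_Service -Filter ("Name='{0}'" -f $name)
    if ($svc -eq $null) {
        Write-Output ("[MISSING] service {0} is not registered" -f $name)
    } elseif ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled') {
        Write-Output ("[CHECK] {0}: state={1} start={2}" -f $name, $svc.State, $svc.StartMode)
    } else {
        Write-Output ("[OK] {0}" -f $name)
    }
}

# 3. Winsock catalog. Parse 'netsh winsock show catalog' into entries, confirm
#    the IPv4 TCP and UDP base providers exist (the diagnostic in the thread
#    said base providers were missing), and flag any provider DLL that is not
#    under System32, which is where an injected LSP would show up.
$entries = @()
$cur = $null
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match '^Entry Type:\s+(.+)$') {
        $cur = New-Object PSObject -Property @{ Type = $matches[1].Trim(); Description = ''; Path = '' }
        $entries += $cur
    } elseif ($cur -ne $null -and $line -match '^Description:\s+(.+)$') {
        $cur.Description = $matches[1].Trim()
    } elseif ($cur -ne $null -and $line -match '^Provider Path:\s+(.+)$') {
        $cur.Path = $matches[1].Trim()
    }
}
$base = @($entries | Where-Object { $_.Type -eq 'Base Service Provider' })
Write-Output ("[INFO] {0} catalog entries, {1} base service providers" -f $entries.Count, $base.Count)
foreach ($needed in 'MSAFD Tcpip [TCP/IP]','MSAFD Tcpip [UDP/IP]') {
    if (-not ($base | Where-Object { $_.Description -eq $needed })) {
        Write-Output ("[MISSING] {0}: 'netsh winsock reset' is needed" -f $needed)
    }
}
foreach ($e in $entries) {
    if ($e.Path -ne '' -and $e.Path -notmatch '^%SystemRoot%\\System32\\') {
        Write-Output ("[CHECK] provider outside System32: {0} -> {1}" -f $e.Description, $e.Path)
    }
}

# 4. Devices carrying a problem code (the yellow exclamation marks in Device
#    Manager). Non-present devices are not in WMI; for those use the
#    devmgr_show_nonpresent_devices=1 trick from the accepted answer.
$bad = Get-WmiObject Win32_PnPEntity |
    Where-Object { $_.ConfigManagerErrorCode -ne $null -and $_.ConfigManagerErrorCode -ne 0 }
foreach ($d in $bad) {
    Write-Output ("[CHECK] device '{0}' error code {1}" -f $d.Name, $d.ConfigManagerErrorCode)
}

# 5. Physical adapters and their link state (NetConnectionStatus 2 = connected).
Get-WmiObject Win32_NetworkAdapter -Filter "PhysicalAdapter=True" |
    ForEach-Object { Write-Output ("[INFO] adapter '{0}' status={1}" -f $_.Name, $_.NetConnectionStatus) }

# 6. Optional repair: rebuild the Winsock catalog and reset TCP/IP, then
#    reboot, re-run this script and follow up with 'sfc /scannow'.
if ($Repair) {
    netsh winsock reset
    netsh int ip reset
    ipconfig /flushdns
    Write-Output "[INFO] resets applied; reboot, re-run this script, then run sfc /scannow"
}
```

Save it as net-triage.ps1, run it once read-only and keep the output, then run it with -Repair, reboot, and run it again; the second run should show both MSAFD entries present and every service in the list running. If a [CHECK] line points at a provider DLL outside System32, record the path before resetting, since netsh winsock reset removes the entry and with it the evidence of what was installed. If the machine's execution policy blocks the script, start it with powershell -ExecutionPolicy Bypass -File .\net-triage.ps1.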
