Posted on 2012-08-29
Last Modified: 2013-11-22
Good morning,

I have a client that somehow got this virus on their computer. I will detail the steps I have taken to get to the point I'm at right now. With the virus on the machine, before I did anything to the system, I was not able to access the internet, and when I tried to boot the system up in normal mode, the system would reboot instantly before the icons came on the screen. I can get the system into safe mode, but I have no internet access.

The steps I have done: I ran ComboFix in safe mode, but it locked up while deleting files. I tried to run it again, and it keeps coming up with the message "rootkit.zeroaccess"; it gets to about stage 48 and that's it, no further. I couldn't run Malwarebytes or SuperAntiSpyware. I ran TDSSKiller and it detected rootkit.boot.sst.b. After reading several web pages about the virus, I decided to try the gpart method to get rid of the partition. I was able to remove a 7 MB partition from the hard drive, and now I can get the system into normal mode but still have no internet access. I have tried a Winsock fix and a DNS flush. When I do an ipconfig /release it will release the IP address, but when I try to renew the IP address I get the message "cannot connect to the RPC server". I ran Malwarebytes in normal mode with an updated rule set and it came back with no threats found.

I'm running ComboFix now in safe mode with networking support. I have completely removed Webroot SecureAnywhere, which failed at detecting and removing this virus. If ComboFix completes this time I'll be able to upload a log file. Every time I run ComboFix it keeps saying that a rootkit.zeroaccess has been found and needs to reboot my machine; it is currently 20 minutes in and at step 19. Any suggestions on what I can do to get rid of this virus and get the internet working again? Also, I would prefer a method that does not involve formatting and reinstalling, since the client's computer I'm working on has software on it that they currently cannot find the CDs for; it would cost a lot of money to update to the latest version, and the vendor won't send them a CD or the exe file because the software is EOL.

Thank you for any help in getting this resolved.
Question by:thinktechsolutions

    Author Comment

    OK, ComboFix finished this time. The log files for ComboFix, RKill and TDSSKiller are below.

    Expert Comment

    by:Thomas Zucker-Scharff
    I'm not a ComboFix reader, so I won't attempt that. I have dealt with more than a few rootkits and recommend that you read my article on rootkits and rootkit removal, along with reviews of more than several free anti-rootkit tools.

    Also, have you tried using RogueKiller before doing a scan with Malwarebytes (no reboot in between)? Check out this article by younghv on that:

    Author Comment

    OK, I'm pretty sure this virus is gone, but I still don't have access to the internet. I need some serious help getting the internet working. Any suggestions? Thank you.

    Author Comment

    Here is what I'm getting when I run the network diagnostics:

    Last diagnostic run time: 08/29/12 16:35:18 WinSock Diagnostic
    WinSock status

    info Error attmpting to validate the Winsock base providers: 2
    error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
    info Redirecting user to support call

    Network Adapter Diagnostic
    Network location detection

    info Network location could not be detected
    action User input required: Select network location
    info Using home Internet connection
    Network adapter identification

    info Network connection: Name=Local Area Connection, Device=Broadcom NetXtreme Gigabit Ethernet for hp, MediaType=LAN, SubMediaType=LAN
    info Ethernet connection selected
    Network adapter status

    info Network connection status: Connected

    HTTP, HTTPS, FTP Diagnostic
    HTTP, HTTPS, FTP connectivity

    warn HTTP: Error 12007 connecting to The server name or address could not be resolved  
    warn HTTPS: Error 12007 connecting to The server name or address could not be resolved  
    warn FTP (Passive): Error 12007 connecting to The server name or address could not be resolved  
    warn HTTP: Error 12007 connecting to The server name or address could not be resolved  
    warn HTTPS: Error 12007 connecting to The server name or address could not be resolved  
    warn FTP (Active): Error 12007 connecting to The server name or address could not be resolved  
    error Could not make an HTTP connection.
    error Could not make an HTTPS connection.
    error Could not make an FTP connection.

    Accepted Solution

    Sounds like your TCP/IP stack might be corrupted. Let's see if there is an issue in Device Manager.

    Open up a command prompt as Administrator. Type the following commands:

    set devmgr_show_nonpresent_devices=1

    start devmgmt.msc

    Click on View and select Show hidden devices.

    Do you see any exclamation marks under Network Adapters, or any non-Plug and Play devices that have issues?

    Expert Comment

    1. I would ping the loopback address to confirm whether TCP/IP is corrupted or not.
    2. Run SFC /scannow. SFC will indicate if there is an issue.
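The checks the two experts describe (loopback ping, Device Manager status of network devices, the Winsock catalog the diagnostic complained about) gathered into one read-only pass. This is an added example, not code posted by anyone in the thread; it assumes an elevated PowerShell 2.0+ prompt on the affected machine, the standard Protocol_Catalog9 registry layout, and the fixed Network Adapters class GUID.

```powershell
# Added example (not from the thread): read-only diagnostic for the symptoms above.
# Assumes an elevated PowerShell 2.0+ prompt on the affected Windows machine.

# 1. Loopback ping: if 127.0.0.1 does not answer, the TCP/IP stack itself is broken.
$loopbackOk = Test-Connection -ComputerName 127.0.0.1 -Count 2 -Quiet
"Loopback reachable: $loopbackOk"

# 2. Services that ipconfig /renew (the "RPC server" error) and name resolution rely on.
foreach ($name in 'RpcSs', 'Dhcp', 'Dnscache', 'Winmgmt') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { "{0,-8} {1}" -f $name, $svc.Status } else { "$name MISSING" }
}

# 3. Network-class devices that Device Manager would flag with '!'. Only devices WMI
#    enumerates are covered; for non-present ones use the devmgmt.msc route above.
#    $netClass is the fixed GUID of the Network Adapters class; error code 0 = working.
$netClass = '{4d36e972-e325-11ce-bfc1-08002be10318}'
Get-WmiObject Win32_PnPEntity |
    Where-Object { $_.ClassGuid -eq $netClass -and $_.ConfigManagerErrorCode -ne 0 } |
    ForEach-Object { "Device problem: {0} (code {1})" -f $_.Name, $_.ConfigManagerErrorCode }

# 4. Winsock catalog: compare the entry count the catalog claims with what is really there,
#    and read each provider's DLL path (first NUL-terminated string in PackedCatalogItem).
$cat = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
$claimed = (Get-ItemProperty -Path $cat -ErrorAction SilentlyContinue).Num_Catalog_Entries
$entries = @(Get-ChildItem -Path "$cat\Catalog_Entries" -ErrorAction SilentlyContinue)
"Winsock catalog: $($entries.Count) entries present, $claimed claimed"
$baseSeen = $false
$sys32 = [regex]::Escape("$env:SystemRoot\system32")
foreach ($entry in $entries) {
    $raw = (Get-ItemProperty -Path $entry.PSPath).PackedCatalogItem
    if (-not $raw) { continue }
    $len = [Math]::Min(260, $raw.Length)
    $dll = [Text.Encoding]::ASCII.GetString($raw, 0, $len).Split([char]0)[0]
    $full = [Environment]::ExpandEnvironmentVariables($dll)
    if ($full -match 'mswsock\.dll$') { $baseSeen = $true }   # the base TCP/UDP provider
    # A provider DLL outside System32 deserves a look before the catalog is reset.
    if ($full -notmatch "^$sys32\\[^\\]+$") { "Unusual provider path: $dll" }
}
if (-not $baseSeen -or $entries.Count -ne $claimed) {
    "Base provider missing or entry count mismatch: the reset the diagnostic asks for is" +
    " 'netsh winsock reset' followed by a reboot."
}
```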
