Rootkit.boot.sst.b

Good morning,

I have a client that somehow got this virus on their computer. I will detail the steps I have taken to get to the point I'm at right now. With the virus on the machine, before I did anything to the system, I was not able to access the internet, and when I tried to boot the system in normal mode, before the icons came on the screen the system would reboot instantly. I can get the system into safe mode, but have no internet access.

The steps I have taken: I ran ComboFix in safe mode, but it locked up while deleting files. I tried to run it again and it keeps coming up with the message "rootkit.zeroaccess"; it gets to about stage 48 and that's it, no further. I couldn't run Malwarebytes or SuperAntiSpyware. I ran TDSSKiller and it detected Rootkit.boot.sst.b. Upon reading several webpages about the virus, I decided to try the gpart method to get rid of the partition. I was able to remove a 7 MB partition from the hard drive, and now I can get the system into normal mode, but still have no internet access. I have tried WinSock fix, and I have tried a DNS flush. When I do an ipconfig /release it will release the IP address; when I try to renew the IP address I get the message "cannot connect to the RPC server". I ran Malwarebytes in normal mode with an updated rule set and it came back with no threats found.

I'm running ComboFix now in safe mode with networking support. I have completely removed Webroot SecureAnywhere, which failed at detecting and removing this virus. If ComboFix completes this time I'll be able to upload a log file. Every time I run ComboFix it keeps saying that a rootkit.zeroaccess has been found and needs to reboot my machine; currently 20 minutes in and it is at step 19. Any suggestions on what I can do to get rid of this virus and get the internet working again? Also, I would prefer a method that does not involve formatting and reinstalling, since the client's computer I'm working on has software on it that they currently cannot find the CDs for; it would cost a lot of money to update to the latest version, and the vendor won't send them a CD or the exe file because the software is EOL.

Thank you for any help in getting this resolved.
thinktechsolutions asked:
Scott Thompson (Computer Technician / Owner) commented:
Sounds like your TCP/IP stack might be corrupted. Let's see if there is an issue in Device Manager.

Open a command prompt as Administrator and type the following commands:

set devmgr_show_nonpresent_devices=1

start devmgmt.msc

Click on View and show hidden devices.

Do you see any exclamation marks in Network Adapters, or any non-Plug and Play devices that have issues?
0
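The same check from PowerShell, as an added example that is not part of the thread. It lists every Plug and Play device Windows has flagged with a problem (the devices that carry the exclamation mark in Device Manager), then the network adapters and their connection state, and finally opens Device Manager with the non-present-devices variable set exactly as the comment above describes. The function names are my own; the WMI classes, properties and error-code meanings are standard Windows values, and Get-WmiObject is used rather than Get-CimInstance so it runs on PowerShell 2.0 on XP/Vista/7.

```powershell
# Added example (not from the thread): PowerShell equivalent of the Device Manager check.
# Run from an elevated PowerShell prompt.

# Standard Windows Configuration Manager error codes (subset).
$cmCodes = @{
    1  = 'not configured correctly'
    10 = 'cannot start'
    19 = 'registry may be corrupt'
    22 = 'disabled'
    28 = 'drivers not installed'
    31 = 'Windows cannot load the drivers'
    39 = 'driver missing or corrupt'
    43 = 'device reported a problem'
}

function Get-ProblemDevices {
    # ConfigManagerErrorCode 0 means "working properly"; anything else is the
    # yellow exclamation mark in Device Manager.
    Get-WmiObject Win32_PnPEntity -Filter 'ConfigManagerErrorCode <> 0' |
        ForEach-Object {
            $code = [int]$_.ConfigManagerErrorCode
            New-Object PSObject -Property @{
                Name    = $_.Name
                Code    = $code
                Meaning = $(if ($cmCodes.ContainsKey($code)) { $cmCodes[$code] } else { 'see CM error code table' })
                ID      = $_.DeviceID
            }
        }
}

function Get-AdapterStatus {
    # Only adapters that have a network connection object (Local Area Connection etc.).
    # NetConnectionStatus: 2 = connected, 7 = media disconnected.
    Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionID IS NOT NULL' |
        Select-Object NetConnectionID, Name, NetConnectionStatus, ServiceName
}

Get-ProblemDevices | Format-Table Name, Code, Meaning -AutoSize
Get-AdapterStatus  | Format-Table -AutoSize

# WMI only reports devices that are currently present. To see the ghost
# ("non-present") entries, open Device Manager with the variable set, as in
# the comment above, then View > Show hidden devices.
$env:devmgr_show_nonpresent_devices = 1
Start-Process devmgmt.msc
```

A healthy machine prints an empty problem-device table and one row per adapter with NetConnectionStatus 2. The ServiceName column is the kernel driver bound to the adapter; if a present adapter shows code 31 or 39 there, the driver file or its registry service key is what needs repairing, which is a different fix from a Winsock or TCP/IP reset.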
 
thinktechsolutions (Author) commented:
OK, ComboFix finished this time. The log files for ComboFix, RKill and TDSSKiller are below:
ComboFix.txt
TDSSKiller.2.6.20.0-28.08.2012-2.txt
0
 
Thomas Zucker-Scharff (Solution Guide) commented:
I'm not a ComboFix reader, so I won't attempt that. I have dealt with more than a few rootkits and recommend that you read my article on rootkits and rootkit removal, along with reviews of several free anti-rootkit tools.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

Also, have you tried using RogueKiller before doing a scan with Malwarebytes (no reboot in between)? Check out this article by younghv on that:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html
0
 
thinktechsolutions (Author) commented:
OK, I'm pretty sure this virus is gone, but I still don't have access to the internet. I need some serious help getting the internet working. Any suggestions? Thank you.
0
 
thinktechsolutions (Author) commented:
Here is what I'm getting when I run the network diagnostics:


Last diagnostic run time: 08/29/12 16:35:18

WinSock Diagnostic
WinSock status

info Error attempting to validate the Winsock base providers: 2
error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
info Redirecting user to support call

Network Adapter Diagnostic
Network location detection

info Network location could not be detected
action User input required: Select network location
info Using home Internet connection

Network adapter identification

info Network connection: Name=Local Area Connection, Device=Broadcom NetXtreme Gigabit Ethernet for hp, MediaType=LAN, SubMediaType=LAN
info Ethernet connection selected

Network adapter status

info Network connection status: Connected

HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.
0
 
Thebl0b commented:
1. I would ping the loopback address to confirm whether TCP/IP is corrupted or not.
2. Run SFC /scannow. SFC will indicate if there is an issue.
0
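Putting the diagnostic output two comments up and Thebl0b's two suggestions together, here is an added PowerShell checklist (my own code, not from the thread or from any of the tools named in it) for the exact symptoms reported: the loopback ping, a parse of the Winsock catalog to see whether the base service providers the diagnostic says are missing are really absent after the reset, a look at the services that ipconfig /renew reaches over RPC, and the sfc scan. The function names and the "provider DLL outside system32" heuristic are my own assumptions; the service names and MSAFD provider descriptions are standard Windows values. It is written for PowerShell 2.0 so it runs on the XP/Vista/7-era HP box described.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.

function Test-Loopback {
    # If 127.0.0.1 does not answer, TCP/IP itself is broken; DNS and the NIC are
    # not even involved yet. "TTL=" only appears in a successful reply line.
    $out = ping.exe -n 2 127.0.0.1
    return @($out -match 'TTL=').Count -gt 0
}

function Get-WinsockProviders {
    # Parse "netsh winsock show catalog": each entry has a "Description:" line and,
    # a few lines later, a "Provider Path:" line. Pair them up.
    $entries = @()
    $current = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Description:\s*(.+)$') {
            $current = New-Object PSObject -Property @{ Description = $Matches[1].Trim(); Path = '' }
            $entries += $current
        } elseif ($current -ne $null -and $line -match '^\s*Provider Path:\s*(.+)$') {
            $current.Path = $Matches[1].Trim()
        }
    }
    return $entries
}

function Test-WinsockCatalog {
    $providers = Get-WinsockProviders
    # The base providers Windows ships; the diagnostic above fails when these are missing.
    $required = 'MSAFD Tcpip [TCP/IP]', 'MSAFD Tcpip [UDP/IP]', 'MSAFD Tcpip [RAW/IP]'
    $ok = $true
    foreach ($name in $required) {
        if (-not ($providers | Where-Object { $_.Description -eq $name })) {
            Write-Warning "Missing base provider: $name"
            $ok = $false
        }
    }
    # Heuristic (mine): a layered provider whose DLL lives outside %SystemRoot%\system32
    # is worth inspecting; the stock providers (mswsock.dll, rsvpsp.dll, napinsp.dll,
    # pnrpnsp.dll, NLAapi.dll, winrnr.dll, wshbth.dll) all live there.
    foreach ($p in $providers) {
        if ($p.Path -and $p.Path -notmatch '(?i)^%SystemRoot%\\system32\\') {
            Write-Warning ("Provider '{0}' loads from {1}" -f $p.Description, $p.Path)
            $ok = $false
        }
    }
    return $ok
}

function Test-NetworkServices {
    # ipconfig /renew talks to the DHCP Client service over RPC, so "cannot connect
    # to the RPC server" usually means RpcSs or Dhcp is stopped or cannot start.
    $ok = $true
    foreach ($name in 'RpcSs', 'Dhcp', 'Dnscache', 'Netman') {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { Write-Warning "Service $name not found"; $ok = $false; continue }
        "{0,-10} state={1,-8} start={2}" -f $svc.Name, $svc.State, $svc.StartMode
        if ($svc.State -ne 'Running') { $ok = $false }
    }
    return $ok
}

function Repair-Stack {
    # Rebuild the Winsock catalog and TCP/IP configuration (reboot afterwards),
    # then let SFC repair any protected system files the rootkit touched.
    netsh winsock reset
    netsh int ip reset "$env:TEMP\ipreset.log"
    sfc /scannow
}

"Loopback OK: " + (Test-Loopback)
"Winsock OK:  " + (Test-WinsockCatalog)
"Services OK: " + (Test-NetworkServices)
# If any line above is False: Repair-Stack, reboot, and run the three checks again.
```

The order matters for diagnosis: a failing loopback ping points at the TCP/IP driver binding (the Device Manager check in the first comment), a failing catalog check with a passing loopback points at Winsock, and a failing service check with both of the others passing explains the RPC error on ipconfig /renew by itself. Running the checks again after the reset and reboot tells you whether the reset actually took effect, which a plain "I ran a Winsock fix" does not.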
Question has a verified solution.