ZeroAccess Infection - Internet Access Broken

Discussion in 'malware problems & news' started by TrueCitrus, Aug 18, 2011.

Thread Status:
Not open for further replies.
  1. TrueCitrus

    TrueCitrus Registered Member

    Joined:
    Aug 18, 2011
    Posts:
    3
    I was/am infected with the ZeroAccess rootkit.

    I noticed that something was wrong when I was getting my Google search results redirected to bogus sites.

    I ran TDSSkiller but it immediately terminated after I ran a scan.

    I could not get Combofix to run either.
    I tried this in both normal mode/safe mode with networking.

    I was able to get the software to run in Safe mode.

    Combofix alerted me that I was infected with the ZeroAccess rootkit and that it is difficult to remove. It also mentioned to me that the ZeroAccess rootkit infects the TCP/IP stack.

    After running Combofix and restarting the machine I am no longer able to access the internet.

    I tried running Combofix again but it did not solve the issue.

    I tried deleting my NIC from the device manager and that did not help.

    I also reset the TCP/IP stack and Winsock but that did not help either.

    Upon start-up I get WSA Socket Errors 10050 and 10038.

    I am really out of ideas... I don't want to reformat.

    Is it possible I'm still infected after running Combofix?
     
  2. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    A lot of those rootkits change the proxy settings. Go to control panel and then Internet Options and click the connections tab. There is a button called "Lan settings". Click that and make sure they did not change your proxy settings.
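    The LAN settings check above, plus the two symptoms reported in the opening post (a possibly damaged Winsock stack and no DHCP lease), can be verified from an elevated PowerShell prompt without clicking through the GUI. The script below is an added example for this thread, not something posted by cm1971 or TrueCitrus; it is read-only and changes nothing. It reads the same per-user WinINET proxy values the Internet Options dialog shows, lists any Winsock catalog provider whose DLL lives outside %SystemRoot% (a clean stack contains Microsoft DLLs only), and lists IP-enabled adapters stuck on a 169.254.x.x APIPA address. It assumes an English-language Windows, because it parses the "Provider Path:" label printed by `netsh winsock show catalog`.

```powershell
# Added example, not code from the thread. Read-only triage of the three things
# discussed here: proxy tampering, Winsock catalog integrity, and DHCP failure.
# Assumption: English netsh output (the "Provider Path:" label is localized).

function Get-WinInetProxySettings {
    # Per-user proxy configuration behind Internet Options > Connections > LAN settings.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = [int]($p.ProxyEnable)   # 1 = "Use a proxy server" is ticked
        ProxyServer   = $p.ProxyServer          # host:port (or per-protocol list)
        ProxyOverride = $p.ProxyOverride        # bypass list; '<local>' alone is normal
        AutoConfigURL = $p.AutoConfigURL        # PAC script URL; unexpected value is a red flag
    }
}

function Get-SuspiciousWinsockProviders {
    # Collect every provider DLL path from the Winsock catalog and keep the ones
    # that do not resolve under %SystemRoot%. Expected result on a clean box: nothing.
    $root = $env:SystemRoot
    netsh winsock show catalog | ForEach-Object {
        if ($_ -match '^\s*Provider Path:\s*(.+?)\s*$') {
            [Environment]::ExpandEnvironmentVariables($Matches[1])
        }
    } |
    Sort-Object -Unique |
    Where-Object { -not $_.StartsWith($root, [StringComparison]::OrdinalIgnoreCase) }
}

function Get-AdaptersWithoutDhcpLease {
    # "Limited or no connectivity" usually means the adapter fell back to an APIPA
    # 169.254.x.x address because no DHCP lease was obtained.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DHCPEnabled -and ($_.IPAddress -match '^169\.254\.') } |
        Select-Object Description, MACAddress, IPAddress, DHCPServer
}

'--- WinINET proxy settings (HKCU) ---'
Get-WinInetProxySettings | Format-List

'--- Winsock providers outside %SystemRoot% (expect none) ---'
Get-SuspiciousWinsockProviders

'--- IP-enabled adapters stuck on APIPA (no DHCP lease) ---'
Get-AdaptersWithoutDhcpLease | Format-Table -AutoSize
```

    If the proxy section shows ProxyEnable set to 1 or an AutoConfigURL you never configured, that is the setting cm1971 is pointing at. If the Winsock section prints any path, the catalog still references a third-party DLL and a `netsh winsock reset` followed by a reboot is the usual repair; if it prints nothing and the adapter is still on 169.254.x.x, the problem is below Winsock (driver, DHCP client service, or the adapter itself) rather than a leftover LSP.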
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  4. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    You can mess a computer up using Combofix if you don't know what you are doing.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yup.

    I suggest hitmanpro.
     
  6. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Scan with one of the many bootable Antivirus Rescue CDs. Here are some examples.

    1. Avira Rescue System
    2. Kaspersky Rescue Disk 10
    3. Dr.Web LiveCD (Slow scan speed)
     
  7. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    This is why it's a good idea to have a clean system image available. Many of these rootkits are near impossible to repair and still have a usable system afterwards. :(
     
  8. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    :thumb: :thumb: :)
     
  9. TrueCitrus

    TrueCitrus Registered Member

    Joined:
    Aug 18, 2011
    Posts:
    3
    I should have been more clear.
    I am not getting an address from DHCP anymore. Windows reports limited to no connectivity.
     
  10. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    I would run Avira and Kaspersky rescue disc and see if they find something Combofix missed.
     
  11. NodKiller

    NodKiller Registered Member

    Joined:
    Feb 13, 2009
    Posts:
    19
  12. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    187
    To be honest, you really should consider a reformat. It could save you time, and at the same time, it could give you peace of mind.
     
  13. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
  14. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I would "wipe" (zero write to all hard drive sectors) and then do a "full format" just to have a "Peace of Mind".
     
  15. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    Yes and even better would be if he had an image to go back to.
     
  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    TrueCitrus,
    Just curious, what was running in realtime, security-wise, when the infection took place?
     
  17. TrueCitrus

    TrueCitrus Registered Member

    Joined:
    Aug 18, 2011
    Posts:
    3
    Symantec Endpoint Protection
     
  18. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    I second that!
     