Registry Editing like copying keys

Discussion in 'Software' started by ExcitedNewbie, Nov 27, 2011.

  1. ExcitedNewbie

    ExcitedNewbie Private E-2

    Hrmm, I was disappointed with my last post as it got only one reply. A thank you to that person.
    I have completely killed the malware System Fix on a friend's computer. I could not find anything online about the aftermath of the cleaning, though. The laptop no longer has any non-plug-and-play drivers to connect to the internet. I also do not have my backup disks for Windows XP, and neither does he.
    So I came across this idea: perhaps I can copy the keys for those drivers from the registry of my computer and transfer them to his computer? Is this possible?
    Please help, and thank you for any time and details.
     
  2. thisisu

    thisisu Malware Consultant

    Sounds like you were infected with a Max++/Sirefef/ZeroAccess rootkit too. This is typically bundled with the System Fix FakeAV you mentioned in your post.

    To answer your question: Yes, you can use the registry to restart the service, but you have to be very careful about which key you are exporting, as it has to be the same Windows OS and same service pack before you merge it into the infected computer. If it's not a clean copy for that specific OS and SP, it will not work and you cannot expect it to restart the specified service.

    Can you run this tool so we have some sort of idea what problems you have:

    Please download Farbar Service Scanner and run it on the computer with the issue.

    Check "Include All Files" option.
    Press "Scan".
    It will create a log (FSS.txt) in the same directory the tool is run.
    Please attach FSS.txt to your next message.
     
  3. ExcitedNewbie

    ExcitedNewbie Private E-2

    Thanks for the quick reply. I will do what needs to be done so stay with the post. Thanks again
     
  4. ExcitedNewbie

    ExcitedNewbie Private E-2

    Farbar Service Scanner
    Ran by MIS (administrator) on 27-11-2011 at 20:40:18
    Microsoft Windows XP Service Pack 3 (X86)
    ********************************************************

    Service Check:
    ==============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.

    IpSec Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open IpSec registry key. The service might not exist.
    Checking ImagePath: Attention! Unable to open IpSec registry key. The service might not exist.

    The above is for his computer. The bottom is mine.

    Farbar Service Scanner
    Ran by Idealist (administrator) on 27-11-2011 at 20:43:19
    Microsoft Windows XP Service Pack 3 (X86)
    ********************************************************

    Service Check:
    ==============

    File Check:
    ===========
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

    Connection Status:
    ==================
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.

    **** End of log ****
     
  5. thisisu

    thisisu Malware Consultant

    OK, since both computers are Windows XP SP3, you can use the below:

    ========WARNING========
    The below is specifically for ExcitedNewbie's computer
    Do NOT run the below if you are not ExcitedNewbie
    Doing so may damage your PC!
    ========WARNING========

    Attached is fixme.zip

    Inside is:
    • ipsec_xp_sp3.reg
    • fixme+restart.bat

    Extract both files to the infected computer's desktop.

    First double-click ipsec_xp_sp3.reg and allow it to merge into the registry. You should receive a successful message.

    Now reboot your PC.

    Once you have rebooted...

    Test your internet. If it is still not working, run the fixme+restart.bat file by double-clicking it.
    Your PC will reboot again. Once you are back in Windows, test your internet again.

    If it still does not work, attach the fixme_results.txt file the .bat file created.
     


  6. ExcitedNewbie

    ExcitedNewbie Private E-2

    Thanks I will do that and reply back with the results.
     
  7. ExcitedNewbie

    ExcitedNewbie Private E-2

    Here are the results of the fixme you sent.

    Windows IP Configuration

    An internal error occurred: The request is not supported.

    Please contact Microsoft Product Support Services for further help.

    Additional information: Unable to query host name.

    Windows IP Configuration

    An internal error occurred: The request is not supported.

    Please contact Microsoft Product Support Services for further help.

    Additional information: Unable to query host name.

    Windows IP Configuration

    An internal error occurred: The request is not supported.

    Please contact Microsoft Product Support Services for further help.

    Additional information: Unable to query host name.

    Sucessfully reset the Winsock Catalog.
    You must restart the machine in order to complete the reset.

    Windows IP Configuration

    An internal error occurred: The request is not supported.

    Please contact Microsoft Product Support Services for further help.

    Additional information: Unable to query host name.

    Windows IP Configuration

    An internal error occurred: The request is not supported.

    Please contact Microsoft Product Support Services for further help.

    Additional information: Unable to query host name.

    Windows IP Configuration

    An internal error occurred: The request is not supported.

    Please contact Microsoft Product Support Services for further help.

    Additional information: Unable to query host name.

    Sucessfully reset the Winsock Catalog.
    You must restart the machine in order to complete the reset.
     
  8. thisisu

    thisisu Malware Consultant

    I would like you to try the below.

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned; this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note: This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect; go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.
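    For verifying a cleanup of this kind afterwards, here is an added PowerShell check that is not part of the thread, of Farbar's tool, or of the fixme files above. It reads the same service keys that the FSS log in post 4 reported on (plus the Winsock and Winsock2 keys that post 8 rebuilds) and compares Start, ImagePath and Parameters\ServiceDll against what are assumed to be stock XP SP3 values; those expected strings are assumptions, to be confirmed on a known-good machine with the same OS and service pack, which is the same condition thisisu set in post 2 for copying keys at all.

```powershell
# Added example (not from the thread): re-check the XP network service keys that
# Farbar Service Scanner reported on, so a cleanup can be verified afterwards.
# Expected values are ASSUMED stock XP SP3 defaults; confirm them against a
# known-good machine running the same OS and service pack before trusting them.
# Written against PowerShell 2.0 syntax so it also runs on an XP box.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Start type: 1 = System (loaded at boot, used by kernel drivers), 2 = Automatic.
$expected = @{
    'Dhcp'     = @{ Start = 2; ImagePath = '%SystemRoot%\system32\svchost.exe -k netsvcs'
                    ServiceDll = '%SystemRoot%\System32\dhcpcsvc.dll' }
    'Dnscache' = @{ Start = 2; ImagePath = '%SystemRoot%\system32\svchost.exe -k NetworkService'
                    ServiceDll = '%SystemRoot%\System32\dnsrslvr.dll' }
    'Tcpip'    = @{ Start = 1; ImagePath = 'system32\DRIVERS\tcpip.sys' }
    'IpSec'    = @{ Start = 1; ImagePath = 'system32\DRIVERS\ipsec.sys' }
}

function Test-NetServiceKey {
    param([string]$Name, [hashtable]$Want)
    $key = "$servicesRoot\$Name"
    # A missing key is exactly what FSS flagged for IpSec on the infected laptop.
    if (-not (Test-Path $key)) {
        return New-Object PSObject -Property @{ Service = $Name; Status = 'MISSING'; Detail = "$key does not exist" }
    }
    $p   = Get-ItemProperty -Path $key
    $bad = @()
    if ($p.Start -ne $Want.Start) { $bad += "Start=$($p.Start) (expected $($Want.Start))" }
    # String -ne is case-insensitive in PowerShell, so System32 vs system32 is not a finding.
    if ($p.ImagePath -ne $Want.ImagePath) { $bad += "ImagePath=$($p.ImagePath)" }
    if ($Want.ContainsKey('ServiceDll')) {
        # svchost-hosted services keep the real DLL under Parameters\ServiceDll.
        $dll = $null
        if (Test-Path "$key\Parameters") { $dll = (Get-ItemProperty -Path "$key\Parameters").ServiceDll }
        if ($dll -ne $Want.ServiceDll) { $bad += "ServiceDll=$dll" }
    }
    $status = 'OK'
    if ($bad.Count -gt 0) { $status = 'MISMATCH' }
    New-Object PSObject -Property @{ Service = $Name; Status = $status; Detail = ($bad -join '; ') }
}

$report = @()
foreach ($name in 'Dhcp', 'Dnscache', 'Tcpip', 'IpSec') {
    $report += Test-NetServiceKey -Name $name -Want $expected[$name]
}
# Winsock and Winsock2 are the catalog keys post 8 deletes and rebuilds; flag them if absent.
foreach ($ws in 'Winsock', 'Winsock2') {
    $status = 'MISSING'
    if (Test-Path "$servicesRoot\$ws") { $status = 'OK' }
    $report += New-Object PSObject -Property @{ Service = $ws; Status = $status; Detail = 'Winsock catalog key' }
}
$report | Format-Table Service, Status, Detail -AutoSize
```

    A MISSING or MISMATCH row on a service is the registry-side symptom the thread is chasing; a mismatch whose ImagePath or ServiceDll points somewhere other than the stock binaries listed in the FSS file check is worth treating as a leftover of the infection rather than a cosmetic difference.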
     
  9. ExcitedNewbie

    ExcitedNewbie Private E-2

    Haha, this is fun innit? I thank you for your help. I'm learning and see what happens after this.
     
  10. thisisu

    thisisu Malware Consultant

    :cool:cool:cool
     
  11. ExcitedNewbie

    ExcitedNewbie Private E-2

    YES, SUCCESS. Thank you thisisu, you were helpful and admirably patient. :cry:cry
     
  12. thisisu

    thisisu Malware Consultant

    No problem. Surf safely!
     
  13. LocalVolatility

    LocalVolatility Private E-2

    Thank you thisisu - I had exactly the same problem and working through the steps in your last post fully fixed them.

    My PC got infected with Cloud AV 2012 and a zero access rootkit. After AntiVir moved ipsec.sys to the quarantine and I deleted all files that I could associate with the virus, I couldn't get online any more.

    Really appreciate your help!
     
  14. thisisu

    thisisu Malware Consultant

    You're welcome. :)
    I / We appreciate you creating an account just to show your gratitude. :major
     
  15. aberndt

    aberndt Private E-2

    Thank you!!! I had to repair a Windows XP computer for a co-worker AFTER he had removed "something". After 4 hours of searching the web, your answer worked great!!!
     
  16. thisisu

    thisisu Malware Consultant

