Can't connect to internet, registry files missing

Discussion in 'Malware Help (A Specialist Will Reply)' started by cpk, Dec 30, 2011.

  1. cpk

    cpk Private E-2

    Oh the pain...

    I don't know what happened but slowly we started having internet connectivity issues. If we rebooted it seemed to fix it. After a few days of rebooting it every day, I had to run a Winsock XP Fix utility and reboot to fix it. Now, we can't connect at all. I first noticed that my NetBT files were missing from the registry, then noticed other files missing. I found a way to add the NetBT to the registry but now see that the netbt.sys file is missing. I'm getting in WAY over my head here. I'm just an average user and don't work with computers for a living.

    Clamwin found a couple files that looked like false positives and Super Antispyware found 107 adware hits and deleted those. Still, my computer will connect to the home network but cannot pick up an IP address. Other computers can connect to the network just fine.

    I'm running XP in an IBM Thinkpad with SP3. I've been staring at two computers trying to fix this but am at a loss. Please save me from having to bring it to Geeksquad! Any ideas? Thanks much.
     
  2. sach2

    sach2 Major Geek Extraordinaire

    I can't answer any networking problems and hope someone will get to this thread but do you have any System Restore points available before you lost connectivity altogether--that might be worth a try to eliminate the missing files problem.
     
  3. cpk

    cpk Private E-2

    I tried System Restore from various dates but each time got a message saying my computer was unable to reset.
     
  4. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, cpk!

    You should probably be in the Malware Removal forum if you are still having issues. There are typically many traces left by the ZeroAccess rootkit, which I'm guessing you were infected with; it aims to break internet services among other default Windows services.

    Let's do this in the meantime to gather some basic information:

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  5. cpk

    cpk Private E-2

    Hi thisisu,

    I wasn't sure where to put this thread but found the site while searching for solutions and came across a thread from someone who had a similar issue. That issue was posted in this forum so I thought I would start here. Feel free to move it.

    Thanks for the quick reply! I'm interested in knowing what virus caused this and how it got here, if that's possible. More than anything, however, I'm interested in getting this resolved without having to wipe the hard drive clean! Here's the fss scan...
     

    Attached Files:

    • FSS.txt (2.3 KB)
  6. thisisu

    thisisu Malware Consultant

  7. cpk

    cpk Private E-2

    FSS netbt.sys search attached...
     
  8. thisisu

    thisisu Malware Consultant

    It did not attach. Try again.
     
  9. cpk

    cpk Private E-2

    It's saying I've already attached that file in this thread. Weird. Here's the text of the file:


    Farbar Service Scanner
    Ran by (administrator) on 31-12-2011 at 00:01:43
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    NetBt Service is not running. Checking service configuration:
    The start type of NetBt service is OK.
    The ImagePath of NetBt service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Attempt to access Google IP returned error: Google IP is unreachable
    Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ===========

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    AegisP(8) Bridge(13) BridgeMP(12) Gpc(6) IPSec(4) NetBT(6) NwlnkIpx(14) NwlnkNb(15) PSched(7) Tcpip(3) TVTPktFilter(9)
    0x0E000000040000000100000002000000030000000A00000005000000060000000700000008000000090000000C0000000D0000000E0000000F000000

    **** End of log ****
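    The log above is what the helpers in this thread are reading by eye. As an added example (not part of the thread, and not FSS's own code), here is a small Python parser that pulls out the same findings a responder scans for: services that are not running, files reported missing or with a non-matching MD5, the network-state line, and the driver/tag list in the Extra List. SAMPLE_LOG is a trimmed copy of the log cpk posted. One point is my assumption: I read the hex blob as a little-endian count DWORD followed by one DWORD per tag, the layout of a GroupOrderList value; it does fit the data (0x0E = 14, and fourteen DWORDs follow). Decoded that way the list also exposes something visible in the posted line itself, that Gpc and NetBT both carry tag 6; chaslang's fix later in the thread sets NetBT's Tag to 5.

```python
"""Pull the actionable findings out of a Farbar Service Scanner (FSS.txt) log.
Added example: not part of the thread and not FSS's own code. SAMPLE_LOG is a
trimmed copy of the log cpk posted above. Reading the Extra List hex blob as a
count DWORD followed by one DWORD per tag (the layout of a GroupOrderList
value) is my assumption; it fits the data (0x0E = 14, and fourteen follow)."""
import re
import struct
from collections import defaultdict

SAMPLE_LOG = r"""Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.

Connection Status:
==============
Localhost is accessible.
There is no connection to network.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

Extra List:
=======
AegisP(8) Bridge(13) BridgeMP(12) Gpc(6) IPSec(4) NetBT(6) NwlnkIpx(14) NwlnkNb(15) PSched(7) Tcpip(3) TVTPktFilter(9)
0x0E000000040000000100000002000000030000000A00000005000000060000000700000008000000090000000C0000000D0000000E0000000F000000

**** End of log ****
"""

NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
MISSING = re.compile(r"^Attention! (.+?) is missing\.")
MD5 = re.compile(r"^(.+?) => MD5 is (.+)$")      # any verdict but "legit" is a hit
TAGGED = re.compile(r"([A-Za-z0-9_]+)\((\d+)\)")  # Name(tag) pairs in the Extra List
BLOB = re.compile(r"^0x([0-9A-Fa-f]+)$")


def decode_group_order(hex_blob):
    """Decode a little-endian DWORD count followed by that many DWORD tags."""
    raw = bytes.fromhex(hex_blob)
    (count,) = struct.unpack_from("<I", raw, 0)
    if len(raw) != 4 + 4 * count:
        raise ValueError("blob length does not match its count field")
    return list(struct.unpack_from("<%dI" % count, raw, 4))


def parse_fss(text):
    """Return stopped services, missing/tampered files, network state, the
    driver->tag map, the decoded load order, and any tag collisions."""
    out = {"not_running": [], "missing": [], "bad_md5": [], "no_network": False,
           "tags": {}, "load_order": []}
    lines = [ln.strip() for ln in text.splitlines()]
    section = None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.endswith(":") and nxt and set(nxt) == {"="}:
            section = line[:-1]                 # "File Check", "Extra List", ...
            continue
        if m := NOT_RUNNING.match(line):
            out["not_running"].append(m.group(1))
        elif m := MISSING.match(line):
            out["missing"].append(m.group(1))
        elif (m := MD5.match(line)) and m.group(2) != "legit":
            out["bad_md5"].append(m.group(1))
        elif line == "There is no connection to network.":
            out["no_network"] = True
        elif section == "Extra List":
            if m := BLOB.match(line):
                out["load_order"] = decode_group_order(m.group(1))
            else:
                out["tags"].update((n, int(t)) for n, t in TAGGED.findall(line))
    by_tag = defaultdict(list)
    for name, tag in out["tags"].items():
        by_tag[tag].append(name)
    # Two drivers sharing one tag inside a load-order group is a config fault
    # worth reporting; in this log Gpc and NetBT both carry 6.
    out["duplicate_tags"] = {t: sorted(n) for t, n in by_tag.items() if len(n) > 1}
    # Tags present in the blob but with no named driver in the list.
    out["unnamed_tags"] = sorted(t for t in out["load_order"] if t not in by_tag)
    return out


if __name__ == "__main__":
    for key, value in parse_fss(SAMPLE_LOG).items():
        print("%-15s %s" % (key, value))
```

    Run it as-is to print the findings for the embedded log, or feed it the text of a fresh FSS.txt. Anything in missing or bad_md5 is what to chase first: a legitimate MD5 on every listed file rules out replaced binaries, but as this log shows it says nothing about deleted ones.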
     
  10. thisisu

    thisisu Malware Consultant

    That is the initial log you attached.
    Did you press the "Search Files" button? The output would be different if you did.
     
  11. cpk

    cpk Private E-2

    Not sure what all happened there...long day.
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    No problem.

    Try the below:

    Attached is fix.zip.
    Inside is:
    • fix.bat
    Extract fix.bat to your desktop and run it by double-clicking it.
    When finished a Notepad window should open and say: "1 file(s) copied"

    If you received that message, then reboot your PC and test out your internet.
     

    Attached Files:

    • fix.zip (257 bytes)
  13. cpk

    cpk Private E-2

    No luck. Can't renew IP address. All zeros.
     
  14. thisisu

    thisisu Malware Consultant

    Here is another attached file (fixme+restart.zip)

    Extract the .bat file (fixme+restart.bat) onto your desktop.

    Run it by double-clicking it.

    It will reboot your PC

    Test your internet again, if it still does not work, attach the fixme_results.txt to your next message.
     

    Attached Files:

  15. cpk

    cpk Private E-2

    Same result...no IP address. Here's the fixme file. Thanks for your focus in resolving this!
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    I can't move threads or edit in this forum but hopefully someone else that can will.

    It looks like you have an IP address now, but dhcp is not starting automatically. Can you post a new FSS log using the "Scan" button? Try to attach the results.
     
  17. cpk

    cpk Private E-2

    A help-desk friend of mine told me his goal was to have me up and running again by 2012...he gave up when UFC 141 came on. :(
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    What error message do you receive when you open a Command Prompt window and type in the following command?
    • net start netbt

    Lol. That card didn't seem too intriguing to me. Brock Lesnar fighting should be entertaining though. I'm wanting to see Carlos Condit fight GSP :-D
     
  19. cpk

    cpk Private E-2

    I saw Fitch live vs. GSP at UFC 87 in Minneapolis. I have never seen a guy take a beating like he did for five rounds. He never gave up and just kept fighting. He lost tonight in 12 seconds. Bad day at work...

    Hmm...no error message: "The NetBios over Tcpip service was started successfully." Up until this point, ipconfig /all would show it as disabled.
     
  20. cpk

    cpk Private E-2

    Correction: I just did ipconfig /all at the command prompt and it still shows Netbios over tcpip as disabled.
     
  21. thisisu

    thisisu Malware Consultant

  22. cpk

    cpk Private E-2

    Combofix so far has found Rootkit.Zero Access on the tcp/ip stack...exactly what you suspected. I'll finish all the steps and post the logs. Good times...
     
  23. cpk

    cpk Private E-2

    Walked through all the steps and am still not able to connect to the internet. System cannot obtain an IP address. Here are the logs from the various scans. In following the ComboFix instructions it wasn't posted until the end that the Recovery Console needed to be downloaded and dropped into the program. ComboFix scanned first without the recovery info and when I added it later it automatically started another scan. I have attached both logs. The one entitled "ComboFix Log PRC" is from the scan that was performed after adding the recovery console.
     

    Attached Files:

  24. cpk

    cpk Private E-2

    Malwarebytes log
     
  25. cpk

    cpk Private E-2

    For real this time...
     

    Attached Files:

  26. thisisu

    thisisu Malware Consultant

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)
     
  27. cpk

    cpk Private E-2

    TDSSKiller, MBRCheck logs...
     

    Attached Files:

  28. thisisu

    thisisu Malware Consultant

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DDS::
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    DirLook::
    C:\Documents and Settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
    File::
    c:\windows\000001_.tmp
    FileLook::
    c:\windows\system32\drivers\netbt.sys
    c:\windows\system32\ieencode.dll
    Folder::
    C:\Documents and Settings\All Users\Application Data\Lavasoft
    C:\Program Files\Toolbar Cleaner
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "adaware"=-
    "adaware_XP"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\FixNet.bat by double-clicking it.

    It will reboot your machine. Test your internet when you are back in Windows.

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  29. thisisu

    thisisu Malware Consultant

    Noticed some pretty big differences in your netbt registry file.

    If the above does not resolve your internet issues, continue on with the below:

    ========WARNING========
    The below is specifically for cpk's computer
    Do NOT run the below if you are not cpk
    Doing so may damage your PC!
    ========WARNING========

    Attached is netbt.reg

    Inside is:
    • netbt.reg

    Extract netbt.reg to the infected computer's desktop.

    First double-click netbt.reg and allow it to merge into the registry. You should receive a successful message.

    Now reboot your PC.

    Once you have rebooted...

    Test your internet. If it still is not working, run the C:\MGtools\FixNet.bat file by double-clicking it.

    Your PC will reboot again. Once you are back in Windows, test your internet again.

    If it still does not work, attach c:\MGlogs.zip as it would have been updated.
     

    Attached Files:

  30. cpk

    cpk Private E-2

    No luck connecting...still cannot renew IP address.

    Edit: oops, just noticed your above message in between your previous post and this one. Will try it next.
     

    Attached Files:

  31. cpk

    cpk Private E-2

    Updated registry with your batch file, rebooted...still cannot obtain IP address.
     

    Attached Files:

  32. thisisu

    thisisu Malware Consultant

    Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:

    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List IP configuration
    • List Winsock Entries
    • List Devices -> All
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
     
  33. cpk

    cpk Private E-2

    MiniToolBox log...
     

    Attached Files:

  34. thisisu

    thisisu Malware Consultant

    Can you try the following:

    Start -> Control Panel -> Network Connections -> Local Area Connection 3 -> Right Mouse click it and select Repair

    Try the same thing with Wireless Network Connection 2
     
  35. cpk

    cpk Private E-2

    Local Area Connection 3: "Windows could not finish repairing the problem because the following action cannot be completed: Renewing your IP address."

    Obviously have the same issue in repairing the wireless connection.
     
  36. thisisu

    thisisu Malware Consultant

    Ok, now try the below:

    Open the Device Manager

    Click the Start button > Run - copy and paste this command in the box devmgmt.msc then click OK.

    Collapse the Network Adapters list.
    Right mouse click: 82566MM Gigabit Network Connection
    Choose "Uninstall".
    You will be asked to confirm your actions, choose OK and let it uninstall.
    If it asks you if you want to delete the driver software / files too, say No.
    When you have done this and 82566MM Gigabit Network Connection is no longer in the Device Manager list -- press the Scan for hardware changes button or Action -> Scan for hardware changes
    Allow it to reinstall your network adapter.
    Reboot for changes to occur.
    Test internet once you have rebooted.
     
  37. cpk

    cpk Private E-2

    Uninstalled and reinstalled. Can't connect, no IP address.
     
  38. thisisu

    thisisu Malware Consultant

    Open a command prompt window and type the following commands in the order they are posted here:
    Please note that the text after the arrow is only information. The text before it is the actual command.

    • ipconfig /release
    • ipconfig /flushdns
    • ipconfig /renew <--- What exactly does this say?
     
  39. cpk

    cpk Private E-2

    "An error occurred while renewing interface Local Area Connection 4: The RPC server is unavailable."
     
  40. thisisu

    thisisu Malware Consultant

    Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2

    If you have a 64-bit system, please download the 64 bit version from here:
    SystemLook (64-bit)

    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RpcEptMapper /s
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper /s
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\RpcEptMapper /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DcomLaunch /s
    :service
    RpcSs
    RpcEptMapper
    DcomLaunch
    :filefind
    rpcrt4.dll
    secur32.dll
    schannel.dll
    netlogon.dll
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)
     
  41. cpk

    cpk Private E-2

    SystemLook log...
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @thisisu
    RpcEptMapper is not part of Win XP. It is Win 7 only.

    You need to fix the LEGACY_NETBT key.
     
  43. thisisu

    thisisu Malware Consultant

    Thank you chaslang :)

    Please download MiniRegTool.zip and unzip it.

    • Run the tool.
    • Copy and paste the following into the edit box:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT

    • Check Unlock Keys radio button.
    • Press the Go button. When it says Unlock Completed, press the List Permissions radio button and then press the Go button again.
    • A result file (Result.txt) will pop up. A copy of Result.txt will be saved in the same directory the tool is run from. Attach this to your next message.
     
  44. cpk

    cpk Private E-2

    MiniRegTool log...
     

    Attached Files:

  45. thisisu

    thisisu Malware Consultant

    No good, try this way:

    Backup Your Registry with ERUNT first!

    • Please download Erunt
    • Run the setup program to install ERUNT on your computer
    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe

    Click the Start button > Run - copy and paste this command in the box regedit then click OK.

    The Registry Editor opens
    Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT

    Right-mouse click the yellow folder looking icon associated with this key -> Select "Permissions..."
    A new window should have opened

    Look under Group or user names:
    Do you see "Everyone" ?
    If so, click "Everyone" so it is now highlighted.
    Then look down to where it says: "Permissions for Everyone"
    When you see it, put a checkmark in "Full Control"
    Now Press OK
    The Permissions window will close, now just exit out of the Registry Editor by clicking the [X] in the top right.

    Let me know if you have any questions, whether you feel that you did it correctly, or if you received any errors along the way.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MiniRegTool cannot help you in this matter. You need to manually take ownership for Everyone and then, after taking ownership, set Full Permissions for Everyone. Also, in reality the below is the key you need to do this for, so that you can set the active service parameter.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT\0000\Control


    What you are trying to get is the below into the registry:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT\0000\Control]
    "ActiveService"="NetBT"


    Also, the below need to be set, but these likely don't need permission changes to fix:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
    "Tag"=dword:00000005

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
    "EnableLMHOSTS"=dword:00000001
     
  47. cpk

    cpk Private E-2

    Found it just fine, no errors along the way. Put a check in "allow" next to "Full Control"...
     
  48. thisisu

    thisisu Malware Consultant

    Ok good :)

    ========WARNING========
    The below is specifically for cpk's computer
    Do NOT run the below if you are not cpk
    Doing so may damage your PC!
    ========WARNING========

    Attached is legacy_netbt.zip

    Inside is:
    • legacy_netbt.reg

    Extract legacy_netbt.reg to the infected computer's desktop.

    First double-click legacy_netbt.reg and allow it to merge into the registry. You should receive a successful message.

    • If you did not, stop here and let me know.
    • If you did receive a successful message, continue on with these steps:

    _________________________________________________________________

    Reboot your PC <-- do not skip this step

    Once you have rebooted, test your internet again.

    If it still is not working, run the C:\MGtools\FixNet.bat file and let it reboot your PC again.

    Then test it again and attach the latest MGlogs.zip
     

    Attached Files:

  49. cpk

    cpk Private E-2

    legacy_netbt.reg merged just fine. Rebooted, no IP address from the LAN. Ran the FixNet batch file, rebooted, still no IP address. Attached are the latest MGlogs...
     

    Attached Files:

  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not the C:\MGlogs.zip file. Please attach the correct file.
     
