BleepingComputer.com: Cannot connect to Internet after removing virus



Cannot connect to Internet after removing virus Cloud AV 12

#1 Kevinnh

  • New Member
  • Group: Members
  • Posts: 5
  • Joined: 24-November 11

Posted 25 November 2011 - 01:19 PM

I recently got hit with Cloud AV 12 and was unable to get connected back to the internet after. I think I was able to remove all remnants of the virus. I followed one of the threads on here and did as many of the steps as I could to make sure there were no other problems. Thread: http://www.bleepingcomputer.com/forums/topic426157.html

I uploaded my system.bak at 4:23 PM EST yesterday.

SystemLook 30.07.11 by jpshortstuff
Log created at 13:40 on 24/11/2011 by KevinN
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD]
"DisplayName"="AFD"
"Description"="AFD Networking Support Environment"
"Group"="TDI"
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"
"Start"= 0x0000000001 (1)
"Type"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD\Parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD\Security]

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD\Enum]


-= EOF =-

This was my SystemLook file for afd.sys.

I tried to use the fix that you used for SeanR, but it did not work, so I used ERUNT to restore back to the previous state.

Any help is appreciated. Thanks

Kevin

#2 Elise

  • Bleepin' Blonde
  • Group: Malware Study Hall Admin
  • Posts: 39,020
  • Joined: 05-October 07
  • Gender: Female
  • Location: Romania

Posted 25 November 2011 - 01:29 PM

Please do NOT copy fixes that were created for other users, they may do more damage than good when used on another system!

Let's have a look at all internet-related services and files.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check "Include All Files" option.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

#3 Kevinnh

Posted 25 November 2011 - 02:02 PM

Thanks for the information. I will keep that in mind from now on.

Farbar Service Scanner
Ran by KevinN (administrator) on 25-11-2011 at 11:59:44
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Unable to retrieve start type of NetBt. The value might not exist.
Unable to retrieve ImagePath of NetBt. The value might not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to Google returned error: Google site is unreachable
Attempt to yahoo returend error: Yahoo site is unreachable

**** End of log ****

#4 Elise

Posted 25 November 2011 - 02:07 PM

Hi again, the NetBT service is missing here.

BACKUP THE REGISTRY
---------------------------
Back up your registry with ERUNT
  • Please download ERUNT
  • Run the setup program to install ERUNT on your computer
  • Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Please click Start > Run, type notepad and press Enter. Copy and paste the following text into Notepad and save it as Fixme.reg to your desktop:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"Bind"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,\
  00,69,00,70,00,5f,00,7b,00,45,00,36,00,44,00,33,00,31,00,34,00,43,00,43,00,\
  2d,00,39,00,43,00,31,00,35,00,2d,00,34,00,35,00,46,00,46,00,2d,00,39,00,41,\
  00,39,00,43,00,2d,00,46,00,35,00,32,00,34,00,35,00,42,00,41,00,36,00,45,00,\
  41,00,42,00,37,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,\
  00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,31,00,35,00,37,00,34,00,42,00,\
  36,00,36,00,36,00,2d,00,39,00,34,00,30,00,45,00,2d,00,34,00,41,00,41,00,31,\
  00,2d,00,38,00,45,00,33,00,42,00,2d,00,33,00,31,00,30,00,32,00,44,00,44,00,\
  33,00,39,00,42,00,42,00,43,00,31,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,\
  00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,41,00,32,00,\
  37,00,34,00,44,00,35,00,42,00,38,00,2d,00,36,00,34,00,42,00,46,00,2d,00,34,\
  00,41,00,46,00,34,00,2d,00,39,00,43,00,45,00,31,00,2d,00,43,00,38,00,37,00,\
  34,00,35,00,31,00,31,00,38,00,41,00,35,00,36,00,32,00,7d,00,00,00,00,00
"Route"=hex(7):22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,45,\
  00,36,00,44,00,33,00,31,00,34,00,43,00,43,00,2d,00,39,00,43,00,31,00,35,00,\
  2d,00,34,00,35,00,46,00,46,00,2d,00,39,00,41,00,39,00,43,00,2d,00,46,00,35,\
  00,32,00,34,00,35,00,42,00,41,00,36,00,45,00,41,00,42,00,37,00,7d,00,22,00,\
  00,00,22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,4e,00,64,00,69,\
  00,73,00,57,00,61,00,6e,00,49,00,70,00,22,00,00,00,00,00
"Export"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,\
  00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,45,00,36,00,\
  44,00,33,00,31,00,34,00,43,00,43,00,2d,00,39,00,43,00,31,00,35,00,2d,00,34,\
  00,35,00,46,00,46,00,2d,00,39,00,41,00,39,00,43,00,2d,00,46,00,35,00,32,00,\
  34,00,35,00,42,00,41,00,36,00,45,00,41,00,42,00,37,00,7d,00,00,00,5c,00,44,\
  00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,\
  54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,31,00,35,00,37,00,34,00,42,00,36,\
  00,36,00,36,00,2d,00,39,00,34,00,30,00,45,00,2d,00,34,00,41,00,41,00,31,00,\
  2d,00,38,00,45,00,33,00,42,00,2d,00,33,00,31,00,30,00,32,00,44,00,44,00,33,\
  00,39,00,42,00,42,00,43,00,31,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\
  63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,\
  00,70,00,5f,00,7b,00,41,00,32,00,37,00,34,00,44,00,35,00,42,00,38,00,2d,00,\
  36,00,34,00,42,00,46,00,2d,00,34,00,41,00,46,00,34,00,2d,00,39,00,43,00,45,\
  00,31,00,2d,00,43,00,38,00,37,00,34,00,35,00,31,00,31,00,38,00,41,00,35,00,\
  36,00,32,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{1574B666-940E-4AA1-8E3B-3102DD39BBC1}]
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{A274D5B8-64BF-4AF4-9CE1-C8745118A562}]
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{E6D314CC-9C15-45FF-9A9C-F5245BA6EAB7}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000
"DhcpNameServerList"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,31,\
  00,33,00,33,00,2e,00,32,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
  00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
  00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
  01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Exit Notepad and double-click Fixme.reg to run it. You'll be asked to confirm; click Yes. When finished, restart your computer and let me know if the internet works now.
regards, Elise

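Before importing a .reg fix like the one above, it is worth decoding the hex(2)/hex(7) values to see exactly what will be written: ImagePath is a REG_EXPAND_SZ string stored as UTF-16LE bytes, while DependOnService and the Linkage values are REG_MULTI_SZ lists. The Python below is an added example, not code from the thread or from any BleepingComputer tool; the embedded .reg text is a constructed sample made of a subset of the fix posted above, with the values copied unchanged. Decoding the Linkage Route value also shows why fixes written for another machine must not be reused: it names the adapter GUID {E6D314CC-9C15-45FF-9A9C-F5245BA6EAB7} of this particular system, the same GUID that appears in the Parameters\Interfaces subkeys of the fix.

```python
"""Decode a .reg export (the format of Fixme.reg above) so a fix can be reviewed
before it is imported. Added example; not code from the thread or any tool in it."""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: a subset of the NetBT fix posted above, values copied unchanged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Linkage]
"Route"=hex(7):22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,45,\
  00,36,00,44,00,33,00,31,00,34,00,43,00,43,00,2d,00,39,00,43,00,31,00,35,00,\
  2d,00,34,00,35,00,46,00,46,00,2d,00,39,00,41,00,39,00,43,00,2d,00,46,00,35,\
  00,32,00,34,00,35,00,42,00,41,00,36,00,45,00,41,00,42,00,37,00,7d,00,22,00,\
  00,00,22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,4e,00,64,00,69,\
  00,73,00,57,00,61,00,6e,00,49,00,70,00,22,00,00,00,00,00
'''

GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")


def _logical_lines(text: str) -> List[str]:
    """Join hex values that .reg files continue over lines with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if "=hex" in line and line.endswith("\\"):
            buf = line[:-1]
            continue
        out.append(line)
    return out


def decode_value(raw: str) -> Tuple[str, Any]:
    """Decode the right-hand side of a .reg line into (registry type name, Python value)."""
    if raw.startswith('"') and raw.endswith('"'):          # REG_SZ with \" and \\ escapes
        return "REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[len("dword:"):], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        raise ValueError(f"unsupported value syntax: {raw!r}")
    subtype = int(m.group(1) or 3)                           # bare "hex:" is REG_BINARY (3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if subtype == 2:                                         # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    if subtype == 7:                                         # REG_MULTI_SZ: NUL-separated, double NUL at end
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s]
    return ("REG_BINARY" if subtype == 3 else f"hex({subtype})"), data


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, Any]]]:
    """Map each [key] to its decoded values; '@' (a key's default value) is stored as ''."""
    keys: Dict[str, Dict[str, Tuple[str, Any]]] = {}
    current = ""
    for line in _logical_lines(text):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, _, raw = line.partition("=")
        keys[current][name.strip('"') if name != "@" else ""] = decode_value(raw)
    return keys


def check_kernel_driver(service: Dict[str, Tuple[str, Any]], driver_file: str) -> List[str]:
    """Sanity-check a driver service entry; an empty list means it looks consistent."""
    problems = []
    if service.get("Type", (None, None))[1] != 1:
        problems.append("Type must be 1 (SERVICE_KERNEL_DRIVER)")
    if service.get("Start", (None, None))[1] != 1:
        problems.append("Start should be 1 (SERVICE_SYSTEM_START), as AFD has in the SystemLook output")
    kind, path = service.get("ImagePath", (None, ""))
    if kind != "REG_EXPAND_SZ" or not str(path).lower().endswith("\\" + driver_file.lower()):
        problems.append(f"ImagePath {path!r} should be a REG_EXPAND_SZ path ending in {driver_file}")
    return problems


def adapter_guids(keys: Dict[str, Dict[str, Tuple[str, Any]]]) -> List[str]:
    """GUIDs in key names or string values: they tie the fix to one machine's adapters."""
    found = set()
    for key, values in keys.items():
        found.update(GUID_RE.findall(key))
        for _kind, value in values.values():
            for part in (value if isinstance(value, list) else [value]):
                if isinstance(part, str):
                    found.update(GUID_RE.findall(part))
    return sorted(found)


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    netbt = keys[r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT"]
    for name, (kind, value) in netbt.items():
        print(f"{name:16} {kind:14} {value!r}")
    print("problems:", check_kernel_driver(netbt, "netbt.sys") or "none")
    print("adapter GUIDs bound by this fix:", adapter_guids(keys))
```

Run against the full Fixme.reg, adapter_guids() returns the three GUIDs from the Bind, Route and Export values and the Interfaces subkeys; a fix whose GUIDs do not match the adapters on the target machine (visible under HKLM\SYSTEM\CurrentControlSet\Control\Network) belongs to someone else's system.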

#5 Kevinnh

Posted 25 November 2011 - 02:34 PM

The internet connection is still showing as trying to acquire an address. I copied everything exactly in the box and it confirmed adding everything into the registry. When I ran FSS.exe it still shows netbt.sys as missing.

Does this mean that there are some remnants of the virus?

Kevin

#6 Elise

Posted 25 November 2011 - 03:00 PM

Sorry, that is my bad, we fixed the service, but I completely forgot about the file.

Please run Farbar Service Scanner.
Type the following in the edit box after "Search:".

netbt.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.
regards, Elise


#7 Kevinnh

Posted 25 November 2011 - 03:09 PM

Farbar Service Scanner
Ran by KevinN (administrator) on 25-11-2011 at 13:05:58
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: netbt.sys ===================

C:\WINDOWS\system32\dllcache\netbt.sys
[2008-04-14 05:00] - [2008-04-14 05:00] - 0162816 ___AC (Microsoft Corporation) 74B2B2F5BEA5E9A3DC021D685551BD3D

====== End Of Search ======

#8 Elise

Posted 25 November 2011 - 03:20 PM

Please navigate to this file: C:\WINDOWS\system32\dllcache\netbt.sys <-- right click and select Copy.
Navigate to c:\windows\system32\drivers, right click in an empty space in that folder and select Paste.

Then restart your computer and see if the internet works.
regards, Elise

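The manual copy in this post is the second half of the repair: the .reg file recreated the NetBT service entry, but a service whose ImagePath points at a file that is not there still cannot start, which is why FSS kept reporting netbt.sys as missing. The Python below is an added example (not from the thread or from any tool mentioned in it) that automates the same step and adds the check a responder would want: compare the MD5 of the dllcache copy against a known-good value before trusting it, since the same infection that deleted the driver could have replaced the cached copy (FSS prints the hash it finds, as in post #7). It builds a throwaway directory tree standing in for C:\WINDOWS so it runs on any OS; the stand-in file contents and hashes are constructed, and "netbt.sys" is only a filename here, not the real driver.

```python
"""Restore a missing kernel driver from the dllcache copy, verifying its hash first.
Added example, not part of the thread; a temporary tree stands in for C:\\WINDOWS."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict


def md5_of(path: str) -> str:
    """Upper-case hex MD5 of a file, read in chunks (FSS reports MD5 in this form)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def restore_driver(windows_dir: str, driver: str, expected_md5: str) -> str:
    """Mirror the manual steps above: if system32\\drivers\\<driver> is missing, copy
    it from system32\\dllcache, but only when the cached copy's MD5 matches the
    known-good value. Returns 'present', 'restored', 'no-cache-copy' or 'hash-mismatch'."""
    target = os.path.join(windows_dir, "system32", "drivers", driver)
    cached = os.path.join(windows_dir, "system32", "dllcache", driver)  # hidden folder on XP
    if os.path.isfile(target):
        return "present"
    if not os.path.isfile(cached):
        return "no-cache-copy"
    if md5_of(cached) != expected_md5.upper():
        return "hash-mismatch"          # do not trust a cache copy that is not the known file
    os.makedirs(os.path.dirname(target), exist_ok=True)
    shutil.copy2(cached, target)        # copy2 keeps the timestamps, like Explorer's copy/paste
    return "restored"


def demo() -> Dict[str, str]:
    """Constructed scenario: netbt.sys exists only in dllcache, as in post #7."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "system32", "dllcache"))
    os.makedirs(os.path.join(root, "system32", "drivers"))
    payload = b"constructed stand-in for netbt.sys, not the real driver"
    with open(os.path.join(root, "system32", "dllcache", "netbt.sys"), "wb") as f:
        f.write(payload)
    good = hashlib.md5(payload).hexdigest().upper()
    results = {
        "wrong_hash": restore_driver(root, "netbt.sys", "0" * 32),   # constructed bad reference
        "first_run": restore_driver(root, "netbt.sys", good),
        "second_run": restore_driver(root, "netbt.sys", good),
        "missing": restore_driver(root, "tcpip.sys", good),          # nothing cached to restore
        "restored_md5": md5_of(os.path.join(root, "system32", "drivers", "netbt.sys")),
        "good_md5": good,
    }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:13} {outcome}")
```

On a real system the reference hash should come from a trusted source (the FSS "MD5 is legit" check or a clean install of the same service pack), not from the suspect machine; MD5 is used here only because that is what the tool in the thread reports, not because it resists a deliberate collision.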

#9 Kevinnh

Posted 25 November 2011 - 03:46 PM

It took me a minute to figure out where that folder was, with it being hidden. Thanks a lot, everything is working again!

Kevin

#10 Elise

Posted 26 November 2011 - 03:47 AM

Sorry, I was a bit in a hurry (have spent the biggest part of yesterday without power at home), I should have included instructions for that. Glad to hear it works fine now. :)

Please let me know if you have any other problem.
regards, Elise

