
Cannot connect to Internet after removing virus


9 replies to this topic

#1 Kevinnh

Kevinnh


Posted 25 November 2011 - 01:19 PM

I recently got hit with Cloud AV 12 and was unable to get connected back to the internet after. I think I was able to remove all remnants of the virus. I followed one of the threads on here and did as many of the steps as I could to make sure there were no other problems. Thread: http://www.bleepingcomputer.com/forums/topic426157.html

I uploaded my system.bak at 4:23p EST yesterday.

SystemLook 30.07.11 by jpshortstuff
Log created at 13:40 on 24/11/2011 by KevinN
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD]
"DisplayName"="AFD"
"Description"="AFD Networking Support Environment"
"Group"="TDI"
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"
"Start"= 0x0000000001 (1)
"Type"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD\Parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD\Security]

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD\Enum]


-= EOF =-

This was my system look file for afd.sys.

I tried to use the fix that you used for SeanR, but it did not work, so I used Erunt to restore back to the previous.

Any help is appreciated. Thanks

Kevin


#2 Elise

Elise

  • Malware Study Hall Admin

Posted 25 November 2011 - 01:29 PM

Please do NOT copy fixes that were created for other users, they may do more damage than good when used on another system!

Let's have a look at all internet related services and files.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check "Include All Files" option.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft

#3 Kevinnh

Kevinnh
  • Topic Starter


Posted 25 November 2011 - 02:02 PM

Thanks for the information. I will keep that in mind from now on.

Farbar Service Scanner
Ran by KevinN (administrator) on 25-11-2011 at 11:59:44
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Unable to retrieve start type of NetBt. The value might not exist.
Unable to retrieve ImagePath of NetBt. The value might not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to Google returned error: Google site is unreachable
Attempt to yahoo returend error: Yahoo site is unreachable

**** End of log ****
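Logs like the one above carry the whole diagnosis: a service that is stopped but correctly configured (Dhcp) versus a service whose registry values no longer exist (NetBt), and a driver file that is absent from the drivers folder. As an added example, not code from the thread or from Farbar's tool, here is a small Python parser that reads an FSS log of this shape and turns the service, file and connection checks into a list of findings. The log text embedded in it is a constructed excerpt modelled on Kevin's post, and the triage wording in `triage()` is my own heuristic, not FSS output.

```python
import re

# Constructed excerpt modelled on the Farbar Service Scanner log posted above.
SAMPLE_FSS_LOG = r"""Farbar Service Scanner
Ran by KevinN (administrator) on 25-11-2011 at 11:59:44
Microsoft Windows XP Service Pack 3 (X86)

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Unable to retrieve start type of NetBt. The value might not exist.
Unable to retrieve ImagePath of NetBt. The value might not exist.

File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
"""

# Line shapes taken from the log format shown in the thread.
NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
CONFIG_MISSING = re.compile(r"^Unable to retrieve (start type|ImagePath|ServiceDll) of (\w+)\.")
FILE_MISSING = re.compile(r"^(.+?) is missing\.$")
FILE_OK = re.compile(r"^(.+?) => MD5 is legit$")
NO_NETWORK = "There is no connection to network."


def parse_fss_log(text):
    """Return {"services": {...}, "files": {...}, "network_down": bool} for one FSS log."""
    services, files = {}, {}
    network_down = False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := NOT_RUNNING.match(line)):
            services.setdefault(m.group(1), {"running": False, "missing_values": []})
        elif (m := CONFIG_MISSING.match(line)):
            entry = services.setdefault(m.group(2), {"running": False, "missing_values": []})
            entry["missing_values"].append(m.group(1))  # e.g. "start type", "ImagePath"
        elif (m := FILE_MISSING.match(line)):
            files[m.group(1)] = "missing"
        elif (m := FILE_OK.match(line)):
            files[m.group(1)] = "ok"
        elif line == NO_NETWORK:
            network_down = True
    return {"services": services, "files": files, "network_down": network_down}


def triage(report):
    """Turn a parsed report into human-readable findings (my own heuristic ordering)."""
    findings = []
    for name, info in report["services"].items():
        if info["missing_values"]:
            findings.append(f"{name}: service key incomplete, missing "
                            f"{', '.join(info['missing_values'])}; recreate the service registration")
        elif not info["running"]:
            # Configured correctly but stopped: usually a dependency failed to start.
            findings.append(f"{name}: configured correctly but stopped; check the services it depends on")
    for path, state in report["files"].items():
        if state == "missing":
            findings.append(f"{path}: file missing; restore a known-good copy (e.g. from dllcache) and re-scan")
    if report["network_down"] and not findings:
        findings.append("no network but services and files look fine; check adapter, DHCP lease and DNS manually")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_fss_log(SAMPLE_FSS_LOG)):
        print(finding)
```

On the sample above this yields three findings: Dhcp stopped but intact, NetBt with its start type and ImagePath values gone, and netbt.sys missing from the drivers folder, which is exactly the order in which the thread repairs them.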

#4 Elise

Elise

  • Malware Study Hall Admin

Posted 25 November 2011 - 02:07 PM

Hi again, the NetBT service is missing here.

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
  • Please download Erunt
  • Run the setup program to install ERUNT on your computer
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Please click Start > Run, type notepad and press Enter. Copy and paste the following text into Notepad and save it as Fixme.reg to your desktop.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"Bind"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,\
  00,69,00,70,00,5f,00,7b,00,45,00,36,00,44,00,33,00,31,00,34,00,43,00,43,00,\
  2d,00,39,00,43,00,31,00,35,00,2d,00,34,00,35,00,46,00,46,00,2d,00,39,00,41,\
  00,39,00,43,00,2d,00,46,00,35,00,32,00,34,00,35,00,42,00,41,00,36,00,45,00,\
  41,00,42,00,37,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,\
  00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,31,00,35,00,37,00,34,00,42,00,\
  36,00,36,00,36,00,2d,00,39,00,34,00,30,00,45,00,2d,00,34,00,41,00,41,00,31,\
  00,2d,00,38,00,45,00,33,00,42,00,2d,00,33,00,31,00,30,00,32,00,44,00,44,00,\
  33,00,39,00,42,00,42,00,43,00,31,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,\
  00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,41,00,32,00,\
  37,00,34,00,44,00,35,00,42,00,38,00,2d,00,36,00,34,00,42,00,46,00,2d,00,34,\
  00,41,00,46,00,34,00,2d,00,39,00,43,00,45,00,31,00,2d,00,43,00,38,00,37,00,\
  34,00,35,00,31,00,31,00,38,00,41,00,35,00,36,00,32,00,7d,00,00,00,00,00
"Route"=hex(7):22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,45,\
  00,36,00,44,00,33,00,31,00,34,00,43,00,43,00,2d,00,39,00,43,00,31,00,35,00,\
  2d,00,34,00,35,00,46,00,46,00,2d,00,39,00,41,00,39,00,43,00,2d,00,46,00,35,\
  00,32,00,34,00,35,00,42,00,41,00,36,00,45,00,41,00,42,00,37,00,7d,00,22,00,\
  00,00,22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,4e,00,64,00,69,\
  00,73,00,57,00,61,00,6e,00,49,00,70,00,22,00,00,00,00,00
"Export"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,\
  00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,45,00,36,00,\
  44,00,33,00,31,00,34,00,43,00,43,00,2d,00,39,00,43,00,31,00,35,00,2d,00,34,\
  00,35,00,46,00,46,00,2d,00,39,00,41,00,39,00,43,00,2d,00,46,00,35,00,32,00,\
  34,00,35,00,42,00,41,00,36,00,45,00,41,00,42,00,37,00,7d,00,00,00,5c,00,44,\
  00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,\
  54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,31,00,35,00,37,00,34,00,42,00,36,\
  00,36,00,36,00,2d,00,39,00,34,00,30,00,45,00,2d,00,34,00,41,00,41,00,31,00,\
  2d,00,38,00,45,00,33,00,42,00,2d,00,33,00,31,00,30,00,32,00,44,00,44,00,33,\
  00,39,00,42,00,42,00,43,00,31,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\
  63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,\
  00,70,00,5f,00,7b,00,41,00,32,00,37,00,34,00,44,00,35,00,42,00,38,00,2d,00,\
  36,00,34,00,42,00,46,00,2d,00,34,00,41,00,46,00,34,00,2d,00,39,00,43,00,45,\
  00,31,00,2d,00,43,00,38,00,37,00,34,00,35,00,31,00,31,00,38,00,41,00,35,00,\
  36,00,32,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{1574B666-940E-4AA1-8E3B-3102DD39BBC1}]
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{A274D5B8-64BF-4AF4-9CE1-C8745118A562}]
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{E6D314CC-9C15-45FF-9A9C-F5245BA6EAB7}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000
"DhcpNameServerList"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,31,\
  00,33,00,33,00,2e,00,32,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
  00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
  00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
  01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Exit Notepad and double click on Fixme.reg to run it. You'll be asked to confirm, click Yes. When finished restart your computer and let me know if the internet works now.

regards, Elise


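The Fixme.reg above stores ImagePath as hex(2) (REG_EXPAND_SZ) and DependOnService as hex(7) (REG_MULTI_SZ), both as comma-separated UTF-16LE bytes folded across lines with a trailing backslash, so it is not obvious at a glance what the fix actually writes. As an added example, not code from the thread, this Python decoder reads a .reg fragment (a constructed excerpt of the NetBT key above), unfolds the continued lines and decodes each value type so the contents can be verified before the file is merged. `service_summary` is my own helper name, and the start-type names follow the documented SCM values (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).

```python
import re

# Constructed excerpt of the Fixme.reg posted above (only the main NetBT key).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


def unfold(text):
    """A trailing backslash means the value continues on the next line."""
    return text.replace("\\\n", "")


def decode_value(raw):
    """Decode one .reg value into (type name, Python value)."""
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[len("dword:"):], 16))
    if raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", raw[1:-1].replace("\\\\", "\\").replace('\\"', '"'))
    m = HEX_RE.match(raw)
    if not m:
        raise ValueError(f"unsupported value syntax: {raw!r}")
    kind = int(m.group("type") or "3", 16)  # plain hex: means REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
    if kind == 2:  # REG_EXPAND_SZ: one UTF-16LE string, NUL-terminated
        return ("REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00"))
    if kind == 7:  # REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, list ends with an extra NUL
        return ("REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s])
    return (f"REG_BINARY(hex({kind:x}))", data)


def parse_reg(text):
    """Return {key path: {value name: (type, value)}} for a Windows Registry Editor 5.00 file."""
    keys, current = {}, None
    for line in unfold(text).splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if (km := KEY_RE.match(line)):
            current = keys.setdefault(km.group("key"), {})
        elif (vm := VALUE_RE.match(line)) and current is not None:
            current[vm.group("name")] = decode_value(vm.group("value"))
    return keys


def service_summary(keys, service):
    """Summarise what the fix registers for one service (helper name is my own)."""
    values = keys[rf"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service}"]
    start = values["Start"][1]
    return {
        "start": start,
        "start_name": START_TYPES.get(start, "unknown"),
        "driver": values["Type"][1] == 1,  # SERVICE_KERNEL_DRIVER
        "image_path": values["ImagePath"][1],
        "depends_on": values.get("DependOnService", ("REG_MULTI_SZ", []))[1],
        "depends_on_group": values.get("DependOnGroup", ("REG_MULTI_SZ", []))[1],
    }


if __name__ == "__main__":
    print(service_summary(parse_reg(SAMPLE_REG), "NetBT"))
```

Decoding shows the key registers a kernel driver with system start, an ImagePath of `system32\DRIVERS\netbt.sys` and a dependency on Tcpip only; the registry entry alone does nothing until that file exists, which is the gap the later posts close.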


#5 Kevinnh

Kevinnh
  • Topic Starter


Posted 25 November 2011 - 02:34 PM

The internet connection is still showing as trying to acquire an address. I copied everything exactly in the box and it confirmed adding everything into the registry. When I ran FSS.exe it still shows netbt.sys as missing.

Does this mean that there are some remnants of the virus?

Kevin

#6 Elise

Elise

  • Malware Study Hall Admin

Posted 25 November 2011 - 03:00 PM

Sorry, that is my bad, we fixed the service, but I completely forgot about the file.

Please run Farbar Service Scanner.
Type the following in the edit box after "Search:".

netbt.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.

regards, Elise




#7 Kevinnh

Kevinnh
  • Topic Starter


Posted 25 November 2011 - 03:09 PM

Farbar Service Scanner
Ran by KevinN (administrator) on 25-11-2011 at 13:05:58
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: netbt.sys ===================

C:\WINDOWS\system32\dllcache\netbt.sys
[2008-04-14 05:00] - [2008-04-14 05:00] - 0162816 ___AC (Microsoft Corporation) 74B2B2F5BEA5E9A3DC021D685551BD3D

====== End Of Search ======

#8 Elise

Elise

  • Malware Study Hall Admin

Posted 25 November 2011 - 03:20 PM

Please navigate to this file: C:\WINDOWS\system32\dllcache\netbt.sys <-- right click and select Copy.
Navigate to c:\windows\system32\drivers, right click in an empty space in that folder and select Paste.

Then restart your computer and see if the internet works.

regards, Elise




#9 Kevinnh

Kevinnh
  • Topic Starter


Posted 25 November 2011 - 03:46 PM

It took me a minute to figure out where that folder was, with it being hidden. Thanks a lot, everything is working again!

Kevin

#10 Elise

Elise

  • Malware Study Hall Admin

Posted 26 November 2011 - 03:47 AM

Sorry, I was a bit in a hurry (have spent the biggest part of yesterday without power at home), I should have included instructions for that. Glad to hear it works fine now. :)

Please let me know if you have any other problem.

regards, Elise

