Stuck on Acquiring Network Address


8 replies to this topic

#1 jkim0930

jkim0930

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 03 December 2011 - 06:00 PM

Hi all,

Hoping to get some help here as I have been without internet connection for almost a week now!

About a week ago I was infected with some serious viruses that MalwareBytes was not picking up. I downloaded AVG Antivirus 2012 which seemed to find and fix everything, but after restarting I noticed my internet connection had been lost. This computer is directly connected with the ethernet cord and my other computer which is connected via wifi has no issues. The status is stuck at "acquiring network address" and my IP is at 0.0.0.0.

One thing I did notice was during the AVG scan that found and fixed my computer, it mentioned that my netbt.sys file was infected with the Trojan Horse Agent_r.ATS.

After doing a bunch of searches for similar issues I've tried using winsockfix, lspfix, and still have had no luck. My DHCP and TCP/IP are enabled.

I'm not very tech-savvy so I would really appreciate some step by step guidance to help me get back online!! Thanks so much in advance!

Edited by hamluis, 03 December 2011 - 06:26 PM.
Moved from XP to Am I Infected.




#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:25 PM

Posted 03 December 2011 - 11:05 PM

Welcome aboard

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check "Include All Files" option.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 jkim0930

jkim0930

Posted 04 December 2011 - 11:26 AM

Hello! Here you go:

Farbar Service Scanner
Ran by Administrator (administrator) on 04-12-2011 at 11:24:04
Microsoft Windows XP Service Pack 2 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of NetBt. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of NetBt. The value does not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2006-02-27 21:00] - [2006-02-27 21:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2006-02-27 21:00] - [2009-02-09 05:01] - 0401408 ____A (Microsoft Corporation) 24B5D53B9ACCC1E2EDCF0A878D6659D4

C:\WINDOWS\system32\services.exe
[2006-02-27 21:00] - [2009-02-06 05:22] - 0110592 ____A (Microsoft Corporation) 4712531AB7A01B7EE059853CA17D39BD

C:\WINDOWS\system32\dhcpcsvc.dll
[2006-02-27 21:00] - [2005-03-11 20:01] - 0111104 ____A (Microsoft Corporation) FD4527B1552BD1E93C22E664EB0BD4EB

C:\WINDOWS\system32\Drivers\afd.sys
[2006-02-27 21:00] - [2008-08-14 04:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702

C:\WINDOWS\system32\Drivers\netbt.sys
[2006-02-27 21:00] - [2006-02-28 02:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-02-27 21:00] - [2008-06-20 05:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2006-02-27 21:00] - [2006-02-27 21:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2006-02-27 21:00] - [2006-02-27 21:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****

#4 Broni

Broni


Posted 04 December 2011 - 01:24 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator.
  • Copy the content of the following box and paste it into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



 


#5 jkim0930

jkim0930

Posted 04 December 2011 - 11:47 PM

Here you go:

SystemLook 30.07.11 by jpshortstuff
Log created at 23:45 on 04/12/2011 by Administrator
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt]
"Tag"= 0x0000000057 (87)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Linkage]
"Bind"="\Device\Tcpip_{F5030DEE-D5AD-4D6B-8C16-31E8EEBAA78F} \Device\Tcpip_{866CDCA3-310D-435A-83E8-71E3389D5BA9} \Device\Tcpip_{AAC2D6EA-2FB9-42A6-8999-0EF445AB4E5A}"
"Route"=""Tcpip" "{F5030DEE-D5AD-4D6B-8C16-31E8EEBAA78F}" "Tcpip" "NdisWanIp""
"Export"="\Device\NetBT_Tcpip_{F5030DEE-D5AD-4D6B-8C16-31E8EEBAA78F} \Device\NetBT_Tcpip_{866CDCA3-310D-435A-83E8-71E3389D5BA9} \Device\NetBT_Tcpip_{AAC2D6EA-2FB9-42A6-8999-0EF445AB4E5A}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters]
"BcastNameQueryCount"= 0x0000000003 (3)
"BcastQueryTimeout"= 0x00000002ee (750)
"CacheTimeout"= 0x00000927c0 (600000)
"NameServerPort"= 0x0000000089 (137)
"NameSrvQueryCount"= 0x0000000003 (3)
"NameSrvQueryTimeout"= 0x00000005dc (1500)
"NbProvider"="_tcp"
"SessionKeepAlive"= 0x000036ee80 (3600000)
"Size/Small/Medium/Large"= 0x0000000001 (1)
"TransportBindName"="\Device\"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Enum]
"0"="Root\LEGACY_NETBT\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)


-= EOF =-

#6 Broni

Broni


Posted 05 December 2011 - 12:00 AM

It looks like this key has been "edited" by the infection.

Following steps involve registry editing. Please create new restore point before proceeding!!!

Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find three files inside.
Right click on netbt.reg file, click "Merge".
Allow registry merge.
Restart computer and see if internet works.


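The finding from posts #3 to #6, as an added example that is not part of the original thread: this Python sketch parses a SystemLook `:reg` dump and lists which service-control values are absent from a service's root key. The function names and the `REQUIRED` list are assumptions of this example (`Start` and `ImagePath` are the two values FSS flagged above; `Type` and `ErrorControl` are the other standard per-service values), and the sample is an abbreviated excerpt of the log in post #5.

```python
import re

# Values the Service Control Manager reads from a service's root key.
# Start and ImagePath are the two FSS flagged in this thread; Type and
# ErrorControl are added here as the other standard values (assumption).
REQUIRED = ("Type", "Start", "ErrorControl", "ImagePath")

KEY_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\services\netbt]
VAL_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')  # "Name"= value

# Abbreviated excerpt of the SystemLook log posted in reply #5.
SAMPLE = r'''
========== reg ==========

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt]
"Tag"= 0x0000000057 (87)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters]
"NbProvider"="_tcp"
"TransportBindName"="\Device\"
'''

def parse_systemlook_reg(text):
    """Return {lowercased key path: {value name: raw value}} from a :reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys

def missing_service_values(keys, service_key):
    """List REQUIRED values absent from the service's root key (subkeys don't count)."""
    root = keys.get(service_key.lower())
    if root is None:
        return list(REQUIRED)
    present = {name.lower() for name in root}
    return [v for v in REQUIRED if v.lower() not in present]

if __name__ == "__main__":
    svc = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt"
    print(missing_service_values(parse_systemlook_reg(SAMPLE), svc))
```
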

 


#7 jkim0930

jkim0930

Posted 06 December 2011 - 06:51 PM

Thank you SOOO MUCH! Problem is fixed and internet is working fine :clapping:

#8 Broni

Broni


Posted 06 December 2011 - 09:04 PM

Cool beans :)



 


#9 vw242

vw242

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 08 December 2011 - 11:04 AM

Worked for me when I got xp 2012 virus. Ran rkill, combofix, mbam and SAS then when I started up the next day no connection. Thank you so much!

Edited by vw242, 08 December 2011 - 11:05 AM.




