Fixed rootkit.zeroaccess with combofix but now no internet.


13 replies to this topic

#1 keithgmccall

keithgmccall

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:12 AM

Posted 13 December 2011 - 11:22 PM

I recently got a virus while trying to watch a TV show online. It wouldn't let me do anything. I was finally able to start and run combofix in safe mode. It told me that I had the rootkit.zero access. It was able to get rid of it and my computer is running normally except that I am not able to connect to the internet. When I click repair it says it can't renew the IP address. I tried to ipconfig /renew in the cmd prompt, but it says that the RPC server is unavailable. I have checked to make sure that the RPC service is set to automatic and running. I am using my brother's computer for now. Is there anything that I can do to fix it? Please let me know as soon as possible. I work until 9 every night so I can respond then.

Thanks,
Keith McCall

Edited by hamluis, 14 December 2011 - 06:06 AM.
Moved from XP to Am I Infected.



#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,699 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:12 PM

Posted 14 December 2011 - 06:59 PM

Welcome aboard

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 keithgmccall


Posted 16 December 2011 - 12:22 AM

OK, I ran the scan and here are the results.


Farbar Service Scanner
Ran by Keith (administrator) on 16-12-2011 at 00:12:05
Microsoft Windows XP Professional Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of NetBt. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of NetBt. The value does not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****

I tried to manually start the Dhcp service and it said, "Error 1075: The dependency service does not exist or has been marked for deletion."
I could not find the NetBt service, but I assume it would say about the same thing.

Thanks for the help,
Keith

#4 Broni


Posted 16 December 2011 - 12:24 AM

It looks like you have a registry key missing.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


#5 keithgmccall


Posted 16 December 2011 - 12:38 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 12:36 on 16/12/2011 by Keith
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt]
(No values found)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Linkage]
"Bind"="\Device\Tcpip6_{13846061-7CEE-45CC-A086-0F015414286E} \Device\Tcpip6_{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F} \Device\Tcpip6_{09AFA526-0086-4121-8B8F-D9E23F8788EE} \Device\Tcpip6_{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45} \Device\Tcpip6_{FF3BC068-04FE-4693-808E-C706A08B09A1} \Device\Tcpip6_{D934E722-C421-41E5-BA70-DF1DD1313817} \Device\Tcpip6_{8148D92B-5CE0-4632-A54A-468A6E444DC5} \Device\Tcpip6_{D012BA9F-3500-452A-8ADA-37B3540FB7EF} \Device\Tcpip_{8148D92B-5CE0-4632-A54A-468A6E444DC5} \Device\Tcpip_{D934E722-C421-41E5-BA70-DF1DD1313817} \Device\Tcpip_{FF3BC068-04FE-4693-808E-C706A08B09A1} \Device\Tcpip_{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45} \Device\Tcpip_{09AFA526-0086-4121-8B8F-D9E23F8788EE} \Device\Tcpip_{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F} \Device\Tcpip_{3F5C0F90-8629-46FE-AD82-7EF6B835D64B} \Device\Tcpip_{13846061-7CEE-45CC-A086-0F015414286E} \Device\Tcpip_{EA219350-B25F-4304-B0A7-CA6C15D25C3F} \Device\Tcpip_{C8FB8631-14EB-4BD0-9EBA-74664FE3AF1E} \Device\Tcpip_{1716F9AB-7C7B-442D-904F-8F754170F934} \Device
"Route"=""Tcpip6" "{13846061-7CEE-45CC-A086-0F015414286E}" "Tcpip6" "{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F}" "Tcpip6" "{09AFA526-0086-4121-8B8F-D9E23F8788EE}" "Tcpip6" "{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45}" "Tcpip6" "{FF3BC068-04FE-4693-808E-C706A08B09A1}" "Tcpip6" "{D934E722-C421-41E5-BA70-DF1DD1313817}" "Tcpip6" "{8148D92B-5CE0-4632-A54A-468A6E444DC5}" "Tcpip6" "{D012BA9F-3500-452A-8ADA-37B3540FB7EF}" "Tcpip" "{8148D92B-5CE0-4632-A54A-468A6E444DC5}" "Tcpip" "{D934E722-C421-41E5-BA70-DF1DD1313817}" "Tcpip" "{FF3BC068-04FE-4693-808E-C706A08B09A1}" "Tcpip" "{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45}" "Tcpip" "{09AFA526-0086-4121-8B8F-D9E23F8788EE}" "Tcpip" "{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F}" "Tcpip" "{3F5C0F90-8629-46FE-AD82-7EF6B835D64B}" "Tcpip" "{13846061-7CEE-45CC-A086-0F015414286E}" "Tcpip" "NdisWanIp""
"Export"="\Device\NetBT_Tcpip6_{13846061-7CEE-45CC-A086-0F015414286E} \Device\NetBT_Tcpip6_{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F} \Device\NetBT_Tcpip6_{09AFA526-0086-4121-8B8F-D9E23F8788EE} \Device\NetBT_Tcpip6_{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45} \Device\NetBT_Tcpip6_{FF3BC068-04FE-4693-808E-C706A08B09A1} \Device\NetBT_Tcpip6_{D934E722-C421-41E5-BA70-DF1DD1313817} \Device\NetBT_Tcpip6_{8148D92B-5CE0-4632-A54A-468A6E444DC5} \Device\NetBT_Tcpip6_{D012BA9F-3500-452A-8ADA-37B3540FB7EF} \Device\NetBT_Tcpip_{8148D92B-5CE0-4632-A54A-468A6E444DC5} \Device\NetBT_Tcpip_{D934E722-C421-41E5-BA70-DF1DD1313817} \Device\NetBT_Tcpip_{FF3BC068-04FE-4693-808E-C706A08B09A1} \Device\NetBT_Tcpip_{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45} \Device\NetBT_Tcpip_{09AFA526-0086-4121-8B8F-D9E23F8788EE} \Device\NetBT_Tcpip_{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F} \Device\NetBT_Tcpip_{3F5C0F90-8629-46FE-AD82-7EF6B835D64B} \Device\NetBT_Tcpip_{13846061-7CEE-45CC-A086-0F015414286E} \Device\NetBT_Tcpip_{EA219350-B25F-4304-B0A7-CA6C15D25C3F} \Device\Net

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Parameters]
"TransportBindName"="\Device\"
"BcastNameQueryCount"= 0x0000000003 (3)
"BcastQueryTimeout"= 0x00000002ee (750)
"CacheTimeout"= 0x00000927c0 (600000)
"NameServerPort"= 0x0000000089 (137)
"NameSrvQueryCount"= 0x0000000003 (3)
"NameSrvQueryTimeout"= 0x00000005dc (1500)
"NbProvider"="_tcp"
"SessionKeepAlive"= 0x000036ee80 (3600000)
"Size/Small/Medium/Large"= 0x0000000001 (1)
"EnableLMHOSTS"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Parameters\Interfaces]
(No values found)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Parameters\Interfaces\Tcpip_{09AFA526-0086-4121-8B8F-D9E23F8788EE}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Parameters\Interfaces\Tcpip_{13846061-7CEE-45CC-A086-0F015414286E}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Parameters\Interfaces\Tcpip_{3F5C0F90-8629-46FE-AD82-7EF6B835D64B}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Parameters\Interfaces\Tcpip_{8148D92B-5CE0-4632-A54A-468A6E444DC5}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Parameters\Interfaces\Tcpip_{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Parameters\Interfaces\Tcpip_{D934E722-C421-41E5-BA70-DF1DD1313817}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Parameters\Interfaces\Tcpip_{FF3BC068-04FE-4693-808E-C706A08B09A1}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Parameters\Interfaces\Tcpip_{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Enum]
"0"="Root\LEGACY_NETBT\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)


-= EOF =-
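Added example, not part of the thread and not code from SystemLook or Farbar Service Scanner: a Python sketch that parses SystemLook `:reg` output like the log above and flags a service key whose root values are gone while its subkeys still hold data, which is the condition FSS reports as a missing start type and ImagePath. The Dhcp entry and its `DependOnService` data in the sample are constructed, and treating `Start` and `ImagePath` as the required values is an assumption taken from the two FSS checks.

```python
import re

# Values the thread's Farbar Service Scanner log reported missing for NetBt
# (assumption: these two are enough to call a service key unusable).
REQUIRED = ("Start", "ImagePath")
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"

# Constructed sample: the netbt entries are shortened from the log above;
# the Dhcp key and its values are invented here as a healthy contrast.
SAMPLE = r'''
========== reg ==========

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Dhcp]
"Start"= 0x0000000002 (2)
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
"DependOnService"="Tcpip Afd NetBT"

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt]
(No values found)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Parameters]
"NbProvider"="_tcp"
"EnableLMHOSTS"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\netbt\Enum]
"0"="Root\LEGACY_NETBT\0000"
"Count"= 0x0000000001 (1)

-= EOF =-
'''

VALUE = re.compile(r'^"([^"]*)"=\s*(.*)$')

def parse_systemlook(text):
    """Map each lower-cased key path to a {value name: raw data} dict."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1)] = m.group(2).strip('"')
    return keys

def audit_service(keys, name):
    """Classify a service key: ok, stripped, incomplete or not in log."""
    root = SERVICES + name.lower()
    if root not in keys:
        return {"state": "not in log", "missing": list(REQUIRED)}
    missing = [v for v in REQUIRED if v not in keys[root]]
    # Subkeys that still hold data show the key once existed in full.
    leftovers = [k for k in keys if k.startswith(root + "\\") and keys[k]]
    if not missing:
        state = "ok"
    else:
        state = "stripped" if leftovers else "incomplete"
    return {"state": state, "missing": missing}

def blocked_by(keys, name):
    """Dependencies of `name` whose own keys are not 'ok' in this log."""
    deps = keys.get(SERVICES + name.lower(), {}).get("DependOnService", "")
    states = {d: audit_service(keys, d)["state"] for d in deps.split()}
    return {d: s for d, s in states.items() if s != "ok"}

if __name__ == "__main__":
    parsed = parse_systemlook(SAMPLE)
    print("netbt:", audit_service(parsed, "netbt"))
    print("Dhcp blocked by:", blocked_by(parsed, "Dhcp"))
```

A dependency reported as "not in log" only means the scan did not cover that key; rerun SystemLook against it before drawing a conclusion.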

#6 Broni


Posted 16 December 2011 - 07:36 PM

Yeah it has been edited by the infection.

The following steps involve registry editing. Please create a new restore point before proceeding!!!

Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find six files inside.
Right click on netbt.reg file, click "Merge".
Allow registry merge.
Restart computer and see if internet works.


#7 keithgmccall


Posted 16 December 2011 - 10:30 PM

The internet still didn't work. It seemed like the XP thing didn't do anything because it still couldn't find the netbt. I ran FSS again so that you could see if it changed anything.


Farbar Service Scanner
Ran by Keith (administrator) on 16-12-2011 at 22:27:26
Microsoft Windows XP Professional Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of NetBt. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of NetBt. The value does not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****

#8 Broni


Posted 16 December 2011 - 10:36 PM

If you're 100% sure you followed my instructions correctly, your computer may still be infected and the infection keeps playing with that registry key.

Post a new SystemLook log (same script as in my reply #4).


#9 keithgmccall


Posted 16 December 2011 - 10:43 PM

Farbar Service Scanner
Ran by Keith (administrator) on 16-12-2011 at 22:27:26
Microsoft Windows XP Professional Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of NetBt. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of NetBt. The value does not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****

#10 Broni


Posted 16 December 2011 - 10:48 PM

No, System Look (my reply #4).


#11 keithgmccall


Posted 16 December 2011 - 10:59 PM

Sorry, I ran the scan, but then posted the wrong thing.

SystemLook 30.07.11 by jpshortstuff
Log created at 22:42 on 16/12/2011 by Keith
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt]
(No values found)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Linkage]
"Bind"="\Device\Tcpip6_{13846061-7CEE-45CC-A086-0F015414286E} \Device\Tcpip6_{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F} \Device\Tcpip6_{09AFA526-0086-4121-8B8F-D9E23F8788EE} \Device\Tcpip6_{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45} \Device\Tcpip6_{FF3BC068-04FE-4693-808E-C706A08B09A1} \Device\Tcpip6_{D934E722-C421-41E5-BA70-DF1DD1313817} \Device\Tcpip6_{8148D92B-5CE0-4632-A54A-468A6E444DC5} \Device\Tcpip6_{D012BA9F-3500-452A-8ADA-37B3540FB7EF} \Device\Tcpip_{8148D92B-5CE0-4632-A54A-468A6E444DC5} \Device\Tcpip_{D934E722-C421-41E5-BA70-DF1DD1313817} \Device\Tcpip_{FF3BC068-04FE-4693-808E-C706A08B09A1} \Device\Tcpip_{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45} \Device\Tcpip_{09AFA526-0086-4121-8B8F-D9E23F8788EE} \Device\Tcpip_{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F} \Device\Tcpip_{3F5C0F90-8629-46FE-AD82-7EF6B835D64B} \Device\Tcpip_{13846061-7CEE-45CC-A086-0F015414286E} \Device\Tcpip_{EA219350-B25F-4304-B0A7-CA6C15D25C3F} \Device\Tcpip_{C8FB8631-14EB-4BD0-9EBA-74664FE3AF1E} \Device\Tcpip_{1716F9AB-7C7B-442D-904F-8F754170F934} \Device
"Route"=""Tcpip6" "{13846061-7CEE-45CC-A086-0F015414286E}" "Tcpip6" "{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F}" "Tcpip6" "{09AFA526-0086-4121-8B8F-D9E23F8788EE}" "Tcpip6" "{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45}" "Tcpip6" "{FF3BC068-04FE-4693-808E-C706A08B09A1}" "Tcpip6" "{D934E722-C421-41E5-BA70-DF1DD1313817}" "Tcpip6" "{8148D92B-5CE0-4632-A54A-468A6E444DC5}" "Tcpip6" "{D012BA9F-3500-452A-8ADA-37B3540FB7EF}" "Tcpip" "{8148D92B-5CE0-4632-A54A-468A6E444DC5}" "Tcpip" "{D934E722-C421-41E5-BA70-DF1DD1313817}" "Tcpip" "{FF3BC068-04FE-4693-808E-C706A08B09A1}" "Tcpip" "{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45}" "Tcpip" "{09AFA526-0086-4121-8B8F-D9E23F8788EE}" "Tcpip" "{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F}" "Tcpip" "{3F5C0F90-8629-46FE-AD82-7EF6B835D64B}" "Tcpip" "{13846061-7CEE-45CC-A086-0F015414286E}" "Tcpip" "NdisWanIp""
"Export"="\Device\NetBT_Tcpip6_{13846061-7CEE-45CC-A086-0F015414286E} \Device\NetBT_Tcpip6_{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F} \Device\NetBT_Tcpip6_{09AFA526-0086-4121-8B8F-D9E23F8788EE} \Device\NetBT_Tcpip6_{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45} \Device\NetBT_Tcpip6_{FF3BC068-04FE-4693-808E-C706A08B09A1} \Device\NetBT_Tcpip6_{D934E722-C421-41E5-BA70-DF1DD1313817} \Device\NetBT_Tcpip6_{8148D92B-5CE0-4632-A54A-468A6E444DC5} \Device\NetBT_Tcpip6_{D012BA9F-3500-452A-8ADA-37B3540FB7EF} \Device\NetBT_Tcpip_{8148D92B-5CE0-4632-A54A-468A6E444DC5} \Device\NetBT_Tcpip_{D934E722-C421-41E5-BA70-DF1DD1313817} \Device\NetBT_Tcpip_{FF3BC068-04FE-4693-808E-C706A08B09A1} \Device\NetBT_Tcpip_{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45} \Device\NetBT_Tcpip_{09AFA526-0086-4121-8B8F-D9E23F8788EE} \Device\NetBT_Tcpip_{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F} \Device\NetBT_Tcpip_{3F5C0F90-8629-46FE-AD82-7EF6B835D64B} \Device\NetBT_Tcpip_{13846061-7CEE-45CC-A086-0F015414286E} \Device\NetBT_Tcpip_{EA219350-B25F-4304-B0A7-CA6C15D25C3F} \Device\Net

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Parameters]
"TransportBindName"="\Device\"
"BcastNameQueryCount"= 0x0000000003 (3)
"BcastQueryTimeout"= 0x00000002ee (750)
"CacheTimeout"= 0x00000927c0 (600000)
"NameServerPort"= 0x0000000089 (137)
"NameSrvQueryCount"= 0x0000000003 (3)
"NameSrvQueryTimeout"= 0x00000005dc (1500)
"NbProvider"="_tcp"
"SessionKeepAlive"= 0x000036ee80 (3600000)
"Size/Small/Medium/Large"= 0x0000000001 (1)
"EnableLMHOSTS"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Parameters\Interfaces]
(No values found)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Parameters\Interfaces\Tcpip_{09AFA526-0086-4121-8B8F-D9E23F8788EE}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Parameters\Interfaces\Tcpip_{13846061-7CEE-45CC-A086-0F015414286E}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Parameters\Interfaces\Tcpip_{3F5C0F90-8629-46FE-AD82-7EF6B835D64B}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Parameters\Interfaces\Tcpip_{8148D92B-5CE0-4632-A54A-468A6E444DC5}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Parameters\Interfaces\Tcpip_{8F47F14F-C0D3-476C-9C43-E09B9AD97F7F}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Parameters\Interfaces\Tcpip_{D934E722-C421-41E5-BA70-DF1DD1313817}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Parameters\Interfaces\Tcpip_{FF3BC068-04FE-4693-808E-C706A08B09A1}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Parameters\Interfaces\Tcpip_{FF581FA2-3E39-4587-BC96-F3A4E2FBBA45}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\netbt\Enum]
"0"="Root\LEGACY_NETBT\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)


-= EOF =-

#12 Broni


Posted 16 December 2011 - 11:03 PM

You must be still infected.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


#13 jsw30143

jsw30143

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:30143
  • Local time:01:12 AM

Posted 24 December 2011 - 05:19 AM

I had the exact same issue and finally booted from my windows disk, chose the repair option, reloaded windows and now everything is fine.

#14 www.osisecurity.com.

www.osisecurity.com.

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sydney, Australia
  • Local time:03:12 PM

Posted 02 March 2012 - 01:23 AM

I had the same problem. I fixed it by:

Reboot into the Microsoft Windows Recovery Console, then (where D:\ is the Windows install CD-ROM or Service Pack):

expand d:\i386\ipsec.sy_ c:\Windows\system32\drivers\ipsec.sys
expand D:\i386\dnsapi.dl_ C:\Windows\system32\dnsapi.dll
expand D:\i386\dnsrslvr.dl_ C:\Windows\system32\dnsrslvr.dll

More info can be found at http://www.osisecurity.com.au/blog/zeroaccess-rootkit-sirefef-no-internet-connectivity-dns ... but it worked for me without repairing or reinstalling Windows. I'd be interested to hear if this helps anyone else.

Cheers,
-Patrick



