
Limited/No Connectivity following virus removal


12 replies to this topic

#1 Xardas


Posted 31 December 2011 - 01:07 AM

Hello,

I am currently running Windows XP Home SP3. The antivirus I use is Symantec Antivirus provided by my school. This computer had an infection of the "sp security 2012" and win32.zaccess variety. Using several tools including manual removal from the registry and manual deletion of the virus files as well as tdsskiller, rkill and combofix I removed (I believe) the virus.

My current problem is that this computer is unable to connect to the internet in any manner, whether it be wirelessly or by ethernet. I received the "limited or no connectivity" error.

When I run ipconfig /all, it shows an ip address of 0.0.0.0 and a subnet mask of 0.0.0.0.

My assumption is that the virus took some drivers with it or something. Unfortunately, if I need a windows xp cd, I am out of luck as I have no idea where that old thing is.

When I attempt to release my ip address, I receive the error "IP Address for this connection has already been released".
When I attempt to renew my ip address via the ipconfig /renew command, I receive the error "The RPC server is unavailable".

I tried manually uninstalling/reinstalling tcp/ip protocol (and I think I did so correctly) and still I get the same error.

I have tried the winsock fix and dialafix. Winsock changed nothing, dialafix gave me an error message that was meaningless to me (I can rerun it and post the error if this would help).

I noticed also in the status of my internet connection, 0 packets are sent and 0 received.

I am okay with computers, but this is proving beyond my capabilities. Any help you could offer would be most appreciated.
If you require any additional information or scans I would be more than happy to provide them.



#2 noknojon


Posted 31 December 2011 - 01:53 AM

Hello Xardas -

Please download Farbar Service Scanner and run it on the computer with the issue.
Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
Press "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Thank You -



#3 Xardas


Posted 31 December 2011 - 03:08 PM

Wow, thank you for the very quick reply! What follows is my log:

Farbar Service Scanner
Ran by Steve (administrator) on 31-12-2011 at 15:06:50
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
===========
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
Checking ServiceDll: Attention! Unable to open BITS registry key. The service key does not exist.
Checking LEGACY_BITS: Attention! Unable to open LEGACY_BITS\0000 registry key. The key does not exist.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(11) Gpc(3) IPSec(13) NetBT(14) PSched(7) SYMTDI(10) Tcpip(12)
0x0E0000000D00000005000000010000000200000003000000040000000A000000060000000700000008000000090000000B0000000C0000000E000000


**** End of log ****
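
Added example, not part of the original post and not Farbar's own code: a short Python triage of the FSS.txt log above that pairs each stopped service with the cause the log itself reports. The excerpt is copied from the log; the `ASSUMED_DEPENDS` map (Dhcp depending on NetBT) is an assumption to confirm with `sc qc dhcp`, and matching a missing driver file to a service by name is a heuristic.

```python
import re
from pathlib import PureWindowsPath

# Excerpt copied from the FSS.txt log posted above (shortened).
SAMPLE_LOG = r"""Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
NetBt Service is not running. Checking service configuration:
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
Checking ServiceDll: Attention! Unable to open BITS registry key. The service key does not exist.
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
"""

# Assumption, not stated in the thread: on XP the Dhcp service lists NetBT in
# DependOnService. Confirm on the affected machine with `sc qc dhcp`.
ASSUMED_DEPENDS = {"dhcp": ["netbt"]}

STOPPED = re.compile(r"^(\S+) Service is not running\.", re.M)
NO_KEY = re.compile(r"Unable to open (\S+) registry key")
MISSING = re.compile(r"^Attention! (.+) is missing\.", re.M)
START = re.compile(r"^The start type of (\S+) service is set to (\w+)\. "
                   r"The default start type is (\w+)\.", re.M)


def triage(log):
    """Return {service: [reasons]} for every service FSS reports as stopped."""
    missing = {PureWindowsPath(p).stem.lower(): p for p in MISSING.findall(log)}
    no_key = {k.lower() for k in NO_KEY.findall(log)}
    start = {s.lower(): (cur, dflt) for s, cur, dflt in START.findall(log)}
    report = {}
    for svc in STOPPED.findall(log):
        key, reasons = svc.lower(), []
        if key in missing:  # heuristic: driver file name matches service name
            reasons.append(f"binary missing: {missing[key]}")
        if key in no_key:
            reasons.append("registry key missing or incomplete")
        if key in start:
            reasons.append("start type %s, default %s" % start[key])
        for dep in ASSUMED_DEPENDS.get(key, []):
            if dep in missing:
                reasons.append(f"depends on {dep}, whose binary is missing")
        report[svc] = reasons or ["no cause in log; check dependencies"]
    return report

if __name__ == "__main__":
    for service, reasons in triage(SAMPLE_LOG).items():
        print(f"{service}: " + "; ".join(reasons))
```

Run against the full FSS.txt, the same function groups the log's "Attention!" lines under the service they affect, which makes it easier to see that the missing netbt.sys is the one finding tied to the network stack.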

#4 noknojon


Posted 31 December 2011 - 04:46 PM

Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.

Here is one solution - - -
start->run->regedit > HKLM/System/CurrentControlSet/Services/> Set "Start" tag equal to 2

Another is to run sfc /scannow and click OK -
Place the XP CD in the drive and let it try to find / replace the file.

Good luck -

Edited by noknojon, 31 December 2011 - 04:48 PM.


#5 Xardas


Posted 31 December 2011 - 05:12 PM

Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.

Here is one solution - - -
start->run->regedit > HKLM/System/CurrentControlSet/Services/> Set "Start" tag equal to 2

Another is to run sfc /scannow and click OK -
Place the XP CD in the drive and let it try to find / replace the file.

Good luck -


I'll have to see if my family can find the cd, I'm a long ways from home. I'm having trouble trying your regedit fix, I get to hklm/system/currentcontrolset/services and am unable to find the thing I am supposed to change. I must be missing something. The services folder contains a lot of subfolders, but does not itself contain any registry keys other than (default) reg_sz (value not set).

#6 hamluis


Posted 31 December 2011 - 05:16 PM

FWIW: The first step, before any advisement to a member to perform even the simplest registry edit...is to instruct/advise the member to back up the registry.

Louis

#7 noknojon


Posted 31 December 2011 - 05:49 PM

Thank you Louis - Sorry -

I shall look for another idea that may not need the CD unless Hamluis has another idea -
If you can find another Windows XP Home CD, that will do -

Thank You -

Edited by noknojon, 31 December 2011 - 05:54 PM.


#8 noknojon


Posted 31 December 2011 - 06:27 PM

To check if the file is still listed (but not extracted or corrupted) these directions may help you without a CD -

You can extract individual files from the cabinet files to replace missing or corrupted files. To extract information from a .cab file in Windows XP:
This should not require the system backup as above (that I forgot), as you are only looking for an existing file in i386 -

Click Start > Run > type msconfig.

Click OK.

Click Expand File.

In the File to restore box, type the name of the file that you want to restore. (netbt.)

In the Restore from box, type the path to the Windows XP .cab file from which you want to restore the file,
or click Browse From to locate the Windows XP .cab file (you may find NetBT inside C:\WINDOWS\ServicePackFiles\i386)

In the Save file in box, type the path to which you want the new file extracted, or click Browse To to locate the folder that you want. (should be C:\WINDOWS\system32\drivers).

Click Expand.

In the System Configuration Utility dialog box, click OK. If you are prompted to restart the computer, click Restart.

Thank You -
NOTE:
It never hurts to always perform regular backups of your system, just in case of this type of problem -


#9 Xardas


Posted 01 January 2012 - 11:40 AM

I tried the msconfig / expand file fix you mentioned, my problem still is not resolved. I would be happy to try the registry fix if you can give me more information, either the key you are referencing does not exist on my machine or I was not skilled enough to find it.

I also gained access to a windows xp cd. I had already tried running sfc /scannow and found a ton of files that needed to be replaced but since I did not have the cd at the time I had to skip them all. This time, when I ran sfc /scannow it never brought up the window that asks where it should get the replacement files from, but the xp cd was in the tray. I don't know if it automatically found them in the drive and replaced them or if those files were all set to "skip" now, but regardless it did not resolve my problem.

Just to clarify, the cd I would want is the exact same as the cd one would use to install windows xp, correct?

Once again, thank you for your time and effort.

#10 hamluis


Posted 01 January 2012 - 12:03 PM

FWIW: When running the sfc /scannow command...files found wanting are replaced on the spot from the disk. If a file is not found or is unable to be read from the CD, then a box will popup. If the scan proceeds without any popups, you may consider all found situations resolved by the scan.

I hate it when I see "a Windows XP CD" because...not all CDs are created equal. The CD required to run the sfc /scannow command correctly is a "Microsoft Genuine XP CD", not a recovery/restore or other CD which has been provided by a system manufacturer (HP, Lenovo, Dell, etc.). Included in the list of "nots" would also be any CD derived from burning an illegal, possibly malicious download of XP.

For reference purposes, How To Use Sfc.exe To Repair System Files - http://www.bleepingcomputer.com/forums/topic43051.html .

System manufacturer and model?

Louis

#11 Xardas


Posted 15 January 2012 - 11:31 AM

Hamluis,

I tried to locate the i386 folder on my computer but it does not exist. I had it show all hidden files and folders and did a search for the folder and nothing came up. The cd I used was from the internet, as my family was unable to find the cd (if they manage to find it, it will be a windows xp home sp2 cd made by dell). I still have the same problems as I did when I started. Is there any hope that I will salvage this computer or should I just give up at this point?

#12 hamluis


Posted 15 January 2012 - 12:07 PM

Let's just wait for input by those more knowledgeable than I happen to be.

I've never had a virus problem and my connectivity issues are usually resolved by resetting the router, checking connections, etc.

<<When I run ipconfig /all, it shows an ip address of 0.0.0.0 and a subnet mask of 0.0.0.0.>>

That would have prompted me to set the connection up anew, from the beginning...it's obvious that the connection is not properly set up now and DHCP is not working properly.

Patience, please :).

Louis

#13 narenxp


Posted 15 January 2012 - 12:07 PM

Launch farbar service scanner again and type

netbt.sys in the BOX and click on search files

Post the generated log

Let's see if it finds the file in dllcache folder

Good luck

Edited by narenxp, 15 January 2012 - 12:08 PM.




