
Removed XP Security virus now no ip address?


25 replies to this topic

#1 talee

talee

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:10 PM

Posted 10 January 2012 - 05:18 PM

So I followed the guide here to remove the fake XP Security virus and/or Google redirecting junk, and ran Malwarebytes. All seems to be removed, but now I cannot connect to the Internet and after some research, I found that my IP address is 0.0.0 and I cannot seem to renew or release it. States RPC server unavailable. Did I do something wrong? Not that great with the technical stuff, but can follow directions. Thanks!

Edited by Budapest, 11 January 2012 - 06:06 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest



#2 talee


Posted 11 January 2012 - 09:33 AM

Nobody can help?? Hmm. Off to do more research I suppose.....

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:10 AM

Posted 11 January 2012 - 06:06 PM

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 talee


Posted 11 January 2012 - 06:55 PM

Thanks for the response. Sorry, looks like I was in the wrong place. Here are my results:

Farbar Service Scanner
Ran by Steve (administrator) on 11-01-2012 at 17:49:10
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: Attention! Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Bridge(9) BridgeMP(8) Gpc(3) IPSec(5) mfetdi2k(28) NetBT(6) PSched(7) Tcpip(4)
0x1C00000005000000010000000200000003000000040000001C0000001B0000001A000000190000001800000017000000160000001500000014000000130000001200000011000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000


**** End of log ****

#5 Budapest


Posted 11 January 2012 - 07:04 PM

Please re-run the FSS tool. Type the following in the edit box after "Search:".

netbt.sys

Click Search Files button. Post the log.

#6 talee


Posted 11 January 2012 - 07:16 PM

Farbar Service Scanner
Ran by Steve (administrator) on 11-01-2012 at 18:10:04
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: "netbt.sys" ===================

C:\WINDOWS\ServicePackFiles\i386\netbt.sys
[2004-08-04 00:14] - [2008-04-13 13:21] - 0162816 ____N (Microsoft Corporation) 74B2B2F5BEA5E9A3DC021D685551BD3D

C:\WINDOWS\$NtUninstallKB824105$\netbt.sys
[2003-09-04 06:25] - [2002-08-29 06:00] - 0157056 ____C (Microsoft Corporation) D96F3BC5A6E7452B0E3275B560DC8528

C:\WINDOWS\$NtServicePackUninstall$\netbt.sys
[2008-09-28 07:40] - [2004-08-04 00:14] - 0162816 ____C (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

====== End Of Search ======

#7 Budapest


Posted 11 January 2012 - 07:24 PM

Copy this file:

C:\WINDOWS\ServicePackFiles\i386\netbt.sys

And paste it here:

C:\WINDOWS\system32\Drivers

Reboot and post a new FSS log.

#8 talee


Posted 11 January 2012 - 08:53 PM

Farbar Service Scanner
Ran by Steve (administrator) on 11-01-2012 at 19:39:46
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: Attention! Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Bridge(9) BridgeMP(8) Gpc(3) IPSec(5) mfetdi2k(28) NetBT(6) PSched(7) Tcpip(4)
0x1C00000005000000010000000200000003000000040000001C0000001B0000001A000000190000001800000017000000160000001500000014000000130000001200000011000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000


**** End of log ****
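
Comparing the two FSS logs posted so far shows what the netbt.sys copy fixed and what the infection left behind. This is an added example, not part of the thread and not Farbar's code; the rule names and the functions `findings` and `triage` are chosen here, and the sample text is excerpted from the logs above.

```python
import re

RULES = [
    ("service_not_running", re.compile(r"^(\S+) Service is not running")),
    ("start_type_disabled", re.compile(r"start type of (\S+) service is set to Disabled")),
    ("service_key_missing", re.compile(r"Unable to open (\S+) registry key")),
    ("file_missing", re.compile(r"^Attention! (.+) is missing\.")),
]

# Excerpts of the two FSS logs in this thread. COMMON appears in both runs.
COMMON = r'''sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
wuauserv Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wuauserv registry key. The service key does not exist.
'''
BEFORE = r'''Dhcp Service is not running. Checking service configuration:
NetBt Service is not running. Checking service configuration:
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
''' + COMMON
AFTER = COMMON + r'''C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
'''

def findings(log):
    """Return the set of (kind, subject) problems reported in one FSS log."""
    found, key = set(), ""
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[HKEY_"):
            key = line.strip("[]").rsplit("\\", 1)[-1]  # firewall profile name
        elif line.upper() == '"ENABLEFIREWALL"=DWORD:0':
            found.add(("firewall_off", key))
        for kind, rx in RULES:
            m = rx.search(line)
            if m:
                found.add((kind, m.group(1).lower()))
    return found

def triage(before, after):
    """Split findings into fixed, still present, and newly appeared."""
    b, a = findings(before), findings(after)
    return {"fixed": sorted(b - a), "remaining": sorted(a & b), "new": sorted(a - b)}
```

On these excerpts the `remaining` list still holds the disabled firewall service, the firewall policy value and the missing wuauserv key, which is the tampering the rest of the thread goes on to repair.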

#9 Budapest


Posted 11 January 2012 - 10:01 PM

Can you access the internet now?

Run this Microsoft Fixit:

http://support.microsoft.com/mats/windows_firewall_diagnostic/en-us

Then post a new FSS log.

#10 talee


Posted 11 January 2012 - 10:42 PM

I can! You are awesome!

I ran the firewall fixit, but it couldn't change anything because I believe our McAfee firewall is on, so I didn't think you needed another scan, however let me know if you do. Things seem to be good to go from what I can tell so far.

I really can't thank you enough. So very glad I found this site!

#11 Budapest


Posted 11 January 2012 - 10:52 PM

Is your Windows update working? The FSS log suggests it is not.

#12 talee


Posted 12 January 2012 - 10:22 AM

I guess I'm not sure....my Automatic Updates is on and when I check under Add or Remove Programs it looks like the last update was in December, but then when I go to Windows Update under Start menu, it searches and says the website has encountered a problem and cannot be displayed. It's asking me to download a new Windows Update program? However, I didn't see XP with Service Pack 3 in the supported list. ? It's an older computer, so maybe that's affecting it?

#13 Budapest


Posted 12 January 2012 - 05:15 PM

The next fix we are going to do involves editing the registry. With any fix like this you should create a new restore point and back up the registry first. For backing up the registry I like to use ERUNT.

Open notepad, copy and paste the text below into notepad and save the file as update.reg. Then double-click the update.reg file to merge it into the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Automatic Updates"
"ObjectName"="LocalSystem"
"Description"="Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,75,00,\
  61,00,75,00,73,00,65,00,72,00,76,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum]
"0"="Root\\LEGACY_WUAUSERV\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Then reboot and post a new FSS log.

Edited by Budapest, 12 January 2012 - 05:16 PM.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
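
A check worth running before merging any .reg file copied from a web page: decode its hex(2) strings so the service's ImagePath and ServiceDll can be read in plain text. This is an added example, not part of the thread; `decode_reg_strings` and `outside_system32` are names chosen here, the two values are copied from the update.reg above, and C:\WINDOWS as the system root is assumed from the FSS logs.

```python
import re

# The two hex(2) values from the update.reg posted above, copied verbatim.
REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,75,00,\
  61,00,75,00,73,00,65,00,72,00,76,00,2e,00,64,00,6c,00,6c,00,00,00
'''

def decode_reg_strings(text):
    """Decode every hex(1)/hex(2)/hex(7) value, keyed by its full registry path."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join "\"-continued lines
    out, key = {}, ""
    for line in text.splitlines():
        if line.startswith("["):
            key = line.strip("[]")
            continue
        m = re.match(r'"([^"]+)"=hex\((1|2|7)\):([0-9a-fA-F,]*)$', line.strip())
        if m:
            raw = bytes.fromhex(m.group(3).replace(",", ""))
            # These value types hold UTF-16LE text with a trailing NUL.
            out[key + "\\" + m.group(1)] = raw.decode("utf-16-le").rstrip("\x00")
    return out

def outside_system32(values):
    """Paths of ImagePath/ServiceDll values whose binary is not under system32."""
    roots = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")  # assumed root
    return [k for k, v in values.items()
            if k.rsplit("\\", 1)[-1] in ("ImagePath", "ServiceDll")
            and (not v.lower().startswith(roots) or ".." in v)]
```

For the file in this thread the decoded values are the stock svchost.exe command line and wuauserv.dll, so `outside_system32` returns an empty list.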

#14 BushPilot

BushPilot

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:10 PM

Posted 12 January 2012 - 07:08 PM

Try this:

CMD as administrator.

Type: "netsh winsock reset" without quotations and hit enter. Don't restart the machine yet.

Open "Network and Sharing Center".
Select "Internet Options"
Select "Advanced tab"
Reset everything that you see to default.
Now restart the machine and see if you have connectivity. This has often worked for me.

#15 Budapest


Posted 12 January 2012 - 07:11 PM

"Now restart the machine and see if you have connectivity. This has often worked for me."

Connectivity has already been restored. The remaining issue is with Windows Update.



