Avast WEBforum
Other => Viruses and worms => Topic started by: RoughDobermann on September 24, 2011, 01:56:57 AM
-
Hi All:
According to Avast, my work laptop is infected by a "rootkit" named:
1264341053:3266290612.exe
c:windows/1264341053:3266290612.exe
I take the prescribed action (Delete) and schedule a boot scan (as suggested) and the little bugger is right back. Nasty stuff.
Any ideas?
-
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and start your own new topic and attach the logs there, not in the LOGS topic.
It is almost 1:20am in the UK and it is likely to be tomorrow morning before a malware removal specialist can take a look at it. So if you can get on with the process, that will give them something when they do get on-line.
-
Thanks, but here's a problem: This bug apparently won't let me run Malwarebytes' Anti-Malware. The Quick Scan runs for a few seconds and then the program closes. If I try again, a warning comes up that says something like "Program can't be found." If I re-install MBAM, it runs again just like before. Same thing with HijackThis.
-
HijackThis is not very good...run OTL from the link David posted
-
Hi, that is the ZeroAccess bootkit. I will first need to remove the ADS from the bad boy and then run to kill.
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
Thanks! I'm doing the scan now. A Microsoft Error Reporting box came up during the scan. It looks a little different than a "normal" MS error report. Normal?
-
I guess just attach both files? Feel kind of creepy doing this...
-
Extras
-
OK here we go
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = F3 86 F3 16 DA E5 B2 4F B9 1B 4D 35 BC 14 40 03 [binary data]
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = F3 86 F3 16 DA E5 B2 4F B9 1B 4D 35 BC 14 40 03 [binary data]
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = F3 86 F3 16 DA E5 B2 4F B9 1B 4D 35 BC 14 40 03 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = F3 86 F3 16 DA E5 B2 4F B9 1B 4D 35 BC 14 40 03 [binary data]
IE - HKU\S-1-5-21-1235142616-1400411301-3882759376-1006\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = F3 86 F3 16 DA E5 B2 4F B9 1B 4D 35 BC 14 40 03 [binary data]
[2011/09/24 06:14:33 | 000,000,000 | ---- | M] () -- C:\WINDOWS\1264341053
@Alternate Data Stream - 784 bytes -> C:\WINDOWS\1264341053:3266290612.exe
:Reg
[HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-1235142616-1400411301-3882759376-1006\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
When you download the following programme you must save it to your desktop renamed as svchost
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here: http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216
- Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
- Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
In my eagerness to fix this (I leave tomorrow for a week-long business trip), I followed the advice of a "friend" who had me run TDSSKiller.exe. It apparently found the bug (I have sound again) and I no longer have the problem I mentioned in the first post, but I have neither wired nor WiFi internet (limited/no connection).
Sorry.
Should I still do what you mention above or do another OTL scan?
-
The problem with TDSSKiller is that it does not see the mswsock infection as well.
Run the OTL fix followed by ComboFix and that may re-instate the connection; if not, I will look at manually fixing it.
-
Okay, will do. But, since I don't have access to the Interwebs on the laptop (but do on this PC), can I just download ComboFix onto a thumb drive and place it on the laptop's desktop (per instructions)? And what if, when I run ComboFix, it has to get on the Internet to download the Windows Recovery thing?
-
We have the technology ;D
***************************************************
Download ComboFix from one of these locations:
Link 1 (http://www.infospyware.net/antimalware/combofix)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it is originally named.
Note: If you have SP3, use the SP2 package.
---------------------------------------------------------------------
Transfer all files you just downloaded, to the desktop of the infected computer.
--------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Drag the setup package onto ComboFix.exe and drop it.
- Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
- At the next prompt, click 'Yes' to run the full ComboFix scan.
- When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
-
Okay, here's the Quick Scan log from OTL.
-
Heh. Fantastic! I will do so.
BTW, I was born and raised in Essex. I live in Colorado now, though.
-
Subtle difference in climate I should imagine ;D
-
Yes, 330+ days of sunshine was hard to get used to! ;D
-
Should I run ComboFix now?
-
Yes please ;D
-
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
This is the problem - alas TDSSKiller is not yet up to removing the complete zero access
-
Still rename Combofix to svchost?
-
No requirement now as the main bad boy has gone
-
I still have Symantec Antivirus Corporate running, but don't see a way to end/disable it in the client or taskbar. How do I disable it? The link on the previous page to help with this is dead.
-
Uninstallers for Security Software
http://thewebatom.net/uninstallers/security-software/
-
Is there a way to just stop/disable it rather than uninstalling it? This a work machine.
-
Run combofix but do not allow Norton to quarantine or stop any files running ;D
-
Is it going to "tell" me if it tries that? Honestly, I've never seen Symantec (Norton?) do anything. I didn't even know it was installed! :P
-
Yes there may be notifications - just click ignore
-
Okay, Combofix ran and produced this report. I still don't have Internet access, however.
-
I had to fix this same rootkit. If I remember correctly Combofix tells you to run it again if you don't have internet access. You can also try a repair install.
-
OK that killed the rest - let's now look at the internet
First we will try the easy route, then CF if that should fail
Download and transfer winsockXP fix to the poorly system and then run http://majorgeeks.com/WinSock_XP_Fix_d4372.html
-
Okay, I ran that and rebooted. Still no access (limited/no connectivity)
-
OK next we will reset the TCPIP using a MS fixit
Download the fixit on this page (Press the button about one third the way down to download it) - transfer to the other system and then run http://support.microsoft.com/kb/299357
-
Okay, I did that, rebooted but still no connectivity.
-
Let's see if the main file is present
Run OTL with this script please
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
mswsock.*
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT
-
And then Run Scan or Quick Scan?
-
I did Run Scan (sorry, running out of time) and have the new log. Attach it?
-
OK the file is in the right location - what is the exact error you get when you try to connect ?
-
The Ethernet icon has a yellow exclamation point and states "Limited or no connectivity." Same with WiFi icon.
When I open IE, it states: Internet Explorer cannot display the webpage. And there's a Diagnose Connection Problems button.
-
When you press the diagnose problems what does it report ?
Re-run Combofix to see if that resolves the problem
-
After that we will need to reset both drivers
-
It said something about Winsock. Running Combofix again
-
Ran ComboFix again. Log attached.
-
Hmm yet we have repaired the winsock
OK could you go to control panel
System devices
Look for a yellow exclamation mark
Is there one next to the network adapter ?
If so select the ethernet one (Yukon)
Right click and select uninstall
Reboot and windows will reload the driver for that
Does the ethernet now work
-
No, nothing next to it.
-
I uninstalled the Ethernet adapter and scanned for changes. Found it, installed it and it is acquiring an address. I presume it will fail.
-
The eternal optimist
-
Heh. It's still looking (and I've got to leave for the airport in 1 hour). Bah!
-
OK one further quick shot
Go to control panel > Internet Options
Select the connections tab
Select LAN settings
Ensure acquire DNS automatically is ticked
-
It wasn't checked. I checked it, rebooted and it's still searching for an address.
-
And, STILL searching for an address. WTH?
-
OK
As I am on windows 7 which is slightly different
Could you follow the steps on this page http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ClientConfig.html
Start here Click Start -> Control Panel -> Network Connections
-
Followed with no success. Setup to obtain IP automatically (DHCP)
-
Here's what Windows says when I click on the Diagnose Connection Problems button:
Windows has detected a problem with the Winsock provider catalog on this computer. This catalog allows programs to communicate with this computer across the network. Would you like Windows to reset the catalog to the default configuration?
-
Select yes
-
I did. Reboot and still looking for an IP address.
-
Back on ground now. Any additional help would be great. Still trying to acquire address.
-
OK let's try the system services next
Open Services...
Start > Run > Type: services.msc > Click OK
Scroll down to and double click DNS Client
Set to Automatic under Startup type
Click the Apply button
Click the Start button
When it starts click OK
Repeat for DHCP Client.
And repeat for Remote Procedure Call (RPC).
When done, close Services.
Try the connection again
-
Interesting. DNS and the other were both auto and started. DHCP was auto but stopped. Started it and the following error popped up:
Could not start the dhcp client service on local computer.
Error 1075. The dependency service does not exist or has been marked for deletion.
Plz forgive typos. On phone now
-
OK what I think is that TDSSKiller deleted the netbt file - let's find a copy and then move it
OK run OTL and run the following script as I need to check the dependency files
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
afd.*
tcpip.*
netbt.*
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT
-
Thanks essexboy. Log attached. I'm sending this from a hotel PC, so the fewer things I have to attach from now on would be best! I look forward to your next reply.
-
Once this has run give the net a try again
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Files
ipconfig /flushdns /c
C:\WINDOWS\system32\drivers\netbt.sys|C:\WINDOWS\ServicePackFiles\i386\netbt.sys /replace
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
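The /md5start check on afd, tcpip and netbt from the earlier scan script and the `live|backup /replace` line in the fix above, done in Python as an added example (not the thread's code, and not OTL's): hash each driver in system32\drivers against its ServicePackFiles\i386 copy and put the backup copy back when they differ or the live file is gone. The demo directory pair is constructed in a temp folder; on the real XP box you would pass the two real paths.

```python
"""Compare drivers with their ServicePackFiles copies and restore on mismatch.

Added example, not code from the thread or from OTL. It mirrors two things
essexboy does with OTL: the /md5start ... /md5stop custom-scan block that
hashes afd.*, tcpip.* and netbt.*, and the `live|backup /replace` fix line
that copies the ServicePackFiles copy of netbt.sys back into place.
"""
import hashlib
import os
import shutil
import tempfile

# Drivers the thread hashes; the DHCP Client service depends on all three.
DRIVERS_TO_CHECK = ("afd.sys", "tcpip.sys", "netbt.sys")
# Locations on the XP system in the thread (passed as parameters below).
LIVE_DIR = r"C:\WINDOWS\system32\drivers"
BACKUP_DIR = r"C:\WINDOWS\ServicePackFiles\i386"


def md5_of(path):
    """MD5 of a file, read in chunks (the digest OTL prints in its md5 block)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_driver_copies(live_dir, backup_dir, names=DRIVERS_TO_CHECK):
    """Return {driver: status}, status in match / mismatch / missing / no-backup."""
    report = {}
    for name in names:
        live, backup = os.path.join(live_dir, name), os.path.join(backup_dir, name)
        if not os.path.isfile(backup):
            report[name] = "no-backup"      # nothing known-good to compare with
        elif not os.path.isfile(live):
            report[name] = "missing"        # the file essexboy suspected was deleted
        elif md5_of(live) == md5_of(backup):
            report[name] = "match"
        else:
            report[name] = "mismatch"       # patched, replaced or corrupted
    return report


def restore_driver(live_dir, backup_dir, name):
    """Copy the backup over the live file, keeping the original as name.bak.

    Equivalent of OTL's `live|backup /replace`; returns the new live-file MD5.
    """
    live, backup = os.path.join(live_dir, name), os.path.join(backup_dir, name)
    if os.path.isfile(live):
        shutil.copy2(live, live + ".bak")   # keep evidence of what was there
    shutil.copy2(backup, live)
    return md5_of(live)


def build_demo_tree():
    """Constructed directory pair: netbt.sys differs and afd.sys is missing."""
    root = tempfile.mkdtemp(prefix="drivercheck-")
    live = os.path.join(root, "drivers")
    backup = os.path.join(root, "i386")
    os.makedirs(live)
    os.makedirs(backup)
    for name in DRIVERS_TO_CHECK:
        with open(os.path.join(backup, name), "wb") as fh:
            fh.write(b"GOOD-" + name.encode())
    with open(os.path.join(live, "tcpip.sys"), "wb") as fh:
        fh.write(b"GOOD-tcpip.sys")
    with open(os.path.join(live, "netbt.sys"), "wb") as fh:
        fh.write(b"TAMPERED")
    return live, backup


if __name__ == "__main__":
    live, backup = build_demo_tree()
    for name, status in compare_driver_copies(live, backup).items():
        print(f"{name:10} {status}")
        if status in ("mismatch", "missing"):
            print(f"           restored, md5 now {restore_driver(live, backup, name)}")
```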
-
Ok I did that. Will have to find a machine with Internet access to post log.
-
Log attached. Did I see that you are going to be unavailable soon!?
-
I had to re-write (not copy and paste) the above since I was doing it from me phone. I just copied the above and can paste into my laptop.
Run OTL again?
-
Yes I am off on a weeks holiday wednesday night
Well all the right files are in the right place... Next step is to remove all elements of Norton in case the firewall reactivated and blocked you
Download the Norton removal tool from here and then uninstall the remains of Norton https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?lg=english&ct=united+states&docid=20080710133834EN&product=home&version=1&pvid=f-home
-
Which one/link do I select?
-
This one I believe https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080828154508EN&lg=english&ct=united+states&product=home&version=1&pvid=f-home&entsrc=redirect_pubweb
-
It's asking me to uninstall Symantec through Add/Remove. That is asking for a password I don't have.
-
I checked to see if DHCP client would start. It won't. Same error as before.
-
Could you go to this page http://support.microsoft.com/kb/915162
It will ask you to enter the registry; this is a brief synopsis. What I would like to know is, are there any additional entries apart from the three mentioned?
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
3. Right-click the DependOnService entry, and then click Modify.
4. In the Value data box, delete the service that is described in the event that appears in the "Symptoms" section.
Note: Typically, the only services that are in the DependOnService entry are the following services:
- Tcpip
- Afd
- NetBt
5. Close Registry Editor, and then restart the computer.
-
No, there are just those three entries, but NetBt is listed as "NetBT" not "NetBt"
-
Not sure if this matters, but the first entry (default) is (value not set)
-
I wonder if this a permissions problem as that is one of the zero access symptoms
Download this tool from here and install http://www.tweaking.com/content/page/windows_repair_all_in_one.html
Start the programme and go through steps one to four, or if time is short then select start repairs
Select the advanced option
Place a tick in reset registry permissions only
Then click start - reboot on completion
-
Okay did that. Still no internet
-
OK this does not appear to make any sense so I will do some deeper research
-
Under the Dependencies tab in DHCP Client Properties, I now have:
AFD
TCP/IP Protocol Driver
But no NetBT
-
Could you type the following in the run box please and let me know what the output is
CMD /K SC QC DHCP
It should be this
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: dhcp
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME : LocalSystem
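The comparison essexboy asks for above, and the DependOnService check from KB 915162 earlier in the thread, written up as an added Python example (not the thread's code and not from any of the tools it uses): parse the text `sc qc dhcp` prints and report which of Tcpip, Afd and NetBT is missing, comparing names case-insensitively so the "NetBT" versus "NetBt" spelling the poster noticed is not flagged. Both sample listings are constructed from the healthy one quoted in the post.

```python
"""Check the DHCP Client service configuration the way the thread does by eye.

Added example, not from the thread or from any tool it uses. parse_sc_qc()
reads the text `sc qc dhcp` prints and check_dhcp_config() compares it with
what KB 915162 says the Dhcp service should depend on (Tcpip, Afd, NetBT).
"""
import re
import subprocess
import sys

EXPECTED_DHCP_DEPENDENCIES = ("Tcpip", "Afd", "NetBT")
EXPECTED_BINARY_PATH = r"C:\WINDOWS\system32\svchost.exe -k netsvcs"

# Constructed sample: the healthy listing quoted in the thread.
SAMPLE_HEALTHY = """\
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : DHCP Client
        DEPENDENCIES       : Tcpip
                           : Afd
                           : NetBT
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample: what the poster saw once NetBT dropped out of the list.
SAMPLE_MISSING_NETBT = "\n".join(
    line for line in SAMPLE_HEALTHY.splitlines() if "NetBT" not in line) + "\n"

# "KEY : value" lines; continuation lines ("   : Afd") have an empty key.
LINE_RE = re.compile(r"^\s*([A-Z_]*)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict; DEPENDENCIES becomes a list of names."""
    config = {"DEPENDENCIES": []}
    last_key = None
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                      # banner, blank line, anything else
        key, value = match.groups()
        if key == "":
            # Continuation line: belongs to the field on the line above.
            if last_key == "DEPENDENCIES" and value:
                config["DEPENDENCIES"].append(value)
            continue
        if key == "DEPENDENCIES":
            if value:
                config["DEPENDENCIES"].append(value)
        else:
            config[key] = value
        last_key = key
    return config


def check_dhcp_config(config):
    """Return findings as strings; an empty list means the service looks right."""
    findings = []
    expected = {name.lower(): name for name in EXPECTED_DHCP_DEPENDENCIES}
    present = {name.lower() for name in config["DEPENDENCIES"]}
    for key, name in expected.items():
        if key not in present:
            findings.append(f"missing dependency: {name}")   # the Error 1075 case
    for name in sorted(present - set(expected)):
        findings.append(f"unexpected dependency: {name}")
    if config.get("START_TYPE", "").split()[-1:] != ["AUTO_START"]:
        findings.append(f"start type is {config.get('START_TYPE')!r}, expected AUTO_START")
    if config.get("BINARY_PATH_NAME", "").lower() != EXPECTED_BINARY_PATH.lower():
        findings.append(f"binary path is {config.get('BINARY_PATH_NAME')!r}")
    return findings


def check_live_dhcp():
    """Query this host with `sc qc dhcp` (Windows only) and return the findings."""
    out = subprocess.run(["sc", "qc", "dhcp"], capture_output=True,
                         text=True, check=False).stdout
    return check_dhcp_config(parse_sc_qc(out))


if __name__ == "__main__":
    if "--live" in sys.argv:
        findings = check_live_dhcp()
    else:
        findings = check_dhcp_config(parse_sc_qc(SAMPLE_MISSING_NETBT))
    print("\n".join(findings) if findings else "DHCP Client configuration looks as expected")
```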
-
There is no data listed under DependOnGroup. No idea if that is helpful!
-
Yes mine is the same
-
Darn this is where I could do with an XP machine so that I could export that set of registry entries for you
Now do the following
Click Start, Run and type DEVMGMT.MSC
In the View menu, click Show hidden devices
Double-click Non-Plug and Play drivers section
Double-click the entry AFD, and click the Driver tab
Set the Startup type to System.
Start the service. Note down the error message if any.
Similarly start the two other drivers namely:
TCP/IP Protocol Driver
NetBios over Tcpip
Close Device Manager and restart Windows.
Then run Regedit via the run key
Navigate to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Dhcp
Right click the DependOnService select modify (shot 1)
Ensure that in the box that shows that you have the following entries (or add them) (shot 2 )
-
Afd and tcpip both started. There is no entry for netbios under dm, nonplugandplay! It's not there!
-
Is the registry entry the one in your post if so I will export mine (XP Pro SP3) ?
See image extract of the key on my system.
-
I looked for netbt.sys under windows/system32/drivers and it IS there. Should I go to another XP machine, copy its netbt file and put it on mine? There's a Win 7 machine downstairs.
-
Yes mine looks identical
-
Aye the file is there and it is a good copy, that was the one I replaced earlier
Go to control panel
Open the Network Connections folder.
Right click the local area network connection and click Properties.
Double click Internet Protocol (TCP/IP).
Click Advanced.
Click WINS.
Click the Enable NetBIOS Over TCP/IP button.
-
Ok enabled netbios on both LAN and wireless connections. Rebooted and no Internet. Netbt not shown under dependencies
-
@ essexboy
I have that enabled, part of the default setting, see image and works fine on my system.
-
OK back into the registry to ensure that the path is set correctly
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT
check that the image path is set at system32\drivers\netbt.sys
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS]
check that the image path is set at system32\drivers\netbios.sys
-
That worked, mostly! Netbios still seems funny. Dns works but not for wins resolution?
-
Sheesh well that took some following to find a partial resolution
OK what appears to be the current problem ?
-
My IT guy followed your advice and saw that the registry entry for NetBios (?) was COMPLETELY empty. He did something and I am now fully operational again! I cannot thank you enough, essexboy!
Enjoy your holiday!
-
Well that took some digging back through the possible failure areas ;D
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave: