Tidserv Activity 2



Re: Tidserv Activity 2

Post by rich_hilton on Fri Dec 23, 2011 6:57 am

Hi Dave
It seems that with your very knowledgeable help we might be getting somewhere. I ran ComboFix as you instructed, then SysProt AntiRootkit, and its log is pasted below.
The system seems to be behaving well - no messages and only one blue screen on Tuesday. None since.
Best regards
Clive
==============================================
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: spas.sys
Service Name: ---
Module Base: F751A000
Module End: F760D000
Hidden: Yes

Module Name: SYMDS.SYS
Service Name: SymDS
Module Base: F7415000
Module End: F746C000
Hidden: Yes

Module Name: SYMEFA.SYS
Service Name: SymEFA
Module Base: F7322000
Module End: F7403000
Hidden: Yes

Module Name: Combo-Fix.sys
Service Name: ---
Module Base: F769E000
Module End: F76AD000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\a2uvq3yu.SYS
Service Name: ---
Module Base: F6BF0000
Module End: F6C29000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F555E000
Module End: F5576000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7B70000
Module End: F7B72000
Hidden: Yes

Module Name: \??\C:\ComboFix\catchme.sys
Service Name: catchme
Module Base: BA581000
Module End: BA589000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: F7BE4000
Module End: F7BE6000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAlertResumeThread
Address: 8679A008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAlertThread
Address: 86750A30
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAllocateVirtualMemory
Address: 86738D40
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAssignProcessToJobObject
Address: 867750F8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwConnectPort
Address: 86ADA628
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateKey
Address: F5910980
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwCreateMutant
Address: 867A2120
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateSymbolicLinkObject
Address: 867C5100
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThread
Address: 86777998
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDebugActiveProcess
Address: 867751B8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteKey
Address: F5910C00
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwDeleteValueKey
Address: F5910F10
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwDuplicateObject
Address: 86AA3918
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwEnumerateKey
Address: F7533DA4
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwEnumerateValueKey
Address: F7534132
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwFreeVirtualMemory
Address: 8679BB50
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateAnonymousToken
Address: 867A2008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateThread
Address: 8679A110
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwLoadDriver
Address: 86817820
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwMapViewOfSection
Address: 867B29A0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenEvent
Address: 867BE008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenKey
Address: F751B0C0
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwOpenProcess
Address: 86734718
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcessToken
Address: 867B15F8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenSection
Address: 867BE050
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: 867B20E8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwProtectVirtualMemory
Address: 867C5008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwQueryKey
Address: F753420A
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwQueryValueKey
Address: F753408A
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwResumeThread
Address: 86738138
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetContextThread
Address: 867A3050
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetInformationProcess
Address: 867A3130
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetSystemInformation
Address: 8677E0F0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetValueKey
Address: F5911160
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwSuspendProcess
Address: 867BE130
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSuspendThread
Address: 86757068
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: 86753708
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateThread
Address: 86757148
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwUnmapViewOfSection
Address: 867B28E0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwWriteVirtualMemory
Address: 86738C50
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************

rich_hilton
Novice
Posts: 30
Joined: 2011-12-13
OS: XP and Vista
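The SysProt log above is raw data and the thread does not interpret it, but two things in it are what a practitioner triages first: SSDT entries whose handler address SysProt could not map to any driver image (Driver Name: _unknown_, Driver Base 0), and hidden kernel modules with no service key behind them. Either can be a rootkit or a security product that hooks from allocated pool; the log alone does not decide which. The following is an added example, not code from the original thread or from the SysProt tool, that parses a log in SysProt's "Key: Value" record format and flags those two patterns. The embedded log excerpt is constructed in the shape of the posted log (a handful of its entries, not the whole log); the finding names are my own.

```python
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in SysProt's record format: a few entries in the shape
# of the posted log, not the full log.
SAMPLE_LOG = r"""
Kernel Modules:
Module Name: spas.sys
Service Name: ---
Module Base: F751A000
Module End: F760D000
Hidden: Yes

Module Name: SYMDS.SYS
Service Name: SymDS
Module Base: F7415000
Module End: F746C000
Hidden: Yes

SSDT:
Function Name: ZwAlertResumeThread
Address: 8679A008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwEnumerateKey
Address: F7533DA4
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwCreateKey
Address: F5910980
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
"""

Record = Dict[str, str]


def parse_sections(text: str) -> Dict[str, List[Record]]:
    """Split the log into sections ("Kernel Modules", "SSDT") of blank-line
    separated records. A line whose only colon is trailing is a section header."""
    sections: Dict[str, List[Record]] = {}
    name: Optional[str] = None
    record: Record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                      # SysProt's asterisk separators
            continue
        if line.endswith(":") and ":" not in line[:-1]:
            name = line[:-1]
            sections.setdefault(name, [])
            continue
        if not line:
            if record and name is not None:
                sections[name].append(record)
            record = {}
            continue
        key, _, value = line.partition(":")           # paths keep their own colons
        record[key.strip()] = value.strip()
    if record and name is not None:
        sections[name].append(record)
    return sections


def owner_of(address: int, modules: List[Record]) -> Optional[Record]:
    """Return the listed module whose [Base, End) range contains address, if any."""
    for mod in modules:
        if int(mod["Module Base"], 16) <= address < int(mod["Module End"], 16):
            return mod
    return None


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (finding, subject, detail) tuples worth a human look."""
    sections = parse_sections(text)
    modules = sections.get("Kernel Modules", [])
    findings: List[Tuple[str, str, str]] = []

    def unregistered(mod: Record) -> bool:
        # Hidden from the normal module list and not backed by any service key.
        return mod.get("Hidden") == "Yes" and mod.get("Service Name") == "---"

    for mod in modules:
        if unregistered(mod):
            findings.append(("hidden-module-no-service", mod["Module Name"], ""))

    for hook in sections.get("SSDT", []):
        mod = owner_of(int(hook["Address"], 16), modules)
        if hook.get("Driver Name") == "_unknown_" and mod is None:
            # Handler sits in memory that belongs to no loaded driver image
            # (typically allocated pool): the classic shape of an SSDT redirect.
            findings.append(("ssdt-hook-outside-modules", hook["Function Name"], hook["Address"]))
        elif mod is not None and unregistered(mod):
            findings.append(("ssdt-hook-by-unregistered-module", hook["Function Name"], mod["Module Name"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Run against the full posted log this reports the spas.sys module once, every _unknown_ SSDT entry, and the five ZwEnumerateKey/ZwEnumerateValueKey/ZwOpenKey/ZwQueryKey/ZwQueryValueKey hooks that resolve into spas.sys; the SYMEVENT.SYS hooks are not flagged because SysProt mapped them to a named driver image. The next step for a flagged entry is to identify the owner of the address from a live kernel debugger or memory image, which this script does not do.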

Re: Tidserv Activity 2

Post by Superdave on Fri Dec 23, 2011 7:20 pm

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
[You must be registered and logged in to see this link.]
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Superdave
Captain
Posts: 4202
Joined: 2010-02-01
Gender: Male
OS: Windows 8.1 and a dual-boot with XP Home SP3
Protection: MSE, Windows Defender, Windows firewall

Re: Tidserv Activity 2

Post by rich_hilton on Sat Dec 24, 2011 1:13 am

Hi Dave
Unfortunately I can no longer connect my desktop to the internet. I have Cisco's Network Magic installed on all of my machines, and following its troubleshooting guide (plus sometimes actually having to unscrew the coax cable from the Comcast cable modem) has always got me out of trouble before. The desktop is connected by Ethernet, as is my wife's desktop, which is still working fine, so I am at a bit of a loss to know what to do next. The fault seemed to occur after a run of SAS. I'm currently uninstalling the Realtek Ethernet driver and rebooting - it just found the Ethernet hardware after reboot, so let's hope that works. Now I have to reboot again to satisfy "the software that supports your hardware" - I suppose that means Network Magic or maybe the driver?? Isn't this fun??
While I'm waiting for the 2nd reboot I have a question - how the hell do you know all this stuff - is this your day job too or just a (very serious) hobby?
OH lovely! - now Network Magic and IE tools can't detect the Ethernet Adapter even though it shows OK under Device Manager. I don't seem to have any good software for probing network Adapters - any suggestions?
I can download stuff on my laptop which is what I am using to communicate with you and the rest of the world.
Best regards
Clive


Re: Tidserv Activity 2

Post by Superdave on Sat Dec 24, 2011 7:48 pm

how the hell do you know all this stuff - is this your day job too or just a (very serious) hobby?
Over three years of training on-line. This is just a hobby. I couldn't get rich doing this for a living as everything is free.

Please download [You must be registered and logged in to see this link.] to Desktop and run it.

Checkmark the following boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • List content of Hosts
  • List IP Configuration
  • List Last 10 Event Viewer Errors
  • List Users, Partitions and Memory Size

Click Go and copy/paste the log (Result.txt) into your next post.


Re: Tidserv Activity 2

Post by rich_hilton on Sun Dec 25, 2011 8:15 pm

Dear Dave
I just came online to thank you for all your help and wish you a very Merry Christmas - didn't expect a note from you on Christmas Eve!
Thanks very much!
Clearly you are not in this for the money - it's nice to communicate with someone who might be even more altruistic than I am - that's a rarity.
I'll do as you suggest with the MiniToolBox
Have a great Christmas Day.
Cheers
Clive


Re: Tidserv Activity 2

Post by Superdave on Sun Dec 25, 2011 8:30 pm

rich_hilton wrote: Dear Dave
I just came online to thank you for all your help and wish you a very Merry Christmas - didn't expect a note from you on Christmas Eve!
Thanks very much!
Clearly you are not in this for the money - it's nice to communicate with someone who might be even more altruistic than I am - that's a rarity.
I'll do as you suggest with the MiniToolBox
Have a great Christmas Day.
Cheers
Clive
Malware never takes a holiday and neither do I. Merry Christmas.


Re: Tidserv Activity 2

Post by rich_hilton on Mon Dec 26, 2011 9:07 pm

Hi Dave
Here's the result of the MiniToolKit run.
I noticed this in the Result:-
========================================
Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
========================================
I believe NetBT was spotted by one of the antivirus/Antispy applications as containing a Trojan and may have been erased or quarantined.
Is that possible and possibly the reason my networks adapter isn't working????
In a previous communication I said :-
======================================
Hi Dave
I could only run ComboFix
It discovered that Rootkit.ZeroAccess had inserted itself into the tcp/ip stack and attempted to fix it.
======================================
That sounds very suspect too! Might have stuffed up the tcp/ip communication.
Best regards
Clive


MiniToolBox by Farbar
Ran by Clive (administrator) on 26-12-2011 at 11:41:13
Microsoft Windows XP Home Edition Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek RTL8139 Family PCI Fast Ethernet NIC = Local Area Connection 3 (Connected)
1394 Net Adapter = 1394 Connection (Connected)

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip

popd
# End of interface IP configuration

Windows IP Configuration

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host bleepingcomputer.com. Please check the name and try again.

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/24/2011 11:28:23 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x042c22c8.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/23/2011 04:31:42 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/22/2011 00:11:29 PM) (Source: Application Error) (User: )
Description: Fault bucket 1272456061.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (12/22/2011 00:11:27 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x676c8062.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/22/2011 10:33:34 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.


DETAIL - Insufficient system resources exist to complete the requested service.

Error: (12/21/2011 07:56:09 PM) (Source: Application Error) (User: )
Description: Fault bucket 862106380.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (12/21/2011 07:55:57 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x05d522c8.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/21/2011 06:03:27 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: with error: This operation returned because the timeout period expired.

Error: (12/21/2011 05:34:59 PM) (Source: SENS) (User: )
Description: Event System Win32 Error: No service is operating at the destination network endpoint on the remote system.

ServiceStart(): SensInitialize() failed

Error: (12/21/2011 05:33:04 PM) (Source: MySQL) (User: )
Description: Aborting


System errors:
=============
Error: (12/26/2011 04:30:53 AM) (Source: DCOM) (User: SYSTEM)
Description: The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register with DCOM within the required timeout.

Error: (12/26/2011 04:30:25 AM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The Symantec Eraser Service service failed to start due to the following error:
%%1053

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Symantec Eraser Service service to connect.

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the following nonexistent service: NetBT

Error: (12/25/2011 08:40:41 PM) (Source: DCOM) (User: SYSTEM)
Description: The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register with DCOM within the required timeout.

Error: (12/25/2011 08:40:02 PM) (Source: Service Control Manager) (User: )
Description: The Symantec Eraser Service service failed to start due to the following error:
%%1053

Error: (12/25/2011 08:40:02 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Symantec Eraser Service service to connect.

Error: (12/25/2011 08:40:02 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT


Microsoft Office Sessions:
=========================
Error: (12/24/2011 11:28:23 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.0042c22c8

Error: (12/23/2011 04:31:42 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.55120.0.0.000000000

Error: (12/22/2011 00:11:29 PM) (Source: Application Error)(User: )
Description: 1272456061

Error: (12/22/2011 00:11:27 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.0676c8062

Error: (12/22/2011 10:33:34 AM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: Insufficient system resources exist to complete the requested service.

Error: (12/21/2011 07:56:09 PM) (Source: Application Error)(User: )
Description: 862106380

Error: (12/21/2011 07:55:57 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.005d522c8

Error: (12/21/2011 06:03:27 PM) (Source: crypt32)(User: )
Description: [You must be registered and logged in to see this link.] operation returned because the timeout period expired.

Error: (12/21/2011 05:34:59 PM) (Source: SENS)(User: )
Description: Event System Win32 Error: No service is operating at the destination network endpoint on the remote system.

ServiceStart(): SensInitialize() failed

Error: (12/21/2011 05:33:04 PM) (Source: MySQL)(User: )
Description: Aborting


========================= Memory info: ===================================

Percentage of memory in use: 31%
Total physical RAM: 1023.53 MB
Available physical RAM: 700.3 MB
Total Pagefile: 2461.45 MB
Available Pagefile: 1752.55 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.26 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:322.27 GB) (Free:43.81 GB) NTFS
3 Drive d: () (Fixed) (Total:143.49 GB) (Free:11.64 GB) NTFS
7 Drive h: (DRV2_VOL2) (Fixed) (Total:97.62 GB) (Free:0.83 GB) NTFS
8 Drive i: (DRV2_VOL1) (Fixed) (Total:14.16 GB) (Free:1.52 GB) FAT32
9 Drive j: (FreeAgent Drive) (Fixed) (Total:1397.26 GB) (Free:0.05 GB) NTFS
10 Drive k: (FreeAgent Drive) (Fixed) (Total:698.64 GB) (Free:70.45 GB) NTFS
11 Drive l: () (Removable) (Total:7.45 GB) (Free:0.08 GB) FAT32
12 Drive m: (Iomega HDD) (Fixed) (Total:1863.01 GB) (Free:732.77 GB) NTFS

========================= Users: ========================================

User accounts for \\CB-SONY-DESKTOP

Administrator ASPNET Clive
Guest HelpAssistant SUPPORT_388945a0


**** End of log ****


Re: Tidserv Activity 2

Post by Superdave on Tue Dec 27, 2011 1:31 am

Please download [You must be registered and logged in to see this link.] and run it on the computer with the issue.

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Re: Tidserv Activity 2

Post by rich_hilton on Tue Dec 27, 2011 7:02 am

Hi Dave
Here is the result of the Farbar scan.
Registry keys missing
Best regards
Clive
++++++++++++++++++++++++++++++++++++++++
Farbar Service Scanner
Ran by Clive (administrator) on 26-12-2011 at 22:10:18
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit


Re: Tidserv Activity 2

Post by Superdave on Tue Dec 27, 2011 7:05 pm

Please run FSS again. It would appear that some of the log is missing.


Re: Tidserv Activity 2

Post by rich_hilton on Wed Dec 28, 2011 4:49 am

Hi Dave
I checked all the boxes this time.
Cheers
Clive
==========================================
Farbar Service Scanner
Ran by Clive (administrator) on 27-12-2011 at 20:43:38
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****


Re: Tidserv Activity 2

Post by Superdave on Wed Dec 28, 2011 7:36 pm

Following steps involve registry editing. Please create new restore point before proceeding!!!

How to:
XP - [You must be registered and logged in to see this link.]
Vista and Seven - [You must be registered and logged in to see this link.]

Download XP.zip file from here: [You must be registered and logged in to see this link.]
Unzip the file.
You'll find six files inside.
Right click on afd.reg file, click "Merge".
Allow registry merge.
Restart computer and see if internet works.

If not, please post a fresh Farbar Service Scanner log.


Re: Tidserv Activity 2

Post by rich_hilton on Thu Dec 29, 2011 3:25 am

Hi Dave
Sorry - that didn't work.
I was interrupted for a long time and forgot to create a restore point - fortunately nothing seemed to crash and I have created one now.
It seems like the NetBt is the problem??? As I said earlier I think it got clobbered by one of the AV/AS applications which found a trojan in it. I found this link which sounds like my problem to me but it horrifies me how much effort seems to be involved in rectifying it!
Whaddayathink? (I'm an Aussie, but have lived for nearly 15 years about 20 miles north of the Golden Gate Bridge.)

[You must be registered and logged in to see this link.]

Below is the new Farbar log.
All the best.
Clive
=====================================
Farbar Service Scanner
Ran by Clive (administrator) on 28-12-2011 at 18:45:53
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****

rich_hilton
Novice
Posts : 30
Joined : 2011-12-13
OS : XP and Vista
Points : 18618
# Likes : 0
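The FSS log above is the first thing to read in a case like this, and its format is the same every run, so here is an added example (written for this page, not part of the thread and not Farbar's code): a small parser that reduces an FSS log to a list of findings, so that the three "Attention!" lines about the missing NetBt key, the firewall-disabled policy and any file whose MD5 is not reported as legit stand out from the boilerplate. The sample log embedded in it is a shortened copy of the 29-12-2011 log in this thread; the Finding class and the function names are this example's own.

```python
"""Offline triage of a Farbar Service Scanner (FSS) log.

Added example: not part of the thread and not Farbar's code. FSS prints
sections headed 'Name:' over a line of '=' signs, 'Attention!' lines for
broken service keys, a registry dump when a policy disables the firewall
or System Restore, and 'path => verdict' lines for its file checks; this
reduces such a log to a list of findings. SAMPLE_LOG is a shortened copy
of the 29-12-2011 16:45 log posted in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
Farbar Service Scanner
Ran by Clive (administrator) on 29-12-2011 at 16:45:13
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


File Check:
========
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

**** End of log ****
"""

_UNDERLINE = re.compile(r"^=+$")
_SERVICE_STATE = re.compile(r"^(\S+) Service is (not running|running)\.")
_ATTENTION = re.compile(r"^Checking ([^:]+): Attention! (.*)$")
_FILE_CHECK = re.compile(r"^(.+?) => (.*)$")
_POLICY_VALUE = re.compile(r'^"(\w+)"=DWORD:(\d+)$', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    item: str
    detail: str


def split_sections(log_text):
    """Map each FSS section name to its lines; text before the first header goes under 'Header'."""
    sections, current = {}, "Header"
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        nxt = lines[i + 1].rstrip() if i + 1 < len(lines) else ""
        if line.endswith(":") and _UNDERLINE.match(nxt):   # 'Name:' followed by '====='
            current = line[:-1]
            i += 2
            continue
        sections.setdefault(current, []).append(line)
        i += 1
    return sections


def triage(log_text):
    """Return the findings a responder should look at, in log order."""
    sections = split_sections(log_text)
    findings, service = [], None
    for line in sections.get("Internet Services", []):
        m = _SERVICE_STATE.match(line)
        if m:
            service = m.group(1)
            if m.group(2) == "not running":
                findings.append(Finding("Internet Services", service, "service not running"))
            continue
        m = _ATTENTION.match(line)
        if m:   # FSS could not read Start/ImagePath/ServiceDll or the LEGACY_* enum key
            findings.append(Finding("Internet Services", service or m.group(1),
                                    m.group(1) + ": " + m.group(2)))
    for line in sections.get("Connection Status", []):
        if line.startswith("There is no connection") or "unreachable" in line:
            findings.append(Finding("Connection Status", "network", line))
    for name in ("Firewall Disabled Policy", "System Restore Disabled Policy"):
        key = None   # FSS prints the policy key and value only when such a policy exists
        for line in sections.get(name, []):
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
            m = _POLICY_VALUE.match(line)
            if m:
                findings.append(Finding(name, key or "?", m.group(1) + "=" + m.group(2)))
    for line in sections.get("File Check", []):
        m = _FILE_CHECK.match(line)
        if m and m.group(2).strip() != "MD5 is legit":   # anything but a clean verdict is reported
            findings.append(Finding("File Check", m.group(1).strip(), m.group(2).strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s: %s" % (f.section, f.item, f.detail))
```

Run against the sample it reports nine findings: two services not running, the three NetBt "Attention!" lines, three connectivity lines and the EnableFirewall=0 policy; the File Check section produces nothing because every MD5 is reported as legit.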

Re: Tidserv Activity 2

Post by rich_hilton on Thu Dec 29, 2011 3:52 am

Hello again Dave
I've looked at my registry and the entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
is missing.
I have obtained a copy of NetBt.reg (see below) from the ChristOwles link in my last post. What, if anything, should I do with it?
Can I merge it with the registry as we did before?
=========================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"Bind"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,\
00,69,00,70,00,5f,00,7b,00,34,00,38,00,43,00,35,00,37,00,43,00,39,00,44,00,\
2d,00,38,00,41,00,41,00,34,00,2d,00,34,00,37,00,44,00,45,00,2d,00,41,00,36,\
00,45,00,37,00,2d,00,38,00,35,00,39,00,46,00,30,00,35,00,44,00,44,00,39,00,\
30,00,43,00,34,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,\
00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,36,00,38,00,38,00,33,00,36,00,\
34,00,45,00,32,00,2d,00,43,00,35,00,44,00,43,00,2d,00,34,00,45,00,41,00,32,\
00,2d,00,41,00,30,00,30,00,46,00,2d,00,44,00,32,00,38,00,38,00,43,00,31,00,\
45,00,35,00,33,00,33,00,35,00,41,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,\
00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,30,00,38,00,\
30,00,39,00,41,00,38,00,43,00,30,00,2d,00,38,00,46,00,35,00,44,00,2d,00,34,\
00,37,00,30,00,46,00,2d,00,38,00,44,00,30,00,44,00,2d,00,30,00,45,00,33,00,\
35,00,37,00,31,00,33,00,33,00,31,00,30,00,36,00,37,00,7d,00,00,00,5c,00,44,\
00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,\
7b,00,41,00,44,00,33,00,37,00,39,00,30,00,32,00,33,00,2d,00,33,00,33,00,45,\
00,32,00,2d,00,34,00,32,00,42,00,41,00,2d,00,39,00,33,00,39,00,39,00,2d,00,\
43,00,44,00,38,00,31,00,43,00,45,00,30,00,46,00,45,00,30,00,33,00,38,00,7d,\
00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,\
69,00,70,00,5f,00,7b,00,46,00,44,00,31,00,36,00,36,00,38,00,34,00,37,00,2d,\
00,37,00,42,00,31,00,30,00,2d,00,34,00,35,00,45,00,33,00,2d,00,41,00,41,00,\
35,00,31,00,2d,00,38,00,37,00,32,00,33,00,44,00,39,00,41,00,30,00,34,00,31,\
00,31,00,33,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,\
54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,42,00,30,00,43,00,39,00,35,00,33,\
00,41,00,34,00,2d,00,42,00,45,00,31,00,35,00,2d,00,34,00,41,00,39,00,46,00,\
2d,00,39,00,31,00,34,00,31,00,2d,00,34,00,31,00,45,00,39,00,45,00,46,00,36,\
00,33,00,35,00,45,00,31,00,36,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\
63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,32,00,30,00,44,\
00,42,00,36,00,35,00,31,00,31,00,2d,00,30,00,39,00,43,00,44,00,2d,00,34,00,\
45,00,37,00,39,00,2d,00,41,00,43,00,38,00,31,00,2d,00,42,00,35,00,41,00,30,\
00,38,00,33,00,45,00,43,00,41,00,33,00,31,00,36,00,7d,00,00,00,5c,00,44,00,\
65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,\
00,45,00,44,00,35,00,45,00,42,00,33,00,35,00,42,00,2d,00,32,00,37,00,30,00,\
44,00,2d,00,34,00,34,00,32,00,46,00,2d,00,39,00,42,00,35,00,41,00,2d,00,32,\
00,45,00,38,00,45,00,30,00,45,00,38,00,32,00,37,00,44,00,32,00,44,00,7d,00,\
00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,69,\
00,70,00,5f,00,7b,00,43,00,36,00,39,00,45,00,46,00,36,00,30,00,39,00,2d,00,\
46,00,35,00,36,00,35,00,2d,00,34,00,43,00,45,00,42,00,2d,00,42,00,34,00,37,\
00,44,00,2d,00,37,00,31,00,44,00,42,00,39,00,33,00,45,00,41,00,31,00,39,00,\
43,00,46,00,7d,00,00,00,00,00
"Route"=hex(7):22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,34,\
00,38,00,43,00,35,00,37,00,43,00,39,00,44,00,2d,00,38,00,41,00,41,00,34,00,\
2d,00,34,00,37,00,44,00,45,00,2d,00,41,00,36,00,45,00,37,00,2d,00,38,00,35,\
00,39,00,46,00,30,00,35,00,44,00,44,00,39,00,30,00,43,00,34,00,7d,00,22,00,\
00,00,22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,36,00,38,\
00,38,00,33,00,36,00,34,00,45,00,32,00,2d,00,43,00,35,00,44,00,43,00,2d,00,\
34,00,45,00,41,00,32,00,2d,00,41,00,30,00,30,00,46,00,2d,00,44,00,32,00,38,\
00,38,00,43,00,31,00,45,00,35,00,33,00,33,00,35,00,41,00,7d,00,22,00,00,00,\
22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,30,00,38,00,30,\
00,39,00,41,00,38,00,43,00,30,00,2d,00,38,00,46,00,35,00,44,00,2d,00,34,00,\
37,00,30,00,46,00,2d,00,38,00,44,00,30,00,44,00,2d,00,30,00,45,00,33,00,35,\
00,37,00,31,00,33,00,33,00,31,00,30,00,36,00,37,00,7d,00,22,00,00,00,22,00,\
54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,41,00,44,00,33,00,37,\
00,39,00,30,00,32,00,33,00,2d,00,33,00,33,00,45,00,32,00,2d,00,34,00,32,00,\
42,00,41,00,2d,00,39,00,33,00,39,00,39,00,2d,00,43,00,44,00,38,00,31,00,43,\
00,45,00,30,00,46,00,45,00,30,00,33,00,38,00,7d,00,22,00,00,00,22,00,54,00,\
63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,46,00,44,00,31,00,36,00,36,\
00,38,00,34,00,37,00,2d,00,37,00,42,00,31,00,30,00,2d,00,34,00,35,00,45,00,\
33,00,2d,00,41,00,41,00,35,00,31,00,2d,00,38,00,37,00,32,00,33,00,44,00,39,\
00,41,00,30,00,34,00,31,00,31,00,33,00,7d,00,22,00,00,00,22,00,54,00,63,00,\
70,00,69,00,70,00,22,00,20,00,22,00,7b,00,42,00,30,00,43,00,39,00,35,00,33,\
00,41,00,34,00,2d,00,42,00,45,00,31,00,35,00,2d,00,34,00,41,00,39,00,46,00,\
2d,00,39,00,31,00,34,00,31,00,2d,00,34,00,31,00,45,00,39,00,45,00,46,00,36,\
00,33,00,35,00,45,00,31,00,36,00,7d,00,22,00,00,00,22,00,54,00,63,00,70,00,\
69,00,70,00,22,00,20,00,22,00,7b,00,32,00,30,00,44,00,42,00,36,00,35,00,31,\
00,31,00,2d,00,30,00,39,00,43,00,44,00,2d,00,34,00,45,00,37,00,39,00,2d,00,\
41,00,43,00,38,00,31,00,2d,00,42,00,35,00,41,00,30,00,38,00,33,00,45,00,43,\
00,41,00,33,00,31,00,36,00,7d,00,22,00,00,00,22,00,54,00,63,00,70,00,69,00,\
70,00,22,00,20,00,22,00,4e,00,64,00,69,00,73,00,57,00,61,00,6e,00,49,00,70,\
00,22,00,00,00,00,00
"Export"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,\
00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,34,00,38,00,\
43,00,35,00,37,00,43,00,39,00,44,00,2d,00,38,00,41,00,41,00,34,00,2d,00,34,\
00,37,00,44,00,45,00,2d,00,41,00,36,00,45,00,37,00,2d,00,38,00,35,00,39,00,\
46,00,30,00,35,00,44,00,44,00,39,00,30,00,43,00,34,00,7d,00,00,00,5c,00,44,\
00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,\
54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,36,00,38,00,38,00,33,00,36,00,34,\
00,45,00,32,00,2d,00,43,00,35,00,44,00,43,00,2d,00,34,00,45,00,41,00,32,00,\
2d,00,41,00,30,00,30,00,46,00,2d,00,44,00,32,00,38,00,38,00,43,00,31,00,45,\
00,35,00,33,00,33,00,35,00,41,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\
63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,\
00,70,00,5f,00,7b,00,30,00,38,00,30,00,39,00,41,00,38,00,43,00,30,00,2d,00,\
38,00,46,00,35,00,44,00,2d,00,34,00,37,00,30,00,46,00,2d,00,38,00,44,00,30,\
00,44,00,2d,00,30,00,45,00,33,00,35,00,37,00,31,00,33,00,33,00,31,00,30,00,\
36,00,37,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,\
00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,\
41,00,44,00,33,00,37,00,39,00,30,00,32,00,33,00,2d,00,33,00,33,00,45,00,32,\
00,2d,00,34,00,32,00,42,00,41,00,2d,00,39,00,33,00,39,00,39,00,2d,00,43,00,\
44,00,38,00,31,00,43,00,45,00,30,00,46,00,45,00,30,00,33,00,38,00,7d,00,00,\
00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,\
54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,46,00,44,00,31,00,36,\
00,36,00,38,00,34,00,37,00,2d,00,37,00,42,00,31,00,30,00,2d,00,34,00,35,00,\
45,00,33,00,2d,00,41,00,41,00,35,00,31,00,2d,00,38,00,37,00,32,00,33,00,44,\
00,39,00,41,00,30,00,34,00,31,00,31,00,33,00,7d,00,00,00,5c,00,44,00,65,00,\
76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,\
00,70,00,69,00,70,00,5f,00,7b,00,42,00,30,00,43,00,39,00,35,00,33,00,41,00,\
34,00,2d,00,42,00,45,00,31,00,35,00,2d,00,34,00,41,00,39,00,46,00,2d,00,39,\
00,31,00,34,00,31,00,2d,00,34,00,31,00,45,00,39,00,45,00,46,00,36,00,33,00,\
35,00,45,00,31,00,36,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,\
00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,\
5f,00,7b,00,32,00,30,00,44,00,42,00,36,00,35,00,31,00,31,00,2d,00,30,00,39,\
00,43,00,44,00,2d,00,34,00,45,00,37,00,39,00,2d,00,41,00,43,00,38,00,31,00,\
2d,00,42,00,35,00,41,00,30,00,38,00,33,00,45,00,43,00,41,00,33,00,31,00,36,\
00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,\
74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,45,00,44,\
00,35,00,45,00,42,00,33,00,35,00,42,00,2d,00,32,00,37,00,30,00,44,00,2d,00,\
34,00,34,00,32,00,46,00,2d,00,39,00,42,00,35,00,41,00,2d,00,32,00,45,00,38,\
00,45,00,30,00,45,00,38,00,32,00,37,00,44,00,32,00,44,00,7d,00,00,00,5c,00,\
44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,\
00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,43,00,36,00,39,00,45,00,46,00,\
36,00,30,00,39,00,2d,00,46,00,35,00,36,00,35,00,2d,00,34,00,43,00,45,00,42,\
00,2d,00,42,00,34,00,37,00,44,00,2d,00,37,00,31,00,44,00,42,00,39,00,33,00,\
45,00,41,00,31,00,39,00,43,00,46,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001
"DhcpNodeType"=dword:00000008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


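Before merging a .reg file obtained from a forum link it is worth decoding what it will actually write: the ImagePath and DependOnService values above are stored as comma-separated UTF-16LE bytes (hex(2) is REG_EXPAND_SZ, hex(7) is REG_MULTI_SZ) split over continuation lines, which is unreadable at a glance. The following is an added example, not code from the thread: a parser for the Regedit 5.00 export format plus a check that the file only recreates the NetBT kernel driver entry (Type 1, a start type in the valid range, ImagePath under system32\DRIVERS, a dependency on Tcpip) and touches no other key. The sample is a shortened copy of Clive's NetBt.reg with the long Linkage and Security keys left out; NETBT_KEY and check_netbt_reg are names chosen here.

```python
r"""Decode a Regedit 5.00 export (.reg) before merging it.

Added example; not part of the thread. A .reg file encodes REG_EXPAND_SZ
(hex(2)) and REG_MULTI_SZ (hex(7)) as comma-separated UTF-16LE bytes, split
over lines that end in a backslash, so the ImagePath a downloaded file will
install is invisible in the text. This parser turns the values back into
Python objects and checks the points that matter for the NetBT driver entry.
SAMPLE_REG is a shortened copy of the NetBt.reg posted in the thread.
"""
import re

NETBT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT"

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"""


def _join_continuations(text):
    """Glue lines ending in a backslash onto the following line (the .reg convention)."""
    joined, buf = [], ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        joined.append(buf)
        buf = ""
    if buf:
        joined.append(buf)
    return joined


def _unescape(s):
    return s.replace("\\\\", "\\").replace('\\"', '"')


def decode_value(raw):
    """Return (registry type name, Python value) for the right-hand side of a value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"^(hex(?:\(\d+\))?):(.*)$", raw, re.IGNORECASE)
    if not m:
        raise ValueError("unsupported value syntax: " + raw[:40])
    kind = m.group(1).lower()
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == "hex(2)":   # REG_EXPAND_SZ: one UTF-16LE string with a terminating NUL
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    if kind == "hex(7)":   # REG_MULTI_SZ: NUL-separated strings, double NUL at the end
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s]
    return ("REG_BINARY" if kind == "hex" else kind.upper()), data


def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}} for a Regedit 5.00 export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]           # a leading '-' here would mean "delete this key"
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value outside any key: " + line)
        name, _, raw = line.partition("=")
        name = "" if name == "@" else _unescape(name.strip('"'))
        keys[current][name] = decode_value(raw)
    return keys


def check_netbt_reg(text):
    """Reasons not to merge; an empty list means the file only recreates NetBT as expected."""
    problems, keys = [], parse_reg(text)
    for key in keys:
        if not key.upper().startswith(NETBT_KEY.upper()):
            problems.append("writes outside the NetBT service subtree: " + key)
    svc = keys.get(NETBT_KEY, {})
    image = svc.get("ImagePath", (None, ""))[1]
    if not re.fullmatch(r"system32\\drivers\\netbt\.sys", str(image), re.IGNORECASE):
        problems.append("unexpected ImagePath: %r" % (image,))
    if svc.get("Type", (None, None))[1] != 1:                 # SERVICE_KERNEL_DRIVER
        problems.append("Type is not a kernel driver")
    if svc.get("Start", (None, None))[1] not in (0, 1, 2, 3, 4):
        problems.append("Start is not a valid start type")
    if svc.get("DependOnService", (None, []))[1] != ["Tcpip"]:
        problems.append("unexpected dependencies")
    return problems


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key)
        for name, (kind, value) in values.items():
            print("   %-20s %-14s %r" % (name, kind, value))
    print("problems:", check_netbt_reg(SAMPLE_REG) or "none")
```

Decoded, the posted file sets ImagePath to system32\DRIVERS\netbt.sys, Start 1 (system start), Type 1 (kernel driver) and a single dependency on Tcpip, and every key it creates sits under the NetBT service, which is what a file meant to recreate that one service should look like. The same function flags a copy that adds a Run key or repoints ImagePath elsewhere.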

Re: Tidserv Activity 2

Post by Superdave on Thu Dec 29, 2011 7:09 pm

Can I merge it with the registry as we did before?

Please try these first.

Download [You must be registered and logged in to see this link.] to fix broken LSP chain for XP (if needed).

  • Double click on WinsockXPFix.
  • Click Fix.

************************************************
Go Start>Run (Start search in Vista and 7), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Superdave
Captain
Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection : MSE, Windows Defender, Windows firewall
Points : 83161
# Likes : 0

Re: Tidserv Activity 2

Post by Superdave on Fri Dec 30, 2011 12:03 am

Please ignore the two instructions I posted in my previous post and try the following.

The following steps involve registry editing. Please create new restore point before proceeding!!!

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

Download XP.zip file from here: [You must be registered and logged in to see this link.]
Unzip the file.
You'll find six files inside.
Right click on Legacy_netbt.reg file, click "Merge".
Allow registry merge.

Please go back to the Root key again and, while Everyone is selected, remove the check mark in the box under Allow next to Full Control, then close the registry editor.
Restart computer.

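Granting Everyone Full Control on Enum\Root, even temporarily, is one ACL to be careful with; a second one hides in the NetBt.reg Clive posted. The Security value under ...\Services\NetBT\Security is the service object's security descriptor, which the Service Control Manager enforces on the service itself (the registry key's own ACL is separate). A .reg file that recreates a system-start driver and also grants a low-privileged group SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER would let that group repoint ImagePath. The added example below (not from the thread) decodes that self-relative descriptor, names the well-known SIDs, spells out the service access rights and flags any such weak ACE. SECURITY_HEX is the value copied from the posted .reg; the SID and rights tables are standard Windows constants, and LOW_PRIV and weak_aces are this example's own choices.

```python
r"""Decode the 'Security' value of a service key (a self-relative SECURITY_DESCRIPTOR).

Added example; not part of the thread. Under
HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Security the value 'Security'
holds the descriptor the Service Control Manager applies to the service
object, so it decides who may reconfigure or stop the service. SECURITY_HEX
is the value from the NetBt.reg posted in the thread, with the line
continuations removed.
"""
import struct
from dataclasses import dataclass

SECURITY_HEX = (
    "01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,"
    "00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,"
    "00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,"
    "05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,"
    "23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,"
    "02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,"
    "00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,"
    "00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,"
    "01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,"
    "00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,"
    "00,00,00,00,00,05,12,00,00,00"
)
SECURITY = bytes(int(b, 16) for b in SECURITY_HEX.split(",") if b)

ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}
SERVICE_RIGHTS = [   # service-specific rights plus the standard rights that matter here
    (0x00001, "QUERY_CONFIG"), (0x00002, "CHANGE_CONFIG"), (0x00004, "QUERY_STATUS"),
    (0x00008, "ENUMERATE_DEPENDENTS"), (0x00010, "START"), (0x00020, "STOP"),
    (0x00040, "PAUSE_CONTINUE"), (0x00080, "INTERROGATE"), (0x00100, "USER_DEFINED_CONTROL"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-5-4": "INTERACTIVE", "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users", "S-1-5-32-547": "Power Users",
    "S-1-5-32-549": "Server Operators", "S-1-5-32-556": "Network Configuration Operators",
}
LOW_PRIV = {"S-1-1-0", "S-1-5-4", "S-1-5-11", "S-1-5-32-545"}   # every local user holds these
TAKEOVER_MASK = 0x00002 | 0x40000 | 0x80000   # CHANGE_CONFIG | WRITE_DAC | WRITE_OWNER


@dataclass(frozen=True)
class Ace:
    kind: str
    flags: int
    mask: int
    sid: str


@dataclass(frozen=True)
class SecurityDescriptor:
    control: int
    owner: str
    group: str
    sacl: tuple
    dacl: tuple


def read_sid(buf, off):
    """Decode a binary SID (revision, sub-authority count, 48-bit authority, subs) to text."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def read_acl(buf, off):
    """Decode an ACL header and its ACEs (the common header+mask+SID layout)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append(Ace(ACE_TYPES.get(ace_type, "TYPE_%d" % ace_type), flags, mask, read_sid(buf, pos + 8)))
        pos += ace_size
    return tuple(aces)


def parse_sd(buf):
    rev, _sbz, control, owner_off, group_off, sacl_off, dacl_off = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:                      # SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    sacl = read_acl(buf, sacl_off) if control & 0x0010 and sacl_off else ()   # SE_SACL_PRESENT
    dacl = read_acl(buf, dacl_off) if control & 0x0004 and dacl_off else ()   # SE_DACL_PRESENT
    return SecurityDescriptor(control, read_sid(buf, owner_off), read_sid(buf, group_off), sacl, dacl)


def rights(mask):
    if mask & 0xF01FF == 0xF01FF:
        return "SERVICE_ALL_ACCESS"
    return "|".join(name for bit, name in SERVICE_RIGHTS if mask & bit)


def weak_aces(sd):
    """ALLOW ACEs that hand a low-privileged principal a right to take the service over."""
    return [a for a in sd.dacl if a.kind == "ALLOW" and a.sid in LOW_PRIV and a.mask & TAKEOVER_MASK]


def describe(sd):
    lines = ["owner=%s group=%s" % (WELL_KNOWN.get(sd.owner, sd.owner), WELL_KNOWN.get(sd.group, sd.group))]
    for a in sd.dacl:
        lines.append("%-5s %-32s 0x%08x %s" % (a.kind, WELL_KNOWN.get(a.sid, a.sid), a.mask, rights(a.mask)))
    return lines


if __name__ == "__main__":
    sd = parse_sd(SECURITY)
    print("\n".join(describe(sd)))
    print("weak ACEs:", weak_aces(sd) or "none")
```

Decoded, the posted value has SYSTEM as owner, an audit ACE for failed access by Everyone, and an eight-entry DACL in which only Administrators and Server Operators receive SERVICE_ALL_ACCESS; Authenticated Users get query rights and Power Users additionally SERVICE_START, neither of which includes CHANGE_CONFIG or WRITE_DAC, so on this point the file is clean. Flipping the Authenticated Users mask to full access, as the test does, is exactly what the check is there to catch.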

Re: Tidserv Activity 2

Post by rich_hilton on Fri Dec 30, 2011 1:04 am

Hi Dave
I just saw your new 4:03 PM message as I tried to post mine below.
Please have a look at what I've said and I'll have a look at yours.
Cheers
CB
============================
Hi Dave
Well I tried that and have not seen any joy.
I installed a USB wireless stick and it seems to communicate with the router just fine but no internet connection. Farbar says still no NetBt (do we really need that?).
I can't continue this much longer - I need to be able to use my desktop for certain tasks that I've been unable to do for 3 weeks.
I'm thinking of writing a DriveImage XML image from 2009 back onto the C drive and using that as a starting point to rebuild, or maybe just use the Sony system restore disks????
But the PCPIP seems to be the only problem?
How close are we do you think?
What about the Windows Recovery option on bootup?
Best regards
Clive
========================================
Latest Farbar output:-


Farbar Service Scanner
Ran by Clive (administrator) on 29-12-2011 at 16:45:13
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****


Re: Tidserv Activity 2

Post by Superdave on Fri Dec 30, 2011 1:40 am

do we really need that?).

Yes. This is what the latest infection does. It removes necessary registry keys. If you follow my latest set of instructions, I'm sure it will fix the problem.


Re: Tidserv Activity 2

Post by rich_hilton on Fri Dec 30, 2011 2:01 am

Hi Dave
I tried your 4:03PM suggestion but still no joy. The Legacy_NetBt key exists (here's the entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT) and the entries inside it look reasonable compared to the Legacy_NetBios key (which I understand serves a similar function). But the FSS output below says that the NetBt registry key can't be opened????
Maybe this Network Diagnostics for Windows XP (courtesy of IE) holds the answer for someone who understands what it's trying to say. However, your 11:09 post, which I followed, looked like it should have fixed that, shouldn't it?
Regards
CB
P.S. I took the Dlink DWA130 USB wireless Stick out before running this. Note also that the 1394 is just a connection to an external HDD.
=================================================
Last diagnostic run time: 12/29/11 17:42:08 WinSock Diagnostic
WinSock status

info Error attmpting to validate the Winsock base providers: 2
error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
info Redirecting user to support call



Network Adapter Diagnostic
Network location detection

info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection 3, Device=Realtek RTL8139 Family PCI Fast Ethernet NIC, MediaType=LAN, SubMediaType=LAN
info Network connection: Name=1394 Connection, Device=1394 Net Adapter, MediaType=LAN, SubMediaType=1394
info Ethernet connection selected
Network adapter status

info Network connection status: Connected



HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12007 connecting to [You must be registered and logged in to see this link.] The server name or address could not be resolved
warn HTTP: Error 12007 connecting to [You must be registered and logged in to see this link.] The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to [You must be registered and logged in to see this link.] The server name or address could not be resolved
warn FTP (Active): Error 12007 connecting to [You must be registered and logged in to see this link.] The server name or address could not be resolved
warn HTTP: Error 12007 connecting to [You must be registered and logged in to see this link.] The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to [You must be registered and logged in to see this link.] The server name or address could not be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.
=================================================
====================================================
Farbar Service Scanner
Ran by Clive (administrator) on 29-12-2011 at 17:29:49
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****


Re: Tidserv Activity 2

Post by Superdave on Fri Dec 30, 2011 2:13 am

But the FSS output below says that the NetBt registry key can't be opened????

Did you do this first part?
Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.



Re: Tidserv Activity 2

Post by rich_hilton on Fri Dec 30, 2011 2:16 am

Yes - and all the rest of it as well


Re: Tidserv Activity 2

Post by rich_hilton on Fri Dec 30, 2011 2:18 am

I'm as sure as I can be that I followed all the instructions today to the letter.


Re: Tidserv Activity 2

Post by Superdave on Fri Dec 30, 2011 7:03 pm

Will you please try that fix again. It is supposed to fix your connection problem


Re: Tidserv Activity 2

Post by rich_hilton on Sat Dec 31, 2011 2:13 am

Hi Dave
Well I went carefully through that process again and still FSS says Unable to open NetBt registry key.
I have screen shots of the process as I actioned it but don't see any way to send them to you. Sometimes there is a file attachment box here sometimes not??? Not one here right now.
FSS complained that there was an AutoIt Error on Line 2443 when I ran it ("Error: Variable used without being declared"), so I downloaded FSS.exe afresh from the link you gave me and used the new version but still got the same error. Cheez this is painful - I never could understand when I heard that some people just dumped their virus-laden computers and went and bought a new one - now I do! In fact, although I still want to get this machine back in its right mind, I've decided that it is time to replace it as my main desktop after nearly nine years - it's amazing, given the grunty work I do on it like SolidWorks and Mefisto microwave models, that it has lasted me as well as it has. I have, very reluctantly, sprung for a new machine which is being built as I write (I hope).
Best regards
Clive
P.S. I should probably have mentioned previously that the XP machine has not been booting cleanly for several years, since I had a hard drive crash and replaced it with a new HDD and wrote the old (DriveImage XML) image back to the new drive. It kinda worked, but I have to hit F2 as it is booting and then boot from within the BIOS. The boot order is correct. After - I'm afraid to say it really - 51 years dealing with computers on a daily basis I have always been able to troubleshoot things that aren't right and get myself out of trouble, but this time - no! Yeah! 51 years! I'll be 73 in February - am I the oldest geek in the world? I'm surely not. But I'll swear to you I am not making any errors. Not Ga Ga yet!


==================================================
Farbar Service Scanner
Ran by Clive (administrator) on 30-12-2011 at 17:35:25
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Re: Tidserv Activity 2

Post by rich_hilton on Sat Dec 31, 2011 2:51 am

Hi Again Dave
I found this advice on [You must be registered and logged in to see this link.]
================================================
You have missing/corrupted two registry keys.

Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - [You must be registered and logged in to see this link.]
Vista and Seven - [You must be registered and logged in to see this link.]

Download XP.zip file from here: [You must be registered and logged in to see this link.]
Unzip the file.
You'll find several files inside.
Right click on netbt.reg file, click "Merge".
Allow registry merge.

Then....

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.
Go back to files you download in previous step.
Double-click LEGACY_netbt.reg and confirm the prompt.
Please go back to the Root key again and, while Everyone is selected, remove the check mark in the box under Allow next to Full Control, then close the registry editor.
============================================

So I followed it (note that includes the action
"Right click on netbt.reg file, click "Merge".
Allow registry merge."
which we hadn't been doing.

Now FSS gives:-
===============================================
Farbar Service Scanner
Ran by Clive (administrator) on 30-12-2011 at 18:39:28
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable
=================================================
So it's not complaining about being unable to open the registry key NetBt anymore - though it still isn't connecting to the internet. However, maybe if I do my tricks with unplugging the router and cable modem it might fetch an IP address and work OK (when my wife doesn't need the internet for her real estate transactions going on now).
Any other thoughts?
Best regards
Clive




Re: Tidserv Activity 2

Post by rich_hilton on Sat Dec 31, 2011 7:02 am

Hi Dave
Well the good news is that, when I uninstalled and reinstalled my Ethernet adapter, I could then talk to the web. (The Device Manager previously indicated all was well with the Ethernet adapter but I thought I should do the uninstall/reinstall to make sure and - voila!)
So now the question is "in what order would you suggest I should run SAS and MBAM and whatever else to ensure (as far as possible) that I can use financial software like Quicken safely?"
Thanks again so much for your help.
Is there a useful tutorial on all this stuff?
Best regards
Clive


Re: Tidserv Activity 2

Post by Superdave on Sat Dec 31, 2011 5:32 pm

So now the question is "in what order would you suggest I should run SAS and MBAM
It really doesn't matter.
Is there a useful tutorial on all this stuff?
You might be able to find something by googling.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
[You must be registered and logged in to see this link.]
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

