Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Invalid IP address after removing SECURITY PROTECTION virus PART 2


  • Please log in to reply

#1
Sesshu

Sesshu

    New Member

  • Member
  • Pip
  • 3 posts
I wasn't "allowed" to reply to the above thread name, http://www.geekstogo...otection-virus/ , and hopefully this post will add to it.

My relative has the same problem with the Security Protection Malware. I searched the net and was able to show him how to delete it (in safe mode--Networking). He was able to use the internet after that. I have some more information below. Please read the following which I got off the MicroSoft site and then my notes below:

http://answers.micro...04-9eaab2c40884

"Question

DHCP client won't start due to dependency
Applies To: Windows | Windows XP | Networking, Mail, and Getting Online
Suddenly my IBM T61 Windows XP Pro sp3 laptop will no longer connect to my Belkin router, either wired or wireless. This began after I allowed a series of Windows Updates to occur. Using ipconfig and other signs it appears that the DHCP process no longer occurs. Looking in the Device Manager Non-Plug-and-Play I could see that there was a yellow flag next to 'netBT' which is a dependency for a number of services like DHCP. Windows suggested I uninstall then reinstall the 'driver' netBT.sys. Well, it uninstalled OK but now it is off the list and without it loaded I am cut off from the network (I have a second Vista Home laptop that I am using to prowl for tech ideas). I moved a copy of netBT.sys from the Service pack 3 i386 folder into system32\drivers to replace the old one, just in case.
How to I get netBT to load and function again? I have spent many hours rebooting, enabling and disabling, and anything else that I could think of or find on Tech Boards.February 11, 2010

***
Answer SOLVED. Corrupted NetBT registry entry. HKLM\system\currentcontrolset\services\NetBT
After many hours of detective work I found the clue in the Events log through MSCONFIG. Error type 7001 means service failed to start because of a dependency (I knew that), but it went on to say "dir name or path syntax not correct". I went into the registry and used exactly the same path syntax as specified in NetBIOS "system32\DRIVERS\netBT.sys" and DHCP service started.

Jim in ArizonaFebruary 12, 2010

********

In reply to AZJim post on February 12, 2010

I had a similar event after hours of spending on why I cant pick up an IP address and not being able to start the DHCP client I came to the conclusion it must be a dependency

I did find that you need three things to be running for DHCP to work


here is the solution for me it was a matter of copying the file from a working computer and slamming into the drivers folder in system32

Symptom
DHCP Client Service may not automatically. When you attempt to start the Service manually, the following error may be displayed:

Error: Could not start the DHCP Client Service on local computer

Error 1068: The dependency service or group failed to start.

Resolution
The DHCP Client Service in Windows XP, depends on these three components:

•AFD
•NetBios over Tcpip
•TCP/IP Protocol Driver
If one of the above drivers fail to start, then the DHCP Client Service may not start.

Step I - Make sure that the three driver files are present
Open Windows Explorer and navigate to %Windir%\System32\Drivers folder. Make sure that the following files are present in the folder:

•afd.sys
•tcpip.sys
•netbt.sys
If one or more of the above driver files are missing, extract them from the Windows XP CD-ROM or from the ServicePackFiles\i386 folder, whichever is the latest version.

Step II - Verify the number of Dependencies
From other sources in the Web, I've found that installation of Norton Antivirus (NAV) adds an entry to the DHCP Service dependencies, and removing NAV does not remove the corresponding entry from the DHCP Dependencies.

To view the dependency services registered for DHCP Client Service, type the following command in Start, Run dialog:

CMD /K SC QC DHCP

Verify the output. It should be exactly as below:

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: dhcp
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME : LocalSystem

If additional entries are listed under DEPENDENCIES...

If any other additional drivers or Services are mentioned in the DEPENDENCIES section, you need to remove them via the registry. Follow these steps:

•Click Start, Run and type Regedit.exe
•Navigate to the following branch:
•Backup the branch to a REG file
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Dhcp

•Double-click DependOnService value and set its data as follows:
Tcpip
Afd
NetBT

•Close Regedit.exe
Step III - Verify that the Dependency Service / components are running
Next step is to verify that the three dependency components are running. Follow the steps below:

•Click Start, Run and type DEVMGMT.MSC
•In the View menu, click Show hidden devices
•Double-click Non-Plug and Play drivers section
•Double-click the entry AFD, and click the Driver tab
•Set the Startup type to System.
•Start the service. Note down the error message if any.
•Similarly start the two other drivers namely:
•TCP/IP Protocol Driver
•NetBios over Tcpip
•Close Device Manager and restart Windows
June 29, 2010

**********
In reply to AZJim post on February 12, 2010

THANK YOU!!! Just spent a few quality hours trying to resolve this exact issue... something deleted the netbt.sys... and after finding a new copy I dropped it in system32.... which was the wrong path according to that registry key.
Changed the reg key.... and BAM.... back in Business! :)

Thank YOU!"

***

Now this is Shesshu writing (me) again.

What happened to my relative was that AVG (a security suite) noticed that something was wrong with HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ NetBT (this was the next day, after we did the fix to remove "Security Protection"). My relative moved the possibly malicious file to AVG's virus vault as suggested by the AVG prompt.

However, that removed the NetBT "folder" from the registry. He was still able to access the internet (as stated above), I presume since he had an established connection already. He browsed a bit, powered down the PC and the next day was not able to access his DSL service. He called me.

After "Googling" around I stumbled onto the MicroSoft thread (link above) and this page.

Indeed, his DHCP would not "Start". He only had 2 dependencies, AFD Networking Support Environment and TCP/IP Protocol Driver. I assumed he needed another, NetBios over Tcpip 'NetBT' (but it was missing--we found it in the Virus Vault). I told him to "restore" it, and sure enough it appeared in the registry (it had been missing from there).

He went to Control Panel\Administrative Tools\Services and DHCP was already started and running and had all 3 dependencies listed: Tcpip/Afd/NetBT.

We still had no internet access so he restarted his PC. He still was not able to connect. His DSL provider was lost and had no "real" solutions (they passed it onto his PC maker).

As a note, my relative said that .NetBT appeared in "Services" (in the registry) as well as the restored NetBT (also in Services in the registry). It is possible that .NetBT and NetBT was flagged by AVG for potential removal since the files may be corrupt. He read me the files and they appeared okay, but my knowledge in this is limited.

He went into c:\windows\system32\drivers and when he right clicked NetBT.sys AvG said the file was infected, but only the "Ignore" option was available. He "Ignored" and right clicked NetBT.sys again and was able to delete it. We saved a backup NetBT.sys from ServicePackFiles\i386 folder to desktop but when he tried to move it into the "drivers" folder, a message told him that it was already there and could not be copied (yet he saw it go into the recycle bin). I assume that when he deleted it, XP replaced it with a "good" copy. He scanned the "new" NetBT.sys driver with AVG and it was clean. He also scanned AFD.sys and tcpip.sys and they were clean.

He restarted his PC but still did not have internet access. DHCP Client was fine in services (started and automatic). He right clicked local connection (in Network Connections) and then Status. The Status was connected, but there was no Activity (no packets sent/received). Clicking on the Support Tab he saw nothing, not even AddressType: Assigned by DHCP.

I'm now trying to figure out how to make it "Assigned by DHCP" and I hope I'm on the right track. I'm still researching and any help would be appreciated. I will post any new finding. Thanks.

Edited by Sesshu, 02 September 2011 - 01:28 PM.

  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Would like to see an OTL log per the rules of this forum.

Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.

Run OTL (Vista or Win 7 => right click and Run As Administrator)

select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Windows 7 or Vista: Right click on ComboFix and select Run As Administrator to start the program.
XP: Double click on Combofix to start the program.


* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Start, All Programs, Accessories then Command Prompt (Win 7 or Vista: Right click on Command Prompt and Run As Administrator)

Type with an Enter at the end of the line:

ipconfig /all

(What does it say about your connection?)

Ron
  • 0

#3
Sesshu

Sesshu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Ron, thanks very much for the reply. My nephew is pretty much burned out from the last 3 or so days of my trying to fix this problem for him (I live about 250 miles from him and mostly helped him over the phone). He doesn't want to go anywhere near his PC =/ His mom is going to take it to Staples (although I told her that I could attempt to fix it via these forums or get paid tech support from AVG or Microsoft). The only "fix" I can imagine Staples doing is a wipe of his OS and reinstall.

I'm pretty sure they will have problems with the reinstall as his PC is about 8 years old and the Dell drivers that came with it (CD ROM) are pretty much obsolete and new ones are hard to come by if they can indeed be gotten (we were lucky enough some years ago to get an audio driver for him when his became obsolete or corrupt--I found a site in France which I couldn't read except for the driver info).

Given all that, this is probably a blessing in disguise for him since if Staples can't fix it (and I know they won't) he'll get a nice new quad core with a pretty nice video card to replace his P4 with Nvidia 5200FX. I myslef would love to try to fix the PC via these forums with your help but I'd have to physically bring the PC to my place to do that when he gets the new one (I'm assuming he'll get a new PC). If indeed they don't ditch the old PC in a moment of frustration I'll do that since I can't let a problem go until I fix it, and this is a good one for me.

My apologies for the delay. I'll see what happens with the "fix" and try to get hold of their PC.

Thanks a lot again. It's really nice that you're helping people here and I'm following the thread I linked to above to see how that problem is resolved (and I see it's fixed--great!). That's one nasty piece of malware. Even now, if my nephew uses his PC offline he gets new infection warnings from AVG. This "thing" is hiding and breeding well. It actually chewed up AVG so that it wouldn't run (the first day when he still had internet access) and we had to download the uninstall and upgraded to the new version. I called his ISP provider and they told us to call MicroSoft so I'm not too pleased with them, but then they aren't too familiar with these sort of problems.

Edited by Sesshu, 03 September 2011 - 12:56 PM.

  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
What I think this is is a version of the rootkit called zeroaccess. It likes to replace your anti-virus with itself.
http://hijack-this.c...-av-techniques/
http://resources.inf...meware-rootkit/

AVG does not have a clue how to clean it and I would be surprised if Microsoft does either. You have to use Combofix to have any hope of fixing it.
(On google there are a lot of people who claim their product will fix it. Just send money. Pretty doubtful.)

Staples will probably wipe it and reinstall XP. The drivers should still be available on the Dell website. Hopefully they are smart enough to delete all the partitions before reinstalling.

Ron
  • 0

#5
Sesshu

Sesshu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Thanks. Yes, I'm pretty sure they will wipe it (hopefully they can get that hard to find audio driver--the Dell site was the first place I looked a few years ago to try to find it--I think their's was outdated--I only know that whatever was there didn't work), and I just called my nephew up and left a message that Staples should delete all partions before reinstalling. Thanks for pointing that out.

I saved those links--thanks for that too. With the wipe they will no doubt do I won't be able to persue the problem. I'll know more in a few days. Regardless, I found this site, so that's good.

I'm not surprised that MicroSoft wouldn't be able to fix the problem but a bit surprised that AVG wouldn't be able to, although, looking at it realistically, a wipe is an easy way to insure the virus is gone. And again, I would have preferred to troubleshoot the problem here with you, but I don't relish trying the patience of my relatives who already made a decision.

Thank you again, Ron.

Edited by Sesshu, 03 September 2011 - 02:33 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP