Windows xp will only connect to the internet in safe mode w/ networking

footfootfoot · 08-16-2012, 02:15 PM

I've checked the router and modem, tried disabling norton 360, did a rootkit scan and system scan, got zeroaccess out of there, but still no dice.

WTF? any help from the gurus would be appreciated.

BigV · 08-16-2012, 02:32 PM

so...

Are you trying to get it to connect to the internet in normal mode? Are there other things it's not doing properly? Presuming this *is* the case, what is it doing when you start normally? What kinds of errors are being reported?

mbpark · 08-16-2012, 03:56 PM

Open up a Command Prompt (start -> all programs -> accessories -> command prompt) and enter in the following:

netsh winsock reset

hit enter after that.

That resets the network stack.

footfootfoot · 08-16-2012, 04:34 PM

Quote:

Originally Posted by mbpark

Open up a Command Prompt (start -> all programs -> accessories -> command prompt) and enter in the following:

netsh winsock reset

hit enter after that.

That resets the network stack.

That reset the network stack, but still no connection.
I get
"Windows could not finish repairing the problem because the following action cannot be completed: Renewing your IP address"

Checked network adapters
did a few safemode system restores to a week ago, and ran NPE,

I'm not seeing tcp/ipv4. I'm only seeing tcp/ipv6 and tcp/ip. not sure if that is relevant.

mbpark · 08-16-2012, 09:30 PM

Can you run ipconfig /all from a command prompt in safe mode and tell me the IP?

footfootfoot · 08-17-2012, 11:35 AM

IP address 0.0.0.0
subnet mask 0.0.0.0
IP Address fe::213:72ff:fec4:99c2%4

I ran ipconfig last night as administrator and got this variant

fe::213:72ff:fec4:99c2%5

I managed to remove zeroaccess!inf2 and zeroaccess!kmem, and reinstalled all my drivers. I first tried to drag the file (netbt.sys) into the trash, but it would re-appear seconds later. I tried over writing it and the same thing would happen. I tried delete on boot and it would be back. finally, I managed to remove it and as far as I could tell all its friends while in safe mode. I ran norton scan again and it showed up as all clean, I used search everything to check the drives and none of the files remained. it seems all clear now as far as zeroaccess is concerned.

Still having connectivity issues though.

footfootfoot · 08-17-2012, 11:47 AM

Also still getting the can't connect to RPC, I went an made sure autoconnect was checked.

Cyber Wolf · 08-17-2012, 11:57 AM

What happens when you try this in Safe Mode:
From the command prompt type:
ipconfig /renew then hit enter
ipconfig /flushdns then hit enter

Also, are using a dynamic (supplied by your ISP and changes every time you restart your machine) or a static (always the same, all the time) configuration for your IP?

footfootfoot · 08-17-2012, 03:16 PM

Quote:

Originally Posted by Cyber Wolf

What happens when you try this in Safe Mode:
From the command prompt type:
ipconfig /renew then hit enter
ipconfig /flushdns then hit enter

Also, are using a dynamic (supplied by your ISP and changes every time you restart your machine) or a static (always the same, all the time) configuration for your IP?

nothing except >
Windows IP Configuration.

lately when I have been using cmd prompt nothing at all has been happening...

I'm about to try a system repair.

tw · 08-17-2012, 04:46 PM

Quote:

Originally Posted by footfootfoot

lately when I have been using cmd prompt nothing at all has been happening...

Do not change anything until important facts are obtained. Fixing without identifying the problem can exponentially complicate the problem.

ISO defines three relevant layers of communication. Start by defining what is happening at the lowest level (especially since IPCONFIG reported that as a potential defect).

An ethernet cable terminates at the computer and at the router. On the computer receptacle should be some lights. As the cord is disconnected, what happens to those lights. Repeat the same test on the router end. These lights will be on the front panel. Report those lights (and router model).

NIC's computer must talk with the router's computer. Those lights are reporting a conversation that you otherwise never see or know about. Are NIC and router computers talking? Do they talk both in Safe modem and when booted normally?

Next, go to Device Manager (obtained via Computer Management or Control Panel or Help). What is reported for the Network Adapters?

Do not try to change drivers by deleting software. First delete the device in Device Manager. And reboot. Or use Device Manager to Update Driver. But do not do that yet. First collect facts.

Helpful would be the manufacturer and model of that computer. Some manufacturers provide comprehensive hardware diagnostics to immediately solve such problems without all this sweat and confusion. Since Windows only tries to work around problems. But diagnostics seek to identify hardware problems even before you know the problem exists.

A diagnostic may also be available from the NIC manufacturer.

All this is about defining the first layer as good or bad. If the NIC appears good, then go back to Device Manager to update what should have been a perfectly good driver. Reboot. And report back what IPCONFIG /ALL reports.

footfootfoot · 08-18-2012, 09:15 AM

I went out on a limb and just did a system repair and now everything is fine and the machine is running as fast as lighting.

Thanks for everyone's input and help.

fuck zeroaccess

tw · 08-18-2012, 05:20 PM

Who / what is zeroaccess?

BrianR · 08-19-2012, 11:40 AM

a Trojan of some note. Wiki has a good primer on it.

xoxoxoBruce · 08-19-2012, 04:02 PM

Good grief.

Quote:

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

more

orthodoc · 08-19-2012, 04:38 PM

Good grief is right. Any word on whether Macs are affected?

08-16-2012, 02:15 PM	#1
footfootfoot To shreds, you say? Join Date: Aug 2004 Location: in the house and on the street-how many, many feet we meet! Posts: 18,449	Windows xp will only connect to the internet in safe mode w/ networking I've checked the router and modem, tried disabling norton 360, did a rootkit scan and system scan, got zeroaccess out of there, but still no dice. WTF? any help from the gurus would be appreciated. __________________ The internet is a hateful stew of vomit you can never take completely seriously. - Her Fobs

08-16-2012, 02:32 PM	#2
BigV Goon Squad Leader Join Date: Nov 2004 Location: Seattle Posts: 27,063	so... Are you trying to get it to connect to the internet in normal mode? Are there other things it's not doing properly? Presuming this is the case, what is it doing when you start normally? What kinds of errors are being reported? __________________ Be Just and Fear Not.

08-16-2012, 03:56 PM	#3
mbpark Lecturer Join Date: Jan 2001 Location: Carmel, Indiana Posts: 761	Did you try the following? Open up a Command Prompt (start -> all programs -> accessories -> command prompt) and enter in the following: netsh winsock reset hit enter after that. That resets the network stack.

08-16-2012, 09:30 PM	#5
mbpark Lecturer Join Date: Jan 2001 Location: Carmel, Indiana Posts: 761	can you run ipconfig /all from safe mode? Can you run ipconfig /all from a command prompt in safe mode and tell me the IP?

08-17-2012, 11:35 AM	#6
footfootfoot To shreds, you say? Join Date: Aug 2004 Location: in the house and on the street-how many, many feet we meet! Posts: 18,449	IP address 0.0.0.0 subnet mask 0.0.0.0 IP Address fe::213:72ff:fec4:99c2%4 I ran ipconfig last night as administrator and got this variant fe::213:72ff:fec4:99c2%5 I managed to remove zeroaccess!inf2 and zeroaccess!kmem, and reinstalled all my drivers. I first tried to drag the file (netbt.sys) into the trash, but it would re-appear seconds later. I tried over writing it and the same thing would happen. I tried delete on boot and it would be back. finally, I managed to remove it and as far as I could tell all its friends while in safe mode. I ran norton scan again and it showed up as all clean, I used search everything to check the drives and none of the files remained. it seems all clear now as far as zeroaccess is concerned. Still having connectivity issues though. __________________ The internet is a hateful stew of vomit you can never take completely seriously. - Her Fobs Last edited by footfootfoot; 08-17-2012 at 11:42 AM.

08-17-2012, 11:47 AM	#7
footfootfoot To shreds, you say? Join Date: Aug 2004 Location: in the house and on the street-how many, many feet we meet! Posts: 18,449	Also still getting the can't connect to RPC, I went an made sure autoconnect was checked. __________________ The internet is a hateful stew of vomit you can never take completely seriously. - Her Fobs

08-17-2012, 11:57 AM	#8
Cyber Wolf As stable as a ring of PU-239 Join Date: Jun 2004 Location: On a huge rock covered in water, highly advanced moss and 7 billion parasites Posts: 1,264	What happens when you try this in Safe Mode: From the command prompt type: ipconfig /renew then hit enter ipconfig /flushdns then hit enter Also, are using a dynamic (supplied by your ISP and changes every time you restart your machine) or a static (always the same, all the time) configuration for your IP? __________________ "I don't see what's so triffic about creating people as people and then getting' upset 'cos they act like people." ~Adam Young, Good Omens "I don't see why it matters what is written. Not when it's about people. It can always be crossed out." ~Adam Young, Good Omens

08-18-2012, 09:15 AM	#11
footfootfoot To shreds, you say? Join Date: Aug 2004 Location: in the house and on the street-how many, many feet we meet! Posts: 18,449	I went out on a limb and just did a system repair and now everything is fine and the machine is running as fast as lighting. Thanks for everyone's input and help. fuck zeroaccess __________________ The internet is a hateful stew of vomit you can never take completely seriously. - Her Fobs

08-18-2012, 05:20 PM	#12
tw Read? I only know how to write. Join Date: Jan 2001 Posts: 11,933	Who / what is zeroaccess?

08-19-2012, 11:40 AM	#13
BrianR Cleverly disguised as a responsible adult Join Date: Jan 2001 Location: Dallas, TX Posts: 3,338	a Trojan of some note. Wiki has a good primer on it. __________________ Never be afraid to tell the world who you are. -- Anonymous

08-19-2012, 04:38 PM	#15
orthodoc Not Suspicious, Merely Canadian Join Date: Oct 2006 Posts: 3,774	Good grief is right. Any word on whether Macs are affected? __________________ The greatness of a nation and its moral progress can be judged by the way its animals are treated. - Ghandi

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)