After SAS run, removal causes internet not to work.

xxsilk109xx (New Member, Savannah, GA)
A customer came in today and dropped off a computer that he had run an SAS scan on; it removed the following entries. Once they were removed, he can't get on the internet.

What SAS removed:
Application Version : 4.55.1000

Core Rules Database Version : 7396
Trace Rules Database Version: 5208

Scan type : Quick Scan
Total Scan Time : 00:08:23

Memory items scanned : 633
Memory threats detected : 0
Registry items scanned : 1610
Registry threats detected : 4
File items scanned : 5272
File threats detected : 564

System.BrokenFileAssociation
HKCR\.exe

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS#NAMESERVER
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS#NAMESERVER
HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS#NAMESERVER


When I try to get an ipconfig /all, I get:
Windows IP configuration

An internal error occurred: Access is denied

Additional Information: Unable to open registry key for tcpip



I have tried running winsock fix, checked all the regular settings through IE, etc. However, I have noticed that it does not see Internet Explorer installed for some reason...

Not really sure what to make of this registry error and how to fix it. I have restored what SAS did and it still does not work.

Any suggestions?
 
Permissions seem fine.

When I view the key in question under currentcontrolset2, I see
93.188.165.111, 93.188.160.151

Not sure if that means anything...but
 
To reinstall and reset the TCP/IP stack (Internet Protocol) to its original state, the same as when the operating system was installed, in Windows XP and Windows 2003, simply use the following command in a command prompt shell. A log file name must be specified; the actions taken by netsh will be recorded in a newly created file, or appended to the file if it already exists.

netsh int ip reset [ log_file_name ]

Example:

netsh int ip reset resetlog.txt

For Windows Vista, things work a little differently due to the introduction of UAC (Guide: Disable UAC). Use this guide to perform a reinstall of the TCP/IP protocol in Vista:

Click on Start button.
Type Cmd in the Start Search text box.
Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow elevation request.
Type netsh int ip reset in the Command Prompt shell, and then press the Enter key.
Restart the computer.

The command will remove all user-configured settings on the TCP/IP stack and return it to its original default state by rewriting the pertinent registry keys used by the Internet Protocol (TCP/IP) stack, achieving the same result as removing and reinstalling the protocol. The registry keys affected are:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\

and

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP\Parameters\

Use this command to reset TCP/IP.
 
Permissions seem fine.

When I view the key in question under currentcontrolset2, I see
93.188.165.111, 93.188.160.151

Not sure if that means anything...but

Googled the first number and found this on another forum (non-tech) where the fellow was posting his MBAM log:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{634C5C88-E162-413F-8A14-FD972F859D06}\NameServer (Trojan.DNSChanger) -> Bad: (93.188.165.111,93.188.160.151) Good: () -> Quarantined and deleted successfully.
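An added audit script (not from this thread or from SAS/MBAM) that ties the two logs together: it walks every ControlSet, reads the global Tcpip\Parameters NameServer value that SAS flagged and the per-interface NameServer values that the MBAM log shows, compares them against the two rogue addresses quoted above, and reports any Tcpip key that cannot be opened, which is the "Unable to open registry key for tcpip" symptom from the first post. It assumes Windows PowerShell running elevated; the function name and the status labels are my own.

```powershell
# Added example, not code from the thread. Audits NameServer values under
# Services\Tcpip\Parameters (global and per-interface) in every ControlSet.
$KnownBadDns = @('93.188.165.111', '93.188.160.151')   # addresses from the SAS/MBAM logs above

function Get-TcpipNameServerReport {
    $report = @()
    # ControlSet001, ControlSet002, ... plus CurrentControlSet (a link to the active one)
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' }

    foreach ($cs in $controlSets) {
        $paramPath = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\Tcpip\Parameters"
        try {
            # The Parameters key itself (global NameServer) plus each adapter subkey
            $keys  = @(Get-Item -Path $paramPath -ErrorAction Stop)
            $keys += Get-ChildItem -Path "$paramPath\Interfaces" -ErrorAction Stop
        } catch {
            # Same failure ipconfig reports when the key ACL has been damaged
            $report += [pscustomobject]@{
                Key = $paramPath; NameServer = $null
                Status = "UNREADABLE: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($key in $keys) {
            $ns = (Get-ItemProperty -Path $key.PSPath -Name NameServer -ErrorAction SilentlyContinue).NameServer
            if ([string]::IsNullOrWhiteSpace($ns)) {
                $status = 'OK (empty, DHCP-assigned DNS)'
            } else {
                # Windows stores static DNS servers space- or comma-separated
                $addrs = $ns -split '[ ,]+' | Where-Object { $_ }
                $bad   = $addrs | Where-Object { $KnownBadDns -contains $_ }
                $status = if ($bad) { "HIJACKED: $($bad -join ',')" }
                          else      { 'STATIC (confirm these are the intended DNS servers)' }
            }
            $report += [pscustomobject]@{
                Key = ($key.PSPath -replace '^.*?::', ''); NameServer = $ns; Status = $status
            }
        }
    }
    return $report
}

Get-TcpipNameServerReport | Format-Table -AutoSize -Wrap
```

Run it before and after the netsh int ip reset described earlier in the thread: an UNREADABLE row points at the registry permission problem rather than at a leftover DNS entry, and a HIJACKED row in a non-current ControlSet shows why the rogue servers can come back after a Last Known Good boot.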
 