CastleCops, Internet Crime Fighters
CRs temp

 
nosirrah

Security Expert
Special Response Team

Joined: Apr 19, 2006
Posts: 6301
Location: USA
MIRT MVP Premium Rootkit Responders Security Experts SRT

PostPosted: Fri Oct 20, 2006 2:38 pm    Post subject: CRs temp

***Firewall Fix***

Open My computer .

Click tools , folder options , view .

Uncheck "Hide extensions for known file types ." and click apply and then ok .

Close My computer .

Right click your desktop and select new , Text Document . Open it .

Copy and paste this inside (just the green text) :

Code:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
  6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00002cd0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
  00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Close and save this file .

Rename it to fix4.reg


Right click your desktop and select new , Text Document . Open it .

Copy and paste this inside (just the green text) :

Code:
rundll32 setupapi,InstallHinfSection Ndi-Steelhead 132 %windir%\inf\netrass.inf


Close and save this file .

Rename it to fix1.bat


Right click your desktop and select new , Text Document . Open it .

Copy and paste this inside (just the green text) :

Code:
NETSH FIREWALL RESET


Close and save this file .

Rename it to fix2.bat


Right click your desktop and select new , Text Document . Open it .

Copy and paste this inside (just the green text) :

Code:
regsvr32 c:\windows\system32\atl.dll

regsvr32 c:\windows\system32\hnetcfg.dll


Close and save this file .

Rename it to fix3.bat


Download WinSockFix : http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml


Double click fix4.reg and then click yes .

Reboot .

Double click fix1.bat .

Reboot .

Double click fix2.bat .

Reboot .

Double click fix3.bat . (click ok , ok)

Reboot .

Run WinSockFix .

Reboot .

Try your firewall again and report back .

nosirrah


PostPosted: Fri Oct 20, 2006 3:26 pm    Post subject:

***Registry Rebuild***
***Failed repair install/repair unavailable reset***
***Boot.ini reset***


Power down both the problem and functional system and unplug them .

Remove the hard drive from the problem system and attach it (power and data cables) to the functional system .

Plug in the functional system and boot (boot into safe mode if the functional system is XP Home) .

Open My Computer .

Click tools , folder options , view .

Check "Show hidden files and folders" .

Uncheck "Hide extensions of known file types" .

Uncheck "hide protected operating system files" .

Click yes , apply , ok .

Open D:\ (or the drive letter for the slaved problem drive) .

Right click D:\System Volume Information and select properties .

Click Security tab .

Click Add .

Enter the name of the account you are currently logged into .

Click Check Names and then OK .

Highlight the user name you just added .

Check the box for Full Control and Allow .

Click Apply , OK .

Open D:\System Volume Information .

Open the _restore folder (if there is more than one choose the one with the most recent modified date) .

Open the RPxxx folder (xxx may be any number) with the second to last creation date .

Open the snapshot folder .

Switch to details view and click name (this will line up the files correctly) .

Highlight the following files :

Code:
_REGISTRY_MACHINE_SAM
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_USER_.DEFAULT


Right click the highlighted files and select copy .

Close all open folders .

Open D:\WINDOWS\system32\config .

Delete every file in this folder .

Right click and select paste .

Rename the pasted files like this :

Code:
_REGISTRY_MACHINE_SAM         ---> SAM
_REGISTRY_MACHINE_SECURITY    ---> SECURITY
_REGISTRY_MACHINE_SOFTWARE    ---> SOFTWARE
_REGISTRY_MACHINE_SYSTEM      ---> SYSTEM
_REGISTRY_USER_.DEFAULT       ---> DEFAULT


Close all open folders .

Delete the following file :

D:\boot.ini .

Create a new text document and open it .

If the problem drive's home system is XP Home , paste the following text into the text document (just the green text) :

Code:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


If the problem drive's home system is XP Pro , paste the following text into the text document (just the green text) :

Code:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Edition" /noexecute=optin /fastdetect


Close and save the changes .

Rename the text document to boot.ini .

Cut and paste this file into D:\ .

Shut down and unplug the system .

Reattach the problem drive to its home system .

Reattempt the repair install .
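
The copy-and-rename steps above, as an added Python example that is not part of the original post. It assumes the snapshot folder has already been chosen and made readable, checks that all five files exist and begin with the regf hive signature before touching the config folder, and moves the old files into a backup folder (hypothetical name config.bak) rather than deleting them.

```python
import shutil
from pathlib import Path

# Mapping from the post: snapshot file name -> live hive name in system32\config.
HIVES = {
    "_REGISTRY_MACHINE_SAM": "SAM",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_USER_.DEFAULT": "DEFAULT",
}

def restore_hives(snapshot_dir, config_dir, backup_name="config.bak"):
    """Stage the five snapshot hives into config_dir; return the names written."""
    snapshot, config = Path(snapshot_dir), Path(config_dir)
    # Validate everything first so a bad snapshot never empties the config folder.
    for name in HIVES:
        src = snapshot / name
        if not src.is_file():
            raise FileNotFoundError(f"snapshot is missing {name}")
        with src.open("rb") as fh:
            if fh.read(4) != b"regf":       # registry hive files start with "regf"
                raise ValueError(f"{name} is not a registry hive")
    backup = config.parent / backup_name    # assumption: backup sits beside config
    backup.mkdir()                          # fails if an earlier backup exists
    for old in list(config.iterdir()):
        shutil.move(str(old), str(backup / old.name))
    for name, live in HIVES.items():
        shutil.copy2(snapshot / name, config / live)
    return sorted(p.name for p in config.iterdir())
```
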
