sgt_best

WinPC Antivirus damage TCP/IP

I have Windows XP SP3 that has the trojan WinPC Antivirus
The settings look normal as far as the ip address in the TCP/IP properties. I have a static IP.

A ping, even to 127.0.0.1, returns

unable to contact IP driver, error code 2

From DOS I tried IPCONFIG and got this error:
An internal error occurred:  The request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information:  Unable to query host name.

I deleted the registry settings under HKEY_Current User_Software_WinPC

Also Malwarebytes will not run the mbam-setup.

I have Symantec Corporate 9.0.0.338, scan engine 81.3.0.13, updated 4-19-2009, and scanned in safe mode but found nothing.

Ran a program recommended in a similar question called WinsockxpFix, but it did not repair.

I thank you in advance for your response.
Speshalyst

Looks like your TCP stack has been corrupted. Use netsh to reset it:
http://support.microsoft.com/kb/299357
sgt_best (ASKER)

If this was all that I was supposed to do:

At the command prompt, copy and paste (or type) the following command and then press ENTER:
netsh int ip reset c:\resetlog.txt

Did not fix the problem.
Log file contains only the word "completed".

Also deleted the following registry values before your reply, as recommended by http://www.2-spyware.com/remove-winpc-antivirus.html:

HKEY_CURRENT_USER\Software\WinPC Antivirus
HKEY_CURRENT_USER\Control Panel\don't load "scui.cpl"
HKEY_CURRENT_USER\Control Panel\don't load "wscui.cpl"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sysav"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusDisableNotify" => 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallDisableNotify" => 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UpdatesDisableNotify" => 1

The virus does not pop up anymore but I still have corrupted TCP/IP.

sgt_best--WinsockFix and other tools
http://windowsxp.mvps.org/winsock.htm

I tried the WinsockFix again; this was what I stated in my original post that did not resolve the problem.

On Show Hidden Devices in Device Manager, under Non-Plug and Play Drivers,
there is an exclamation on IP Network Address Translator and TCP/IP Protocol Driver.
Both are stopped and cannot be restarted.
Both say the device is not present, is not working properly or does not have all its drivers installed (code 24).

For the IP Network Address Translator, if Start under the Driver tab is pressed the following error comes up:
The system encountered the following error while attempting to start the service. The dependency service or group failed to start.
I looked and the C:\WINDOWS\system32\drivers\IPNat.sys is there.

For TCP/IP, when Start is pressed under the Driver tab the error comes up:
The system encountered the following error while attempting to start the service. The system cannot find the file specified.
I looked and the file C:\WINDOWS\system32\drivers\Tcpip.sys is there.
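One way to collect the evidence the posts above ask for in a single log, as an added cmd script that is not part of this thread: which driver files are actually on disk, how the Service Control Manager sees Tcpip and IpNat (the "file not found" and "dependency failed" errors), the Winsock and Security Center keys the thread touches, and the raw ping/ipconfig symptoms. The file and service names are the standard XP ones; which ones to check, and the optional "reset" argument, are my choices.

```batch
@echo off
rem Added diagnostic (not from this thread). Run in an elevated cmd prompt on XP;
rem it writes tcpip-diag.txt next to the script. Pass "reset" as the first argument
rem to also run the two Microsoft stack resets after the evidence is collected.
rem The file and service names are the standard XP ones; which ones to check is my choice.
setlocal
set "LOG=%~dp0tcpip-diag.txt"
echo TCP/IP stack diagnostic %DATE% %TIME% > "%LOG%"

rem 1. Driver files on disk. "The system cannot find the file specified" while the
rem    file exists points at the service entry (path, dependencies), not the file.
for %%F in (tcpip.sys ipnat.sys afd.sys netbt.sys ndis.sys) do (
    if exist "%SystemRoot%\system32\drivers\%%F" (
        echo [present] %%F >> "%LOG%"
    ) else (
        echo [MISSING] %%F >> "%LOG%"
    )
)

rem 2. How the Service Control Manager sees each driver: STATE, BINARY_PATH_NAME
rem    and DEPENDENCIES. Compare BINARY_PATH_NAME with step 1. IpNat depends on
rem    Tcpip, so a Tcpip failure shows up there as "dependency service ... failed".
for %%S in (Tcpip IpNat AFD NetBT NDIS Dhcp Dnscache) do (
    echo --- %%S --- >> "%LOG%"
    sc query %%S >> "%LOG%" 2>&1
    sc qc %%S >> "%LOG%" 2>&1
)

rem 3. Keys the thread deletes or recreates, plus the Security Center notification
rem    switches that WinPC Antivirus set to 1 (a key missing here is a finding).
for %%K in ("HKLM\SYSTEM\CurrentControlSet\Services\Winsock" "HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters" "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip" "HKLM\SOFTWARE\Microsoft\Security Center") do (
    echo --- %%~K --- >> "%LOG%"
    reg query %%K >> "%LOG%" 2>&1
)

rem 4. The live symptoms reported in the thread, captured verbatim.
ping -n 1 127.0.0.1 >> "%LOG%" 2>&1
ipconfig /all >> "%LOG%" 2>&1

if /i "%~1"=="reset" (
    rem KB299357 TCP/IP reset and the SP2+ Winsock catalog reset; reboot afterwards.
    netsh int ip reset "%~dp0resetlog.txt" >> "%LOG%" 2>&1
    netsh winsock reset >> "%LOG%" 2>&1
)
echo Diagnostic written to "%LOG%"
endlocal
```

Read the log before running anything with "reset": a BINARY_PATH_NAME that does not match a present file, or a missing Winsock or Tcpip service key, tells you which repair step actually applies.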

sgt_best--Sorry I did not catch that you had already tried WinsockFix.
Is it possible you still have some malware on the PC? The fact that you cannot run Malwarebytes is suspicious.
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t219647.html
Run HiJackThis
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
and post the log here if you would like help in interpreting.
Otherwise here are more ideas about reestablishing the connection
http://www.howtonetworking.com/Troubleshooting/winsock2corruption0.htm
http://www.techspot.com/vb/topic108548.html (note the possibility your Firewall could be the problem)

If nothing else works, a Repair Install is always a possibility (as is uninstalling and reinstalling XP3).
http://www.michaelstevenstech.com/XPrepairinstall.htm
In fact, in light of all the problems and error messages that might be the best, but I posted the other ideas anyway. A Repair Install should not affect your personal data.
phototropic

"...also malwarebytes will not run the mbam-setup..."
You are still infected. You will need to get clean before addressing the connection issue.
Try downloading MBAM to a flash drive, but rename the file BEFORE you download it, then take it to the infected machine.
If that won't work, you could try an online scan:

http://www.bitdefender.com/scan8/ie.html
http://housecall.trendmicro.com/uk/

Or remove the hdd, slave it to another pc and then scan it for malware.

Or try Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Make sure you disable your AV before you run it. Post the log here.

Thanks again for your time and replies.
Just to update the status...
Uninstalling / reinstalling Service Pack 3 did not fix the problem. If it was being suggested that XP be "uninstalled" then I didn't understand that.

I followed this from the suggested link:
http://www.howtonetworking.com/Troubleshooting/winsock2corruption6.htm
How to fix a Winsock2 corruption issue

In Registry Editor, locate the following keys, right-click each key, and then click Delete:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
4. When you are prompted to confirm the deletion, click Yes.

Note: Restart the computer after you delete the Winsock keys. Doing so causes the Windows XP operating system to create new shell entries for those two keys.

It replaced the Winsock2 key but the Winsock key is still missing.

Also, changing the name of mbam-setup did work and it did install, although it took about 10 minutes or longer. It would not run.

Could not get HijackThis to install.

Next step will be to scan drive in another PC.
ASKER CERTIFIED SOLUTION
jcimarron

sgt_best--Whoops!! I left out the link to the reference for the manual removal instructions:
http://removal-tool.com/winpc-antivirus/

Checked the registry per http://removal-tool.com/winpc-antivirus/ and had none of the suggested entries.
Earlier I followed a recommended removal and took out some of the files and entries, and the annoying WinPC never came back up.

Changed the name on HijackThis and it installed and ran a log file. It is attached.

hijackthis.log

sgt_best--You still have baddies.
Run HiJackThis again and "fix" the following:
C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
http://www.file.net/process/gamevance32.exe.html
http://www.greatis.com/appdata/d/g/gamevance32.exe.htm (note GameVance is really only Adware, and if you cannot live without it then leave it)
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
See this reference about the last: http://www.bleepingcomputer.com/virus-removal/remove-winpc-defender#files
Definitely remove the last.

The network settings could not be restored through the various options, even though the rest of the PC seemed to run fine and the network settings appeared to be OK. Gave in to the reformat/reinstall.

sgt_best--Thanks for telling us what you did.
If you ran a Repair Install, you might still consider running MBAM just to be sure all is well. But if you ran a reformat, then that probably is not needed.

Jcimarron: REMOVAL-TOOL.COM?
Please people, be aware of that site. It pushes malware!

fefo_33065 --
Thanks for the advice. I certainly agree that readers should not download the offered Automatic "WinPC Antivirus Removal Tool" on that site. I meant to refer to the Manual Removal procedure. I should have been clearer.
And for those who do not even want to visit the site, the manual removal info can be seen through Google's cached version of the information:
http://74.125.95.132/search?q=cache:9JPzrenIuDQJ:removal-tool.com/winpc-antivirus/+winpc-antivirus&cd=7&hl=en&ct=clnk&gl=us