• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1603
  • Last Modified:

WinPC Antivirus damage TCP/IP

I have Windows XP SP3 that has the trojan WinPC Antivirus.
The settings look normal as far as the IP address in the TCP/IP properties. I have a static IP.

A ping, even to 127.0.0.1 returns

unable to contact IP driver, error code 2

From DOS I tried an IPCONFIG and get the error:
An internal error occurred:  The request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information:  Unable to query host name.

I deleted the registry settings under HKEY_CURRENT_USER\Software\WinPC.

Also, Malwarebytes will not run the mbam-setup.

I have Symantec Corporate 9.0.0.338, scan engine 81.3.0.13, updated 4-19-2009, and scanned in safe mode but found nothing.

Ran a program recommended in a similar question called WinsockxpFix, but it did not repair it.

I thank you in advance for your response.
Asked by: sgt_best
1 Solution
speshalyst commented:
Looks like your TCP stack has been corrupted. Use netsh to reset it:
http://support.microsoft.com/kb/299357 
0
 
sgt_best (Author) commented:
If this was all that I was supposed to do:

At the command prompt, copy and paste (or type) the following command and then press ENTER:
netsh int ip reset c:\resetlog.txt

Did not fix the problem.
Log file contains only the word "completed"

I also deleted the following registry values before your reply.
Recommended by http://www.2-spyware.com/remove-winpc-antivirus.html


HKEY_CURRENT_USER\Software\WinPC Antivirus
HKEY_CURRENT_USER\Control Panel\don't load "scui.cpl"
HKEY_CURRENT_USER\Control Panel\don't load "wscui.cpl"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sysav"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusDisableNotify" => 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallDisableNotify" => 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UpdatesDisableNotify" => 1

The virus does not pop up anymore, but I still have corrupted TCP/IP.
0
 
jcimarron commented:
sgt_best--WinsockFix and other tools
http://windowsxp.mvps.org/winsock.htm
0
 
sgt_best (Author) commented:
I tried the WinsockFix, again...this was what I stated in my original post that did not resolve the problem.

With Show Hidden Devices on in Device Manager,
under Non-Plug and Play Drivers,
there is an exclamation on IP Network Address Translator and TCP/IP Protocol Driver.
Both are stopped and cannot be restarted.
Both say the device is not present, is not working properly or does not have all its drivers installed (code 24).

For the IP Network Address Translator, if Start under the Driver tab is pressed, the following error comes up:
The system encountered the following error while attempting to start the service. The dependency service or group failed to start.
I looked and the C:\WINDOWS\system32\drivers\IPNat.sys is there.

For TCP/IP, when Start is pressed under the Driver tab, the error comes up:
The system encountered the following error while attempting to start the service. The system cannot find the file specified.
I looked and the file C:\WINDOWS\system32\drivers\Tcpip.sys is there.
0
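Added example (my code, not from the thread and not from the KB article): a small Python triage script that reduces the Device Manager symptoms above to registry and file checks. On a Windows host, collect_windows() reads the Tcpip and IpNat service keys, the Winsock and Winsock2 keys and the driver files with the stdlib winreg module; thread_symptoms() is a constructed snapshot mirroring what sgt_best reports, so evaluate() also runs offline. The reading that "cannot find the file specified" with Tcpip.sys present on disk points at a missing or wrong ImagePath value, and that IpNat's "dependency failed" message follows from Tcpip being broken, is my assumption, not something the thread established; the IpNat Start value and dependency list in the snapshot are likewise assumed.

```python
import os
import sys
from dataclasses import dataclass

# Standard registry locations for kernel-driver services and the Winsock catalog keys.
SERVICES_ROOT = r"SYSTEM\CurrentControlSet\Services"
DRIVER_SERVICES = ("Tcpip", "IpNat")
WINSOCK_KEYS = ("Winsock", "Winsock2")


@dataclass
class StackSnapshot:
    """State to judge: from collect_windows() on a live host, or built by hand."""
    services: dict         # name -> {"ImagePath", "Start", "DependOnService"}, None if key absent
    winsock_present: dict  # "Winsock" / "Winsock2" -> key exists
    files: dict            # normalized driver path -> exists on disk
    system_root: str = r"C:\WINDOWS"


def normalize_image_path(image_path, system_root=r"C:\WINDOWS"):
    """Reduce the forms a driver ImagePath takes to one lower-case absolute path."""
    p = image_path.strip().strip('"')
    low = p.lower()
    if low.startswith(r"\systemroot"):
        p = system_root + p[len(r"\systemroot"):]
    elif low.startswith("\\??\\"):
        p = p[4:]
    elif len(p) < 2 or p[1] != ":":
        p = system_root.rstrip("\\") + "\\" + p.lstrip("\\")  # relative to %SystemRoot%
    return p.lower()


def evaluate(snap):
    """Return (component, code, explanation) findings for a snapshot."""
    findings, broken = [], set()
    for name in DRIVER_SERVICES:
        values = snap.services.get(name)
        if values is None:
            findings.append((name, "SERVICE_KEY_MISSING",
                             "service key absent; Device Manager shows the device as not present"))
            broken.add(name)
            continue
        image = values.get("ImagePath")
        if not image:
            findings.append((name, "IMAGEPATH_MISSING",
                             "ImagePath value missing; start fails with 'cannot find the file "
                             "specified' even when the .sys file is on disk"))
            broken.add(name)
        else:
            path = normalize_image_path(image, snap.system_root)
            if not snap.files.get(path, False):
                findings.append((name, "IMAGE_FILE_MISSING", "driver file not found: " + path))
                broken.add(name)
        if values.get("Start") == 4:  # SERVICE_DISABLED
            findings.append((name, "SERVICE_DISABLED", "Start=4, the driver is disabled"))
            broken.add(name)
    # Dependencies are judged only after every service has been checked.
    for name in DRIVER_SERVICES:
        for dep in (snap.services.get(name) or {}).get("DependOnService", []):
            if dep in broken:
                findings.append((name, "DEPENDENCY_BROKEN",
                                 "depends on %s, which has its own fault; explains 'the dependency "
                                 "service or group failed to start'" % dep))
    for key_name in WINSOCK_KEYS:
        if not snap.winsock_present.get(key_name, False):
            findings.append((key_name, "WINSOCK_KEY_MISSING",
                             SERVICES_ROOT + "\\" + key_name + " is absent"))
    return findings


def collect_windows():
    """Read the live registry and file system. Windows only (uses winreg)."""
    if sys.platform != "win32":
        raise RuntimeError("collect_windows() must run on the Windows host being examined")
    import winreg
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    services, files, winsock = {}, {}, {}
    for name in DRIVER_SERVICES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_ROOT + "\\" + name) as key:
                values = {}
                for value in ("ImagePath", "Start", "DependOnService"):
                    try:
                        values[value] = winreg.QueryValueEx(key, value)[0]
                    except OSError:
                        pass  # absent value: evaluate() reports it
        except OSError:
            values = None
        services[name] = values
        if values and values.get("ImagePath"):
            path = normalize_image_path(values["ImagePath"], root)
            files[path] = os.path.exists(path)
    for key_name in WINSOCK_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_ROOT + "\\" + key_name))
            winsock[key_name] = True
        except OSError:
            winsock[key_name] = False
    return StackSnapshot(services, winsock, files, root)


def thread_symptoms():
    """Constructed snapshot reproducing the symptoms reported in this thread (not collected
    from the poster's machine); the missing Tcpip ImagePath is an assumed cause."""
    return StackSnapshot(
        services={"Tcpip": {"Start": 1},
                  "IpNat": {"ImagePath": r"system32\DRIVERS\ipnat.sys", "Start": 3,
                            "DependOnService": ["Tcpip"]}},
        winsock_present={"Winsock": False, "Winsock2": True},
        files={r"c:\windows\system32\drivers\tcpip.sys": True,
               r"c:\windows\system32\drivers\ipnat.sys": True})
```

Run `evaluate(collect_windows())` as an administrator on the affected machine, or `evaluate(thread_symptoms())` anywhere to see the offline case. Each finding names the component and a short code, so the repair can be aimed at the specific broken piece (a service key to restore from a healthy XP SP3 machine, a disabled Start value, a missing Winsock key) rather than at "the network" as a whole.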
 
jcimarron commented:
sgt_best--Sorry I did not catch that you had already tried WinsockFix.
Is it possible you still have some malware on the PC? The fact that you cannot run Malwarebytes is suspicious.
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t219647.html
Run HiJackThis
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
and post the log here if you would like help in interpreting.
Otherwise here are more ideas about reestablishing the connection
http://www.howtonetworking.com/Troubleshooting/winsock2corruption0.htm
http://www.techspot.com/vb/topic108548.html  (note the possibility your Firewall could be the problem)

If nothing else works, a Repair Install is always a possibility.  (as is uninstalling and reinstalling XP3)
http://www.michaelstevenstech.com/XPrepairinstall.htm
In fact, in light of all the problems and error messages that might be the best, but I posted the other ideas anyway.  Repair Install should not affect your personal data.
0
 
phototropic commented:
"...also malwarebytes will not run the mbam-setup..."
You are still infected.  You will need to get clean before addressing the connection issue.
Try downloading MBAM to a flash drive, but rename the file BEFORE you download it, then take it to the infected machine.
If that won't work, you could try an online scan:

http://www.bitdefender.com/scan8/ie.html
http://housecall.trendmicro.com/uk/

Or remove the hdd, slave it to another pc and then scan it for malware.

Or try Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Make sure you disable your av before you run it. Post the log here.

 
0
 
sgt_best (Author) commented:
Thanks again for your time and replies.
Just to update the status....
uninstalling / reinstalling service pack 3 did not fix the problem.  If it was being suggested that XP be "uninstalled" then I didn't understand that.  

I followed this from the suggested link:
http://www.howtonetworking.com/Troubleshooting/winsock2corruption6.htm
How to fix a Winsock2 corruption issue

In Registry Editor, locate the following keys, right-click each key, and then click Delete:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
4. When you are prompted to confirm the deletion, click Yes.

Note: Restart the computer after you delete the Winsock keys. Doing so causes the Windows XP operating system to create new shell entries for those two keys.

It replaced the Winsock 2 but the Winsock is still missing.

Also changing the name of mbam-setup did work and it did install although it took about 10 minutes or longer.  Would not run.

Could not get Hijack this to install.

Next step will be to scan drive in another PC.
0
 
jcimarron commented:
sgt_best--It certainly sounds like you are infected.  Can you run MBAM and/or HiJackThis from Safe Mode?  What about ComboFix?
In your first post you said you had the trojan WinPC Antivirus. I do not know how you determined that or if you feel you removed it, but here are instructions for manual removal (see the section "Manual Removal of WinPC Antivirus"). I am not sure I trust the site well enough to suggest you use the removal tool and scans offered.
P.S. Sorry, "uninstalling and reinstalling XP3" above should have read "SP3", which it seems you already had removed.
P.P.S.  I think you should run at least a Repair Install or probably better yet a full reformat.  In the case of the latter, hope you have a backup of your personal data.
P.P.P.S  I would think using the infected hard drive in another PC would subject the other PC to risk of infection.
0
 
jcimarron commented:
sgt_best--Whoops!!  I left out the link to the reference for the manual removal instructions
http://removal-tool.com/winpc-antivirus/
0
 
sgt_best (Author) commented:
Checked the registry per http://removal-tool.com/winpc-antivirus/
I had none of the suggested entries.
Earlier I followed a recommended removal and took out some of the files and entries and the annoying WinPC never came back up.

Changed the name on HijackThis and it installed and ran a log file. It is attached.

Attachment: hijackthis.log
0
 
jcimarron commented:
sgt_best--You still have baddies
Run HiJackThis again and "fix" the following
C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
http://www.file.net/process/gamevance32.exe.html
http://www.greatis.com/appdata/d/g/gamevance32.exe.htm (note GameVance is really only Adware, and if you cannot live without it then leave it)
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
See this reference about the last: http://www.bleepingcomputer.com/virus-removal/remove-winpc-defender#files
Definitely remove the last.

0
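Added example (my code, not jcimarron's and not part of HijackThis): a Python parser for the O2 (Browser Helper Object) and O4 (autostart) lines of a HijackThis log like the one discussed above, with a location-based severity heuristic so an analyst can sort a long log before looking entries up. SAMPLE_LOG is constructed from the two entries quoted in this thread plus one ordinary XP startup entry for contrast; it is not the poster's log. The severity rules (system32 expected, Program Files needs review, a DLL sitting directly in the Windows root or in a profile or Temp folder unusual) are my heuristics, a starting point for review and not a verdict on any file.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two entries quoted in the thread plus one ordinary
# Windows XP startup entry (ctfmon.exe) for contrast. Not the poster's real log.
SAMPLE_LOG = r"""
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<value>[^\]]+)\] (?P<command>.+)$")
# Quoted program path, or an unquoted path up to the first executable extension.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|com|scr|bat))', re.IGNORECASE)


@dataclass
class Entry:
    kind: str      # "O2" (BHO) or "O4" (autostart)
    label: str     # BHO display name or Run value name
    clsid: str     # BHO class id, "" for O4 entries
    path: str      # executable or DLL the entry loads
    severity: str  # "low", "review" or "high" (heuristic)
    raw: str       # the original log line


def executable_from_command(command):
    """Strip arguments from an autostart command line, honouring quotes."""
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m.group("q") or m.group("u")


def classify_location(path):
    """Heuristic severity from where the binary lives; not a verdict on the file."""
    p = path.lower()
    if re.match(r"^[a-z]:\\windows\\system32\\", p):
        return "low"
    if re.match(r"^[a-z]:\\program files\\", p):
        return "review"
    if (re.match(r"^[a-z]:\\windows\\[^\\]+$", p)      # directly in the Windows root
            or "\\temp\\" in p or "\\documents and settings\\" in p):
        return "high"
    return "review"


def triage(log_text):
    """Parse O2/O4 lines into Entry objects; other HijackThis sections are skipped."""
    entries = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m.group("name"), m.group("clsid"), m.group("path"),
                                 classify_location(m.group("path")), line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_from_command(m.group("command"))
            entries.append(Entry("O4", m.group("value"), "", exe, classify_location(exe), line))
    return entries


if __name__ == "__main__":
    for e in sorted(triage(SAMPLE_LOG), key=lambda e: ("high", "review", "low").index(e.severity)):
        print("%-6s %-3s %-14s %s %s" % (e.severity, e.kind, e.label, e.path, e.clsid))
```

The CLSID is kept separately because the BHO name in the log is whatever the DLL registered for itself and cannot be trusted; the class id is what you look up. Sorting by severity puts the Windows-root DLL first, which matches the order of attention in the reply above, but the "review" bucket still has to be read entry by entry.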
 
sgt_best (Author) commented:
The network settings could not be restored through the various options even though the rest of the PC seemed to run fine and the network settings appeared to be OK.  Gave in to the reformat/reinstall.
0
 
jcimarron commented:
sgt_best--Thanks for telling us what you did.  
If you ran a Repair Install, you might still consider running MBAM just to be sure all is well. But if you ran a reformat, then that probably is not needed.
0
 
fefo_33065 commented:
Jcimarron: REMOVAL-TOOL.COM?
Please people, be aware of that site. It pushes malware!
0
 
jcimarron commented:
fefo_33065 --
Thanks for the advice.  I certainly agree that readers should not download the offered Automatic "WinPC Antivirus Removal Tool" on that site.  I meant to refer to the Manual Removal procedure.  I should have been clearer.
And for those who do not even want to visit the site, the manual removal info can be seen through Google's cached version of the page:
http://74.125.95.132/search?q=cache:9JPzrenIuDQJ:removal-tool.com/winpc-antivirus/+winpc-antivirus&cd=7&hl=en&ct=clnk&gl=us
0
