WinPC Antivirus damage TCP/IP

Posted on 2009-04-23
Last Modified: 2012-05-06
I have Windows XP SP3 that has the trojan WinPC Antivirus
The settings look normal as far as the ip address in the TCP/IP properties. I have a static IP.

A ping, even to returns

unable to contact IP driver, error code 2

From DOS, tried an IPCONFIG and get the error:
An internal error occurred:  The request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information:  Unable to query host name.

I deleted the registry settings under HKEY_Current User_Software_WinPC

Also, Malwarebytes will not run the mbam-setup.

I have Symantec corporate scan engine updated 4-19-2009 and scanned in safe mode but found nothing.

Ran a program recommended in similar question called WinsockxpFix but did not repair.

I thank you in advance for your response.
Question by: sgt_best
    LVL 16

    Expert Comment

    Looks like your TCP stack has been corrupted. Use netsh to reset it.
    LVL 3

    Author Comment

    If this was all that I was supposed to do:

    At the command prompt, copy and paste (or type) the following command and then press ENTER:
    netsh int ip reset c:\resetlog.txt

    Did not fix the problem.
    Log file contains only the word "completed"

    Also deleted the following registry values before your reply.
    Recommended by

    HKEY_CURRENT_USER\Software\WinPC Antivirus
    HKEY_CURRENT_USER\Control Panel\don't load "scui.cpl"
    HKEY_CURRENT_USER\Control Panel\don't load "wscui.cpl"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sysav"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusDisableNotify" => 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallDisableNotify" => 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UpdatesDisableNotify" => 1

    The virus does not pop up anymore but still have corrupted TCPIP.
    LVL 50

    Expert Comment

    sgt_best--WinsockFix and other tools
    LVL 3

    Author Comment

    I tried the WinsockFix, again...this was what I stated in my original post that did not resolve the problem.

    On Show Hidden Devices in Device Manager
    under Non-Plug and Play Drivers
    There is an exclamation on IP Network Address Translator and TCP/IP Protocol Driver.
    Both are stopped and cannot be restarted.
    Both say the device is not present, is not working properly or does not have all its drivers installed. (code 24)

    For the IP Network Address Translator if Start under the Driver tab is pressed the following error comes up.
    The system encountered the following error while attempting to start the service. The dependency service or group failed to start.
    I looked and the C:\WINDOWS\system32\drivers\IPNat.sys is there.

    For the TCPIP Start is pressed under the driver tab the error comes up:
    The system encountered the following error while attempting to start the service  The system cannot find the file specified.
    I looked and the file C:\WINDOWS\system32\drivers\Tcpip.sys is there.
    LVL 50

    Expert Comment

    sgt_best--Sorry I did not catch that you had already tried WinsockFix.
    Is it possible you still have some malware on the PC?  The fact that you cannot run Malwarebytes is suspicious.
    Run HiJackThis
    and post the log here if you would like help in interpreting.
    Otherwise here are more ideas about reestablishing the connection  (note the possibility your Firewall could be the problem)

    If nothing else works, a Repair Install is always a possibility.  (as is uninstalling and reinstalling XP3)
    In fact, in light of all the problems and error messages that might be the best, but I posted the other ideas anyway.  Repair Install should not affect your personal data.
    LVL 23

    Expert Comment

    "...also malwarebytes will not run the mbam-setup..."
    You are still infected.  You will need to get clean before addressing the connection issue.
    Try downloading Mbam to a flash drive, but rename the file BEFORE you download it, then take it to the infected machine.
    If that won't work, you could try an online scan:

    Or remove the hdd, slave it to another pc and then scan it for malware.

    Or try Combofix:

    Make sure you disable your av before you run it. Post the log here.

    LVL 3

    Author Comment

    Thanks again for your time and replies.
    Just to update the status....
    uninstalling / reinstalling service pack 3 did not fix the problem.  If it was being suggested that XP be "uninstalled" then I didn't understand that.  

    I followed this from the suggested link:
    How to fix a Winsock2 corruption issue
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    4.       When you are prompted to confirm the deletion, click Yes.

    Note Restart the computer after you delete the Winsock keys. Doing so causes the Windows XP operating system to create new shell entries for those two keys

    It replaced the Winsock 2 but the Winsock is still missing.

    Also changing the name of mbam-setup did work and it did install although it took about 10 minutes or longer.  Would not run.

    Could not get Hijack this to install.

    Next step will be to scan drive in another PC.
    LVL 50

    Accepted Solution

    sgt_best--It certainly sounds like you are infected.  Can you run MBAM and/or HiJackThis from Safe Mode?  What about ComboFix?
    In your first post you said you had trojan WinPC Antivirus.  I do not know how you determined that or if you feel you removed it, but here are instructions for manual removal (see the section "Manual Removal of WinPC Antivirus").  I am not sure I trust the site well enough to suggest you use the removal tool  and scans offered.
    P.S. Sorry, "uninstalling and reinstalling XP3" above should have read "SP3", which it seems you already had removed.
    P.P.S.  I think you should run at least a Repair Install or probably better yet a full reformat.  In the case of the latter, hope you have a backup of your personal data.
    P.P.P.S  I would think using the infected hard drive in another PC would subject the other PC to risk of infection.
    LVL 50

    Expert Comment

    sgt_best--Whoops!!  I left out the link to the reference for the manual removal instructions
    LVL 3

    Author Comment

    Checked the registry per
    had none of the suggested entries
    Earlier I followed a recommended removal and took out some of the files and entries and the annoying WinPC never came back up.

    Changed the name on Hijack This and it installed and ran a log file.  It is attached.

    LVL 50

    Expert Comment

    sgt_best--You still have baddies
    Run HiJackThis again and "fix" the following
    C:\Program Files\Gamevance\gamevance32.exe
    O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe  (note GameVance is really only Adware, and if you cannot live without it then leave it)
    O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll See this reference about the last
    Definitely remove the last.
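The O2 (Browser Helper Object) and O4 (autostart) lines quoted in the comment above follow a fixed layout, so a HijackThis log can be parsed and compared against a list of already reviewed paths. This is an added example, not part of the original thread; the `ccApp` line and the baseline are constructed, and the function names are illustrative.

```python
import re

# HijackThis O2 (Browser Helper Object) and O4 (Run-key autostart) line formats.
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4 = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")

def parse_entries(log):
    """Return one dict per O2/O4 line; all other log lines are ignored."""
    entries = []
    for line in map(str.strip, log.splitlines()):
        for section, rx in (("O2", O2), ("O4", O4)):
            if m := rx.match(line):
                entry = {"section": section, **m.groupdict()}
                entry["path"] = entry["path"].strip('"')  # paths may be quoted
                entries.append(entry)
    return entries

def unreviewed(log, baseline):
    """Entries whose file path is not in the reviewed baseline (case-insensitive)."""
    known = {p.lower() for p in baseline}
    return [e for e in parse_entries(log) if e["path"].lower() not in known]

# Lines quoted in the comment above, plus one constructed entry (ccApp).
SAMPLE = r"""C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
"""
# Hypothetical baseline of paths already reviewed on a known-good build.
BASELINE = [r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"]

if __name__ == "__main__":
    for e in unreviewed(SAMPLE, BASELINE):
        print(e["section"], e["name"], e["path"])
```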

    LVL 3

    Author Closing Comment

    The network settings could not be restored through the various options even though the rest of the PC seemed to run fine and the network settings appeared to be OK.  Gave in to the reformat/reinstall.
    LVL 50

    Expert Comment

    sgt_best--Thanks for telling us what you did.  
    If you ran a Repair Install, you might still consider running MBAM just to be sure all is well.  But if you ran a reformat, then that probably is not needed.
    LVL 7

    Expert Comment

    Jcimarron: REMOVAL-TOOL.COM?
    Please people, be aware of that site. It pushes malware!
    LVL 50

    Expert Comment

    fefo_33065 --
    Thanks for the advice.  I certainly agree that readers should not download the offered Automatic "WinPC Antivirus Removal Tool" on that site.  I meant to refer to the Manual Removal procedure.  I should have been clearer.
    And for those who do not even want to visit the site, the manual removal info can be seen through Google's cached version of the information
