  #1  
12-22-2011, 12:45 AM
StreetHacker
Virus infects TCP Stack IPCONFIG error

So I have seen lots of viruses infect the TCP stack. You won't be able to get online, and if you go to IPCONFIG you get an error. This seems to be the only way to fix it. Does anyone know of an easier way to fix it?

Step #1
Full uninstall of TCP/IP
----------------------------------------------------------------------
These steps are copied from http://support.microsoft.com/kb/325356
11. Locate the Nettcpip.inf file in %winroot%\inf, and then open the file in Notepad.
12. Locate the [MS_TCPIP.PrimaryInstall] section.
13. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0x80.
14. Save the file, and then exit Notepad.
15. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
16. On the General tab, click Install, select Protocol, and then click Add.
17. In the Select Network Protocols window, click Have Disk.
18. In the Copy manufacturer's files from: text box, type c:\windows\inf, and then click OK.
19. Select Internet Protocol (TCP/IP), and then click OK.
Note This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.
20. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
RESTART

Successful uninstallation of TCP/IP will remove numerous keys from the registry, including
HKLM/system/CurrentControlSet/services/tcpip
HKLM/system/CurrentControlSet/services/dhcp
HKLM/system/CurrentControlSet/services/dnscache
HKLM/system/CurrentControlSet/services/ipsec
HKLM/system/CurrentControlSet/services/policyagent
HKLM/system/CurrentControlSet/services/atmarpc
HKLM/system/CurrentControlSet/services/nla
These represent various interconnected and interdependent services.

For good measure you should delete the following keys before reinstalling TCP/IP in step #2
HKLM/system/CurrentControlSet/services/winsock
HKLM/system/CurrentControlSet/services/winsock2

Step #2
Reinstall of TCP/IP
----------------------------------------------------------------------
Following the above substep #13, replace the 0x80 back to 0xa0; this will eliminate the related "unsigned driver" error that was encountered during the uninstallation phase.

Return to "local area connection"> properties > general tab > install > Protocol > TCP/IP

You may receive an "Extended Error" failure upon trying to reinstall TCP/IP; this is related to the installer sub-system conflicting with the security database status.

To check the integrity of the security database:
esentutl /g c:\windows\security\Database\secedit.sdb

There may be a message saying the database is out of date.
First try the recovery option:
esentutl /r c:\windows\security\Database\secedit.sdb

This did not work for me; I needed the repair option:
esentutl /p c:\windows\security\Database\secedit.sdb

Rerun the /g option to ensure that integrity is good and the database is up to date.

Now return to the "local area network setup",
choose install > protocol > tcp/ip and try again.

Reboot.
Worked for me.
Reply With Quote
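Added example, not part of the original post or the Microsoft KB article: the Characteristics entry edited in substep 13 is a bit mask, and 0x20 (NCF_NOT_USER_REMOVABLE) is the bit that greys out Uninstall, so changing 0xa0 to 0x80 clears it while leaving 0x80 (NCF_HAS_UI) set. The Python below parses a constructed INF sample and decodes the value, which also serves as a check that the file was restored to 0xa0 after Step #2; the function names and the sample text are assumptions made for illustration.

```python
import re

# Bit flags of the Characteristics entry in a network-component INF (NCF_* values).
NCF_FLAGS = {
    0x01: "NCF_VIRTUAL",
    0x02: "NCF_SOFTWARE_ENUMERATED",
    0x04: "NCF_PHYSICAL",
    0x08: "NCF_HIDDEN",
    0x10: "NCF_NO_SERVICE",
    0x20: "NCF_NOT_USER_REMOVABLE",
    0x40: "NCF_MULTIPORT_INSTANCED_ADAPTER",
    0x80: "NCF_HAS_UI",
}

# Constructed sample, not the real contents of Nettcpip.inf.
SAMPLE_INF = """\
[MS_TCPIP.PrimaryInstall]
; value as shipped, before substep 13
Characteristics = 0xa0
"""

def read_characteristics(inf_text, section="MS_TCPIP.PrimaryInstall"):
    """Return the integer Characteristics value from one INF section."""
    current = None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an INF comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
        elif current == section.lower() and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "characteristics":
                return int(value, 0)  # accepts 0xa0 as well as decimal
    raise ValueError(f"no Characteristics entry in [{section}]")

def decode(value):
    """List the flag names set in a Characteristics value."""
    return [name for bit, name in sorted(NCF_FLAGS.items()) if value & bit]

def uninstall_allowed(value):
    """Bit 0x20 (NCF_NOT_USER_REMOVABLE) greys out the Uninstall button."""
    return not value & 0x20

if __name__ == "__main__":
    for text in (SAMPLE_INF, SAMPLE_INF.replace("0xa0", "0x80")):
        v = read_characteristics(text)
        print(hex(v), decode(v), "uninstall allowed:", uninstall_allowed(v))
```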
  #2  
12-22-2011, 03:40 PM
thecompu-doctor

I hope this works. I'm heading out to the second computer I've seen with this crap in the past few weeks and I really don't want to do a N&P.

I followed the link and it is for Server 2003; I guess this should work on Vista...
__________________
Kevin Boynton
Chief of Computer Medicine
The Computer Doctor of Richmond
www.richmondcomputerdoctor.com
#3
12-22-2011, 04:13 PM
markcuk11

Will this do it? http://support.microsoft.com/kb/299357
#4
12-22-2011, 04:26 PM
MobileTechie

That's just the netsh reset thing isn't it? Definitely one to try first but I assumed this was for situations where that doesn't work?
#5
12-26-2011, 03:27 PM
ZenMike

Quote:
Originally Posted by markcuk11
This is about as far as I've ever had to go, but "netsh int ip reset reset.log" has done the job so far when it's gotten that bad.

Would this not be enough for the issue you're describing?
__________________
Cloud Hosting in Wyomissing, PA
#6
12-26-2011, 03:44 PM
FoolishTech

Quote:
Originally Posted by ZenMike
This is about as far as I've ever had to go, but "netsh int ip reset reset.log" has done the job so far when it's gotten that bad.

Would this not be enough for the issue you're describing?

I don't believe any netsh command will actually rewrite related services entries in the registry, which is what that post on podnutz addresses...
__________________


Author of d7 & d7II, and TONS of other FREE PC technician's tools. www.FoolishIT.com

Author of CryptoPrevent - Crypto/Malware prevention for any OS.

Latest free tool: dBug - Neutralize malware preventing you from running removal tools.

NEW d7II single technician pricing!
#7
12-27-2011, 03:31 AM
trapped

I was able to fix one of these successfully, but it has been about a month so I am a bit fuzzy. Basically, this thread was the basis for finding the solution, http://answers.microsoft.com/en-us/w...4-9eaab2c40884.
__________________


Get a Geek. Get it Done.

Computer, Networking, and Home Theater installation, service and repair in the Greater Sacramento, CA Region.

http://www.thecomputergeeks.com
#8
12-22-2011, 07:52 PM
FoolishTech

Decided to research this fix for inclusion in D7, but ran into a snag...

Quote:
11. Locate the Nettcpip.inf file in %winroot%\inf, and then open the file in Notepad.
12. Locate the [MS_TCPIP.PrimaryInstall] section.
13. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0x80.
14. Save the file, and then exit Notepad.
15. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
16. On the General tab, click Install, select Protocol, and then click Add.
17. In the Select Network Protocols window, click Have Disk.
18. In the Copy manufacturer's files from: text box, type c:\windows\inf, and then click OK.
19. Select Internet Protocol (TCP/IP), and then click OK.
Check!

Quote:
Note This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.
Nope! The Uninstall button is still grayed out. So I tried installing the INF, and even restarting Windows - no joy

Attempted this in a VM running XP SP3... what could I be missing?!
#9
12-22-2011, 09:32 PM
markcuk11

You could try windows enabler
#10
12-23-2011, 02:16 AM
kevinjhaag

Quote:
Originally Posted by FoolishTech
Decided to research this fix for inclusion in D7, but ran into a snag...

Check!

Nope! The Uninstall button is still grayed out. So I tried installing the INF, and even restarting Windows - no joy

Attempted this in a VM running XP SP3... what could I be missing?!

I've run into the same issue. So you're not the only one, Foolish. I've been working on a solution myself for this and creating some sort of automation. If I figure out anything, I'll send it your way. I had a computer today with the issue but it had to be a quick turnaround, so I just did a N&P. Hopefully the next computer I will get more time to work on it. I'm looking forward to a completely automated fix for this. I had fixed it once but I did many things and never recorded the steps I took to get it fixed. Talk to you later.