Virus infects TCP Stack IPCONFIG error

StreetHacker

So I have seen lots of viruses infect the TCP stack. You won't be able to get online, and if you run IPCONFIG you get an error. This seems to be the only way to fix it. Does anyone know of an easier way to fix it?

Step #1
Full uninstall of TCP/IP
----------------------------------------------------------------------
These steps are copied from http://support.microsoft.com/kb/325356
11. Locate the Nettcpip.inf file in %winroot%\inf, and then open the file in Notepad.
12. Locate the [MS_TCPIP.PrimaryInstall] section.
13. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0x80.
14. Save the file, and then exit Notepad.
15. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
16. On the General tab, click Install, select Protocol, and then click Add.
17. In the Select Network Protocols window, click Have Disk.
18. In the Copy manufacturer's files from: text box, type c:\windows\inf, and then click OK.
19. Select Internet Protocol (TCP/IP), and then click OK.
Note: This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.
20. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
RESTART

A successful uninstallation of TCP/IP will remove numerous keys from the registry, including:
HKLM/system/CurrentControlSet/services/tcpip
HKLM/system/CurrentControlSet/services/dhcp
HKLM/system/CurrentControlSet/services/dnscache
HKLM/system/CurrentControlSet/services/ipsec
HKLM/system/CurrentControlSet/services/policyagent
HKLM/system/CurrentControlSet/services/atmarpc
HKLM/system/CurrentControlSet/services/nla
These represent various interconnected and interdependent services.

For good measure you should delete the following keys before reinstalling TCP/IP in step #2:
HKLM/system/CurrentControlSet/services/winsock
HKLM/system/CurrentControlSet/services/winsock2

Step #2
Reinstall of TCP/IP
----------------------------------------------------------------------
Following the above substep #13, change the 0x80 back to 0xa0; this will eliminate the related "unsigned driver" error that was encountered during the uninstallation phase.

Return to "Local Area Connection" > Properties > General tab > Install > Protocol > TCP/IP

You may receive an "Extended Error" failure when trying to reinstall TCP/IP; this is related to the installer sub-system conflicting with the security database status.

To check the integrity of the security database:
esentutl /g c:\windows\security\Database\secedit.sdb

There may be a message saying the database is out of date.
First try the recovery option:
esentutl /r c:\windows\security\Database\secedit.sdb

This did not work for me; I needed the repair option:
esentutl /p c:\windows\security\Database\secedit.sdb

Rerun the /g option to ensure that integrity is good and the database is up to date.

Now return to the "Local Area Connection" setup,
choose Install > Protocol > TCP/IP and try again.

Reboot.
Worked for me.
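The substep #13 edit above (and the automation Foolish mentions further down the thread) amounts to clearing one bit in the Characteristics value: 0xa0 is NCF_HAS_UI (0x80) plus NCF_NOT_USER_REMOVABLE (0x20) from the Windows SDK header netcfgx.h, and it is the latter that greys out the Uninstall button. As an added example that is not from the post or from the Microsoft KB article, the Python below toggles that bit in the PrimaryInstall section of a constructed nettcpip.inf sample instead of doing a blind 0xa0 to 0x80 string swap, so it also handles a file whose value is not exactly 0xa0 and leaves every other section alone; the function names and the sample file are assumptions.

```python
import re

# Characteristics flag bits from netcfgx.h: stock 0xa0 = NCF_HAS_UI (0x80) | NCF_NOT_USER_REMOVABLE (0x20)
NCF_NOT_USER_REMOVABLE = 0x20   # while set, the Uninstall button in connection properties is greyed out

SECTION = "[MS_TCPIP.PrimaryInstall]"
CHAR_RE = re.compile(r"(\s*Characteristics\s*=\s*)(0x[0-9A-Fa-f]+)(.*)", re.DOTALL)

# Constructed, abridged stand-in for %windir%\inf\nettcpip.inf (not the real file)
SAMPLE_INF = """; constructed sample for testing
[Version]
Signature = "$Windows NT$"

[MS_TCPIP.PrimaryInstall]
Characteristics = 0xa0
AddReg = Tcpip.Reg

[MS_TCPIP.Other]
Characteristics = 0xa0
"""

def _iter_primary(inf_text):
    """Yield (line, match) for every line; match is the Characteristics regex
    match only while inside the PrimaryInstall section, otherwise None."""
    in_section = False
    for line in inf_text.splitlines(keepends=True):
        if line.strip().startswith("["):
            in_section = line.strip().lower() == SECTION.lower()
        yield line, (CHAR_RE.match(line) if in_section else None)

def set_user_removable(inf_text, removable):
    """Clear (removable=True, before the uninstall) or restore (removable=False,
    before the reinstall in step #2) NCF_NOT_USER_REMOVABLE on the PrimaryInstall
    Characteristics line; all other lines and sections pass through unchanged."""
    out = []
    for line, m in _iter_primary(inf_text):
        if m:
            flags = int(m.group(2), 16)
            if removable:
                flags &= ~NCF_NOT_USER_REMOVABLE
            else:
                flags |= NCF_NOT_USER_REMOVABLE
            line = f"{m.group(1)}0x{flags:x}{m.group(3)}"
        out.append(line)
    return "".join(out)

def primary_characteristics(inf_text):
    """Return the PrimaryInstall Characteristics value as an int, or None if absent."""
    return next((int(m.group(2), 16) for _, m in _iter_primary(inf_text) if m), None)
```

The functions operate on the file's text: read the real nettcpip.inf yourself, apply set_user_removable(text, True) before the uninstall and set_user_removable(text, False) before the reinstall, and write the result back in the file's original encoding.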
 
I hope this works. I'm heading out to the second computer I've seen with this crap in the past few weeks and I really don't want to do an N&P.

I followed the link and it is for Server 2003; I guess this should work on Vista...
 
That's just the netsh reset thing isn't it? Definitely one to try first but I assumed this was for situations where that doesn't work?
 
Decided to research this fix for inclusion in D7, but ran into a snag...

11. Locate the Nettcpip.inf file in %winroot%\inf, and then open the file in Notepad.
12. Locate the [MS_TCPIP.PrimaryInstall] section.
13. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0x80.
14. Save the file, and then exit Notepad.
15. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
16. On the General tab, click Install, select Protocol, and then click Add.
17. In the Select Network Protocols window, click Have Disk.
18. In the Copy manufacturer's files from: text box, type c:\windows\inf, and then click OK.
19. Select Internet Protocol (TCP/IP), and then click OK.

Check!

Note: This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.

Nope! The Uninstall button is still grayed out. So I tried installing the INF, and even restarting Windows - no joy :(

Attempted this in a VM running XP SP3... what could I be missing?!
 
I've run into the same issue, so you're not the only one, Foolish. I've been working on a solution myself for this and creating some sort of automation. If I figure out anything, I'll send it your way. I had a computer today with the issue but it had to be a quick turnaround, so I just did an N&P. Hopefully with the next computer I will get more time to work on it. I'm looking forward to a completely automated fix for this. I had fixed it once but I did many things and never recorded the steps I took to get it fixed. Talk to you later.
 
I easily automated modification of nettcpip.inf with the change, but I think the biggest problem will be getting nettcpip.inf to install.

Still, I can't even get to that step yet if the INF modification doesn't do what it says it does. I noted the MSKB was about Server 2003 and I didn't see mention of service pack level; I'm starting to wonder if this doesn't work for XP SP3...
 
I too had a brief chance to work on one of these this afternoon with some success. I followed these steps, but my uninstall was also grayed out. So I did all the other steps, ran a winsock fix for good measure, uninstalled the NIC (from hardware manager) and rebooted.

Came back in and was able to get online, and all seemed to work well. However, the NIC icon (network and sharing icon, since this is Vista) in the tray beside the clock had a red X over it. I also found that when opening the Network and Sharing Center, it too was not properly functional, but the rest of the system worked well and we could get online. I didn't have a chance to do any other real troubleshooting, but at least got the customer back up and running.

I would love to infect a VM with this infection that kills the NIC. Anyone know where I can get it?
 
Had this issue, easy fix:

netsh advfirewall reset

Sounds like you had a similar issue but not THIS issue...

Though I haven't run across it myself yet, several threads floating around these forums with the same symptoms have people mention using D7, and I can only assume the reset networking interfaces button; it does your easy fix and a whole lot more, but still no love...

Kernel Mode has a thread where you can download them if you poke around I think.

http://www.kernelmode.info/forum/index.php

I'm poking around in there now, thanks for the tip!
 
Yeah, the symptoms sound the same...computer can't get an IP...etc...etc...

Anyway, resetting the firewall via my method worked for me. Couldn't actually reset via the Windows GUI, btw.
 
Can you let us know if you find it so I don't have to re-poke around?!
 
I can't say that I've tried that, but I doubt it will fix this exact problem. This problem corrupted some drivers and services. I did try a firewall reset via UVK script.
 
This is about as far as I've ever had to go, but "netsh int ip reset reset.log" has done the job so far when it's gotten that bad.

Would this not be enough for the issue you're describing?

I don't believe any netsh command will actually rewrite related services entries in the registry, which is what that post on podnutz addresses...
 