Virus infects TCP Stack IPCONFIG error

Even though I've yet to see this, I'm starting to wonder if this isn't some deeply-hidden rootkit that we, in the general malware-killing business, have yet to figure out how to find and kill. Stating the obvious, maybe, but I'm wondering if Foolishtech, et al., will find this to be true once an attempt is made to fix this issue once and for all.

And then, another variant will pop up! Such is the life...
 
I look at each new virus as a challenge. I have yet to see a virus that couldn't be fixed without an N&P given enough time. The key of course is "given enough time", or money I suppose if that is your main motivation.

The latest one with the hidden partition took me about a week to figure out, but now I can fix it in about 15 minutes so I look at it as time well spent.

The hard ones also make you thankful for the ones where you can kill the process and delete the file.
 

I just tried them on an infected computer; they did not work. Still getting the same results. I have been searching for a solution but none found. I thought maybe somewhere in GPedit to enable and highlight the uninstall button for TCP/IP, but after reading and searching through it I have not found anything. N&P is not how I work, and with this it's the only thing I can think of to fix it.
 
I have just removed TCP/IP on an XP SP3 VMware test system. After changing the inf file I had to reboot to get the uninstall option.

11. Locate the Nettcpip.inf file in %winroot%\inf, and then open the file in Notepad.
12. Locate the [MS_TCPIP.PrimaryInstall] section.
13. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0x80.
14. Save the file, and then exit Notepad.
HERE I REBOOTED THE SYSTEM (WOULD NOT SHOW THE UNINSTALL OPTION UNLESS I DID THIS)
15. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
16. On the General tab, click Install, select Protocol, and then click Add.
17. In the Select Network Protocols window, click Have Disk.
18. In the Copy manufacturer's files from: text box, type c:\windows\inf, and then click OK.
19. Select Internet Protocol (TCP/IP), and then click OK.
Note This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.
20. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
RESTART
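The edit in steps 11-14 clears one flag bit: 0xa0 is NCF_HAS_UI (0x80) combined with NCF_NOT_USER_REMOVABLE (0x20), and it is the 0x20 bit that keeps the Uninstall button greyed out. The script below is an added example, not something from this thread or from Microsoft: it parses a Nettcpip.inf-style file, reports whether TCP/IP is marked user-removable, and returns a copy with only that bit cleared, so any other Characteristics bits survive. The SAMPLE_INF text is constructed for the demonstration; on a real system you would point it at %windir%\inf\nettcpip.inf (and, as noted above, reboot before looking for the Uninstall button).

```python
import re
import sys

# Flag values from the Windows netcfgx.h header (NCF_* characteristics).
NCF_NOT_USER_REMOVABLE = 0x20   # set -> Uninstall is greyed out in the UI
NCF_HAS_UI = 0x80               # the protocol has a Properties page

SECTION = "MS_TCPIP.PrimaryInstall"

# Constructed sample with the section the thread refers to; not a copy of
# a real Windows installation's Nettcpip.inf.
SAMPLE_INF = """\
[Version]
Signature = "$Windows NT$"

[MS_TCPIP.PrimaryInstall]
Characteristics = 0xa0
AddReg = MS_TCPIP.PrimaryInstall.AddReg
"""

_CHAR_RE = re.compile(r"(\s*Characteristics\s*=\s*)(0x[0-9A-Fa-f]+|\d+)")


def find_characteristics(inf_text, section=SECTION):
    """Return (line_index, value) for the Characteristics entry inside
    [section], or (None, None) if the section or the entry is missing."""
    in_section = False
    for i, line in enumerate(inf_text.splitlines()):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # INF section names are case-insensitive
            in_section = stripped[1:-1].lower() == section.lower()
            continue
        if not in_section:
            continue
        m = _CHAR_RE.match(line)
        if m:
            return i, int(m.group(2), 0)   # base 0 handles 0x.. and decimal
    return None, None


def is_user_removable(inf_text, section=SECTION):
    """True when NCF_NOT_USER_REMOVABLE is clear, i.e. the Uninstall
    button should be enabled for this protocol."""
    _, value = find_characteristics(inf_text, section)
    if value is None:
        raise ValueError(f"no Characteristics entry in [{section}]")
    return not (value & NCF_NOT_USER_REMOVABLE)


def make_user_removable(inf_text, section=SECTION):
    """Return a copy of the INF text with NCF_NOT_USER_REMOVABLE cleared in
    [section]; every other bit and every other line is left untouched."""
    idx, value = find_characteristics(inf_text, section)
    if value is None:
        raise ValueError(f"no Characteristics entry in [{section}]")
    new_value = value & ~NCF_NOT_USER_REMOVABLE
    lines = inf_text.splitlines(keepends=True)   # same line count as above
    lines[idx] = _CHAR_RE.sub(
        lambda m: f"{m.group(1)}0x{new_value:02x}", lines[idx], count=1)
    return "".join(lines)


if __name__ == "__main__":
    # Usage: python inf_tcpip.py [path\to\nettcpip.inf]; prints the patched
    # text to stdout so you can inspect it before writing it back.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INF
    print("user removable before:", is_user_removable(text), file=sys.stderr)
    print(make_user_removable(text), end="")
```

The script deliberately writes nothing back itself; redirect its output to a new file and compare against the original before replacing the real Nettcpip.inf, since a typo in that file will break the very reinstall you are trying to perform.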
 
Was anyone able to find a sample we can use to infect a test system and try the solution posted by our friend above?
 
Was anyone able to find a sample we can use to infect a test system and try the solution posted by our friend above?

I don't have an infected machine at the moment, but all the computers I have worked on with this problem have had Vista 2012 Security and XP 2012 Security with the ZeroAccess rootkit, if that helps.
 
I just tried them on an infected computer; they did not work. Still getting the same results. I have been searching for a solution but none found. I thought maybe somewhere in GPedit to enable and highlight the uninstall button for TCP/IP, but after reading and searching through it I have not found anything. N&P is not how I work, and with this it's the only thing I can think of to fix it.

I take my last post back. I used the reg keys from the above post on an infected PC with XP Service Pack 3 and it worked; you also have to add the Winsock reg keys, restart, and done. Here are the links.
Step 1 just gives a detailed report to let you know if you have the TCP/IP stack problem.

Step 1...http://download.bleepingcomputer.com/farbar/FSS.exe
step 2.....http://www.smartestcomputing.us.com/files/file/12-uninstall-tcpip-stack/
step 3..... http://www.smartestcomputing.us.com/files/file/9-registry-network-keys/

These steps have worked on Vista also. Does not work on an XP Service Pack 2 system.
 
I take my last post back. I used the reg keys from the above post on an infected PC with XP Service Pack 3 and it worked; you also have to add the Winsock reg keys, restart, and done. Here are the links.
Step 1 just gives a detailed report to let you know if you have the TCP/IP stack problem.

Step 1...http://download.bleepingcomputer.com/farbar/FSS.exe
step 2.....http://www.smartestcomputing.us.com/files/file/12-uninstall-tcpip-stack/
step 3..... http://www.smartestcomputing.us.com/...-network-keys/

These steps have worked on Vista also. Does not work on an XP Service Pack 2 system.

Fantastic! Good work.
 
I take my last post back. I used the reg keys from the above post on an infected PC with XP Service Pack 3 and it worked; you also have to add the Winsock reg keys, restart, and done. Here are the links.
Step 1 just gives a detailed report to let you know if you have the TCP/IP stack problem.

Step 1...http://download.bleepingcomputer.com/farbar/FSS.exe
step 2.....http://www.smartestcomputing.us.com/files/file/12-uninstall-tcpip-stack/
step 3..... http://www.smartestcomputing.us.com/...-network-keys/

These steps have worked on Vista also. Does not work on an XP Service Pack 2 system.


For Step 3, do you mean this link? The one you listed has apparently disappeared. I'm thinking this is the correct one.

http://www.smartestcomputing.us.com/files/file/9-registry-network-keys/
 
About two weeks ago, I had a business client's laptop, which was infected with XP Security 2012 and the zero.access rootkit. It wasn't until I removed the rootkit that I started having network issues similar to the ones here. Even after trying everything posted in this thread, I still had no network connectivity. I then remembered a similar issue that I'd had a few months ago, in which a repair install fixed my problem. Although I had already looked in the device manager for potential problems, I had forgotten to view the hidden devices, which is where TCP/IP is located. Sure enough, there was a problem, just as with the one a few months ago. I started thinking about how the repair install could have fixed my problem and came to the conclusion that either it was a driver that it replaced during the install or a registry key it had overwritten. So, I began with the simplest of the two, which was extracting the TCP/IP driver from an XP Home SP3 CD and using it to replace the one on the laptop. I then rebooted and was able to connect to the network.


---
I am here: http://maps.google.com/maps?ll=37.783408,-80.917835
 
About two weeks ago, I had a business client's laptop, which was infected with XP Security 2012 and the zero.access rootkit. It wasn't until I removed the rootkit that I started having network issues similar to the ones here. Even after trying everything posted in this thread, I still had no network connectivity. I then remembered a similar issue that I'd had a few months ago, in which a repair install fixed my problem. Although I had already looked in the device manager for potential problems, I had forgotten to view the hidden devices, which is where TCP/IP is located. Sure enough, there was a problem, just as with the one a few months ago. I started thinking about how the repair install could have fixed my problem and came to the conclusion that either it was a driver that it replaced during the install or a registry key it had overwritten. So, I began with the simplest of the two, which was extracting the TCP/IP driver from an XP Home SP3 CD and using it to replace the one on the laptop. I then rebooted and was able to connect to the network.

Dumb question or two: Did you try SFC? Did you run TDSSKiller?

As for SFC, it wouldn't surprise me if this completely misses a corrupted tcpip.sys. Especially on XP, SFC seems to do pretty much NOTHING in the way of actual repair, unfortunately... I'm just wondering if you had tried it or not; if so, that just furthers my point...

Alternately, I'm wondering if TDSSKiller, for example, would detect and fix the tcpip.sys driver by either "cleaning" or "replacement", which makes me wonder if it in fact cripples the driver when "cleaning" it, or if in "replacing" it's just replacing it with another infected copy.

The whole bit with these latest variants of the ZA rootkit amazes me. It seems to infect random drivers and registry entries. Some people fix the issue with success by importing one of several random reg entries for networking services (NetBT, AFD, TCPIP, IPsec, IPnat, etc.) and now you're saying a file replacement did the trick for you. Strange...
 
I came across another one of these today with the same issues as everyone else. Once everything was cleaned up I got the famous network issue, so I tried everything in this thread without any success.
What I tried next worked and maybe it will for you. This machine is running XP. Here are the instructions:
I downloaded Windows Enabler from here: http://www.freewarefiles.com/Windows-Enabler_program_980.html

Once downloaded, unzip and run the exe; it will be running by your clock. Next go into Control Panel, then Network Connections, and right-click your Local Area Connection, choose Properties. In the list click to highlight Internet Protocol (TCP/IP). The problem is that Uninstall is greyed out. To fix this, click the Windows Enabler task tray icon once. Then click Uninstall and it becomes active. Click the Windows Enabler tray icon once more to turn it off. Now click Uninstall. Reboot. Go back into the network properties and install Internet Protocol (TCP/IP) again (do not install Microsoft IP 6.0).

I found the above instructions on an old forum from years ago to reinstall TCP/IP and figured I would give it a shot; nothing else was working.

This worked for me. Holy crap. Not sure if this will work for everyone, but I had the same situation as everyone else, and now I've rebooted the PC and DHCP and internet are back up and running.
 
I came across another one of these today with the same issues as everyone else. Once everything was cleaned up I got the famous network issue, so I tried everything in this thread without any success.
What I tried next worked and maybe it will for you. This machine is running XP. Here are the instructions:
I downloaded Windows Enabler from here: http://www.freewarefiles.com/Windows-Enabler_program_980.html

Once downloaded, unzip and run the exe; it will be running by your clock. Next go into Control Panel, then Network Connections, and right-click your Local Area Connection, choose Properties. In the list click to highlight Internet Protocol (TCP/IP). The problem is that Uninstall is greyed out. To fix this, click the Windows Enabler task tray icon once. Then click Uninstall and it becomes active. Click the Windows Enabler tray icon once more to turn it off. Now click Uninstall. Reboot. Go back into the network properties and install Internet Protocol (TCP/IP) again (do not install Microsoft IP 6.0).

I found the above instructions on an old forum from years ago to reinstall TCP/IP and figured I would give it a shot; nothing else was working.

This worked for me. Holy crap. Not sure if this will work for everyone, but I had the same situation as everyone else, and now I've rebooted the PC and DHCP and internet are back up and running.

I've been talking to Rockhop today via email and I was struggling BIG time with another infection like this. I spent hours and was about to try a repair install and then a nuke and pave and then he found this.

I tried it and IT WORKED!!! :D :D Followed his instructions to the T and I'm back in business. I seriously spent hours trying every different possible solution I could find online, and I hadn't seen this suggested exactly like this.

Just want to give a big thanks to him again and I have another machine coming in that supposedly has this infection, so I might get to try it again.
 