Virus infects TCP Stack IPCONFIG error

Update:

I stopped by a customer's place and picked up an infected machine tonight; it showed no obvious signs of infection other than IE not opening (still won't?), but they said they'd had something pop up that sounded like the 2012 fake AV. I went ahead and started working on it in my home office, and after Malwarebytes scanned and removed a couple of trojans I had the same ipconfig/TCP problem. I followed RockHop's instructions again and BAM, it worked. Back up and online like a charm! Thanks again!

Now I've got to figure out this IE instant crash problem....
 
Dumb question or two: Did you try SFC? Did you run TDSSKiller?

Yep, ran both of them. As a matter of fact, I ran SFC twice and got the same message about inserting an XP Pro CD when it should have been a Home CD, but knowing about this common problem I just inserted Home and went on about my business. As far as TDSSKiller, I ran it probably four or five times and it never once detected the zero.access rootkit. It wasn't until I ran Combofix on it that it picked it up. Once it was done cleaning it up, I had no internet access.

As for SFC, it wouldn't surprise me if this completely misses a corrupted tcpip.sys - especially on XP, SFC seems to do pretty much NOTHING in the way of actual repair, unfortunately... I'm just wondering if you had tried it or not; if so, that just furthers my point...

Alternately I'm wondering if TDSSKiller, for example, would detect and fix the tcpip.sys driver by either "cleaning" or "replacement" - which makes me wonder if it in fact cripples the driver when "cleaning" it, or if in "replacing" it's just replacing with another infected copy.

The whole bit with these latest variants of the ZA rootkit amazes me. It seems to infect random drivers and registry entries. Some people fix the issue with success by importing one of several random reg entries for networking services (NetBT, AFD, TCPIP, IPsec, IPnat, etc.) and now you're saying a file replacement did the trick for you. Strange...

On this particular system, I did do a lot of research and found out that yes, some variants of the zero.access rootkit do exactly what you are thinking: they infect random driver files. I can't for the life of me remember the search terms I used in Google or the site I found all the information on this particular rootkit, but it does seem like a pretty nasty little bugger.
Now, on a few other machines, including one I have in the shop now, I have run into a problem where Vista Security 2012 messes with the networking drivers. In just about all cases I've had so far, the LAN works fine locally and on the internet but the WLAN is only able to get local access until I reinstall the networking drivers. And simply uninstalling the driver in the device manager does not always work. Most of the time I have to download the drivers from the manufacturer's support site and install over the top of the existing drivers.
I feel as if all these 2012 fake AVs are creating the majority of the problems. The reason I say this is that just about every machine I've worked on has had networking issues only after removing them. I even had my brother's girlfriend get reinfected with what looked and acted like the same XP 2012 variant, but the first infection didn't mess with the networking after it was removed, while the second one did. I know this may sound weird, but the second one allowed her to access the internet through IE once, when I walked her through downloading SuperAntispyware, but when she went to access it a second time to download Teamviewer, it blocked it. It's kind of like they are learning all on their own! lol
 
I came across another one of these today with the same issues as everyone else. Once everything was cleaned up I got the famous network issue, so I tried everything in this thread without any success.
What I tried next worked and maybe it will for you. This machine is running XP -- here are the instructions:
I downloaded Windows Enabler from here: http://www.freewarefiles.com/Windows-Enabler_program_980.html

Once downloaded, unzip and run the exe; it will be running by your clock. Next go into Control Panel, then Network Connections, and right-click your Local Area Connection and choose Properties. In the list, click to highlight Internet Protocol (TCP/IP). The problem is that Uninstall is greyed out. To fix this, click the Windows Enabler task tray icon once. Then click Uninstall and it becomes active. Click the Windows Enabler tray icon once more to turn it off. Now click Uninstall. Reboot. Go back into the network properties and install Internet Protocol (TCP/IP) again (do not install Microsoft IP 6.0).

I found the above instructions on an old forum from years ago to reinstall TCP/IP and figured I would give it a shot - nothing else was working.

This worked for me -- Holy Crap -- not sure if this will work for everyone but I had the same situation as everyone else and now rebooted the PC and DHCP and internet are back up and running.

This works fine, I forgot to enable it when I first tried it :o
 
I used this today on 2 computers that had all the exact issues and it worked great. Had network connectivity on the first try. The only thing I did differently was after uninstalling the TCP/IP protocol I ran CCleaner and cleaned the registry of all the junk. And then I reinstalled the protocol after a reboot...
 
Had a couple more computers in; looks like TDSSKiller took care of the virus in the tcpip.sys with the cure option... didn't take out the network... don't know if I just got lucky but so far so good... maybe Kaspersky updated their tool to deal with the infection now. Let me know if any other people are having luck.
 
I don't know about you guys, but in my experience with this rootkit I have noticed that it infects different files each time I see it, but with the same result.
 
Thought I'd pass along my experience with this. I had more than one instance this week of the zero.access rootkit. Running Combofix does do a great job of removing the rootkit, as other programs seem oblivious. It's like, how do you guys (antimalware) not see that IE or Firefox are being redirected? In that regard, Malwarebytes' realtime scanner does block the actual redirection, but does nothing for removal. So, anyway, it seems that the latest version of Combofix does a good job of removing it, and fixing the damage after it's complete. It takes a reboot and a 2nd run, but it works. Anybody else had success with Combofix being the cure-all for this particular lil' nasty?
 
Just ran SAS; it picked it up and removed it too, but killed the Internet... Anyone make a fix to reset IPSEC or whatever file it screws up? (In my case it was ipsec.sys, I think that was the name of it.)
 
I've been beating my head against the wall all night on the zeroaccess TCP/network problems. I've had a slew of them in the past week, 14 since Monday a week ago. For the system tonight, nothing at all has worked... went through everything in the book (well, everything on TN, and that Google could lead me to).

Finally, tried some stuff again that I had already tried, really didn't want to do a Nuke.

This worked, same process as has been posted here: (but again, didn't work the 1st go round, but did on a subsequent try)...

I just hope these stay fixed.



Go to Start ==> Run (or Windows key+R)

Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
(note that there is a space after notepad)
The above file will open in Notepad.
Under the TCP/IP Primary Install section find the following: Characteristics = 0xA0
Edit 0xA0 and replace it with 0x80 (replace A with 8).
Under the File menu click Save and close Notepad.

Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.

On the General tab, click Install; a popup window opens.
Select Protocol from the list and then click Add.
A new window opens; click Have Disk....
In the browse... box type c:\windows\inf
Click OK.
Select Internet Protocol (TCP/IP), and then click OK.
On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.

Go to Start ==> Run (or Windows key+R)

Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
(note that there is a space after notepad)
A file opens in Notepad. Under the TCP/IP Primary Install section find the following: Characteristics = 0x80
Edit 0x80 and replace it with 0xA0 (replace 8 with A).
Under the File menu click Save and close Notepad.

Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.

On the General tab, click Install.
A popup window opens. Select Protocol.
A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
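The two Notepad edits in the post above (0xA0 to 0x80 before the uninstall, back to 0xA0 before the reinstall), done as a script that keeps a backup and only touches the primary-install section rather than every Characteristics line in the file. This is an added example, not from the thread; the section header `[MS_TCPIP.PrimaryInstall]` and the bit meaning (0x20 = NCF_NOT_USER_REMOVABLE, which is what greys out Uninstall) are my assumptions about XP's nettcpip.inf, and the sample INF text is constructed.

```python
import re
import shutil
from pathlib import Path

# Section header assumed for the "TCP/IP Primary Install" block of XP's nettcpip.inf;
# confirm it in the file on the machine being repaired.
SECTION = "[MS_TCPIP.PrimaryInstall]"
# Assumed flag meaning: 0xA0 = NCF_HAS_UI (0x80) | NCF_NOT_USER_REMOVABLE (0x20).
# Clearing 0x20 is exactly the A -> 8 edit; setting it again is the 8 -> A edit.
NOT_USER_REMOVABLE = 0x20
CHAR_RE = re.compile(r"^(\s*Characteristics\s*=\s*)0x([0-9A-Fa-f]+)(.*)$")

def set_removable(inf_text: str, removable: bool):
    """Clear (removable=True) or restore (removable=False) the 0x20 bit on the
    Characteristics line inside SECTION only. Returns (new_text, old_val, new_val)."""
    lines = inf_text.splitlines(keepends=True)
    in_section = False
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")          # keep the original line ending
        if body.strip().startswith("["):    # INF section headers are case-insensitive
            in_section = body.strip().lower() == SECTION.lower()
            continue
        m = CHAR_RE.match(body) if in_section else None
        if not m:
            continue
        old = int(m.group(2), 16)
        new = old & ~NOT_USER_REMOVABLE if removable else old | NOT_USER_REMOVABLE
        lines[i] = f"{m.group(1)}0x{new:02X}{m.group(3)}{line[len(body):]}"
        return "".join(lines), old, new
    raise ValueError(f"no Characteristics line found under {SECTION}")

def patch_inf(path, removable: bool):
    """Rewrite the INF in place, keeping a one-time .bak copy of the original bytes."""
    p = Path(path)
    backup = p.with_name(p.name + ".bak")
    if not backup.exists():
        shutil.copy2(p, backup)
    text, old, new = set_removable(p.read_bytes().decode("latin-1"), removable)
    p.write_bytes(text.encode("latin-1"))   # latin-1 round-trips any byte unchanged
    return old, new

# Constructed sample: a second section with its own Characteristics line must be left alone.
SAMPLE_INF = (
    "[Version]\r\nSignature=\"$Windows NT$\"\r\n\r\n"
    "[MS_TCPIP.PrimaryInstall]\r\nCharacteristics = 0xA0\r\n\r\n"
    "[MS_TCPIP.OtherSection]\r\nCharacteristics = 0xA0   ; constructed, not the primary install\r\n"
)

if __name__ == "__main__":
    patched, old, new = set_removable(SAMPLE_INF, True)   # step 1: allow Uninstall
    print(f"0x{old:02X} -> 0x{new:02X}")                  # 0xA0 -> 0x80
    restored, _, _ = set_removable(patched, False)        # step 2: put the flag back
    print("restored identical:", restored == SAMPLE_INF)
```

Run `patch_inf(r"c:\windows\inf\nettcpip.inf", True)` before the uninstall step and `patch_inf(..., False)` before the reinstall step; the .bak file lets you diff the result against the original.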
 
Yeah, that solution will work ONLY if ipsec is infected (I think that's the file); if it's not the one that is infected it won't work =(
 
Thanks Rockhop, the fix worked!! I fixed a laptop last night with this problem. It seems that this is the latest strain of trojans coming out that overwrite the network sys files.
 
I have tried EVERYTHING in this thread. I still have pages being redirected on Chrome/IE. The machine was infected with the PC CLEANERS virus and the redirecting of pages is the only thing left on the machine. I'm trying hard not to N&P.
 
Have you tried any bootable rescue disk/AV scanners? If so, which ones?

If you run mbrscanner, does it report an infected or altered MBR?

I was able to fix the redirect issue by fully uninstalling the network driver and reinstalling. I tried all types of scanners and nothing was being picked up. These new viruses in the past weeks have been a pain.
 