Post-update problem on WinXP

A significant group of Russian users complain that they lost their internet connection and even damaged their WinXP systems after the 121205-0 update: http://forum.avast.com/index.php?topic=110770

Avast signaled they have some viruses and they deleted the suspicious files. After that they lost all settings for internet connection.

I advise them to send messages to Avast support but I can’t help them with anything more substantial. I think Avast experts should pay attention to the thread.

Do they say what file, and the location of the file, that was deleted?

They “aren’t sure”. One of them deleted svhost.exe and “some other files”. By the way half of the posters in the thread work in support departments of internet providers. I think they work in the same company.

And could you ask them directly in the thread? Write them in English and I’ll try to translate.

Essexboy is the expert here... I sent him a PM.

Is he here now? Emotions run high in the thread.

It was an FP on TCPIP.sys; it will be corrected in the next stream update.

And what should they do now? They tried to re-install Avast but as soon as they get 121205-1 update everything crashes again.

There is the option to delete or ignore … Select ignore (no action)

Edit: Although, having said that, I did a full scan on my XP VM and nothing was detected.

Hi there. Any suggestions to assist users who actually deleted the file?

As my XP VM says, 121205-1 is fine.

I have just advised the users to restore their systems and to re-install Avast. To tell the truth it was a real avalanche of complaints in the middle of the night. Sorry but I have to go to bed because it’s half past one here and I must get up at half past five.

I have the same problem on different PCs in different companies, with Windows XP installed. I think the reason for this situation is a patched tcpip.sys. By default tcpip.sys has 10 connections, and with the help of some utilities people patch it to, for example, 100 connections; I did this myself on all the computers where this problem is. One of these patchers is called Half-open_limit_fix_4.2.exe

http://www.bayareatechpros.com/wp-content/uploads/2009/10/holmt10.jpg

Lots of non-original Windows XP distributions have an already patched tcpip.sys.
When I uninstall Avast and recover tcpip.sys from the file c:\windows\system32\tcpip.copy, the network doesn't work. I am still trying to find a solution, because I don't have a Windows distribution with me now to recover from. I think this command could solve the problem:
expand X:\i386\tcpip.sy_ c:\windows\system32\tcpip.sys
You make me work hard today to fix this problem; it is easier to kill myself :), because I have 150 PC clients, and a big number of them have already killed tcpip with Avast…
P.S. Your captcha makes me mad; it's very hard to see the symbols.

I can confirm this problem occurs with Windows XP systems which have a patched tcpip.sys. Multiple systems at multiple locations are affected.

User Obramko created a fix that can repair the damage:

Download the fix from here: http://depositfiles.com/files/jx9xqxtes

Unpack the archive, run the file fixtcpip.bat and restart your computer.

And some experienced users suggest two improvements for Avast:

  1. To set Avast by default not to delete suspicious files but to move them to the chest;

  2. Even if users choose to delete a file, a copy of it must be automatically sent to the chest.

Thank you. You really are Master Yoda! xD
Thank you, and the problem is solved. I was desperate when I saw my PC did not connect to the internet.

Fast download link, translated into English here:
http://www.avastantivirus.ro/suport-tehnic - Fix avast! XP NETWORK

While installing updates today, 6.12.12, Avast gave an error on the XP operating system and the internet connection does not come up. The provider Tvoe TV redirected me to Avast, saying that a technician can be called out. Please advise what to do. Saint Petersburg.

You have knocked on the wrong door. You need to go here: http://forum.avast.com/index.php?board=28.0

Problem does still occur with virus database 121206-2. Avast still finds tcpip.sys infected. The file tcpip.sys has been patched with this tool, http://www.lvllord.de/, to increase the number of maximum half-open connections.

Hope you can fix this, a lot of people with problems world-wide

3 hours troubleshooting this problem from the time I first got the alert of the rootkit in the tcpip.sys file. Because I am aware that tcpip has to do with the internet I hesitated to have Avast delete the file. I recently got FIOS installed so I thought maybe Avast was reporting a false positive as does happen at times so I ran some searches on google and the avast forum but, after reading for an hour or so, I eventually allowed Avast to delete the file and then let them reboot. But after reboot, I had no internet service and parts of Avast were disabled (web scanner and email scanner). So I did a system restore which reinstalled the tcpip.sys file and I got the Avast warning window again about it being a rootkit but I just told Avast to ignore it. I went to Avast website and got their telephone number to call (toll free) and I called customer care and the tech guy said my PC had a lot of errors and that’s why it reported that file as being a rootkit and that I could ignore it but, for $99 he would clean my PC. I declined.
Man! What a drag this was. I just downloaded AVG and am thinking of switching.

Still a problem with virus definitions.

Last week I ran my monthly “everything” scan and this came up:

C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys [L] Win32:Malware-gen (0)

Notice the directory.

I’ve used the patching tool from http://www.lvllord.de/ for some years now without any problems. I remember that sometimes I’ve used other than the default values for the “half-open connections” with the tool (maybe your new virus definitions exclude only the default value used by this tool?).

My system has 19 different tcpip.sys files and only the above one is flagged.

Virus definitions: last week scan detected with 121212-0, 12.12.2012, and now: 121217-0.

Virustotal:
Avast Win32:Malware-gen 20121217
GData Win32:Malware-gen 20121217 (uses avast defs)
Ikarus Win32.Malware 20121217 (uses avast defs)
TrendMicro-HouseCall TROJ_GEN.F47V1213 20121217

Do you want me to upload the file to you somewhere? Or attach it here to this post?

EDIT: Fixed Ikarus claim. Thanks Asyn… I fast-googled earlier and misread some text I found, sorry.
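
Added example (not part of any post in this thread, and not Avast's code): the last poster reports 19 copies of tcpip.sys with only one flagged. The Python sketch below inventories every copy under a root directory, groups them by SHA-256, and shows whether the flagged copy is a one-off build or byte-identical to others; the function names and the `<unreadable>` marker are assumptions made for this illustration.

```python
import hashlib
import os
import sys
from collections import defaultdict

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(root, name="tcpip.sys"):
    """Return {sha256: [absolute paths]} for every file called `name` under `root`."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if filename.lower() != name.lower():
                continue
            full = os.path.abspath(os.path.join(dirpath, filename))
            try:
                groups[sha256_of(full)].append(full)
            except OSError:
                # Locked or unreadable copy: record it rather than abort the sweep.
                groups["<unreadable>"].append(full)
    return dict(groups)

def classify(groups, flagged_path):
    """Split the inventory into byte-identical twins of the flagged copy and other builds."""
    flagged = os.path.abspath(flagged_path)
    flagged_hash = next((h for h, paths in groups.items() if flagged in paths), None)
    if flagged_hash is None or flagged_hash == "<unreadable>":
        raise ValueError("flagged file was not hashed: " + flagged)
    return {
        "flagged_sha256": flagged_hash,
        "identical_copies": [p for p in groups[flagged_hash] if p != flagged],
        "other_builds": {h: p for h, p in groups.items()
                         if h not in (flagged_hash, "<unreadable>")},
    }

if __name__ == "__main__":
    # Usage: python tcpip_inventory.py <root directory> <path of the flagged copy>
    report = classify(inventory(sys.argv[1]), sys.argv[2])
    print(report["flagged_sha256"], "twins:", len(report["identical_copies"]))
    for digest, paths in report["other_builds"].items():
        print(digest, *paths, sep="\n  ")
```

A matching hash only shows that two copies are the same build, not that either is clean; a copy chosen for restoration should be checked against one expanded from the original install media, as in the `expand` command quoted earlier in the thread.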