Just got this from Avast: tcpip.sys and a few other system files were moved to quarantine. Avast can't fix the problem and remove the trojan. My network stopped working because of this.
Any suggestions on how to get rid of this?
Hi, follow the instructions in this thread and attach the logs: http://forum.avast.com/index.php?topic=53253.0
Thanks, will try this and give feedback.
Avast will keep the malware at bay - but you will need a manual fix
OK, here we go:
- Malwarebytes Anti-Malware found nothing
- OTL log attached
And here we go again:
- Extras OTL log attached
- aswMBR log:
aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2012-01-02 21:38:07
21:38:07.906 OS Version: Windows 5.1.2600 Dodatek Service Pack 2
21:38:07.906 Number of processors: 2 586 0x6B01
21:38:07.906 ComputerName: EWA-C38BAE9518E UserName: ewa
21:38:09.281 Initialize success
21:38:09.546 AVAST engine defs: 11122000
21:38:41.203 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
21:38:41.203 Disk 0 Vendor: WDC_WD2500AAJS-00VTA0 01.01B01 Size: 238475MB BusType: 3
21:38:41.234 Disk 0 MBR read successfully
21:38:41.234 Disk 0 MBR scan
21:38:41.250 Disk 0 Windows XP default MBR code
21:38:41.265 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
21:38:41.265 Disk 0 scanning sectors +488376000
21:38:41.359 Disk 0 scanning C:\WINDOWS\system32\drivers
21:38:46.187 Service scanning
21:38:47.078 Modules scanning
21:38:51.765 Disk 0 trace - called modules:
21:38:51.796 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:38:51.796 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x84aeaab8]
21:38:51.812 3 CLASSPNP.SYS[f74dd05b] → nt!IofCallDriver → \Device\00000068[0x84b67f18]
21:38:51.828 5 ACPI.sys[f7372620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x84b7d940]
21:38:52.828 AVAST engine scan C:\WINDOWS
21:38:57.406 AVAST engine scan C:\WINDOWS\system32
21:40:11.437 AVAST engine scan C:\WINDOWS\system32\drivers
21:40:20.953 AVAST engine scan C:\Documents and Settings\ewa
21:43:25.437 AVAST engine scan C:\Documents and Settings\All Users
21:52:12.203 Scan finished successfully
21:54:34.765 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\ewa\Pulpit\MBR.dat”
21:54:34.781 The log file has been saved successfully to “C:\Documents and Settings\ewa\Pulpit\aswMBR.txt”
- Farbar Service Scanner log:
Farbar Service Scanner
Ran by ewa (administrator) on 02-01-2012 at 21:56:37
Microsoft Windows XP Professional Dodatek Service Pack 2 (X86)
Boot Mode: Normal
Internet Services:
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
Tcpip Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of Tcpip. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of Tcpip. The value does not exist.
Connection Status:
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors
Windows Firewall:
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
Firewall Disabled Policy:
File Check:
C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-04 00:43] - [2004-08-04 00:43] - 0110592 ____A (Microsoft Corporation) 94B49F2D487A7D4A79B3E96B6D5685B0
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 23:14] - [2004-08-03 23:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
Attention! C:\WINDOWS\system32\Drivers\tcpip.sys is missing.
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 23:14] - [2004-08-03 23:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-04 00:43] - [2004-08-04 00:43] - 0045568 ____A (Microsoft Corporation) F61C204EBCAA1D6B5FB5DFE7034741F3
C:\WINDOWS\system32\ipnathlp.dll
[2004-08-04 00:44] - [2004-08-04 00:44] - 0331264 ____A (Microsoft Corporation) DDC87ADF808D192A5212CC8A1E7F8E87
C:\WINDOWS\system32\netman.dll
[2004-08-04 00:44] - [2004-08-04 00:44] - 0198144 ____A (Microsoft Corporation) 3E7B6583269BC118720D0020B03CC71E
C:\WINDOWS\system32\wbem\WMIsvc.dll
[2008-03-05 12:46] - [2004-08-04 00:44] - 0145408 ____A (Microsoft Corporation) 482435B2A2DE8E06C83C3B1EB3237C2C
C:\WINDOWS\system32\svchost.exe
[2004-08-04 00:44] - [2004-08-04 00:44] - 0014336 ____A (Microsoft Corporation) BA98327E90022DBD6EE76490E0622E2E
C:\WINDOWS\system32\rpcss.dll
[2004-08-04 00:44] - [2004-08-04 00:44] - 0395776 ____A (Microsoft Corporation) 346E5B19FC986FE7185A0C2C43593722
C:\WINDOWS\system32\services.exe
[2004-08-04 00:44] - [2004-08-04 00:44] - 0108544 ____A (Microsoft Corporation) 3DA8D964D2CC12EF8E8C342471A37917
Extra List:
aswTdi(9) Gpc(3) IPSec(5) NetBT(6) PSched(7)
0x0B0000000500000001000000020000000300000004000000090000000600000007000000080000000A0000000B000000
IpSec Tag value is correct.
**** End of log ****
In the meantime I found this; it looks kind of suspicious though, so I will not try it at the moment.
http://www.fasterpccleanclean.com/remove-trojan-win32-patched
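The Farbar Service Scanner log above already contains the whole diagnosis: two services are stopped but still correctly registered, one service (Tcpip) has lost its registry values, and its driver file is gone. The following Python is an added example, not part of this thread and not Farbar's code: it parses exactly those log lines (the sample is a constructed excerpt of the log posted above, so the regular expressions are derived from that output and ignore sections they do not recognise) and sorts the findings into the three repair actions the thread goes on to perform. The `known_good` hash table passed to `hash_mismatches` is the caller's responsibility (a clean install of the same service pack, or the dllcache copy); nothing in the script treats the hashes printed by the scanner as trusted on their own.

```python
import re

# Constructed excerpt of a Farbar Service Scanner log. The lines are copied from
# the log posted in this thread; real logs carry more sections, which this
# parser simply ignores.
SAMPLE_LOG = """\
Farbar Service Scanner
Ran by ewa (administrator) on 02-01-2012 at 21:56:37
Internet Services:
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
Tcpip Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of Tcpip. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of Tcpip. The value does not exist.
Connection Status:
Localhost is blocked.
There is no connection to network.
File Check:
C:\\WINDOWS\\system32\\dhcpcsvc.dll
[2004-08-04 00:43] - [2004-08-04 00:43] - 0110592 ____A (Microsoft Corporation) 94B49F2D487A7D4A79B3E96B6D5685B0
C:\\WINDOWS\\system32\\Drivers\\afd.sys => MD5 is legit
Attention! C:\\WINDOWS\\system32\\Drivers\\tcpip.sys is missing.
C:\\WINDOWS\\system32\\Drivers\\ipsec.sys
[2004-08-03 23:14] - [2004-08-03 23:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
**** End of log ****
"""

# Patterns derived from the log lines above (not an official grammar of the tool).
NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
CONFIG_MISSING = re.compile(r"Attention! Unable to retrieve (start type|ImagePath|ServiceDll) of (\w+)\.")
FILE_MISSING = re.compile(r"^Attention! (.+?) is missing\.$")
FILE_LEGIT = re.compile(r"^(.+?) => MD5 is legit$")
FILE_PATH = re.compile(r"^[A-Za-z]:\\\S.*$")
FILE_DETAIL = re.compile(r"^\[(.+?)\] - \[(.+?)\] - (\d+) \S+ \((.+?)\) ([0-9A-Fa-f]{32})$")


def triage(log_text):
    """Classify every finding in the log into what it takes to repair it."""
    report = {"not_running": [], "registry_repair": {}, "missing_files": [],
              "legit": [], "files": {}}
    pending = None  # path line waiting for its "[date] - [date] - size ... md5" detail line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = NOT_RUNNING.match(line)
        if m:
            report["not_running"].append(m.group(1))
            continue
        m = CONFIG_MISSING.search(line)
        if m:  # a registry value under HKLM\SYSTEM\CurrentControlSet\Services\<svc> is gone
            report["registry_repair"].setdefault(m.group(2), []).append(m.group(1))
            continue
        m = FILE_MISSING.match(line)
        if m:
            report["missing_files"].append(m.group(1))
            continue
        m = FILE_LEGIT.match(line)
        if m:
            report["legit"].append(m.group(1))
            continue
        if FILE_PATH.match(line):
            pending = line
            continue
        m = FILE_DETAIL.match(line)
        if m and pending:
            report["files"][pending] = {"size": int(m.group(3)), "vendor": m.group(4),
                                        "md5": m.group(5).upper()}
            pending = None
    # Stopped but fully registered: these only need starting once dependencies exist.
    report["start_only"] = [s for s in report["not_running"] if s not in report["registry_repair"]]
    return report


def hash_mismatches(report, known_good):
    """Paths whose scanner-reported MD5 differs from a trusted table (clean install
    or dllcache copy). Paths absent from the table are skipped, not trusted."""
    return [p for p, info in report["files"].items()
            if p in known_good and info["md5"] != known_good[p].upper()]


def actions(report):
    """The repair order used in this thread: registry key, then file, then start."""
    out = []
    for svc, values in report["registry_repair"].items():
        out.append(f"{svc}: recreate the service registry key (missing: {', '.join(values)})")
    for path in report["missing_files"]:
        out.append(f"{path}: restore from a known-good copy and verify its hash")
    for svc in report["start_only"]:
        out.append(f"{svc}: configuration intact; start it once its dependencies exist")
    return out


if __name__ == "__main__":
    for line in actions(triage(SAMPLE_LOG)):
        print(line)
```

Run against the sample, the script reports Tcpip as needing its registry key rebuilt, tcpip.sys as needing replacement, and Dnscache and Dhcp as merely stopped, which is the order the helper follows below (ComboFix and a file search first, services.msc afterwards).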
No, do not try that. This appears to be a new variant, as the usual markers are missing.
You also have a missing file, which will need replacing along with the registry entry:
Tcpip Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of Tcpip. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of Tcpip. The value does not exist.
First I will run ComboFix; this will then be followed by a search for the missing file.
Download and install ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
- Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
SEARCH
Re-run OTL
Download OTL to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
Tcpip.*
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tcpip /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U*.* /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
ComboFix log
and OTL log - just one; this time no "extra" log was produced
ComboFix replaced it for us ;D
What are the current problems?
Same as before, no network.
ipconfig says:
Windows IP Configuration
An internal error occurred: the request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
(in Polish as I have a Polish system installed)
"and OTL log - just one, this time no "extra" log was produced"
It only does that on the first run... so that is normal.
After running ComboFix it sometimes helps to reboot twice!
I have just completed one similar to this, so let's start looking.
Open Services…
Start > Run > Type: services.msc > Click OK
Scroll down to and double click DNS Client
Set to Automatic under Startup type
Click the Apply button
Click the Start button
When it starts click OK
Repeat for DHCP Client.
And repeat for Remote Procedure Call (RPC).
When done, close Services.
Try the connection again
NO JOY
Now please go to Device Manager.
On the View tab, click to show hidden devices.
Is there any warning on the Auxiliary Function Driver? (Under Non-Plug and Play Drivers, click the arrow.)
See my screenshot please.
THEN
Please copy everything in the quote box below:
@echo off
echo Please post back the %SystemDrive%\MyNICDetails.txt on your next reply
echo.
echo CheckMyNIC by AdvancedSetup >%SystemDrive%\MyNICDetails.txt
echo ... >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc dhcp >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex dhcp >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc TCPIP >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex TCPIP >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Afd >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Afd >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc NetBT >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex NetBT >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc NetBIOS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex NetBIOS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Lmhosts >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Lmhosts >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Dnscache >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Dnscache >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc PolicyAgent >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex PolicyAgent >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Nla >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Nla >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc lanmanserver >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex lanmanserver >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc IPSEC >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex IPSEC >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc RPCSS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex RPCSS >>%SystemDrive%\MyNICDetails.txt
pause
Save it in Notepad as "MyNICDetails.bat" with the quote marks. Save as type All Files, to the Desktop. Once saved, transfer it to the infected computer's Desktop. Click the file and post back the text file it produces, please.
The text file will be located here: C:\MyNICDetails.txt
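The batch file above collects `sc qc` output for each networking service into one text file. As an added example (not part of this thread and not AdvancedSetup's script), the following Python parses that output and walks the dependency chain to show why starting DHCP Client or DNS Client fails with "System error 1075, the dependency service does not exist" once the Tcpip service key is gone. The `sc qc` text is constructed here in the shape Windows XP prints it (on the real machine you would feed in the lines from MyNICDetails.txt, or the output of `subprocess.run(["sc", "qc", name], capture_output=True, text=True)`); the dependency lists are the ones assumed for a default XP install, and the NetBT and Afd entries are shortened.

```python
import re

# Constructed `sc qc` output, keyed by the service name that was queried.
# Tcpip reproduces the state in this thread: the SCM cannot open it at all.
SC_QC = {
    "Dhcp": """\
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : DHCP Client
        DEPENDENCIES       : Tcpip
                           : Afd
                           : NetBT
        SERVICE_START_NAME : LocalSystem
""",
    "NetBT": """\
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: NetBT
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 1   SYSTEM_START
        BINARY_PATH_NAME   : \\SystemRoot\\System32\\DRIVERS\\netbt.sys
        DEPENDENCIES       : Tcpip
        SERVICE_START_NAME :
""",
    "Afd": """\
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Afd
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 1   SYSTEM_START
        BINARY_PATH_NAME   : \\SystemRoot\\System32\\drivers\\afd.sys
        DEPENDENCIES       :
        SERVICE_START_NAME :
""",
    "Tcpip": """\
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
""",
}

KEY_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*)$")   # "KEY : value"
CONT_RE = re.compile(r"^\s*:\s*(.*)$")             # continuation of DEPENDENCIES


def parse_sc_qc(text):
    """Turn one `sc qc` result into a dict; exists=False when the SCM could not open it."""
    info = {"exists": True, "dependencies": []}
    if "OpenService FAILED 1060" in text:
        info["exists"] = False
        return info
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "SERVICE_NAME":
                info["name"] = value
            elif key == "START_TYPE":
                info["start_type"] = value.split()[-1]  # e.g. "2   AUTO_START" -> AUTO_START
            elif key == "BINARY_PATH_NAME":
                info["binary"] = value
            elif key == "DEPENDENCIES" and value:
                info["dependencies"].append(value)
            continue
        m = CONT_RE.match(line)
        if m and key == "DEPENDENCIES" and m.group(1).strip():
            info["dependencies"].append(m.group(1).strip())
    return info


def missing_dependency_chains(name, outputs, path=()):
    """Every chain from `name` down to a service the SCM cannot open. Each chain is
    one reason `net start name` fails with error 1075. Service names are matched
    case-insensitively, as the SCM does; "+Group" entries are load-order groups."""
    path = path + (name,)
    text = next((v for k, v in outputs.items() if k.lower() == name.lower()), None)
    info = parse_sc_qc(text) if text is not None else {"exists": False, "dependencies": []}
    if not info["exists"]:
        return [list(path)]
    chains = []
    for dep in info["dependencies"]:
        if dep.startswith("+") or dep in path:  # skip groups and guard against cycles
            continue
        chains.extend(missing_dependency_chains(dep, outputs, path))
    return chains


def explain(name, outputs):
    chains = missing_dependency_chains(name, outputs)
    if not chains:
        return f"{name}: all dependencies are installed"
    return "\n".join(f"{name}: error 1075 via {' -> '.join(c)} ({c[-1]} is not installed)"
                     for c in chains)


if __name__ == "__main__":
    print(explain("Dhcp", SC_QC))
```

For the constructed data the walk finds two chains, Dhcp -> Tcpip and Dhcp -> NetBT -> Tcpip, which is why setting DHCP Client to Automatic and clicking Start cannot succeed until the Tcpip service key and tcpip.sys are back; the same check on Afd reports nothing missing.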
Hi there,
I can't even get through the first step. I got this error message:
System error 1075 has occurred.
The dependency service does not exist or has been marked for deletion.
BTW, my Wi-Fi security is set to allow only specific MAC addresses. When I run ipconfig /all to check if the MAC address is OK, this is what I get:
An internal error occurred: the request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
So I figure it can't connect to Wi-Fi because the router cannot identify the PC by its MAC address.
I thought this might be important.
Wi-Fi itself is working fine, as I have no problems connecting with other devices.
Did the batch file run? The malware appears to have disrupted all your network registry entries.
Could you start a command prompt:
Start > Run > cmd
then type in the following, one line at a time, pressing Enter after each:
net stop winmgmt
ren %windir%\System32\Wbem\Repository Repository_old
net start winmgmt
rundll32 wbemupgd, UpgradeRepository
cd /d %windir%\system32\wbem
for %i in (*.dll) do RegSvr32 -s %i
for %i in (*.exe) do %i /RegServer
I did it, but the network still doesn't work.