MajorGeeks Support Forums

Go Back   MajorGeeks Support Forums > ----------= PC, Desktop and Laptop Support =---------- > Malware Removal
Register FAQ Members List Calendar Casino Mark Forums Read

Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


Reply
 
Thread Tools Display Modes
  #1  
Old 06-07-12, 22:49
MeitHed's Avatar
MeitHed MeitHed is offline
Specialist
 
Join Date: Dec 2005
Location: Washington
Posts: 323
Thanks: 28
Thanked 9 Times in 9 Posts
Default Trojan lodged in tcp/ip stack

Hello.

A friend asked me to have a look at his PC as he was no longer able to access the internets. Malwarebytes and super-antispyware were both semi effective in finding and cleaning some of the troublemakers, but still no net. I ran through the process, with combofix finding the tcp/ip stack thing. Rootrepeal finds only hyberfil.sys.

Logs are attached.

Thank you in advance for your time and effort.
Attached Files
File Type: zip MGlogs.zip (378.7 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 06-07-2012 - 15-53-28.log (14.2 KB, 3 views)
File Type: txt mbam-log-2012-06-07 (16-59-34).txt (11.4 KB, 3 views)
File Type: txt combofixlog.txt (93.2 KB, 7 views)
__________________
Want an orange?
Reply With Quote
Sponsored links
  #2  
Old 06-07-12, 22:50
MeitHed's Avatar
MeitHed MeitHed is offline
Specialist
 
Join Date: Dec 2005
Location: Washington
Posts: 323
Thanks: 28
Thanked 9 Times in 9 Posts
Default Re: Trojan lodged in tcp/ip stack

Here is the Root Repeal log
Attached Files
File Type: txt RootRepeal.txt (690 Bytes, 0 views)
__________________
Want an orange?
Reply With Quote
  #3  
Old 06-08-12, 22:13
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,239
Thanks: 61
Thanked 7,613 Times in 4,098 Posts
Default Re: Trojan lodged in tcp/ip stack

You have some required Windows files that having been deleted/corrupted. Also the registry has been modified. Both of these are why you cannot access the internet.

We need to run a couple additional scans before getting started.



Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
  • Be sure to attach your log from TDSSKiller
Now please also download MBRCheck to your desktop.


See the download links under this icon
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    • Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    • Found non-standard or infected MBR.
    • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Now please download Farbar Service Scanner and run it on the computer with the issue.
  • Put a check mark in each option box on the left side.
  • Click "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach this log to your next reply.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
The Following User Says Thank You to chaslang For This Useful Post:
MeitHed (06-09-12)
  #4  
Old 06-09-12, 09:39
MeitHed's Avatar
MeitHed MeitHed is offline
Specialist
 
Join Date: Dec 2005
Location: Washington
Posts: 323
Thanks: 28
Thanked 9 Times in 9 Posts
Default Re: Trojan lodged in tcp/ip stack

Thank you much Chaslang.

Here are the reports from those programs.
Attached Files
File Type: txt TDSSKiller.2.7.36.0_09.06.2012_07.23.59_log.txt (83.9 KB, 3 views)
File Type: txt MBRCheck_06.09.12_07.33.31.txt (9.0 KB, 2 views)
File Type: txt FSS.txt (2.0 KB, 2 views)
__________________
Want an orange?
Reply With Quote
  #5  
Old 06-09-12, 23:22
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,239
Thanks: 61
Thanked 7,613 Times in 4,098 Posts
Default Re: Trojan lodged in tcp/ip stack

You're welcome.

  1. Go to Start ==> Run (or Windows key+R)
    • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
      (note that there is space after notepad)
    • The above file will open in the notepad.
    • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
    • Edit 0xA0 and replace it with 0x80 (replace A with 8)
    • Under File menu click Save and close the notepad.
  2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    • On the General tab, click Install a popup window opens.
    • Select Protocol from the list and then click Add.
    • A new window opens, click Have Disk....
    • In the browse... box type c:\windows\inf
    • Click OK.
    • Select Internet Protocol (TCP/IP), and then click OK.
    • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
    • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
  3. Go to Start ==> Run (or Windows key+R)
    • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
      (note that there is space after notepad)
    • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
    • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
    • Under File menu click Save and close the notepad.
  4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    • On the General tab, click Install
    • A popup window opens. Select Protocol.
    • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
    • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
  5. After restart please run Farbar Service Scanner again and save the fss.txt log to attach below.
  6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the new fss.txt log from Farbar's Service Scanner
    • C:\MGlogs.zip
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
The Following User Says Thank You to chaslang For This Useful Post:
MeitHed (06-10-12)
Sponsored links
  #6  
Old 06-10-12, 10:11
MeitHed's Avatar
MeitHed MeitHed is offline
Specialist
 
Join Date: Dec 2005
Location: Washington
Posts: 323
Thanks: 28
Thanked 9 Times in 9 Posts
Default Re: Trojan lodged in tcp/ip stack

Thank you. Logs are attached.
Attached Files
File Type: txt FSS.txt (2.0 KB, 4 views)
File Type: zip MGlogs.zip (383.9 KB, 8 views)
__________________
Want an orange?
Reply With Quote
  #7  
Old 06-10-12, 21:09
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,239
Thanks: 61
Thanked 7,613 Times in 4,098 Posts
Default Re: Trojan lodged in tcp/ip stack

That looks much better. Are you still having any problems? If so, exactly what?
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
The Following User Says Thank You to chaslang For This Useful Post:
MeitHed (06-11-12)
  #8  
Old 06-11-12, 00:01
MeitHed's Avatar
MeitHed MeitHed is offline
Specialist
 
Join Date: Dec 2005
Location: Washington
Posts: 323
Thanks: 28
Thanked 9 Times in 9 Posts
Default Re: Trojan lodged in tcp/ip stack

Thanks, I am still unable to connect to the internet.

It says I am connected, but I cannot reach any websites in either IE or Chrome.
__________________
Want an orange?
Reply With Quote
  #9  
Old 06-11-12, 00:11
MeitHed's Avatar
MeitHed MeitHed is offline
Specialist
 
Join Date: Dec 2005
Location: Washington
Posts: 323
Thanks: 28
Thanked 9 Times in 9 Posts
Default Re: Trojan lodged in tcp/ip stack

Also after a restart I am getting an error:

RUNDLL
Error in C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.doo
Missing entry:RunDLLEntry
__________________
Want an orange?
Reply With Quote
  #10  
Old 06-11-12, 13:17
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,239
Thanks: 61
Thanked 7,613 Times in 4,098 Posts
Default Re: Trojan lodged in tcp/ip stack

Quote:
Originally Posted by MeitHed View Post
It says I am connected, but I cannot reach any websites in either IE or Chrome.
Instread of putting www.google.com in your browser, try the IP address instead: 173.194.78.103

Does that connect you?
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
The Following User Says Thank You to chaslang For This Useful Post:
MeitHed (06-11-12)
Sponsored links
  #11  
Old 06-11-12, 13:19
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,239
Thanks: 61
Thanked 7,613 Times in 4,098 Posts
Default Re: Trojan lodged in tcp/ip stack

Quote:
Originally Posted by MeitHed View Post
RUNDLL
Error in C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.doo
Missing entry:RunDLLEntry
I assume you meant LXCJtime.dll ?

This is a printer software driver issue. You may need to reinstall the software for the printer.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
The Following User Says Thank You to chaslang For This Useful Post:
MeitHed (06-11-12)
  #12  
Old 06-11-12, 15:26
MeitHed's Avatar
MeitHed MeitHed is offline
Specialist
 
Join Date: Dec 2005
Location: Washington
Posts: 323
Thanks: 28
Thanked 9 Times in 9 Posts
Default Re: Trojan lodged in tcp/ip stack

Thank you again Chaslang.

Typing in the IP Address did the trick, but I am unable to navigate beyond there.

Yes, I meant DLL.. sorry.
__________________
Want an orange?
Reply With Quote
  #13  
Old 06-11-12, 17:51
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,239
Thanks: 61
Thanked 7,613 Times in 4,098 Posts
Default Re: Trojan lodged in tcp/ip stack

Please run C:\MGtools\FixNet.bat

This will run a few commands and then reboot your computer.

After your computer reboots, see if there is any changed to your ability to connect via DNS names.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
The Following User Says Thank You to chaslang For This Useful Post:
MeitHed (06-11-12)
  #14  
Old 06-11-12, 18:47
MeitHed's Avatar
MeitHed MeitHed is offline
Specialist
 
Join Date: Dec 2005
Location: Washington
Posts: 323
Thanks: 28
Thanked 9 Times in 9 Posts
Default Re: Trojan lodged in tcp/ip stack

No joy. I am still unable to connect via DNS names.

I thank you for your continued assistance.
__________________
Want an orange?
Reply With Quote
  #15  
Old 06-12-12, 00:49
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,239
Thanks: 61
Thanked 7,613 Times in 4,098 Posts
Default Re: Trojan lodged in tcp/ip stack

You're welcome.


Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
  • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
  • Now select the Start Repairs tab.
  • The click the Start button.
  • Create a System Restore point if prompted.
  • On the next screen, click the Unselect All button to first deselect all repairs.
  • Now select the following repair options:
    • Reset Registry Permissions
    • Reset File Permissions
    • Register System Files
    • Repair WMI
    • Remove Policies Set By Infections
    • Repair Winsock & DNS Cache
    • Repair Proxy Settings
    • Repair Windows Updates
    • Repair MSI (Windows Installer)
  • Now on the lower right side check the box to Restart/Shutdown System When Finished
  • Then make sure the Restart System radio button is enabled.
  • Shutdown any other programs that you are running now before continuing.
  • Now click the Start button.
  • Be patient while the tool repairs the selected items.
  • It should reboot automatically when finished. If it does not then reboot yourself.

Any change for the better?
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
The Following User Says Thank You to chaslang For This Useful Post:
MeitHed (06-12-12)
Sponsored links
  #16  
Old 06-12-12, 09:45
MeitHed's Avatar
MeitHed MeitHed is offline
Specialist
 
Join Date: Dec 2005
Location: Washington
Posts: 323
Thanks: 28
Thanked 9 Times in 9 Posts
Default Re: Trojan lodged in tcp/ip stack

Quote:
Originally Posted by chaslang View Post
Any change for the better?
None.

It seems that I neglected to mention that combofix found Rootkit.Zero Access. Combofix also made it clear that the recovery console is missing.

I do not know if either of those will be useful, but though I should include the info.

Thanks again,

meiT
__________________
Want an orange?
Reply With Quote
  #17  
Old 06-12-12, 15:01
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,239
Thanks: 61
Thanked 7,613 Times in 4,098 Posts
Default Re: Trojan lodged in tcp/ip stack

You're welcome.

Now download The Avenger by Swandog46, and save it to your Desktop.
See the download links under this icon
  • Extract avenger.exe from the Zip file and save it to your desktop
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
Quote:
Drivers to delete:
Pdlnslea
Files to delete:
C:\WINDOWS\system32\temp.txt

Folders to delete:
c:\windows\$NtUninstallKB18546$\1083377889
c:\windows\$NtUninstallKB18546$\84975582
c:\windows\$NtUninstallKB18546$
C:\Documents and Settings\All Users\Start Menu\Programs\AVG Free Edition
C:\Documents and Settings\All Users\Application Data\Norton
C:\Documents and Settings\All Users\Application Data\NortonInstaller
  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7 make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Then attach the below logs:
  • C:\avenger.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
The Following User Says Thank You to chaslang For This Useful Post:
MeitHed (06-18-12)
  #18  
Old 06-18-12, 14:57
MeitHed's Avatar
MeitHed MeitHed is offline
Specialist
 
Join Date: Dec 2005
Location: Washington
Posts: 323
Thanks: 28
Thanked 9 Times in 9 Posts
Default Re: Trojan lodged in tcp/ip stack

Sorry for the delay in responding.

I ran Avenger and MGTools per your instructions, still unable to access the internet via dns.

Logs are attached.


Thank you
Attached Files
File Type: txt avenger.txt (2.7 KB, 0 views)
File Type: zip MGlogs.zip (411.6 KB, 4 views)
__________________
Want an orange?
Reply With Quote
  #19  
Old 06-20-12, 00:39
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,239
Thanks: 61
Thanked 7,613 Times in 4,098 Posts
Default Re: Trojan lodged in tcp/ip stack

Per your logs, everything is fine with your PC. Are you sure the problem is not in your router? Do you have another PC ? If so is it working okay thru the router?

If you don't have another PC and only have this one PC, what happens if you bypass your router and reboot your PC before trying to connect?
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
The Following User Says Thank You to chaslang For This Useful Post:
MeitHed (06-20-12)
  #20  
Old 06-20-12, 09:29
MeitHed's Avatar
MeitHed MeitHed is offline
Specialist
 
Join Date: Dec 2005
Location: Washington
Posts: 323
Thanks: 28
Thanked 9 Times in 9 Posts
Default Re: Trojan lodged in tcp/ip stack

That is disheartening. I have several PC's connected through the router, all of which run fine.

I am open to suggestions.

Thanks again for your time.
__________________
Want an orange?
Reply With Quote
Sponsored links
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
TCP IP Stack is Dead. Win XP captzap Malware Removal 3 12-12-11 23:02
Stack Overflow tamarbri Software 5 04-27-10 18:35
NIC doesn't see TCP/IP stack augiedoggie Hardware 4 05-10-09 20:10
wmp bo:stack detected FAlbee Malware Removal 1 08-01-07 19:58
BO:Stack Shred666 Malware Removal 1 11-04-06 15:41


All times are GMT -5. The time now is 21:26.

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds


Powered by vBulletin® Version 3.8.4
Copyright © 2009 vBulletin Solutions, Inc. All rights reserved.
Ad Management by RedTyger