
IRC/BackDoor.Flood problem

Status
Not open for further replies.

aaronjonmartin

Technical User
Jul 9, 2002
475
GB
Guys any help with the following problem would be greatly appreciated.

We have recently had broadband installed and AVG picked up a virus called IRC/BackDoor.Flood. It warned me that the two infected files (SCRIPT.INI and SECURE~1.BAT) could not be healed and had been moved to the virus vault. My friend advised me to remove these files from the system altogether, so I did. However, when I rebooted my machine I had no internet connection, and when I checked ipconfig I was not receiving an IP address from our router. It took some playing around, but I managed to figure out that if I go into the LAN connection properties, then the properties of TCP/IP, and change it from "obtain an IP address automatically" to a made-up IP, close the window, then go through the process again but this time setting it back to "obtain an IP address automatically", then right-click the LAN connection and select Repair, I manage to get an IP address and internet connectivity is restored. However, I have to do this every time I reboot. It is very irritating and I was wondering if anybody can suggest a solution to this. I have tried uninstalling/reinstalling my network card and I have also updated its drivers. Thanks for any help/suggestions in advance.

Aaron

"It's so much easier to suggest solutions when you don't know too much about the problem."
Malcolm Forbes (1919 - 1990)
 
bcastner,

Thanks for your post, I appreciate the help. However, I ran the fix you posted and it hasn't fixed the problem; I'm still having to go through the process of giving a "dummy" IP address, then switching back to obtain automatically and repairing the connection. Any ideas?

Thanks again

Aaron

"It's so much easier to suggest solutions when you don't know too much about the problem."
Malcolm Forbes (1919 - 1990)
 
When you have it configured so that it works, create a netsh dump that you can use in a batch file on startup.

See:
It sounds like you are working around some residual side of the virus, so keep your virus definitions up-to-date and hopefully a complete removal will be possible.

If you like, run Hijack This! and post the results here. There may be some entry that is causing this that can be identified and removed.

 
Hi there,

If I read your post right, your TCP/IP properties do not appear to be functioning properly after reboot and you have to play with the settings to get a connection. It appears to be a problem with TCP/IP and this is something you can try if the Winsock solution didn't work,
This will in essence reinstall TCP/IP for Win XP.

Hope this helps,

Paul.
 
pflan,

The WinsockFix.zip utility recommended earlier does the steps of the MS KB link you provided, including the registry changes (the "fix" does 22 additional registry replacements) and a Netsh int ip reset resetlog.txt.

The issue I think is that a second Winsock provider has been added to the workstation. Netsh or the Winsock registry keys for the MS Winsock service will not touch these directly.

What he can do is to preserve the state of the Winsock and TCP/IP configuration in time with a Netsh dump, and then restore that working configuration. This affects all four aspects of the TCP/IP service, rather than just the Winsock and IP sides.

Ideally the alternate Winsock service provider can be removed from the workstation at some point.

Best,
Bill
 