
TCP/IP protocol Drivers

Status
Not open for further replies.

McGold

IS-IT--Management
Jul 14, 2011
Dear All,
This could be simple, but the fact is I've hit a wall.
My Dell OptiPlex 780 desktop running Win 7 Pro SP1 was hit by a malware (PC Performance and Stability Analysis Report). I managed to remove this spyware through editing and deleting the registry entries listed below:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

I also deleted some files that had random character names that were suspected to be malware files.

The machine is quite stable after these actions, except that there is an exclamation mark on the network icon. After checking services, all the relevant services are started; only two crucial ones are not running: TCP/IP NetBIOS Helper and DHCP Client. Upon checking their dependencies, all dependency services are started except TCP/IP Protocol Driver. These drivers are not services, so how do I get to start/run them?
 
Reinstall and reset TCP/IP (Internet Protocol) for Windows 7 (32 and 64):

Click on Start button.
Click on Accessories.
Right click on Command Prompt and select Run as Administrator.
Type netsh int IP reset C:\resetlog.txt in the Command Prompt shell, and then press the Enter key. Do not restart the computer.
Type netsh winsock reset in the Command Prompt shell, and then press the Enter key.
Restart the computer.

You'll find a log with the changes in C:\resetlog.txt.

or try the FIX-IT from MS:

How to reset Internet Protocol (TCP/IP)



Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
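An added example (not Ben's or McGold's own script) that answers the "how do I start the TCP/IP protocol drivers?" part of the question before doing the reset above: it reads the state of the kernel-mode network drivers through WMI (they never appear in services.msc), walks the dependency list of the two stopped services, and, only when run with -Reset, issues the same two netsh commands Ben lists. The driver names afd, tcpip, netbt and nsiproxy are my assumption of what the Windows 7 stack consists of; the log path is the one from Ben's steps.

```powershell
# Added example, not from the thread. Checks the kernel-mode network drivers that
# DHCP Client and TCP/IP NetBIOS Helper need, then optionally runs the reset
# Ben describes. Run from an elevated Windows PowerShell prompt.
param([switch]$Reset)

# Driver service names are assumptions based on the standard Windows 7 stack:
# afd = Ancillary Function Driver for Winsock, tcpip = TCP/IP Protocol Driver,
# netbt = NetBIOS over TCP/IP, nsiproxy = Network Store Interface proxy driver.
$drivers  = 'afd', 'tcpip', 'netbt', 'nsiproxy'
$services = 'Dhcp', 'lmhosts'      # DHCP Client, TCP/IP NetBIOS Helper

Write-Host "== Kernel drivers (not shown in services.msc) =="
foreach ($name in $drivers) {
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$name'"
    if ($null -eq $drv) { Write-Warning "$name is not registered at all"; continue }
    '{0,-9} State={1,-8} Start={2,-6} {3}' -f $drv.Name, $drv.State, $drv.StartMode, $drv.PathName

    # Boot/System-start drivers are loaded by the kernel, not started by hand; a stopped
    # one usually means the .sys file is missing, damaged or failed its signature check,
    # so the fix is to repair the file rather than to "start" the driver.
    if ($drv.State -ne 'Running') {
        if (-not (Test-Path $drv.PathName)) {
            Write-Warning "  $($drv.PathName) is missing - repair the file (sfc / install media)"
        } else {
            $sig = Get-AuthenticodeSignature $drv.PathName
            Write-Warning "  file present, signature status: $($sig.Status)"
        }
    }
}

Write-Host "`n== Services and what they depend on =="
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning "$name not found"; continue }
    '{0,-8} {1,-8} {2}' -f $svc.Name, $svc.Status, $svc.DisplayName
    # ServicesDependedOn includes driver entries, which is why tcpip shows up here
    foreach ($dep in $svc.ServicesDependedOn) {
        '    needs {0,-10} {1}' -f $dep.Name, $dep.Status
    }
}

if ($Reset) {
    # Same two commands as in Ben's steps; the log path is the one he uses
    netsh int ip reset "$env:SystemDrive\resetlog.txt"
    netsh winsock reset
    Write-Host "`nReset done - reboot before re-checking."
}
```

A driver that shows as registered but Stopped with a bad or missing signature status is the case SFC is meant to handle; re-running this after a reboot tells you whether the reset or the file repair actually changed anything.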
 
Thanks Ben for taking your time to help out...
However, it was the 5th time I did that... I am even thinking of repairing Win 7. What do you think?
 
Have you run the System File Checker to see if it can repair the missing files:

Open an elevated command prompt and run:
sfc /scannow

Alternatively, you could run the Windows 7 installation disc over the current installation to repair any files; documents and applications will be untouched. Or you could even, yes, do a repair to see if that fixes things.

----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Behind the Web, Tips and Tricks for Web Development.
 
OK, Phil mentions SFC and that is good, but it should be done after you have checked your system thoroughly...

Download MBAM and SuperAntiSpyware (free versions will do), then run both on the (ex)infected machine, delete anything they find...

Download CCleaner and have it mop up unneeded files (temps and logs etc.), run a registry scan and clean up...

MBAM

SuperAntiSpyWare

CCleaner


PS: the following registry entries probably should be reinstated:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0' SET THIS TO 1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no' SET THIS TO yes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes' SET THIS TO no
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'



Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
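An added example (not Ben's own script) that turns the "reinstate these entries" list into a check-and-fix: it compares each value against the stock setting and, only with -Fix, writes it back; it also confirms that the policy values McGold deleted in the first post have not come back. The first four target values are the ones Ben states; the Hidden=1 and ShowSuperHidden=0 targets are my assumption of the normal defaults (0 is not a valid Hidden setting, 1 shows hidden files, 2 hides them). The HKLM DisableTaskMgr check needs an elevated prompt to remove.

```powershell
# Added example, not from the thread. Compares the current-user values Ben lists
# against their stock settings and, with -Fix, writes them back; it also checks
# that the policy values McGold deleted have stayed gone. Run as the affected user.
param([switch]$Fix)

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie   = 'HKCU:\Software\Microsoft\Internet Explorer'
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Targets: the first four are the ones Ben calls out; Hidden/ShowSuperHidden stock
# values are assumed (Hidden=1 shows hidden files, 2 hides them; 0 is not valid).
$desired = @(
    @{ Path=$inet;          Name='CertificateRevocation'; Value=1;     Type='DWord'  },
    @{ Path=$inet;          Name='WarnonBadCertRecving';  Value=1;     Type='DWord'  },
    @{ Path="$ie\Download"; Name='CheckExeSignatures';    Value='yes'; Type='String' },
    @{ Path="$ie\Main";     Name='Use FormSuggest';       Value='no';  Type='String' },
    @{ Path=$adv;           Name='Hidden';                Value=1;     Type='DWord'  },
    @{ Path=$adv;           Name='ShowSuperHidden';       Value=0;     Type='DWord'  }
)

# Values from McGold's list that should not exist at all on a clean machine
$shouldBeAbsent = @(
    @{ Path="$pol\System";        Name='DisableTaskMgr'      },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableTaskMgr' },
    @{ Path="$pol\ActiveDesktop"; Name='NoChangingWallPaper' },
    @{ Path="$pol\Associations";  Name='LowRiskFileTypes'    },
    @{ Path="$pol\Attachments";   Name='SaveZoneInformation' }   # 1 = stop keeping Mark-of-the-Web on downloads
)

function Get-RegValue($path, $name) {
    (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
}

foreach ($v in $desired) {
    $cur = Get-RegValue $v.Path $v.Name
    if ("$cur" -eq "$($v.Value)") { "OK     $($v.Path)\$($v.Name) = $cur"; continue }
    "DRIFT  $($v.Path)\$($v.Name) is '$cur', want '$($v.Value)'"
    if ($Fix) {
        if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
        Set-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Value -Type $v.Type
    }
}

foreach ($v in $shouldBeAbsent) {
    $cur = Get-RegValue $v.Path $v.Name
    if ($null -eq $cur) { continue }
    "STALE  $($v.Path)\$($v.Name) still present = $cur"
    if ($Fix) { Remove-ItemProperty -Path $v.Path -Name $v.Name }
}
```

Run it once without -Fix to see the drift, clean the machine, then run it with -Fix; a value that drifts back on the next run is a sign the infection is still active.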
 
Thanks Phil and Ben once again
Yesterday I ran the SFC /scannow command up to 78%, then got this message: "Windows Resource Protection could not perform the requested operation". However, I created a log file for SFC and this is what it says:

"2011-07-14 15:46:27, Info CSI 0000015e [SR] Cannot repair member file [l:14{7}]"afd.sys" of Microsoft-Windows-Winsock-Core, Version = 6.1.7601.17603, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked"

For some funny reason MBAM and SuperAntiSpyware do not run after installation. I get this error message for both programmes: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Yet I have logged in as Administrator and I ran the AntiSpyware as Administrator.

Unfortunately I cannot download CCleaner at the present moment.
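An added example (not McGold's log or anyone's script from the thread) that extracts what matters from the SFC output quoted above: it filters the "[SR]" lines out of CBS.log, parses every "Cannot repair member file" entry into file, component and version, and checks whether that file is present and signed on disk. When CBS.log is not available it runs over two constructed sample lines modelled on McGold's entry, so you can see the output shape. The regular expression is mine and is derived only from the line format shown in the post.

```powershell
# Added example, not from the thread. Pulls the "[SR]" lines SFC writes to CBS.log
# and lists the files it could not repair, so you know which components need
# replacing from install media. Falls back to constructed sample lines
# (modelled on McGold's log entry) when CBS.log is not present.
$cbsLog = Join-Path $env:windir 'Logs\CBS\CBS.log'

# Constructed sample: first line is McGold's entry verbatim, second is a made-up
# "Verify complete" marker so the filter has something to ignore.
$sampleLines = @'
2011-07-14 15:46:27, Info CSI 0000015e [SR] Cannot repair member file [l:14{7}]"afd.sys" of Microsoft-Windows-Winsock-Core, Version = 6.1.7601.17603, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked
2011-07-14 15:46:28, Info CSI 0000015f [SR] Verify complete
'@ -split "`r?`n"

$lines = if (Test-Path $cbsLog) {
    Get-Content $cbsLog | Where-Object { $_ -match '\[SR\]' }
} else {
    Write-Warning "CBS.log not found, using constructed sample lines"
    $sampleLines
}

# Pattern follows the "Cannot repair member file" format seen in the thread
$pattern = '\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"(?<file>[^"]+)" of (?<component>[^,]+), Version = (?<version>[\d.]+)'

$failures = foreach ($line in $lines) {
    if ($line -notmatch $pattern) { continue }
    $file = $Matches.file
    # Where such a file normally lives; drivers first, then System32
    $onDisk = @("$env:windir\System32\drivers\$file", "$env:windir\System32\$file") |
              Where-Object { Test-Path $_ } | Select-Object -First 1
    $sigStatus = if ($onDisk) { (Get-AuthenticodeSignature $onDisk).Status } else { 'missing' }
    New-Object PSObject -Property @{
        Time      = $line.Substring(0, 19)
        File      = $file
        Component = $Matches.component
        Version   = $Matches.version
        OnDisk    = $onDisk
        Signature = $sigStatus
    }
}

if (-not $failures) { "SFC reported no unrepairable files in the [SR] lines"; return }
$failures | Sort-Object File -Unique |
    Format-Table Time, File, Component, Version, Signature, OnDisk -AutoSize
```

For McGold's line the table shows afd.sys from Microsoft-Windows-Winsock-Core 6.1.7601.17603, which is the Winsock driver the TCP/IP stack depends on; an entry whose Signature column is anything but Valid is a file to replace from the install media rather than something a registry fix will cure.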
 
Have you tried running the System File Checker with any Anti Virus software disabled to see if it will then complete?

Will things like MBAM and SuperAntiSpyware run from within Safe Mode? Will they run if you change the name of the actual .exe file to something else? Will they run if you create another user and test with that? Have you tried uninstalling them and reinstalling them?

Sometimes lists of application.exe get placed in this Key as a way of preventing certain .exe from running, or causing them to start the malware .exe instead. Windows itself will place mainly .dlls and one or two .exe in there, so you should check with a non-virused Windows for comparison before assuming your Key has been altered. A good clue to trouble is when you see anti virus, or other security tools listed in there.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Using Image File Execution options as an Attack Vector on Windows



Malware may also have disabled the main executable for Anti Virus Software from running. Please check out the registry here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun and see if it has any good .exes in it. If so, delete it.




Are there any Backups available?


How to analyze the log file entries that the Microsoft Windows Resource Checker (SFC.exe) program generates in Windows Vista
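An added example (not the replier's own script) that audits the two keys named in the reply above from a defender's side: it lists every Image File Execution Options subkey carrying a Debugger value (the value that makes Windows launch another program in place of the named executable, which is what produces the "cannot access the specified device, path, or file" symptom McGold sees) and every entry under DisallowRun, and ranks the ones whose names look like security or admin tools. The tool-name list is my assumption used only for ranking; everything else comes from the two registry paths quoted in the post.

```powershell
# Added example, not from the thread. Audits the IFEO and DisallowRun keys named
# in the reply above. Read-only: it reports, it does not delete anything.
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Assumed list of tool names whose presence in either key is the "good clue" the
# reply mentions; extend it with whatever security software you actually run.
$tools = 'mbam', 'sas', 'superantispyware', 'ccleaner', 'msseces', 'mrt',
         'msconfig', 'taskmgr', 'regedit', 'cmd', 'procexp', 'autoruns'

function Test-SecurityTool([string]$exe) {
    $base = [IO.Path]::GetFileNameWithoutExtension($exe).ToLowerInvariant()
    foreach ($t in $tools) { if ($base -like "$t*") { return $true } }
    return $false
}

Write-Host "== IFEO subkeys that carry a Debugger value =="
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    # Windows' own entries normally hold things like GlobalFlag, not Debugger
    $dbg = (Get-ItemProperty $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $rank = if (Test-SecurityTool $_.PSChildName) { 'HIGH' } else { 'review' }
        '{0,-7} {1,-28} -> {2}' -f $rank, $_.PSChildName, $dbg
    }
}

Write-Host "`n== DisallowRun =="
$switch = (Get-ItemProperty $explorer -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
"Policy switch DisallowRun = $switch (1 = list is enforced, empty = not set)"
$list = Get-ItemProperty "$explorer\DisallowRun" -ErrorAction SilentlyContinue
if ($list) {
    # Entries are numbered values (1, 2, 3 ...) whose data is the blocked exe name
    $list.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object {
        $rank = if (Test-SecurityTool $_.Value) { 'HIGH' } else { 'review' }
        '{0,-7} {1} = {2}' -f $rank, $_.Name, $_.Value
    }
} else {
    "no DisallowRun list present"
}
```

Compare the IFEO output against a clean machine before deleting, as the reply advises; a legitimate debugger or a corporate hardening entry can sit there too. Anything marked HIGH that points at a file with a random name is the kind of entry that explains a scanner refusing to start even when run as Administrator.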
 
Thank you guys, thank you so much for all the contributions; next time I now know what to do.

Unfortunately nothing helped; I had to uninstall SP1 and repair Windows, and all is well. Thank you once again. Regards.

However, I still have another problem I would like to bring to your attention, but I put it in a proper forum.
 