TCPIP removed due to virus

[mgwb]

System running windows XP Pro. Using IE, was getting redirected from google to sites that were not the correct sites. Microsoft Security Essentials detected an instance of "Alureon.H". The files infected were removed but unfortunately it was the following:

driver: Tcpip
file: c:\windows\system32\drivers\tcpip.sys
regkey: HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\Tcpip
safeboot: HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\Tcpip
service: Tcpip

Now there is no network activity at all. I have replaced the tcpip.sys file with ones from working systems as well as from an XP Pro CD but still getting error message stating: "Failed to query TCP/IP settings of the connection. Cannot proceed." whenever I try to repair the network connections for the computer. I am showing no IP address and IP config will not work either. I get the error: "An internal error occurred: The request is not supported. Additional information: Unable to query host name."

I have used some suggestions I found online such as "ipfix", "winsockFix", as well as using a Microsoft autofix exe to reset the TCPIP settings.

I am still stuck with the same error after all of that. I have run Malwarebytes to check for anything else that might be around on the system but its coming up clean. Anyone have any ideas or suggestions? I would greatly appreciate it. Thank you.

 

[mgwb]

Update

I was able to get the network connection to work by uninstalling and reinstalling the driver. I should have done that first but I was stuck on thinking it was a software problem. I am still unable to browse the internet. I am able to access the modem and I can ping websites like yahoo by their ip address. I cannot however ping anything by name or even browse by ip address. Just thought Id add this info in case anyone reads and can offer me more info. Thank you.

 

[tlcscousin]

Have you looked at services and ensured DNS Client is started?
When you issue the command (from command prompt) ipconfig /all do you have any entries for DNS servers?

 

[mgwb]

Thanks for your response. Yes the DNS service is started and so is the DHCP client. Whenever I try to run any IPconfig command I get the same error message as mentioned above. So Im not sure where to start first, trying to fix the DNS issue or the ipconfig issue or if its all just related to something else.

 

[tlcscousin]

With the XP Pro cd in the drive you can run
sfc /scannow
This should look for any changed windows files and replace them if missing.

You can also with the XP cd in the cd drive replace the tcpip.sys file (if cd drive is a different letter than D make the appropriate drive letter change)
Start
Run
CMD
CD D:
expand D:\I386\TCPIP.SY_ C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS

 

[mgwb]

unfortunately i dont have the original CD. This is for a work computer and the group that orignally set it up is long gone. I am the person in charge of fixing any issues now so I scrounge up whatever tools i can find. I do have a windows xp Pro CD that was burned but its not bootable and it was burned wrong so the system doesnt recognize it. Also, there is an I386 folder on the C: drive with all of the files from the CD so I was able to expand the tcpip.sy_ file previously with no results. I read somewhere online where it stated that you could change the source path in the registry to look at the hard drive instead of the CD for these files but i havent gotten that to work yet. i can get out to the router so I know im getting somewhere, just stuck right now. Thanks for your help

 

[linney]

Have you tried the Winsock Fix again since reinstalling the Driver?

WinXP Connectivity Issues
faq779-4625


Have you tried Microsoft Security Essentials and using the History Tab to restore what it removed to cause your problem. You could then run Malwarebytes' Anti-Malware and see if it does a better job of removing any malware. You could even try System restore to get back before you lost Internet.



Help with browser hijacker

http://www.tek-tips.com/viewthread.cfm?qid=1567508

 

[mgwb]

The files were removed so I cant restore them. I have since replaced the tcpip.sys file and through hours of work have come to the conclusion that the problem is that the DHCP service gets stuck "starting". It wont stop and it wont start. I changed it to a manual startup and it just gets stuck again whenever i try to start it. I get an error code that its not responding in a timely manner.

 

[tlcscousin]

http://support.microsoft.com/kb/915162

Explains fixing the DHCP service which involves a registry edit.

http://windowsxp.mvps.org/dhcp.htm

This one describes the 3 dependencies needed for the DHCP service.

 

[GrimR]

I am the person in charge of fixing any issues" without a XP CD, how you going to do that?

"conclusion that the problem is that the DHCP service gets stuck "starting" what does eventvwr say?

What other files got deleted, was ipconfig one of them or is the environment variables path incorrect?
Are there entries in your hosts file redirecting you?

Did you try resetting IE, Internet Options -> Advanced -> Reset? or

http://www.thewindowsclub.com/repair-internet-explorer-with-fix-ie-utility

Have you tried a anti virus boot CD e.g.

http://www.avg.com/us-en/avg-rescue-cd

Do any of these work
Start -> Run cmd /k Path
Start -> Run cmd /k c:\windows\system32\ipconfig /all
Start -> Run notepad C:\WINDOWS\system32\drivers\etc\hosts
Are there strange installed apps in Add/Remove programs?

Have you run hijack this?

http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Is there anything strange loading from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Explorer
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Explorer\userinit



MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP

 

[linney]

Is it one of those awful computers with a hidden recovery partition and no available XP CD? Or can you borrow a XP Professional CD and boot from that and run a repair install.
You would need to know your own Product Key number to use in any such repair.

Repairing windows by running it over itself. You will lose all your windows updates but your files will be untouched.

How to Perform an In-Place Upgrade (Reinstallation) of Windows XP (Q315341)

http://support.microsoft.com/kb/315341/en-us

 

[Tatertot45]

Sounds to me like the TCP/IP stack got hosed. have you tried resetting the TCP/IP stack? try these links to get it fixed...

http://support.microsoft.com/kb/299357

or

http://forums.techguy.org/networking/520244-unable-query-host-name.html

 

[mgwb]

Thank you for all of your suggestions. I had tried all of that but had no luck. I did get it fixed though. I ended up removing the drivers and reinstalling them, physically pulling the card out, and then running the network setup wizard and that seemed to work. But honestly I did so much stuff to it that I read throughout the web that it may have been any of those things that fixed it. Im just glad I got it back up. I ended up getting a bunch of viruses on my laptop while looking for the answers to fix the desktop. Looks like Im changing antivirus programs. Thanks again for the help. I hope this post will help anyone else who has the same problem. Thank you.

 

[linney]

Do you do your surfing on your laptop (in XP?) as an Administrative user rather than a Limited User? That (using the lesser user) is the best way to protect your machine in my opinion.

Another trap when surfing for answers is to stay away from the "guaranteed to fix all errors" type of links and things that shout out "download me" if you know what I mean.