Malware clears IP address

Discussion in 'Virus Information' started by Newell White, Apr 22, 2010.

  1. Newell White

    Newell White Guest

    I have several XP SP3 machines on our W2k3 AD network which have been
    infected with something which

    (a) Disables the DHCP client
    (b) Sets IP address and net mask to 0.0.0.0
    (c) Disables search for files in explorer
    (d) Causes MBAM to halt with a run-time error which refers to an invalid .ocx
    file which is not present on machines which can run MBAM

    I can't see anything obvious with Autoruns.exe, and McAfee Corporate
    anti-virus finds nothing.

    Does this sound familiar?
     
    Newell White, Apr 22, 2010
    #1

  2. From: "Newell White" <>

    | I have several XP SP3 machines on our W2k3 AD network which have been
    | infected with something which

    | (a) Disables the DHCP client
    | (b) Sets IP address and net mask to 0.0.0.0
    | (c) Disables search for files in explorer
    | (d) Causes MBAM to halt with a run-time error which refers to an invalid .ocx
    | file which is not present on machines which can run MBAM

    | I can't see anything obvious with Autoruns.exe, and McAfee Corporate
    | anti-virus finds nothing.

    | Does this sound familiar?

    Nope, sounds like a DHCP issue.

    As for the MBAM issue (and I assume you are a corporate customer) post about your problem
    in the Malwarebytes' forums...
    http://forums.malwarebytes.org
     
    David H. Lipman, Apr 22, 2010
    #2

  3. Newell White

    Newell White Guest

    How does a DHCP failure explain the refusal to search for files in Windows
    Explorer?

    Further investigation shows that most services are not running.
    Trying to start the DHCP client service results in
    'Error 193: 0xc3'
     
    Newell White, Apr 22, 2010
    #3
  4. Could this be a symptom of svchost.exe being quarantined or deleted by
    McAfee?
     
    FromTheRafters, Apr 22, 2010
    #4
  5. From: "FromTheRafters" <erratic @nomail.afraid.org>

    | Could this be a symptom of svchost.exe being quarantined or deleted by
    | McAfee?

    Could very well be, as SVCHOST is the Server Daemon of NT Services and thus the OS is hosed
    if he had used the affected 5598 DAT file.
     
    David H. Lipman, Apr 22, 2010
    #5
  6. Newell White

    Newell White Guest

    You are so right.

    Fortunately we do not use epo (resource hog and potential single point of
    failure). Our machines contact McAfee at random times. Any which did so
    between 13:30 and 18:00 British Summer Time got hit.

    This worked as a cure:

    1) Exclude C:\Windows from on-access and start-up scans in McAfee (roll back
    updates doesn't work without svchost.exe).

    2) Use DOS copy command to restore system32\svchost from
    ServicePackFiles\i386.

    3) Restart and roll back the 5958 update in McAfee.

    I suspect many more McAfee clients were screwed, but have not yet been able
    to get on the web and squeal, as with epo all their hosts will be locked out
    from LAN and Internet!
     
    Newell White, Apr 23, 2010
    #6
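    The three-step cure above is easy to get wrong by hand on several machines at once, so here is an added batch script (not posted in this thread, and not a McAfee or Microsoft tool) that does the check and the restore in one pass. It assumes the XP SP3 defaults (%SystemRoot%\system32 and the ServicePackFiles\i386 cache), that the on-access exclusion from step 1 is already in place so the restored file is not removed again, and that it is run from an account that can write to system32. The list of services to query is an assumption chosen because those services run inside svchost.exe and match the DHCP/0.0.0.0 symptoms described.

    ```batch
    @echo off
    rem Added example, not from the thread: detect a missing or altered
    rem svchost.exe (the symptom behind "most services are not running")
    rem and restore it from the Service Pack file cache.
    rem Assumes XP SP3 default paths; adjust SRC if the cache was removed.
    setlocal
    set "SVC=%SystemRoot%\system32\svchost.exe"
    set "SRC=%SystemRoot%\ServicePackFiles\i386\svchost.exe"

    echo --- State of services normally hosted by svchost.exe (assumed list) ---
    for %%S in (Dhcp Dnscache RpcSs LanmanWorkstation) do (
        echo %%S:
        sc query %%S | findstr /I "STATE"
    )

    if exist "%SVC%" (
        echo svchost.exe is present; comparing against the cache copy
        fc /b "%SVC%" "%SRC%" >nul
        if errorlevel 1 (
            echo MISMATCH: system32\svchost.exe differs from the cache copy
        ) else (
            echo svchost.exe matches the cache copy; look elsewhere for the fault
        )
        goto :eof
    )

    echo svchost.exe is MISSING from system32
    if not exist "%SRC%" (
        echo No cached copy at "%SRC%"; restore from SP3 media instead
        exit /b 1
    )

    rem Step 2 of the cure: plain file copy, nothing else is needed.
    echo Restoring svchost.exe from "%SRC%"
    copy /Y "%SRC%" "%SVC%"
    if errorlevel 1 (
        echo Copy failed; check that the on-access scanner excludes %SystemRoot%
        exit /b 1
    )
    echo Restored. Reboot, then roll back the offending DAT (step 3).
    endlocal
    ```

    Run it from an Administrator command prompt on a machine that shows the symptoms. A byte-for-byte mismatch is a signal to investigate, not proof of tampering: a hotfix can legitimately replace svchost.exe, so confirm against a known-good copy or a file hash from a clean machine before overwriting a file that is present. Keep the %SystemRoot% exclusion only for as long as the repair takes, since it also hides anything genuinely malicious dropped there.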
  7. True, and the symptoms may be fairly widely variable depending upon
    individual system configurations.
     
    FromTheRafters, Apr 23, 2010
    #7