No internet after AVG scan, how to fix remotely


ell
06-26-2009, 06:10 PM
Hi, I have a remote customer who performed an AVG scan on his PC last night and now he has no internet (surprise). I had him reset his DSL modem and check with AT&T first to make sure modem is fine, can't ping yahoo, modem is working fine, ipconfig /release, /renew didn't help, system restore fails, disabled firewall and AVG, still no go. He has XP, any ideas? I'm going to have him do netsh int ip reset reset.log and netsh winsock reset catalog when he calls back, anything else I could have him try?

ZenMike
06-26-2009, 06:48 PM
Hi, I have a remote customer who performed an AVG scan on his PC last night and now he has no internet (surprise). I had him reset his DSL modem and check with AT&T first to make sure modem is fine, can't ping yahoo, modem is working fine, ipconfig /release, /renew didn't help, system restore fails, disabled firewall and AVG, still no go. He has XP, any ideas? I'm going to have him do netsh int ip reset reset.log and netsh winsock reset catalog when he calls back, anything else I could have him try?

Does the connection report itself as Connected?
Does ipconfig /all look correct? DNS?
Can he ping 127.0.0.1? His own IP? His gateway IP? The DNS servers?

ell
06-26-2009, 07:19 PM
Does the connection report itself as Connected?
Does ipconfig /all look correct? DNS?
Can he ping 127.0.0.1? His own IP? His gateway IP? The DNS servers?

AT&T support found no issue with their connection to his modem, his IP address looked OK, everything says he's connected except IE, tried using his USB aircard, that didn't work either.

PatrickB
06-26-2009, 07:49 PM
What file did AVG quarantine? It may have had a false positive against a piece of system software.

-- Patrick B.

ell
06-26-2009, 07:57 PM
What file did AVG quarantine? It may have had a false positive against a piece of system software.

-- Patrick B.

That's possible, he couldn't really explain what files they were, he just said he had it "fix" them. I wonder if I can somehow "unquarantine" them if they are not deleted.

seedubya
06-26-2009, 08:00 PM
That's possible, he couldn't really explain what files they were, he just said he had it "fix" them. I wonder if I can somehow "unquarantine" them if they are not deleted.

Yes you can. Double-click on the system area icon, go to the History menu, down to Virus Vault, find the file you want to restore, right click and choose Restore

ell
06-26-2009, 08:04 PM
Yes you can. Double-click on the system area icon, go to the History menu, down to Virus Vault, find the file you want to restore, right click and choose Restore

thanks, I have avira, haven't used avg in a while, I may send your txt to his blackberry! hope that does it if the winsock fix doesn't!

ell
06-26-2009, 08:50 PM
Yes you can. Double-click on the system area icon, go to the History menu, down to Virus Vault, find the file you want to restore, right click and choose Restore

ok, I unquarantined the only thing that wasn't a cookie or temp file, that didn't work, BUT I had him reset the winsock and I am now able to connect remotely! BUT IE, Safari & Firefox all are unable to connect, so now I'm running GMER!

ZenMike
06-28-2009, 09:45 PM
This is not the same incident you described in here (http://www.technibble.com/forums/showthread.php?t=7442) is it?

How did this turn out?

ell
06-28-2009, 11:52 PM
This is not the same incident you described in here (http://www.technibble.com/forums/showthread.php?t=7442) is it?

How did this turn out?

Ha! yes it is, really had me scrambling for answers, I went digging for a root kit, but it was completely clean. I never did determine the exact startup program that I disabled that caused all the browsers to not connect. I'm thinking something blocking the port, because I was able to connect to him with my remote prgm after I had him do a winsock fix. Startups he had included a usb aircard adapter with an AT&T prgm for that and a blackberry desktop, roxio. I left the blackberry prgm starting, but I doubt that was it, I think I have disabled that one before in startups with no effect, I'm almost wondering if it was related to Roxio somehow. I could've spent more time to try and pinpoint it but I had already made a %$& out of myself so I just let it go and let them all start at boot except for the few usual safe disables (reader,quicktime,msg,etc)....but I'm still wondering...(hate that) :confused:

ell
06-29-2009, 03:59 PM
agh, customer called again, no internet, this is driving me crazy, GMER didn't find a rootkit, enabled all normal startups, should I uninstall all his other network connections? I had him uninstall AVG. He has a VPN, ipod connections, anybody help?

iladelf
06-29-2009, 05:19 PM
This may be a stretch, but is it possible there are leftover AV/firewalls interfering? I found a computer the other day that had AVG 7.5 on it; once uninstalled, found leftovers of both McAfee and Norton 360! Once removed, internet worked fine. Must've been some leftover firewall garbage.

PatrickB
06-29-2009, 05:52 PM
If you believe it is a leftover security product, see Bryce's list of removal tools to thoroughly remove it/them:

http://www.technibble.com/repair-tool-of-the-week-antivirus-removal-tools/


Also, NirSoft's RegScanner is outstanding for finding groups of defunct entries in the Registry by keyword:

http://www.nirsoft.net/utils/regscanner.html

-- Patrick B.

iptech
06-29-2009, 05:58 PM
This may be a stretch, but is it possible there are leftover AV/firewalls interfering? I found a computer the other day that had AVG 7.5 on it; once uninstalled, found leftovers of both McAfee and Norton 360! Once removed, internet worked fine. Must've been some leftover firewall garbage.

Agree, I've had examples where the Internet connection has suddenly stopped working, curiously on one POP3/SMTP email worked OK though. In both cases it was Norton Internet Security that caused the problem. Run the uninstall tool for the suspected software and reinstall or replace with an alternative product.

ell
06-29-2009, 06:19 PM
Agree, I've had examples where the Internet connection has suddenly stopped working, curiously on one POP3/SMTP email worked OK though. In both cases it was Norton Internet Security that caused the problem. Run the uninstall tool for the suspected software and reinstall or replace with an alternative product.

I already ran the Norton removal tool the first time I had troubles, now I cannot even get connected to him remotely to do anything, last time I had him perform a netsh int ip reset reset.log and netsh winsock reset catalog and that at least got my remote service in, but still no browsers working, this is so bad, I had him uninstall AVG, but that didn't help. I left him this morning running sfc, he at least has a SP2 CD, I doubt that will help, but it's buying me some time. I have to call him back soon. Anybody know any other commands I can give him to help?

PatrickB
06-29-2009, 07:29 PM
<shrug> With no connectivity and limited time, you could have the customer throw one or more of these at it:

Right-Click the network connection and select "Repair"

Rename the Hosts file

Use OpenDNS.com DNS servers instead of the defaults or whatever is in use now. A bad guy may have taken over the DNS.

Delete and re-add tcp/ip protocol to the network connection.

Perform a Repair install

-- Patrick B.

ell
06-29-2009, 08:29 PM
<shrug> With no connectivity and limited time, you could have the customer throw one or more of these at it:

Right-Click the network connection and select "Repair"

Rename the Hosts file

Use OpenDNS.com DNS servers instead of the defaults or whatever is in use now. A bad guy may have taken over the DNS.

Delete and re-add tcp/ip protocol to the network connection.

Perform a Repair install

-- Patrick B.

Well, nothing worked, crap going to do a repair install first, I told him over the phone how to burn backups of his stuff. Anybody know if a Dell Latitude d610 has a partition for a nondestructive reinstall?

ell
06-29-2009, 11:30 PM
This kills me, when my customer called AT&T two days ago they told him he would have to login to the modem with his new password to connect to the net, he never did nor did he tell me!!!! I finally logged into the modem and reset it again and asked him for his password, that's when he told me, typed it in and presto, internet! geeeeez :rolleyes:

PatrickB
06-30-2009, 02:26 AM
I'm glad to hear the customer's connected again. But wait. How did you get connected to his computer yesterday? You had him run the Netsh command and got connected for a while. How did that work if his DSL modem needed a new password?

-- Patrick B.

ell
06-30-2009, 03:24 AM
I'm glad to hear the customer's connected again. But wait. How did you get connected to his computer yesterday? You had him run the Netsh command and got connected for a while. How did that work if his DSL modem needed a new password?

-- Patrick B.

good question!? I tried so many things blindly giving him commands over the phone, flushed dns, ip release/renew, etc. at this point I just don't know!! I did have him totally shut down the laptop and restart twice to be sure he was still connected, and I ran avg remover and installed Avira. It just worked today when I reset the modem?!

MSgherzi
06-30-2009, 03:58 AM
What file did AVG quarantine? It may have had a false positive against a piece of system software.

-- Patrick B.

I second that. If it happened after AVG, then it might have quarantined (or worse, deleted) something in his WINDOWS folder or something else that a virus attached itself onto that is crucial to system operation.

AVG is a clue because it happened after that. I'd trace that source first.

Also, like others have mentioned, see if there are traces of another application. If somehow possible, I'd have him either install Revo Uninstaller or just take a look at Add/Remove programs and even Program Files to see if anything like Norton or McAfee exists. One time I had a computer like this and once I ran the removers everything worked fine.

ell
06-30-2009, 11:38 AM
I second that. If it happened after AVG, then it might have quarantined (or worse, deleted) something in his WINDOWS folder or something else that a virus attached itself onto that is crucial to system operation.

AVG is a clue because it happened after that. I'd trace that source first.

Also, like others have mentioned, see if there are traces of another application. If somehow possible, I'd have him either install Revo Uninstaller or just take a look at Add/Remove programs and even Program Files to see if anything like Norton or McAfee exists. One time I had a computer like this and once I ran the removers everything worked fine.

I did go into the quarantine vault and restore the one questionable file, it didn't make any difference. He did confide in me yesterday that he had had both Norton & McAfee on at one time, so I should have run a McAfee cleanup too besides the Norton. I'm thinking he did some self-diagnosis on Sun to try and fix it himself, like resetting the modem again, that would explain why I couldn't even get on remotely. He did say he set "something" to defaults, I'm thinking it was IE, I showed him how to do that on Sat. He's happy at least, thankfully he was a very patient fellow, and not afraid to take instruction, he's off to Europe with it soon!

ell
06-30-2009, 08:06 PM
Just for future reference, and for anybody else with the same issue, I just read on another board about someone having the same mysterious internet connection problem. He found it to be his AT&T aircard communications manager. This was one of my customer's startup programs, I did disable it in the end.

Jake77444
07-09-2009, 06:22 AM
I'm glad to hear the customer's connected again. But wait. How did you get connected to his computer yesterday? You had him run the Netsh command and got connected for a while. How did that work if his DSL modem needed a new password?

-- Patrick B.

Probably just a coincidence. ATT uses PPPoE but will still authenticate with an incorrect password except it will pull a trapped page typically. Meaning it will pull a valid WAN IP but the DNS it pulls will force it to re-route to a trapped page. Sometimes you can still remote into these WAN IP addresses since it is just a DNS re-route.

Did the IP address you remote into happen to begin with 99.142.xxx.xxx?

Normally the customer should still be able to ping the outside but not browse and also he should get the trapped page that says "ATT has found a problem with your modem"

Sounds like the customer may have had multiple issues.

Wish I saw this post sooner, would have tried to point you in the right direction.

ell
07-09-2009, 12:15 PM
Probably just a coincidence. ATT uses PPPoE but will still authenticate with an incorrect password except it will pull a trapped page typically. Meaning it will pull a valid WAN IP but the DNS it pulls will force it to re-route to a trapped page. Sometimes you can still remote into these WAN IP addresses since it is just a DNS re-route.

Did the IP address you remote into happen to begin with 99.142.xxx.xxx?

Normally the customer should still be able to ping the outside but not browse and also he should get the trapped page that says "ATT has found a problem with your modem"

Sounds like the customer may have had multiple issues.

Wish I saw this post sooner, would have tried to point you in the right direction.

I'm pretty convinced it was a modem issue after my first repair. Everything was working fine then suddenly the next day it wasn't. He did say he did something with it, but couldn't really say what, I think it was the password issue, who knows, just not thrilled it had to be a remote job I couldn't just stop over and fix! Although a trip to Florida would have been nice!

PatrickB
07-09-2009, 01:08 PM
Thank you for the insight Jake. I have not seen that issue and did not know an incorrect password would still give you an IP but redirect to a Modem-Issue page.

Do you know if that is on all of the att/yahoo domains, like sbcglobal.net, or just on att.net?

-- Patrick B.

anonymous Mac Tech
07-09-2009, 06:41 PM
Happens with Comcast as well. The inside term is walled garden. Happens also when the MAC address of the equipment doesn't match their account. Just a phone call to ISP can get it cleared. Usually takes about 5 minutes. In some rare cases can take over 24 hours or more. But in those cases I just told customers to pick up a new modem from ISP if it's a rented modem and they are in a pinch.

Jake77444
07-13-2009, 04:17 AM
Thank you for the insight Jake. I have not seen that issue and did not know an incorrect password would still give you an IP but redirect to a Modem-Issue page.

Do you know if that is on all of the att/yahoo domains, like sbcglobal.net, or just on att.net?

-- Patrick B.

Yes this will happen with any valid att domain in the modem whether it be att.net, sbcglobal.net, ameritech.net, etc.

If the domain portion of the username is spelled incorrectly the PPPoE session will be rejected and you will not pull a WAN IP.

As said above this is referred to as "walled garden". While in the walled garden you would only be able to browse to the att registration site.
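
Added example, not part of the thread or written by any poster: a Python sketch that walks the ping ladder ZenMike listed (loopback, own IP, gateway, DNS servers) and then checks for the walled-garden symptom Jake77444 describes, where pings succeed but DNS steers every name to one page. It assumes a DNS-based walled garden answers unrelated hostnames with a single address; the sample observations and all names in the code are constructed for illustration.

```python
import socket

# ZenMike's ping order, innermost first, with what a failure at that step implicates.
LADDER = [
    ("loopback", "local TCP/IP stack"),
    ("own_ip", "network adapter or its IP configuration"),
    ("gateway", "link between the PC and the modem/router"),
    ("dns_server", "path to the configured DNS servers"),
]

def resolve(names):
    """Live helper: map each hostname to the IPv4 addresses the resolver returns."""
    out = {}
    for name in names:
        try:
            out[name] = sorted(socket.gethostbyname_ex(name)[2])
        except OSError:          # includes socket.gaierror (lookup failed)
            out[name] = []
    return out

def collapsed_answer(dns):
    """Return the one address that at least three unrelated names all map to, else None."""
    answered = [set(ips) for ips in dns.values() if ips]
    if len(answered) < 3:
        return None              # too few answers to call it a pattern
    common = set.intersection(*answered)
    if len(common) == 1 and all(len(a) == 1 for a in answered):
        return next(iter(common))
    return None

def classify(pings, dns):
    """pings: step name -> bool (did the ping succeed); dns: hostname -> list of IPs."""
    for step, meaning in LADDER:
        if not pings.get(step, False):
            return "fault: " + meaning
    if not any(dns.values()):
        return "fault: DNS resolution (no name resolves)"
    portal = collapsed_answer(dns)
    if portal is not None:       # assumption: portal DNS answers every name alike
        return "walled garden suspected: every name -> " + portal
    return "network layer ok: check browser proxy settings and hosts file"

# Constructed observations using documentation-range addresses, not data from the thread.
ALL_UP = {"loopback": True, "own_ip": True, "gateway": True, "dns_server": True}
WALLED = {n: ["203.0.113.10"] for n in ("example.com", "example.net", "example.org")}
HEALTHY = {"example.com": ["198.51.100.7"], "example.net": ["198.51.100.8"],
           "example.org": ["192.0.2.44"]}
```

For a live check, pass `resolve([...])` with three or more unrelated hostnames as the `dns` argument and fill `pings` from the results of the four pings.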