Win 7 networking probs. after virus

Appleby

Ok this is killing me. I've spent WAY too much time on this and I'm about to nuke and pave but I figure I'll give it a whirl here and see if anyone can show me what I'm missing.

Dell Inspiron 1525 notebook, Win 7. Customer brings it in and says she can't get online. I do a basic virus clean up and the only thing found was 2 Trojans by Malwarebytes. They were both C:\Windows\svchost.exe. The machine looked and performed just fine, other than the networking issue. I've run D7 and didn't find anything major and then I ran the D7 networking repairs. Still nothing.

It pulls an IP from my router wired or wirelessly but it says "Identifying" and never gets past that. I can't ping out, I can't ping the default gateway or any other device on the network. It always pulls the same IP of 192.169.0.21, which seems a little high since they start at .10 and there are only 4-5 devices on the network. I can't ping it from another device either. I can assign a static IP and it's the same results. At one point I noticed that DHCP and another service or two were not automatically starting and they should have been. Not sure what happened, but after a million different things I've tried, they are all starting and appear to be running but the networking problem is the same.

I've uninstalled TCP and reinstalled it for the network adapters which I've seen solve the problem after a virus infection before. No help. I don't know what else to do but I've got about 4 hours in this thing and I should have nuked and paved 3.5 hours ago.:mad:

Oh and sfc /scannow found no problems.

Help please!:eek:
 
Have you run a full hardware diagnostics, if so, what have you run and what were the results?

Have you tried using a Live Linux CD to see if the wireless works at all?

Have you tried setting up another account to see if it is account specific? If so, then you can just run FABs and transfer their data to the new account.
 
OUCH! We've all been there. Don't feel bad!

Purists will hate me for this, but the first thing I do if there are networking issues on a machine post malware-removal is to run this (free, Rizonesoft Internet repair)

9/10 times it solves the issue.

On the rare occasion it doesn't I spend the time doing the diagnostics, but from a time-saving standpoint it does the basic work with a few clicks. It will allow you to at least tick off some steps. From there, you might need to spend more time (or not).

But yeah, after that I would be booting to Linux and seeing if that worked, to at least determine more about the problem.

Best of luck :)
 
Yep, Rizone works a large percentage of the time to fix networking issues for us, but we have had a few of these instances after a virus cleanup that it would not do. We had to nuke and pave a couple. Sometimes you just have to cut your losses.
 
Scan with Farbar and see what is missing. Download D7; there is a networking fix that has never failed me.

I agree with running Farbar Service Scanner to see if there are any networking .sys files missing. Can you tell me what you use specifically in D7 that has never failed you?
 
Thank you so much for all the replies!

Ok an update.....

Wired AND wireless connection both have this problem.

I haven't run a Linux distro, good idea. Don't have one with me at home, burning a copy of Ubuntu as we speak. Will update on that soon....

I looked at afd.sys, tcpip.sys and netbt.sys and all appeared to be legit. I did try to overwrite them with new copies from a working machine and they failed, saying I didn't have permission to overwrite them?

16k_zx81, thanks for the kind words. Never heard of "Complete Internet Repair" but that's a cool little utility! Unfortunately it didn't work this time, but I'm keeping that one for my tool kit.

Farbar log posted below.....

Tried sfc /scannow as stated in org. post and all came back fine.

Booting with Ubuntu right now.

Farbar Service Scanner Version: 16-04-2012
Ran by Buanita (administrator) on 17-04-2012 at 23:28:05
Running from "E:\"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is offline
Attempt to access Yahoo IP returend error: Yahoo IP is offline


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
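
A log in this format can be triaged mechanically, so that stopped services, non-default start types and leftover policy values such as `DisableAntiSpyware` stand out from the long list of "OK" and "legit" lines. The following is an added example, not part of the original post or of Farbar Service Scanner; the function name `triage`, the rule names and the handling of non-legit file verdicts are assumptions made for illustration.

```python
import re

# Constructed sample: a shortened excerpt in the format of the log posted above.
SAMPLE_LOG = r'''Connection Status:
==============
LAN connected.
Attempt to access Google IP returned error: Google IP is offline

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
'''

# Deviation patterns. Assumption: any file verdict other than "MD5 is legit" is reported.
RULES = [
    ("connectivity", re.compile(r"^Attempt to access (.+?) \w+ error: (.+)$")),
    ("service_stopped", re.compile(r"^(\S+) Service is not running\.")),
    ("start_type", re.compile(
        r"^The start type of (\S+) service is set to (\w+)\. "
        r"The default start type is (\w+)\.")),
    ("policy_value", re.compile(r'^"([^"]+)"=DWORD:(\d+)$')),
    ("file", re.compile(r"^(.+?) => (?!MD5 is legit)(.+)$")),
]

def triage(log_text):
    """Return (section, kind, details...) tuples for every non-default line."""
    findings, section = [], None
    lines = [l.strip() for l in log_text.splitlines()]
    for i, line in enumerate(lines):
        # A section heading is a non-empty line underlined with '=' characters.
        if line and i + 1 < len(lines) and re.fullmatch(r"=+", lines[i + 1]):
            section = line.rstrip(":")
            continue
        for kind, rx in RULES:
            m = rx.match(line)
            if m:
                findings.append((section, kind) + m.groups())
                break
    return findings
```

Calling `triage()` on the text of a saved log returns one tuple per deviation, tagged with the section it was found under.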
 
Ok just booted with Ubuntu, no drivers found for the wireless card but I did use wired connection and it worked perfectly. I was able to browse the internet with no problems.

Also, someone asked about this being a user account specific problem......I logged into the other user profile on the machine and found the same problem.

I tried two different restore points, one all the way back well over a month ago and the customer said this problem started a week to 10 days ago at most.

** Update. I rebooted after booting to Ubuntu and that was my 2nd restart since running the Complete Internet Repair tool. To my surprise, I noticed the wireless icon in the task bar showed it was fully connected with internet access. I quickly pulled up a command prompt and pinged Yahoo.com and it resolved to Yahoo's IP address but then timed out. I thought I was getting somewhere now! A couple minutes later the wireless icon changed to "no internet access" and I'm back to square one. I ran all the D7 networking repair tools again, reboot and "no internet access" is what Windows is telling me.

Right now as a last ditch effort, I'm uninstalling McAfee using a removal tool just to see if that helps. I don't believe it will but I'll try anything at this point before I nuke and pave.
 
Have you gone into services to make sure everything is started?

Try running the command prompt as admin

netsh int ip reset c:\resetlog.txt
netsh winsock reset
netsh advfirewall reset

You never said if you tried system restore from before the infection?
 
UPDATE It's fixed!!!!!!:D:D:D

If you can believe it, McAfee appears to have been the (or at least a major part) problem! I don't trust AV programs' built-in uninstallers, so I downloaded a McAfee removal tool and it took about 10 minutes to completely remove McAfee. About 3/4 of the way through the wireless icon changed to show internet access again. So on a whim I opened Firefox and BAM I had full internet access. I closed out FF, let the removal tool finish, reboot and there ya, problem solved!

I've seen it before where the AV caused a problem like that but not quite like that. I've often found that when booted into safe mode the problem goes away when the AV is the root of the problem. I booted into safe mode several times on this one and still didn't have access.

Either way, thank you all for help and advice, I learned about some new tools and techniques from y'all so I appreciate that!
 
Yep, good ole McAfee? Well done!
 
Man, I should have suggested that. I have run into this same exact issue several times. McAfee is crap. I am glad you got it fixed.
 
Thanks guys I appreciate it. I thought about uninstalling it earlier but decided against it because I saw they still had over a year left on their subscription and you know how that goes....most people don't have the serial number or they don't know how to log into their McAfee account etc. I finally decided that if I nuke and pave, she was losing McAfee either way, so I might as well try it.

This morning when I spoke with the customer, I told her the issue and she asked if I could reinstall McAfee and see if it caused the same problem again. I told her yes and to my utter shock she knew her McAfee user ID and password!!:eek::D

Thanks again fellas!
 