After getting rid of trojans, can't connect with wireless

Discussion in 'Computer Security' started by tripwire45, Sep 14, 2008.

  1. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    I get the feeling this is more of a virus/malware issue than a networking issue, but it's hard to be sure. Let me explain.

    My son (he's 22, so you'd think he'd know better) was playing some sort of free online game. He'd played it for a while, so he figured it was harmless. Then suddenly, various popups started happening on his computer. He's running Windows XP Pro on an HP laptop. He had both an expired version of Norton running and AVG Free 7.5. He couldn't even open them to try a scan. The processes would die when he tried. He asked me to take a look.

    Whatever he had, it had really hosed his laptop. I tried going back to a Restore Point before all this occurred, but that failed, regardless of the date I tried.

    I tried doing an online scan but although I could connect to the internet and surf, I couldn't open up any websites related to virus scans or security at all. I copied AVG Free 8.0 from one of my other computers onto a thumb drive and used that to put the installer onto his laptop and install the program.

    It installed successfully and updated the antivirus defs, but when I started the scan, the program suddenly had no active components. I closed the program but was unable to reopen it.

    Finally, I rebooted into Safe Mode and was able to successfully start a scan with AVG. It ran on the command line and a long list of trojans started being located and being placed in the virus vault. I went to bed before the scan was complete.

    When I woke up the next morning, the laptop was gone from my office, so I figured my son took it and all was well. I asked him about it later, and he told me it seemed fine except that it had "no or limited connectivity to the network".

    I spent a good deal of time yesterday trying to get him connected wirelessly but to no avail. I turned off the Windows firewall of course, tried repairing the connection and every other troubleshooting trick I could think of. I can connect to the wireless access point (which is my wee little home server), but can't get an IP address via DHCP.

    I tried again this morning. I turned off AVG, thinking it might have something to do with it, but that didn't change anything. I rebooted the server to see if the wireless service itself had died, but nada tostada. I hardcoded the wireless connection to give it an IP address, subnet mask and DNS server address. It said it had a full connection and initially could ping the server and another node on the network. It *couldn't* ping the DSL modem or the internet. Subsequently, it couldn't even ping the server or another network node, even though the systray icon said it was connected.

    I suspect that there are still "critters" onboard that are causing a problem, so I'm running another AVG scan to start with. Can you think of anything else (and I know my troubleshooting description isn't complete) that I could do?

    Thanks.
     
    Certifications: A+ and Network+
  2. NightWalker

    NightWalker Gigabyte Poster

    More AV scans is a must, sounds like it got some backdoor app that downloaded more stuff on to it. I would also try resetting the TCP/IP stack if you are having problems networking it.

    http://support.microsoft.com/kb/299357

    Make sure the Wireless Zero Configuration service is running afterwards, before you try and connect to your WLAN (and the firewall is off while you troubleshoot like you did earlier).
     
    Certifications: A+, Network+, MCP, MCSA:M 2003, ITIL v3 Foundation
  3. MLP

    MLP Kilobyte Poster

    Hi

    Apologies if this is stuff you have already tried, but have you considered taking the HDD out and placing it in a caddy? Then you can connect it via USB to another machine (ensuring that the machine is fully patched, has valid AV, and as an extra precaution, has been booted into safe mode). Then perform a full scan on the drive. As an extra measure, if you have a Mac or a Linux machine, plug it into that. ClamAV works on Linux, and I'm sure I once used a version of ClamAV on a Mac before.

    If this isn't possible, try going into msconfig, and seeing what items are set to run on boot. Also, try services.msc, and see if there is anything suspicious looking going on in there.

    I've had some success with Windows Defender lately for getting rid of some nasty spyware.

    Hope this helps somehow.

    Maria
     
    Certifications: HND Computing
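The startup and service review that MLP suggests doing by eye in msconfig and services.msc, written up as a script that dumps the same information to a text file so it can be read on a clean machine. This is an added example, not something posted in the thread. It assumes Windows XP Pro defaults (reg.exe, sc.exe, tasklist.exe and findstr.exe all ship with it) and an account in the local Administrators group. The extra checks it includes (hosts file, Image File Execution Options debugger entries, the SafeBoot registry key) are places this kind of malware commonly hides; that they apply to this particular laptop is my assumption, not something the thread established.

```batch
@echo off
rem Added example: dump the usual autostart locations to one file for review.
rem Assumes Windows XP Pro with reg.exe, sc.exe, tasklist.exe and findstr.exe
rem present (all ship with XP Pro) and an Administrators-group account.
set "OUT=%TEMP%\autostart-review.txt"
echo Autostart review generated %DATE% %TIME% > "%OUT%"

rem 1. Run / RunOnce keys: what msconfig's Startup tab shows, plus the
rem    per-user keys a dropper commonly uses.
echo === Run / RunOnce keys === >> "%OUT%"
for %%K in (
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
) do reg query %%K >> "%OUT%" 2>&1

rem 2. Winlogon Shell and Userinit. On a clean XP these are Explorer.exe and
rem    C:\WINDOWS\system32\userinit.exe, (trailing comma included).
echo === Winlogon Shell / Userinit === >> "%OUT%"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell >> "%OUT%" 2>&1
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit >> "%OUT%" 2>&1

rem 3. Image File Execution Options: a "Debugger" value under an AV executable
rem    name redirects that program when it starts, which kills scanners on launch.
echo === IFEO Debugger values === >> "%OUT%"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s 2>nul | findstr /i "Debugger" >> "%OUT%"

rem 4. Every installed service plus which process hosts it; compare the list
rem    against services.msc and note anything with no description or an odd path.
echo === Services === >> "%OUT%"
sc query type= service state= all >> "%OUT%"
echo === Processes and hosted services === >> "%OUT%"
tasklist /svc >> "%OUT%"

rem 5. hosts file, comments stripped. Anything beyond "127.0.0.1 localhost" is
rem    suspect; AV vendor names mapped to 127.0.0.1 would explain security
rem    sites refusing to open.
echo === hosts file, non-comment lines === >> "%OUT%"
findstr /v /b /c:"#" "%SystemRoot%\system32\drivers\etc\hosts" >> "%OUT%"

rem 6. SafeBoot keys. If Minimal is gone, Safe Mode will not boot.
echo === SafeBoot === >> "%OUT%"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" >nul 2>&1 && (echo SafeBoot\Minimal present >> "%OUT%") || (echo SafeBoot\Minimal MISSING >> "%OUT%")

echo Written to %OUT%. Copy it to a thumb drive and read it on a clean machine.
```

Run it from a command prompt, then read the file somewhere other than the infected laptop; a hijacked system can lie about its own registry and file contents.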
  4. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    Had a similar issue with a customer's laptop a while back, removed the spyware but could not get a reliable connection to the network.

    Ended up doing a repair install of the OS and it fixed the problem.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  5. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    James, can you get Internet connectivity using a *wired* connection?

    If not, i suspect your Winsock has been messed up.

    You can use one of these programs to fix it..

    http://www.snapfiles.com/get/winsockxpfix.html

    http://www.cexx.org/lspfix.htm

     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
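A script for the TCP/IP stack reset that NightWalker (post 2) links to in KB 299357 and the Winsock repair that Bluerinse (post 5) suggests, added here as an example; it is not from the thread or from either of the linked utilities. It assumes Windows XP SP2 or later (netsh winsock reset does not exist on earlier XP), an account in the local Administrators group, and the XP short service names wzcsvc and dhcp.

```batch
@echo off
rem Added example: reset TCP/IP (KB 299357) and the Winsock catalog, then make
rem sure Wireless Zero Configuration and the DHCP client are running.
rem Assumes Windows XP SP2 or later and an Administrators-group account.
rem Reboot once it finishes.

rem 1. Snapshot the Winsock catalog and IP config before touching anything,
rem    so a rogue LSP entry can still be identified in the "before" file.
netsh winsock show catalog > "%TEMP%\winsock-before.txt"
ipconfig /all > "%TEMP%\ipconfig-before.txt"

rem 2. Reset TCP/IP. On XP the log file argument is mandatory.
netsh int ip reset "%TEMP%\tcpip-reset.log"

rem 3. Reset the Winsock catalog. This removes every third-party LSP,
rem    including one a trojan registered, so a legitimate LSP (some firewall
rem    products install one) may need reinstalling afterwards.
netsh winsock reset

rem 4. Make sure WZC starts automatically and is running before the WLAN is
rem    tried. Note that "start= auto" needs the space after the equals sign.
sc config wzcsvc start= auto >nul
sc query wzcsvc | find "RUNNING" >nul
if errorlevel 1 net start wzcsvc

rem 5. Same for the DHCP client; without it the adapter stays at
rem    "limited or no connectivity" even with a clean stack.
sc config dhcp start= auto >nul
sc query dhcp | find "RUNNING" >nul
if errorlevel 1 net start dhcp

rem 6. Retry the lease with the reset stack.
ipconfig /release
ipconfig /renew

echo Done. Reboot, then run "netsh winsock show catalog" and compare it with
echo %TEMP%\winsock-before.txt. After a reset only Microsoft providers remain.
```

If the "before" catalog shows a provider DLL outside %SystemRoot%\system32, that file is worth submitting to the AV vendor rather than just deleting; it is the piece that was sitting in the network path.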
  6. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Thought you had something, Pete. I tried to connect the laptop using a wired connection and got the same problem. Downloaded and installed the recommended winsock repair utility. The wired connection came up like a dream. So did several pop ups of the malware persuasion. Disabled the wired nic and enabled the wireless. Alas...same problem. :(
     
    Certifications: A+ and Network+
  7. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    try re-installing the wireless adapter drivers and software maybe.. then i would do a repair as Sparky suggested.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  8. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    Back up vital data
    Format and reinstall
    Better safe than sorry
     
  9. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Thanks, Sparky, Pete, and Mr. C. That's the plan at this point, but not tonight. Between rebuilding a website for a non-profit (I volunteered) and my son's laptop, I've been sitting in front of a computer all afternoon (I did yard work this morning). Time to unwind before bed by watching the Bourne Ultimatum. :wink:
     
    Certifications: A+ and Network+
  10. neutralhills

    neutralhills Kilobyte Poster

    Trip, I had this exact problem two weeks ago. What worked for me was:

    1. Install and run UnHackMe 4.8. Let it remove what it finds that isn't an obvious false positive. There are probably some leftover rootkit bits to knock out.

    2. Run the latest version of Combofix from bleepingcomputer.com

    3. Reset the TCP/IP stack if the connectivity problem has not been corrected:
    http://support.microsoft.com/kb/299357

    If all this doesn't work, you can try the Winsock XP Fix util:

    http://www.watchingthenet.com/repai...ork-settings-with-winsock-xp-fix-utility.html

    Hope this helps
     
    Certifications: Lots.
    WIP: Upgrading MS certs
  11. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    I tried the Winsock XP Fix app and it had limited results.

    Part of the problem after I reconnected to the Internet via a hard wire was that I can no longer boot into Safe Mode. I get a black screen and none of the anti-virus scanners work now in normal mode. I'll give it a shot when I get the time which probably won't be until tomorrow now. Also waiting to see what my job situation is going to turn out like tomorrow, so I'm a little distracted.

    Thanks for the tips, Sean.
     
    Certifications: A+ and Network+
  12. neutralhills

    neutralhills Kilobyte Poster

    Dude. What you're describing is just ugly.

    Thoughts...

    UnHackMe is still worth a try. I'd consider following it up with a Windows Repair from the install CD and not a rebuild from scratch, if only because I know how limited your time is and how much of a pain in the arse it will be to reconfigure the system to your preferences.

    That and having to blow away and reinstall from scratch feels like losing to me. :-(
     
    Certifications: Lots.
    WIP: Upgrading MS certs
  13. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Me too. Actually, I don't think full install CDs come with Windows computers anymore. I think all you get is a Repair CD, so doing a full (legal) install isn't an option (alas). I told my son last night that the repair CD (assuming he can find it) is the option of last resort and that's pretty much where we are at this point.

    I also told him it's times like these that make me really love being a Linux user. :wink:
     
    Certifications: A+ and Network+
  14. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Yeah, I feel the same way. But that's really the only way to be sure, these days. It ain't like the old days where we could doctor the registry and pry out the virus by hand... :(
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  15. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Actually, that's the age that you believe you're bulletproof - that "things happen to everyone else, but not me". :D
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  16. neutralhills

    neutralhills Kilobyte Poster

    I can't for the life of me understand why anyone buys a computer that only comes with a factory restore option and not valid Windows installation media. Dell still gives out Windows install disks, which is one of the reasons I like them so much.
     
    Certifications: Lots.
    WIP: Upgrading MS certs
  17. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Update: There *is* no reinstall or repair media. Apparently HP in its wisdom has set up a separate partition on the hard drive where the user can access all of the relevant software. I haven't tried accessing it yet but thought I'd give you all a "heads up" in case you had any comments I should be aware of up front. I can see how this would be an advantage for people who might lose or throw away their reinstall/repair media, but if the computer is truly hosed, accessing material on the hard drive might not be a viable option. Just my initial thoughts. I'll let you know how things go when I actually get the time to check out my son's laptop again.
     
    Certifications: A+ and Network+
  18. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    Usually for these type of recovery systems there are instructions for making your own CDs. My experience is that most people ignore this until they are in trouble, when it is too late!

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  19. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    In other words, what you're saying is that my son should have accessed this information up front and made the CDs ahead of time...true? :rolleyes:
     
    Certifications: A+ and Network+
  20. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    If asked, HP will usually provide recovery media, but they'll likely charge you for it.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
