After getting rid of trojans, can't connect with wireless

**tripwire45** · #1 14-Sep-2008, 06:45 PM

I get the feeling this is more of a virus/malware issue than a networking issue, but it's hard to be sure. Let me explain.

My son (he's 22, so you'd think he'd know better) was playing some sort of free online game. He'd played it for awhile so figured it was harmless. Then suddenly, various popups started happening on his computer. He's running Windows XP Pro on an HP laptop. He had both an expired version of Norton running and AVG Free 7.5. He couldn't even open them to try a scan. The processes would die when he tried. He asked me to take a look.

Whatever he had, it had really hosed his laptop. I tried going back to a Restore Point before all this occurred, but that failed, regardless of the date I tried.

I tried doing an online scan but although I could connect to the internet and surf, I couldn't open up any websites related to virus scans or security at all. I copied AVG Free 8.0 from one of my other computers onto a thumb drive and used that to put the installer onto his laptop and install the program.

It installed successfully and updated the antivirus defs, but when I started the scan, the program suddenly had no active components. I closed the program but was unable to reopen it.

Finally, I rebooted into Safe Mode and was able to successfully start a scan with AVG. It ran on the command line and a long list of trojans started being located and being placed in the virus vault. I went to bed before the scan was complete.

When I woke up the next morning, the laptop was gone from my office, so I figured my son took it and all was well. I asked him about it later, and he told me it seemed fine except that it had "no or limited connectivity to the network".

I spent a good deal of time yesterday trying to get him connected wirelessly but to no avail. I turned off the Windows firewall of course, tried repairing the connection and every other troubleshooting trick I could think of. I can connect to the wireless access point (which is my wee little home server), but can't get an IP address via DHCP.

I tried again this morning. I turned off AVG, thinking it might have something to do with it, but that didn't change anything. I rebooted the server to see if the wireless service itself had died, but nada tostada. I hardcoded the wireless connection to give it an IP address, subnet mask and DNS server address. It said it had a full connection and initially could ping the server and another node on the network. It *couldn't* ping the DSL modem or the internet. Subsequently, it couldn't even ping the server or another network node, even though the systray icon said it was connected.

I suspect that there are still "critters" onboard that are causing a problem, so I'm running another AVG scan to start with. Can you think of anything else (and I know my troubleshooting description isn't complete) that I could do?

Thanks.

NightWalker · #2 14-Sep-2008, 06:58 PM

More AV scans is a must, sounds like it got some backdoor app that downloaded more stuff on to it. I would also try resetting the TCP/IP stack it you are having problems networking it.

http://support.microsoft.com/kb/299357

Make sure the Wireless Zero Configuration service is running afterwards, before you try and connect to your WLAN (and the firewall is off while you troubleshoot like you did earlier).

MLP · #3 14-Sep-2008, 07:02 PM

Hi

Apologies if this is stuff you have already tried, but have you considered taking the HDD out and placing it in a caddy? Then you can connect it via USB to another machine (Ensuring that the machine i fully patched, has valid AV, and as an extra precaution, has been booted into safe mode.). Then perform a full scan on the drive. As an extra measure, if you have a Mac or a linux machine, plug it into that. Clam AV works on Linux, and I'm sure I once used a version of Clam AV on a Mac before.

If this isn't possible, try going into msconfig, and seeing what items are set to run on boot. Also, try services.msc, and see if there is anything suspicious looking going on in there.

I've had some success with Windows Defender lately for getting rid of some nasty spyware lately.

Hope this helps somehow.

Maria

**Sparky** · #4 14-Sep-2008, 08:59 PM

Had a similar issue with a customers laptop a while back, removed the spyware but could not get a reliable connection to the network.

Ended up doing a repair install of the OS and it fixed the problem.

**Bluerinse** · #5 14-Sep-2008, 10:27 PM

James, can you get Internet connectivity using a *wired* connection?

If not, i suspect your Winsock has been messed up.

You can use one of these programs to fix it..

http://www.snapfiles.com/get/winsockxpfix.html

http://www.cexx.org/lspfix.htm

Quote:

“

LSP-Fix is a free Windows utility to repair a loss of Internet access associated with certain types of software. This type of software, known as a Layered Service Provider or LSP, typically handles low-level Internet-related tasks, and data is passed through a chain of these programs on its way to and from the Internet. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, causing the Internet connection to become inaccessible.
Unfortunately, problematic LSP software, including malware/spyware, is sometimes quietly installed by unrelated products such as file-sharing programs, sneaking onto a system unannounced. In fact, in many cases, the user does not know of its existence until something goes wrong, and he/she can no longer access Web sites. Historically, New.net* (NEWDOTNET) and WebHancer* (often bundled with file-sharing utilities, DVD player software, and other free downloads) have been the worst offenders, but the problem can be caused by any improperly-written Layered Service Provider software, or the deletion of any LSP program's files. LSP-Fix repairs the LSP chain by removing the entries left behind when LSP software is removed by hand (or when errors in the software itself break the LSP chain), and removing any gaps in the chain.

”

**tripwire45** · #6 15-Sep-2008, 02:26 AM

Thought you had something, Pete. I tried to connect the laptop using a wired connection and got the same problem. Downloaded and installed the recommended winsock repair utility. The wired connection came up like a dream. So did several pop ups of the malware persuasion. Disabled the wired nic and enabled the wireless. Alas...same problem.

**Bluerinse** · #7 15-Sep-2008, 02:40 AM

try re-installing the wireless adapter drivers and software maybe.. then i would do a repair as Sparky suggested.

**Mr.Cheeks** · #8 15-Sep-2008, 02:54 AM

Back vital data
Format and reinstall
Better safe than sorry

**tripwire45** · #9 15-Sep-2008, 02:57 AM

Thanks, Sparky, Pete, and Mr. C. That's the plan at this point, but not tonight. Between rebuilding a website for a non-profit (I volunteered) and my son's laptop, I've been sitting in front of a computer all afternoon (I did yard work this morning). Time to unwind before bed by watching the Bourne Ultimatum.

neutralhills · #10 15-Sep-2008, 03:53 AM

Trip, I had this exact problem two weeks ago. What worked for me was:

1. Install and run UnHackMe 4.8. Let it remove what it finds that isn't an obvious false positive. There are probably some leftover rootkit bits to knock out.

2. Run the latest version of Combofix from bleepingcomputer.com

3. Reset the TCIP/IP stack if connectivity problem has not corrected:
http://support.microsoft.com/kb/299357

If all this doesn't work, you can try the Winsock XP Fix util:

http://www.watchingthenet.com/repair...x-utility.html

Hope this helps

**tripwire45** · #11 15-Sep-2008, 05:05 AM

I tried the Winsock XP Fix app and it had limited results.

Part of the problem after I reconnected to the Internet via a hard wire was that I can no longer boot into Safe Mode. I get a black screen and none of the anti-virus scanners work now in normal mode. I'll give it a shot when I get the time which probably won't be until tomorrow now. Also waiting to see what my job situation is going to turn out like tomorrow, so I'm a little distracted.

Thanks for the tips, Sean.

neutralhills · #12 15-Sep-2008, 06:18 AM

Dude. What you're describing is just ugly.

Thoughts...

UnHackMe is still worth a try. I'd consider following it up with a Windows Repair from the install CD and not a rebuild from scratch, if only because I know how limited your time is and how much of a pain in the arse it will be to reconfigure the system to your preferences.

That and having to blow away and reinstall from scratch feels like losing to me. :-(

**tripwire45** · #13 15-Sep-2008, 01:11 PM

Me too. Actually, I don't think full install CDs come with Windows computers anymore. I think all you get is a Repair CD, so doing a full (legal) install isn't an option (alas). I told my son last night that the repair CD (assuming he can find it) is the option of last resort and that's pretty much where we are at this point.

I also told him it's times like these that make me really love being a Linux user.

**BosonMichael** · #14 15-Sep-2008, 04:53 PM

Quote:

“

Originally Posted by neutralhills

That and having to blow away and reinstall from scratch feels like losing to me. :-(

”

Yeah, I feel the same way. But that's really the only way to be sure, these days. It ain't like the old days where we could doctor the registry and pry out the virus by hand...