I have done a few scans to remove a virus from one of our computers. Malwarebytes, combofix, and tdsskiller to be exact. After the removal, the computer connects to the internet, but cannot identify the connection. This is a laptop, and this is on both the wired and wireless.
I have run Complete Internet Repair, which is a utility that does all the conventional network fixes: repair hosts, winsock, etc. I also ran the Tweaking.com Windows Repair utility, which repairs a large number of Windows issues. I also ran an SFC scan twice. The first did some repairs, and the second came back clean. I still think it's some sort of registry entry or Windows file that is causing the issue. Any help is greatly appreciated.
Have you checked the hosts file and the proxy settings?
Restore to last week? Sometime prior to the virus?
Can you explain "cannot identify the connection" ? This could mean many things.
Trying a system restore now.
In Windows 7, in the Network and Sharing Center, the connection is stuck on "Identifying", meaning it is stuck on pulling DNS.
TDSS and Virut are nasty. About 90% of the time I will have to reinstall Windows.
You have one last-ditch effort to try though: ripping out the TCP/IP components.
Which you can't do easily in anything after XP.
So for Vista and Windows 7, you can try this:
Go to your NIC adapter properties and UNCHECK Internet Protocol Version 4 (TCP/IPv4). In fact, UNCHECK ALL THE COMPONENTS.
This will totally make your system unstable. You need to reboot.
Once rebooted (with no IP components loaded), you then need to UNINSTALL your NIC. Not DISABLE, UNINSTALL! Right-click it in Device Manager and UNINSTALL. If possible, then physically remove it.
Power back on and try to turn off the NIC in the BIOS. We want to load Windows back up without ANY networking card (and write out new registry settings). So you should end up back in Windows, with NO NIC installed or seen by the system.
Now, power back on and enable/reinsert your NIC. Windows will pick up on it and say "Oh, you inserted a network card, I should install the TCP/IP stack because I don't have it, and you need it."
Hopefully, getting the system to go from a non-networked install to a networked machine will sometimes overwrite whatever has been fouled up.
Works about 10-20% of the time. Do not skip a step. Remember, you must boot up at least once without any networking hardware installed at all.
XP is easier, because you can actually go into Add/Remove Programs and rip out the Windows networking components themselves, and just reboot. But not Vista/7.
When it is saying Identifying, it could be trying to pull an IP address. Are you able to manually add an IP address and DNS IP?
Run a command and flush all DNS entries. Also check and see if a proxy was set up in IE.
Some weeks ago I had a similar issue: ping to an IP address worked well, but I couldn't connect using DNS names, no matter whether wired or wireless, even after installing a new Ethernet card.
The computer was XP, but what I needed to do was disable the IPSEC service; after that everything ran OK.
Try resetting IE (Internet Options > Advanced > Reset...). Also try using Chrome or Firefox; this will determine if it is a corrupted IE component.
Jan 29, 2013 at 9:16 UTC
Can you post a HijackThis log please.
I usually reimage machines that would otherwise take more than 30-45 min to clean up. You can't always permanently remove the virus or traces of it, and more than likely you have already spent more time cleaning it than reimaging the PC. Unless there is something specific on this PC that will literally take you hours to set up post-reimage, I say wipe it and start fresh.
It may be as simple as checking your DNS routes.
Did you try from cmd.exe - "route print"
If nothing's getting through, there has likely been a poisoned route set as static in there, or the gateway removed, or something unhelpful.
Maybe try manually setting the DNS server to point to one of Google's (188.8.131.52), in case it's having trouble automatically establishing a DNS server. If it works from there, perhaps look at the machine's ability to find the DNS server via IP. Maybe point it directly to your DNS server rather than let it find the information itself.
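The checks suggested in this thread (route table, DNS servers, proxy, hosts file, and a resolution test that bypasses the configured DNS server) collected into one triage script. This is an added example, not code from any poster; it uses only WMI and nslookup so it runs on Windows 7, and the test hostname and alternate DNS address are constructed placeholders to replace with your own.

```powershell
# Added triage script (not from the thread). Separates a stuck "Identifying" /
# no-DNS symptom into routing, resolver, proxy or hosts-file causes.
# Windows 7 compatible: WMI only, no Get-NetRoute / Resolve-DnsName.
$TestHost = 'example.com'    # assumption: any name that should resolve
$AltDnsIp = '203.0.113.53'   # placeholder: a DNS server you know is good

Write-Host "== Active IPv4 routes (Protocol 3 = static, not learned from DHCP/ICMP) =="
$routes = Get-WmiObject Win32_IP4RouteTable
$routes | Select-Object Destination, Mask, NextHop, InterfaceIndex, Metric1, Protocol |
    Format-Table -AutoSize | Out-String | Write-Host
if (-not ($routes | Where-Object { $_.Destination -eq '0.0.0.0' })) {
    Write-Warning 'No default (0.0.0.0) route: gateway missing or removed.'
}
$static = $routes | Where-Object { $_.Protocol -eq 3 -and $_.Destination -ne '0.0.0.0' }
if ($static) { Write-Warning "Static non-default routes present; verify each:`n$($static | Out-String)" }

Write-Host "== Persistent routes (survive reboot; a poisoned route would usually live here) =="
Get-WmiObject Win32_IP4PersistedRouteTable |
    Select-Object Destination, Mask, NextHop, Metric1 | Format-Table -AutoSize | Out-String | Write-Host

Write-Host "== Address, gateway and DNS servers per enabled adapter =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DefaultIPGateway, DNSServerSearchOrder |
    Format-List | Out-String | Write-Host

Write-Host "== IE proxy setting (HKCU Internet Settings) =="
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($ie.ProxyEnable -eq 1) { Write-Warning "Proxy enabled: $($ie.ProxyServer)" } else { Write-Host 'Proxy disabled' }

Write-Host "== Non-comment entries in the hosts file (should normally be empty) =="
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_ -match '^\s*[^#\s]' } | Write-Host

Write-Host "== Resolution of $TestHost through the configured resolver =="
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($TestHost)
    Write-Host "OK: $(($addrs | ForEach-Object { $_.IPAddressToString }) -join ', ')"
} catch { Write-Warning "Resolver failed for ${TestHost}: $($_.Exception.Message)" }

Write-Host "== Same query sent directly to $AltDnsIp (bypasses the configured servers) =="
& nslookup.exe $TestHost $AltDnsIp 2>&1 | Out-String | Write-Host
```

If the direct nslookup succeeds while the system resolver fails, the problem is in the local DNS client configuration or the afd/TCP/IP stack rather than the network path.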
Jan 31, 2013 at 5:44 UTC
While running into this problem with customers, the basic symptoms were no DNS, or "Limited or no connectivity".
In order to fix the problem you will have to check if you have afd.sys in C:\Windows\System32\drivers\. If you do, check whether the date was modified. I like to check the time-stamp in case Combofix changed it.
If you do have afd.sys, most likely it is infected.
There is another tool that you can use to verify this, Farbar Service Scanner (FSS): download it, run it, select the internet services and run a scan. However, if you are not 100% sure that you are clean, select the rest of the scans as well.
The output will look something like this.
afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.
Checking LEGACY_afd: Attention! Unable to open LEGACY_afd registry key. The key does not exist.
Right there you see the main problem as to why DNS is not working on your computer. Quickly search for a new afd.sys within your system and replace the one located in C:\Windows\System32\drivers\; you can use FSS to scan for an afd.sys file from another location. If Windows does not let you replace the afd.sys file, you will have to do it in Safe Mode.
Next as stated in the following forum post by Broni from Smartest Computing, you will have to modify the registry. You can copy the registry from a working computer or download the Keys from Smartest Computing Downloads located here.
Follow the instructions on that post and that will get your DNS working again.
If you get a permission problem when merging Legacy_AFD, make sure you read Broni's instructions on how to allow your user to change the permissions. For Windows 7, I used the following:
Quoting Broni, the author of the post,
Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under the Owner tab, select the entry starting with your user name, for example: Farbar (Farbar-PC\Farbar)
Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
Under the Security tab, while Everyone is selected, put a check mark in the box under Allow next to Full Control.
Click Apply and OK.
As stated by the author of the post, after doing the above you will be able to merge Legacy_AFD.
Even though that post is old, it works like a charm; we were able to fix 5 computers today, all of them Windows 7.
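A script that verifies the same four things the FSS output above reports (the afd.sys file and its timestamp/signature, the AFD service key with its Start and ImagePath values, the LEGACY_AFD enum key, and whether the driver is actually running). This is an added example, not code from the poster, FSS or Broni's post; it assumes the standard Windows 7 locations and should be run from an elevated PowerShell so the registry reads are not refused.

```powershell
# Added check script (not from the thread). Verifies the pieces that go missing
# in the afd.sys scenario described above. Assumes Windows 7 default paths/keys.
$AfdPath  = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
$Findings = @()

# 1. Driver file on disk: record size, timestamp (Combofix may touch it) and signature.
if (Test-Path $AfdPath) {
    $f = Get-Item $AfdPath
    Write-Host "afd.sys present: $($f.Length) bytes, modified $($f.LastWriteTime)"
    $sig = Get-AuthenticodeSignature $AfdPath
    # Microsoft drivers are normally catalog-signed, which Windows 7's cmdlet reports
    # as NotSigned. Only a Valid-but-non-Microsoft result is treated as a finding here.
    Write-Host "Authenticode status: $($sig.Status)"
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $Findings += 'afd.sys carries a non-Microsoft signature'
    }
} else { $Findings += "afd.sys missing from $AfdPath" }

# 2. Service key: Start should be 1 (SYSTEM_START) and ImagePath should point at
#    \SystemRoot\system32\drivers\afd.sys. A missing key matches the FSS output above.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty $svcKey
    Write-Host "AFD Start=$($svc.Start) ImagePath=$($svc.ImagePath)"
    if ($svc.Start -ne 1) { $Findings += "AFD Start type is $($svc.Start), expected 1" }
    if ($svc.ImagePath -notmatch 'drivers\\afd\.sys$') { $Findings += "AFD ImagePath is '$($svc.ImagePath)'" }
} else { $Findings += 'Services\AFD key does not exist' }

# 3. Legacy enum key (what FSS calls LEGACY_afd). An access-denied read also shows
#    as missing, which is why the shell must be elevated.
$legacyKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD'
if (-not (Test-Path $legacyKey)) { $Findings += 'Enum\Root\LEGACY_AFD key does not exist' }

# 4. Is the kernel driver loaded right now? (Get-Service does not list drivers.)
$drv = Get-WmiObject Win32_SystemDriver -Filter "Name='AFD'"
if (-not $drv -or $drv.State -ne 'Running') { $Findings += 'afd driver is not running' }

if ($Findings) { Write-Warning ("Problems found:`n - " + ($Findings -join "`n - ")) }
else { Write-Host 'afd driver file, service key, legacy key and running state all look normal.' }
```

Any warning from sections 2 or 3 corresponds to the "service key does not exist" lines in the FSS output and is what the registry merge in Broni's post is meant to repair.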