Hello

I have done a few scans to remove a virus from one of our computers: Malwarebytes, ComboFix, and TDSSKiller, to be exact. After the removal, the computer connects to the internet, but cannot identify the connection. This is a laptop, and this happens on both the wired and wireless connections.

I have run Complete Internet Repair, which is a utility that does all the conventional network fixes: repair hosts, Winsock, etc. I also ran the Tweaking.com Windows Repair utility, which repairs a large number of Windows issues. I also ran an SFC scan twice. The first did some repairs, and the second came back clean. I still think it's some sort of registry entry or Windows file that is causing the issue. Any help is greatly appreciated.

18 Replies

_Justin_ (Ghost Chili) Jan 29, 2013 at 7:27 UTC

Have you checked the hosts file and the proxy settings?

1
hamilt16 (Anaheim) Jan 29, 2013 at 7:30 UTC

Yes. Everything seems to be in order

0
JediTechSupport (Cayenne) Jan 29, 2013 at 7:30 UTC
Best Answer

Restore to last week? Sometime prior to the virus?

0
JediTechSupport (Cayenne) Jan 29, 2013 at 7:31 UTC

System Restore, that is.

0
TimS777 (Serrano) Jan 29, 2013 at 7:35 UTC

Can you explain "cannot identify the connection" ? This could mean many things.

0
hamilt16 (Anaheim) Jan 29, 2013 at 7:43 UTC

Trying a system restore now.

In Windows 7, in the Network and Sharing Center, the connection is stuck on "Identifying", meaning it is stuck on pulling DNS.

0
Galen in Laguna (Thai Pepper) Jan 29, 2013 at 7:56 UTC

TDSS and Virut are nasty. About 90% of the time I will have to reinstall Windows.

You have one last-ditch effort to try, though: ripping out the TCP/IP components.

Which you can't do easily in anything after XP.

So for Vista and Windows 7, you can try this:

Go to your NIC adapter properties and UNcheck Internet Protocol Version 4 (TCP/IPv4). In fact, UNCHECK ALL THE COMPONENTS.

This will totally make your system unstable. You need to reboot.

Once rebooted (with no IP components loaded), you need to UNINSTALL your NIC. Not DISABLE, UNINSTALL! Right-click it in Device Manager and UNINSTALL. If possible, then physically remove it.

Now SHUTDOWN.

Power back on and try to turn off the NIC in the BIOS. We want to load Windows back up without ANY network card (and write out new registry settings). So you should end up back in Windows with NO NIC installed or seen by the system.

Shutdown.

Now, power back on and enable/reinsert your NIC. Windows will pick up on it and say "Oh, you inserted a network card, I should install the TCP/IP stack because I don't have it, and you need it."

Hopefully, getting the system to go from a non-networked install to a networked machine will sometimes overwrite whatever has been fouled up.

Works about 10-20 percent of the time. Do not skip a step. Remember, you must boot up at least once without any networking hardware installed at all.

XP is easier, because you can actually go into Add/Remove Programs and rip out the Windows networking components themselves, and just reboot. But not in Vista/7.

1
DTMAN (Sonora) Jan 29, 2013 at 7:59 UTC

When it is saying Identifying, it could be trying to pull an IP address. Are you able to manually add an IP address and DNS IP?

0
_Justin_ (Ghost Chili) Jan 29, 2013 at 8:08 UTC

Does it work when you use a static IP?

1
Joe2233 (Serrano) Jan 29, 2013 at 8:12 UTC

Run a command to flush all DNS entries; also check and see if a proxy was set up in IE.

0
Juanjo Lopez (Poblano) Jan 29, 2013 at 9:00 UTC

Some weeks ago I had a similar issue: ping to an IP address worked well, but I couldn't connect using DNS names, no matter whether wired or wireless, even after installing a new Ethernet card.

The computer was XP, but what I needed to do was disable the IPSEC service; after that everything ran OK.

0
Craig2284 (Jalapeno) Jan 29, 2013 at 9:01 UTC

Try resetting IE (Internet Options > Advanced > Reset...). Also try using Chrome or Firefox; this will determine if it is a corrupted IE component.

0
Desiredfx (Anaheim) Jan 29, 2013 at 9:16 UTC
1st Post

Can you post a HijackThis log, please?

http://free.antivirus.com/us/#cleanup-and-prevention

0
Alexander6920 (Chipotle) Jan 29, 2013 at 11:29 UTC

I usually reimage machines that would otherwise take more than 30-45 min to clean up. You can't always permanently remove the virus or traces of it, and more than likely you have already spent more time cleaning it than reimaging the PC would take. Unless there is something specific on this PC that will literally take you hours to set up after reimaging, I say wipe it and start fresh.

0
Peter9481 (Anaheim) Jan 30, 2013 at 1:28 UTC

It may be as simple as checking your DNS routes.

Did you try, from cmd.exe, "route print"?

If nothing's getting through, there has likely been a poisoned route set as static in there, or the gateway removed, or something unhelpful.

0
RichyA (Cayenne) Jan 30, 2013 at 10:15 UTC

Maybe try manually setting the DNS server to point to one of Google's (8.8.8.8), in case it's having trouble automatically establishing a DNS server. If it works from there, perhaps look at the machine's ability to find the DNS server via IP. Maybe point it directly to your DNS server rather than let it find the information itself.

0
ILS (Pimiento) Jan 31, 2013 at 5:44 UTC
1st Post

When running into this problem with customers, the basic symptoms were no DNS, or "Limited or no connectivity".

In order to fix the problem you will have to check whether you have afd.sys in C:\Windows\System32\drivers\. If you do, check whether the date was modified. I like to check the timestamp in case ComboFix changed it.

If you do have afd.sys, most likely it is infected.

There is another tool that you can use to verify this, Farbar System Scanner (FSS): download it, run it, select the internet services, and run a scan. However, if you are not 100% sure that you are clean, select the rest of the scans as well.

The output will look something like this.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.
Checking LEGACY_afd: Attention! Unable to open LEGACY_afd registry key. The key does not exist.

Right there you see the main problem as to why DNS is not working on your computer. Quickly search for a new afd.sys within your system and replace the one located in C:\Windows\System32\drivers\; you can use FSS to scan for an afd.sys file from another location. If Windows does not let you replace the afd.sys file, you will have to do it in Safe Mode.

Next, as stated in the following forum post by Broni from Smartest Computing, you will have to modify the registry. You can copy the registry keys from a working computer or download the keys from Smartest Computing Downloads located here.

Follow the instructions on that post and that will get your DNS working again.

If you get a permission problem when merging Legacy_AFD, make sure you read Broni's instructions on how to allow your user to change the permissions. For Windows 7, I used the following:

Quoting Broni, the author of the post,

Please go to Start => Run (alternatively use Windows key + R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-click Root and select Permissions...
Click Advanced.
Under the Owner tab, select the entry starting with your user name, for example: Farbar (Farbar-PC\Farbar)
Put a check mark next to "Replace owner on subcontainers and objects" and click Apply and OK.
Under the Security tab, while Everyone is selected, put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

As stated by the author of the post, after doing the above you will be able to merge Legacy_AFD.

Even though that post is old, it works like a charm; we were able to fix 5 computers today, all of them Windows 7.

0
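The checks this post walks through by hand (afd.sys on disk and its timestamp, the afd service key and LEGACY_AFD key, whether the driver is running) can be collected in one pass, together with the hosts file and proxy settings asked about earlier in the thread. The script below is an added example for this page, not FSS, not Broni's fix and not something anyone in the thread posted. It is read-only and changes nothing. It targets Windows 7 / PowerShell 2.0 from an elevated prompt; the only paths it uses are the standard Windows ones, and the "healthy" values in the comments are what a stock Windows 7 install carries.

```powershell
# Added example, not posted in the thread and not part of FSS or Broni's fix.
# Read-only triage of what this post describes: afd.sys on disk, the afd service
# key, the LEGACY_AFD enum key, the driver's runtime state, plus the hosts file
# and proxy settings asked about earlier in the thread.
# Target: Windows 7 / PowerShell 2.0, run from an elevated prompt.

$sys    = $env:SystemRoot
$driver = Join-Path $sys 'System32\drivers\afd.sys'

Write-Host "== afd.sys on disk =="
if (Test-Path $driver) {
    $f = Get-Item $driver
    Write-Host ("  {0}  size={1}  modified={2:u}" -f $f.FullName, $f.Length, $f.LastWriteTime)
    # Valid = intact, HashMismatch = the file was patched. NotSigned is inconclusive
    # on PowerShell 2.0 (it does not check catalog signatures); in that case use
    # 'sfc /verifyfile=<path>' or compare against the WinSxS copies below.
    $sig = Get-AuthenticodeSignature $driver
    Write-Host ("  Authenticode: {0}" -f $sig.Status)
    # WinSxS keeps the servicing copies. A live file whose size differs from every
    # copy here is the quickest sign it was replaced. (Recursing WinSxS is slow.)
    Get-ChildItem (Join-Path $sys 'winsxs') -Recurse -Filter afd.sys -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host ("  winsxs copy: {0}  size={1}  modified={2:u}" -f $_.FullName, $_.Length, $_.LastWriteTime) }
} else {
    Write-Host "  MISSING: $driver"
}

Write-Host "== afd service key =="
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\afd'
if (Test-Path $svcKey) {
    $p = Get-ItemProperty $svcKey
    # Healthy Windows 7: Type=1 (kernel driver), Start=1 (system start),
    # ImagePath pointing at system32\drivers\afd.sys.
    Write-Host ("  Type={0}  Start={1}  ImagePath={2}" -f $p.Type, $p.Start, $p.ImagePath)
} else {
    Write-Host "  MISSING: $svcKey  (this is FSS's 'The service key does not exist')"
}

Write-Host "== LEGACY_AFD enum key =="
$legacy = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD'
try {
    Get-Item $legacy -ErrorAction Stop | Out-Null
    Write-Host "  present: $legacy"
} catch {
    # Enum\Root\LEGACY_* keys are SYSTEM-owned; an access error here is the same
    # permission wall the post hits when merging the .reg file.
    Write-Host "  missing or unreadable: $($_.Exception.Message)"
}

Write-Host "== afd as the service control manager sees it =="
$drv = Get-WmiObject Win32_SystemDriver -Filter "Name='afd'"
if ($drv) { Write-Host ("  State={0}  StartMode={1}  Path={2}" -f $drv.State, $drv.StartMode, $drv.PathName) }
else      { Write-Host "  afd is not registered as a driver service" }

Write-Host "== hosts file (a stock Windows 7 hosts file prints nothing here) =="
# Malware also redirects lookups by changing DataBasePath, so print that too.
$dbPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
Write-Host "  DataBasePath=$dbPath  (default: %SystemRoot%\System32\drivers\etc)"
Get-Content (Join-Path $sys 'System32\drivers\etc\hosts') |
    Where-Object { $_ -match '^\s*[^#\s]' } | ForEach-Object { Write-Host "  $_" }

Write-Host "== proxy settings (per-user WinINet/IE and machine-wide WinHTTP) =="
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Write-Host ("  ProxyEnable={0}  ProxyServer={1}  AutoConfigURL={2}" -f $ie.ProxyEnable, $ie.ProxyServer, $ie.AutoConfigURL)
netsh winhttp show proxy
```

Two things worth knowing before trusting the output: a missing service key with the file still present matches the FSS output quoted in the post, while a present key whose ImagePath points somewhere other than system32\drivers is a different (and nastier) problem; and the proxy section only covers the current user's WinINet settings, so run it as the user who actually sees the symptom, not just as the admin account you elevated with.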
Holsh (Anaheim) Feb 5, 2013 at 9:54 UTC

I see System Restore way too much in these forums. That should be the absolute last thing you do. Put in an alternate DNS, 8.8.8.8, and see if you can get out.

0
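Several replies converge on the same isolation test: ping by address (DTMAN, _Justin_), check the route table (Peter9481), then try a known-good DNS server such as 8.8.8.8 (RichyA, Holsh). The script below is an added example for this page, not code from anyone in the thread. It runs those steps in order and reports which layer failed, then restores whatever DNS configuration the adapter had before. It assumes Windows 7 / PowerShell 2.0 in an elevated prompt, that 8.8.8.8 answers both ping and DNS from the network in question (the posts above use it for the same purpose), and that "example.com" is an acceptable name to resolve; none of those come from the thread.

```powershell
# Added example, not posted in the thread. Separates "no route out" from
# "DNS server unreachable" from "local resolver or stack broken", then restores
# the DNS settings it changed. Windows 7 / PowerShell 2.0, elevated prompt.
# Assumptions: 8.8.8.8 answers both ping and DNS from this network (the posts
# above use it for the same purpose); 'example.com' is only a name to resolve.

$TestIP   = '8.8.8.8'
$TestName = 'example.com'

function Test-Resolve([string] $name) {
    # Goes through the Windows resolver (dnscache -> afd -> tcpip), which is
    # exactly the path that dies when afd.sys or the Tcpip registry is damaged.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        Write-Host ("  {0} -> {1}" -f $name, ($addrs -join ', '))
        return $true
    } catch {
        Write-Host ("  {0} -> FAILED: {1}" -f $name, $_.Exception.InnerException.Message)
        return $false
    }
}

# Show every IP-enabled adapter, then work with the one that has a default gateway.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True")
foreach ($n in $nics) {
    Write-Host ("{0}: IP={1}  GW={2}  DHCP={3}  DNS={4}" -f $n.Description, ($n.IPAddress -join ','), ($n.DefaultIPGateway -join ','), $n.DHCPEnabled, ($n.DNSServerSearchOrder -join ','))
}
$nic = $nics | Where-Object { $_.DefaultIPGateway } | Select-Object -First 1
if (-not $nic) {
    Write-Host "No adapter has a default gateway: DHCP or routing failed before DNS is even tried."
    Write-Host "Check 'route print' and try a static address/gateway on the adapter."
    return
}

Write-Host "== 1. reach $TestIP without DNS =="
if (-not (Test-Connection -ComputerName $TestIP -Count 2 -Quiet)) {
    Write-Host "  no reply: no IP path out; fix routing/gateway first (see 'route print')."
    return
}
Write-Host "  reply received"

Write-Host "== 2. resolve $TestName with the configured DNS servers =="
if (Test-Resolve $TestName) {
    Write-Host "DNS works; look at the proxy, the hosts file and the browser instead."
    return
}

Write-Host "== 3. same lookup with $TestIP as the only DNS server =="
# NameServer under the interface key is non-empty only when DNS was set statically;
# DHCP-supplied servers live in DhcpNameServer instead. Saved so step 4 can restore.
$ifKey     = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($nic.SettingID)"
$staticDns = (Get-ItemProperty $ifKey).NameServer
$nic.SetDNSServerSearchOrder(@($TestIP)) | Out-Null
ipconfig /flushdns | Out-Null                     # drop the negative cache from step 2
$worksWithStatic = Test-Resolve $TestName

Write-Host "== 4. restore the previous DNS configuration =="
if ([string]::IsNullOrEmpty($staticDns)) {
    $nic.SetDNSServerSearchOrder() | Out-Null     # empty list = back to DHCP-supplied servers
} else {
    $nic.SetDNSServerSearchOrder(@($staticDns -split '[ ,]+')) | Out-Null
}
ipconfig /flushdns | Out-Null

if ($worksWithStatic) {
    Write-Host "Verdict: a reachable resolver works, so the DHCP-supplied DNS server is bad or unreachable, not the stack."
} else {
    Write-Host "Verdict: even a reachable resolver fails, so the local stack (afd / tcpip / dnscache) is the suspect; see the afd.sys checks in ILS's post above."
}
```

Step 3 briefly points the machine at a public resolver, so on a domain-joined workstation expect AD lookups to fail for those few seconds; that is why the original setting is captured from the interface's NameServer value rather than from DNSServerSearchOrder, which also lists DHCP-supplied servers and would turn a DHCP client into a static one on restore. If the adapter shows an address in 169.254.x.x with no gateway, the script stops at the adapter listing, which is the "Identifying" symptom from the original post and a DHCP or driver problem rather than a DNS one.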
