Malware disabled my Internet connection

Being just smart enough to be dangerous, I am hoping for some guidance.  The chronicle goes like:

My kid is running XP SP3 on an Intel D865GBF with Norton 360 4.0

I'm visiting and the connection is down and she says it happened when they put the new router in.  I can access the net through the router with my laptop, but not her main machine hard wired.  I tell her perhaps Comcast has altered a setting, call them to discuss.  They assure her it's not  them, and suggest  Norton is preventing the connection.

 

She takes the machine to a local techie shop, he also tells her it's probably Norton, remove and retry.  She does, no joy.

 

She takes the machine to Best Buy service center, and their guy looks at the machine and tells her the mobo is failing, buy this new $400 machine to fix all your woes.

 

She calls me, and I tell her to wait til Thanksgiving when I visit, and we'll see what's up.  We spent the time having fun with kids and I brought the machine home with me, and tested the onboard LAN.  Seems to be okay, just in case, I replace with PCI LAN.  Seems okay, ping it from my wife's machine, and now her internet connection goes away.  WHAT?  Now things are bad, if Mama has no connection I'm toast.

 

I was able to run NPE on Mama's machine, and it found that one of her high use programs has an infected exe.  I eradicated that, reloaded and the machine is good.

 

Back to this other machine now, I can not access the internet, so none of the Norton stuff will run.  I downloaded one of the Malware, ARO I think, after reading a lot of reviews that said use a thumb drive and run in safe mode.  Supposedly it found lots of things, but of course the free version won't fix, they want $29.95.  A price I'm willing to pay, but need assurance it will fix the problem. 

 

Then I ask myself, doesn't Norton have this stuff?  Hell, why am I paying for Norton and not using it???  So here I am, realizing that Norton doesn't really have any Malware hotline.  I see a lot of blogs that are things similar, but nothing hit the nail on the head.

 

I'm wide open to suggestions on how to proceed.

 

HELP!

Thanks

Bob

In addition to Andmike's suggestion, have you run a full scan using your copy of 360 from safe mode?  The free version of the Malwarebytes scanner will clean out anything it finds just as quickly as your copy of 360 will. There are some differences in the way they scan and the things they look for.

Hope this helps

Here is the link for Malwarebytes free version.  Run it in normal mode as it is more effective that way.

 

http://www.filehippo.com/download_malwarebytes_anti_malware/

 

Check in your network settings to make sure that there is not a proxy setting checked.  Also check the settings in N360 to ensure that a proxy server is not checked.

 

Let us know what Malwarebytes finds.  Save the log as a text file in Notepad and attach it in the editor. 

...and whatever you do, don't pay the other company the $29.95. Real antivirus programs don't find threats for free then make you pay to fix them; that's what's known as "ransomware," and it tells you that you have a whole lot of infections that you don't really have, then promises to fix everything (that's not really wrong) if you pay up. Sort of a cyber version of the old protection racket.

 

You were wise to remember your Norton protection--and wise to pay attention to the suggestions of my experienced colleagues already here! Keep us posted--we're here to help until any nasties are gone and you're up and running again on all machines!


Hey Guys,

 

Answering Dick's question, I did run the full Norton Scan, but since I'm off line I only had what came off the original CD.  A year out of date, and probably not complete if I understand how Norton loads.  And, found nothing.

 

Now the Malwarebytes scan has found 2 infected objects.  There are a bunch of adware things in the quarantine section after it ran as well. The log is:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/27/2011 2:34:29 PM
mbam-log-2011-11-27 (14-34-09).txt

Scan type: Full scan (C:\|)
Objects scanned: 214941
Time elapsed: 26 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\windows live\messenger\riched20.dll (PUP.FunWebProducts) -> No action taken.
c:\program files\windows live\messenger\msimg32.dll (PUP.FunWebProducts) -> No action taken.

 

Presumably I'll remove these two things and reboot.

 

Bob

Howdy,

 

Using the thumbdrive I ran the MBAM, checking first on the proxies.  There are no proxies set, and the config is DHCP.

 

Log from first pass posted a minute ago.

 

Thanks,

Bob

 

The items taken by MBAM are from the same advertising app.  A PUP is a "Potentially Unwanted Program" rather than actually malicious.  

 

In your original post, it looked more as if there was a disconnect in the router between wired and wireless.  I'm not sure what went on with your wife's machine, but NPE throws frequent false positives because it is aggressive.  I have not seen malware that shuts down one machine when pinged by another.

 

We do have a member on our forum who also volunteers on the Comcast forum.  He may have some questions about who set up the router, the settings and whether certain other software was also installed that may be causing a problem.

 

I'm not seeing much indication of malware.  I will have Yank look in. 

Thanks Delphinium,

 

At present, I've got the machine hooked to my network, and the PCI card is sending and receiving data packets, but I can not get to the net.  I ran a MBAM a second time, it found 2 more files, both associated with the PUP Adware, and nothing else.

 

When in DHCP mode, I could not ever achieve an address, so I assigned an IP address, and I get the packets moving with no connectivity.

 

Perhaps there are some default settings I can trigger?  Lord only knows what kind of things were altered by everyone (self included) who has looked at this box.

 

Thoughts?

 

Thanks,

Bob

 

Hi Bob,

 

The best I can do for you information wise is to go to this link and you will have to register on the forum  in order to post:  http://forums.comcast.com/

 

Once registered you can go to this board:  http://forums.comcast.com/t5/Connectivity-and-Modem-Help/bd-p/5 and ask for help.

 

I apologize that I am not a very knowledgeable person on networks, connectivity etc, but we have some very sharp folks that man those boards for Comcast.  They are customers - just like you are and really are more help than the Comcast Tech Support would be.

 

Hopefully you'll be able to get some good info over there.

Thanks Yank.  I'll get over there and give it all a whirl.

 

Best regards,

Bob

 

Have you checked in your router settings as well?  Since the machine is not normally at your residence, and with the change in the card, I'm wondering if the router is blocking your access as an unknown machine.

 

You will need to find your default gateway address to access the router settings.  Presumably you have been there before to set up security.

Hey Delphinium,

 

I thought the DHCP setting should allow me in hard wire.  Been a while since I set it up.  The wireless has WPA.  I did run the IE diagnostic after the last failed attempt to connect and got this:

Last diagnostic run time: 11/27/11 17:23:53

Gateway Diagnostic

Gateway
info: The following proxy configuration is being used by IE: Automatically Detect Settings:Disabled Automatic Configuration Script: Proxy Server: Proxy Bypass list:
info: This computer has the following default gateway entry(ies): 192.168.0.1
info: This computer has the following IP address(es): 192.168.0.12
info: The default gateway is in the same subnet as this computer
info: The default gateway entry is a valid unicast address
info: The default gateway address was resolved via ARP in 1 try(ies)
info: The default gateway was reached via ICMP Ping in 1 try(ies)
warn: Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue
action: Automated repair: Reset network connection
action: Disabling the network adapter
action: Enabling the network adapter
info: Network adapter successfully enabled
info: This computer has the following default gateway entry(ies): 0.0.0.0
warn: There is no default gateway entry
info: Redirecting user to support call

IP Layer Diagnostic

Corrupted IP routing table
info: The default route is valid
info: The loopback route is valid
info: The local host route is valid
info: The local subnet route is valid

Invalid ARP cache entries
action: The ARP cache has been flushed

IP Configuration Diagnostic

Invalid IP address
info: Valid IP address detected: 192.168.0.12

Wireless Diagnostic

Wireless - Service disabled
Wireless - User SSID
Wireless - First time setup
Wireless - Radio off
Wireless - Out of range
Wireless - Hardware issue
Wireless - Novice user
Wireless - Ad-hoc network
Wireless - Less preferred
Wireless - 802.1x enabled
Wireless - Configuration mismatch
Wireless - Low SNR

WinSock Diagnostic

WinSock status
info: All base service provider entries are present in the Winsock catalog.
info: The Winsock Service provider chains are valid.
info: Provider entry MSAFD Tcpip [TCP/IP] passed the loopback communication test.
info: Provider entry MSAFD Tcpip [UDP/IP] passed the loopback communication test.
error: Provider entry RSVP UDP Service Provider could not perform simple loopback communication. Error 10091.
error: Provider entry RSVP TCP Service Provider could not perform simple loopback communication. Error 10091.
error: A connectivity problem exists with a base winsock provider.

Network Adapter Diagnostic

Network location detection
info: Using home Internet connection

Network adapter identification
info: Network connection: Name=Local Area Connection 5, Device=NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI), MediaType=LAN, SubMediaType=LAN
info: Ethernet connection selected

Network adapter status
info: Network connection status: Connected

HTTP, HTTPS, FTP Diagnostic

HTTP, HTTPS, FTP connectivity
warn: HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn: HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn: FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn: HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
warn: HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
warn: FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
error: Could not make an HTTP connection.
error: Could not make an HTTPS connection.
error: Could not make an FTP connection.


The following proxy configuration is being used by IE: Automatically Detect Settings:Disabled Automatic Configuration Script: Proxy Server: Proxy Bypass list:

 

So you need to go into the network settings and uncheck Use proxy server and check automatically detect settings.

 

Control panel>internet options>connections>LAN settings and then reboot. The diagnostic says that you have a valid IP address. 
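Added example, not part of the original thread or any poster's own code: a Python sketch that walks messages from the IE diagnostic log posted above stage by stage (IP config, gateway, Winsock, name resolution) and decodes the error codes it reports. The `|`-separated sample format, the rule names and the stage ordering are assumptions made for this example; the sample lines are copied from the log in the thread.

```python
import re

# Constructed sample: severity|message pairs taken from the diagnostic log above.
SAMPLE = """\
info|Valid IP address detected: 192.168.0.12
info|The default gateway address was resolved via ARP in 1 try(ies)
info|The default gateway was reached via ICMP Ping in 1 try(ies)
warn|Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue
error|Provider entry RSVP UDP Service Provider could not perform simple loopback communication. Error 10091.
warn|HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
"""

# Stages in the order they are checked: (stage, regex, True if a match means it works).
RULES = [
    ("ip-config", r"Valid IP address detected", True),
    ("gateway-arp", r"gateway address was resolved via ARP", True),
    ("gateway-icmp", r"gateway was reached via ICMP", True),
    ("winsock", r"Provider entry .* could not perform simple loopback", False),
    ("name-resolution", r"could not be resolved", False),
]

# Standard Windows meanings of the codes that appear in the log.
KNOWN_CODES = {
    10091: "WSASYSNOTREADY",
    11004: "WSANO_DATA",  # 0x2afc
    12007: "ERROR_INTERNET_NAME_NOT_RESOLVED",
}

def triage(log_text):
    """Return (status per stage, first failing stage in RULES order or None)."""
    status = {}
    for line in log_text.splitlines():
        _severity, _, message = line.partition("|")
        for stage, pattern, ok_on_match in RULES:
            if re.search(pattern, message):
                # A failure is sticky: a later passing line does not clear it.
                status[stage] = status.get(stage, True) and ok_on_match
    first_failure = next((s for s, _, _ in RULES if status.get(s) is False), None)
    return status, first_failure

def error_codes(log_text):
    """Map each error code in the log (decimal or 0x hex) to its known name."""
    found = re.findall(r"Error(?: code)? (0x[0-9a-fA-F]+|\d+)", log_text)
    return {c: KNOWN_CODES.get(c, "unknown") for c in sorted({int(x, 0) for x in found})}

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(error_codes(SAMPLE))
```

On the sample, the IP address and both gateway checks pass while the Winsock provider test and name resolution fail, which is the pattern the log shows: the gateway answers but no hostname resolves.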

ARO is a malware virus.....Unfortunately, I've had it on several of my PC's or laptops over the years.....either my kids or I clicked on a link.   It gets into the registry and even bypasses Norton security which is frustrating.   To date, I've used Norton's paid services several times (frustrating) to clean my PC.

 

Good Luck.