After removal of spyware, no network connection


3 replies to this topic

#1 jenmarsh

Posted 21 July 2004 - 03:44 PM

A few months ago, a computer at the office had been hijacked. I used the usual tools: HiJackThis, AdAware, Spybot S&D, CWShredder and a virus scanner to clean it up. Everything appeared clean, and the user began to use Firefox instead of IE.

We were suspicious of another Hijack and ran the regular tools, but it found nothing out of the ordinary. I then tried PestPatrol, which found 106 bits of spyware, adware and a few cookies.
Mostly, things were spyware. Instead of posting it here (because it is so long), here is the link to what PestPatrol found on the PC:

Results of PestPatrol scan

After removing these, we restarted the machine and McAfeeASaP tried to start up and gave us this message:

"Cannot listen on port 6515! Make sure TCP/IP transport is set up correctly and that no other applications are already listening on that port."

Additionally, and expectedly, there is no network communication at all. This computer cannot see the server, access the internet (through the LAN) or anything of the sort. I have heard of removal of spyware messing up network connections, but I have not been able to find any helpful answers. Anyone have any ideas? Thank you in advance!

-Jen

Edited by jenmarsh, 21 July 2004 - 03:45 PM.


#2 strafer

Posted 21 July 2004 - 04:22 PM

This may be a problem in Windows Winsock LSP. Check the HijackThis log and see if you see something that says "unknown file in Winsock LSP xxxxxx.dll."

If so, download LSP Fix.

Restart into safe mode. Write down the name of the .dll file. Make a backup of the .dll file and rename it and change the extension to something like backup.mp3. Open LSP Fix. Click on the checkbox "I know what I am doing" and move the same .dll file to the remove section and hit finish. Restart into normal mode and check your internet connection. It should be fine, but if not, rename the backup and place it in the folder you found it in (most likely windows/system32).

Hope this helps.

#3 jenmarsh

Posted 22 July 2004 - 11:26 AM

Okay, I did not try the LSP Fix yet, but will do that next. Apparently, a strange IP address is being generated for it, something that looks more like an internet address than a local area network IP.

We assigned the IP address: 192.168.0.203 and used the DNS servers from the router to see if we could get that to work. Some of the other PCs on the network require static IPs and this setup works perfectly for those PCs, which also allows them to connect to the internet.

So, this computer can now access the network and use the accounting system that is hosted on the server on the LAN. It can also send messages through WinPop; however, it still can't access the internet.

Can it still be the Winsock problem? I've tried renewing/releasing IPs (when the TCP/IP settings were set to Obtain IP automatically).

I will have her run HijackThis to at least look for the Winsock LSP file. Before the removal of all the spyware, everything worked fine, just slow with a bunch of pop-ups. Since the removal is when the network problems began happening.

Thanks in advance.

-Jen

**EDIT**
I ran HijackThis, and nothing suspicious was there. Nothing about the Winsock as well.

Edited by jenmarsh, 22 July 2004 - 11:41 AM.


#4 strafer

Posted 22 July 2004 - 01:11 PM

Try showing all hidden files/folders. Go to My Computer, pull down the Tools menu and hit Folder Options. Click on the View tab. Click on "Show hidden files and folders" and uncheck "Hide extensions for known file types". Try running HijackThis again and see if there is a problem.

I used to have the about:blank problem. It may have been a different variant than others because mine came with a .dll file in the Winsock LSP which kept re-creating the hijack after I deleted it.

If you manually delete the file in Windows Winsock LSP, then you will be left with a broken connection to the internet. Someone may have tried that, and if so you may need to find a backup or do a system restore to a point before the hijack appeared.

Try running LSP fix and see if there is a file on remove. If not, try finding all the files on the KEEP section and right click on them. Check their company name. The one without the company name will be the culprit.

I can't be sure, but this may have been caused if someone clicked on the pop-ups of the hijack. If it started as soon as the hijack appeared, then you may have a new CWS variant.

If the above information didn't help then try this. Download Task Info (Click Here)

Run the program and open an internet explorer window. On the left pane, where the processes are, click on the internet explorer icon. On the bottom right pane, click modules. This will show all the .dll files that the internet is using. Sort them by company name. If there are .dll files that don't have a company name, then they are part of the hijack. Try rebooting into safe mode and deleting those files. (always make backup copies and move them into a different folder)

If that didn't help, then try this. Download About:Buster and download Remove-ABlank, and run them in safe mode. The Remove-ABlank will flash the command prompt and it will go off. That is what is supposed to happen. Reboot into normal mode. Make your homepage back to normal. Open your registry (type regedit in Run) and go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows NT > CurrentVersion > Windows and look at AppInit_DLLs and see if there is a path there to your system32 folder. If so, close all programs except your registry. Double click on AppInit_DLLs and write over the filepath with gibberish. Hit OK and don't close your registry. Reboot your computer. See if that deleted the file path. If not, try it again. (It took me two tries).

Again, this may be a new variant of a CWS. This one sounds like it is pretty stealthy too. I am going to be away for 6 days and this will probably be my final post for you. I will check here when I get back though. I hope this helps and I wish you luck with this thing.
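
The checks described in this thread (which DLLs sit in the Winsock LSP chain and in AppInit_DLLs, whether each file still exists, and whether it carries a company name) can be gathered read-only in one pass. This is an added example, not part of the original posts or of any tool named in them; the function name Get-DllProvenance is hypothetical, and it assumes PowerShell 3 or later and English-language netsh output.

```powershell
# Added example: read-only triage of the two DLL load points discussed above.
# Nothing is modified; the output is a table to review by hand.
function Get-DllProvenance {
    param([string]$Source, [string[]]$Path)
    foreach ($p in ($Path | Where-Object { $_ } | Sort-Object -Unique)) {
        $full = [Environment]::ExpandEnvironmentVariables($p.Trim('"'))
        # A bare file name in AppInit_DLLs is loaded from the system directory.
        if (-not [IO.Path]::IsPathRooted($full)) {
            $full = Join-Path "$env:SystemRoot\System32" $full
        }
        $exists = Test-Path -LiteralPath $full
        [pscustomobject]@{
            Source    = $Source
            Path      = $full
            Exists    = $exists
            # Empty company name is the heuristic used in the post above.
            Company   = if ($exists) { (Get-Item -LiteralPath $full).VersionInfo.CompanyName }
            Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $full).Status }
        }
    }
}

# AppInit_DLLs is a single string; entries are separated by spaces or commas.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $key -Name AppInit_DLLs `
            -ErrorAction SilentlyContinue).AppInit_DLLs -split '[ ,]+'

# Winsock catalog: one "Provider Path:" line per entry (assumes English labels).
$lsp = netsh winsock show catalog |
    Select-String -Pattern '^Provider Path:\s+(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

$report  = @(Get-DllProvenance -Source 'AppInit_DLLs' -Path $appInit)
$report += @(Get-DllProvenance -Source 'WinsockLSP'   -Path $lsp)
$report | Format-Table -AutoSize

# Rows worth a closer look: file missing (a deleted provider still registered
# in the catalog breaks connectivity), or no company name in the file.
$report | Where-Object { -not $_.Exists -or -not $_.Company } |
    Format-Table Source, Path, Exists, Signature -AutoSize
```

A WinsockLSP row with Exists = False matches the broken-connection case described above, where a provider DLL was deleted while its catalog entry remained. A missing company name or a non-valid signature is only a lead for review, since some legitimate files lack both.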



