Can't get online after removing a virus


rendrag

Hi guys,

A friend of mine brought me his laptop (XP SP3) claiming it was acting slow. Turns out he had a mess of viruses -- some trojans, Google redirect... pretty nasty stuff. I finally got all that cleaned off (no small feat given the virus auto-rebooted out of safe mode), and now I can't get online. Whether I use wired or wireless, DHCP or static, nothing works. Renewing the IP fails, claiming the "socket operation encountered a dead network". Static IPs fail to get a DNS lookup.

I've tried all manner of Winsock2 resets (both command-line and programs).

I've reinstalled TCP/IP on both adapters.

I've uninstalled the wireless and wired adapters and had Windows reinstall them.

I'm hoping I've missed something or someone has worked through this before and can offer me some suggestions. It's a Gateway laptop, and he claims not to have the original XP Home disk, so I don't know how possible a clean wipe/reinstall is (plus he's really pressing me not to go that route).

So, any suggestions?



Most unwanted network "apps" (worms, viruses, browser plugins, spyware, malware, etc.) have a nasty habit of adding another unneeded layer to the networking process, for the obvious reason of monitoring, profiling, mining, or redirecting the user's browsing habits.

Those extra layers might still exist in the registry and be used by the system, and since the files needed for the layer are now gone, the networking function is crippled.

Adding a network layer has its legitimate uses, however, such as Internet Download Manager's Advanced Browser Integration. That feature takes over any download that uses TCP/IP and the HTTP GET command. It works for any program (not just a browser) by monitoring outgoing TCP/IP packets.

Therefore, I would suggest checking the registry for such entries.

Edited by Joseph_sw
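
The leftover layers described in the post above can be looked for without editing the registry by hand. The following is an added example, not part of the original post: it parses the text printed by `netsh winsock show catalog` and flags any provider whose DLL is no longer on disk. The sample listing is constructed and `examplelsp.dll` is a made-up name.

```python
import os
import re

# Constructed sample of `netsh winsock show catalog` output, trimmed to the
# fields used below. "examplelsp.dll" is a made-up leftover provider.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      %SystemRoot%\system32\examplelsp.dll
Catalog Entry ID:                   1016

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
"""

FIELD = re.compile(r"^([^:]+):\s*(.*)$")

def parse_catalog(text):
    """Return one dict of field -> value per provider entry in the listing."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("Provider Entry"):
            entries.append({})          # header line starts a new entry
        elif entries and (m := FIELD.match(line)):
            entries[-1][m.group(1).strip()] = m.group(2)
    return entries

def find_broken_providers(text, exists=os.path.exists, system_root=r"C:\WINDOWS"):
    """List (entry id, description, path) for providers whose DLL is missing."""
    broken = []
    for entry in parse_catalog(text):
        # Expand %SystemRoot% by hand; a lambda keeps backslashes literal.
        path = re.sub("%SystemRoot%", lambda _: system_root,
                      entry.get("Provider Path", ""), flags=re.I)
        if path and not exists(path):
            broken.append((entry.get("Catalog Entry ID"), entry.get("Description"), path))
    return broken

if __name__ == "__main__":
    on_disk = lambda p: p.lower().endswith("mswsock.dll")  # simulated disk state
    for entry_id, desc, path in find_broken_providers(SAMPLE_CATALOG, on_disk):
        print(f"entry {entry_id}: {desc} -> missing {path}")
```

On the affected machine, save the command's output to a file and pass its contents in with the default `exists` check.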

I would format anyway, as you can't know for sure that you didn't miss something else when there are many viruses/trojans.

Did you check whether the loopback is still working (ping 127.0.0.1)?

Also, the error message you get is usually related to the .NET Framework, so removing it or reinstalling it might solve the problem.

Edited by allen2

Although it doesn't sound like your issue, I've noticed that a common leftover after virus removal for users of Internet Explorer is usually fixed thus:

navigate to

Internet Options > Connections > LAN Settings > Proxy server

then

Uncheck the Use a proxy server for your LAN checkbox


Therefore, I would suggest checking the registry for such entries.

Any suggestions as to where I should look? I've already deleted the winsock and winsock2 reg entries and had Windows recreate them.

I would format anyway, as you can't know for sure that you didn't miss something else when there are many viruses/trojans.

Did you check whether the loopback is still working (ping 127.0.0.1)?

Also, the error message you get is usually related to the .NET Framework, so removing it or reinstalling it might solve the problem.

I'm still holding out hope that I can avoid a reformat, as much of a pipe dream as that may be. I've been able to scan the system in safe mode with Spybot, HijackThis and MS Security Essentials with no hits, so I'm reasonably confident the system is clean.

I haven't tried the loopback yet. What will that tell me? I'll try deleting the .NET Framework if he has it.

Although it doesn't sound like your issue, I've noticed that a common leftover after virus removal for users of Internet Explorer is usually fixed thus:

navigate to

Internet Options > Connections > LAN Settings > Proxy server

then

Uncheck the Use a proxy server for your LAN checkbox

That was unchecked and I rechecked the "automatically detect settings" box as well. No change in behavior.

Edited by rendrag

You might want to use Process Monitor, a very powerful utility that monitors registry/file/etc. access; its report is rather overwhelming, though.

Run Process Monitor, try to stop/start the Windows services that are required for the TCP/IP connection process, try to connect online, etc., then look in Process Monitor's reports for attempts to access non-existent files.
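
The "overwhelming" report from the procedure above can be reduced to a short list. The following is an added example, not part of the original post: it reads a Process Monitor CSV export and counts failed opens of binaries, dropping the ordinary DLL search-order misses where the same process finds the file elsewhere. The column names follow Process Monitor's CSV export; the sample rows, `example.exe` and `examplelsp.dll` are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout of a Process Monitor CSV export.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","svchost.exe","1044","CreateFile","C:\WINDOWS\system32\examplelsp.dll","NAME NOT FOUND",""
"10:01:02.4","svchost.exe","1044","CreateFile","C:\WINDOWS\system32\examplelsp.dll","NAME NOT FOUND",""
"10:01:03.0","ipconfig.exe","2210","CreateFile","C:\WINDOWS\system32\examplelsp.dll","NAME NOT FOUND",""
"10:01:03.2","example.exe","2300","CreateFile","C:\Tools\ws2_32.dll","NAME NOT FOUND",""
"10:01:03.3","example.exe","2300","CreateFile","C:\WINDOWS\system32\ws2_32.dll","SUCCESS",""
"10:01:03.5","svchost.exe","1044","RegOpenKey","HKLM\Software\Example","NAME NOT FOUND",""
'''

MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}
FILE_OPS = {"CreateFile", "QueryOpen", "Load Image"}
BINARY_EXT = (".dll", ".sys", ".exe")

def file_name(path):
    """Lower-cased last component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def missing_binaries(csv_text):
    """Return [((process, path), count)] for binaries a process never found."""
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff\r\n")))
    rows = [r for r in reader
            if r["Operation"] in FILE_OPS and r["Path"].lower().endswith(BINARY_EXT)]
    # A miss is routine when the same process later opens that file name
    # successfully from another directory (normal DLL search order).
    found = {(r["Process Name"], file_name(r["Path"]))
             for r in rows if r["Result"] == "SUCCESS"}
    misses = Counter()
    for r in rows:
        if r["Result"] in MISSING and (r["Process Name"], file_name(r["Path"])) not in found:
            misses[(r["Process Name"], r["Path"])] += 1
    return misses.most_common()

if __name__ == "__main__":
    for (process, path), count in missing_binaries(SAMPLE_CSV):
        print(f"{count:3d}  {process:14s} {path}")
```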


  • 3 weeks later...

So I finally gave up and wiped the drive. Unfortunately, because he doesn't have his original disks, I couldn't use them to re-install Windows, so I had to download a copy of XP SP3. Got Windows installed, but Activation doesn't want to take the product key that's on the bottom of his PC. I tried calling MS, and after they reject the installation ID, they tell me to go to support.microsoft.com/pag, which tells me that XP is no longer sold and I have to buy Win7. Is there any way around this? He has a legal copy of Windows, so I'd rather not crack the activation. Any suggestions?

Edited by rendrag

Thanks for the link. I did some more research before spending the dough and it turns out that I downloaded a Retail version of XP where the original was an OEM copy. Once I reinstalled an OEM copy, the key took just fine.

