Solved

Internet Not Browsing

Posted on 2002-05-08
Last Modified: 2013-12-28
OK, the net's not working. The computer just had the Klez worm removed from it.

Then internet connects - it's on ADSL.

I can ping computers with no problems

I can't access FTP

I can't browse

I can't receive email

I can't work out how to fix it.

help!  - oh yeah, it just comes up with the DNS error as if the web page name didn't exist, or saying that the mail server cannot be found.
Question by:xizor
14 Comments
 
LVL 2

Expert Comment

by:percy_k
Can you ping the Internet, such as yahoo.com, microsoft.com? If yes, can you browse them by entering their IP in the browser?

How's your gateway setting?

I'm just wondering if your net interface has no problem, as you said you can ping other computers but not the Internet.

0
 
LVL 41

Expert Comment

by:stevenlewis
first check your dns settings, make sure they are correct. If it is all ok, try removing all network components from network neighborhood, right click choose properties, then remove everything
reboot and reinstall
0
 
LVL 2

Author Comment

by:xizor
Yeah, sorry, by pinging another computer, I meant I can ping another computer on the internet. There are no DNS setups, and I have tried removing all communications software, and all network adaptors and protocols and reloading them all; didn't work either. Any other ideas?
0
 
LVL 41

Expert Comment

by:stevenlewis
from a prompt type
ping www.experts-exchange.com
see if you get a response
then from a prompt type
ping 206.169.61.246
if you get a response from the second, but not the first open a browser window and in the address bar type
http://206.169.61.246
If it takes you here, then you need to enter the correct dns settings (as provided by your isp)
0
 
LVL 41

Expert Comment

by:stevenlewis
also go to control panel-->add/remove programs-->windows setup and remove dialup networking, reboot and reinstall
0
 
LVL 41

Expert Comment

by:stevenlewis
Are you using Enternet 300 or some other type of PPPoE software? if so uninstall and reinstall it too
0
 
LVL 2

Expert Comment

by:percy_k
So, you mean you can access the internet by IP?

Nice if you can give the following result

1. try 207.46.197.102 in your browser.
2. try another DNS server
3. netstat -a     any listening http port?

Best


0
 
LVL 3

Expert Comment

by:pleasenospam
Create a shortcut on your DESKTOP with this in the command line:

C:\WINDOWS\WINIPCFG.EXE

Set to run MAXIMIZED.

Check with your ISP on the proper IP settings.

0
 
LVL 3

Accepted Solution

by:
pallidin earned 100 total points
Some info, sorry for the long entry.


Instructions for removing W32/ElKern-C and W32/Klez-H


W32/Klez-H is a Win32 worm that carries a compressed copy of the W32/ElKern-C virus, which it drops and executes when the worm is run. Detection for W32/Klez-G includes detection for W32/Klez-H and other variants. These notes can be used to disinfect the W32/Klez-E, -F, -G and -H variants and Elkern-A, -B and -C.

W32/ElKern-C is an executable file virus that works only under Windows 98, Windows Me, Windows 2000 and Windows XP. It is capable of infecting file cavities, meaning that it may not change the sizes of files it infects. W32/ElKern-C copies itself to the Windows System directory and sets a registry key to point to this file so that the virus runs every time the computer is rebooted.

W32/Klez-H will remove any installation of Sophos Anti-Virus it finds, so it must be removed with DOS SWEEP or SAV32CLI before installing a new version.

To disinfect W32/ElKern-C and to remove W32/Klez-H use DOS SWEEP or SAV32CLI.

Disconnecting from the network
Sophos recommends that you disconnect infected computers from the network before proceeding. This simple measure will prevent the virus from spreading any further while you are getting ready to clean your computer.

Obtaining the W32/ElKern-C IDE
Please read the description of W32/ElKern-C. Download the W32/ElKern-C IDE and save it to floppy disk.

If you are disinfecting a Windows XP computer go to Obtaining SAV32CLI for Windows XP computers section.

Obtaining DOS SWEEP
There is a basic version of DOS SWEEP in the Tools\ESD folder on the Sophos CD. You can also download DOS SWEEP from the downloads section. Enter your customer or evaluation details, then select 'Emergency SAV distribution (DOS)', download and unzip the file.

Copy the DOS SWEEP files into a C:\Sophtemp directory on your PC.

In Windows 95/98/Me if W32/Klez-H has not completely corrupted your installation of Sophos Anti-Virus it may be possible to run DOS SWEEP in DOS mode from C:\Program files\Sophos SWEEP.

Copy the W32/ElKern-C IDE into the folder you are using DOS SWEEP in.

Before running DOS SWEEP under Windows 95/98/Me, it is vital that you ensure that the W32/ElKern virus is not resident in memory. For this you must disinfect in a 16-bit environment under which you can be sure that the 32-bit W32/ElKern virus is completely paralysed. Under Windows NT it is possible to disinfect at a command prompt. Under Windows 2000 it may be possible to do so.

On Windows 95/98/Me
a) On Windows 95/98

Restart the computer in MS-DOS mode. Note: starting a Command Prompt (a DOS window) is not enough.

Go to the Start menu and select Shut Down. Choose the option 'Restart the computer in DOS mode'. This disables the virus and provides a safe environment for disinfection.

b) On Windows Me

This version of Windows does not allow you to exit directly into MS-DOS mode. You need to create a startup disk and boot from that. Go to Start|Settings|Control Panel. Click on 'Add/Remove Programs', select the 'Startup Disk' tab and press the 'Create Disk' button.

When you have created the startup disk, write-protect it and boot from it. This disables the virus and provides a safe environment for disinfection.

Go to the Sophtemp directory and run DOS SWEEP.


C:
CD \
CD SOPHTEMP
SWEEP C: -PB -DIPE -P=ELKLOGC.TXT

Note: If the copy of DOS SWEEP has survived in Program files\Sophos SWEEP use:


C:
CD \
CD PROGRA~1
CD SOPHOS~1
SWEEP C: -PB -DIPE -P=ELKLOGC.TXT

The command above runs SWEEP, which scans all of the directories and files on your PC, including subdirectories. Files which the virus has infected are cleaned and a report is made of them.

W32/ElKern may corrupt files so that they cannot be cleaned. These files will have to be deleted. Make a note of the deleted files so that useful ones can be restored from backups. This process will probably also remove W32/Klez worm files.

SWEEP C: -PB -P=KLEZLOGC.TXT -REMOVEF

Note: only remove files which say they are infected with W32/Klez or W32/ElKern. Files infected by other viruses should be treated separately later.

It is important to remember that infected files are not always restored to their original state. Note: W32/ElKern when it infects a file is committing an unauthorised, illegal act and may damage the file. Such damage cannot be reversed automatically without a copy of the original file.

Repeat this process for any other hard drives, e.g. drive D:


SWEEP D: -PB -DIPE -P=ELKLOGD.TXT

and


SWEEP D: -PB -P=KLEZLOGD.TXT -REMOVEF

The deleted files should be restored from a clean backup or the original CD.

After the disinfection process described above you must restart the computer in Windows and do the following:


i. System Restore and Windows Me

Go to Start|Settings|Control Panel. Double-click System, then select the Performance tab. Click File System and then click the Troubleshooting tab. Click to select the Disable System Restore box, click Apply, click to clear the Disable System Restore box, then click OK. Restart the computer.


ii. Reinstall Sophos Anti-Virus and scan the computer in Windows

Reinstall Sophos Anti-Virus as directed in the relevant installation guide, then run a scan to ensure that directories that cannot be recognised under DOS (whose names contain illegal characters such as "!" and "?") are scanned. Run an 'All files' scan.

Start Sophos Anti-Virus. Right-click your hard drive and select All files from the menu that appears. Ensure that Subfolders is selected. Then run a scan. After you have finished right-click the drive again and select Executables.

Now go to Recovery section below.

On Windows NT
W32/ElKern-C does not infect Windows NT files, but infected files may find their way onto a Windows NT computer. To clean such files, shut down all programs. Go to Start|Run and type Command. At the command prompt type


CD SOPHTEMP
SWEEP C: -PB -DIPE -P=ELKLOGC.TXT

The command above runs SWEEP, which scans all of the directories and files on your PC, including subdirectories. Files which the virus has infected are cleaned and a report is made of them.

Repeat this process for other hard drives, e.g. SWEEP D: -PB -DIPE -P=ELKLOGD.TXT.

This will have disinfected all files that can be disinfected.

W32/ElKern may corrupt files so that they cannot be cleaned. These files will have to be deleted. Make a note of the deleted files so that useful ones can be restored from backups. Repeat this for all drives. This process will probably also remove W32/Klez worm files.


SWEEP C: -PB -P=KLEZLOGC.TXT -REMOVEF

When disinfection has finished run an All files scan in Sophos Anti-Virus to check that the virus has gone. If the virus has not gone, contact Sophos technical support.

On Windows 2000
On a computer running Windows 2000 it should be possible to run SWEEP from a command prompt in Safe Mode.

Go to Start|Shut Down. Select Restart from the drop down list and click OK. Windows will restart. Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu select the top option 'Safe Mode'. When requested, logon as local administrator.

When Windows 2000 has started in Safe Mode go to Start|Settings|Control Panel|Administrative Tools and double-click Services. Among the Services you will see one called Wink*, where * represents random characters. Use the Stop button to shut down this Wink* service. Close all windows.

Go to Start|Run and type Command. At the command prompt type


CD \
CD SOPHTEMP
SWEEP C: -PB -DIPE -P=ELKLOGC.TXT

The command above runs SWEEP, which scans all of the directories and files on your PC, including subdirectories. Files which the virus has infected are cleaned and a report is made of them.

Repeat this process for other hard drives,
(e.g. SWEEP D: -PB -DIPE -P=ELKLOGD.TXT.)

This will have disinfected all files that can be disinfected.

W32/ElKern may corrupt files so that they cannot be cleaned. These files will have to be deleted. Make a note of the deleted files so that useful ones can be restored from backups. Repeat this for all drives. This process will probably also remove W32/Klez files.


SWEEP C: -PB -P=KLEZLOGC.TXT -REMOVEF

When disinfection has finished, run a second scan to check that the viruses have gone. If they have not gone, or you encounter any problems, contact Sophos technical support.

You must now restart Windows and reinstall Sophos Anti-Virus.

Reinstall Sophos Anti-Virus as directed in the relevant installation guide, then run a scan to ensure that directories that cannot be recognised under DOS (whose names contain illegal characters such as "!" and "?") are scanned.

Start Sophos Anti-Virus. Right-click your hard drive and ensure that Subfolders is selected. Then run a scan.

Now go to Recovery section below.

Obtaining SAV32CLI for Windows XP computers
W32/Klez should be removed on Windows XP using SAV32CLI.

There is a copy of SAV32CLI in the WIN32\I386\SAV32CLI folder on the Sophos CD. Copy this folder onto a medium that can be write-protected, add the W32/ElKern-C IDE to this folder and write-protect the disk (on a CD/R or CD/RW close the session).

There is an emergency download of SAV32CLI at sav32sfx.exe. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected, add the W32/ElKern-C IDE to this folder and write-protect the disk (on a CD/R or CD/RW close the session).

Before running SAV32CLI it is vital that you ensure that the W32/ElKern virus is not resident in memory. Under Windows XP it should be possible to disinfect in Safe Mode.

Removing W32/Klez and W32/ElKern on Windows XP systems
On a lightly infected computer running Windows XP it should be possible to run SAV32CLI from a command prompt in Safe Mode.

Go to Start|Shut Down. Select Restart from the drop down list and click OK. Windows will restart. Press F8 repeatedly as the computer boots up to get to the Windows Advanced Options Menu. In this menu select the top option 'Safe Mode', then select Windows XP. When requested, logon as local administrator.

When Windows XP has started in Safe Mode go to Start|Settings|Control Panel|Administrative Tools and double-click Services. Among the Services you will see one called Wink*, where * represents random characters. Use the Stop button to shut down this Wink* service. Close all windows.

Insert the write-protected disk onto which you copied SAV32CLI.

Go to Start|Run and type 'Cmd'. At the command prompt which opens type


E:

where E: is the drive in which you placed the SAV32CLI disk. Type:


CD SAV32CLI
SAV32CLI -DI -P=C:\ELKLOGC.TXT

to disinfect all fixed drives.

The command above runs SAV32CLI, which scans all of the directories and files on your PC, including subdirectories. Files which the virus has infected are cleaned and a report is made of them in the root of the C: drive.

This will have disinfected all files that can be disinfected.

W32/ElKern may corrupt files so that they cannot be cleaned. These files will have to be deleted. Make a note of the deleted files so that useful ones can be restored from backups. This process will probably also remove W32/Klez files.


SAV32CLI -P=C:\KLEZLOGC.TXT -REMOVE

Note: only remove files which say they are infected with W32/Klez or W32/ElKern. Files infected by other viruses should be treated separately later.

When disinfection has finished run a second scan to check that the viruses have gone. If they have not gone, or you encounter any problems, contact Sophos technical support.

After the disinfection process described above you must restart the computer in Windows and do the following:

a) Purge System Restore

Go to Start|Settings|Control Panel|Performance and Maintenance. Double-click System, then select the System Restore tab. Click to select the Turn off System Restore on all drives box, click Apply and click Yes.

Now click to clear the Turn off System Restore on all drives box, then click OK. Restart the computer.

b) Reinstall Sophos Anti-Virus and scan the computer in Windows

Reinstall Sophos Anti-Virus as directed in the relevant installation guide, then run a scan.

Now go to Recovery section below.

Recovery
1. Repairing the registry

You now need to delete the registry keys that point to the infected files and services. These may not be present on some infected systems.

The file the key uses will be one of the infected files listed in KLEZLOGC.TXT in the SOPHTEMP (or Sophos SWEEP) folder or the root of the C: drive. Double-click on KLEZLOGC.TXT to open it in Notepad or Wordpad and search for the word 'virus' to find the names of the infected files. You can leave it open for searching while you edit the registry.

At the Windows taskbar, select Start|Run. Type in Regedit and press return. Regedit will open.

Before you edit the registry, back it up. In the Registry menu, click on Export Registry File, in Export Range select All, then save your registry as Backup.

Now you can edit the registry.

HKLM is an abbreviation for HKey_Local_Machine.

Open the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"infected file"

where "infected file" is one of the infected files in the log. Delete this key.

You may also need to remove the Wink* service key.

Open the registry key

HKLM\System\CurrentControlSet\Services\Wink*

where "*" represents random characters. Delete this key.

Close the Registry Editor when you have finished.

2. Replacing disinfected files

Infected files are not always restored to their original state. This damage cannot be reversed automatically without a copy of the original file. You should subsequently replace all files that have been infected with copies from backups, new media or a clean PC.

3. Finding renamed files

W32/Klez-H renames and hides copies of some of the files that it has infected in the same directory. The original name is retained, but the file extension is random and the files have 'system', 'hidden' and 'read only' attributes set. These files can be renamed back to their original name.

4. Using the Microsoft patch

W32/Klez-H exploits a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer which allows a file to run automatically without the user double-clicking on the attachment.

Download the patch which Microsoft has issued to secure against this vulnerability.

5. Disinfecting or removing files on other platforms

If you find any infected files on platforms other than Windows 95/98/Me and Windows NT/2000/XP, disinfect W32/ElKern-C using the instructions for Disinfecting PE executables and remove W32/Klez variants using the instructions for Removing infected executable files.

0
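The cross-check that step 1 of the Recovery section does by hand, as an added example that is not part of the original post or of the Sophos instructions it quotes: it lists the Run values that point at files named in the scanner log, and the Wink* service keys, from a text export of the registry made in Regedit. It assumes that log lines mentioning 'virus' end with the file path; the sample log, sample export and file names are constructed, and the function names are hypothetical.

```python
import re
# Constructed samples: the log line layout is an assumption (the page only says to
# search the log for 'virus'); file names are made up, "Wink" + characters per the page.
SAMPLE_LOG = r"""
>>> Virus 'W32/Klez-H' found in file C:\WINNT\SYSTEM32\WINKABC.EXE
>>> Virus 'W32/ElKern-C' found in file C:\WINNT\SYSTEM32\EXAMPLE1.EXE
"""
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Example1"="C:\\WINNT\\System32\\Example1.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkabc]
"ImagePath"="C:\\WINNT\\System32\\Winkabc.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winmgmt]
"DisplayName"="Windows Management Instrumentation"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services" + "\\"
VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="string data"

def infected_files(log_text):
    """Return the upper-cased paths from log lines that mention 'virus'."""
    paths = set()
    for line in log_text.splitlines():
        m = re.search(r"[A-Za-z]:\\.*$", line)  # path assumed to run to end of line
        if m and "virus" in line.lower():
            paths.add(m.group(0).strip().upper())
    return paths

def parse_reg(text):
    """Parse Regedit export text into {key: {value name: data}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())  # undo \\ and \"
            current[name] = data
    return keys

def registry_leftovers(log_text, reg_text):
    """List Run values that refer to logged files, and Wink* service keys, for review."""
    infected = infected_files(log_text)
    names = {p.rsplit("\\", 1)[-1] for p in infected}
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                cmd = data.upper().replace('"', "")
                if any(p in cmd for p in infected) or cmd.rsplit("\\", 1)[-1] in names:
                    findings.append(("run-value", name, data))
        elif key.lower().startswith(SERVICES.lower()):
            service = key[len(SERVICES):]
            if "\\" not in service and service.lower().startswith("wink"):
                findings.append(("service-key", service, values.get("ImagePath", "")))
    return findings

if __name__ == "__main__":
    print(*registry_leftovers(SAMPLE_LOG, SAMPLE_REG), sep="\n")
```

Regedit on Windows 2000/XP writes its export as UTF-16, so decode the file accordingly before passing its text in. The script only reports; the entries are still deleted in Regedit after the backup described above.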
 
LVL 1

Expert Comment

by:Computer101
Hello all,
I am Computer101, a moderator from Experts-Exchange and also an expert within this topic area. This question has been open a long time.  What I am going to do is allow feedback from the questioner and Experts.  If it is not resolved, I will delete or accept an answer based on the info I have been given. Experts, feel free to offer input.  I will monitor these questions for a period of 5-7 days and come back and evaluate.  I will have another moderator (who is also an expert in this topic area) look at the question also to ensure we do the right thing for this question.

Thank you
Computer101
Community Support Moderator
0
 
LVL 3

Expert Comment

by:pleasenospam
Without feedback it is impossible to solve a difficult problem like this.
This member is not a computer novice.
0
 

Expert Comment

by:mattx
try installing IE 6.  could have been that your system has "remembered" to lock down on the connection, even from a clean win98 install (harddisk formatted and all that stuff).  sounds strange, but it worked for me a number of times.
0
 
LVL 41

Expert Comment

by:stevenlewis
amazing, zero feedback from the user, and then a "C" grade
this grade should be changed
0
 
LVL 6

Expert Comment

by:Hunty
You have to admit that pallidin's comment was very good and was deserving of an A grade.  It dealt precisely with the KLEZ and apparently fixed the problem so......................
0
