Computer no longer receiving IP address from DHCP on router

Hi,
Two days ago we lost internet access from our home PC (desktop).  I investigated and found that the computer is no longer receiving an IP address via DHCP.  DHCP is running on my Cisco Linksys Wireless router.  The computer is connected via a cable to the router.

My laptop was, however, still working and connected wirelessly to the same router.  So I thought I'd test the wired connection with my laptop. I shut down the radio on my laptop and pulled the ethernet cable out of the desktop computer and plugged the same cable into the laptop.  I was able to renew the IP address at will, with no problems.  That meant that the problem lay solely with the desktop computer.

Rather than using DHCP, I tried to give the desktop a static address.  When I tried this, I was able to ping the router, but still could not connect to the internet.

Back to trying DHCP -- when I type ipconfig in the DOS shell, the only two entries are:

Autoconfiguration IP Address: 169.254.31.204
Subnet Mask:  255.255.0.0
(other fields are blank)

I tried disabling the realtek hardware, and re-enabling it -- no joy.

I tried downloading and installing the latest driver for the h/w -- also no joy.

(BTW, I tried rebooting both the router and the computer several times)

I'm about out of ideas.  The only other weird things that may be a coincidence (and I'm not sure I believe in all these things being a coincidence) are that on the same day the problem occurred, the following was also observed:

1.  My AVG virus program found 21 virus threats the night before, which it said it cleaned.
2.  My AVG virus program is now reporting that the email scanner is not fully functional (I've never seen this message before, and I've never touched its settings).
3.  Every time I reboot the computer, Windows now warns me that the firewall is turned off and prompts me to turn it back on (which I do).

So is it possible this is caused by a virus?

If so, what next?  (I've run the virus checker again and found one threat each night -- mljul1.exe the first night and A0023676.dll last night.)
If not, do you have any other ideas?

Thanks very much for your help!

Chris
Asked: sensfan07
 
poweruser32Commented:
I would look at completely removing the AV software from the computer and then trying it again. Remove the static address and try again; if it works, reinstall the AV.
Another thing I have found is that when you run into wireless problems, updating drivers doesn't help. Only the other day I just totally removed the wireless software and reinstalled it again; everything is fresh then.
 
IndiGenusCommented:
You may have 2 issues here now, and the network issue could certainly have been created by Malware.

It would help if we could see what was going on with your computer. I suggest that you download, run, and post a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

NOTE: Do not fix anything with HJT at this point, upload the log to the link below and just post the link to it back here.

http://www.ee-stuff.com
 
Michael Worsham (Infrastructure / Solutions Architect) Commented:
AVG (and other free software products like it) is one of those "you get what you pay for" items.

Look at running the Kaspersky online scanner on the PC. If possible, run HijackThis on it as well and cut-n-paste the output of its report here to see what else is hiding.

HijackThis: http://www.download.com/HijackThis/3000-8022_4-10379544.html
Kaspersky: http://usa.kaspersky.com/products_services/free-virus-scanner.php
 
sensfan07Author Commented:
Thank you,
The link below is the log output from HijackThis that I ran on my desktop computer.

One of you also suggested running the Kaspersky online scanner as well.  Unfortunately this is not possible because (due to the original problem), I can't get online with the desktop computer.

https://filedb.experts-exchange.com/incoming/ee-stuff/5637-HJT-log-071115-1.txt 
 
IndiGenusCommented:
Well you have quite a nice collection of Malware present there. One of the worst of it is AWF.
AWF replaces legitimate files, typically exe's, with the infected versions and places the good ones in a bak folder. Because the valid exe's get replaced now programs won't work any more. This will likely take several steps so please be patient.

Download FindAWF
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced that we need to look at.
Please upload it in your reply.
 
sensfan07Author Commented:
Thanks IndiGenus,
Doesn't sound too good.
I did as you asked.  The find awf file is uploaded at the link below.
https://filedb.experts-exchange.com/incoming/ee-stuff/5665-Find-AWF-Report-071116-1.txt 
 
sensfan07Author Commented:
Hi IndiGenus,

Are you around today to give me a hand in continuing to fix my problem with malware & DHCP?

Thanks for you help so far!
 
IndiGenusCommented:
I'm in and out today. Here is the next step though. I'll check in later today.

Please double-click the FindAWF icon once again.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Copy and paste the following list of files from between the lines to be restored:

-----------------------------------------------------------------
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Analog Devices\SoundMAX\bak\Smtray.exe"
"C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
-----------------------------------------------------------------

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
 
sensfan07Author Commented:
Thanks.  
 
OK, no problems --- the new FindAWF log is at the following link:
https://filedb.experts-exchange.com/incoming/ee-stuff/5678-Find-AWF-Report-071118-1.txt 
 
IndiGenusCommented:
Double-click the FindAWF icon once again.
This time we are going to remove the bak folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders between the line to be removed:

------------------------------------------------

C:\Program Files\QuickTime\bak
C:\Program Files\Analog Devices\SoundMAX\bak
C:\Program Files\Grisoft\AVG Free\bak
C:\Program Files\Common Files\Real\Update_OB\bak

------------------------------------------------

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Upload that please.

Also let me know how it's running at this point. I would advise you check those programs we just fixed: AVG, QuickTime, etc.
 
sensfan07Author Commented:
Ok, done.
The log file is at the link below.
https://filedb.experts-exchange.com/incoming/ee-stuff/5679-Find-AWF-Report-071118-2.txt 

I rebooted so that all that should be running is, especially AVG.
(Note that when I click on "Turn off Computer", it takes forever (35 sec) for the "Turn off Computer" pop-up to come up, and another 20 sec before the mouse pointer changes from an hourglass to an arrow so that I can select "Restart".  Meanwhile the rest of the screen fades to completely black.)

When it rebooted, I still got the message that the firewall is off, so I re-enabled the Windows firewall.
I plugged my network cable back in to see if it could now grab an IP address from my router, but no luck.
AVG was still complaining that the E-mail Scanner was not active, but since all email I receive on this computer is either via Yahoo, Hotmail, or a VPN, I shouldn't need this option, so I disabled it.

So, AVG seems to be running ok (although no noticeable change from before we ran options 1, 2, 3 on FindAWF).  I also opened QuickTime and that seemed to go ok, although I rarely use QuickTime for anything.

I've also pulled the network cable again for the time being.

What's next?

Thanks,
Chris
 
sensfan07Author Commented:
BTW, I believe the SoundMax application is the driver for my media card, and sound seems to still be ok.
 
IndiGenusCommented:
Okay, no surprise there, and I'm sure you're not clean yet. Just trying to deal with one issue at a time right now. You still need to run option four on the AWF tool.

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Reboot and run Hijackthis again and upload the file to see where we're at.
 
IndiGenusCommented:
I've just reviewed your last HJT log. If you get this post in time just do option 4 from above, then do the following:

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please upload the contents to http://www.ee-stuff.com.

-------------------------------------------

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disconnect from the Internet, then disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log. Upload to the following link and post the link to it back here.

http://www.ee-stuff.com

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.
 
sensfan07Author Commented:
OK, sounds good.  
Domain zones have been reset.
I rebooted and reran HijackThis.
The log is at the link below:

https://filedb.experts-exchange.com/incoming/ee-stuff/5681-HJT-log-071118-1.txt 

(Firewall was still disabled upon reboot.  I enabled Windows firewall again. Network cable still physically disconnected.)
 
IndiGenusCommented:
Also, your LSP stack is likely damaged, which is causing the network issues.

Please download LSPFix from: http://cexx.org/LSPFix.exe

Disconnect from the Internet and close all Internet Explorer and Explorer Windows.
Run the program.
On the opening screen, click the "I know what I'm doing" checkbox.
Check all instances of "rsvp322.dll" (and nothing else)
Move them to the "Remove" pane.
Then click Finish.

Reboot and check your network.
 
sensfan07Author Commented:
I just saw your last post (20309376) after I made my last reply.

Should I still follow your instructions?
Note that the computer that we're fixing is not able to connect to the internet.
I've been using my laptop to download files as needed and moving them to the problem desktop PC via a USB flash drive.
 
IndiGenusCommented:
Try the LSPFix first, see if that restores the network.
 
sensfan07Author Commented:
I ran LSP Fix.
There was only one instance of rsvp322.dll and it was already in the "Remove" pane.
I clicked Finish and it immediately came back with:
---------------------------------------------------------------
Repairs complete.

0 NameSpace provider entries removed.
0 NameSpace provider entries renumbered.
13 Protocol provider entries removed
11 Protocol provider entries renumbered.
---------------------------------------------------------------

I clicked OK and rebooted.

(The big delay in bringing up the Turn Off Computer window happened again, as did the disabling of Windows firewall, which I re-enabled.)

Once it finished rebooting I plugged the network cable back in to see if it would grab the IP address using DHCP from the router.  It recognized that the cable was connected (as before) and BAM! I now have a valid IP address. Great-thanks!!

What's next? Should I follow your steps from comment 20309376?
 
IndiGenusCommented:
Yesss...good job. Pick it up with SDFix (ID: 20309376), you are still VERY infected. But we can get it.
 
sensfan07Author Commented:
Ok, I rebooted & ran SDFix in safe mode as you described.
All was ok except that before it prompted me to hit a key to restart, a ton of "Access Denied" messages scrolled by in the window.  Is this important?
I had logged in using my usual account, but I noticed that there was an Administrator account now visible which hasn't been visible before.  Should I repeat the process after logging in as the Administrator?

I rebooted after SDFix finished and everything behaved as you described. The log file is at:
https://filedb.experts-exchange.com/incoming/ee-stuff/5682-SDFix-Report-071118-1.txt 
 
sensfan07Author Commented:
Note that I'm leaving my network cable disconnected (on the desktop PC that we're fixing) for the time being so that I don't get it reinfected by what we are removing.  I'll continue to transfer necessary up/downloads between my laptop and desktop using the USB flash drive.
 
IndiGenusCommented:
No, no need to repeat I don't think. Move on to combofix.
 
sensfan07Author Commented:
Ok, will do.

Note that when I click on "Turn off Computer", the pop-up box comes up immediately now, and the background fades to black&white.  Previously it was taking forever and fading to complete black.  So this seems to be fixed too.  .......on to combo fix now.....
 
sensfan07Author Commented:
Problem:  When I ran combofix, it came back with the following "ABORT" pop-up:

Current date is 2007-11-18.  This copy of ComboFix has expired.
Please download an updated copy.

I redownloaded and got the same error.
 
IndiGenusCommented:
Remove any and all versions you currently have. Then download and try the version of Combofix from this link:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
 
sensfan07Author Commented:
I tried downloading the file from the most recent link.  I didn't need to delete any old files because when it came up with the error message it automatically deleted the .exe file.  Unfortunately the same thing happened (same error message).  
I thought that it might be a problem running the .exe from the flash drive so I redownloaded and copied it to the desktop and reran it -- same error message, and it uninstalled the file from the desktop.
 
IndiGenusCommented:
There seems to be an issue with the current version of CF. I get the same error on my machine.

I will notify the proper people in the antimalware forums and find out what is going on. It's not you or your computer.
 
sensfan07Author Commented:
OK, thanks.  Anything else I should do in the meantime?
 
IndiGenusCommented:
Well, here's the story. CF has "timed out" and the developer has not uploaded a new version. CF is constantly updated, so the developer put in this feature so users would not use old versions. I have a link to the beta which should be fine to run. Just ran on my machine with no issues. For some reason this version doesn't time out for another day.

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
 
sensfan07Author Commented:
OK thanks, running now.....
 
IndiGenusCommented:
1. Please open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\nnmwsdgv.exe
C:\WINDOWS\eucubyhl.exe
C:\WINDOWS\system32\mob250.dll
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\pushow45.dll
C:\WINDOWS\cbyyww.dll
C:\WINDOWS\system32\tcpconn.exe

Folder::
C:\WINDOWS\system32\wsnpoem

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fe9823fe-a18c-47b5-bc43-f3c28de11b7f}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mob250]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235}]

---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log
 
sensfan07Author Commented:
OK, no problems.

The new ComboFix log is at:
https://filedb.experts-exchange.com/incoming/ee-stuff/5687-ComboFix-log-071118-2.txt 

and the new HijackThis file is at:
https://filedb.experts-exchange.com/incoming/ee-stuff/5688-HJT-log-071118-3.txt 

Note: The computer did not reboot, nor did I reboot it.
 
IndiGenusCommented:
Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on this:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

Then close all windows except this one and press Fix checked

What I would recommend now is to run some spyware and virus scans.

It was mentioned to run Kaspersky in post ID: 20292608. It won't fix anything, but save and upload the log to eestuff.

Also update and run your AVG AntiSpyware in Safe Mode. Have anything it finds quarantined.
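An added illustration (not from the thread, and not code from HijackThis, FindAWF or any other tool named here) of the two defender checks this thread turns on: recognising the 169.254.x.x autoconfiguration address in the question's ipconfig output as a failed DHCP lease, and flagging any entry other than the genuine userinit.exe in the Userinit value behind the HijackThis F2 line above. The ipconfig samples are constructed; the healthy 192.168.1.x lease is hypothetical.

```python
import ipaddress
import re

# Constructed sample mirroring the ipconfig output quoted in the question:
# only an Autoconfiguration (APIPA) address and no gateway, i.e. DHCP failed.
IPCONFIG_APIPA = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Autoconfiguration IP Address. . . : 169.254.31.204
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

# Constructed sample of a healthy lease (hypothetical 192.168.1.x values).
IPCONFIG_OK = """
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

# The HijackThis F2 line quoted in the thread (ntos.exe chained onto Userinit).
HJT_F2_LINE = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")  # link-local fallback range
# "Label . . . : value" lines; [ \t] instead of \s so a match never crosses lines.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z\- ]*?)[ .]*:[ \t]*(\S*)[ \t]*$", re.M)
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")


def dhcp_status(ipconfig_text):
    """Summarise one adapter's ipconfig output (single-adapter samples assumed;
    with several adapters, later fields would overwrite earlier ones)."""
    fields = {m.group(1).strip(): m.group(2) for m in FIELD_RE.finditer(ipconfig_text)}
    address = fields.get("IP Address") or fields.get("Autoconfiguration IP Address")
    apipa = bool(address) and ipaddress.ip_address(address) in APIPA_NET
    return {
        "address": address,
        "apipa": apipa,  # True means the host fell back because no DHCP lease arrived
        "gateway": fields.get("Default Gateway") or None,
    }


def userinit_from_hjt(line):
    """Return the Userinit value carried by a HijackThis F2 line, or None."""
    m = F2_RE.match(line.strip())
    return m.group(1) if m else None


def unexpected_userinit_entries(value, system_root=r"C:\WINDOWS"):
    """Everything in the comma-separated Userinit value other than the genuine
    userinit.exe; any survivor is a logon persistence entry worth investigating."""
    expected = (system_root + r"\system32\userinit.exe").lower()
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != expected]


if __name__ == "__main__":
    print(dhcp_status(IPCONFIG_APIPA))
    print(unexpected_userinit_entries(userinit_from_hjt(HJT_F2_LINE)))
```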
 
sensfan07Author Commented:
Ok, will do.

Sounds like that'll take a fair bit of time to complete (I know the AVG Spyware scan takes a few hours itself) so I'll probably get those results tomorrow morning.

As for Kaspersky, it looks as if this is an online scan (i.e. the computer will have to be connected to the internet).  Is it ok to do this now?  I would obviously re-enable the AVG virus scanner and Microsoft firewall, but I don't want to get back into the state I was in before you've given me all of this help.
 
IndiGenusCommented:
I think you are clean enough at this point to be safe connected to the internet. And yes, Kaspersky will take a while also. But I think we got most of it here.
 
sensfan07Author Commented:
OK, I'll let you know when the virus scan and spyware scan are finished.

I ran the HijackThis as you described, and fixed the one entry.  If it did anything it was instantaneous.
I scanned again and the same line ("F2 - REG.....") is there.  I assume this is expected?
 
IndiGenusCommented:
Is the whole line still present like this?

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

If so that's not good.

I am heading off to bed right now so will check in tomorrow. Have a feeling there's something I'm missing here.

@rpggamergirl - I would appreciate if you looked in on this mess and gave a second opinion here.
 
sensfan07Author Commented:
Yes, it is still present as you stated.
 
sensfan07Author Commented:
Good Morning,

So I ran the Kaspersky online scanner and it found a few things:
https://filedb.experts-exchange.com/incoming/ee-stuff/5710-Kaspersky-Report-071119-1.txt 

I then ran the AVG Anti-Spyware in safe mode and in normal mode and it didn't find anything.

The AVG Anti-Virus Scanner ran automatically last night as well and it found 8 threats. The log and summary are below:
https://filedb.experts-exchange.com/incoming/ee-stuff/5711-AVG-AntiVirus-log-071119-1.txt 
https://filedb.experts-exchange.com/incoming/ee-stuff/5712-AVG-AntiVirus-summary-071119-1.txt 

This morning, I thought I'd run HijackThis again.  When I did, the same line ("F2 - REG.....") was still there so I tried again to "Fix" it.  I scanned again and this time it was gone!  Not sure what the difference was between this morning and last night, but this time the line no longer appeared in the scan.  Both scan logs are below (before and after clicking Fix):
https://filedb.experts-exchange.com/incoming/ee-stuff/5713-HJT-log-071119-1.txt 
https://filedb.experts-exchange.com/incoming/ee-stuff/5714-HJT-log-071119-2.txt 
 
IndiGenusCommented:
Looks like you finally got it. Sometimes it's just a matter of persistence. Most of what is left is in your restore points or quarantined folders. If all is well you can clean up now.

Click START then Run...
Now type Combofix /u in the run box and click OK.  Note the space between the X and the U; it needs to be there.

When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
 
sensfan07Author Commented:
I ran Combofix /u and it came back pretty quickly with the message that ComboFix was uninstalled (there was never an option to select "2" or anything).

I ran AVG Anti-Virus scan again and it found 2 "threats":
- C:\WINDOWS\system32\drivers\etc\hosts   ----  This was changed.
- C:\WINDOWS\system32\ntos.exe --- This was infected by a virus identified as "Obfustat.YVQ" and was deleted.
 
sensfan07Author Commented:
Is there more clean-up to do?

I'm also wondering if I should have any other software or do other routine maintenance so that I am more protected and so that I don't get into the state I was in before you gave me all of the help?  
Any recommendations?
 
IndiGenusCommented:
I think you should be all set. Here is a link with some suggestions by one of the prominent members of the Antimalware community.

http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I
 
sensfan07Author Commented:
Thanks very much for all of your help.  You were patient, clear and very helpful.  I'm very impressed with my first use of this site.

Have a great day!
 
sensfan07Author Commented:
IndiGenus was patient, clear, responsive, and very helpful.  I'm very impressed with the first use of this site.
 
IndiGenusCommented:
You are quite welcome. Nice job on your end also, this was a pretty badly infected PC.

Good luck in the future,
Dave