Windows 7 loses internet connectivity, but local access is fine

I have a Windows 7 machine here that is constantly losing connection to the internet. The weird thing is that all local network shares are fine during these outages. I'm not having any internet issues on any other computers here, so it is not our internet connection. Some things I have tried:

Checked that the only A/V running is MSE (MS Security Essentials).
Disabled the ethernet card and switched to WiFi on the computer. Problem is still the exact same.
Pinged this machine from another in the office for 24+ hours with only a couple packets that were lost.
Ran HiJackThis and the log showed nothing out of the ordinary
Ran Malwarebyte's Antimalware a couple of times and that found nothing.
Disabled IPv6

The user has had this problem for a few weeks but I was only recently told about it. I looked at the history in MSE and it found "PWS:Win32/Zbot" on Oct 1. The user said that's probably about when it started. MSE said it cleaned it, but I'm wondering if maybe it didn't or it installed something else that wasn't found.

Anyone have any idea what might be going on?
bhilgenkampAsked:
Who is Participating?
 
bhilgenkampAuthor Commented:
Well I finally figured this one out this morning. There was a managed switch here with the same IP as the firewall. Changed that IP and all is good now. Things have been configured like this for at least a year so I don't know why it just recently started acting up.
0
 
bhilgenkampAuthor Commented:
0
 
Paul MacDonaldDirector, Information SystemsCommented:
How does it lose Internet connectivity?  Can you not browse web sites?  Have you tried more than one browser? When the problem occurs, can you still ping servers on the Internet?  When the problem occurs, can you do an ipconfig/all to verify you have a default gateway?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
bhilgenkampAuthor Commented:
How does it lose Internet connectivity?
Internet browsers stop loading pages, mail client constantly times out when trying to read/delete messages (IMAP)

Can you not browse web sites?
Correct, browsing dies

Have you tried more than one browser?
Yes - IE, FireFox, and Chrome

When the problem occurs, can you still ping servers on the Internet?
No, but DNS names do get resolved to the correct IP. Ex: ping google.com and it will say pinging xxx.xxx.xxx.xxx but it gets no replies. Pinging internal machines still works during this time.

When the problem occurs, can you do an ipconfig/all to verify you have a default gateway?
I have not checked this but will try to run this next time there is an outage.
0
 
Paul MacDonaldDirector, Information SystemsCommented:
So it's not a browser issue, but it's obviously a machine issue.  DNS works because resolution is taking place on a DNS server, not the affected machine.

It sounds like the machine is temporarily losing its default gateway, but that's a really, really weird thing to have happen.
0
 
younghvCommented:
I would try using both RogueKiller and Malwarebytes (again) with a fresh download of MBAM.

RogueKiller has 6 Menu Options to select; one of which may address your connectivity problem.
Details here:
Rogue-Killer-What-a-great-name

MBAM can be blocked by some forms of malware, which is why it always a good idea to run RogueKiller immediately before doing that scan.
Details here:
Stop-the-Bleeding-First-Aid-for-Malware

Please be sure to post (as attachments) all logs that are generated by both programs.
0
 
bhilgenkampAuthor Commented:
I've ran ipconfig /all a few times during the internet outages and the gateway stays correct each time. I'll try the Rogue Killer and MBAM tonight when the user leaves for the day.
0
 
bhilgenkampAuthor Commented:
OK, I ran RogueKiller and then MBAM right after that and still nothing was found. I've attached the log files from both.
mbam-log-2011-10-18--18-47-02-.txt
RKreport-1-.txt
RKreport-2-.txt
0
 
younghvCommented:
I'll ask Tigzy (creator of RogueKiller) to review your logs, but it looks as though rogue processes were found and stopped.

Go ahead and run Menu Options 3-6 and post those logs also. I am sure he will want to see them
0
 
JonveeCommented:
While you are waiting for log review reports from younghv and Tigzy, may i suggest you try running ComboFix which could well find the problem.

Download CF from here, and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, or Shields that you may have running.
It may be necessary to rename ComboFix.exe, before saving it to your desktop.

Double click "combofix.exe"(or the renamed ComboFix.exe) and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
Please post that log here.

ComboFix should be run in normal mode, in the way it was designed.

Should you need it>   A guide and tutorial on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Incidently HiJackThis was unlikely to detect the more recently (advanced) Malware, so it's unlikely to show anything out of the ordinary in the log file.

If still unresolved, and your Internet connectivity is still unreliable, it could possibly be corrupted WinSock settings.
0
 
bhilgenkampAuthor Commented:
RogueKiller logs are numbered 3-6, each number corresponds to the menu option I ran

It appears ComboFix removed something, but the problem still exists.


RKreport-3-.txt
RKreport-4-.txt
RKreport-5-.txt
RKreport-6-.txt
ComboFix.txt
0
 
JonveeCommented:
Thanks for the logs.   Yes, ComboFix removed what appears to be one problem, g2mdlhlpx.exe, and its a 'problem file' that's mentioned in this next link ...i'm still studying it:
http://www.google.com/support/forum/p/Web+Search/thread?tid=6df7e15519290612&hl=en&start=160 

Therefore, as you've already scanned with MSE and still having internet difficulties, i suggest you now try running tdsskiller to see if it finds anything:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Download the file TDSSKiller.zip and extract it into a folder
Execute the file TDSSKiller.exe.
Wait for the scan and disinfection process to be over.
Close all programs and press “Y” key to restart your computer.
Please post the resulting log here.

More detail TDSSKiller tutorial:
http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 
bhilgenkampAuthor Commented:
Slight update if this helps - I was pinging my default gateway on this computer while randomly browsing websites just to see if it would drop packets to the gateway. I noticed the TTL on the pings would change from 255 to 64, then back to 255, then 64, etc... When the TTL was 255 I had no internet connection, but at 64 it would come back. Maybe this helps diagnose the issue.

C:\Users\Admin>ping -t 192.168.1.254

Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=5ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=3ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time<1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time<1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time<1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=8ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64
Reply from 192.168.1.254: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.1.254:
    Packets: Sent = 161, Received = 161, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 8ms, Average = 1ms

Open in new window

0
 
JonveeCommented:
In assuming for the moment that TDSSKiller did not detect a rootkit, there is still another option.   FixTDSS.exe from Symantec has often been recommended here for browser issues, and well worth trying:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

This is not a case of simply throwing various apps at the problem, it often does take a number of scanners to fully disinfect a machine.

Cannot add anything useful to your 'TTL information'.

Incidently by studying the ComboFix log it may be possible to write a small script, then rerun CF.  Ideally for that option we need rpggamergirl's skills...
0
 
JonveeCommented:
Update:  have studied the CF log file and cannot identify any other definite nasty.

Reference:  
>> Orphans Removed:
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)  <<

If you re-ran CF it should show if this entry has regenerated ...previously it was removed.
The entry resembled part of an Ask Toolbar BHO.
For information only:  http://www.file.net/process/genericasktoolbar.dll.html
0
 
JonveeCommented:
>>If you re-ran CF it should show if this entry has regenerated <<

Meant more as a last resort if the two "TDSS" apps don't find anything.
0
 
bhilgenkampAuthor Commented:
I ran TDSSKiller and it did not find anything. I need to wait to run FixTDSS until the user leaves since it requires a restart. TDSSKiller log attached.

TDSSKiller.txt
0
 
bhilgenkampAuthor Commented:
Ran FixTDSS and it said nothing was found.
TDSS-Fix-Tool-Results.PNG
0
 
JonveeCommented:
Assuming for the moment that the problem could be corrupted WinSock settings, you may like to see this MS article.
Its advisable to creat a System Restore point before you try resetting the Winsock protocol.  
At the command prompt type the following:
netsh winsock reset

Scroll down for details ...
"How to troubleshoot network connectivity problems in Internet Explorer":
http://support.microsoft.com/kb/936211
0
 
JonveeCommented:
0
 
JonveeCommented:
Later thoughts ...  unlikely, but has this particular computer got its own Router?  
If yes, the router may require a reset, or could even be infected.

Not sure if this is helpful, but see sub-heading "Time To Live (TTL)" for TTL info:
http://www.fifi.org/services/ping-help

A bit risky, but have you tried momentarily disabling AV, firewall, antiMalware, etc..?

Thanks for the FixTDSS log.
0
 
bhilgenkampAuthor Commented:
I've reset WinSOCK and it's still happening.

This machine does not have it's own router. It is on a switch with the other PCs in that part of the building and no one else is having these issues. I've plugged it in to a completely different switch and still have the same issues.

I have tried disabling AV, antimalware, etc. and the issue persists.

One last note that I found odd - I logged in to our firewall and started pinging this machine. When there is a loss of internet connectivity the pings just seem to pause - there are no dropped packets and when the replies start coming back they are still <1ms. I'm somewhat wondering if the firewall (SmoothWall Express 3.0-polar-i386) might be to blame, but no one else is seeing these issues so it made me think it was a single machine.

Also worth noting is the computer with the problems is the only Win7 machine here (I should have mentioned this earlier).
0
 
JonveeCommented:
If it is not due to the Firewall, wonder if there is a connection between having a Display or Network adaptor option checked so that it is set to "Allow the computer to turn off this device to save power", and it is this setting which is causing momentary(?) internet connectivity loss.  
You may need to checkout at least two adaptors.

[ Device Manager > Network Adaptor > properties > Power Management tab ].
0
 
bhilgenkampAuthor Commented:
A bit of an update:
I pulled a Win7 laptop off the shelf and it's having the same issues, if not worse. I was completely unable to get on the internet with it until I pinged it from my firewall, and then the connection started working. So this now means that it's not a single machine with problems, but is coming down to something about Win7 not liking something on my network, or something on my network not liking Win7. The odd thing though is that the original problem computer has been working correctly all week, even though I didn't make any changes to it or my network. But yesterday I was having the problems with the laptop, while the original computer with issues was working fine. Think I'm about to pull my hair out on this one lol.... When I connected the laptop it knew what network I was on (I set up a dozen or so of these laptops last month without a single issue). Is there any way to remove Windows' memory of what network it is on? In other words, it knew the network name I was one based off the WiFi connection name, but even when I shut off WiFi and connected via ethernet it picked up that name again. So I'm wondering if I can clear that out of it's list and start from scratch maybe it will work?
0
 
JonveeCommented:
Thanks for the new update but regret I am unable to add any new, constructive suggestions at this time.  If you get no more assistance in the hours ahead, may I suggest you click the "Request Attention" key at the top right of this thread to summon a Moderator, who, at your request, may offer this question in yet another Zone.  Naturally i'll monitor the outcome - good luck.
0
 
bhilgenkampAuthor Commented:
I chose my solution because that was the issue
0
 
Paul MacDonaldDirector, Information SystemsCommented:
Interesting!  I was in the ballpark when I said "It sounds like the machine is temporarily losing its default gateway...", but I wouldn't have guessed what you ended up finding.  Thanks for sharing the solution.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.