Removed some malware off work computer. Now it doesn't connect to the network

Mike9999

New Member
*Just to clarify, I don't have internet access. I also reset everything (hosts file, flushed DNS, released and renewed DHCP, etc.) with a program called "netadapter repair all in one" that is on the bleeping computer site.*


So I had some malware on the computer, it was "dns" something. I think it was DNS unlocker but I'm not 100% sure. I removed it with malwarebytes & adwcleaner and it now recognizes that it's connected via ethernet cable, but it says unrecognized network. It's a Windows 7 PC and it worked fine before and other Windows 7 PCs work fine.

I believe it has to do with the sonicwall or something else. We have a cable modem/router (2 in 1), a big switch, and a sonicwall. I tried restarting all of them, but that didn't help. So I bypassed the sonicwall and it works, but now that computer doesn't see the network printer!

So basically I would be ok with bypassing the sonicwall as long as I can get the network printer to be recognized, but it's not, and when I open an explorer window and click on "network" on the left, the other computer that is connected through the sonicwall doesn't show up so I can access the shared printer (the printer is connected via USB to the other computer for now temporarily so 1 computer can use it).

I would prefer to do things correctly and have it work with the sonicwall, but I'm not sure how, any ideas?

Some things I noticed or tried:

1. The computer that does work has an IP, subnet mask, etc. put into it while the computer that doesn't work has it set to obtain the IP automatically. I tried adding +1 to the end of the IP address and entering it in the second computer (so the one that works has the IP 10.10.5.5 (just an example) and I tried 10.10.5.6 in the one that doesn't work) and that didn't work.

2. Tried "diagnosing" it with Windows but it couldn't fix it.

3. Under network and sharing, it shows (NAME OF PC) ---> Unidentified network (I think that's what it said) ---> internet, but it had an "X" in between unidentified network and internet. Clicking on the "X" didn't fix it. Under "active network" it said "public network" and it wouldn't let me change it, but I used a Microsoft Fix it tool to change it to "work network" like the other computer and it didn't help.

4. Under "network map" it showed the PC I was using and the gateway, but nothing else after the gateway. It did show another computer we don't use that is connected, that one is bypassing the firewall as well.

The other computer that does work shows more than just "gateway" and it has a few things after it on the map (can't remember what they were)

5. I tried removing the driver for the ethernet card and reinstalling it. It didn't fix it. I tried reseating the cable on both ends and using a laptop and the internet didn't work on a laptop either.

Any ideas?
 

johnb35

Administrator
Staff member
Since this is a Windows 7 PC, let's try running ComboFix to check for additional malware.
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here :

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

    cf-icon.jpg
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

    cf-preparing.jpg

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

    erunt.jpg

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    recovery-console-prompt.jpg

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    still-scanning-clockchanges.jpg

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.

If for some reason you try to run a program or open a file and you get an error message saying "illegal operation attempted on a registry key that has been marked for deletion", please just reboot your PC and you'll be fine.


In your next reply please post:

The combofix log
 

Mike9999

New Member
Hi johnb35, I'm not at work yet, but I will try combofix. One question though, isn't this a settings related problem?

The reason I was thinking this is because the computer that does work has an IP address, default gateway, etc. assigned. The computer that doesn't is set to automatically obtain that information. How can I get the correct IP address for the second computer? The ISP says we don't have static IPs, so I'm assuming somehow I can get it from the sonicwall? I've never used one before, but do you think it's in the settings maybe?
 

johnb35

Administrator
Staff member
You haven't posted any malware logs for me to see. Not sure what infection you had, but certain infections do play havoc with the internet connection, such as the ZeroAccess rootkit. Let's make sure you're actually malware free first.

However, are you the network admin for these computers?
> The ISP says we don't have static IPs

That just means your external IP address isn't static, meaning it changes now and then. You pay extra to have a static external IP. You can manually create static internal IPs though, and it doesn't matter if one machine is set for a static IP and the other isn't.

Did you run junkware removal tool as well? Can you post the logs for the scans you've done?
 

Mike9999

New Member
I'm sorry I didn't save the logs. It was DNS unlocker that was removed, I ran TDSS Killer, rkill, adw cleaner, JRT, and malwarebytes in that order. I will post the combofix log once I get to work and run it.

I am the only "computer guy" we have. I wasn't the one that set the sonicwall up and I can't get a hold of the person that did.


> it doesn't matter if one machine is set for a static IP and the other isn't.

So the sonicwall doesn't require the computers to have a specific IP to access the network through it?
 

johnb35

Administrator
Staff member
Hold on, I'll get one of the network gurus to answer that. In a normal network setup, it doesn't, but not sure about through a sonic wall.

@beers
 

beers

Moderator
Staff member
Yo dawgs,

It depends really on the specific configuration in the SonicWALL. Usually you'll have an outbound PAT address that stuffs all of the traffic to the Internet behind a single IP or pool, and the firewall keeps track of which port maps to which LAN client that initiated it. The outside and inside interfaces of the FW are separate network segments with their own addressing.

Usually an ACL on the firewall will reference an entire subnet, so you can get whatever DHCP address in that range and your traffic will still apply to that access list.
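
The behaviour described in the post above, as an added example that is not part of the original thread: a minimal Python model of a subnet-wide ACL followed by outbound PAT. The /24 mask, the outside address 203.0.113.10, the starting port and all names are assumptions for illustration; 10.10.5.5 is the example address used earlier in the thread.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed values: the thread never states the real mask or outside address.
LAN_SUBNET = ipaddress.ip_network("10.10.5.0/24")
OUTSIDE_IP = "203.0.113.10"  # documentation-range address, constructed


def acl_permits(src_ip: str) -> bool:
    """Subnet-wide ACL: any source inside LAN_SUBNET matches, static or DHCP."""
    return ipaddress.ip_address(src_ip) in LAN_SUBNET


@dataclass
class PatTable:
    """Tracks which outside port maps to which LAN client that opened the flow."""
    next_port: int = 20000
    out_map: dict = field(default_factory=dict)  # (lan_ip, lan_port) -> outside port
    in_map: dict = field(default_factory=dict)   # outside port -> (lan_ip, lan_port)

    def translate_outbound(self, src_ip: str, src_port: int):
        if not acl_permits(src_ip):
            return None  # source is outside the permitted subnet: dropped
        key = (src_ip, src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return (OUTSIDE_IP, self.out_map[key])

    def translate_inbound(self, outside_port: int):
        # None means no LAN client initiated a flow on this port.
        return self.in_map.get(outside_port)


if __name__ == "__main__":
    pat = PatTable()
    # Constructed clients: one static, one DHCP-style, one outside the subnet.
    for ip in ("10.10.5.5", "10.10.5.137", "169.254.12.34"):
        print(ip, "->", pat.translate_outbound(ip, 51000))
    print("reply to port 20001 goes to", pat.translate_inbound(20001))
```

Two clients using the same source port still get distinct outside ports, which is how the firewall tells their return traffic apart.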
 

Mike9999

New Member
> Usually you'll have an outbound PAT address that stuffs all of the traffic to the Internet behind a single IP or pool

Does this mean I can put the same IP address that is in the working computer into the one that doesn't work? Sorry I have no idea how this stuff works.
 

beers

Moderator
Staff member
I don't think your issue is a DHCP/Static one, if you get a valid address in that subnet for the PC then it really doesn't make a difference. You'd be best off using DHCP for workstations since you would avoid duplicate allocations.
 