Losing Local Area Connection after System Restore


  • This topic is locked
16 replies to this topic

#1 BillyAcer

Posted 20 May 2011 - 06:28 AM

Greetings,

You folks all do wonderful work, and I just wanted to thank you all first and foremost.

Now my problem:

My PC is losing its Local Area Connection after going into sleep mode. (I think). A reboot brings it back. I was online last night, this AM, the icon at the bottom said "Limited or no connectivity". The repair mode on the LAC did not work, a message said, "no IP found". As I said, rebooting brings my internet back.

This never happened before I did a system restore and clean up, (I also put in a firewall), so somehow the computer is losing its IP.

#2 USN Vet

Posted 20 May 2011 - 11:41 AM

How about some info on your PC modem, browser, etc.?

What firewall, and exactly what did you clean up?

Edited by USN Vet, 20 May 2011 - 11:43 AM.

Feel free to ignore my comment, just another user !

#3 BillyAcer

Posted 20 May 2011 - 08:39 PM

Hello,

I had a Google redirect problem and after flushing the DNS and running Combofix, the problem went away. I then did a defrag. I was advised to put in a firewall, which I did. (Online Armor, which is currently running) I created a restore point and then ran the "clean up" button on OTL. This is, I believe, when the problem began. The next morning I discovered the problem. Tonight, I had to reboot again to get connected.

I have a Motorola modem and use Firefox as a browser. Other computers using the router are fine.

#4 Broni

Posted 20 May 2011 - 11:28 PM

Most likely, you're still infected.

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

#5 BillyAcer

Posted 21 May 2011 - 07:38 AM

Broni,

Do you really think I'm still infected? I went through two teams before I came here. My computer was working fine for a few days, no redirects or problems before the final-post cleanup- defrag/clean up. Even now, no redirect problems at all.

As an update, lost Default Gateway, and DNS Server sometime during the night. Reboot brought it back, but Windows was having a problem with the Online Armor firewall, which it removed. I reset the Windows firewall to protect, so let's see if this problem returns.

Edited by BillyAcer, 21 May 2011 - 07:39 AM.


#6 Broni

Posted 21 May 2011 - 10:32 AM

Keep us posted then...

#7 BillyAcer

Posted 21 May 2011 - 01:20 PM

Well, I don't know what is going on? Computer went back to welcome screen and when I clicked on user name, again had no connectivity. Rebooted to get online, that worked, but now, Online Armor is running again. Should I remove it?

Before rebooting, I checked on the "no connectivity" icon, checked the Local Area Connection. The detail of that was: No Default Gateway, No DNS Server.

How many DNS servers should one have? I have 2 listed.

#8 Broni

Posted 21 May 2011 - 01:23 PM

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

#9 BillyAcer

Posted 21 May 2011 - 01:37 PM

OK:
MiniToolBox by Farbar
Ran by BoB (administrator) on 21-05-2011 at 14:29:58
Microsoft Windows XP Service Pack 3 (X86)
***************************************************************************
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================
127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

Host Name . . . . . . . . . . . . : BOB_Hp_Tower

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Mixed

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No


Ethernet adapter Local Area Connection:


Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC

Physical Address. . . . . . . . . : 00-40-2B-33-CE-1D

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.101

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 167.206.245.129

167.206.245.130

Lease Obtained. . . . . . . . . . : Saturday, May 21, 2011 1:07:17 PM

Lease Expires . . . . . . . . . . : Sunday, May 22, 2011 1:07:17 PM

Server: vdns1.srv.prnynj.cv.net
Address: 167.206.245.129

Name: google.com
Addresses: 74.125.91.103, 74.125.91.147, 74.125.91.99, 74.125.91.106
74.125.91.105, 74.125.91.104


Pinging google.com [74.125.91.105] with 32 bytes of data:


Reply from 74.125.91.105: bytes=32 time=23ms TTL=52

Reply from 74.125.91.105: bytes=32 time=23ms TTL=52


Ping statistics for 74.125.91.105:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 23ms, Maximum = 23ms, Average = 23ms

Server: vdns1.srv.prnynj.cv.net
Address: 167.206.245.129

Name: yahoo.com
Addresses: 69.147.125.65, 72.30.2.43, 98.137.149.56, 209.191.122.70
67.195.160.76



Pinging yahoo.com [72.30.2.43] with 32 bytes of data:



Reply from 72.30.2.43: bytes=32 time=98ms TTL=50

Reply from 72.30.2.43: bytes=32 time=108ms TTL=50



Ping statistics for 72.30.2.43:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 98ms, Maximum = 108ms, Average = 103ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 40 2b 33 ce 1d ...... Realtek RTL8139/810x Family Fast Ethernet NIC
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.101 192.168.1.101 20
192.168.1.101 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.101 192.168.1.101 20
224.0.0.0 240.0.0.0 192.168.1.101 192.168.1.101 20
255.255.255.255 255.255.255.255 192.168.1.101 192.168.1.101 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/18/2011 07:06:46 AM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 2.0.1.4120, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (05/18/2011 06:59:20 AM) (Source: ESENT) (User: )
Description: svchost (1164) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (05/18/2011 06:58:41 AM) (Source: ESENT) (User: )
Description: svchost (1164) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (05/12/2011 00:25:14 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\KATIE\WINDOWS\SYSTEM> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (05/12/2011 00:25:13 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\HELPASSISTANT\WINDOWS\SYSTEM> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (05/08/2011 10:12:39 PM) (Source: Application Hang) (User: )
Description: Hanging application gmer.exe, version 1.0.15.15627, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (05/08/2011 09:21:56 AM) (Source: ESENT) (User: )
Description: Catalog Database (1416) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb is partially attached. Attachment stage: 3. Error: -1032.

Error: (05/08/2011 09:21:56 AM) (Source: ESENT) (User: )
Description: svchost (1416) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (05/05/2011 09:47:12 PM) (Source: Application Hang) (User: )
Description: Hanging application gmer.exe, version 1.0.15.15572, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (05/03/2011 02:14:48 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\BOB\NTUSER.INI> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


System errors:
=============
Error: (05/21/2011 01:38:09 PM) (Source: DCOM) (User: BoB)
Description: Unable to start a DCOM Server: {2F09DFE2-278B-49F7-ABAD-63BED2E84984}.
The error:
"%%5"
Happened while starting this command:
C:\PROGRA~1\WILDTA~1\DDC\DDCMAN~1\DDCMan.exe -Embedding

Error: (05/21/2011 01:10:31 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
TfFsMon
TfSysMon

Error: (05/21/2011 07:34:38 AM) (Source: DCOM) (User: BoB)
Description: Unable to start a DCOM Server: {2F09DFE2-278B-49F7-ABAD-63BED2E84984}.
The error:
"%%5"
Happened while starting this command:
C:\PROGRA~1\WILDTA~1\DDC\DDCMAN~1\DDCMan.exe -Embedding

Error: (05/21/2011 07:32:59 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
TfFsMon
TfSysMon

Error: (05/20/2011 09:11:06 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
TfFsMon
TfSysMon

Error: (05/20/2011 09:10:41 PM) (Source: DCOM) (User: BoB)
Description: Unable to start a DCOM Server: {2F09DFE2-278B-49F7-ABAD-63BED2E84984}.
The error:
"%%5"
Happened while starting this command:
C:\PROGRA~1\WILDTA~1\DDC\DDCMAN~1\DDCMan.exe -Embedding

Error: (05/20/2011 08:58:22 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (05/20/2011 08:58:22 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (05/20/2011 07:03:44 AM) (Source: DCOM) (User: BoB)
Description: Unable to start a DCOM Server: {2F09DFE2-278B-49F7-ABAD-63BED2E84984}.
The error:
"%%5"
Happened while starting this command:
C:\PROGRA~1\WILDTA~1\DDC\DDCMAN~1\DDCMan.exe -Embedding

Error: (05/20/2011 06:59:59 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
TfFsMon
TfSysMon


Microsoft Office Sessions:
=========================
Error: (05/18/2011 07:06:46 AM) (Source: Application Hang)(User: )
Description: firefox.exe2.0.1.4120hungapp0.0.0.000000000

Error: (05/18/2011 06:59:20 AM) (Source: ESENT)(User: )
Description: svchost1164C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (05/18/2011 06:58:41 AM) (Source: ESENT)(User: )
Description: svchost1164C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (05/12/2011 00:25:14 AM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\DOCUMENTS AND SETTINGS\KATIE\WINDOWS\SYSTEM

Error: (05/12/2011 00:25:13 AM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\DOCUMENTS AND SETTINGS\HELPASSISTANT\WINDOWS\SYSTEM

Error: (05/08/2011 10:12:39 PM) (Source: Application Hang)(User: )
Description: gmer.exe1.0.15.15627hungapp0.0.0.000000000

Error: (05/08/2011 09:21:56 AM) (Source: ESENT)(User: )
Description: Catalog Database1416C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb3-1032

Error: (05/08/2011 09:21:56 AM) (Source: ESENT)(User: )
Description: svchost1416C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (05/05/2011 09:47:12 PM) (Source: Application Hang)(User: )
Description: gmer.exe1.0.15.15572hungapp0.0.0.000000000

Error: (05/03/2011 02:14:48 AM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\DOCUMENTS AND SETTINGS\BOB\NTUSER.INI


========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 67%
Total physical RAM: 1021.98 MB
Available physical RAM: 333.46 MB
Total Pagefile: 1696.71 MB
Available Pagefile: 1057.78 MB
Total Virtual: 2047.88 MB
Available Virtual: 1995.96 MB

======================= Partitions: =======================================

1 Drive c: (HP_PAVILION) (Fixed) (Total:50.9 GB) (Free:14.52 GB) NTFS
2 Drive d: (HP_RECOVERY) (Fixed) (Total:5.02 GB) (Free:1.18 GB) FAT32

================= Users: ==================================================

User accounts for \\BOB_HP_TOWER

-------------------------------------------------------------------------------
Administrator ASPNET BoB
Guest HelpAssistant Katie
Owner SUPPORT_388945a0 SUPPORT_fddfa904
The command completed successfully.

================= End of Users ============================================

#10 Broni

Posted 21 May 2011 - 01:46 PM

Your settings are correct, but looking at your Event Viewer, I can see two items giving you some problems:

1. ThreatFire - I suggest, you uninstall it

2. DDCMan.exe - see here: http://www.bleepingcomputer.com/startups/DDCMan.exe-1196.html
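
The reading done by eye in the post above (the same driver-load and DCOM failures repeating in the "System errors" section) can be reproduced mechanically. This is an added example, not part of the original thread or of MiniToolBox: a Python parser for the log layout shown in post #9, with hypothetical function names and a sample of five entries copied from that log.

```python
import re
from collections import defaultdict

# Constructed sample: five entries copied from the "System errors" section of the log above.
SAMPLE_LOG = r"""
Error: (05/21/2011 01:38:09 PM) (Source: DCOM) (User: BoB)
Description: Unable to start a DCOM Server: {2F09DFE2-278B-49F7-ABAD-63BED2E84984}.
The error:
"%%5"
Happened while starting this command:
C:\PROGRA~1\WILDTA~1\DDC\DDCMAN~1\DDCMan.exe -Embedding

Error: (05/21/2011 01:10:31 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
TfFsMon
TfSysMon

Error: (05/21/2011 07:34:38 AM) (Source: DCOM) (User: BoB)
Description: Unable to start a DCOM Server: {2F09DFE2-278B-49F7-ABAD-63BED2E84984}.
The error:
"%%5"
Happened while starting this command:
C:\PROGRA~1\WILDTA~1\DDC\DDCMAN~1\DDCMan.exe -Embedding

Error: (05/21/2011 07:32:59 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
TfFsMon
TfSysMon

Error: (05/20/2011 08:58:22 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
"""

HEADER = re.compile(
    r"^Error: \((?P<when>[^)]+)\) \(Source: (?P<source>[^)]+)\) ?\(User: (?P<user>[^)]*)\)$")

def parse_entries(text):
    """Split a MiniToolBox event-log section into entries (header fields + body lines)."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append(dict(m.groupdict(), body=[]))
        elif entries and line:
            entries[-1]["body"].append(line)
    return entries

def recurring(entries, min_count=2):
    """Return (source, first body line, timestamps) for errors repeated verbatim."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["source"], tuple(e["body"]))].append(e["when"])
    return sorted((src, body[0] if body else "", whens)
                  for (src, body), whens in groups.items() if len(whens) >= min_count)

def failed_drivers(entries):
    """Driver names listed under Service Control Manager 'failed to load' errors."""
    names = set()
    for e in entries:
        if e["source"] == "Service Control Manager" and "failed to load" in " ".join(e["body"][:1]):
            names.update(e["body"][1:])
    return sorted(names)
```

On the sample, `recurring(parse_entries(SAMPLE_LOG))` surfaces the DCOM and Service Control Manager errors and leaves out the one-off W32Time entry; `failed_drivers` returns the driver names to look up.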


#11 BillyAcer

Posted 21 May 2011 - 02:40 PM

Where do I find these?

#12 Broni

Posted 21 May 2011 - 02:45 PM

ThreatFire should be listed in Add\Remove.

As for the other....

Download Autoruns for Windows: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
No installation required.
Simply unzip Autoruns.zip file, and double click on autoruns.exe file to run the program.
Go File>Save, and save it as AutoRuns.txt file to known location.
You must select Text from drop-down menu as a file type:


Attach the file to your next reply.

#13 BillyAcer

Posted 21 May 2011 - 06:55 PM

Not sure if I removed the DDCMan files and could not find Threatfire.

Would these cause me to lose internet?

Attached File: AutoRuns.txt (41.46KB)

#14 Broni

Posted 21 May 2011 - 07:11 PM

Would these cause me to lose internet?

I don't know.
We're just trying to eliminate possible culprits.

Now, couple of things, I see from your Autoruns log.

1. I can see either some infection, or some infection leftovers, so I suggest, you start new topic in "Am I Infected?" forum.

2. Re-run Autoruns, scroll down to "HKLM\System\CurrentControlSet\Services" section and UN-check:

+ "TfFsMon"
+ "TfNetMon"
+ "tfsnifs"
+ "TfSysMon"

Restart computer.

#15 BillyAcer

Posted 21 May 2011 - 07:33 PM

OK, will do. When you uncheck them, what happens? What infection or leftovers did you see?

Edited by BillyAcer, 21 May 2011 - 07:33 PM.




