
Zero internet access, typical troubleshooting already tried



#1 mogle222

Posted 19 December 2014 - 07:41 PM

I cannot access any service that uses the internet; the router acknowledges that I am on the network.
TDSSKiller, McAfee, Malwarebytes, Avast: all detect nothing.
I rebuilt a new PC recently.
Every single time I boot the computer I get 50 errors related to mswsock.dll, and it is basically saying it's related to every single program that uses the internet.
Recently I am also getting a "failed to find socket" error.

#2 mogle222


Posted 19 December 2014 - 08:03 PM

Windows 7 64-bit OEM
Intel Core i7-4790K unlocked
8GB RAM
2TB hard drive

#3 mogle222


Posted 20 December 2014 - 11:47 AM

So I managed to fix my problem myself by following the steps typically used on bleepingcomputer.com and malwarebytes.org to fix and/or find malware, rootkits, and viruses.
To test whether my internet problems were a user error or a bad network config, I ran command prompt as Admin, then typed "ping google.com". The results of the test showed I had no problems connecting to the internet.
My results found that I had a powerful version of Poweliks that hid itself in my mswsock.dll file.
According to Windows, this file pretty much has to do with your internet, and how your computer will access it.
Symptoms I had:
- Slow computer
- Errors spitting out pertaining to mswsock.dll "either missing or working incorrectly"
- ANY AND ALL PROGRAMS that have an internet connection involved will not open no matter what, but malware programs not dependent on internet access will work.
Poweliks information and why it isn't detected (I found out I had one of the newest revisions of Poweliks as of 12/3/14):
https://blog.malwarebytes.org/security-threat/2014/11/no-more-poweliks/
The link above shows that Poweliks isn't detected by Malwarebytes because it hides in commonly used processes.

Methodology to solve my problem came from:
http://www.bleepingcomputer.com/forums/t/443790/mswsockdll-infected-antivirus-doesnt-fix-it/

Edited by mogle222, 20 December 2014 - 12:03 PM.


#4 mogle222


Posted 20 December 2014 - 11:49 AM

If any of the problem solvers on here would like to see my logs, reply here (it will help me see if there is a hole in my methodology).
Also it would be nice to know if I did everything I could to prevent Poweliks coming back.

#5 quietman7


Posted 20 December 2014 - 12:24 PM

Your methodology link points to a topic almost 3 years old, before the existence of Poweliks. Eset released a PoweliksCleaner which works in most cases. However, Poweliks has the ability to download more malicious files, so systems risk being infected by other malware, causing a more damaging infection if the removal tool is not used in time.
 
What is Poweliks?

Poweliks has reportedly been delivered through social engineering...by opening malicious spam emails (attachments) that claim to be a missed package delivery from the Canadian Post or U.S. Postal Service purportedly carrying tracking information. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment. Poweliks can also spread via exploit kits that deliver drive-by downloads.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 mogle222


Posted 20 December 2014 - 12:51 PM

Wow, it's nice to see someone give me the response I was looking for. I am also honored that a Global Mod took time to answer me.
You see, I am currently studying for a Bachelor's in Digital Forensics and Information Assurance. While I know a lot in those areas, I know very little about malware.
My college emphasizes methodology, which is why I asked for peer review.

So anyway, I am running ESET Online Scanner now. I already cleaned up with CCleaner, but I didn't delete the logs, so that I can write a malware analysis report later (I like having probs to learn and write about).

So based on what you said, you are suggesting I also run ESET's Poweliks Cleaner?

As of 11:54 AM Central Time, ESET Online Scanner has found 5 PUPs. According to what the scanner identifies them as, they are:
Win64/Systweak.A
Win32/Toolbar.Conduit.AH
Win32/Adware.ShandaAdd.A
Win32/Hao123.A
Win32/Toolbar.Conduit.Y

Now, I had used rkill64 and then, without rebooting, used AdwCleaner from bleepingcomputer.com.
After it was finished it said it deleted those same exact PUPs that are listed above. But I guess they are back again.

Edited by mogle222, 20 December 2014 - 01:04 PM.


#7 quietman7


Posted 20 December 2014 - 01:00 PM

...So based on what you said, you are suggesting I also run ESET's Poweliks Cleaner?

If you are experiencing the symptoms described in the What is Poweliks? topic link I provided above...then, yes.



#8 mogle222


Posted 20 December 2014 - 01:29 PM

I just finished reading your forum topic "What is Poweliks?", which seems to have been posted very recently. What popped out at me is the fact that a lot of Poweliks topics have popped up recently, as of November.

Which is funny, because according to my logs that I examined in Event Viewer, problems with my computer began around November 20-27, and then on December 3rd my computer's internet stopped working (although pinging a website showed it should have been working).
Starting around November 20th, prior to the internet shutting down, I noticed some uncommon processes running that normally only appear in the CTF competitions I do.
Also, the processes looked like there may have been outside access of my computer involved, although the common defense tools like McAfee, Avast, Malwarebytes, etc. detected nothing during this time.

OF NOTE IS THAT WHEN THE PROCESSES WERE ACTIVE MY COMPUTER SLOWED DOWN, AND MY COMPUTER WOULD CRASH ANY PROGRAMS RUNNING, and the internet would cease to work, although a reboot or ending the processes would get everything working. I also noticed that disconnecting from my network stopped the suspicious processes entirely.

Later, I used Malwarebytes and removed some red items on Nov. 27th. Afterwards I received mswsock.dll errors for all programs that use the internet and run on startup, as soon as my computer boots. This problem kept up until today, when I finally removed it with ComboFix. (I used it without an expert helping me; however, I followed the same steps that experts were suggesting on other people's topics related to my issue.)

#9 quietman7


Posted 20 December 2014 - 03:08 PM

According to Symantec, Poweliks was discovered around August 3, 2014, but Gdata had an article about it dated in July. The Eset Cleaner was released about a month ago.

I'm glad to hear you were successful in using Combofix. However, it's not a safe practice to be following specific instructions provided to someone else especially if they were given in the Malware Removal Logs forum and involved using advanced tools like Combofix, FRST, etc. Those instructions are given under the guidance of a trained expert to fix that particular member's problems after careful evaluation of the malware involved. Before taking any action, the helper must investigate the nature of the infection and then formulate a fix strategy for the victim. Many times instructions for using specific scripts are provided and only intended for that user's computer.

Although your problem may be similar, the solution could be different based on the kind of hardware, software, system requirements, etc. and the presence of other malware, which means the degree of infection can vary. Using someone else's fix instructions could lead to disastrous problems with your operating system.

In that particular thread, the Helper recommended using ComboFix. Please be aware that using ComboFix is only one part of the disinfection process. Preliminary scans from other tools like DDS, OTL, Zoek and RSIT should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning a strategy for effective disinfection and a determination if using ComboFix is necessary.

Further, when issues arise due to complex malware infections, problems running ComboFix (i.e. stalling, hanging, crashing) or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. When false detections are identified, experts have access to the developer and can report them so he can investigate, confirm and make corrections. These are reasons we ask people not to use ComboFix without being advised to do so by a trained expert (see here) who is assisting them deal with a malware problem.

With that said, you were fortunate in this instance that no unforeseen consequences or serious problems occurred.

#10 mogle222


Posted 20 December 2014 - 06:06 PM

I didn't follow their method step by step. What I did was see what their method of solving the problem was, and modify it based on what my computer needed.
And like you said, I started with prelim software, generated logs, examined them, and compared the file hashes to the National Software Reference Library to determine the normal from the abnormal. Then, based on my results, whether they were good or bad, I followed the next appropriate decision.

Oh, and before I did anything I backed up my registry and ran software off a write-protected USB. *Saved the logs on the infected computer.


So I used ESET's Poweliks Cleaner after ESET scanner was done, and the results said there was no Poweliks on my system.

Edited by mogle222, 20 December 2014 - 06:08 PM.
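The "compare file hashes against the National Software Reference Library" step described in the post above, written out as an added example that is not part of the original thread: it builds a small constructed sample in the NSRLFile.txt column layout (the DLL names are real Winsock file names, but the hashes are of made-up byte strings, not of any genuine Windows binary), indexes it, and classifies a file as known-good, unknown, or a name-known/hash-unknown mismatch, which is the case a mswsock.dll replaced by malware would fall into.

```python
import csv
import hashlib
import io
import zlib
from pathlib import Path

# Column layout of the NSRL RDS NSRLFile.txt (quoted CSV with this header).
NSRL_FIELDS = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
               "ProductCode", "OpSystemCode", "SpecialCode"]

def nsrl_row(name: str, data: bytes) -> dict:
    """Build one NSRLFile.txt-style record from the given file contents."""
    return {"SHA-1": hashlib.sha1(data).hexdigest().upper(),
            "MD5": hashlib.md5(data).hexdigest().upper(),
            "CRC32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
            "FileName": name, "FileSize": str(len(data)),
            "ProductCode": "0", "OpSystemCode": "0", "SpecialCode": ""}

# Constructed sample set: real Winsock DLL names, but the hashes are of the
# made-up byte strings below, not of any genuine Windows binary.
_SAMPLE_ROWS = [nsrl_row("mswsock.dll", b"constructed known-good mswsock.dll"),
                nsrl_row("ws2_32.dll", b"constructed known-good ws2_32.dll")]
_buf = io.StringIO()
_writer = csv.DictWriter(_buf, fieldnames=NSRL_FIELDS, quoting=csv.QUOTE_ALL)
_writer.writeheader()
_writer.writerows(_SAMPLE_ROWS)
SAMPLE_NSRL_TEXT = _buf.getvalue()

def load_nsrl(text: str):
    """Index NSRLFile.txt text by SHA-1 and by lower-cased file name."""
    by_hash, by_name = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        sha1, name = row["SHA-1"].upper(), row["FileName"].lower()
        by_hash.setdefault(sha1, set()).add(name)
        by_name.setdefault(name, set()).add(sha1)
    return by_hash, by_name

def classify(name: str, data: bytes, by_hash: dict, by_name: dict) -> str:
    """'known' if the hash is listed, 'mismatch' if only the name is (a DLL that
    differs from every known-good copy; worth investigating), else 'unknown'."""
    sha1 = hashlib.sha1(data).hexdigest().upper()
    if sha1 in by_hash:
        return "known"
    if name.lower() in by_name:
        return "mismatch"
    return "unknown"

def classify_file(path: str, by_hash: dict, by_name: dict) -> str:
    """Hash a file on disk and classify it by its base name and contents."""
    return classify(Path(path).name, Path(path).read_bytes(), by_hash, by_name)
```

Against the real RDS, `load_nsrl` is fed the contents of NSRLFile.txt and `classify_file` is run over the system directory; a "mismatch" on a file like mswsock.dll is the signal to pull that file for analysis rather than proof of infection, since legitimately patched versions can also be absent from an older hash set.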


#11 quietman7


Posted 20 December 2014 - 08:18 PM

Ok.



