Computer can not communicate with W-LAN (although settings appear to be fine)


1chris1

I tried to set up a Network share on my Vista Home Basic PC a few days ago. When trying to turn on Network Discovery, File Sharing and other options in Windows, I was getting errors about services / devices unavailable, etc. Windows Firewall also couldn't be turned on. I ended up following advice (posted for people with identical problems) and running ComboFix, several OTL fixes, and adding several registry entries. ComboFix actually said the computer had a rootkit infection, and rebooted several times and went through about 60 stages to clear that up.

 

Now everything SAYS it's working (Network options can be turned on/off, Firewall can be Enabled/disabled, etc), but my computer cannot receive any incoming connections on the W-LAN. For example, my network shares won't show up on my Android phone and the ES File Explorer can't even find my computer, even when Network discovery is on. Also, my Eye-Fi card suddenly stopped working on this computer, although it works fine with my phone & laptop (through the Wifi). My HP Wireless printer is still working fine through it, though.

 

I have a feeling that something relatively simple such as a service or setting has been disabled...possibly having to do with Link Layer topology or network discovery. I am fairly novice at this, but I'm hoping somebody could point me toward some setting that might bring back Eye-Fi and maybe get the computer visible to my phone, as I intended.

Hello and Welcome to Malwarebytes

As everyone's computer is different, running tools and fixes from someone else's topic is not recommended as those fixes are created for that specific computer. It's better to start your own topic...

Being that you are probably still infected and/or have leftovers from the rootkit, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you

Hi, & thanks for your reply!

 

I don't think this computer has ANY remnants of the malware or rootkit now...but running someone else's fixes did DEFINITELY (partially) disrupt my W-LAN connectivity in Windows. My HP Wifi printer is still working...but no files are being transferred to the computer from my Eye-Fi card (even though it's confirmed to be working normally), and my Network shares just aren't showing up. I reset the Eye-Fi card 3 times last night, and reinstalled the software on this computer 3 times, and they just don't come through to this computer anymore. It still works 100% fine (over Wifi) with my laptop and Android smartphone, so I know it isn't my Eye-Fi card. I didn't mess with my router at all, so I don't think there are any problems on that front. This computer is hooked directly to the ADSL router via ethernet, and my internet connection is 100% Ok. I'm pretty confident the router is properly addressing the traffic, but it's like something in the computer is either blocking or not picking up the incoming traffic (even though Windows Firewall says it's disabled at the moment).

 

Also, a few days ago (after the "fixes") a message popped up saying another computer on my Network has the same IP address as this one! I've never seen that message before, & I just clicked "Close" and it didn't pop up again. So whatever is causing the problem is maybe related to that?

I have tried the following steps (since posting this AM):

  • Reset entire TCP/IP stack (in command prompt)
  • Reset network adapter (with Network diagnostics in Windows)
  • Ran sfc /scannow (no integrity violations)
  • (Temporarily) started some services which were off in services.msc to see if the Eye-Fi starts working again.

 

Here is my DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.45.2
Run by Chris at 14:33:03 on 2014-01-12
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2039.1121 [GMT -5:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Users\Chris\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\Chrome Frame\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\snmptrap.exe
C:\Program Files\Eye-Fi\Helper\EyeFiHelper.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k wdisvc
.
============== Pseudo HJT Report ===============
.


BHO: Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: ChromeFrame BHO: {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - c:\program files\google\chrome frame\application\31.0.1650.63\npchrome_frame.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Eye-Fi] "c:\program files\eye-fi\helper\EyeFiHelper.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"

TCP: NameServer = 192.168.1.1
TCP: Interfaces\{FC5636CB-F9F2-4C95-83A7-63EA8D07883F} : DHCPNameServer = 192.168.1.1
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\31.0.1650.63\npchrome_frame.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-7-29 21504]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-8-9 418376]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-28 701512]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-28 22856]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2010-11-28 17792]
S4 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2011-7-29 21504]
S4 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2013-11-30 106280]
.
=============== Created Last 30 ================
.
2014-01-12 08:46:02 -------- d-sh--w- C:\$RECYCLE.BIN
2014-01-12 08:44:37 -------- d-s---w- C:\ComboFix
2014-01-12 07:35:50 -------- d-----w- c:\users\chris\appdata\local\Eye-Fi
2014-01-12 07:30:37 -------- d-----w- c:\users\chris\appdata\roaming\Eye-Fi
2014-01-12 07:28:47 -------- d-----w- c:\program files\Eye-Fi
2014-01-09 05:50:56 -------- d-----w- c:\users\chris\appdata\local\temp
2014-01-09 04:55:31 98816 ----a-w- c:\windows\sed.exe
2014-01-09 04:55:31 256000 ----a-w- c:\windows\PEV.exe
2014-01-09 04:55:31 208896 ----a-w- c:\windows\MBR.exe
2014-01-09 03:32:35 -------- d-----w- C:\_OTL
.
==================== Find3M ====================
.
2014-01-09 02:25:59 99816 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS.bak
.
============= FINISH: 14:36:07.69 ===============

That log is not complete.... Try this please...

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool.

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply "as an attachment": DDS.txt and Attach.txt

    You can ignore the note about zipping the Attach.txt file

Ok, I have attached both DDS files.

 

This is the thread (for reference) where I copied the registry, batch, & OTL fixes from due to identical symptoms: https://forums.malwarebytes.org/index.php?showtopic=115712 . I tried several System Restore points to get back to before the modifications, but everything (before the changes were made) says it was damaged or deleted during the restore.

I just noticed (looking through attach.txt), that I have WinPCap 4.1.2 installed...it caught my attention, because I was looking at dds.txt which lists the "NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys" as a running service which is used by WinPCap. My Uninstall & Change Programs Panel says I installed WinPCap on 1/8/14, when I did all the "fixes". It must have been on the list to capture packet data for analysis by an expert. Is this possibly inhibiting the incoming packets from reaching my software (i.e., Eye-Fi)?

I've spent a few hours comparing this PC with my Laptop in MSCONFIG and services.msc services side by side. IP Helper and IP Sec Policy Agent were unchecked in MSCONFIG, & the IKE and AuthIP Ipsec Keying Modules service was disabled in services.msc. So I put those back, among other things. After turning off Network sharing, turning off Windows Firewall, Malwarebytes, reinstalling the network adapter, uninstalling WinPCap & resetting the netsh advfirewall file, Eye-Fi still will not receive any inbound W-LAN traffic on the PC. I don't know if Eye-Fi is a completely separate issue from the Network Shares not showing up, but I'm working just on the Eye-Fi right now. I think I may have a NICS or policy error which is blocking inbound network traffic.

"I ended up following advice (posted for people with identical problems) and running ComboFix, several OTL fixes, and adding several registry entries. ComboFix actually said the computer had a rootkit infection, and rebooted several times and went through about 60 stages to clear that up."

 

as was stated ... not all comps are the same .

the symptoms may appear to be similar but in reality the cause(s) may be quite different .

for example , a "cold" can give one lung congestion while viral pneumonia can do the same (and is much worse !) . the course of treatment will be different for them .

 

i would suggest heading over to the malware removal section and starting here :

https://forums.malwarebytes.org/index.php?showtopic=9573

follow the instructions as best you are able to do so and start a new help/removal topic .

Well there is definitely more going on with this computer, (according to the logs) more than likely was caused by the infections that you have or had, and there is more clean up that needs to be done.... Your best bet is going to have to be to seek help from one of our experts. Also please stop self medicating as this will make it harder for the experts to help you fix the issues.....

Being that you are probably infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you

==== Event Viewer Messages From Past Week ========
.
1/9/2014 6:36:55 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
1/9/2014 1:50:22 AM, Error: Service Control Manager [7001]  - The UPnP Device Host service depends on the SSDP Discovery service which failed to start because of the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/8/2014 4:09:27 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
1/8/2014 11:43:42 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Installer service to connect.
1/8/2014 11:43:42 PM, Error: Service Control Manager [7000]  - The Windows Installer service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
1/8/2014 11:43:42 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1053" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
1/8/2014 11:16:05 PM, Error: Service Control Manager [7023]  - The Base Filtering Engine service terminated with the following error:  Access is denied.
1/8/2014 11:16:05 PM, Error: Service Control Manager [7001]  - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error:  Access is denied.
1/8/2014 11:16:05 PM, Error: Service Control Manager [7001]  - The Internet Connection Sharing (ICS) service depends on the Base Filtering Engine service which failed to start because of the following error:  Access is denied.
1/8/2014 11:05:55 PM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
1/8/2014 11:05:55 PM, Error: Service Control Manager [7003]  - The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed.
1/8/2014 10:32:35 PM, Error: Service Control Manager [7034]  - The HitmanPro Scheduler service terminated unexpectedly.  It has done this 1 time(s).
1/8/2014 10:13:59 PM, Error: Service Control Manager [7001]  - The Wired AutoConfig service depends on the Extensible Authentication Protocol service which failed to start because of the following error:  The dependency service or group failed to start.
1/8/2014 10:13:59 PM, Error: Service Control Manager [7001]  - The Extensible Authentication Protocol service depends on the CNG Key Isolation service which failed to start because of the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/8/2014 10:13:52 PM, Error: Service Control Manager [7001]  - The WLAN AutoConfig service depends on the Extensible Authentication Protocol service which failed to start because of the following error:  The dependency service or group failed to start.
1/12/2014 6:27:28 PM, Error: Microsoft-Windows-PrintSpooler [19]  - The print spooler failed to share printer Send To OneNote 2007 with shared resource name Send To OneNote 2007. Error 2114. The printer cannot be used by others on the network.
1/12/2014 6:27:28 PM, Error: Microsoft-Windows-PrintSpooler [19]  - The print spooler failed to share printer PaperPort Image Printer with shared resource name PaperPort Image Printer. Error 2114. The printer cannot be used by others on the network.
1/12/2014 6:27:28 PM, Error: Microsoft-Windows-PrintSpooler [19]  - The print spooler failed to share printer HP Officejet Pro 8500 A910 (Network) with shared resource name HP Officejet Pro 8500 A910 (Network). Error 2114. The printer cannot be used by others on the network.
1/12/2014 6:27:28 PM, Error: Microsoft-Windows-PrintSpooler [19]  - The print spooler failed to share printer HP Officejet H470 series with shared resource name HP Officejet H470 series. Error 2114. The printer cannot be used by others on the network.
1/12/2014 6:27:28 PM, Error: Microsoft-Windows-PrintSpooler [19]  - The print spooler failed to share printer Foxit PDF Printer with shared resource name Foxit PDF Printer. Error 2114. The printer cannot be used by others on the network.
1/12/2014 6:27:28 PM, Error: Microsoft-Windows-PrintSpooler [19]  - The print spooler failed to share printer eFax 4.4 with shared resource name eFax 4.4. Error 2114. The printer cannot be used by others on the network.
1/12/2014 6:27:28 PM, Error: Microsoft-Windows-PrintSpooler [19]  - The print spooler failed to share printer Brother PC-FAX v.2 with shared resource name Brother PC-FAX v.2. Error 2114. The printer cannot be used by others on the network.
1/12/2014 6:27:28 PM, Error: Microsoft-Windows-PrintSpooler [19]  - The print spooler failed to share printer Brother MFC-240C USB Printer with shared resource name Brother MFC-240C USB Printer. Error 2114. The printer cannot be used by others on the network.
1/12/2014 6:27:19 PM, Error: Microsoft-Windows-Eventlog [22]  - The event logging service encountered an error while initializing publishing resources for channel ArcSoft-TotalMedia10FT-EventLog/Debug. If channel type is Analytic or Debug, then this could mean there was an error initializing logging resources as well.
1/12/2014 5:57:16 PM, Error: Service Control Manager [7022]  - The Windows Update service hung on starting.
1/12/2014 3:45:47 AM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
1/12/2014 12:53:59 AM, Error: Microsoft-Windows-Dhcp-Client [1002]  - The IP address lease 192.168.1.5 for the Network Card with network address 001921CFA75B has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
1/10/2014 8:21:53 AM, Error: Tcpip [4199]  - The system detected an address conflict for IP address 192.168.1.4 with the system having network hardware address 6C-B7-F4-F1-23-24. Network operations on this system may be disrupted as a result.
1/10/2014 8:21:45 AM, Error: Microsoft-Windows-Dhcp-Client [1002]  - The IP address lease 192.168.1.6 for the Network Card with network address 001921CFA75B has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
1/10/2014 2:37:29 PM, Error: EventLog [6008]  - The previous system shutdown at 2:34:36 PM on 1/10/2014 was unexpected.
.
==== End Of File ===========================
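
The Service Control Manager entries in the Event Viewer section above form dependency chains (event 7001) that end at a few services which themselves failed or are disabled. The following Python parser is an added example, not part of the original thread or of DDS; it reads this log format, also when events run together without line breaks, and groups the blocked services under the service at the root of each chain. The function and variable names are hypothetical.

```python
import re

# Seven lines taken from the Event Viewer section of the log posted in this thread.
SAMPLE = """\
1/8/2014 11:16:05 PM, Error: Service Control Manager [7023]  - The Base Filtering Engine service terminated with the following error:  Access is denied.
1/8/2014 11:16:05 PM, Error: Service Control Manager [7001]  - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error:  Access is denied.
1/8/2014 11:16:05 PM, Error: Service Control Manager [7001]  - The Internet Connection Sharing (ICS) service depends on the Base Filtering Engine service which failed to start because of the following error:  Access is denied.
1/8/2014 10:13:59 PM, Error: Service Control Manager [7001]  - The Wired AutoConfig service depends on the Extensible Authentication Protocol service which failed to start because of the following error:  The dependency service or group failed to start.
1/8/2014 10:13:59 PM, Error: Service Control Manager [7001]  - The Extensible Authentication Protocol service depends on the CNG Key Isolation service which failed to start because of the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/8/2014 10:13:52 PM, Error: Service Control Manager [7001]  - The WLAN AutoConfig service depends on the Extensible Authentication Protocol service which failed to start because of the following error:  The dependency service or group failed to start.
1/9/2014 1:50:22 AM, Error: Service Control Manager [7001]  - The UPnP Device Host service depends on the SSDP Discovery service which failed to start because of the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
"""

# An event starts at "M/D/YYYY H:MM:SS AM|PM, "; splitting there also handles
# exports where the line breaks were lost and events run together.
EVENT_START = re.compile(r"(?<![\d/])(?=\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M, )")
EVENT = re.compile(r"(?P<when>\S+ \S+ [AP]M), (?P<level>\w+): (?P<source>.+?) "
                   r"\[(?P<id>\d+)\]\s+- (?P<msg>.*)", re.S)
DEPENDS = re.compile(r"The (?P<svc>.+?) service depends on the (?P<dep>.+?) service "
                     r"which failed to start because of the following error: (?P<err>.+)")
TERMINATED = re.compile(r"The (?P<svc>.+?) service terminated with the following error: (?P<err>.+)")


def parse_events(text):
    """Return one dict per event: when, level, source, id, msg."""
    events = []
    for chunk in EVENT_START.split(text):
        m = EVENT.match(chunk.strip())
        if m:
            event = m.groupdict()
            event["msg"] = " ".join(event["msg"].split())  # collapse runs of whitespace
            events.append(event)
    return events


def root_causes(events):
    """Map each root service to its error and the services stuck behind it."""
    waits_on, own_error = {}, {}
    for e in events:
        if e["source"] != "Service Control Manager":
            continue
        if e["id"] == "7001" and (m := DEPENDS.match(e["msg"])):
            waits_on[m["svc"]] = (m["dep"], m["err"])
        elif e["id"] == "7023" and (m := TERMINATED.match(e["msg"])):
            own_error[m["svc"]] = m["err"]
    roots = {}
    for svc in waits_on:
        node, err, seen = svc, None, set()
        while node in waits_on and node not in seen:  # walk the chain; stop on a cycle
            seen.add(node)
            node, err = waits_on[node]
        # Prefer the root's own 7023 error; otherwise use the error on the last edge.
        entry = roots.setdefault(node, {"error": own_error.get(node, err), "blocked": []})
        entry["blocked"].append(svc)
    for entry in roots.values():
        entry["blocked"].sort()
    return roots


if __name__ == "__main__":
    for root, info in root_causes(parse_events(SAMPLE)).items():
        print(f"{root}: {info['error']}")
        for svc in info["blocked"]:
            print(f"    blocks {svc}")
```
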
The errors related to the shared printers...some are not hooked up anymore & I just left the drivers on. The others are related to services which I think I manually disabled some time ago in MSCONFIG .

My main problem right now is the network...after I did the "fixes" (some of which were custom & for somebody else), I can turn the stuff on & off (in Control Panel), but I can't actually see the computer on my Android phone (on the network). Also, my Eye-Fi card immediately stopped working (on this computer ONLY), and I can't figure out why.

I pinged my localhost, and it comes back 127.0.0.1....and that matches the only entry in my hosts file. The localhost FirewallTest procedure for Eye-Fi returned 'OK'. I tried resetting the firewall with netsh advfirewall /reset, it didn't help. Re-enabled IPSEC, IPhelper & a few other disabled services.msc things. I spent hours last night researching services that I enabled/disabled (in the past) to see if those might be related to blocking the inbound traffic, although this is a brand new issue.

To be honest: Eye-Fi is my main problem right now, & I'm really not experienced at setting up networks, so I may be not doing something right or overlooking something. Any help would be greatly appreciated. Thanks!

There are more errors there than just shared printers, some which are critical in the way windows works. Those have to be sorted out and once that is sorted out, it is quite possible that everything else will work as intended.

We can not proceed any further in this section of the forum, due to the tools that need to be run to correct the issues. This is why I asked you to post in the Possibly infected computers section....

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you
