1

I'm trying to help some friends with a Win XP machine. I got rid of the malware using Malwarebytes and HijackThis. But now they (I) have another problem.

When the computer boots into Windows it seems fine. When I start Internet Explorer the browser window opens just fine, but nothing happens for a minute or two. After the two minutes of waiting, the network icon appears in the taskbar next to the clock, and then everything works.

The computer is connected to the internet using an Ethernet adapter.

I have looked at the Event Log and found an error from PerfNet with event ID 2004:

<Provider Name="PerfNet" />  
<EventID Qualifiers="49152">2004</EventID>  
<Level>2</Level>  
<Task>0</Task>  
<Keywords>0x80000000000000</Keywords> 

What I have tried so far:

  • In Device Manager I have uninstalled the Ethernet adapter and installed it again.
  • I have uninstalled and installed the Windows File and Printer Sharing service.
  • I have verified that both server and workstation services are started.

What should I do next?

heavyd
  • 65,321
Cruelio
  • 145

6 Answers

2

Personally, I'd suggest wiping the partitions and reinstalling. You could spend hours trying to clean this up, by which time you could have reinstalled the system from scratch.

Reinstalling is the only guaranteed way of cleaning the malware from the system too.

Educate your friend to not use administrator rights in future, unless of course administrator rights are required, e.g. when installing software.

1

Run a Malwarebytes scan (full scan). You might pick up some registry problems.

Chris
  • 233
1

It may have done something to the TCP/IP stack; it may be worth going to the command prompt and typing the following:

NETSH INT IP RESET intipreset.log

NETSH WINSOCK RESET

Lastly, I would use Microsoft / Sysinternals Autoruns and just check for any bad entries.

Without seeing the machine, it is hard to really help - but you have tried most of the things I would've. After a virus attack, it is hard to know what is still affected and sometimes a reinstall is best.

Also, consider reading this guide.

William Hilsum
  • 117,648
1

Have you tried another browser like Firefox or Opera? Or any other networked software? If you don't have one, you could just use ping www.google.com in a command prompt.

If it's IE-only related, you could try going to Tools > Manage Add-ons to disable everything suspect. And this tool, Fix IE, could help too.

If it's an all-network issue:

In a command prompt (run as administrator):

netsh int ip reset intipreset.log
Reset the TCP/IP stack = reset/rewrite the following TCP/IP-related registry keys:

    * SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
    * SYSTEM\CurrentControlSet\Services\DHCP\Parameters\

You may need to re-configure your TCP/IP settings after that

netsh winsock reset
Repair Winsock. It removes all Winsock LSPs (Layered Service Providers) previously installed, including any potentially malfunctioning LSP that causes network packet loss or transmission failure.

So all previously-installed LSPs (antivirus/firewall) may need to be reinstalled

netsh interface reset all
Reset all interfaces: 6to4, HTTPSTunnel, ipv4, ipv6, isatap, portproxy, tcp, teredo

I don't know exactly what you risk by doing it (not much, I think, except reinstalling/reconfiguring network-related software and Windows parameters...)

fluxtendu
  • 7,219
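
As an added example (not part of the answer above, and not code from this page): `netsh winsock reset` discards every installed LSP, so it helps to record the catalog before running it. This Python script parses saved `netsh winsock show catalog` output and lists layered providers and provider DLLs outside system32; the sample text, the field labels and the system32 heuristic are assumptions, and a listed entry is a prompt for a manual check, not a verdict.

```python
import re

# Constructed sample, laid out like English `netsh winsock show catalog` output (assumed).
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ExampleLSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\ExampleLSP\examplelsp.dll
Catalog Entry ID:                   1015
Protocol Chain:                     1014 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
"""

HEADING = re.compile(r"^(?:Winsock Catalog|Name Space) Provider Entry\s*$", re.M)
# Assumption: stock providers load from system32; anything else gets a manual look.
SYSTEM_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

def parse_catalog(text):
    """Return one dict (field label -> value) per Winsock catalog entry."""
    entries = []
    for block in HEADING.split(text)[1:]:
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        if "Entry Type" in fields:  # skips name space provider sections
            entries.append(fields)
    return entries

def review(entries):
    """List (description, path, reasons) for entries worth checking before a reset."""
    findings = []
    for e in entries:
        path, reasons = e.get("Provider Path", ""), []
        if e.get("Entry Type", "").lower().startswith("layered"):
            reasons.append("layered provider (LSP): removed by 'netsh winsock reset'")
        if not path.lower().startswith(SYSTEM_PREFIXES):
            reasons.append("provider DLL is outside system32")
        if reasons:
            findings.append((e.get("Description", "?"), path, reasons))
    return findings

if __name__ == "__main__":
    for desc, path, reasons in review(parse_catalog(SAMPLE)):
        print(desc, "|", path, "|", "; ".join(reasons))
```

To use it on real data, save the catalog with `netsh winsock show catalog > catalog.txt` before the reset and pass the file's text to `parse_catalog`.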
1

Have you tried to connect to anything without using IE?
E.g., open a command prompt and ping www.google.com, or even just the router to start with.
I do tend to agree with the consensus though: if it's been a particularly nasty malware attack, it is sometimes better just to back up data and do a clean install. It can sometimes be a blessing (I know this sounds odd, but you can totally re-evaluate everything you use and what you need and don't need, re-layout the partitions of the drive, etc.).

Joe Taylor
  • 13,711
1

My friend called me the other night to tell me the computer works just perfect now. He claimed not to have changed anything, which just makes it all more weird.

Pat Myron
  • 129
Cruelio
  • 145