LocalHost ping fails after removing spyware

Guest

Hi all,
My wife had several nasty pieces of Spyware (mostly Coolweb if I recall) at
last check, and it took about 4 separate apps to remove all traces. Now the
box no longer has any internet connectivity (connecting via DLink Wireless
router to Cable modem). I'm actually cabled into the router rather than
running it on wireless.

Here's what I tried:
Opened IE and got a 404. Clicked Detect Settings. Same result.
Checked the light on the Ethernet jack - it was lit.
Checked the Device Manager, no errors on the adapter.
Pinged Default Gateway. Echo returned successful reply.
Pinged Loopback. Echo returned successful reply.
Pinged Localhost (192.168.0.6). Reply failed.
Ipconfig /all turns up Node type = Unknown ; IP Routing Enabled= No

Actions taken:
Ipconfig /release
Ipconfig /renew (IP address stayed the same, result of pings stayed the same)
Opened network diagnostic troubleshooter - ran test; received this error:

Network Adapters [00000001] DAVICOM 9102/A PCI Fast Ethernet Adapter FAILED
Caption = [00000001] DAVICOM 9102/A PCI Fast Ethernet Adapter
DatabasePath = %SystemRoot%\System32\drivers\etc
[snip]
..
..
..
+ DNSServerSearchOrder = 192.168.0.1 (PASSED)
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=0
Reply from 192.168.0.1: bytes=32 time<1ms TTL=0
Reply from 192.168.0.1: bytes=32 time<1ms TTL=0
Reply from 192.168.0.1: bytes=32 time<1ms TTL=0
Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
FullDNSRegistrationEnabled = TRUE
GatewayCostMetric = 20
Index = 1
- IPAddress = 192.168.0.6 (FAILED)
Pinging 192.168.0.6 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.6:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
IPConnectionMetric = 20
IPEnabled = TRUE
IPFilterSecurityEnabled = FALSE
IPSubnet = 255.255.255.0

Attempted rolling back network adapter (Davicom 9102 integrated Ethernet on
Soyo mb) driver. Restarted machine. Same result.
Attempted downloading updated driver and updating. Same result.
Attempted resetting the default TCP/IP settings per netsh command, using
example in this article: http://support.microsoft.com/kb/299357/. Same
result.

I'm at the end of my knowledge here. What am I missing? Thanks in advance!

Jason B
 
Chuck

One correction: (connecting via NETGEAR Wireless router to Cable modem, not
Dlink)

Jason Bennett said:
Hi all,
My wife had several nasty pieces of Spyware (mostly Coolweb if I recall) at
last check, and it took about 4 separate apps to remove all traces. Now the
box no longer has any internet connectivity (connecting via DLink Wireless
router to Cable modem). I'm actually cabled into the router rather than
running it on wireless.

Here's what I tried:
Opened IE and got a 404. Clicked Detect Settings. Same result.
Checked the light on the Ethernet jack - it was lit.
Checked the Device Manager, no errors on the adapter.
Pinged Default Gateway. Echo returned successful reply.
Pinged Loopback. Echo returned successful reply.
Pinged Localhost (192.168.0.6). Reply failed.
Ipconfig /all turns up Node type = Unknown ; IP Routing Enabled= No

Actions taken:
Ipconfig /release
Ipconfig /renew (IP address stayed the same, result of pings stayed the same)
Opened network diagnostic troubleshooter - ran test; received this error:

Network Adapters [00000001] DAVICOM 9102/A PCI Fast Ethernet Adapter FAILED
Caption = [00000001] DAVICOM 9102/A PCI Fast Ethernet Adapter
DatabasePath = %SystemRoot%\System32\drivers\etc
[snip]
.
.
.
+ DNSServerSearchOrder = 192.168.0.1 (PASSED)
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=0
Reply from 192.168.0.1: bytes=32 time<1ms TTL=0
Reply from 192.168.0.1: bytes=32 time<1ms TTL=0
Reply from 192.168.0.1: bytes=32 time<1ms TTL=0
Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
FullDNSRegistrationEnabled = TRUE
GatewayCostMetric = 20
Index = 1
- IPAddress = 192.168.0.6 (FAILED)
Pinging 192.168.0.6 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.6:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
IPConnectionMetric = 20
IPEnabled = TRUE
IPFilterSecurityEnabled = FALSE
IPSubnet = 255.255.255.0

Attempted rolling back network adapter (Davicom 9102 integrated Ethernet on
Soyo mb) driver. Restarted machine. Same result.
Attempted downloading updated driver and updating. Same result.
Attempted resetting the default TCP/IP settings per netsh command, using
example in this article: http://support.microsoft.com/kb/299357/. Same
result.

I'm at the end of my knowledge here. What am I missing? Thanks in advance!

Jason B

Jason,

Spyware removal can corrupt the LSP / Winsock stack.
http://support.microsoft.com/?id=318584
http://support.microsoft.com/?id=811259

If XP RTM or Service Pack 1:
1. Backup and delete the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
2. Reboot.
3. Open the network connections folder, right click your network connection, and
click Properties.
4. Click Install | Protocol | Add.
5. Click "Have Disk...", type "\windows\inf" in the box, and click OK.
6. Click "Internet Protocol (TCP/IP)", then click OK.
7. Reboot.

If XP SP2:
1. Start - Run - "cmd".
2. Type "netsh winsock reset catalog" into the command window.

Give LSP-Fix <http://www.cexx.org/lspfix.htm>, WinsockFix
<http://www.tacktech.com/display.cfm?ttid=257>, or WinsockXPFix
<http://www.spychecker.com/program/winsockxpfix.html> a shot.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
Guest

Thanks for the swift response, Chuck. I installed the XP Support Tools
(\support\tools) and ran netdiag /test:winsock per the KB you included. It
showed that the Winsock test = passed. The 2nd KB mentioned doesn't seem to
apply to XP.

Do you think it's a good idea to still try the registry key fix you
mentioned below, or should I be looking elsewhere? I've included the Netdiag
/test:winsock results below.

Thanks,
Jason

Netdiag /test:winsock results:

Netcard queries test . . . . . . . : Passed

Information of Netcard drivers:


---------------------------------------------------------------------------
Description: DAVICOM 9102-Based PCI Fast Ethernet Adapter - Packet
Scheduler
Miniport
Device: \DEVICE\{0C6592F2-F9CC-48C4-8237-5EC8D0B9881F}

Media State: Connected

Device State: Connected
Connect Time: 00:09:26
Media Speed: 100 Mbps

Packets Sent: 87
Bytes Sent (Optional): 0

Packets Received: 41
Directed Pkts Recd (Optional): 9
Bytes Received (Optional): 0
Directed Bytes Recd (Optional): 0

Packets SendError: 131331
Packets RecvError: 131332

---------------------------------------------------------------------------
Description: DAVICOM 9102/A PCI Fast Ethernet Adapter
Device: \DEVICE\{1F4C291C-9A9B-416F-AC2F-85D06257D74A}

Media State: Connected

Device State: Connected
Connect Time: 00:09:26
Media Speed: 100 Mbps

Packets Sent: 87
Bytes Sent (Optional): 0

Packets Received: 41
Directed Pkts Recd (Optional): 9
Bytes Received (Optional): 0
Directed Bytes Recd (Optional): 0

Packets SendError: 131331
Packets RecvError: 131332

---------------------------------------------------------------------------
[PASS] - At least one netcard is in the 'Connected' state.



Per interface results:

Adapter : Local Area Connection 5
Adapter ID . . . . . . . . : {1F4C291C-9A9B-416F-AC2F-85D06257D74A}

Netcard queries test . . . : Passed


Global results:


Domain membership test . . . . . . : Passed
Machine is a . . . . . . . . . : Standalone Workstation
Netbios Workgroup name . . . . : BENNETTFAMILY
Dns domain name is not specified.
Dns forest name is not specified.
Domain Guid. . . . . . . . . . : {00000000-0000-0000-0000-000000000000}
Logon User . . . . . . . . . . : LillianB
Logon Domain . . . . . . . . . : LILLIAN


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{1F4C291C-9A9B-416F-AC2F-85D06257D74A}
1 NetBt transport currently configured.


Winsock test . . . . . . . . . . . : Passed
The number of protocols which have been reported : 14
Description: MSAFD Tcpip [TCP/IP]
Provider Version :2
Max message size : Stream Oriented
Description: MSAFD Tcpip [UDP/IP]
Provider Version :2
Description: RSVP UDP Service Provider
Provider Version :6
Description: RSVP TCP Service Provider
Provider Version :6
Max message size : Stream Oriented
Description: MSAFD NetBIOS
[\Device\NetBT_Tcpip_{1F4C291C-9A9B-416F-AC2F
-85D06257D74A}] SEQPACKET 0
Provider Version :2
Description: MSAFD NetBIOS
[\Device\NetBT_Tcpip_{1F4C291C-9A9B-416F-AC2F
-85D06257D74A}] DATAGRAM 0
Provider Version :2
Description: MSAFD NetBIOS
[\Device\NetBT_Tcpip_{E7E57A6B-5265-46C6-A386
-EAAEC0760EA8}] SEQPACKET 1
Provider Version :2
Description: MSAFD NetBIOS
[\Device\NetBT_Tcpip_{E7E57A6B-5265-46C6-A386
-EAAEC0760EA8}] DATAGRAM 1
Provider Version :2
Description: MSAFD NetBIOS
[\Device\NetBT_Tcpip_{1F4B4904-4CD0-4C9F-BCCC
-3A38B0D00D98}] SEQPACKET 2
Provider Version :2
Description: MSAFD NetBIOS
[\Device\NetBT_Tcpip_{1F4B4904-4CD0-4C9F-BCCC
-3A38B0D00D98}] DATAGRAM 2
Provider Version :2
Description: MSAFD NetBIOS
[\Device\NetBT_Tcpip_{29EC5251-C1F6-4B50-AD9B
-1BE0678CA4B4}] SEQPACKET 3
Provider Version :2
Description: MSAFD NetBIOS
[\Device\NetBT_Tcpip_{29EC5251-C1F6-4B50-AD9B
-1BE0678CA4B4}] DATAGRAM 3
Provider Version :2
Description: MSAFD NetBIOS
[\Device\NetBT_Tcpip_{E0188375-F59F-45B5-93A4
-4FF37F1F4082}] SEQPACKET 4
Provider Version :2
Description: MSAFD NetBIOS
[\Device\NetBT_Tcpip_{E0188375-F59F-45B5-93A4
-4FF37F1F4082}] DATAGRAM 4
Provider Version :2

Max UDP size : 65507 bytes



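An added example, not part of the thread: a small Python parser for the Winsock section of `netdiag /test:winsock` output like the listing posted above. It rejoins wrapped provider names, compares the reported protocol count with the entries actually listed, and flags providers outside an assumed allow-list of stock XP name prefixes (MSAFD, RSVP); the sample input and its "ExampleVendor" entry are constructed.

```python
import re

# Assumption: name prefixes of the providers Windows XP installs by default.
STOCK_PREFIXES = ("MSAFD ", "RSVP ")
COUNT_RE = re.compile(r"The number of protocols which have been reported\s*:\s*(\d+)")

# Constructed sample in the layout of the netdiag output posted in the thread.
# The "ExampleVendor" entry is hypothetical and stands in for a leftover LSP.
SAMPLE = r"""
Winsock test . . . . . . . . . . . : Passed
The number of protocols which have been reported : 4
Description: MSAFD Tcpip [TCP/IP]
Provider Version :2
Max message size : Stream Oriented
Description: RSVP UDP Service Provider
Provider Version :6
Description: MSAFD NetBIOS
[\Device\NetBT_Tcpip_{1F4C291C-9A9B-416F-AC2F
-85D06257D74A}] SEQPACKET 0
Provider Version :2
Description: ExampleVendor Layered Provider
Provider Version :1
"""

def _join(acc, piece):
    # A wrap inside "{...}" split a GUID: rejoin it without a space.
    sep = "" if acc.count("{") > acc.count("}") else " "
    return acc + sep + piece

def parse_winsock_section(text):
    """Return (reported_count, [provider descriptions]) from netdiag output."""
    reported, providers, open_entry = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            reported, open_entry = int(m.group(1)), False
        elif line.startswith("Description:"):
            providers.append(line.split(":", 1)[1].strip())
            open_entry = True
        elif not line or line.startswith(("Provider Version", "Max ")):
            open_entry = False          # attribute line ends the description
        elif open_entry:
            providers[-1] = _join(providers[-1], line)  # wrapped name
    return reported, providers

def review(text):
    """Summarise the catalog: count consistency and non-stock providers."""
    reported, providers = parse_winsock_section(text)
    unexpected = [p for p in providers if not p.startswith(STOCK_PREFIXES)]
    return {"reported": reported, "listed": len(providers),
            "count_mismatch": reported is not None and reported != len(providers),
            "unexpected": unexpected}

if __name__ == "__main__":
    print(review(SAMPLE))
```

An empty `unexpected` list only says that no non-stock provider names are enumerated; it does not test whether traffic actually passes through the stack.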
 
Chuck

Jason,

Corruption of LSP / Winsock is a common result in removal of malware that embeds
itself there. Depending upon what was removed, and what removal tool was used,
one or more repair tools may have different success.

There are 3 third party tools, plus "netsh" (XP SP2). Depending upon what is
corrupt, any one of the 4 may be successful, in spite of the others being
useless.

It's also possible that you may not have gotten the entire mess of spyware out.
Did you run HijackThis, and get expert help? CWS is a very nasty devil, and
requires expert help.

Can you post a link to the forums where you got help? There might be a clue in
your experience there.

If the expert help didn't involve HijackThis, and LSP / Winsock repair, it may
not have been too expert. Start with the current version of HijackThis.
HijackThis <http://www.tomcoyote.com/hjt/>

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
HJT Log.
<http://forums.spywareinfo.com/index.php?showtopic=227>

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts, here):
Aumha: <http://forum.aumha.org/index.php>
Net-Integration: <http://forums.net-integration.net/>
Spyware Info: <http://forums.spywareinfo.com/>
Spyware Warrior: <http://spywarewarrior.com/index.php>
Tom Coyote: <http://forums.tomcoyote.org/>

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
Guest

HijackThis help I received:
http://castlecops.com/modules.php?&name=Forums&file=viewtopic&t=104018

In the actions I took, after restarting one last time, the AppInit dlls that
were present in the last log I posted (at the above URL) disappeared. I also
used CWShredder, Cleanup, Swap.bat and Killbox.

The question I have is: if it turns out to NOT be a Winsock/LSP problem,
will the patches you mention create any additional headaches? If not, I'll
go ahead and try them.

Jason
 
Chuck

Jason,

All 4 of the LSP / Winsock fixes only remove problems with LSP / Winsock.
Excepting the "Netsh" XP native command, the three third party tools will all
present you with a list of recommended fixes. If you are unsure about the
wisdom of applying any recommended changes, post a log from any LSP / Winsock
repair program here, and we'll try and help you decide.

You can also save a listing of the current configuration, using (Start - Run -
"msinfo32"). In MSInfo, File - Export lets you export a complete report, which
includes LSP / Winsock configuration.

And before making any repairs, you also might want to make a new System Restore
Point, and make no other system changes til you get this working to your
satisfaction.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
