No network access after (possible) Trojan

MJoshi

Hello all,

I am no longer able to connect to a network or the Internet. I believe the cause may be the 'Sirefef' Trojan.

Both Microsoft Security Essentials and Windows firewall had been disabled.

I ran Malwarebytes and Spybot (Search & Destroy), which picked up some browser exploits and the Trojans. I removed them.

I managed to uninstall and reinstall Microsoft Security Essentials and run a scan. The Trojans were detected again and removed.

Now when I run a scan with all of the above, nothing is detected.

However, I am now unable to obtain an IP address. Internet Explorer 9 is slow loading as is Firefox.

I have tried various registry fixes for the 'Sirefef' Trojan and also the Microsoft 'FixIt' repair tools. I have also tried the built-in recovery function on my computer.

The 'ipconfig' command in Command Prompt just returns: 169.254.93.152

I have tried repairing the network adapter a number of times but it still doesn't work. I also have the same problem in Safe Mode with Networking.

I am currently using a Linux live CD to send this!
 

Nothinman

The only way to be 100% sure that everything is fixed is to restore from a known good backup or reload from scratch. A 169 address means it didn't receive a positive reply from your DHCP server, so it's possible that reloading the NIC drivers, doing a TCP/IP reset from netsh or possibly a full scan with sfc may repair that particular damage, but there's no telling what else the trojan may have done.
 

Bubbaleone

If you don't have a complete backup to restore or a fresh install isn't viable, and you want to try a manual repair, see bleepingcomputer.com's How to use ComboFix.

Towards the bottom of that page is a complete list of forums to receive help analyzing ComboFix logs, correct procedures for eliminating the infection/s, and restoring the operating system. They'll guide you through it step-by-step. Proper use of ComboFix, and most of the other software it will probably need to work in conjunction with, is not for novices.
 

MJoshi

Thanks, ComboFix seems to have resolved the problem.

It was related to the Windows Firewall service (MpsSvc) not starting. The Microsoft 'FixIt' utility to repair the firewall did not work. So, I deleted the registry entries for MpsSvc which allowed the network interface to obtain an IP address and connect to the Internet.

I then downloaded ComboFix which resolved the Windows Firewall issue (not starting).
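
Added example, not part of the original thread or any poster's own code: a read-only PowerShell triage of the two symptoms discussed above, the 169.254.x.x (self-assigned) address and the Windows Firewall service (MpsSvc) not starting. The Dhcp and BFE service names and all function names are assumptions added here; it uses WMI so it also runs on the PowerShell 2.0 shipped with Windows 7.

```powershell
# Read-only triage; changes nothing on the system.
# MpsSvc comes from the thread; Dhcp (DHCP Client) and BFE (Base Filtering
# Engine, which Windows Firewall depends on) are assumptions added here.

function Test-ApipaAddress {
    param([string]$Address)
    # 169.254.0.0/16 is the self-assigned range used when no DHCP reply arrives.
    return $Address -match '^169\.254\.\d{1,3}\.\d{1,3}$'
}

function Get-AdapterReport {
    # @() keeps the loop from running once on $null under PowerShell 2.0.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    foreach ($nic in $nics) {
        $ipv4  = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
        $apipa = @($ipv4 | Where-Object { Test-ApipaAddress $_ }).Count -gt 0
        New-Object PSObject -Property @{
            Adapter     = $nic.Description
            DhcpEnabled = $nic.DHCPEnabled
            DhcpServer  = $nic.DHCPServer
            IPv4        = ($ipv4 -join ', ')
            Apipa       = $apipa
        }
    }
}

function Get-ServiceReport {
    param([string[]]$Names = @('Dhcp', 'BFE', 'MpsSvc'))
    foreach ($name in $Names) {
        # Win32_Service returns nothing (no error) when the service is not registered.
        $svc   = Get-WmiObject Win32_Service -Filter "Name='$name'"
        $state = 'NotRegistered'
        $start = ''
        if ($svc) { $state = $svc.State; $start = $svc.StartMode }
        New-Object PSObject -Property @{
            Service   = $name
            KeyExists = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            State     = $state
            StartMode = $start
        }
    }
}

Get-AdapterReport | Format-Table Adapter, IPv4, Apipa, DhcpEnabled, DhcpServer -AutoSize
Get-ServiceReport | Format-Table Service, KeyExists, State, StartMode -AutoSize
```

An adapter showing Apipa True with DhcpEnabled True, next to a service row that is NotRegistered, Disabled or not Running, is a reason to look at the service layer before reinstalling NIC drivers.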
 

Nothinman

Thanks for that - Tweaking.com seems like a useful tool. I also ran it and it found and repaired a number of things.

However, the computer and applications do seem to load slower after running it?

I have no experience with that tool, but as I mentioned, without a frame of reference to compare, you can never be sure that you've completely cleaned your PC. To be confident that you're really clean you really need to either restore a known-good backup or reinstall from scratch.
 

nitrous9200

I agree. Even if you did get the system online again after removing the infection, you really should back up your data (preferably from a Linux live CD), wipe the drive and start over to be safe. The disinfection might also cause strange problems later on, so you should reload for that reason in addition to doing it for security purposes.
 

airdata

Look up 'winsock repair'.

The more recent malware I've seen has been a complete PITA. Have seen systems recently infected at the hard disk level, making cleanup a time sink.