One of my computers refuses to connect to the Internet

TheForce (original poster)
Windows 7 Professional.

This problem started on Monday. It has happened twice now with two new drives that were cloned from the original, which remains trouble free.

I have several other computers that connect just fine through my router/cable modem. The problem computer still sees other computers on my network.
I thought it may be Windows firewall. Shut it down and still have the problem. I connected the problem computer directly to my Cable modem, bypassing the router and switches and it still will not connect to the internet. Tried all the windows diagnostics and it indicates there is a problem but doesn't know how to fix it because it can't determine what the problem is.
I tried restore points but the restore process failed with an unknown reason.


When this first happened, I finally reformatted the hard drive to delete everything, reconnected my original drive and cloned the new drive to a known good drive with the basic windows 7 Pro on it that I know works. The recloned drive worked until this morning when I was working with Google Earth and then it just hung and I noticed the cloud based application could no longer access the internet. Same problem!

So what's different on the drive clone from the original? I did install Photoshop CS3 in both cases to the new drive that was not on the older drive. I also downloaded Google Earth to the new drive.

I ran a complete virus scan of the drive and it turns up nothing.


I'm stumped on this one. Any ideas?

Now off to re-clone the drive again!
 
There was an article a while back about the FBI blocking certain IP ranges... just a thought.... It was supposed to start in June.
 
Thanks juan!

Not much of a clue to go on but it was just enough. Did a Google search on "FBI blocking IP Ranges" and came up with this web page-

DNS Changer Removal Guide - spyware news

I downloaded the removal tool tdsskiller and it detected 3 infections that looked like travel agencies names. I put them in quarantine but that did not work. Next I selected the option to delete them and then got the instruction to reboot. It worked. Internet access came right back.

Oh yes, your clue came just as I was about to rewire the drives for cloning. I might get some work done this afternoon, now!
 
I'm confused how that fixed the issue. Your PCs are hidden from the public Internet by being behind your router. If your IP was within a range blocked, it would affect ALL of your PCs....

Oh wait -- after reading the linked article :rolleyes: -- that single machine had its DNS hijacked. Makes sense now...
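As an added example (editor's code, not anything posted in this thread), here is a Python check for the situation described above: it parses `ipconfig /all` output and flags any adapter whose DNS servers fall outside the resolvers this network is expected to hand out, which is the one-machine symptom the thread starts with. The sample output and the allowlist are constructed for illustration.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt (not real output from this thread) for a
# Windows 7 host whose DNS servers were silently rewritten by DNS Changer.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       203.0.113.9

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
# Assumed allowlist: router LAN address plus the ISP's resolver block. A DHCP
# client pointing elsewhere is why bypassing the router changed nothing.
EXPECTED_RESOLVERS = ["192.168.1.1/32", "198.51.100.0/24"]

def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [resolver, ...]} from ipconfig /all text."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, in_dns = line.rstrip(": "), False   # adapter header
            adapters[current] = []
            continue
        first = re.match(r"\s+DNS Servers[ .]*: (\S+)", line)
        more = re.match(r"\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)
        if first and current:
            adapters[current].append(first.group(1))
            in_dns = True
        elif more and in_dns:
            adapters[current].append(more.group(1))   # continuation line
        else:
            in_dns = False
    return adapters

def find_suspect_resolvers(ipconfig_text, expected=EXPECTED_RESOLVERS):
    """Map each adapter to the resolvers it uses that fall outside `expected`."""
    nets = [ipaddress.ip_network(n) for n in expected]
    suspects = {}
    for adapter, servers in parse_dns_servers(ipconfig_text).items():
        bad = [s for s in servers
               if not any(ipaddress.ip_address(s) in n for n in nets)]
        if bad:
            suspects[adapter] = bad
    return suspects
```

On a real machine, feed it the captured output of `ipconfig /all` and compare against the resolvers your router or ISP actually issues.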
 
It's been exactly one month to the day and guess what? This same computer got infected again! Same exact symptoms. Acquired an unidentified network and no internet access. This time I was ready and followed the procedure I used a month ago.
Step 1- shut off auto system restore.
Step 2- load the TDSS tool to detect and remove the suspect after scan.
Step 3- Reboot.
Step 4- confirm the unidentified network is now gone.
Step 5- turn on system restore and do a manual restore point.

I guess I'm on some sort of hit list since I got attacked again. This time the file name suspect was "Bonjour" Cute!


I wonder if I'll get hit again on August 6th?

My wife said there was a memo sent on the 5th from their internet security people warning to be on the alert for this to hit but she said she recalled it was the 8th, not the 6th. She may have misread it.

Second question- Why doesn't my antivirus detect this threat? I pay good money for protection and you'd think they could figure it out after a month! According to the internet none of the antivirus packages you pay for detect these DNS hijackers.
 
According to one article I read, the offending file has the ability to hide itself inside a regular system file. The special tool is designed to hunt down the hidden code. It's the reason why the auto restore point feature must be shut down, so that this software can modify the system files back to the original code state. This is a bit beyond my pay grade of understanding but I accept that is the reason. So, in order to work inside something like Norton AV, the system would need to disable the auto restore point, run the scan, then reset it again with a reboot. Ugh! Talk about a hit to performance! Do you think my understanding is on track?

Until the experts figure this out, we need to just be ready to use the detect and removal tool as a repair function, post mortem, rather than prophylactically. I'd bet this type of trojan may require a rethink on how the OS is structured and protected.
 
Is this the 32 bit or 64 bit installation? I would do 64 bit if you are reinstalling. 32 bit is much more vulnerable since drivers (and viruses) have a much easier time messing with all of memory. Once they get in they can hide themselves from the OS completely. Even reading the virus file fails since the virus just returns an innocent looking file instead of itself - the basis of a rootkit. Once you cannot trust your disk driver since it "covers" for the virus files, you probably are looking at a reinstall.
 
What I still find astounding is with all the IT professionals in this group and many of my friends who work in the business, so few are even aware of this. Yet, there are quite a few news articles on it available with a little searching. Personally, I am disappointed in the availability of details and explanations available. All I can say is the media really doesn't understand what happened here.

Internet Shutdown Looms for Some as US Fix Expires
10:00p ET July 8, 2012 (Dow Jones)

WASHINGTON (AFP)--Tens of thousands of people around the world whose computers were infected with malware last year may lose their Internet access Monday when a U.S. government fix expires, security experts say.
The problem stems from malware known as DNS Changer, which was created by cybercriminals to redirect Internet traffic by hijacking the domain name systems of Web browsers.
The ring behind the DNS Changer virus, discovered in 2007, was shut down last year by the U.S. Federal Bureau of Investigation, Estonian police and other law enforcement agencies.
Because the virus controlled so much Internet traffic, authorities obtained a court order to allow the FBI to operate replacement servers which allow traffic to flow normally, even from infected computers.
But those replacement servers will be shut down at 0401 GMT Monday, when some experts say infected computers will face an "Internet doomsday."
"DNS Changer is an insidious form of malware affecting everyone from the everyday consumer to a large chunk of the Fortune 500," said Lars Harvey, the chief executive of security firm Internet Identity.
The FBI, Facebook Inc. (FB), Google Inc. (GOOG), Internet service providers and security firms have been scrambling to warn users about the problem and direct them to fixes.
According to a working group set up by experts, more than 300,000 computers remained infected as of June 11.
The largest number were in the U.S. (69,000), but more than a dozen countries--including Italy, Germany, India, the U.K., Canada, France and Australia--are also believed to have infected computers.
Security experts say it's not clear how many of those computers are active.
"Reaching victims is a very hard problem, and something we have had issues with for years," said Johannes Ullrich, a researcher with the SANS Security Institute.
But he said he expected the impact to be "minimal" because many of these systems are no longer used or maintained.
Internet Identity said last week that at least 58 of all Fortune 500 companies and two out of 55 major government entities had at least one computer or router that was infected with DNS Changer.
That is an improvement over January, when half of Fortune 500 companies and U.S. federal agencies were infected.
IID said that the malware also compromises computers by preventing antivirus software updates.
Users who think they are infected may perform a test at the DNS Changer Working Group's website or others operated by various security firms.
For computers affected, the blackout will be total, experts say.
"Connectivity will be lost to the Internet PERIOD," said a blog posting from the security firm Symantec.
Six Estonians and a Russian were charged last November with infecting computers, including NASA machines, with the malware as part of an online advertising scam that reaped at least $14 million.
 
I suspect that the IT pros and the computers they manage will be largely unaffected. This is going to hit the casual users who many of us get to "clean" their PCs on a routine basis. You know, the ones with a McAfee subscription that expired three months after they bought their PC (3-1/2 years ago !) but they'll tell you, "yeah, I have anti-virus program installed".
 
Careful browsing habits, routine scans with decent AV software, and frequent updates of AV software and OS files will help to keep you safe from most of these baddies. Everyone swears by different AV programs; I like the free ones like what Microsoft offers and like AVG. The basic versions that don't cost money are decent and do not contain too much bloat. When I rebuild a system for a customer, I always do a fresh OS install and I always install one of the free AV programs before I release it to them. My customers usually don't come back with problems; they usually bring me another computer that belongs to a friend or their kids. One kid I had to set up with Ubuntu since he kept getting in trouble with virus/malware activity; I haven't seen that laptop in well over a year now. Ubuntu/Linux derivatives aren't completely safe, but are a lot safer than the main OS out there.
 