virus FUBARd my network. XP/Win7

WaxyChicken · 25 Sep 2010

I had a bad virus.
i managed to remove it.
but some bad ARP or DHCP or WINS entries are still there.
(it's a WINS/DHCP workgroup network with XP and Win7 machines)

now on my win7 when i ping my xp machine's IP i get: ping 192.168.2.4 success
but when i ping the xp by name i get:
C:\Windows\system32>ping DVR--PRINCESS

Pinging DVR--PRINCESS.DanceHall [72.215.225.9] with 32 bytes of data:
Request timed out.
Request timed out.

The wrong ip!! (which is also out of network!!)

what could the virus of changed to of made this static entry?
how can i remove it so the DHCP will update it?

my arp -a only shows my router.
other machines are showing up fine on my network.
my XP is working fine, but can't talk to this specific Win7 machine - i think it's because this win7 machine is trying to reply to the wrong IP address.

so basicly - since i got the virus - i can't see my xp machine from my win7.
my xp can see my win7 but can't access it.

suggestions?

chev65 · 25 Sep 2010

You might try resetting both winsock and tcp/ip. Type the following commands one at a time into your command prompt and hit enter. I'm not sure why you are using WINS, I would go with DNS name resolution unless you have a really good reason to use WINS instead.

netsh winsock reset catalog (reset winsock entries)
netsh int ip reset reset.log hit (reset TCP/IP stack)

Then try these commands> ipconfig /release ipconfig /renew

You might also want to post this at the security center of this forum to get more help with the virus problem.

WaxyChicken · 26 Sep 2010

The virus i've already taken care of. this is just left-over damage.

and i've found the problem but not how to fix it.
in the adapter settings i've enabled NetBios over TCP/IP - it's checked. (radio buttoned)
but in IPCONFIG /ALL it comes back as disabled.

is there another way to enable netbios over tcp/ip?

also - in the network sharing center:
i do have the network properly set to DANCEHALL but the "Access Type: Internet"- shouldn't that be network?
if so, how do i change it?

chev65 · 26 Sep 2010

Hard to say what the exact problem is from here with no ipconfig to go from. You can try resetting the TCP/IP stack and winsock which might help. Try the commands below.

netsh winsock reset catalog (reset winsock entries)
netsh int ip reset reset.log hit (reset TCP/IP stack)

Read more: http://windows7themes.net/repair-reset-winsock-windows-7.html#ixzz10eUnQiUw

WaxyChicken · 26 Sep 2010

didn't work.
i'm currently doing 68 hours a week at my two jobs so responses from me may be slow and i have little net time.

Code:

C:\Windows\system32>ipconfig /allcompartments /all

Windows IP Configuration


==============================================================================
Network Information for Compartment 1 (ACTIVE)
==============================================================================
   Host Name . . . . . . . . . . . . : TableDance
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : DanceHall

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : DanceHall
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 40-61-86-99-E8-FF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::57c:47db:e9e4:d469%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, September 26, 2010 10:29:01 AM
   Lease Expires . . . . . . . . . . : Sunday, October 10, 2010 10:29:01 AM
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DHCPv6 IAID . . . . . . . . . . . : 188768646
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-EE-FC-A0-40-61-86-99-E8-FF
   DNS Servers . . . . . . . . . . . : 192.168.2.1
                                       68.105.28.11
                                       68.105.29.11
                                       68.105.28.12
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.DanceHall:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : DanceHall
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e74:1488:287e:bb95:d56f(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1488:287e:bb95:d56f%13(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Windows\system32>

maybe - after the virus - is there anything there that should NOT be there instead of just being wrong?

Dancehall home network
access type: internet
homegroup: joined
connections: local area connection

home or work profile:
Sharing all libraries and printers.
not sharing streaming media.

network discovery: on
file and print sharing: on
Public Sharing: on
enabled for 40 or 56 bit encryptions
password protected sharing: off
allow windows to manage home group

WaxyChicken · 27 Sep 2010

suggestions?

WindowsStar · 27 Sep 2010

Is the sevice started??

Have you tried starting it form a Command Line (Run as Administrator)

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

Does it work now?

Mercurial · 28 Sep 2010

also try ipconfig /flushdns and /release and /renew see if that helps

jimbo45 · 28 Sep 2010

Hi there
in these situations IMO only a COMPETE OS IMAGE restore from a clean image will be any good.

I'd NEVER trust a computer again that had been infected with a Virus -- no matter how good the AV software is supposed to be.

This also amply illustrates the IMPORTANT point of MAKING REGULAR IMAGE BACKUPS OF YOUR OS.

Cheers
jimbo

chev65 · 28 Sep 2010

jimbo45 said:

Hi there
in these situations IMO only a COMPETE OS IMAGE restore from a clean image will be any good.

I'd NEVER trust a computer again that had been infected with a Virus -- no matter how good the AV software is supposed to be.

This also amply illustrates the IMPORTANT point of MAKING REGULAR IMAGE BACKUPS OF YOUR OS.

Cheers
jimbo

I just can't tell you how much I agree with your statements here Jimbo, although I hesitate to tell this to the OP because they usually get upset LOL. :)