
Can no longer browse the network on many of my machines after virus

Status
Not open for further replies.

ei8ball

MIS
Jul 17, 2002
85
US
So my place of work received a nice little virus that spread faster than anything I have witnessed and it's killing the spirits of my coworkers and myself just as fast. I'm hoping someone on the boards here has some experience with such a thing.

We're told the virus was spread due to a vulnerability in the NAV software version we WERE using. I say were because we have since updated to the latest greatest and made sure all our clients are being managed correctly. Sometimes you gotta learn the hard way I guess.

Well, after updates/virus removal (So it says), many (Not all) computers now refuse to browse the network. Let me explain. They can...
Ping the gateway.
Ping anything on the network by both the ip addy AND the actual name.

They cannot type \\computername
It gives the message "The network location cannot be reached. For more information about network troubleshooting, see Windows Help."
They can't type \\172.16.x.x either

Which means mapped drives will not work and neither will printers shared on servers.

The computers can get ip addresses from the dhcp server.

So anyway I think you get the point.

So we have like 5 techs working on this problem... all tired.. all grouchy.. ready to go home to our wives.. lol... please help ;)

Sincerely,

Jason
 
Have you checked the Hosts files, to see if there are any strange entries in there?

Only the truly stupid believe they know everything.
Stu.. 2004
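The hosts-file check suggested in the reply above, as an added example that is not part of the original thread: a small Python audit that lists every entry a default hosts file would not contain. The sample content and the `av-vendor.example` names are constructed; on a real machine the file is `%SystemRoot%\System32\drivers\etc\hosts`, passed as the first argument.

```python
import ipaddress
import sys

# Names a default hosts file legitimately maps to loopback.
DEFAULT_NAMES = {"localhost"}

def audit_hosts(text):
    """Return (lineno, address, name, reason) for each non-default entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if ip.is_loopback and name.lower() in DEFAULT_NAMES:
                continue                          # the stock localhost entry
            if ip.is_loopback or ip.is_unspecified:
                reason = "name pinned to loopback/null address"
            else:
                reason = "static override of DNS"
            findings.append((lineno, addr, name, reason))
    return findings

# Constructed sample, not taken from any machine in the thread.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       updates.av-vendor.example   # constructed entry
0.0.0.0 www.av-vendor.example
172.16.0.10     fileserver01
not-an-ip       something
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE
    for lineno, addr, name, reason in audit_hosts(content):
        print(f"line {lineno}: {addr} -> {name}: {reason}")
```

Entries reported as "static override of DNS" may be legitimate on a managed network, so compare the output against a known-clean machine before deleting anything.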
 
If your tech guys know their stuff I would leave em to it.
I think it very much depends on how your network is configured.
Network viri do spread faster than you can get to em.

Here we run a small windows P2P network (8 PCs) and the answer is to pull the network plugs and clean up each machine, then only reconnect if you are sure they are OK. (I have had to do that before our ISP started filtering mail)
But that might not be possible in your case.


Steve [The sane]: Delphi a feersum engin indeed.
 
I am one of the tech guys, this virus has just been giving us the run around. You think you've got it.. then it shows up next day or sometimes after a few reboots.

This virus messes with your tcp stack it seems. Running netsh int ip reset c:\resetlog.txt on an xp client seems to fix the browsing issue. On w2k machines it doesn't work and the computers won't grab an ip if you uninstall tcpip and reinstall it as ms recommends.

And in case any are curious the viruses we've been encountering are variants of w32.spybot and w32.Randex. I've never encountered viruses that spread so fast over a network. We're talking over more than 25 subnets in 1 day.

If you're using NAV, be sure you're using the latest greatest version and defs... we weren't.
 
It sounds like this is opening a SOCKS proxy. If this is a Ranck variation, you need to make certain that all your machines are fully patched, too.

You may have a worm that is delivering the payload. I suspect you will have to "bite the bullet" and remove all the machines from the network and clean them up one by one. This includes servers, too. Just to be safe, I would also reboot all the switches just to be certain something isn't hiding in any free RAM. Don't turn the switches back on until all switches have been turned off.

Once all machines are off, clean one PC and put it back on the network. See if it gets reinfected. If it does, then the problem may be a backdoor on your network. Take your network off the internet and try again.


James P. Cottingham
-----------------------------------------
I'm number 1,229!
 
2ffat agrees with me. If possible pull all the plugs etc.


Steve [The sane]: Delphi a feersum engin indeed.
 
Yup we had to do that with Natchi...All 2000 of the devils...



Only the truly stupid believe they know everything.
Stu.. 2004
 
I have the exact same issue.
The viruses were running as: Mutex.exe and cybershots.exe
They were detected as: W32/Sdbot.worm.gen.h

These are on Win2000 boxes only.

Has someone found a solution for restoring the networking function?

I can ping for days, I can remote to the box, I can run Internet Explorer from the box, I just cannot map a drive, etc.
 
You may find this FAQ helpful
Lost Connectivity after Registry or Malware Cleanup faq779-4625
 
OK, I could have sworn I did this already but...
I removed the TCP/IP stack Proto., I then removed the MS Client. Rebooted. Re-added both items, rebooted again and Voilà. It's back to drive mapping mania.
 