HCHTech
Well-Known Member
So...business customer (Win7 Pro 64) calls me with the stated symptom of their browser occasionally redirecting. They have SEP, and MBAM Pro. He tells me he has run full scans with each and come up empty.
I take a look and don't see any browser extensions or add-ins that might be bad - I do a standard cleanup & update, and rerun a scan with MBAM with the rootkit detection ticked. It finds 4 PUPs, and while spelunking around, I see conduit folders, etc.
After getting rid of those things, I run a scan with ADWCleaner, which finds a few more reg entries but nothing spectacular. After a reboot, the computer won't connect to the internet, so I figure I must have gotten it. I reset the TCP/IP stack with netsh, then reset winsock. The winsock reset gives me an "access denied" error. I go through the registry to check the networking keys for permission problems, and all looks normal. After a reboot, the computer connects again, but doesn't seem right, so I delete the network card from device manager and let it redetect on a reboot. Now, things seem to work normally - I browse around in a couple of different browsers for a while, ask the customer to check the sites he normally uses and no more redirecting. We reboot about 3 times during this just because, and all seems fixed.
The next day, he calls back, and he can't browse the web - he can send and receive email, but neither browser works. He gets the above error. So I talk him through deleting the network card again and rebooting, and this lets me remote in to check. I go through process explorer with a fine-tooth comb and can't find anything unusual. I reset the browsers and they start working again. I run another scan with MBAM and ADWCleaner, which comes back clean. Just for kicks, I change the DNS settings to use Google's servers. I also ran SFC, which was clean. I check the winsock reset again, and this time it works fine.
Two hours later, it stops working again with the same error when he tries to bring up a website. None of the other computers in the office (they are on a workgroup, no server) are having problems, so I don't think it's a router issue. Unfortunately, he would like to avoid having me take the computer so I could hammer it with scans or any of the other things I do when I'm not counting hours like I have to onsite.
So I'm heading back out there tomorrow with a plan to uninstall SEP, maybe replace the NIC, confirm the router configuration, etc. Is there anything else I should put on the list? I think I'm just going to tell him I have to take it to be sure.
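Added example, not from the original post: a read-only PowerShell snapshot of the Win7 settings that decide where browser traffic goes (per-user proxy/PAC, WinHTTP proxy, hosts file, Winsock catalog, DNS per adapter), so a working state can be diffed against the "email works but browsers don't" state. It assumes the standard Win7 locations for the hosts file and the Internet Settings registry key, and writes the report to a file named netsnapshot.txt on the desktop (a name chosen here).

```powershell
# Added example (not part of the original post). Read-only: it changes nothing,
# it only records the settings that commonly differ between "browsing works"
# and "browsing fails while email works" on a Win7 box.
# Assumed paths: standard Win7 hosts file and Internet Settings key.
$report = @()

# 1. Per-user proxy / PAC settings. Browsers honour these; a mail client usually
#    does not, which fits a browser-only outage.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$report += "ProxyEnable   : $($ie.ProxyEnable)"
$report += "ProxyServer   : $($ie.ProxyServer)"
$report += "AutoConfigURL : $($ie.AutoConfigURL)"

# 2. Machine-wide WinHTTP proxy (used by system components and some updaters).
$report += '--- winhttp proxy ---'
$report += (netsh winhttp show proxy)

# 3. hosts file: list every address-to-name line that is not the localhost entry.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$report += '--- hosts entries (non-localhost) ---'
$report += Get-Content $hosts | Where-Object {
    $_ -match '^\s*[0-9a-fA-F:.]+\s+\S+' -and $_ -notmatch '\slocalhost\s*$'
}

# 4. Winsock catalog: record every provider path and description so a
#    third-party entry stands out when two snapshots are compared.
$report += '--- winsock catalog ---'
$report += (netsh winsock show catalog) | Where-Object { $_ -match 'Provider Path|Description' }

# 5. DNS servers actually configured per adapter (WMI works on Win7 / PS 2.0).
$report += '--- DNS per adapter ---'
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' | ForEach-Object {
    $report += "$($_.Description): $($_.DNSServerSearchOrder -join ', ')"
}

$out = Join-Path $env:USERPROFILE 'Desktop\netsnapshot.txt'
$report | Out-File $out -Encoding ascii
Write-Host "Snapshot written to $out"
```

Take one snapshot while browsing works and another when it breaks; the lines that changed narrow the search to a proxy/PAC setting, a hosts entry, a Winsock provider, or a DNS change, rather than the NIC or the router.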