Jump to content


DNS not resolving after malware removal

  • This topic is locked This topic is locked
5 replies to this topic

#1 onix



  • New Member
  • Pip
  • 4 posts

Posted 09 July 2004 - 04:59 PM

A friend gave me his notebook (XP Pro), which wasn't booting to try to save it. I went into safemode and by carefully selecting which services ran, was able to get it to boot. I then installed AVG, AdAware, Spybot S & D, and CWShredder, running them in that order. It found tons of malware. Several trojans, but mostly spyware.

Now, when I plug ethernet cable into the port (I'm running a DHCP server for my house and am on a cable connection), it detects the cable, "enables" the network, but does not properly acquire an address from my DHCP server.

If I manually configure the IP address, netmask, default gateway and DNS, I can ping IP addresses but not domain names. I can use NSLOOKUP to discover IP addresses, but I cannot resolve web pages in IE.

Alarmingly, when I double click on the network icon in the system tray, I can see that there are lots of packets being sent out to somewhere, and the activity light on the eithernet jack of the notebook is on fairly steadily.

I have done a "non-destructive OS repair" from the XP system disk.

Being primarily a Linux user, I am not completely familiar with all the processes, though I have tried to look up the ones I wasn't familiar with in the HijackThis log. I have read the FAQ the removal article for hijacked pages (this had the Win min error on shutdown and hijacked to your-searcher.com).

My most recent hijackthis log is below. Can anyone clue me in on how to fix this without a format and reinstall?


Logfile of HijackThis v1.98.0
Scan saved at 4:41:10 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Edited by onix, 09 July 2004 - 08:18 PM.

#2 onix



  • New Member
  • Pip
  • 4 posts

Posted 10 July 2004 - 10:14 AM

Perhaps I should also mention that within a minute or so of loging into this machine, the hard drive starts to read in bursts about 1 second apart and if connected to the network, begins madly trying to send some kind of packets out in time with the hard drive activity.


#3 Mike


    Dark Lord of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 514 posts

Posted 10 July 2004 - 11:01 AM

Most likely something ate the TCP/Winsock stack in the registry. Download LSP Fix and see if it helps at all. http://cexx.org/lspfix.htm
SpywareInfo: How are you gentlemen?? All your base are belong to us!!
Spyware: What you say!!
SpywareInfo: You have no chance to survive. Make your time!

#4 onix



  • New Member
  • Pip
  • 4 posts

Posted 10 July 2004 - 02:12 PM

When I run LSP-Fix, I get 3 items in the "Keep" side:
mswsock.... Tcpip
winmr.dll NTDS
rsvpsp.dll (protocol handler)

Nothing appears in the Remove side

the summary shows:

0 NameSpace provider entries removed
0 NameSpace provider entries renumbered
0 Protocol provider entries removed
0 Protocol provider entries renumbered

I can connect out by IP address, but not by domain name using either a browser or ping. In other words, it is not resolving dns.

#5 Mike


    Dark Lord of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 514 posts

Posted 11 July 2004 - 04:23 PM

Look at the TCP properties of the LAN connection and see if it's using the wrong entry for Primary DNS. That's all I can think of.

How is the internet shared there? Are you running ICS on one of the machines? Or do you have the router plugged into the cable modem and all the PCs plugged into the router?

I have my modem plugged into a PC running ICS, then the router plugged into that with all DNS on the clients pointing to I have to do it that way because I use a satellite connection.
SpywareInfo: How are you gentlemen?? All your base are belong to us!!
Spyware: What you say!!
SpywareInfo: You have no chance to survive. Make your time!

#6 onix



  • New Member
  • Pip
  • 4 posts

Posted 11 July 2004 - 07:41 PM

My network is this:

Cable -> cable modem -> linux box acting as router/dns/dhcp server
all other computers in the house are some breed of linux except my wife's 98 box.

All other machines that we've brought in (Mac, Windows XP, 2000, ME, 98, 95) have picked up the settings perfectly... dns =, default gateway =, netmask =, and of course it gets assigned an IP from my dhcp server in the 192.168.0.x range. Works like a champ.

Unfortunately, this laptop still isn't resolving dns. I have tried pointing it to other working dns servers, too, to no avail.

However, a quick update... I manually updated AVG again, and this time it found some more... I'll let you know what happens after this scan.


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!