onix

DNS not resolving after malware removal

6 posts in this topic

A friend gave me his notebook (XP Pro), which wasn't booting, to try to save it. I went into safe mode and, by carefully selecting which services ran, was able to get it to boot. I then installed AVG, AdAware, Spybot S & D, and CWShredder, running them in that order. It found tons of malware. Several trojans, but mostly spyware.

Now, when I plug the ethernet cable into the port (I'm running a DHCP server for my house and am on a cable connection), it detects the cable, "enables" the network, but does not properly acquire an address from my DHCP server.

If I manually configure the IP address, netmask, default gateway and DNS, I can ping IP addresses but not domain names. I can use NSLOOKUP to discover IP addresses, but I cannot resolve web pages in IE.

Alarmingly, when I double click on the network icon in the system tray, I can see that there are lots of packets being sent out to somewhere, and the activity light on the ethernet jack of the notebook is on fairly steadily.

I have done a "non-destructive OS repair" from the XP system disk.

Being primarily a Linux user, I am not completely familiar with all the processes, though I have tried to look up the ones I wasn't familiar with in the HijackThis log. I have read the FAQ and the removal article for hijacked pages (this had the Win min error on shutdown and hijacked to your-searcher.com).

My most recent HijackThis log is below. Can anyone clue me in on how to fix this without a format and reinstall?

Thanks

Onix

 

Logfile of HijackThis v1.98.0

Scan saved at 4:41:10 PM, on 7/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Dell\AccessDirect\dadapp.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\AccessDirect\DadTray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\System32\qttask.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Edited by onix


Perhaps I should also mention that within a minute or so of logging into this machine, the hard drive starts to read in bursts about 1 second apart and, if connected to the network, begins madly trying to send some kind of packets out in time with the hard drive activity.

Onix


When I run LSP-Fix, I get 3 items in the "Keep" side:

mswsock.... Tcpip

winmr.dll NTDS

rsvpsp.dll (protocol handler)

Nothing appears in the Remove side.

The summary shows:

0 NameSpace provider entries removed

0 NameSpace provider entries renumbered

0 Protocol provider entries removed

0 Protocol provider entries renumbered

I can connect out by IP address, but not by domain name using either a browser or ping. In other words, it is not resolving DNS.

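The symptom in this thread (NSLOOKUP finds addresses, ping and the browser do not) separates two resolution paths: nslookup builds its own DNS packets and sends them to the server, while gethostbyname goes through the Winsock name-space providers that LSP-Fix lists above. The script below is an added example, not code from the thread; it reproduces that comparison by sending a hand-built DNS query straight to a server and checking the OS resolver beside it. The sample response bytes, the 192.0.2.1 address and the diagnose() wording are constructed for illustration; 192.168.0.1 is the DNS server the poster describes.

```python
import socket
import struct
def build_query(name, txid=0x1234):
    """Minimal RFC 1035 A query: header (RD set, 1 question) + QNAME + QTYPE/QCLASS."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)
def skip_name(msg, off):
    """Offset just past the name at `off`; a 0xC0 compression pointer ends the name in 2 bytes."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1
def parse_a_records(msg):
    """IPv4 addresses from the answer section of a DNS response message."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):                       # skip the echoed question(s): name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])  # TYPE, CLASS, TTL, RDLENGTH
        off += 10
        if rtype == 1 and rdlen == 4:         # TYPE 1 = A
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs
# Constructed sample response (not captured from the poster's machine): the question
# echoed back plus one A record whose name is a pointer to offset 0x0C (TEST-NET address).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.1"))
def resolve_direct(name, server, timeout=2.0):  # the path nslookup takes: our own UDP/53 query
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return parse_a_records(s.recvfrom(512)[0])
        except OSError:                       # timeout, unreachable, or no route
            return []
def resolve_via_os(name):  # the path ping and the browser take: the Winsock name-space providers
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None
def diagnose(direct_addrs, os_addr):
    if direct_addrs and not os_addr:
        return "server answers but OS resolver fails: suspect Winsock/LSP chain, hosts file, DNS Client service"
    return "server not answering: check addressing, gateway, firewall" if not direct_addrs else "both paths resolve"
```

Run it on the affected machine with `diagnose(resolve_direct("example.com", "192.168.0.1"), resolve_via_os("example.com"))`; the first branch is the thread's symptom and points at the resolver chain rather than the network.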

Look at the TCP properties of the LAN connection and see if it's using the wrong entry for Primary DNS. That's all I can think of.

 

How is the internet shared there? Are you running ICS on one of the machines? Or do you have the router plugged into the cable modem and all the PCs plugged into the router?

 

I have my modem plugged into a PC running ICS, then the router plugged into that with all DNS on the clients pointing to 192.168.0.1. I have to do it that way because I use a satellite connection.


My network is this:

Cable -> cable modem -> Linux box acting as router/DNS/DHCP server

All other computers in the house are some breed of Linux except my wife's 98 box.

All other machines that we've brought in (Mac, Windows XP, 2000, ME, 98, 95) have picked up the settings perfectly... DNS = 192.168.0.1, default gateway = 192.168.0.1, netmask = 255.255.255.0, and of course it gets assigned an IP from my DHCP server in the 192.168.0.x range. Works like a champ.

Unfortunately, this laptop still isn't resolving DNS. I have tried pointing it to other working DNS servers, too, to no avail.

However, a quick update... I manually updated AVG again, and this time it found some more... I'll let you know what happens after this scan.

Onix
