Full Version: IE gives DNS error all time
blindmanpugh
Running Windows XP Home edition with Service Pack 1 and all security updates on the family's computer. McAfee AV with latest data files and McAfee firewall. Can connect to internet via dial up modem but all I get is a DNS error no matter what site I try.

Read all information I can and run Spybot Search and Destroy, Adaware, Internet Cleanup and tried to run Noadware, but can't because my computer won't let me connect to their website to register.

Loaded HiJackThis and got the following log. If anyone can help I would greatly appreciate it as I am now at a loss what else to do.

Also on booting up get a message cannot load "TopSearch.dll"

Following is Log file

Logfile of HijackThis v1.98.2
Scan saved at 18:50:12, on 02/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: DownloadLegalMusic - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\DownloadLegalMusic (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB8B21B3-4FBC-43A5-A43A-8AE2622DF644}: NameServer = 213.1.119.97 213.1.119.98

I do hope someone can find a problem somewhere..

Thanks in advance

Ken
LoPhatPhuud
First:
I recommend that you uninstall P2P Networking through Add/Remove Programs.

If/when asked whether you also want to remove Altnet components, say 'Yes'.

P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.

Subsequently remove the P2P Networking folder in C:\Windows\System32, if still there.



Second:
Your DNS problem can be easily checked, but if the problem is not on your computer, it will take a call to your ISP to fix. After each of the following steps, check to see if you can get to sites.

1. If you have a firewall installed, be sure it is not blocking DNS. The parameters for allowing DNS are as follows:
Direction: Both (inbound and outbound)
Protocol: UDP
Source Port: any
Remote Address: any (can be restricted to your ISP's Nameservers if they remain constant)
Source Port: 53
Application: any

2. Download and install this program: (make a shortcut on your desktop for it)
http://download.microsoft.com/download/win...Ipcfg_Setup.exe

This is a Win 2000 program that also runs under Windows XP.

Check the following items in HiJackThis:
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB8B21B3-4FBC-43A5-A43A-8AE2622DF644}: NameServer = 213.1.119.97 213.1.119.98

Close all open windows except HiJackThis and press 'Fix Checked'.

Reboot.

Open your Control Panels
Double Click on Network Connections
Right Click on Local Connection (or whichever connection you use)
Select Properties
Select Internet Protocol (TCP/IP)
Click on Properties Button
Be sure that 'Obtain DNS server address automatically' is selected
Press 'OK' and close out of the Control Panel

Double Click on the wntipcfg shortcut
Press the 'More Info >>' button on the lower right
The second line will show your ISP's DNS servers
Copy the address shown down for reference
Press the '...' to the right of the address
Copy the second address
Press the 'Release All' Button
Press the 'Renew All' button
Check the DNS servers addresses again and copy them down

Try a few web sites and see if you can get to them.

If not, a call to your ISP is probably in order.

Note: if needed you can restore the removed HJT entry by using Config -> Restore and selecting the file for the O17 entry we removed.
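
Added example (not part of the original posts): a small Python parser that pulls the O17 NameServer value out of a HijackThis log and compares it with the DNS servers written down from wntipcfg after 'Renew All'. The sample lines are copied from the log posted above; the function names and the 192.0.2.53 address are assumptions made for illustration.

```python
import ipaddress
import re

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O9 - Extra button: DownloadLegalMusic - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\DownloadLegalMusic (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB8B21B3-4FBC-43A5-A43A-8AE2622DF644}: NameServer = 213.1.119.97 213.1.119.98
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                 # e.g. "O17 - <body>"
O17 = re.compile(r"^(?P<key>.+?): (?P<name>\w+) = (?P<value>.*)$")


def parse_entries(log):
    """Return (section, body) for each 'Xn - ...' line; header and process lines are skipped."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def static_nameservers(log):
    """Return [(registry_key, [ip, ...])] for every O17 NameServer value in the log."""
    found = []
    for section, body in parse_entries(log):
        m = O17.match(body) if section == "O17" else None
        if not m or m.group("name").lower() != "nameserver":
            continue
        servers = []
        for token in re.split(r"[,\s]+", m.group("value").strip()):
            if not token:
                continue
            try:
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                servers.append("INVALID:" + token)      # keep malformed values visible
        found.append((m.group("key"), servers))
    return found


def unexpected_nameservers(log, isp_servers):
    """Servers pinned in O17 that are not among those the ISP handed out after Release/Renew."""
    allowed = {str(ipaddress.ip_address(s)) for s in isp_servers}
    return [(key, [s for s in servers if s not in allowed])
            for key, servers in static_nameservers(log)
            if any(s not in allowed for s in servers)]


if __name__ == "__main__":
    # 192.0.2.53 is a constructed placeholder for the address noted from wntipcfg.
    print(unexpected_nameservers(SAMPLE_LOG, ["192.0.2.53"]))
```

An empty result means the pinned O17 servers match what the ISP assigns; any server listed is one to query with the ISP before restoring the entry.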
blindmanpugh
Thanks for the prompt reply. Unfortunately I have to go away for 3 weeks with work so will not be able to try it until my return.
Will let you know what happens when I try it.
regards
Ken