Solved

Can't connect to internet, maybe DNS problem.

Posted on 2006-06-19
Last Modified: 2008-02-01
Hi all, I have a Windows 2000 with me. I just ran AVG Free (antivirus scan); it did find some viruses and corrected them. However, after it found the virus and removed it, my computer can no longer connect to the internet.

I went to the eventlogs and found these errors

Event ID 406
"The DNS Server could not create a User Datagram Protocol (UDP) socket. The event data is the error code. Restart the DNS server or reboot your computer.

Event ID: 408
Description: DNS Server could not open socket for address [IP address of server]. Verify that this is a valid IP address on this machine. If it is NOT valid use the Interfaces dialog under Server Properties in the DNS Manager to remove it from the list of IP interfaces. Then stop and restart the DNS server. (If this was the only IP interface on this machine and the DNS server may not have started as a result of this error. In that case remove the DNS\Parmeters\ListenAddress value in the services section of the registry and restart.) If this is a valid IP address for this machine, make sure that no other application (e.g. another DNS server) is running that would attempt to use the DNS port.

Event ID: 414
The DNS server computer currently has no DNS domain name. Its DNS name is a single label hostname with no domain (example: "host" rather than "host.microsoft.com").

I'm not connected to any domain, only workgroup

When i try to start my DNS server service, i get an error 6: Handle Is Invalid

my question is
1. In winXP there's no DNS server.. least not in the services.. but in Win2k, do i need this thing started to surf the net?
2. If not, how do i diagnose my problem and fix it?
3. If so, How do i fix it.


thx





Question by:Sylpheed777
16 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16939370
Have you tried WinsockFix to fix the connection?
http://www.majorgeeks.com/download4372.html
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16939384
Have you also tried.
Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically".  
Click OK twice, and restart your computer.


Or try flushing the DNS cache?

ipconfig /flushdns
0
 
LVL 2

Author Comment

by:Sylpheed777
ID: 16939427
thx for the quick replies.

WinsockFix did help, it fixed the DNS servers, but i still can't get online

Here's what's happening

When i try to ping google
by www.google.com i get "Unknown Host www.google.com"
but when i ping its ip, it works.

same thing for other computers that are on LAN, i ping by the name i get unknown host, if i ping by ip, i can get through.

I tried flushDns also, didn't work.

ip and dns are both entered manually, i have the exact same config on this comp, last time it works for my other comp, but now it doesn't.

please advise.. thx
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16939518
Can we look at your hijackthis log? it might show something.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.
0
 
LVL 2

Author Comment

by:Sylpheed777
ID: 16939563
thx for the advice.. here's it

http://www.hijackthis.de/logfiles/a2a43d419b2fa22fe3898a80d71f0378.html
http://www.rafb.net/paste/results/H3ldqt97.html


Logfile of HijackThis v1.99.1
Scan saved at 11:42:04 AM, on 6/20/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\System32\sistray.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Utopia\Angel\Angel.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Metacafe\MetacafeAgent.exe
C:\WINNT\system32\mmc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\CMD.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe
 
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - Startup: MetaCafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: MetaCafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{83FAAC47-C782-42F4-AFD8-BBA1F7461C18}: NameServer = 10.216.254.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\System32\cba\pds.exe
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\System32\libsysmgr.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16939624
You need to uninstall "NewDotNet" if it's still listed in add/remove programs list.

Delete this folder if still present --> C:\Program Files\NewDotNet
You must delete this file --> C:\WINNT\System32\syslog32.exe

Put a check next to the entries and click "Fix Checked":
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll (file missing)
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm  
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\System32\libsysmgr.exe (file missing)


Open Hijackthis > Open Misc Tools Section > Open "Delete an NT Service"
In the new window, copy and paste or type this service --> ntlogin32
into the Open field and hit OK


Also try Kaspersky's scan and MS Removal tool.
1. Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok. Then choose: my computer: scan all your hard drives and mapped disks. when finished click save as text and post that in your reply.
   
2. MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
0
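The triage applied to the posted log in the comment above can be approximated in code. This is an added example, not part of the original thread and not HijackThis's own logic; the three heuristics (a target marked "(file missing)", a Run entry with no directory path, an O23 service with "Unknown owner") and the function names are assumptions made for illustration, and they do not cover the O9 entries that were also selected.

```python
import re

# Sample input: a few entries taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll (file missing)
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{83FAAC47-C782-42F4-AFD8-BBA1F7461C18}: NameServer = 10.216.254.1
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\System32\libsysmgr.exe (file missing)
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.*?)\] (.+)$")


def run_target(command):
    """Return the program part of a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: the first token is enough to tell whether a directory is given.
    return command.split()[0]


def triage(log_text):
    """Return (section, reason, subject) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, rest = m.groups()
        # Heuristic 1 (assumption): registration whose target no longer exists.
        if rest.endswith("(file missing)"):
            findings.append((section, "file missing", rest))
        if section == "O4":
            # Heuristic 2 (assumption): autorun with a bare file name, so the
            # program is found through the search path, not a fixed location.
            run = RUN.match(rest)
            if run and "\\" not in run_target(run.group(2)):
                findings.append((section, "run entry without path", run.group(1)))
        elif section == "O23" and rest.startswith("Service: "):
            # Heuristic 3 (assumption): service binary with no vendor information.
            parts = rest[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                name = re.search(r"\((\w+)\)$", parts[0])
                findings.append((section, "unknown owner",
                                 name.group(1) if name else parts[0]))
    return findings


if __name__ == "__main__":
    for section, reason, subject in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:24} {subject}")
```

For an O23 hit the third field is the short service name, which is the value the "Delete an NT Service" dialog asks for.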
 
LVL 2

Author Comment

by:Sylpheed777
ID: 16939684
hi thx for the advice..

"You need to uninstall "NewDotNet" if it's still listed in add/remove programs list."
No NewDotNet listed there

Delete this folder if still present --> C:\Program Files\NewDotNet - was deleted before, but register was still showing i guess
You must delete this file --> C:\WINNT\System32\syslog32.exe - file doesn't exist in system32

Put a check next to the entries and click "Fix Checked":
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll (file missing)  - done
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe - done
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -  C:\WINNT\web\related.htm  - done
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm - done
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\System32\libsysmgr.exe (file missing) - done but it's still there after i rescanned



Open Hijackthis > Open Misc Tools Section > Open "Delete an NT Service"
In the new window, copy and paste or type this service --> ntlogin32
into the Open field and hit OK  - Done but it says "The service 'ntlogin32' is enabled and /or running. Disable it first, using HijackThis itself (from the scan results) or the serevices.msc window.

through the HijackThis scan results, i checked it again and click "Fix checked" but it's still there



Also try Kaspersky's scan and MS Removal tool.
1. Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok. Then choose: my computer: scan all your hard drives and mapped disks. when finished click save as text and post that in your reply.
   
2. MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en


I'm downloading the scan now. will post my results once i'm done
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16939708
I forgot, you can also run "new.netfix" which will remove the keys left behind when uninstalling NewDotNet.

Download new.netfix.exe by noahdfear.
http://noahdfear.geekstogo.com/click%20counter/click.php?id=9
Save the file to your desktop. Double click, then click Start to extract the contents to its own folder. Open the folder and double click the "RunThis.bat" file to start the tool.
Follow the prompts and post the contents of the new.net.txt file it creates in the folder.
0

 
LVL 2

Author Comment

by:Sylpheed777
ID: 16939718
yup, done, it's removed :D nifty tool indeed :)
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16939911
>>>C:\WINNT\System32\syslog32.exe - file doesn't exist in system32<<<
Did you use explorer when you looked for the file or you used "Search"?
Were you showing "hidden files and folders" first?

If you used "Search" it will not look for hidden files even if explorer's folder options is already showing hidden files and folders.

If you use Search, you then need to reconfigure it first because by default it does not look for hidden files even if hidden files are already showing:
Start > Search >
Click "all files and folders" then scroll down
and click "more advanced options"
put a check next to "hidden files and folders"
scroll up, type the file and click Search.

If you still can't find it, then maybe it's just the leftover registry entry that's left. It's hard to know because an O4 entry never says "file missing" even if the file no longer exists.


>>> Done but it says "The service 'ntlogin32' is enabled and /or running. Disable it first, using HijackThis itself (from the scan results) or the serevices.msc window.<<<

So is this service still showing when you run Hijackthis then? --> ntlogin32

You can use Start > Run > then type in:

sc stop ntlogin32

press Enter, then

sc delete ntlogin32

press Enter


0
 
LVL 2

Author Comment

by:Sylpheed777
ID: 16939933
when i did my search, all hidden files were shown.

under search options -> advanced options -> only 3 check boxes, Search subfolders, case sensitive, search slow files



as for sc stop ntlogin32

i did that, gave me this error, "Cannot find the file 'sc' (or one of it's components). Make sure the path and filename are correct and that all required libraries are available.

0
 
LVL 2

Author Comment

by:Sylpheed777
ID: 16939946
As for the Kaspersky AV, i can't seem to find the right version...
i downloaded 3 versions but all 3 are giving me the same error "cannot be installed on a server version of Microsoft windows"

The 3 versions i've downloaded are
1. Personal
2. 6.0
3. Workstations
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 16945185
My experience with a heavily infected system like yours is that it might never come back to work normally ... I would suggest (well ... i know, ... it sounds crazy!) to reinstall windows. My understanding is that this is a small network or maybe a single pc ... If you don't have too much stuff to reinstall, I think it is better to waste 1h to reinstall windows rather than 1h trying to get rid of nasty browser hijackers ....

Can you access websites by ip address instead of using the name?
Here it is one: http://64.236.16.20/ (CNN.Com Ip address)

Hope I didn't scare you too much with the win reinstall ...

0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 250 total points
ID: 16947481
>>as for sc stop ntlogin32

i did that, gave me this error, "Cannot find the file 'sc' (or one of it's components). Make sure the path and filename are correct and that all required libraries are available.<<

Okay, just fix that service by fixing the entry in hijackthis (doing that will stop and disable the service).
Put a check next to this entry and click "Fix Checked":
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\System32\libsysmgr.exe (file missing)

After hijackthis fixed that entry, you then delete it using hijackthis like i said before.
Open Hijackthis > Open Misc Tools Section > Open "Delete an NT Service"
In the new window, copy and paste or type this service --> ntlogin32
into the Open field and hit OK

The service has to be stopped first before hijackthis can delete an NT Service,
Hijackthis stops the service by Fixing the O23 entry, then hijackthis deletes it by going to Misc > Delete an NT Service.


Then try Ewido:
Please download Ewido anti-malware free trial version..
Install Ewido
"http://www.ewido.net/en/download/"
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click "update"
Then click on "Start Update"
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net/en/download/updates/

Once the updates are installed close the Ewido program.

Then Reboot your computer into "Safe Mode"

Once in safe mode, start Ewido and do the following:

Click on "scanner"
Click on "Complete System Scan" and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report.txt file to your desktop.
Close Ewido.


0
 
LVL 2

Author Comment

by:Sylpheed777
ID: 16948309
that worked! :) well maybe everything helped it to that..

when i did the scan in safe mode, i found this other worm, "worm.ankar.a", something like that. Ewido fixed that promptly.

after that i rebooted to normal mode, still didn't work, but i went to fiddle with the ip address that i put there. It's the same ip address on other comps that it works. But this time i just changed the number, and it worked immediately. Then i changed back to the original one, it still works.

I think it probably cached the wrong ip address, or something was spoiled and WinsockFix fixed it also, but i didn't reset the ip.

Thx a lot guys! :D
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16949669
Glad to hear you've got it working!

No problem and thank you, :)
0
