[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 682
  • Last Modified:

Windows XP SP2 DNS not resolving

I'm helping a system recover from malware infection.  It's a turnkey system that has no restore options, otherwise I'd blast it all and restore.  "Personal Security" started it all, but several other trojans eventually came along.

Symptoms:
IE tries to go to any web page, and displays the cannot open web page screen at the bottom of which says : "cannot find server or DNS error".

Nslookup *can* resolve names - nslookup www.google.com gives the correct IP address, and nslookup of the resultant IP number gives www.google.com.

FTP does not resolve with a mnemonic name such as ftp.mozilla.org, but DOES connect when using the ip number instead of the name.  Same for IE - it will go with an IP number, but mnemonics don't work.

Among the things I have tried:

- restored registry from several months ago, using the recovery console and going into the C:\System Volume Information\_restore area to copy in the registry from october 2009 (well before the infection) (this is what allowed me to boot the thing again)
- netsh int ip reset c:\resetlog.txt
- netsh winsock reset
- ipconfig /flushdns and ipconfig /registerdns.
- in-place reinstall of windows using the SP2 install disk
-Full all-file scans using adaware, malwarebytes, spybot, stinger, avira - all packages manually updated with current signatures, or run from fully updated CD boot disk

(and I did copious reboots at the appropriate times during all of the above).

I've been searching off and on for several days. Nothing seems to help.  I'll try any suggestions, even ones I've already done.

Any clues?
0
melchioe
Asked:
melchioe
  • 9
  • 6
  • 2
  • +3
1 Solution
 
optomaCommented:
Run Combofix and attach logfile here after
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After Combofix and still issue:
Run autoruns.
In Autoruns:
Hit options and check "verify code signatures" and rescan (F5 key)
Don't make any other changes...

Within Autoruns,select the file tab and select save(Ctrl+S) and save as AutoRuns Data (*.arn) -Output file is a few megs in size
Once saved then right click autoruns.arn and rename to autoruns.txt to upload

Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
0
 
Jason WatkinsIT Project LeaderCommented:
Sounds like your browser has been hijacked.  Does this happen with any other web browser?
0
 
senadCommented:
Maybe you involuntarily in LAN settings checked the option to use a proxy server.
Remove it and also set IE to automatically detect settings.
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
GiladnCommented:
happened to me once, I had to change/buy a new nic and within 2 minutes everything worked.
0
 
melchioeAuthor Commented:
Optoma:  sounds very promising, never heard of that tool before.  Will try that tonight after everyone else goes to bed.
Firebar: Firefox does same, and ftp does not recognize mnemonics, so at this time, I'm thinking it's something deeper than a dedicated browser hijack
Senad:  thanks, great suggestion; checked it, and it is not set to proxy
Giladn:  that might do the trick - I'll keep that in mind if less expensive things don't work - at some point, a few dollars for a new nic might be a good investment against my time.

Thanks all, and I'll post tomorrow, probably later in the day after wife isn't paying attention. :)
0
 
melchioeAuthor Commented:
Well, that was interesting.  It shut off my windows firewall, wont let me start the ICS service necessary to run firewall, and made it so i have NO connectivity - it gets the autoconfig ip address of 169.254.22.170. Other machines on this switch get appropriate IP addresses of 192.168.1.100-190 (my DHCP range, served by a Cisco PIX I have in my home network) -  i tested by releasing and renewing another machine plugged into the same switch.  It got a good IP address.  I then plugged in a machine that had never been connected by wire to that subnet, and it got a new IP address - so the DHCP server is fine. I also swapped cables for the one that just got the new IP addy, and i still get local config.  

I've attached the combofix log as requested, and the autoruns output.

Thanks again for looking at this!
ComboFix.txt
AutoRuns.txt
0
 
optomaCommented:
Thanks for those.

Could you disable Spy Bot's Tea Timer and rerun Combofix. Attach new logfile
http://forums.majorgeeks.com/showthread.php?t=103692&highlight=Teatimer
0
 
Jason WatkinsIT Project LeaderCommented:
Hello,

Have you tried just setting a static IP address for your connection?  Is there any type of access list on the Pix which could be causing this issue?
0
 
MikeKAtLCSCommented:
Pull the hard drive and install it in another system as a second drive.  Make sure the second system has a current antivirus installed.  You may be dealing with a rootkit that is still in the system.  If you scan the drive from the second system then the rootkit won't get a chance to run and you should be able to find it.  That would also be a good time to delete temporary files.  I would also delete any files in C:\windows\Prefetch.  Windows will rebuild prefetch on the next boot.  Look around in C:\Windows, C:\Windows\System32, C:\Windows\System32\Drivers for any new files.  Sort the screen by date and see what has been installed recently.  Verify that any new files really belong there.  You can google them to be sure. You should know that your antivirus may update files in system32 and system32\drivers so make sure new files don't belong to your antivirus.

Removing files in C:\Documents and Settings\user\Local Settings\temp & temporary internet may prevent a virus from loading on the next boot.  Also delete files in C:\Windows\Temp.

Take a look at any new files in C:\ and C:\Program files also.
0
 
melchioeAuthor Commented:
optoma: teatime disabled, new log file attached.

modus_in_rebus: thanks, I don't know why I didn't do that in the first place.

firebar: I did as you suggested, and no dice.  Doesn't even recognize the nameserver anymore, and I tried my ISP's servers, some global DNS servers, and one from work that allows outside access.  To be certain, I set another machine in this same subnet with those settings, and it worked.  Just not the infected machine.  I am highly doubting the PIX has an access list issue.  I've had 4 other machines in here over the holidays (guests, like son, nephew, etc.) who have had no access issues while hooked into the same wired switch as this machine.  Additionally, I have 8 other machines including Macs, iPhones, ASUS netbook, HP and Dell laptops, and an old eMachines desktop that go through the PIX with no issues.  If you'd like, I can post the PIX config, but I'm not thinking this is a current front-runner for the issue.

MikeKAtLCS: I started the machine from a CD several times: UBCD windows, UBCD 5.0 RC1, UBCD 4.1.1, and an Avira rescue CD.  This should give me the same results as putting the HD into another box, no?  Great suggestion as to delteint the temp files and prefetch;  I had not done the prefetch, but had done al of the others.
combofix.txt
0
 
optomaCommented:
Thanks for that.
Did one of the previous scanners detect atapi.sys as being infected?. The logfile has this :
c:\windows\system32\drivers\atapi.sys.XXX >renamed?


Try Winsock fix http://download.softpedia.com/dl/601898bc636a67694dd1b89d227da0be/4b3ef80b/100015337/software/tweak/winsockfix.exe

Make note of IP settings before running tool
0
 
melchioeAuthor Commented:
yes, Avira detected atapi.sys as infected.  I tried winsockxpfix earlier, and I just downloaded winsockfix and ran it.  It looked just like winsockxpfix, and behaved the same way.  

It gave me back some functionality - I now have a DHCP-provided IP, and can once again ping outside.  I have some nslookup connectivity, about the same as before - I can nslookup IP numbers and get the proper mnemonic name, and lookup up the mnemonic name and get the proper IP number.  Other applications such as IE, FireFox, FTP do not have the ability to use mnemonic names.
0
 
melchioeAuthor Commented:
Oh, and I now have the Windows Firewall back.
0
 
optomaCommented:
In cases like that I'd get a copy of the file from another machine with same OS and replace atapi.sys in locations:
C:\WINDOWS\system32\drivers
C:\WINDOWS\system32\dllcache

You would have to use a Live cd like knoppix to replace it as OS cant be active:
http://knopper.net/knoppix-mirrors/index-en.html

Delete the infected atapi.sys.XXX

After that we can try Lsp fix>are you familiar with it?
0
 
melchioeAuthor Commented:
I used ubcd windows version as a live CD and ran the expand utility to put the atapi.sys from the windows xp SP2 install disc into both of the locations you specified.  Before I expanded the file to those places, I deleted the two I was replacing along with the atapi.sys.XXX file.

That did not work (although as far as i can tell, it didn't hurt), so I downloaded lspfix from bleepingcomputer and ran it using the live CD (ubcd Windows) off of a USB stick that I put lspfix on using my Mac.  It reported "No problems found", and listed three dlls running:

mswsock.dll  Tcpip
winrnr.dll NTDS
rsvpsp.dll (protocol handler)

In addition, when booting from the live CD, this system connects perfectly to the internet.

Do you think it would help if I tried another in-place install of XP from the SP2 disk?
0
 
optomaCommented:
Try these steps.
Can you remove Spy Bot for now so its reg tea timer wont interfere.

Run sfc /purgecache
Then sfc /scannow >hopefully it asks for cd.

After that try in-place repair
0
 
melchioeAuthor Commented:
I uninstalled spybot, malwarebytes, and adaware to be thorough.

sfc /scannow did not ask for a CD.  after the progress bar got all the way, the sfc window closed itself.  I'm progressing with an in-place repair.
0
 
melchioeAuthor Commented:
Optoma, your suggestions got rid of the thing, and the in-place repair made the internet work again.  It's functional for now, and I've given it back to the owner and recommended a full software backup and re-format.  It appears to work, and I rebooted it 20+ times after fixing, and it shows no symptoms, but I'm an untrusting sort.

So I'm considering it solved, and awarding the points to optoma.  Thanks!

-e-
0
 
melchioeAuthor Commented:
Optoma is very persistent!  Great troubleshooter!
0
 
optomaCommented:
You're welcome!
Never any harm to backup + format :)
Spy Bot's tea timer can interfere with running of things sometimes. It and Adaware have lost its place to Mbam and Superantispyware.

What can be helpful in prevention is a hosts blocker. This one is fairly good if ya wanna test it out. Just disable its dns service in its configuration
http://blocklistpro.com/download-center/start-download/biss-hosts-manager/1263-hosts20setup.exe.html
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

  • 9
  • 6
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now