Windows XP SP2 DNS not resolving
I'm helping a system recover from malware infection. It's a turnkey system that has no restore options, otherwise I'd blast it all and restore. "Personal Security" started it all, but several other trojans eventually came along.
Symptoms:
IE tries to go to any web page, and displays the cannot open web page screen at the bottom of which says : "cannot find server or DNS error".
Nslookup *can* resolve names - nslookup www.google.com gives the correct IP address, and nslookup of the resultant IP number gives www.google.com.
FTP does not resolve with a mnemonic name such as ftp.mozilla.org, but DOES connect when using the ip number instead of the name. Same for IE - it will go with an IP number, but mnemonics don't work.
Among the things I have tried:
- restored registry from several months ago, using the recovery console and going into the C:\System Volume Information\_restore area to copy in the registry from october 2009 (well before the infection) (this is what allowed me to boot the thing again)
- netsh int ip reset c:\resetlog.txt
- netsh winsock reset
- ipconfig /flushdns and ipconfig /registerdns.
- in-place reinstall of windows using the SP2 install disk
-Full all-file scans using adaware, malwarebytes, spybot, stinger, avira - all packages manually updated with current signatures, or run from fully updated CD boot disk
(and I did copious reboots at the appropriate times during all of the above).
I've been searching off and on for several days. Nothing seems to help. I'll try any suggestions, even ones I've already done.
Any clues?
Symptoms:
IE tries to go to any web page, and displays the cannot open web page screen at the bottom of which says : "cannot find server or DNS error".
Nslookup *can* resolve names - nslookup www.google.com gives the correct IP address, and nslookup of the resultant IP number gives www.google.com.
FTP does not resolve with a mnemonic name such as ftp.mozilla.org, but DOES connect when using the ip number instead of the name. Same for IE - it will go with an IP number, but mnemonics don't work.
Among the things I have tried:
- restored registry from several months ago, using the recovery console and going into the C:\System Volume Information\_restore area to copy in the registry from october 2009 (well before the infection) (this is what allowed me to boot the thing again)
- netsh int ip reset c:\resetlog.txt
- netsh winsock reset
- ipconfig /flushdns and ipconfig /registerdns.
- in-place reinstall of windows using the SP2 install disk
-Full all-file scans using adaware, malwarebytes, spybot, stinger, avira - all packages manually updated with current signatures, or run from fully updated CD boot disk
(and I did copious reboots at the appropriate times during all of the above).
I've been searching off and on for several days. Nothing seems to help. I'll try any suggestions, even ones I've already done.
Any clues?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Jason Watkins
Sounds like your browser has been hijacked. Does this happen with any other web browser?
Maybe you involuntarily in LAN settings checked the option to use a proxy server.
Remove it and also set IE to automatically detect settings.
Remove it and also set IE to automatically detect settings.
happened to me once, I had to change/buy a new nic and within 2 minutes everything worked.
ASKER
Optoma: sounds very promising, never heard of that tool before. Will try that tonight after everyone else goes to bed.
Firebar: Firefox does same, and ftp does not recognize mnemonics, so at this time, I'm thinking it's something deeper than a dedicated browser hijack
Senad: thanks, great suggestion; checked it, and it is not set to proxy
Giladn: that might do the trick - I'll keep that in mind if less expensive things don't work - at some point, a few dollars for a new nic might be a good investment against my time.
Thanks all, and I'll post tomorrow, probably later in the day after wife isn't paying attention. :)
Firebar: Firefox does same, and ftp does not recognize mnemonics, so at this time, I'm thinking it's something deeper than a dedicated browser hijack
Senad: thanks, great suggestion; checked it, and it is not set to proxy
Giladn: that might do the trick - I'll keep that in mind if less expensive things don't work - at some point, a few dollars for a new nic might be a good investment against my time.
Thanks all, and I'll post tomorrow, probably later in the day after wife isn't paying attention. :)
ASKER
Well, that was interesting. It shut off my windows firewall, wont let me start the ICS service necessary to run firewall, and made it so i have NO connectivity - it gets the autoconfig ip address of 169.254.22.170. Other machines on this switch get appropriate IP addresses of 192.168.1.100-190 (my DHCP range, served by a Cisco PIX I have in my home network) - i tested by releasing and renewing another machine plugged into the same switch. It got a good IP address. I then plugged in a machine that had never been connected by wire to that subnet, and it got a new IP address - so the DHCP server is fine. I also swapped cables for the one that just got the new IP addy, and i still get local config.
I've attached the combofix log as requested, and the autoruns output.
Thanks again for looking at this!
ComboFix.txt
AutoRuns.txt
I've attached the combofix log as requested, and the autoruns output.
Thanks again for looking at this!
ComboFix.txt
AutoRuns.txt
Thanks for those.
Could you disable Spy Bot's Tea Timer and rerun Combofix. Attach new logfile
http://forums.majorgeeks.com/showthread.php?t=103692&highlight=Teatimer
Could you disable Spy Bot's Tea Timer and rerun Combofix. Attach new logfile
http://forums.majorgeeks.com/showthread.php?t=103692&highlight=Teatimer
Hello,
Have you tried just setting a static IP address for your connection? Is there any type of access list on the Pix which could be causing this issue?
Have you tried just setting a static IP address for your connection? Is there any type of access list on the Pix which could be causing this issue?
Pull the hard drive and install it in another system as a second drive. Make sure the second system has a current antivirus installed. You may be dealing with a rootkit that is still in the system. If you scan the drive from the second system then the rootkit won't get a chance to run and you should be able to find it. That would also be a good time to delete temporary files. I would also delete any files in C:\windows\Prefetch. Windows will rebuild prefetch on the next boot. Look around in C:\Windows, C:\Windows\System32, C:\Windows\System32\Driver
Removing files in C:\Documents and Settings\user\Local Settings\temp & temporary internet may prevent a virus from loading on the next boot. Also delete files in C:\Windows\Temp.
Take a look at any new files in C:\ and C:\Program files also.
Removing files in C:\Documents and Settings\user\Local Settings\temp & temporary internet may prevent a virus from loading on the next boot. Also delete files in C:\Windows\Temp.
Take a look at any new files in C:\ and C:\Program files also.
ASKER
optoma: teatime disabled, new log file attached.
modus_in_rebus: thanks, I don't know why I didn't do that in the first place.
firebar: I did as you suggested, and no dice. Doesn't even recognize the nameserver anymore, and I tried my ISP's servers, some global DNS servers, and one from work that allows outside access. To be certain, I set another machine in this same subnet with those settings, and it worked. Just not the infected machine. I am highly doubting the PIX has an access list issue. I've had 4 other machines in here over the holidays (guests, like son, nephew, etc.) who have had no access issues while hooked into the same wired switch as this machine. Additionally, I have 8 other machines including Macs, iPhones, ASUS netbook, HP and Dell laptops, and an old eMachines desktop that go through the PIX with no issues. If you'd like, I can post the PIX config, but I'm not thinking this is a current front-runner for the issue.
MikeKAtLCS: I started the machine from a CD several times: UBCD windows, UBCD 5.0 RC1, UBCD 4.1.1, and an Avira rescue CD. This should give me the same results as putting the HD into another box, no? Great suggestion as to delteint the temp files and prefetch; I had not done the prefetch, but had done al of the others.
combofix.txt
modus_in_rebus: thanks, I don't know why I didn't do that in the first place.
firebar: I did as you suggested, and no dice. Doesn't even recognize the nameserver anymore, and I tried my ISP's servers, some global DNS servers, and one from work that allows outside access. To be certain, I set another machine in this same subnet with those settings, and it worked. Just not the infected machine. I am highly doubting the PIX has an access list issue. I've had 4 other machines in here over the holidays (guests, like son, nephew, etc.) who have had no access issues while hooked into the same wired switch as this machine. Additionally, I have 8 other machines including Macs, iPhones, ASUS netbook, HP and Dell laptops, and an old eMachines desktop that go through the PIX with no issues. If you'd like, I can post the PIX config, but I'm not thinking this is a current front-runner for the issue.
MikeKAtLCS: I started the machine from a CD several times: UBCD windows, UBCD 5.0 RC1, UBCD 4.1.1, and an Avira rescue CD. This should give me the same results as putting the HD into another box, no? Great suggestion as to delteint the temp files and prefetch; I had not done the prefetch, but had done al of the others.
combofix.txt
Thanks for that.
Did one of the previous scanners detect atapi.sys as being infected?. The logfile has this :
c:\windows\system32\driver
Try Winsock fix http://download.softpedia.com/dl/601898bc636a67694dd1b89d227da0be/4b3ef80b/100015337/software/tweak/winsockfix.exe
Make note of IP settings before running tool
Did one of the previous scanners detect atapi.sys as being infected?. The logfile has this :
c:\windows\system32\driver
Try Winsock fix http://download.softpedia.com/dl/601898bc636a67694dd1b89d227da0be/4b3ef80b/100015337/software/tweak/winsockfix.exe
Make note of IP settings before running tool
ASKER
yes, Avira detected atapi.sys as infected. I tried winsockxpfix earlier, and I just downloaded winsockfix and ran it. It looked just like winsockxpfix, and behaved the same way.
It gave me back some functionality - I now have a DHCP-provided IP, and can once again ping outside. I have some nslookup connectivity, about the same as before - I can nslookup IP numbers and get the proper mnemonic name, and lookup up the mnemonic name and get the proper IP number. Other applications such as IE, FireFox, FTP do not have the ability to use mnemonic names.
It gave me back some functionality - I now have a DHCP-provided IP, and can once again ping outside. I have some nslookup connectivity, about the same as before - I can nslookup IP numbers and get the proper mnemonic name, and lookup up the mnemonic name and get the proper IP number. Other applications such as IE, FireFox, FTP do not have the ability to use mnemonic names.
ASKER
Oh, and I now have the Windows Firewall back.
In cases like that I'd get a copy of the file from another machine with same OS and replace atapi.sys in locations:
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\dllcac
You would have to use a Live cd like knoppix to replace it as OS cant be active:
http://knopper.net/knoppix-mirrors/index-en.html
Delete the infected atapi.sys.XXX
After that we can try Lsp fix>are you familiar with it?
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\dllcac
You would have to use a Live cd like knoppix to replace it as OS cant be active:
http://knopper.net/knoppix-mirrors/index-en.html
Delete the infected atapi.sys.XXX
After that we can try Lsp fix>are you familiar with it?
ASKER
I used ubcd windows version as a live CD and ran the expand utility to put the atapi.sys from the windows xp SP2 install disc into both of the locations you specified. Before I expanded the file to those places, I deleted the two I was replacing along with the atapi.sys.XXX file.
That did not work (although as far as i can tell, it didn't hurt), so I downloaded lspfix from bleepingcomputer and ran it using the live CD (ubcd Windows) off of a USB stick that I put lspfix on using my Mac. It reported "No problems found", and listed three dlls running:
mswsock.dll Tcpip
winrnr.dll NTDS
rsvpsp.dll (protocol handler)
In addition, when booting from the live CD, this system connects perfectly to the internet.
Do you think it would help if I tried another in-place install of XP from the SP2 disk?
That did not work (although as far as i can tell, it didn't hurt), so I downloaded lspfix from bleepingcomputer and ran it using the live CD (ubcd Windows) off of a USB stick that I put lspfix on using my Mac. It reported "No problems found", and listed three dlls running:
mswsock.dll Tcpip
winrnr.dll NTDS
rsvpsp.dll (protocol handler)
In addition, when booting from the live CD, this system connects perfectly to the internet.
Do you think it would help if I tried another in-place install of XP from the SP2 disk?
Try these steps.
Can you remove Spy Bot for now so its reg tea timer wont interfere.
Run sfc /purgecache
Then sfc /scannow >hopefully it asks for cd.
After that try in-place repair
Can you remove Spy Bot for now so its reg tea timer wont interfere.
Run sfc /purgecache
Then sfc /scannow >hopefully it asks for cd.
After that try in-place repair
ASKER
I uninstalled spybot, malwarebytes, and adaware to be thorough.
sfc /scannow did not ask for a CD. after the progress bar got all the way, the sfc window closed itself. I'm progressing with an in-place repair.
sfc /scannow did not ask for a CD. after the progress bar got all the way, the sfc window closed itself. I'm progressing with an in-place repair.
ASKER
Optoma, your suggestions got rid of the thing, and the in-place repair made the internet work again. It's functional for now, and I've given it back to the owner and recommended a full software backup and re-format. It appears to work, and I rebooted it 20+ times after fixing, and it shows no symptoms, but I'm an untrusting sort.
So I'm considering it solved, and awarding the points to optoma. Thanks!
-e-
So I'm considering it solved, and awarding the points to optoma. Thanks!
-e-
ASKER
Optoma is very persistent! Great troubleshooter!
You're welcome!
Never any harm to backup + format :)
Spy Bot's tea timer can interfere with running of things sometimes. It and Adaware have lost its place to Mbam and Superantispyware.
What can be helpful in prevention is a hosts blocker. This one is fairly good if ya wanna test it out. Just disable its dns service in its configuration
http://blocklistpro.com/download-center/start-download/biss-hosts-manager/1263-hosts20setup.exe.html
Never any harm to backup + format :)
Spy Bot's tea timer can interfere with running of things sometimes. It and Adaware have lost its place to Mbam and Superantispyware.
What can be helpful in prevention is a hosts blocker. This one is fairly good if ya wanna test it out. Just disable its dns service in its configuration
http://blocklistpro.com/download-center/start-download/biss-hosts-manager/1263-hosts20setup.exe.html