1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: DNS server issue

Discussion in 'Networking' started by G-Stress, Sep 19, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. G-Stress

    G-Stress Thread Starter

    Joined:
    Feb 4, 2008
    Messages:
    259
    Having a weird DNS issue. I have my TCP/IP properties set for DHCP with DHCP disabled in the router, but alternate configuration is configured. For some reason I keep getting DNS servers assigned to me that I've never used.

    It keeps setting the DNS to staticly uses these addresses

    85.255.115.75
    85.255.112.109

    I've flushed the DNS rebooted I've checked the Advanced DNS tab in the TCP/IP Properties and it also lists those DNS Server addresses there as well, I remove them and they just keep comming back. This is happening on 1 of 2 machines on the same network. Any idea what would cause this?

    XP Pro SP2

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : antec
    Primary Dns Suffix . . . . . . . : xtech.n64
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . :No
    WINS Proxy Enabled. . . . . . . No
    DNS Suffix Search List. . . . . . xtech.n64

    Ethernet adapter Wireless Network Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Linksys Wireless-G PCI Network Adapt
    er with SpeedBooster
    Physical Address. . . . . . . . . : 00-12-17-69-AF-C4
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Autoconfiguration IP Address. . . : 10.0.1.20
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.0.1.1
    DNS Servers . . . . . . . . . . . : 85.255.115.75
    85.255.112.109
     
  2. Courtneyc

    Courtneyc

    Joined:
    Dec 6, 2003
    Messages:
    1,936
    Is your DNS set to get DNS server automatically? Incidentally, you always use the DNS servers you are assigned. I would bet that they are being issued to you from your ISP.

    Why in the world did you enable DHCP on your system but disable it on your router? Although you are getting an IP address from your alternate configuration, your system is still broadcasting for a DHCP server every 5 minutes. How about just statically assigning an IP address on your network. Set the DNS and the default gateway to the router.

    Or do what I did: Disable DHCP on your router, but enable it on a server on the network. Include a DNS server, a WINS server, and an NTP time server. (With a small network, all can be on the same Windows 2003 Server.) Use DHCP to send all the setup information to any DHCP client on the network.

    This way, my network never uses the DNS servers of the ISP (which are poor), keep perfect time, and drastically reduce broadcasts.

    Courtney
     
  3. G-Stress

    G-Stress Thread Starter

    Joined:
    Feb 4, 2008
    Messages:
    259
    I do have 2k3 setup as a DC. I'm in the process of doing an MCSE course and I'm just gettings hands on as much as I can to familiarize myself. I am going ot set static addresses, but I just wanted to see how good the "alternate configuration" option would work.

    The DNS servers this machine is getting are not the same issued to me by my ISP. My setup is as follows.

    Modem
    Router 1 192.168.15.x network which shares the internet connection for router 2 and 3
    Router 2 10.0.1.x network which is my network (DHCP Disabled)
    Router 3 172.16.0.x network (guest access)

    As I said I'm going to set static addresses, but it bugs me to not know how or why I keep getting assigned these DNS Servers. I'm also probably going to use OpenDNS eventually.


    Oh yea, yes my DNS is set to get DNS automatically, but it keeps setting itself back to static addresses. I change it back to auto and apply changes and it keeps setting it back to the same static addresses.
     
  4. G-Stress

    G-Stress Thread Starter

    Joined:
    Feb 4, 2008
    Messages:
    259
    Situation is worse then I thought. No matter what I set the DNS server to it always resets itself back to those same static addresses. I've tried setting my own static addresses, resetting winsock, re-installing tcp/ip, restarting the tcp/ip and dns services and it still keeps giving me these same DNS addresses.

    I would really like to know how I can find out who or what exactly is issuing me these addresses. :confused:
     
  5. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,418
    Malware is the logical explanation for what you're seeing.

    Please post a HijackThis 2.00.2 Log here.
     
  6. G-Stress

    G-Stress Thread Starter

    Joined:
    Feb 4, 2008
    Messages:
    259
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:38:14 AM, on 9/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\r_server.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\TightVNC\WinVNC.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\BPK\bpk.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Documents and Settings\G-Stress\Desktop\HiJackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [bpk] C:\Program Files\BPK\bpk.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtcc.exe] C:\WINDOWS\system32\kdtcc.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1208658727781
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xtech.n64
    O17 - HKLM\Software\..\Telephony: DomainName = xtech.n64
    O17 - HKLM\System\CCS\Services\Tcpip\..\{01B65D11-9A17-423B-AB08-88F5A82BB019}: NameServer = 85.255.115.75,85.255.112.109
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA09CA7-E9E1-402D-B4D6-A4D182E8198C}: NameServer = 85.255.115.75,85.255.112.109
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xtech.n64
    O17 - HKLM\System\CS1\Services\Tcpip\..\{01B65D11-9A17-423B-AB08-88F5A82BB019}: NameServer = 85.255.115.75,85.255.112.109
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xtech.n64
    O17 - HKLM\System\CS2\Services\Tcpip\..\{01B65D11-9A17-423B-AB08-88F5A82BB019}: NameServer = 85.255.115.75,85.255.112.109
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
    O23 - Service: SSL-Explorer - Unknown owner - C:\Program Files\sslexplorer\install\platforms\windows\wrapper.exe
    O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

    --
    End of file - 6298 bytes
     
  7. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,418
    You have a keylogger and your DNS address has been hijacked, so you have several issues here. Let's see if I can get a security person to take a look at this.
     
  8. G-Stress

    G-Stress Thread Starter

    Joined:
    Feb 4, 2008
    Messages:
    259
    Appreciate it JohnWill. The keylogger is installed by myself, however I did notice the DNS servers in the log also. I tried to fix them with hijackthis to no success and I found and tried deleting the registry keys to no success they just keep comming back.
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,322
    First Name:
    Karen
    Please print these instructions for reference, as you will have to restart your computer during the fix.

    Please download FixWareout from Here or Here.

    Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.
    1. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    2. The fix will begin; follow the prompts.
    3. If your firewall gives an alert, (because this tool will download an additional files from the internet), please don't let your firewall block it, but allow it instead.
    4. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    5. Once the desktop loads a text file will open (report.txt).
      Please post the C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.
     
  10. G-Stress

    G-Stress Thread Starter

    Joined:
    Feb 4, 2008
    Messages:
    259
    Username "G-Stress" - 09/21/2008 20:44:42 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check
    HKLM\SOFTWARE\~\Winlogon\ "System"="kdtcc.exe"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{01B65D11-9A17-423B-AB08-88F5A82BB019}
    "nameserver"="85.255.115.75,85.255.112.109" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EFA09CA7-E9E1-402D-B4D6-A4D182E8198C}
    "nameserver"="85.255.115.75,85.255.112.109" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{01B65D11-9A17-423B-AB08-88F5A82BB019}
    "DhcpNameServer"="85.255.115.75,85.255.112.109" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EFA09CA7-E9E1-402D-B4D6-A4D182E8198C}
    "DhcpNameServer"="85.255.115.75,85.255.112.109" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....
    ~~~~~ Other
    C:\WINDOWS\TEMP\kdtcc.ren 53248 06/13/2007

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinVNC"="\"C:\\Program Files\\TightVNC\\WinVNC.exe\" -servicehelper"
    "vptray"="C:\\Program Files\\NavNT\\vptray.exe"
    "bpk"="C:\\Program Files\\BPK\\bpk.exe"
    "C:\\WINDOWS\\system32\\kdtcc.exe"="C:\\WINDOWS\\system32\\kdtcc.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~






    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:56:42 PM, on 9/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\r_server.exe
    C:\Program Files\TightVNC\WinVNC.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\BPK\bpk.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\G-Stress\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SS SS Plugin - {1D1B2879-99FF-11E3-8D96-D7ACAC95952A} - C:\Program Files\BPK\bpkwb.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [bpk] C:\Program Files\BPK\bpk.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtcc.exe] C:\WINDOWS\system32\kdtcc.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1208658727781
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xtech.n64
    O17 - HKLM\Software\..\Telephony: DomainName = xtech.n64
    O17 - HKLM\System\CCS\Services\Tcpip\..\{01B65D11-9A17-423B-AB08-88F5A82BB019}: NameServer = 85.255.115.75,85.255.112.109
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA09CA7-E9E1-402D-B4D6-A4D182E8198C}: NameServer = 85.255.115.75,85.255.112.109
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xtech.n64
    O17 - HKLM\System\CS1\Services\Tcpip\..\{01B65D11-9A17-423B-AB08-88F5A82BB019}: NameServer = 85.255.115.75,85.255.112.109
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xtech.n64
    O17 - HKLM\System\CS2\Services\Tcpip\..\{01B65D11-9A17-423B-AB08-88F5A82BB019}: NameServer = 85.255.115.75,85.255.112.109
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
    O23 - Service: SSL-Explorer - Unknown owner - C:\Program Files\sslexplorer\install\platforms\windows\wrapper.exe
    O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

    --
    End of file - 6506 bytes
     
  11. G-Stress

    G-Stress Thread Starter

    Joined:
    Feb 4, 2008
    Messages:
    259
    Figured it out :D Whatever "kdtcc.exe" is seems to have been the issue. I deleted all registry entries pertaining to kdtcc.exe then I was able to finally delete the NameServer entries with the rogue DNS server addresses and now all is well.

    I ran another hijack this just to make sure and everything seems to be fine. For anyone interested this all seem to have started when I was trying to watch a streaming video a couple days ago. It prompted me to download and install a codec "fire-codec.v3.134.exe" specifically. I realized it when I tried to access a site I frequent and was unable to only on this pc. Then I ran an ipconfig /all and realized the DNS issue.

    I wanna thank everyone for their effort to help and excellent advice :D
     
  12. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,418
    Glad you got it running. I'd still post another HJT log for Cookiegal to take a peek at, just to make sure something's not lurking in the corner ready to get you again. :D
     
  13. G-Stress

    G-Stress Thread Starter

    Joined:
    Feb 4, 2008
    Messages:
    259
    No problem. Again thanks for everyone's help.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:51:42 AM, on 9/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\r_server.exe
    C:\Program Files\TightVNC\WinVNC.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\BPK\bpk.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Documents and Settings\G-Stress\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [bpk] C:\Program Files\BPK\bpk.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1208658727781
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xtech.n64
    O17 - HKLM\Software\..\Telephony: DomainName = xtech.n64
    O17 - HKLM\System\CCS\Services\Tcpip\..\{01B65D11-9A17-423B-AB08-88F5A82BB019}: NameServer = 10.0.1.21,10.0.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xtech.n64
    O17 - HKLM\System\CS1\Services\Tcpip\..\{01B65D11-9A17-423B-AB08-88F5A82BB019}: NameServer = 10.0.1.21,10.0.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xtech.n64
    O17 - HKLM\System\CS2\Services\Tcpip\..\{01B65D11-9A17-423B-AB08-88F5A82BB019}: NameServer = 10.0.1.21,10.0.1.1
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
    O23 - Service: SSL-Explorer - Unknown owner - C:\Program Files\sslexplorer\install\platforms\windows\wrapper.exe
    O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

    --
    End of file - 6111 bytes
     
  14. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,418
    Personally, I'm still curious about the domain specification xtech.n64, is that something you know about?
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,322
    First Name:
    Karen
    Yes, that file was definitely part of the problem but there's more to do.

    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/751516

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice