Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Puzzled [resolved]


  • This topic is locked This topic is locked

#1
mjb

mjb

    New Member

  • Member
  • Pip
  • 3 posts
Greetings,

I've been trying to fix this machine for 2 days now and have no idea what's causing the problem(s).

First, it had a ton of spyware and a couple viruses. Those have subsequently been removed. Now, I'm able to ping, but unable to nslookup. It says 'server not found' (included in paste below).

I've ran HiJackThis, but don't see anything obvious. The process list shows 6 instances of 'svchost' running, 3 by 'SYSTEM', 1 by 'LOCAL SERVICE' and one by 'NETWORK SERVICE', one of the instances owned by 'SYSTEM' is utilizing 99% of CPU. (just for the record, I did verify that it was 'svc' and not 'scv')

It's Windows XP Pro SP2 (newly upgraded to SP2).

Also, in the paste of the log below, notice the odd characters displayed when attempting to ping an address.

In the 'nslookup' section, 10.0.0.3 is a valid name server on our network that is verified working.

Any help would be GREATLY appreciated.

Thanks!

[begin]

C:\>nslookup www.google.com
*** Can't find server name for address 10.0.0.3: No response from server
*** Default servers are not available
Server: UnKnown
Address: 10.0.0.3

*** UnKnown can't find www.google.com: No response from server

C:\>ping 128.8.5.2

Pinging °˙ with 32 bytes of data:

Reply from 128.8.5.2: bytes=32 time=53ms TTL=233
Reply from 128.8.5.2: bytes=32 time=53ms TTL=233
Reply from 128.8.5.2: bytes=32 time=58ms TTL=233
Reply from 128.8.5.2: bytes=32 time=54ms TTL=233

Ping statistics for :
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 53ms, Maximum = 58ms, Average = 54ms

C:\>


Logfile of HijackThis v1.99.1
Scan saved at 11:24:33 AM, on 3/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net;<local>
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Deleteheartwebknob] C:\Documents and Settings\All Users\Application Data\Hide exit delete heart\Ref sign.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Clare\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4863626-D167-4064-A62B-0978E873A53D}: NameServer = 10.0.0.3
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
[end]
  • 0

Advertisements


#2
mjb

mjb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
FYI -

I just noticed the 'hide exit delete heart' thing and removed that via hijackthis and deleted the directory which contained 'ref sign.exe' (and a bunch of other binaries.

Problem still exists.
  • 0

#3
mjb

mjb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Greetings,

I've been trying to fix this machine for 2 days now and have no idea what's causing the problem(s).

First, it had a ton of spyware and a couple viruses. Those have subsequently been removed. Now, I'm able to ping, but unable to nslookup. It says 'server not found' (included in paste below).

I've ran HiJackThis, but don't see anything obvious. The process list shows 6 instances of 'svchost' running, 3 by 'SYSTEM', 1 by 'LOCAL SERVICE' and one by 'NETWORK SERVICE', one of the instances owned by 'SYSTEM' is utilizing 99% of CPU. (just for the record, I did verify that it was 'svc' and not 'scv')

It's Windows XP Pro SP2 (newly upgraded to SP2).

Also, in the paste of the log below, notice the odd characters displayed when attempting to ping an address.

In the 'nslookup' section, 10.0.0.3 is a valid name server on our network that is verified working.

Any help would be GREATLY appreciated.

Thanks!

[begin]

C:\>nslookup www.google.com
*** Can't find server name for address 10.0.0.3: No response from server
*** Default servers are not available
Server: UnKnown
Address: 10.0.0.3

*** UnKnown can't find www.google.com: No response from server

C:\>ping 128.8.5.2

Pinging °˙ with 32 bytes of data:

Reply from 128.8.5.2: bytes=32 time=53ms TTL=233
Reply from 128.8.5.2: bytes=32 time=53ms TTL=233
Reply from 128.8.5.2: bytes=32 time=58ms TTL=233
Reply from 128.8.5.2: bytes=32 time=54ms TTL=233

Ping statistics for :
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 53ms, Maximum = 58ms, Average = 54ms

C:\>


Logfile of HijackThis v1.99.1
Scan saved at 11:24:33 AM, on 3/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net;<local>
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Clare\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4863626-D167-4064-A62B-0978E873A53D}: NameServer = 10.0.0.3
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
[end]
  • 0

#4
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Hi mjb, welcome at Geeks to Go!

* Please Download LSPFix from http://www.downloads....org/lspfix.zip and Run the Program.
  • Disconnect from the Internet and close all Internet Explorer Windows.
  • Check the "I know what I'm doing" Button.
  • Remove all traces of cdlsp.dll.
  • Reboot your system
These are optional items that you can fix in HijackThis:

* Scan again with HijackThis and check the following items:

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"


Part of MS Money. Available via Start -> Programs.

* After checking these items, close all browser windows except HijackThis and click "Fix checked".

* Reboot your system and post a new HJT log,
Didom
  • 0

#5
ScHwErV

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
User was helped in chat by Didom and gave the All Clear

This thread is now closed. mjb if you need any help in the future, just PM a Staff Member to have this thread re-opened.

ScHwErV :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP