
OTL, MBAM, GMER results - Possible redirect



#16 RKinner (Malware Expert)

Didn't quite work. Should be

ipconfig SPACE /all SPACE >> SPACE junk2.txt

Appears that the DNS server is not working for you so we definitely need ipconfig /all in both unconnected and connected modes. Also want the nslookup command for both connected and unconnected.

Ron


#17 Kashink (Topic Starter)

Gosh! I missed your answer earlier.

When I did the test a few minutes ago, a message came up in the DOS window. It said: xxx.dc4.xxxad.xxx.ca cannot find http://logiterm/index.php -- non-existent domain.

Here is the report:

Configuration IP de Windows

Nom de l'hôte . . . . . . . . . . : ACER
Suffixe DNS principal . . . . . . :
Type de nœud . . . . . . . . . . : Inconnu
Routage IP activé . . . . . . . . : Non
Proxy WINS activé . . . . . . . . : Non
Liste de recherche du suffixe DNS : sympatico

Carte Ethernet Connexion au réseau local:

Statut du média . . . . . . . . . : Média déconnecté
Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
Adresse physique . . . . . . . . .: 00-1D-72-02-76-54

Carte Ethernet Connexion réseau sans fil:

Suffixe DNS propre à la connexion : sympatico
Description . . . . . . . . . . . : Intel® Wireless WiFi Link 4965AGN
Adresse physique . . . . . . . . .: 00-13-E8-DF-D3-33
DHCP activé. . . . . . . . . . . : Oui
Configuration automatique activée . . . . : Oui
Adresse IP. . . . . . . . . . . . : 192.168.1.102
Masque de sous-réseau . . . . . . : 255.255.255.0
Passerelle par défaut . . . . . . : 192.168.1.1
Serveur DHCP. . . . . . . . . . . : 192.168.1.1
Serveurs DNS . . . . . . . . . . : 192.168.2.1
192.168.2.1
Bail obtenu . . . . . . . . . . . : 3 février 2010 13:15:52
Bail expirant . . . . . . . . . . : 4 février 2010 13:15:52

Carte Ethernet {3414D784-7C26-4C28-B01E-F9774ED296C7}:

Suffixe DNS propre à la connexion :
Description . . . . . . . . . . . : Nortel IPSECSHM Adapter - Miniport d'ordonnancement de paquets
Adresse physique . . . . . . . . .: 44-45-53-54-42-00
DHCP activé. . . . . . . . . . . : Non
Adresse IP. . . . . . . . . . . . : 0.0.0.0
Masque de sous-réseau . . . . . . : 0.0.0.0
Passerelle par défaut . . . . . . :

DNS request timed out.
timeout was 2 seconds.
Serveur : UnKnown
Address: 192.168.2.1

Nom : http://logiterm/index.php.sympatico
Address: 67.63.55.2


Configuration IP de Windows

Nom de l'hôte . . . . . . . . . . : ACER
Suffixe DNS principal . . . . . . :
Type de nœud . . . . . . . . . . : Inconnu
Routage IP activé . . . . . . . . : Non
Proxy WINS activé . . . . . . . . : Non
Liste de recherche du suffixe DNS : xxx.ca

Carte Ethernet Connexion au réseau local:

Statut du média . . . . . . . . . : Média déconnecté
Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
Adresse physique . . . . . . . . .: 00-1D-72-02-76-54

Carte Ethernet Connexion réseau sans fil:

Suffixe DNS propre à la connexion : sympatico
Description . . . . . . . . . . . : Intel® Wireless WiFi Link 4965AGN
Adresse physique . . . . . . . . .: 00-13-E8-DF-D3-33
DHCP activé. . . . . . . . . . . : Oui
Configuration automatique activée . . . . : Oui
Adresse IP. . . . . . . . . . . . : 192.168.1.102
Masque de sous-réseau . . . . . . : 255.255.255.0
Passerelle par défaut . . . . . . : 192.168.1.1
Serveur DHCP. . . . . . . . . . . : 192.168.1.1
Serveurs DNS . . . . . . . . . . : 192.168.2.1
192.168.2.1
Bail obtenu . . . . . . . . . . . : 3 février 2010 13:15:52
Bail expirant . . . . . . . . . . : 4 février 2010 13:15:52

Carte Ethernet {3414D784-7C26-4C28-B01E-F9774ED296C7}:

Suffixe DNS propre à la connexion : xxx.ca
Description . . . . . . . . . . . : Nortel IPSECSHM Adapter - Miniport d'ordonnancement de paquets
Adresse physique . . . . . . . . .: 44-45-53-54-42-00
DHCP activé. . . . . . . . . . . : Non
Adresse IP. . . . . . . . . . . . : 10.20.209.179
Masque de sous-réseau . . . . . . : 255.255.255.0
Passerelle par défaut . . . . . . : 10.20.209.179
Serveurs DNS . . . . . . . . . . : 10.1.60.12
10.1.60.27

Serveur : xxx.ca
Address: 10.1.60.12

#18 RKinner (Malware Expert)

OK I see what is going on. I don't think you can get to your DNS at your client's company.

Connect up to your client.

Open a command window as before and type:

nslookup

(It will give 2 lines about your default DNS server and prompt will change to > )

server 10.1.60.12

( You will probably get:
> server 10.1.60.12
DNS request timed out.
timeout was 2 seconds.
Default Server: [10.1.60.12]
Address: 10.1.60.12 )

(now type in the usual url without the http:// or the stuff behind the last / which I guess is: )

logiterm

(We are asking the client's DNS for the IP address. If you just get time outs like this:
> logiterm
Server: [10.1.60.12]
Address: 10.1.60.12

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to [10.1.60.12] timed-out
>
then either we are not reaching it or it doesn't want to talk to us for some reason. We can try debug)

set debug

(prompt will return)

logiterm

(If you get something similar to this:

> set debug
> att.com
Server: [192.168.0.1]
Address: 192.168.0.1

DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
------------
Got answer:
HEADER:
opcode = QUERY, id = 28, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 2, authority records = 3, additional = 1

QUESTIONS:
att.com, type = A, class = IN
ANSWERS:
-> att.com
internet address = 144.160.1.81
ttl = 168 (2 mins 48 secs)
-> att.com
internet address = 144.160.143.51
ttl = 168 (2 mins 48 secs)
AUTHORITY RECORDS:
-> att.com
nameserver = ns1.attdns.com
ttl = 2832 (47 mins 12 secs)
-> att.com
nameserver = ns2.attdns.com
ttl = 2832 (47 mins 12 secs)
-> att.com
nameserver = ns3.attdns.com
ttl = 2832 (47 mins 12 secs)
ADDITIONAL RECORDS:
-> ns1.attdns.com
internet address = 144.160.112.22
ttl = 18828 (5 hours 13 mins 48 secs)

------------
Non-authoritative answer:
------------
Got answer:
HEADER:
opcode = QUERY, id = 29, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
att.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> att.com
ttl = 4190 (1 hour 9 mins 50 secs)
primary name server = ns0.attdns.com
responsible mail addr = eiss-dns.att.com
serial = 2010020301
refresh = 3600 (1 hour)
retry = 1800 (30 mins)
expire = 2592000 (30 days)
default TTL = 14400 (4 hours)

------------
Name: att.com
Addresses: 144.160.1.81
144.160.143.51

>
then we are connecting to the client's DNS server (I used att.com to get a real response but you would have your url - http:// instead) but more likely you will get this:

> logiterm
Server: [192.168.0.1]
Address: 192.168.0.1

DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
*** Request to [192.168.0.1] timed-out

Try the other DNS: )

server 10.1.60.27
set debug
10.1.60.27
logiterm


If you do get something besides time outs then right click and select Mark then highlight the text and then hit Enter. Move to a reply and paste it.

Assuming you just get timeouts then try: )

tracert -d 10.1.60.12 > junk.txt

tracert -d 10.1.60.27 >> junk.txt

(SPACE before and after -d and > or >> )

ping 10.1.60.12 >> junk.txt

ping 10.1.60.27 >> junk.txt

(SPACE after ping and before and after >> )

notepad junk.txt

(Post the text and close notepad)

(I'm assuming that you can no longer connect to the DNS, however, all is not lost. Odds are that the logiterm server uses a fixed IP address or at least never changes. Ask the client for the ip address of the logiterm server. I presume it will be 10.a.b.c where a.b.c are numbers. Open your hosts file:)

notepad \windows\system32\drivers\etc\hosts

You will see a line 127.0.0.1 localhost
create a new line at the bottom that looks like the 127.0.0.1 line but which says:
10.a.b.c logiterm

File, Save (it may be a read-only file but it should let you overwrite it anyway) and then exit.

Try it now.

Ron

#19 Kashink (Topic Starter)

I'm absolutely blown away by your last post! I would never have expected such dedication on a forum. :)

I will do as you instructed, but it seems more reasonable to wait until morning. There will be a better chance of success than at the end of a long and frustrating day (these operations seem very complex to me right now). :)

#20 RKinner (Malware Expert)

Before I retired I was a network engineer so this is actually what I used to do.

Ron

#21 Kashink (Topic Starter)

I'm impressed just the same. :)

So I tried your first test and here is what I got, not quite what was predicted. As you can see, I tried it different ways, to make sure it would be right.


Serveur par défaut : xxx-dc4.xxad.xxx.ca
Address: 10.1.60.12

> server 10.1.60.12
Serveur par défaut : xxx-dc4.xxxad.xxx.ca
Address: 10.1.60.12

> serveur 10.1.60.12
Serveur : [10.1.60.12]
Address: 10.1.60.12

*** 10.1.60.12 ne parvient pas à trouver serveur : Non-existent domain
> logiterm
Serveur : xxx-dc4.xxxad.xxx.ca
Address: 10.1.60.12

*** xxx-xx4.xxxad.xxx.ca ne parvient pas à trouver logiterm : Non
-existent domain


I will now go through with the rest (just wanted to avoid losing any significant data; I get disconnected here when I connect to the client).

#22 Kashink (Topic Starter)

Here is the result of the second test:

> set debug
> logiterm
Serveur : xxx-dc4.xxxad.xxx.ca
Address: 10.1.60.12

------------
Got answer:
HEADER:
opcode = QUERY, id = 5, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
logiterm.sympatico, type = A, class = IN
AUTHORITY RECORDS:
-> (root)
ttl = 10799 (2 hours 59 mins 59 secs)
primary name server = a.root-servers.net
responsible mail addr = nstld.verisign-grs.com
serial = 2010020400
refresh = 1800 (30 mins)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 178 (2 mins 58 secs)

------------
*** xxx-dc4.xxxad.xxx.ca ne parvient pas à trouver logiterm : Non
-existent domain
>

> server 10.1.60.27
------------
Got answer:
HEADER:
opcode = QUERY, id = 6, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
27.60.1.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 27.60.1.10.in-addr.arpa
name = osc-dc2.xxxad.xxx.ca
ttl = 1200 (20 mins)

------------
Serveur par défaut : osc-dc2.xxxad.xxx.ca
Address: 10.1.60.27



> server 10.1.60.27
------------
Got answer:
HEADER:
opcode = QUERY, id = 6, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
27.60.1.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 27.60.1.10.in-addr.arpa
name = osc-dc2.xxxad.xxx.ca
ttl = 1200 (20 mins)

------------
Serveur par défaut : osc-dc2.xxxad.xxx.ca
Address: 10.1.60.27

Got a timeout here after trying logiterm. Tried the "tracert" line three times; the response was: unrecognized command. Then, I couldn't get DOS to open a notepad window, so here it is directly from the DOS window:

> ping 10.1.60.12 >> junk4.txt
------------
Got answer:
HEADER:
opcode = QUERY, id = 9, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
ping.sympatico, type = A, class = IN
AUTHORITY RECORDS:
-> (root)
ttl = 10800 (3 hours)
primary name server = A.ROOT-SERVERS.NET
responsible mail addr = NSTLD.VERISIGN-GRS.COM
serial = 2010020400
refresh = 1800 (30 mins)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 86400 (1 day)

------------
*** 10.1.60.12 ne parvient pas à trouver ping : Non-existent domain
> ping 10.1.60.12 >> junk4.txt
------------
Got answer:
HEADER:
opcode = QUERY, id = 9, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
ping.sympatico, type = A, class = IN
AUTHORITY RECORDS:
-> (root)
ttl = 10800 (3 hours)
primary name server = A.ROOT-SERVERS.NET
responsible mail addr = NSTLD.VERISIGN-GRS.COM
serial = 2010020400
refresh = 1800 (30 mins)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 86400 (1 day)

------------
*** 10.1.60.12 ne parvient pas à trouver ping : Non-existent domain
> ping 10.1.60.27 >> junk4.txt
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
*** Le délai de la requête sur 10.1.60.27 est dépassé
> notepad junk4.txt
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
*** Impossible de trouver l'adresse pour le serveur junk4.txt : Timed out
> notepad junk4.txt
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
DNS request timed out.


Strangely enough, this last message I got even after disconnecting from the client. I hope I did it right.
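The debug blocks in posts #18 and #22 are what Ron reads by eye: the rcode, the question name actually sent (here logiterm.sympatico, the typed name with the sympatico search suffix appended) and whether an ANSWERS section carries an address, as opposed to glue in ADDITIONAL RECORDS. The following is an added example, not code from the thread, that parses a transcript in that format and gives a one-line verdict per query; SAMPLE is a constructed transcript modelled on the output shown above.

```python
import re  # added example, not the thread's own code: parses nslookup 'set debug' output
from dataclasses import dataclass, field

# Constructed transcript in the format shown in the posts above (not captured from the poster's PC).
SAMPLE = """> logiterm
Got answer:
        opcode = QUERY, id = 5, rcode = NXDOMAIN
    QUESTIONS:
        logiterm.sympatico, type = A, class = IN
> att.com
DNS request timed out.
Got answer:
        opcode = QUERY, id = 28, rcode = NOERROR
    QUESTIONS:
        att.com, type = A, class = IN
    ANSWERS:
    ->  att.com
        internet address = 144.160.1.81
    ADDITIONAL RECORDS:
    ->  ns1.attdns.com
        internet address = 144.160.112.22
"""

HEADER_RE = re.compile(r"opcode = \w+, id = \d+, rcode = (\w+)")
QUESTION_RE = re.compile(r"^(\S+), type = (\w+), class = IN")
ADDR_RE = re.compile(r"internet address = (\S+)")
SECTIONS = ("QUESTIONS:", "ANSWERS:", "AUTHORITY RECORDS:", "ADDITIONAL RECORDS:")

@dataclass
class Reply:
    asked: str                 # name typed at the '>' prompt
    rcode: str
    timeouts: int = 0          # 'DNS request timed out.' lines seen before this reply
    qname: str = ""            # name actually sent; the resolver may append a search suffix
    qtype: str = ""
    addresses: list = field(default_factory=list)   # from the ANSWERS section only

def parse_debug(text):
    replies, asked, timeouts, cur, section = [], "", 0, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("> "):                        # a new query was typed
            asked, timeouts = line[2:].strip(), 0
        elif line.startswith("DNS request timed out"):
            timeouts += 1
        elif m := HEADER_RE.search(line):                # start of a 'Got answer:' block
            replies.append(cur := Reply(asked, m.group(1), timeouts))
            section, timeouts = None, 0
        elif cur and line in SECTIONS:
            section = line
        elif cur and section == "QUESTIONS:" and (m := QUESTION_RE.match(line)):
            cur.qname, cur.qtype = m.group(1), m.group(2)
        elif cur and section == "ANSWERS:" and (m := ADDR_RE.search(line)):
            cur.addresses.append(m.group(1))             # glue in ADDITIONAL RECORDS is ignored
    return replies

def explain(r):
    """One-line verdict in the terms used in the thread."""
    prefix = f"{r.timeouts} timeout(s), then " if r.timeouts else ""
    if r.rcode == "NXDOMAIN":
        suffixed = r.qname.rstrip(".").lower() != r.asked.lower()
        return prefix + "name does not exist" + (f" (search suffix appended: {r.qname})" if suffixed else "")
    if r.rcode == "NOERROR" and r.addresses:
        return prefix + "resolved to " + ", ".join(r.addresses)
    return prefix + f"no {r.qtype} record (rcode {r.rcode})"
```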

#23 RKinner (Malware Expert)

I messed up. Forgot to tell you to exit from the nslookup command before running tracert and ping. Getting old I guess.

The command that should have been used before running tracert:

exit

Just connect to your client and run:

tracert -d 10.1.60.12 > junk.txt

tracert -d 10.1.60.27 >> junk.txt

(SPACE before and after -d and > or >> )

ping 10.1.60.12 >> junk.txt

ping 10.1.60.27 >> junk.txt

(SPACE after ping and before and after >> )

notepad junk.txt

#24 Kashink (Topic Starter)

Not getting old, working with someone who doesn't know better... :)

Now I have to say that, as of this morning, the IT people got me to connect through another application: ZeroFootprint. It works, so if you'd rather leave it at that, it's fine with me. If you like the challenge, though, I would gladly keep trying, because the previous connection was much better for a number of reasons, but also because I find the whole thing very fascinating.

Did what you asked. But before I show you the result, I remember you had asked for the address of the logiterm server. Here it is: xxx
By the way, I also wanted to mention something that I confirmed this morning. The IT guy told me he tried to access logiterm with his "test setup", which mirrors mine, and succeeded (same OS, same IP, different city). He is still convinced my laptop has malware of some kind and that's why I can't connect. There is one thing, though, that he couldn't mirror: my own network and router configuration. Sorry I did not mention it earlier, if it makes a difference.

Here goes:

Détermination de l'itinéraire vers 10.1.60.12 avec un maximum de 30 sauts.

1 78 ms 26 ms 25 ms 10.1.101.21
2 26 ms 25 ms 24 ms 10.1.101.5
3 26 ms 156 ms 122 ms 172.16.14.49
4 27 ms 26 ms 32 ms 140.80.191.220
5 26 ms 26 ms 31 ms 10.1.60.12

Itinéraire déterminé.

Détermination de l'itinéraire vers 10.1.60.27 avec un maximum de 30 sauts.
1 25 ms 25 ms 29 ms 10.1.101.21
2 25 ms 26 ms 27 ms 10.1.101.5
3 28 ms 26 ms 26 ms 172.16.14.49
4 26 ms 26 ms 29 ms 140.80.191.220
5 27 ms 26 ms 25 ms 10.1.60.27

Itinéraire déterminé.

Envoi d'une requête 'ping' sur 10.1.60.12 avec 32 octets de données :

Réponse de 10.1.60.12 : octets=32 temps=25 ms TTL=124
Réponse de 10.1.60.12 : octets=32 temps=26 ms TTL=124
Réponse de 10.1.60.12 : octets=32 temps=25 ms TTL=124
Réponse de 10.1.60.12 : octets=32 temps=25 ms TTL=124

Statistiques Ping pour 10.1.60.12:
Paquets : envoyés = 4, reçus = 4, perdus = 0 (perte 0%),
Durée approximative des boucles en millisecondes :
Minimum = 25ms, Maximum = 26ms, Moyenne = 25ms

Envoi d'une requête 'ping' sur 10.1.60.27 avec 32 octets de données :

Réponse de 10.1.60.27 : octets=32 temps=27 ms TTL=124
Réponse de 10.1.60.27 : octets=32 temps=27 ms TTL=124
Réponse de 10.1.60.27 : octets=32 temps=26 ms TTL=124
Réponse de 10.1.60.27 : octets=32 temps=26 ms TTL=124

Statistiques Ping pour 10.1.60.27:
Paquets : envoyés = 4, reçus = 4, perdus = 0 (perte 0%),
Durée approximative des boucles en millisecondes :
Minimum = 26ms, Maximum = 27ms, Moyenne = 26ms

Edited by Kashink, 04 February 2010 - 02:07 PM.


#25 RKinner (Malware Expert)

OK. It appears we can talk to the DNS servers but I don't see where they gave us a good answer for logiterm.

If you connect to your client and type in:

http://10.1.x.x/index.php

in your browser what happens?

Also go back to a command prompt and type:

tracert -d 10.1.x.x0 > junk.txt

(tracert SPACE -d SPACE 10.1.x.x SPACE > SPACE junk.txt)

nslookup logiterm >> junk.txt

(nslookup SPACE logiterm SPACE >> SPACE junk.txt)

notepad junk.txt

(notepad SPACE junk.txt)

copy the text and paste it in a reply.

Ron

Edited by RKinner, 04 February 2010 - 04:55 PM.



#26 Kashink (Topic Starter)

Well well, we've got a winner! :) :) :)

I typed the address and here I am, exactly as before! I entered my id and password for that page and tried a query: it works!!!

I just can't believe it! The person who gave me that address earlier today suggested that I try this method, but I had forgotten everything about it until you mentioned it.

Do you understand what is happening and why it works when I do it this way?

BTW, is it possible for you to erase that address in your posts? I will do so in mine, just in case, to make sure no one gets in trouble. Thanks.

Edited by Kashink, 04 February 2010 - 03:55 PM.


#27 RKinner (Malware Expert)

For some reason their DNS is not working. It should be giving you the correct address but it's not. You can make it work if you edit the hosts file like I mentioned earlier. Just put in the good address and logiterm like I said earlier.

I'll edit the addresses out but there is no danger. 10 net addresses are not accessible from the internet.

#28 Kashink (Topic Starter)

Are you saying that I can fix their problem by editing their host file?

About the address, not that I fear someone could access it, but that someone could see it there and wonder who revealed it.

#29 RKinner (Malware Expert)

No, you edit your hosts file. If the information is in the hosts file then Windows doesn't bother asking the DNS for it.

notepad \windows\system32\drivers\etc\hosts

then add
10.1.x.x logiterm

underneath where it says 127.0.0.1 localhost then File Save and exit

Then you can go back to typing logiterm and it should work.

Ron
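Ron's point that Windows consults the hosts file before DNS is also why hosts-file entries are a classic redirect vector, which is what the thread title worries about: any name listed there is steered away from DNS silently. The added example below, which is not code from the thread, parses a Windows hosts file, resolves a name in that order, and lists every entry that bypasses DNS; 10.1.0.5 stands in for the redacted logiterm address and 198.51.100.7 is a documentation address standing in for a public one.

```python
import ipaddress  # added example, not the thread's own code: hosts-file lookup order and audit

# Constructed hosts file: the thread's fix (a 10.x address for "logiterm"; 10.1.0.5 is a
# placeholder, the real address was redacted) plus a public-name override that an audit
# should flag (198.51.100.7 is a documentation address standing in for a public one).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.1.0.5        logiterm          # added per the post above
198.51.100.7    www.example.com   # what a redirect of a public name looks like
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hosts(text):
    """Return {hostname: address}; first matching line wins, as hosts-file resolvers do."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                                  # malformed address: line is ignored
        for name in parts[1:]:
            table.setdefault(name.lower(), addr)
    return table

def resolve(name, hosts_text, dns_lookup):
    """Lookup in the order Windows uses: hosts file first, DNS only if the name is absent."""
    table = parse_hosts(hosts_text)
    key = name.rstrip(".").lower()
    if key in table:
        return table[key], "hosts"                    # DNS is never consulted
    return dns_lookup(name), "dns"

def audit_hosts(text):
    """List every entry that steers a name away from DNS, i.e. anything not loopback."""
    findings = []
    for name, addr in parse_hosts(text).items():
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            continue
        scope = "RFC 1918 private" if any(ip in net for net in RFC1918) else "not RFC 1918 private"
        findings.append(f"{name} -> {addr} ({scope} address; DNS is bypassed for this name)")
    return findings
```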

#30 Kashink (Topic Starter)

It works, you are right. Thanks a lot!

I'm still curious though. Do you know what caused this to happen or is it one of those mysterious things that will remain unexplained?

I re-read your previous post and found your answer: "for some reason their DNS is not working". I guess we will never know, but it is a comfort to see that the problem was not caused by me, a virus in my laptop or a new install, like the IT guy said.

Once again, thanks for everything, Ron. I was lucky indeed that my original post got picked up by you.

Edited by Kashink, 05 February 2010 - 09:31 AM.
