
McAfee help needed please!

Old 19 August 2004 | 10:24 AM
  #1  
blip
Thread Starter
Scooby Regular
 
Joined: Jan 2002
Posts: 495
Likes: 0
Unhappy McAfee help needed please!

Ok I'll try to keep this as succinct as possible

I have been infected with a backdoor keylogging trojan for 3 days now on WindowsXP Professional. Am ready to kill somebody - but that is for another thread

Originally had NAV installed with up-to-date virus definitions. Yet I still got infected. Although when I scanned with NAV it reported finding a downloader trojan infecting a file called 'st.exe' but couldn't fix it. Also ran SpySweeper, Adaware and SpyBot but none of them helped.

So I do an online McAfee scan and it finds these infected files:

C:\...\netdc.exe.q_8040_q
C:\I386\system32\notepad.com
C:\recycler\...\dc2.exe
C:\recycler\...\dc3.exe
C:\windows\svchost.exe
C:\windows\system32\notepad.com

it reports 5 of these files are infected with 'Downloader-ML' and 1 file is infected with 'Spy-Tofger.gen.b'

By this point the machine is running very very slowly and erratically. The hard drive is making constant weird clicking noises!!!

So I decide to nip down to PC World and buy McAfee Internet Security Suite as I figure it must be able to remove the files that the online scan was picking up. Also I had read good things about it generally and thought maybe now is a good time to ditch Norton and switch to McAfee.

Sooo, I deinstall NAV (probably wrongly assuming it would clash with McAfee) and install McAfee onto the infected machine (yeah I wasn't keen on this bit either). Everything installs nicely, I do a scan yet it picks up nothing. Now this doesn't surprise me as I realise the boxed software has been sat in a warehouse for months and does not have up-to-date virus definitions.

So I attempt to update the virus definitions but the trojan has now disabled my web access!! I can dial-up and establish a connection but not view any websites. It reports all sites are unavailable and shows it is accessing 'res://C:\windows\system32\chdoclc.dll/dnserror' in the progress bar.

I then download the manual McAfee definitions via my Mac, burn a CD and try to update the infected PC from the CD. BUT it won't let me as it tells me my copy of McAfee is unregistered. BUUUT I can't connect to register it. Beautiful.

So I try lots of manual removal/cleaning methods and registry tweaks suggested on other forums (which take forever as the machine has virtually ground to a halt now - and sometimes won't reboot properly).

I had previously downloaded Security Task Manager and this allows me to identify and quarantine some suspect files/processes/startups. I work in Safe Mode (with System Restore switched off) but still cannot connect to the web to update/register McAfee.

And now my head is going to explode because it is day 4 and I still can't use my PC and I need to do work on it. Although it appears I have cleaned off most of the suspicious files, it is still running slowly and still blocking my web access. I have unsuccessfully tried some more suggested solutions/tools to get my web access back. Until I do I can't register McAfee, and until I do that I can't update its definitions and until I do that I can't be sure this trojan is gone. Without knowing whether I'm still infected or not I can't be sure why my web access is still blocked, or effectively troubleshoot it.

So is there some way I can manually update my unregistered copy of McAfee via the CD I have burnt (whilst unable to do online registration of the software)????????

This must happen to people from time to time. How can I get out of this chicken 'n' egg scenario???

I haven't cried for many years but am getting close now ;(
Old 19 August 2004 | 11:08 AM
  #2  
beemerboy
Scooby Regular
 
Joined: Sep 2002
Posts: 4,391
Likes: 0
From: Essexville
Default

why not rebuild the pc??
its obviously not a server or 'owt.

job done.

oh, and then get proper protection for it.

just an idea.. BB
Old 19 August 2004 | 11:35 AM
  #3  
JackClark
Scooby Senior
 
Joined: Dec 2000
Posts: 20,878
Likes: 51
From: Overdosed on LCD
Default

First, have a cup of tea.
Then

Download http://download.nai.com/products/mca...re_betadat.zip

Disable VirusScan - Red M in the system tray | VirusScan | Disable

Copy the files you've downloaded into C:\Program Files\McAfee.com\VSO
Try again.
Old 19 August 2004 | 12:23 PM
  #4  
blip
Thread Starter
Scooby Regular
 
Joined: Jan 2002
Posts: 495
Likes: 0
Default

Originally Posted by JackClark
First, have a cup of tea.
Then

Download http://download.nai.com/products/mca...re_betadat.zip

Disable VirusScan - Red M in the system tray | VirusScan | Disable

Copy the files you've downloaded into C:\Program Files\McAfee.com\VSO
Try again.

Thanks - am downloading it now.

When you say 'try again' do you mean try to do a system scan again or try to install the new definitions from CD again?

Is the thing I'm downloading updated definitions or something to bypass the registration problem?

(Sorry for blatant thickness but brain is well and truly fried!)

Last edited by blip; 19 August 2004 at 12:26 PM. Reason: Needed to add some smilies!!
Old 19 August 2004 | 12:32 PM
  #5  
blip
Thread Starter
Scooby Regular
 
Joined: Jan 2002
Posts: 495
Likes: 0
Default

Originally Posted by beemerboy
why not rebuild the pc??
its obviously not a server or 'owt.

job done.

oh, and then get proper protection for it.

just an idea.. BB

Thanks BB, yeah I probably would have rebuilt it by now if:

a. I had a WinXP master disc (bl**dy PC didn't come with one)
b. I had properly backed up all my work on it - doh!

When you say 'proper protection' what would you recommend. As I said I was running Norton, now switching to McAfee. What would you recommend over and above either of these?
Old 19 August 2004 | 12:33 PM
  #6  
JackClark
Scooby Senior
 
Joined: Dec 2000
Posts: 20,878
Likes: 51
From: Overdosed on LCD
Default

Try a scan again.
Old 19 August 2004 | 04:08 PM
  #7  
blip
Thread Starter
Scooby Regular
 
Joined: Jan 2002
Posts: 495
Likes: 0
Default

Originally Posted by JackClark
Try a scan again.

OK did a new scan and this time it picked up and cleaned various infected files. Many thanks for your help

Unfortunately the machine is still running slow and I still can't access any websites. Not sure what to do next really. Have tried various tools and tweaks but it still refuses to let me view any sites once connected. Weird and v annoying!!!!!
Old 19 August 2004 | 04:37 PM
  #8  
JackClark
Scooby Senior
 
Joined: Dec 2000
Posts: 20,878
Likes: 51
From: Overdosed on LCD
Default

Check your hosts file. It should be somewhere like C:\WINDOWS\system32\drivers\etc\ and should only contain '127.0.0.1 localhost' and some text preceded by a #

If you're going to edit it, make a back up first, just copy it to your desktop.
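
The hosts file check described in the post above, as an added example that is not part of the original thread: a small Python audit that ignores comments and the stock localhost line and lists every other entry. The sample file contents and the `.example` hostnames are constructed.

```python
import ipaddress

# Constructed samples, not taken from the thread.
CLEAN_HOSTS = """\
# sample hosts file: comment lines start with '#'
127.0.0.1       localhost
"""

TAMPERED_HOSTS = """\
# constructed sample with extra entries
127.0.0.1       localhost
127.0.0.1\tupdates.example    # tab-separated, trailing comment
0.0.0.0 www.vendor.example download.vendor.example
203.0.113.7 shop.example
10.0.0.5 localhost
not-an-ip foo.example
"""


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for every unexpected entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not entry:
            continue
        address, *names = entry.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "malformed address"))
            continue
        for name in names:
            if name.lower() == "localhost":
                if not ip.is_loopback:
                    findings.append((line_no, address, name, "localhost not on loopback"))
            elif ip.is_loopback or ip.is_unspecified:
                # The name resolves to this machine, so the real site is unreachable.
                findings.append((line_no, address, name, "name pinned to local machine"))
            else:
                findings.append((line_no, address, name, "static override of DNS"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(TAMPERED_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

An empty result means the file matches the description in the post; anything listed is worth a look before the file is edited.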
Old 20 August 2004 | 10:17 AM
  #9  
blip
Thread Starter
Scooby Regular
 
Joined: Jan 2002
Posts: 495
Likes: 0
Default

Originally Posted by JackClark
Check your hosts file. It should be somewhere like C:\WINDOWS\system32\drivers\etc\ and should only contain '127.0.0.1 localhost' and some text preceded by a #

If you're going to edit it, make a back up first, just copy it to your desktop.

Yep the hosts file looks totally normal.

I have the feeling that either I am still infected with something or during the removal of the virus/trojans some system files have been corrupted. I've had a few 'rundll errors'. Unfortunately I don't have a WinXP recovery disc as it came preinstalled (and I stupidly never created my own). Are there any downloadable WinXP diagnosis/recovery tools that I could get on my Mac and burn to CD? Specifically anything that could fix internet problems??

I have tried running lspfix and winsockxpfix (following advice on another forum) to recover my internet connection/functionality, but they haven't helped. Any web page I try to view always calls 'C:\windows\system32/shdoclc.dll/dnserror' and says the page is unavailable.

Slowly losing the will to live........
Old 20 August 2004 | 11:29 AM
  #10  
JackClark
Scooby Senior
 
Joined: Dec 2000
Posts: 20,878
Likes: 51
From: Overdosed on LCD
Default

The dat files I pointed to in an earlier link are updated daily, you could try again.

How about running MSconfig, take a look at what's in Startup for anything suspicious. The sticky post at the top of the Computer Related page here has links to Spybot and Adaware, give those a go.
Old 20 August 2004 | 12:00 PM
  #11  
blip
Thread Starter
Scooby Regular
 
Joined: Jan 2002
Posts: 495
Likes: 0
Default

Originally Posted by JackClark
The dat files I pointed to in an earlier link are updated daily, you could try again.

How about running MSconfig, take a look at what's in Startup for anything suspicious. The sticky post at the top of the Computer Related page here has links to Spybot and Adaware, give those a go.

Thanks Jack

I'll try the latest DAT file like you say.

Yeah I have SpyBot and Adaware already, and have checked MSconfig but nothing suspicious there. Is CWShredder worth trying too?
Old 20 August 2004 | 04:20 PM
  #12  
JackClark
Scooby Senior
 
Joined: Dec 2000
Posts: 20,878
Likes: 51
From: Overdosed on LCD
Default

>Is CWShredder worth trying too

I've never used it, I'd be giving anything a go if I were you.
Old 20 August 2004 | 05:18 PM
  #13  
mynickers
Scooby Regular
 
Joined: Sep 2003
Posts: 1,194
Likes: 0
From: London(ish)
Default

Originally Posted by JackClark
First, have a cup of tea.
Then.

PMSL.
Old 20 August 2004 | 07:29 PM
  #14  
Kieran_Burns
Scooby Regular
 
Joined: Jul 2004
Posts: 10,208
Likes: 0
From: There on the stair
Default

hokay - do the trick you played with the latest dat and get this:

http://vil.nai.com/vil/stinger/

run that and see what gets picked up.

DNS error... right... command prompt, ipconfig /all - what comes up?

use this ip address for a manual dns entry for your 'net connection 158.43.128.1 (that should be the uunet backup one) as a trial.... (it might be 153.48.128.1!)

Check your internet explorer properties to see if there isn't a proxy server ip set (tool, options, connections, lan settings...)

Good luck
Old 20 August 2004 | 07:30 PM
  #15  
Kieran_Burns
Scooby Regular
 
Joined: Jul 2004
Posts: 10,208
Likes: 0
From: There on the stair
Default

now you have the mcafee security suite - you need nothing else to be honest - get it all installed and go from there!
Old 20 August 2004 | 07:36 PM
  #16  
Nicks VR4
Scooby Regular
 
Joined: May 2003
Posts: 1,165
Likes: 0
Default

Did you still have System Restore off when you re-scanned your PC ?

You may still have loaded back part of the trojan on your system if not

Just a thought
Old 23 August 2004 | 12:46 PM
  #17  
blip
Thread Starter
Scooby Regular
 
Joined: Jan 2002
Posts: 495
Likes: 0
Default

Originally Posted by Kieran_Burns
hokay - do the trick you played with the latest dat and get this:

http://vil.nai.com/vil/stinger/

run that and see what gets picked up.

DNS error... right... command prompt, ipconfig /all - what comes up?

use this ip address for a manual dns entry for your 'net connection 158.43.128.1 (that should be the uunet backup one) as a trial.... (it might be 153.48.128.1!)

Check your internet explorer properties to see if there isn't a proxy server ip set (tool, options, connections, lan settings...)

Good luck

Thanks Kieran, I have tried what you say:

1. Had already tried Stinger but it found nothing

2. 'Command prompt, ipconfig /all' gives:

Windows IP Configuration
--------------------
Host name: ThinkPad
Primary DNS Suffix:
Node type: Unknown
IP Routing Enabled: No
WINS Proxy Enabled: No

Ethernet adapter LAN Connection
---------------------
Connection-specific DNS suffix:
Description: Intel(R) PRo/100 VE Network Connection
Physical Address: 00-09-6B-02-5E-21
DHCP Enabled: Yes
Autoconfig Enabled: Yes
Autoconfig IP address: 169.254.243.93
Subnet mask: 255.255.0.0
Default gateway:
DNS servers: 153.43.128.1, 153.48.128.1
---------------------

Not sure what I'm looking out for here!

3. Used the ip addresses you suggested for a manual dns entry. Just the same - can connect but not access any websites

4. Checked IE settings for proxy server ip. None found.

Any more help would be much appreciated as I'm really out of my depth now

Cheers.
Old 23 August 2004 | 07:32 PM
  #18  
Kieran_Burns
Scooby Regular
 
Joined: Jul 2004
Posts: 10,208
Likes: 0
From: There on the stair
Default

You see that IP address of 169.254.thing....? that means your ethernet card has no connection.

So.... are you on dial up? If so, connect via dial-up and run that again....

If you aren't on dial-up we're getting closer....
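
The 169.254 check from the post above, as an added example that is not part of the original thread: 169.254.0.0/16 is the link-local range Windows assigns itself when no DHCP server answers, and this Python sketch flags any adapter in `ipconfig /all` output that carries such an address. The sample text is constructed with placeholder addresses, and the verdict labels are this example's own.

```python
import ipaddress

# Constructed sample in the layout of the output posted above; placeholder addresses.
SAMPLE = """\
Windows IP Configuration
--------------------
Host name: EXAMPLE-PC

Ethernet adapter LAN Connection
---------------------
Autoconfig IP address: 169.254.10.20
Default gateway:

PPP adapter Dial-Up
---------------------
IP Address: 192.0.2.10
Default gateway: 192.0.2.10
"""

def parse_adapters(output):
    """Split ipconfig-style text into {adapter name: {field: value}}."""
    adapters, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue  # blank line or dashed rule
        key, sep, value = line.partition(":")
        key, value = key.replace(".", "").strip(), value.strip()
        if "adapter" in key.lower() and not value:
            current = adapters.setdefault(key, {})  # start of an adapter section
        elif current is not None and sep:
            current[key.lower()] = value
    return adapters

def triage(output):
    """Return (adapter, address, gateway, verdict) for each adapter found."""
    report = []
    for name, fields in parse_adapters(output).items():
        address = next((v.split("(")[0].strip() for k, v in fields.items()
                        if k.endswith(("ip address", "ipv4 address")) and v), None)
        gateway = fields.get("default gateway") or None
        try:
            ip = ipaddress.ip_address(address) if address else None
        except ValueError:
            ip = None
        if ip is None:
            verdict = "no-address"
        elif ip.is_link_local:
            verdict = "link-local"  # self-assigned 169.254.x.x, no DHCP lease
        else:
            verdict = "ok" if gateway else "no-gateway"
        report.append((name, address, gateway, verdict))
    return report
```

Calling `triage(SAMPLE)` marks the Ethernet adapter as `link-local` and the dial-up adapter as `ok`, which is the distinction the post is drawing.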
Old 23 August 2004 | 07:32 PM
  #19  
Hos
Scooby Regular
 
Joined: Jul 1999
Posts: 978
Likes: 0
From: Dundee
Default

Had the same problems as you last week. Sounds like your Winsock files are in need of repair. Would have posted earlier but i've only just seen this.

Story as follows >>

Had the same Trojans on my computer, so changed my virus software to Panda Titanium and got rid of everything including a virus my old AV software wasn't picking up.

Ran spy sweeper / ad aware 6, and found something called Web Hancer and thought it would be a good idea to delete it.

Exact same thing happened as in my Net Connection would connect to the net, but no web access would happen. (i.e messenger wouldn't work and internet explorer wouldn't open any webpages).

Connected my other computer to my net connection and that worked fine so i was baffled.

Tried a system restore but nothing worked... so decided to format/reinstall windows.

--------------------------------

After doing so i was pretty annoyed. but got my system back to perfect with new AV software etc. Set up a system restore point.

Again Webhancer had appeared so decided to test it out and see if it was that. I saved a .dll file named "whiehlpr.dll" to my spare hard disk (was located at C:\program files\web hancer\whiehlpr.dll) and deleted web hancer.

Again net access went down but net connection was ok. put the dll file back in place and did a system restore and everything went back to normal.

Did a search for Web hancer and came up with:
http://www.geocities.com/merijn_bell...webhancer.html

Worth a read... maybe nothing to do with your problem but you might find it of interest.

---------------
Also might be worth looking at:
http://www.cexx.org/lspfix.htm
http://www.cexx.org/webhancer.htm

Last edited by Hos; 24 August 2004 at 12:50 AM. Reason: to add urls in
Old 24 August 2004 | 12:46 PM
  #20  
blip
Thread Starter
Scooby Regular
 
Joined: Jan 2002
Posts: 495
Likes: 0
Default

Originally Posted by Hos
Had the same problems as you last week. Sounds like your Winsock files are in need of repair. Would have posted earlier but i've only just seen this.

Story as follows >>

Had the same Trojans on my computer, so changed my virus software to Panda Titanium and got rid of everything including a virus my old AV software wasn't picking up.

Ran spy sweeper / ad aware 6, and found something called Web Hancer and thought it would be a good idea to delete it.

Exact same thing happened as in my Net Connection would connect to the net, but no web access would happen. (i.e messenger wouldn't work and internet explorer wouldn't open any webpages).

Connected my other computer to my net connection and that worked fine so i was baffled.

Tried a system restore but nothing worked... so decided to format/reinstall windows.

--------------------------------

After doing so i was pretty annoyed. but got my system back to perfect with new AV software etc. Set up a system restore point.

Again Webhancer had appeared so decided to test it out and see if it was that. I saved a .dll file named "whiehlpr.dll" to my spare hard disk (was located at C:\program files\web hancer\whiehlpr.dll) and deleted web hancer.

Again net access went down but net connection was ok. put the dll file back in place and did a system restore and everything went back to normal.

Did a search for Web hancer and came up with:
http://www.geocities.com/merijn_bell...webhancer.html

Worth a read... maybe nothing to do with your problem but you might find it of interest.

---------------
Also might be worth looking at:
http://www.cexx.org/lspfix.htm
http://www.cexx.org/webhancer.htm

Thanks Hos, I'll have a look at the WebHancer info.

However, I have just deinstalled McAfee Internet Security Suite 6 as I had a feeling it wasn't helping, and Voila suddenly I got full internet access back. To prove a point I reinstalled it and immediately I lost my web access. So I installed the separate elements of the suite again to isolate the troublemaker. Only problem was that it wouldn't allow me to install Privacy Service like this. I got to the point where I had VirusScan, Personal Firewall and SpamKiller installed and I still had web access, but I couldn't install Privacy Service. So I deinstalled the lot again and just did another standard 'Complete' installation and again I lost web access.

I have been through every nook and cranny of Privacy Service playing around with settings, even turning it off, but nothing helps. Once Privacy Service is installed from that point on I lose web access.

It seems I have now finally got rid of the virus/trojan that initially caused the problem but I am totally baffled as to why McAfee is now blocking all web access, irrespective of what options/settings I adjust.

I'm putting this up as a new thread to hopefully get some quick help, but any ideas would be much appreciated
All times are GMT +1.