McAfee help needed please!
#1
Ok I'll try to keep this as succinct as possible
I have been infected with a backdoor keylogging trojan for 3 days now on WindowsXP Professional. Am ready to kill somebody - but that is for another thread
Originally had NAV installed with up-to-date virus definitions. Yet I still got infected. Although when I scanned with NAV it reported finding a downloader trojan infecting a file called 'st.exe' but couldn't fix it. Also ran SpySweeper, Adaware and SpyBot but none of them helped.
So I do an online McAfee scan and it finds these infected files:
C:\...\netdc.exe.q_8040_q
C:\I386\system32\notepad.com
C:\recycler\...\dc2.exe
C:\recycler\...\dc3.exe
C:\windows\svchost.exe
C:\windows\system32\notepad.com
it reports 5 of these files are infected with 'Downloader-ML' and 1 file is infected with 'Spy-Tofger.gen.b'
By this point the machine is running very very slowly and erratically. The hard drive is making constant weird clicking noises!!!
So I decide to nip down to PC World and buy McAfee Internet Security Suite as I figure it must be able to remove the files that the online scan was picking up. Also I had read good things about it generally and thought maybe now is a good time to ditch Norton and switch to McAfee.
Sooo, I deinstall NAV (probably wrongly assuming it would clash with McAfee) and install McAfee onto the infected machine (yeah I wasn't keen on this bit either). Everything installs nicely, I do a scan yet it picks up nothing. Now this doesn't surprise me as I realise the boxed software has been sat in a warehouse for months and does not have up-to-date virus definitions.
So I attempt to update the virus definitions but the trojan has now disabled my web access!! I can dial-up and establish a connection but not view any websites. It reports all sites are unavailable and shows it is accessing 'res://C:\windows\system32\chdoclc.dll/dnserror' in the progress bar.
I then download the manual McAfee definitions via my Mac, burn a CD and try to update the infected PC from the CD. BUT it won't let me as it tells me my copy of McAfee is unregistered. BUUUT I can't connect to register it. Beautiful.
So I try lots of manual removal/cleaning methods and registry tweaks suggested on other forums (which take forever as the machine has virtually ground to a halt now - and sometimes won't reboot properly).
I had previously downloaded Security Task Manager and this allows me to identify and quarantine some suspect files/processes/startups. I work in Safe Mode (with System Restore switched off) but still cannot connect to the web to update/register McAfee.
And now my head is going to explode because it is day 4 and I still can't use my PC and I need to do work on it. Although it appears I have cleaned off most of the suspicious files, it is still running slowly and still blocking my web access. I have unsuccessfully tried some more suggested solutions/tools to get my web access back. Until I do I can't register McAfee, and until I do that I can't update its definitions and until I do that I can't be sure this trojan is gone. Without knowing whether I'm still infected or not I can't be sure why my web access is still blocked, or effectively troubleshoot it.
So is there some way I can manually update my unregistered copy of McAfee via the CD I have burnt (whilst unable to do online registration of the software)????????
This must happen to people from time to time. How can I get out of this chicken 'n' egg scenario???
I haven't cried for many years but am getting close now ;(
#3
First, have a cup of tea.
Then
Download http://download.nai.com/products/mca...re_betadat.zip
Disable VirusScan - Red M in the system tray | VirusScan | Disable
Copy the files you've downloaded into C:\Program Files\McAfee.com\VSO
Try again.
#4
Originally Posted by JackClark
First, have a cup of tea.
Then
Download http://download.nai.com/products/mca...re_betadat.zip
Disable VirusScan - Red M in the system tray | VirusScan | Disable
Copy the files you've downloaded into C:\Program Files\McAfee.com\VSO
Try again.
When you say 'try again' do you mean try to do a system scan again or try to install the new definitions from CD again?
Is the thing I'm downloading updated definitions or something to bypass the registration problem?
(Sorry for blatant thickness but brain is well and truly fried!)
Last edited by blip; 19 August 2004 at 12:26 PM. Reason: Needed to add some smilies!!
#5
Originally Posted by beemerboy
why not rebuild the pc??
it's obviously not a server or 'owt.
job done.
oh, and then get proper protection for it.
just an idea.. BB
Thanks BB, yeah I probably would have rebuilt it by now if:
a. I had a WinXP master disc (bl**dy PC didn't come with one)
b. I had properly backed up all my work on it - doh!
When you say 'proper protection', what would you recommend? As I said I was running Norton, now switching to McAfee. What would you recommend over and above either of these?
#7
Originally Posted by JackClark
Try a scan again.
Unfortunately the machine is still running slow and I still can't access any websites. Not sure what to do next really. Have tried various tools and tweaks but it still refuses to let me view any sites once connected. Weird and v annoying!!!!!
#8
Check your hosts file. It should be somewhere like C:\WINDOWS\system32\drivers\etc\ and should only contain '127.0.0.1 localhost' and some text preceded by a #
If you're going to edit it, make a back up first, just copy it to your desktop.
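The hosts-file check described in the post above, as an added example that is not part of the original thread: a Python sketch that reports every active entry other than the normal loopback `localhost` mapping. The sample file contents and the hostnames in it are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a hosts file with two entries that do not belong.
# The hostnames are placeholders, not indicators taken from this thread.
SAMPLE_HOSTS = """\
# sample HOSTS file (constructed)
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example   # update server sent to loopback
10.11.12.13     www.bank.example
"""

# Names that are expected to resolve to loopback on a clean machine.
EXPECTED_LOOPBACK = {"localhost"}


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for every entry that is
    not a comment and not the expected localhost mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # comments start at '#'
        if not entry:
            continue
        fields = entry.split()
        addr_text, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((line_no, addr_text, " ".join(names),
                             "unparseable address"))
            continue
        if not names:
            findings.append((line_no, addr_text, "", "address without hostname"))
            continue
        for name in (n.lower() for n in names):
            if addr.is_loopback and name in EXPECTED_LOOPBACK:
                continue                           # the one normal entry
            if addr.is_loopback or addr.is_unspecified:
                reason = "name forced to the local machine"
            else:
                reason = "name pinned to a fixed address (bypasses DNS)"
            findings.append((line_no, addr_text, name, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s: %s" % finding)
```

An empty result matches the "looks totally normal" case; any finding is a line to review before editing, after taking the backup the post recommends.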
#9
Originally Posted by JackClark
Check your hosts file. It should be somewhere like C:\WINDOWS\system32\drivers\etc\ and should only contain '127.0.0.1 localhost' and some text preceded by a #
If you're going to edit it, make a back up first, just copy it to your desktop.
Yep the hosts file looks totally normal.
I have the feeling that either I am still infected with something or during the removal of the virus/trojans some system files have been corrupted. I've had a few 'rundll errors'. Unfortunately I don't have a WinXP recovery disc as it came preinstalled (and I stupidly never created my own). Are there any downloadable WinXP diagnosis/recovery tools that I could get on my Mac and burn to CD? Specifically anything that could fix internet problems??
I have tried running lspfix and winsockxpfix (following advice on another forum) to recover my internet connection/functionality, but they haven't helped. Any web page I try to view always calls 'C:\windows\system32/shdoclc.dll/dnserror' and says the page is unavailable.
Slowly losing the will to live........
#10
The dat files I pointed to in an earlier link are updated daily, you could try again.
How about running MSconfig, take a look at what's in Startup for anything suspicious. The sticky post at the top of the Computer Related page here has links to Spybot and Adaware, give those a go.
#11
Originally Posted by JackClark
The dat files I pointed to in an earlier link are updated daily, you could try again.
How about running MSconfig, take a look at what's in Startup for anything suspicious. The sticky post at the top of the Computer Related page here has links to Spybot and Adaware, give those a go.
I'll try the latest DAT file like you say.
Yeah I have SpyBot and Adaware already, and have checked MSconfig but nothing suspicious there. Is CWShredder worth trying too?
#14
hokay - do the trick you played with the latest dat and get this:
http://vil.nai.com/vil/stinger/
run that and see what gets picked up.
DNS error... right... command prompt, ipconfig /all - what comes up?
use this ip address for a manual dns entry for your 'net connection 158.43.128.1 (that should be the uunet backup one) as a trial.... (it might be 153.48.128.1!)
Check your internet explorer properties to see if there isn't a proxy server ip set (tool, options, connections, lan settings...)
Good luck
#17
Originally Posted by Kieran_Burns
hokay - do the trick you played with the latest dat and get this:
http://vil.nai.com/vil/stinger/
run that and see what gets picked up.
DNS error... right... command prompt, ipconfig /all - what comes up?
use this ip address for a manual dns entry for your 'net connection 158.43.128.1 (that should be the uunet backup one) as a trial.... (it might be 153.48.128.1!)
Check your internet explorer properties to see if there isn't a proxy server ip set (tool, options, connections, lan settings...)
Good luck
1. Had already tried Stinger but it found nothing
2. 'Command prompt, ipconfig /all' gives:
Windows IP Configuration
--------------------
Host name: ThinkPad
Primary DNS Suffix:
Node type: Unknown
IP Routing Enabled: No
WINS Proxy Enabled: No
Ethernet adapter LAN Connection
---------------------
Connection-specific DNS suffix:
Description: Intel(R) PRo/100 VE Network Connection
Physical Address: 00-09-6B-02-5E-21
DHCP Enabled: Yes
Autoconfig Enabled: Yes
Autoconfig IP address: 169.254.243.93
Subnet mask: 255.255.0.0
Default gateway:
DNS servers: 153.43.128.1, 153.48.128.1
---------------------
Not sure what I'm looking out for here!
3. Used the ip addresses you suggested for a manual dns entry. Just the same - can connect but not access any websites
4. Checked IE settings for proxy server ip. None found.
Any more help would be much appreciated as I'm really out of my depth now
Cheers.
#18
You see that IP address of 169.254.thing....? that means your ethernet card has no connection.
So.... are you on dial up? If so, connect via dial-up and run that again....
If you aren't on dial-up we're getting closer....
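The 169.254.x.x reading explained in the post above, as an added example that is not part of the original thread: a Python sketch that parses `ipconfig /all` text and reports adapters that fell back to a self-assigned link-local address, with whether a default gateway is present. The sample is an abridged copy of the output posted earlier in the thread; the function names are hypothetical, and the parser accepts both the poster's `Key: value` layout and the dotted `Key . . . : value` layout.

```python
import ipaddress
import re

# Abridged from the output posted earlier in this thread (poster's own layout).
SAMPLE_IPCONFIG = """\
Windows IP Configuration
--------------------
Host name: ThinkPad
Ethernet adapter LAN Connection
---------------------
Description: Intel(R) PRo/100 VE Network Connection
DHCP Enabled: Yes
Autoconfig Enabled: Yes
Autoconfig IP address: 169.254.243.93
Subnet mask: 255.255.0.0
Default gateway:
DNS servers: 153.43.128.1, 153.48.128.1
"""

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_ipconfig(text):
    """Split the output into adapters, each with a dict of non-empty fields."""
    adapters, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue                              # blank or separator line
        head = line.rstrip(":")
        if ":" not in head:                       # heading or empty field
            if " adapter " in head.lower():
                current = {"name": head, "fields": {}}
                adapters.append(current)
            continue
        if current is None:
            continue                              # global section, not an adapter
        key, value = line.split(":", 1)
        key = " ".join(key.replace(".", " ").split()).lower()
        current["fields"][key] = value.strip()
    return adapters


def find_unconfigured(adapters):
    """Return (adapter name, link-local address, has_gateway) for each adapter
    that holds a self-assigned 169.254.0.0/16 address."""
    findings = []
    for adapter in adapters:
        fields = adapter["fields"]
        has_gateway = bool(IPV4_RE.search(fields.get("default gateway", "")))
        for key, value in fields.items():
            if not key.endswith(("ip address", "ipv4 address")):
                continue
            for token in IPV4_RE.findall(value):
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue                      # not a valid IPv4 address
                if addr.is_link_local:
                    findings.append((adapter["name"], token, has_gateway))
    return findings


if __name__ == "__main__":
    for name, addr, gw in find_unconfigured(parse_ipconfig(SAMPLE_IPCONFIG)):
        print("%s: self-assigned %s, gateway present: %s" % (name, addr, gw))
```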
#19
Had the same problems as you last week. Sounds like your Winsock files are in need of repair. Would have posted earlier but I've only just seen this.
Story as follows >>
Had the same Trojans on my computer, so changed my virus software to Panda Titanium and got rid of everything including a virus my old AV software wasn't picking up.
Ran spy sweeper / ad aware 6, and found something called Web Hancer and thought it would be a good idea to delete it.
Exact same thing happened as in my Net Connection would connect to the net, but no web access would happen. (i.e. messenger wouldn't work and internet explorer wouldn't open any webpages).
Connected my other computer to my net connection and that worked fine so I was baffled.
Tried a system restore but nothing worked... so decided to format/reinstall windows.
--------------------------------
After doing so I was pretty annoyed, but got my system back to perfect with new AV software etc. Set up a system restore point.
Again Webhancer had appeared so decided to test it out and see if it was that. I saved a .dll file named "whiehlpr.dll" to my spare hard disk (was located at C:\program files\web hancer\whiehlpr.dll) and deleted web hancer.
Again net access went down but net connection was ok. Put the dll file back in place and did a system restore and everything went back to normal.
Did a search for Web hancer and came up with:
http://www.geocities.com/merijn_bell...webhancer.html
Worth a read... maybe nothing to do with your problem but you might find it of interest.
---------------
Also might be worth looking at:
http://www.cexx.org/lspfix.htm
http://www.cexx.org/webhancer.htm
Last edited by Hos; 24 August 2004 at 12:50 AM. Reason: to add urls in
#20
Originally Posted by Hos
Had the same problems as you last week. Sounds like your Winsock files are in need of repair. Would have posted earlier but I've only just seen this.
Story as follows >>
Had the same Trojans on my computer, so changed my virus software to Panda Titanium and got rid of everything including a virus my old AV software wasn't picking up.
Ran spy sweeper / ad aware 6, and found something called Web Hancer and thought it would be a good idea to delete it.
Exact same thing happened as in my Net Connection would connect to the net, but no web access would happen. (i.e. messenger wouldn't work and internet explorer wouldn't open any webpages).
Connected my other computer to my net connection and that worked fine so I was baffled.
Tried a system restore but nothing worked... so decided to format/reinstall windows.
--------------------------------
After doing so I was pretty annoyed, but got my system back to perfect with new AV software etc. Set up a system restore point.
Again Webhancer had appeared so decided to test it out and see if it was that. I saved a .dll file named "whiehlpr.dll" to my spare hard disk (was located at C:\program files\web hancer\whiehlpr.dll) and deleted web hancer.
Again net access went down but net connection was ok. Put the dll file back in place and did a system restore and everything went back to normal.
Did a search for Web hancer and came up with:
http://www.geocities.com/merijn_bell...webhancer.html
Worth a read... maybe nothing to do with your problem but you might find it of interest.
---------------
Also might be worth looking at:
http://www.cexx.org/lspfix.htm
http://www.cexx.org/webhancer.htm
Thanks Hos, I'll have a look at the WebHancer info.
However, I have just deinstalled McAfee Internet Security Suite 6 as I had a feeling it wasn't helping, and Voila suddenly I got full internet access back. To prove a point I reinstalled it and immediately I lost my web access. So I installed the separate elements of the suite again to isolate the troublemaker. Only problem was that it wouldn't allow me to install Privacy Service like this. I got to the point where I had VirusScan, Personal Firewall and SpamKiller installed and I still had web access, but I couldn't install Privacy Service. So I deinstalled the lot again and just did another standard 'Complete' installation and again I lost web access.
I have been through every nook and cranny of Privacy Service playing around with settings, even turning it off, but nothing helps. Once Privacy Service is installed from that point on I lose web access.
It seems I have now finally got rid of the virus/trojan that initially caused the problem but I am totally baffled as to why McAfee is now blocking all web access, irrespective of what options/settings I adjust.
I'm putting this up as a new thread to hopefully get some quick help, but any ideas would be much appreciated