McAfee help needed please!
Ok I'll try to keep this as succinct as possible :)
I have been infected with a backdoor keylogging trojan for 3 days now on WindowsXP Professional. Am ready to kill somebody - but that is for another thread ;) Originally had NAV installed with up-to-date virus definitions. Yet I still got infected. Although when I scanned with NAV it reported finding a downloader trojan infecting a file called 'st.exe' but couldn't fix it. Also ran SpySweeper, Adaware and SpyBot but none of them helped.

So I do an online McAfee scan and it finds these infected files:
C:\...\netdc.exe.q_8040_q
C:\I386\system32\notepad.com
C:\recycler\...\dc2.exe
C:\recycler\...\dc3.exe
C:\windows\svchost.exe
C:\windows\system32\notepad.com
It reports 5 of these files are infected with 'Downloader-ML' and 1 file is infected with 'Spy-Tofger.gen.b'.

By this point the machine is running very very slowly and erratically. The hard drive is making constant weird clicking noises!!! So I decide to nip down to PC World and buy McAfee Internet Security Suite as I figure it must be able to remove the files that the online scan was picking up. Also I had read good things about it generally and thought maybe now is a good time to ditch Norton and switch to McAfee.

Sooo, I deinstall NAV (probably wrongly assuming it would clash with McAfee) and install McAfee onto the infected machine (yeah I wasn't keen on this bit either). Everything installs nicely, I do a scan yet it picks up nothing. Now this doesn't surprise me as I realise the boxed software has been sat in a warehouse for months and does not have up-to-date virus definitions. So I attempt to update the virus definitions but the trojan has now disabled my web access!! I can dial-up and establish a connection but not view any websites. It reports all sites are unavailable and shows it is accessing 'res://C:\windows\system32\chdoclc.dll/dnserror' in the progress bar.

I then download the manual McAfee definitions via my Mac, burn a CD and try to update the infected PC from the CD. BUT it won't let me as it tells me my copy of McAfee is unregistered. BUUUT I can't connect to register it. Beautiful.

So I try lots of manual removal/cleaning methods and registry tweaks suggested on other forums (which take forever as the machine has virtually ground to a halt now - and sometimes won't reboot properly). I had previously downloaded Security Task Manager and this allows me to identify and quarantine some suspect files/processes/startups. I work in Safe Mode (with System Restore switched off) but still cannot connect to the web to update/register McAfee.

And now my head is going to explode because it is day 4 and I still can't use my PC and I need to do work on it. Although it appears I have cleaned off most of the suspicious files, it is still running slowly and still blocking my web access. I have unsuccessfully tried some more suggested solutions/tools to get my web access back. Until I do I can't register McAfee, and until I do that I can't update its definitions and until I do that I can't be sure this trojan is gone. Without knowing whether I'm still infected or not I can't be sure why my web access is still blocked, or effectively troubleshoot it.

So is there some way I can manually update my unregistered copy of McAfee via the CD I have burnt (whilst unable to do online registration of the software)???????? This must happen to people from time to time. How can I get out of this chicken 'n' egg scenario??? I haven't cried for many years but am getting close now ;( |
why not rebuild the pc??
it's obviously not a server or 'owt. job done. oh, and then get proper protection for it. just an idea.. BB:) |
First, have a cup of tea.
Then Download http://download.nai.com/products/mca...re_betadat.zip
Disable VirusScan - Red M in the system tray | VirusScan | Disable
Copy the files you've downloaded into C:\Program Files\McAfee.com\VSO
Try again. |
Originally Posted by JackClark
First, have a cup of tea.
Then Download http://download.nai.com/products/mca...re_betadat.zip
Disable VirusScan - Red M in the system tray | VirusScan | Disable
Copy the files you've downloaded into C:\Program Files\McAfee.com\VSO
Try again.

When you say 'try again' do you mean try to do a system scan again or try to install the new definitions from CD again? Is the thing I'm downloading updated definitions or something to bypass the registration problem? (Sorry for blatant thickness but brain is well and truly fried!) |
Originally Posted by beemerboy
why not rebuild the pc??
it's obviously not a server or 'owt. job done. oh, and then get proper protection for it. just an idea.. BB:)

Thanks BB, yeah I probably would have rebuilt it by now if:
a. I had a WinXP master disc (bl**dy PC didn't come with one)
b. I had properly backed up all my work on it - doh!
When you say 'proper protection' what would you recommend? As I said I was running Norton, now switching to McAfee. What would you recommend over and above either of these? :) |
Try a scan again.
|
Originally Posted by JackClark
Try a scan again.
Unfortunately the machine is still running slow and I still can't access any websites. Not sure what to do next really. Have tried various tools and tweaks but it still refuses to let me view any sites once connected. Weird and v annoying!!!!! :( |
Check your hosts file. It should be somewhere like C:\WINDOWS\system32\drivers\etc\ and should only contain '127.0.0.1 localhost' and some text preceded by a #
If you're going to edit it, make a back up first, just copy it to your desktop. |
Originally Posted by JackClark
Check your hosts file. It should be somewhere like C:\WINDOWS\system32\drivers\etc\ and should only contain '127.0.0.1 localhost' and some text preceded by a #
If you're going to edit it, make a back up first, just copy it to your desktop.

Yep the hosts file looks totally normal. I have the feeling that either I am still infected with something or during the removal of the virus/trojans some system files have been corrupted. I've had a few 'rundll errors'. Unfortunately I don't have a WinXP recovery disc as it came preinstalled (and I stupidly never created my own).

Are there any downloadable WinXP diagnosis/recovery tools that I could get on my Mac and burn to CD? Specifically anything that could fix internet problems?? I have tried running lspfix and winsockxpfix (following advice on another forum) to recover my internet connection/functionality, but they haven't helped. Any web page I try to view always calls 'C:\windows\system32/shdoclc.dll/dnserror' and says the page is unavailable. Slowly losing the will to live........ :( |
The dat files I pointed to in an earlier link are updated daily, you could try again.
How about running MSconfig, take a look at what's in Startup for anything suspicious. The sticky post at the top of the Computer Related page here has links to Spybot and Adaware, give those a go. |
Originally Posted by JackClark
The dat files I pointed to in an earlier link are updated daily, you could try again.
How about running MSconfig, take a look at what's in Startup for anything suspicious. The sticky post at the top of the Computer Related page here has links to Spybot and Adaware, give those a go.

I'll try the latest DAT file like you say. Yeah I have SpyBot and Adaware already, and have checked MSconfig but nothing suspicious there. Is CWShredder worth trying too? |
>Is CWShredder worth trying too
I've never used it, I'd be giving anything a go if I were you. |
Originally Posted by JackClark
First, have a cup of tea.
Then. |
hokay - do the trick you played with the latest dat and get this:
http://vil.nai.com/vil/stinger/ run that and see what gets picked up.

DNS error... right... command prompt, ipconfig /all - what comes up?

use this ip addresses for a manual dns entry for your 'net connection 158.43.128.1 (that should be the uunet backup one) as a trial.... (it might be 153.48.128.1!)

Check your internet explorer properties to see if there isn't a proxy server ip set (tool, options, connections, lan settings...)

Good luck |
now you have the mcafee security suite - you need nothing else to be honest - get it all installed and go from there!
|
Did you still have System Restore off when you re-scanned your PC ?
You may still have loaded back part of the trojan on your system if not.
Just a thought ;) |
Originally Posted by Kieran_Burns
hokay - do the trick you played with the latest dat and get this:
http://vil.nai.com/vil/stinger/ run that and see what gets picked up.

DNS error... right... command prompt, ipconfig /all - what comes up?

use this ip addresses for a manual dns entry for your 'net connection 158.43.128.1 (that should be the uunet backup one) as a trial.... (it might be 153.48.128.1!)

Check your internet explorer properties to see if there isn't a proxy server ip set (tool, options, connections, lan settings...)

Good luck

1. Had already tried Stinger but it found nothing

2. 'Command prompt, ipconfig /all' gives:

Windows IP Configuration
--------------------
Host name: ThinkPad
Primary DNS Suffix:
Node type: Unknown
IP Routing Enabled: No
WINS Proxy Enabled: No

Ethernet adapter LAN Connection
---------------------
Connection-specific DNS suffix:
Description: Intel(R) PRo/100 VE Network Connection
Physical Address: 00-09-6B-02-5E-21
DHCP Enabled: Yes
Autoconfig Enabled: Yes
Autoconfig IP address: 169.254.243.93
Subnet mask: 255.255.0.0
Default gateway:
DNS servers: 153.43.128.1, 153.48.128.1
---------------------

Not sure what I'm looking out for here!

3. Used the ip addresses you suggested for a manual dns entry. Just the same - can connect but not access any websites :(

4. Checked IE settings for proxy server ip. None found.

Any more help would be much appreciated as I'm really out of my depth now :( Cheers. |
You see that IP address of 169.254.thing....? that means your ethernet card has no connection.
So.... are you on dial up? If so, connect via dial-up and run that again.... If you aren't on dial-up we're getting closer.... |
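Added example, not part of the original posts: a Python triage of `ipconfig /all` text that flags the 169.254.0.0/16 address discussed above (the range Windows self-assigns when an adapter gets no DHCP answer), an empty default gateway, and the DNS servers in use. The sample reuses the values as typed in the post above; the function and key names are this example's own.

```python
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")  # Windows autoconfiguration range

def triage_ipconfig(text):
    """Summarise 'Key: value' lines from ipconfig /all output."""
    report = {"apipa": [], "missing_gateway": False, "dns_servers": []}
    for line in text.splitlines():
        # Real output pads keys with ' . . .' before the colon; strip that.
        m = re.match(r"\s*([^:]+?)[\s.]*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "default gateway":
            report["missing_gateway"] = report["missing_gateway"] or not value
        elif key == "dns servers":
            report["dns_servers"] += [s.strip() for s in value.split(",") if s.strip()]
        elif "ip address" in key and value:
            try:
                if ipaddress.ip_address(value) in APIPA:
                    report["apipa"].append(value)
            except ValueError:
                pass  # not an address (e.g. a hand-typed note); ignore
    return report

# Sample built from the values typed in the thread (hand-copied format).
SAMPLE = """\
Ethernet adapter LAN Connection
DHCP Enabled: Yes
Autoconfig Enabled: Yes
Autoconfig IP address: 169.254.243.93
Subnet mask: 255.255.0.0
Default gateway:
DNS servers: 153.43.128.1, 153.48.128.1
"""

if __name__ == "__main__":
    r = triage_ipconfig(SAMPLE)
    if r["apipa"]:
        print("No DHCP lease on adapter:", ", ".join(r["apipa"]))
    if r["missing_gateway"]:
        print("No default gateway: traffic cannot leave this link")
    print("DNS servers to compare with the ISP's:", r["dns_servers"])
```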
Had the same problems as you last week. Sounds like your Winsock files are in need of repair. Would have posted earlier but I've only just seen this.
Story as follows >>

Had the same Trojans on my computer, so changed my virus software to Panda Titanium and got rid of everything including a virus my old AV software wasn't picking up. Ran spy sweeper / ad aware 6, and found something called Web Hancer and thought it would be a good idea to delete it. Exact same thing happened as in my Net Connection would connect to the net, but no web access would happen. (i.e. messenger wouldn't work and internet explorer wouldn't open any webpages). Connected my other computer to my net connection and that worked fine so I was baffled. Tried a system restore but nothing worked... so decided to format/reinstall windows.
--------------------------------
After doing so I was pretty annoyed, but got my system back to perfect with new AV software etc. Set up a system restore point. Again Webhancer had appeared so decided to test it out and see if it was that. I saved a .dll file named "whiehlpr.dll" to my spare hard disk (was located at C:\program files\web hancer\whiehlpr.dll) and deleted web hancer. Again net access went down but net connection was ok. Put the dll file back in place and did a system restore and everything went back to normal.

Did a search for Web hancer and came up with:
http://www.geocities.com/merijn_bell...webhancer.html
Worth a read... maybe nothing to do with your problem but you might find it of interest.
---------------
Also might be worth looking at:
http://www.cexx.org/lspfix.htm
http://www.cexx.org/webhancer.htm |
Originally Posted by Hos
Had the same problems as you last week. Sounds like your Winsock files are in need of repair. Would have posted earlier but I've only just seen this.
Story as follows >>

Had the same Trojans on my computer, so changed my virus software to Panda Titanium and got rid of everything including a virus my old AV software wasn't picking up. Ran spy sweeper / ad aware 6, and found something called Web Hancer and thought it would be a good idea to delete it. Exact same thing happened as in my Net Connection would connect to the net, but no web access would happen. (i.e. messenger wouldn't work and internet explorer wouldn't open any webpages). Connected my other computer to my net connection and that worked fine so I was baffled. Tried a system restore but nothing worked... so decided to format/reinstall windows.
--------------------------------
After doing so I was pretty annoyed, but got my system back to perfect with new AV software etc. Set up a system restore point. Again Webhancer had appeared so decided to test it out and see if it was that. I saved a .dll file named "whiehlpr.dll" to my spare hard disk (was located at C:\program files\web hancer\whiehlpr.dll) and deleted web hancer. Again net access went down but net connection was ok. Put the dll file back in place and did a system restore and everything went back to normal.

Did a search for Web hancer and came up with:
http://www.geocities.com/merijn_bell...webhancer.html
Worth a read... maybe nothing to do with your problem but you might find it of interest.
---------------
Also might be worth looking at:
http://www.cexx.org/lspfix.htm
http://www.cexx.org/webhancer.htm

Thanks Hos, I'll have a look at the WebHancer info.

However, I have just deinstalled McAfee Internet Security Suite 6 as I had a feeling it wasn't helping, and Voila suddenly I got full internet access back. To prove a point I reinstalled it and immediately I lost my web access. So I installed the separate elements of the suite again to isolate the troublemaker. Only problem was that it wouldn't allow me to install Privacy Service like this. I got to the point where I had VirusScan, Personal Firewall and SpamKiller installed and I still had web access, but I couldn't install Privacy Service. So I deinstalled the lot again and just did another standard 'Complete' installation and again I lost web access.

I have been through every nook and cranny of Privacy Service playing around with settings, even turning it off, but nothing helps. Once Privacy Service is installed from that point on I lose web access. It seems I have now finally got rid of the virus/trojan that initially caused the problem but I am totally baffled as to why McAfee is now blocking all web access, irrespective of what options/settings I adjust. I'm putting this up as a new thread to hopefully get some quick help, but any ideas would be much appreciated :) |