newguy

Google Redirect - McAfee/MBAM won't scan

I've attached a screen shot of the ipconfig results. Also, I tried to ping google again with the same results.

post-34849-0-70007600-1318640401.jpg


Larry may be out for a couple days. Please try the following from the DOS console.

Type in this and press the Enter key and let me know what you get. (there are 4 eights)

PING 8.8.8.8

If no reply then try restarting the computer and tap F8 and select Safe Mode with Networking and try the same thing from there.


OK, Thanks.

Here is what I got:

Pinging 8.8.8.8 with 32 bytes of data:

Reply from 8.8.8.8: bytes=32 time=21ms TTL=52

Reply from 8.8.8.8: bytes=32 time=20ms TTL=52

Reply from 8.8.8.8: bytes=32 time=22ms TTL=52

Reply from 8.8.8.8: bytes=32 time=22ms TTL=52

Ping statistics for 8.8.8.8:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 20ms, Maximum = 22ms, Average = 21ms


That's good. My guess is that your router is not set right to obtain DNS information from your ISP. You should check the settings on your router or try resetting it to factory defaults (make sure to put a good password on it after a reset).

Try adding that IP address as your DNS provider in your network settings.

Open your control panel, Network and Internet Connections. (pick a Control Panel icon) Network Connections. Find your network card and right click and select Properties.

Scroll down to the Internet Protocol (TCP/IP) and choose Properties on it.

Leave the Obtain an IP address automatically selected. In the bottom portion though change that from automatic to Use the following DNS server addresses

Then input the following IP addresses in there.

8.8.8.8

8.8.4.4

Then click OK, Close. Then right click and choose Repair.

set_google_dns.png

Then open Internet Explorer and go to Tools/Internet Options/Advanced and click on the Reset button and then quit IE.

Now launch IE again and see if you can now browse the Internet okay.


Hi,

Just wanted to give you a heads up on what's been going on. I assume you've read all the posts in this topic and know that the system I am posting with and the infected system I've been working on are both connected to the internet via the same router. Up until my last post I could connect with this system but not through the infected system which suggested that the router was not the problem.

About 12 hours ago I tried to check this site and found I could not connect with this system. I found similar connection issues (except that when I did the "ping 8.8.8.8" on this system, I got a timeout) and assumed that somehow I had infected my system via USB drive or the router. Then I tried to connect another device through the wi-fi and found it could not connect either. That suggested a problem with the router. I removed the router and am now connected straight through the modem and my system seems OK now.

I will follow your latest suggestions and get back to you soon, but in the mean time I have a couple of questions.

Do we know enough about what is going on with the infected system to know if it is possible to infect my system via USB or LAN? (I've run MBAM on the USB drive a number of times just in case, but I wasn't sure if this was maybe a new, unknown problem.)

Is it possible the virus somehow altered the settings in the router itself? (I just got this system connected and haven't had a chance to check the router settings yet.)

Thanks for all the help.


OK,

I checked the router and it was set up to obtain DNS information from my ISP, but I cannot connect with either system with the router in place.

I've now disconnected the router and am connecting each system alternately directly to the modem. As you can see I am able to access the web with this system if I don't use the router but still no luck with the other system.

On the infected system I went ahead and changed the settings for the TCP/IP, repaired the connection and reset IE8. Still have the same results. I get a response from the 8.8.8.8 address, but none from google.com.

Here is what I get:

C:\Documents and Settings\User.D6WZS771>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:

Reply from 8.8.8.8: bytes=32 time=20ms TTL=53

Reply from 8.8.8.8: bytes=32 time=20ms TTL=53

Reply from 8.8.8.8: bytes=32 time=21ms TTL=53

Reply from 8.8.8.8: bytes=32 time=20ms TTL=53

Ping statistics for 8.8.8.8:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 20ms, Maximum = 21ms, Average = 20ms

C:\Documents and Settings\User.D6WZS771>ping google.com

Ping request could not find host google.com. Please check the name and try again.

C:\Documents and Settings\User.D6WZS771>


Have you reset the router?

Let’s try to reset the router to its default configuration.

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.


OK, reset the router and now I am able to connect through the router with this pc, but not with the infected pc.

Same results when pinging 8.8.8.8 (good), and pinging google.com (could not find host.) IE8 cannot connect.


Try restarting the infected pc with Safe Mode with Networking.

Does the internet work?


Started in safe mode.

Same results when trying to connect: pinging 8.8.8.8 (good), pinging google.com (could not find host.)

IE8 cannot connect.


Try this:

a. Click Start, and then click Run.

b. In the Open box, type cmd, and then click OK.

c. At the command prompt, type the following lines. Press ENTER after each line

net stop DNScache

net start DNScache

Exit


I have a Windows OS CD but I'm not sure if it's the one that came with her system.


Unless Ron has any other ideas, let's try this:

You can use Windows sfc (system file checker). You'd need your XP CD to make this work.

Click Start > Run > type sfc /scannow. Note the space.

(Note that there is a space between sfc and /scannow)


Ran sfc /scannow. It did not ask for the Windows CD. System still cannot connect.


Please download, copy to the infected pc, unzip, and run the QueryServices.bat inside the attached zip file and post back the NetworkDetails.txt file (as an attachment) that it will create in the root of the system drive. C:\NetworkDetails.txt

Do this again please.

GetNetworkInfo2.zip


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    tcpip.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Here are the SystemLook results:

SystemLook 30.07.11 by jpshortstuff

Log created at 21:02 on 18/10/2011 by User

Administrator - Elevation successful

========== filefind ==========

Searching for "tcpip.sys"

C:\Documents and Settings\User.D6WZS771\Desktop\tcpip.sys --a---- 361344 bytes [23:23 09/10/2011] [19:20 13/04/2008] 93EA8D04EC73A85DB02EB8805988F733

C:\i386\tcpip.sys --a---- 359040 bytes [02:02 19/04/2005] [10:00 04/08/2004] 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\tcpip.sys --a---- 361600 bytes [11:59 20/06/2008] [11:59 20/06/2008] AD978A1B783B5719720CFF204B666C8E

C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys --a---- 359936 bytes [01:17 14/03/2005] [19:07 25/05/2005] 63FDFEA54EB53DE2D863EE454937CE1E

C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys --a---- 360960 bytes [10:44 20/06/2008] [10:44 20/06/2008] 744E57C99232201AE98C49168B918F48

C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys --a---- 361600 bytes [11:51 20/06/2008] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys --a---- 361600 bytes [11:59 20/06/2008] [11:59 20/06/2008] AD978A1B783B5719720CFF204B666C8E

C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys -----c- 360320 bytes [23:24 15/11/2009] [10:45 20/06/2008] 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys -----c- 359040 bytes [04:18 08/05/2005] [10:00 04/08/2004] 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys -----c- 361344 bytes [23:40 15/11/2009] [19:20 13/04/2008] 93EA8D04EC73A85DB02EB8805988F733

C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys -----c- 359808 bytes [21:39 14/11/2009] [19:04 25/05/2005] 88763A98A4C26C409741B4AA162720C9

C:\WINDOWS\ERDNT\cache\tcpip.sys --a---- 361344 bytes [06:34 04/10/2011] [19:20 13/04/2008] 93EA8D04EC73A85DB02EB8805988F733

C:\WINDOWS\ServicePackFiles\i386\tcpip.sys ------- 361344 bytes [23:13 15/11/2009] [19:20 13/04/2008] 93EA8D04EC73A85DB02EB8805988F733

C:\WINDOWS\system32\dllcache\tcpip.sys --a---- 361344 bytes [17:51 10/08/2004] [19:20 13/04/2008] 93EA8D04EC73A85DB02EB8805988F733

C:\WINDOWS\system32\drivers\tcpip.sys --a---- 361344 bytes [17:51 10/08/2004] [19:20 13/04/2008] 93EA8D04EC73A85DB02EB8805988F733

-= EOF =-


You might need to stop the services for tcpip.sys to do this.

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Tcpip Netbios

Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service.

Click Apply then OK. Exit the Services utility.

Let's try this:

Go to Start->Run, copy / paste

copy C:\i386\tcpip.sys c:\tcpip.sys

Enter

Go to Start->Run, copy / paste

ren c:\windows\system32\drivers\tcpip.sys tcpip.old

Enter

Go to Start->Run, copy / paste

copy c:\tcpip.sys c:\windows\system32\drivers\tcpip.sys

Enter

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Tcpip Netbios

Right click and choose "Properties". On the "General" tab under "Service Status" click the "Start" button to stop the service.

Click Apply then OK. Exit the Services utility.

Reboot


Stopped the tcpip service and recopied the file. Restarted the service and rebooted the system. Still no luck.

When I renamed the tcpip.sys file I used the command console as you suggested. I also had the drivers folder open in Windows. Very soon after I renamed the file (to tcpip.old) it reappeared on its own (as tcpip.sys) in the drivers folder even though the service was stopped. When I did the copy command I had to say yes to overwriting the file in the command console. It would seem that the new file is in place, having overwritten the one that had reappeared, but I thought it was a little strange that it had reappeared before the copy command. Not sure if that's normal, but I thought I would let you know.

Is it possible that all copies of the tcpip.sys file on this system are corrupted? Should I try to get a copy of tcpip.sys from another system or a Windows CD or does it need to be from this system?


We could tell by the size.

The one we copied from here is 359040

C:\i386\tcpip.sys --a---- 359040

The one we replaced was 361344

C:\WINDOWS\system32\drivers\tcpip.sys --a---- 361344

Can you check the size now? We want it to be 359040

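Making the size and hash comparison from the last two posts systematic: an added Python example (not a tool from this thread) that parses SystemLook ":filefind" result lines, groups the tcpip.sys copies by MD5 and reports whether the driver in use matches the protected backup copies in dllcache and ServicePackFiles. The sample lines are a subset of the log posted above; the backup-path filters are assumptions.

```python
import re
from collections import defaultdict

# One SystemLook ':filefind' result line: path, 7 attribute flags, size,
# two bracketed timestamps, MD5. The path may contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# Constructed sample: a subset of the lines from the SystemLook log in this thread.
SAMPLE_LOG = r"""
C:\i386\tcpip.sys --a---- 359040 bytes [02:02 19/04/2005] [10:00 04/08/2004] 9F4B36614A0FC234525BA224957DE55C
C:\WINDOWS\ServicePackFiles\i386\tcpip.sys ------- 361344 bytes [23:13 15/11/2009] [19:20 13/04/2008] 93EA8D04EC73A85DB02EB8805988F733
C:\WINDOWS\system32\dllcache\tcpip.sys --a---- 361344 bytes [17:51 10/08/2004] [19:20 13/04/2008] 93EA8D04EC73A85DB02EB8805988F733
C:\WINDOWS\system32\drivers\tcpip.sys --a---- 361344 bytes [17:51 10/08/2004] [19:20 13/04/2008] 93EA8D04EC73A85DB02EB8805988F733
"""

def parse_filefind(text):
    """Return a dict per result line; header and '-= EOF =-' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries

def compare_driver(entries, active_suffix=r"\system32\drivers\tcpip.sys"):
    """Group copies by MD5 and say whether the driver in use matches the
    protected backups (dllcache / ServicePackFiles; filters are assumptions)."""
    active = next(e for e in entries
                  if e["path"].lower().endswith(active_suffix.lower()))
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["md5"]].append(e["path"])
    backups = [e for e in entries if "\\dllcache\\" in e["path"].lower()
               or "\\servicepackfiles\\" in e["path"].lower()]
    return {
        "active_md5": active["md5"],
        "active_size": active["size"],
        "matches_backups": bool(backups) and all(b["md5"] == active["md5"] for b in backups),
        "variants": {h: sorted(p) for h, p in by_hash.items()},
    }

if __name__ == "__main__":
    for md5, paths in compare_driver(parse_filefind(SAMPLE_LOG))["variants"].items():
        print(md5, len(paths), "copies")
```

A matching hash only shows that the in-use file is identical to its backups; it does not by itself settle the question raised above about whether every copy on the system could have been altered.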