DNS problem
19 years 11 months ago #6101
by xray_mtl
DNS problem was created by xray_mtl
Hi there,
One of my friends got a DNS problem. It seems that his computer has been infected by spyware (I think it's romahere, control there and newdotnet; that's what I found suspicious on his computer).
The problem is that his browser does not recognise any address (like www.videotron.ca), but the browser recognizes the DNS (201.154.222), for example. I did a ping in MS-DOS and I got a reply for 201.153.333 but not for www.videotron.ca. This computer is running Windows ME. I tried to remove the spyware using Spysweeper (3.0, registered) and Spybot, but it keeps coming back again and again. So I tried deleting them manually by going directly into the registry and deleting all values related to romahere, control there and newdotnet. When I was done, I tried to erase the files related to these values (for romahere it was 9565k3?????.exe and for control there w43435??????.exe). I was unable to delete the files; access was denied. The first thing I realized was that @$%#@$ romahere and control there were back again in the registry.
I don't know if the DNS problem is directly linked to that spyware, but I'm pretty sure it is. Does someone have an idea how to solve this problem (without formatting the disk)? Thank you.
(I want to apologize for my bad English...)
'artin
19 years 11 months ago #6109
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: DNS problem
Get ProcessXP from Sysinternals, find the processes and kill them. Then, after you kill them, delete their files and replace the files with a blank file of the same name with read-only privs. Then check your registry, remove any new entries and reboot.
If this doesn't work, do the deleting from a LiveCD like Knoppix.
19 years 11 months ago #6118
by xray_mtl
Replied by xray_mtl on topic Re: DNS problem
Thank you sir,
It works perfectly and I was able to kill the processes and erase them, but I had to do it in safe mode.
For the users having a DNS problem like mine related to the removal of newdot.net spyware, know that this spyware causes your socket to break. When you have removed the spyware from the registry and then deleted all related files on your hard disk, to restore your internet connection (which is not recognizing any DNS address but is recognizing IP addresses), use WinsockFix... a good utility that will find your damaged hosts file and repair it. Your internet connection will now work again.
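The hosts-file damage described in the post above can be checked by hand before or after running a repair tool. The shell function below is an added example, not something from the thread or from WinsockFix: it reads a hosts file and lists every name-to-address mapping other than the expected localhost entries, which is what a hijacked or damaged hosts file looks like (a public name pinned to some address, or an update site pinned to 127.0.0.1). The file path in the usage comment and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# audit_hosts: list hosts-file entries that override names other than localhost.
# Added example; the rule "anything but localhost-style names is suspect" is an
# assumption about what a damaged hosts file looks like, not a tool from the thread.
# Returns 0 when the file looks clean, 1 when suspect entries were printed,
# 2 when the file cannot be read.
#
# usage: audit_hosts /mnt/hda1/WINDOWS/hosts   (path is an assumed mount point)

audit_hosts() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
        # drop comments; after sub() awk re-splits $0, so NF reflects the rest
        { sub(/#.*/, ""); if (NF < 2) next }
        {
            addr = $1
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                # names that belong in every hosts file are not reported
                if (name == "localhost" || name == "localhost.localdomain" ||
                    name ~ /^ip6-/ || name == "broadcasthost") continue
                printf "SUSPECT %s -> %s\n", name, addr
                found = 1
            }
        }
        END { if (found) exit 1; exit 0 }
    ' "$file"
}
```

Anything the function prints should be compared against what the owner actually put there; a line mapping a bank, ISP or antivirus update name to an unexpected address is the classic sign of a hijacked hosts file, and the fix is simply to delete that line.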
19 years 11 months ago #6135
by jhun
Replied by jhun on topic Re: DNS problem
Hi sahirh,
Just a quick question. I have a Knoppix CD and would like to know how I would be able to delete a file from Windows using this CD? Sorry, I am still exploring Knoppix.
19 years 11 months ago #6142
by nske
Replied by nske on topic Re: DNS problem
If your Windows partition is NTFS, you can't (I don't think that the Knoppix kernel has NTFS write support, as it is still experimental and dangerous).
If your Windows partition is FAT32, open a terminal, "su -" to root and "mount -t vfat /dev/hd*# /path/directory". Replace hd*# with your partition depending on where it is, i.e. hda1 for the first partition of the primary master disk, and /path/directory with the path of a directory on the Linux filesystem where you want the new partition to appear. Then you should be able to erase or write any file there, at least as root.
19 years 11 months ago #6149
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: DNS problem
2.6 series Linux kernels support full NTFS read/write and it's not experimental anymore. This means you'll need a version of Knoppix with a 2.6 series kernel -- I believe Knoppix 3.6 has the same, but will not boot it by default; you have to specify 'knoppix26' as a boot-time option.
You can check what kernel you are running by doing the following:
root@BoA:~# uname -sr
Linux 2.6.9
so you can see I've got a 2.6.9 kernel running.
I don't know if it will mount your partition r/w by default, you will probably have to mount it as nske said, something along the lines of
mount /dev/hda1 /mnt/hda1 -t ntfs -w
That should mount it as read write and you can access it in /mnt/hda1
Furthermore, if you have an older version of Knoppix or some problems with this method, Knoppix includes a neat system called 'CaptiveNTFS'
[ www.jankratochvil.net/project/captive/ ]
It allows you to scan your NTFS partition and use the Windows NTFS drivers, so it's perfectly safe.. you can try this if the kernel-level NTFS support doesn't happen for some reason.
Let's take a scenario where you have a file called rada.exe, and you want to get rid of it and create a file in its place... you can do it like this:
Go to the directory where the file is
cd /mnt/hda1/WINNT/System32
Delete the file
rm rada.exe
Create a file in its place
touch rada.exe
You can also have a look at this really nice LiveCD I found that has Windows and Linux utilities; it's called the Ultimate Boot CD.
ubcd.sourceforge.net/
Cheers,
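The cd/rm/touch steps from the post above, written as one shell function for use from a Knoppix session with the Windows partition already mounted read/write. This is an added example and not sahirh's or nske's own script; it goes a step beyond the thread by copying the file into a quarantine directory with a checksum before deleting it, so the sample survives for later analysis, and by checking that the mount is actually writable first. The mount point /mnt/hda1, the WINNT/System32 path and the file name rada.exe are taken from the post's scenario and are assumptions, not real indicators.

```shell
#!/bin/sh
# neutralize_file DIR NAME QDIR
#   Quarantine DIR/NAME into QDIR, delete the original, and leave an empty
#   placeholder of the same name behind (the thread's rm + touch, plus evidence
#   preservation). Added example; paths are assumptions from the post's scenario.
# Returns 0 on success, 2 when the file is missing, 3 on a filesystem error.
#
# usage (assumed Knoppix layout, partition mounted rw on /mnt/hda1):
#   neutralize_file /mnt/hda1/WINNT/System32 rada.exe /root/quarantine

neutralize_file() {
    dir="$1"; name="$2"; qdir="$3"
    target="$dir/$name"
    [ -f "$target" ] || { echo "no such file: $target" >&2; return 2; }
    # a read-only mount (e.g. NTFS without write support) fails here, not half-way
    [ -w "$dir" ] || { echo "$dir is not writable (mounted read-only?)" >&2; return 3; }
    mkdir -p "$qdir" || return 3
    # keep a copy plus its CRC and size so the sample can be examined later
    cp -p "$target" "$qdir/$name" || return 3
    cksum "$target" >> "$qdir/MANIFEST" || return 3
    rm -f "$target" || return 3
    # empty placeholder with the same name, as the thread suggests
    : > "$target" || return 3
    # read-only bit is best effort: FAT/NTFS mounts do not store POSIX mode bits
    chmod 444 "$target" 2>/dev/null
    echo "quarantined $name -> $qdir/$name"
}

# placeholder_ok PATH: true when PATH exists and is an empty regular file
placeholder_ok() {
    [ -f "$1" ] && [ ! -s "$1" ]
}
```

The MANIFEST line written by cksum records the CRC, size and original path, which is enough to match the quarantined copy against a scanner's database afterwards; the placeholder itself does nothing on its own, its only purpose is to occupy the name so a dropper that recreates the file by fixed path gets an error instead of a fresh copy.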