Posted on 10/22/2007 7:03:23 AM PDT by jdm
My gut says you were jacked by cwshredder or a variant like qhost1. That’s why your dns was changed.
Do me a favor. Click on Run, then type in regedit and hit enter. Now, click on edit and then find, and type in nameserverport, and post the numbers it reports, and then type in dhcpnameserver, and post the number it reports.
nameserverport = 0x00000089(137)
There are several instances of dhcpnameserver and no numbers/values which I can see.
They’re all located under: DHCP > Parameters > Options.
Under Options are eight sub-folders:
1, 15, 3, 44, 46, 47, 6 and DCHPNETBIOSOPTIONS
Yes, SuperAntiSpyware is something I installed. It’s not a rogue program or anything like that.
I ran CWShredder and it didn’t find any infected files. Neither did Spybot. Strange.
Your dhcp server should be like an ip i.e. 192.168.0.1 or ?

This is the heart of the problem, perhaps. Thanks for your help and persistence. Most appreciated.
Also, when I opened up the last folder underneath the “Interfaces” tree, there is an entry called DHCPServer which has 255.255.255.255 as its value.
Find out from your isp what are your ip, subnet mask, gateway, and dns addresses assigned to you.
Then, open your Network Connections. Now, right click on and select Properties for your local connection.
Next, click on Internet Protocol (TCP/IP), and then click on the Properties button just below and to the right.
On the General Tab, you’ll see...
*Obtain an IP address automatically
*Use the following IP address.
Choose the second option by clicking the “Radio” button.
Now, enter your ip, subnet mask, and gateway addresses in the appropriate fields.
Do the same for the dns section.
Click OK. Now, reboot your pc, and then check your connection.
BTW, Did you modify your “Hosts” file yet?
Papa, My sincere apologies for taking so long to reply. To be 100% honest, this is the first time I’ve been able to get online (dial-up) since this afternoon. Something is messing with my services.msc.
For instance, in the Event Log it will say certain services terminated unexpectedly.
I see this as an error quite often in the Event Log:
“The account specified for this service is different from the account specified for other services running in the same process.”
Or certain services will stop because it will say the file can’t be found.
However, I did sfc /scannow at cmd, and it shows no errors (go figure!).
I can’t even get Plug & Play to start anymore.
I did enter all that information you suggested (Static IP, DNS, etc.) many days ago and rebooted, but it doesn’t seem to make things better. At least none of the info has changed to different values/numbers since I’ve inputted it. I would think if it was an active hack, that info would have changed again by now.
Something is seriously messing up my computer big-time, but it’s not showing up via HiJackThis log, Spybot, etc.
When I ran Sophos Anti-Rootkit, it showed four rogue hidden items, but said two were not removable and another two were not recommended for clean-up (since removing them could permanently screw up my OS).
One of the hidden files which it said it would remove for me, but not recommended to do so, was in my Java folder.
Maybe I got a Java virus?
My hosts file says it’s just a sample (# This is a sample HOSTS file used by Microsoft TCP/IP for Windows).
Do you know how you get your actual hosts file?
I followed the path you said (C:\WINDOWS\system32\drivers\etc), but don’t see it there.
hosts.default hasn’t been updated since July.
I’m not sure how to modify it. If you are able to advise on that front, I would be so very appreciative.
Thank you much.
There is NO hosts.default. It’s just hosts, without an extension.
Use the number I emailed you.
You’ve got Freepmail.
BTW, I finally found out what causes those (rogue?) processes to appear on my computer.
Whenever I double left click the Local Area Connection icon in the bottom right corner of my screen (right now it says “a network cable is unplugged,” as it has said all week) doing so launches that suspicious process.
If I click the Local Area Connection icon 10 times, then I’ll have 10 instances of that weird and hidden process running on my machine.
Trojan Remover found these (please see four screen-shots below).




They don't look like official items to me.
It appears as if you’ve already gotten rid of the files, themselves, but not the damage they’ve done.
But still the "a network cable is unplugged" message appears in the bottom right of the screen.
I also ran a utility used often at Geeks To Go called SDFix in safe mode and that identified three trojans and apparently deleted them:
SDFix: Version 1.112
Run by Jeff on 10/29/2007 at 12:39 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\regedit.com - Deleted
C:\WINDOWS\system32\inst.dat - Deleted
C:\WINDOWS\system32\web.dat - Deleted
It also said it restored my original hosts file.
Now if only I can find a way to get rid of the "a network cable is unplugged" message and get back on high-speed internet.
I re-entered my IP and DNS info and rebooted. Didn't change anything, unfortunately.
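Added example, not part of the original thread or any poster's words: a small Python check for the hosts file question raised above. The stock Windows XP hosts file is comments plus a single 127.0.0.1 localhost line, so every other mapping is worth reviewing; the function name audit_hosts and the sample entries are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: the stock Windows header and localhost line, plus
# three made-up mappings of the kind a hosts-file hijacker leaves behind.
SAMPLE = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
127.0.0.1       update.antivirus.example
203.0.113.10    www.bank.example login.bank.example
"""

def audit_hosts(text):
    """Return (line, address, name, reason) for every non-default mapping."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, " ".join(names), "invalid address"))
            continue
        if not names:
            findings.append((lineno, addr, "", "address with no host name"))
            continue
        for name in (n.lower() for n in names):
            if name == "localhost" and ip.is_loopback:
                continue  # the only mapping the default file contains
            if ip.is_loopback or ip.is_unspecified:
                reason = "name blocked by pointing it at the local machine"
            else:
                reason = "name pinned to a fixed address, bypassing DNS"
            findings.append((lineno, addr, name, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```

To check a real machine, pass in the contents of C:\WINDOWS\system32\drivers\etc\hosts (the file with no extension) instead of SAMPLE.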