Posted 15 January 2009 - 07:11 PM
I have a laptop running XP-Pro Ser Pk 3 with all the latest updates. The system is running AVG 8 with all the latest updates.
The machine was infected with some sort of malware that I never completely identified (could be a Trojan of the “Google redirect” type). I deleted some bogus DLL files that were created at the time of the infection. There doesn't SEEM to be any virus activity going on, but it appears that the TCP stack/DNS service has been corrupted and I cannot get it back to normal.
I tried using Spyware Dr, Malwarebytes, and ComboFix. None of these tools will run. They all have an issue with updating. I tried HijackThis and scans from AVG. The HJT log had a couple of bad entries that I cleaned out.
When I do a ping test I get interesting results. Most any site will respond back from the DNS servers with the correct address. But any security type site reports back a "Could Not find" type answer and the site referenced is the localhost 127.0.0.1. Only security type sites seem to fail. I used a clean machine to ping AVG. I can then type the returned address in the address bar of the infected machine and reach AVG that way.
I have tried WinSockFix, LSP-Fix, msconfig, HJT, CCleaner, Malwarebytes, ComboFix, and Spyware Dr. I have been in the registry and deleted all of the old WinSock keys. I have removed and reinstalled the TCP stack. I have run the TCP repair commands via the command line using netsh. I deleted the hosts file in \system32\drivers\etc. I tried to add sites like AVG, Symantec and McAfee into a fresh hosts file. Still "page cannot be displayed". Yet Google, Yahoo, MSN all come in correctly. They are fresh pages because I have cleared all temp files and history files. I deleted all cookies. I can do searches in Yahoo and Google. I have been connecting to the machine via LogMeIn without any problems at all. So I know the basic TCP is working; the problem is in the DNS service.
I have tried restarting the system in Safe Mode and Safe Mode with Networking. Nothing seems to change the problem. I have tried both MSIE 7 and Firefox 3. I believe they all use the same TCP stack. I really don't think this is a browser issue. The problem centers on the DNS being hijacked.
I have taken the system off auto-configure. I have hard-coded both a TCP address and the DNS entries. This is on a home network so there isn't any WINS information. I have used DNS servers from both Cox Communications and Verizon.
I have tried to use system restore. I cannot create or roll back. The system restore will open but there are no restore points and you get an error when you try to create one. Yet looking at the computer properties Restore claims to be on and working. There is no check mark in the box to turn restore off.
Right now the laptop is in California. I live in Las Vegas. The laptop is being shipped here. I wanted to start the wheels turning to see if anyone with a high level of dns experience might see this posting.
I am sorry this is so lengthy but the "how to post" recommended listing all the things done to the system.
Thanks for your help,
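The symptom described in the post (security-vendor names resolving to 127.0.0.1 while ordinary sites resolve normally) can be turned into a repeatable check. The script below is an added example, not code from the original post or from any of the tools named in it. It classifies resolver answers as ok, hijacked (every address is loopback or 0.0.0.0) or unresolved, and separately audits a hosts file for names pinned to loopback. The watchlist, the hosts-file text and the answer addresses are constructed sample data (RFC 5737 documentation ranges, not real vendor IPs); `resolve_live()` queries the real system resolver and is only there for running the check on an actual machine.

```python
import ipaddress
import socket

# Hypothetical watchlist: names the post reports as failing (AVG, Symantec, McAfee)
# plus a control name the post reports as working (Google). Illustrative only.
WATCHLIST = ["www.avg.com", "www.symantec.com", "www.mcafee.com", "www.google.com"]

# Constructed sample answers standing in for what the infected laptop returned.
# Public addresses come from the 203.0.113.0/24 documentation range.
SAMPLE_LOCAL_ANSWERS = {
    "www.avg.com": ["127.0.0.1"],
    "www.symantec.com": ["127.0.0.1"],
    "www.mcafee.com": [],
    "www.google.com": ["203.0.113.10", "203.0.113.11"],
}

# Constructed hosts-file text: the normal localhost line plus one malicious pin.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.avg.com update.avg.com   # added by malware (constructed)
203.0.113.10    www.google.com
"""


def is_bogus_address(addr: str) -> bool:
    """True for answers that cannot be a public site: loopback (127.x) or 0.0.0.0."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable answer is treated as bogus
    return ip.is_loopback or ip.is_unspecified


def classify_answer(addresses) -> str:
    """'hijacked' if every address is bogus, 'unresolved' if empty, else 'ok'."""
    if not addresses:
        return "unresolved"
    return "hijacked" if all(is_bogus_address(a) for a in addresses) else "ok"


def parse_hosts(text: str) -> dict:
    """Parse hosts-file text into {hostname: ip}, dropping comments and blank lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping


def suspicious_hosts_entries(mapping: dict) -> dict:
    """Names other than localhost that are pinned to a loopback/unspecified address."""
    return {n: ip for n, ip in mapping.items()
            if n not in ("localhost", "localhost.localdomain") and is_bogus_address(ip)}


def audit_answers(answers: dict) -> dict:
    """Group hostnames by classification, sorted for stable output."""
    report = {"ok": [], "hijacked": [], "unresolved": []}
    for host in sorted(answers):
        report[classify_answer(answers[host])].append(host)
    return report


def resolve_live(hosts) -> dict:
    """Ask the system resolver for each name (network access; not used offline)."""
    answers = {}
    for h in hosts:
        try:
            answers[h] = socket.gethostbyname_ex(h)[2]
        except socket.gaierror:
            answers[h] = []
    return answers


if __name__ == "__main__":
    print(audit_answers(SAMPLE_LOCAL_ANSWERS))
    print(suspicious_hosts_entries(parse_hosts(SAMPLE_HOSTS)))
    # On a real machine: print(audit_answers(resolve_live(WATCHLIST)))
```

Reading the two results together is the useful part: if `audit_answers` reports names as hijacked while `suspicious_hosts_entries` on the machine's real hosts file comes back empty, the redirection is happening below the hosts file (in the resolver, an LSP, or the configured DNS servers), which is the situation the post describes after the hosts file had already been deleted and recreated. Comparing the same watchlist from a known-clean machine, as the poster did with ping, gives the reference answers to diff against.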