Situation is a system with XP Home, that was BADLY infested with spyware, viruses, etc. Hosts file was filled in with a large number of entries.
After everything is cleaned up and the OS reinstalled with the "Repair" option, everything seems to work - except DNS.
I can ping by IP address only, despite manually configuring all of the proper DNS values. Attempts to use NSLOOKUP result in the server not being found. Attempts to ping or reach even fully qualified domain names (e.g. www.yahoo.com) result in only a NetBIOS name lookup request. There is no WINS server on the network.
My guess is that this is an artifact left over from one of the spyware packages, but I've never encountered this one before.
Any ideas?
Thanks,
Bob
ASKED: May 23, 2005 11:27 AM
UPDATED: May 27, 2005 12:17 PM
Bob,
It could be that this cpu's LMHosts and Hosts files were hijacked.
If used, the LMHosts file identifies domain-level resources by ip, mostly servers that provide resolution assistance themselves.
The Hosts file provides fast ip resolution and redirection for important and/or frequently used urls.
Here's a link or two:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cnfd_lmh_qxqq.asp
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prjj_ipa_cilb.asp
http://www.ultratech-llc.com/BrainWave/TechDocs/Resolution.html
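A small audit of the Hosts file hijack HappyGene describes, as an added example that is not code from any of the posts. It parses a Hosts file and separates entries into names sent to loopback or 0.0.0.0 (which silently blocks sites such as antivirus update servers), names redirected to some other address, and names listed twice (Windows honours the first match, so a later legitimate line is shadowed). The sample Hosts text is constructed, and the `allow` list of admin-added names is an assumption for the demonstration.

```python
r"""Audit a Windows Hosts file for hijacked name-resolution entries.

Added example for this thread, not code from any of the posts.  SAMPLE_HOSTS
below is constructed; on a real system the file lives in the directory named
by the DataBasePath value under the Tcpip\Parameters key, normally
%SystemRoot%\System32\drivers\etc.
"""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, str, int]            # (ip, hostname, line number)

# Addresses that make a name resolve to "nowhere": loopback or the unspecified address.
SINKHOLE_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> List[Entry]:
    """Return every (ip, name, line) mapping, ignoring comments and malformed lines."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop trailing comment
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # first field is not an address
        for name in fields[1:]:
            entries.append((fields[0], name.lower(), lineno))
    return entries


def audit_hosts(text: str, allow: Tuple[str, ...] = ()) -> Dict[str, list]:
    """Classify entries the administrator did not add on purpose.

    blackhole: name sent to loopback/0.0.0.0 (blocks the site, e.g. AV update servers)
    redirect:  name sent to some other address (impersonates the real site)
    duplicate: name mapped more than once; only the first line takes effect
    """
    allowed = {n.lower() for n in allow} | {"localhost"}
    findings: Dict[str, list] = {"blackhole": [], "redirect": [], "duplicate": []}
    seen: Dict[str, int] = {}
    for ip, name, lineno in parse_hosts(text):
        seen[name] = seen.get(name, 0) + 1
        if name in allowed:
            continue
        bucket = "blackhole" if ip in SINKHOLE_ADDRESSES else "redirect"
        findings[bucket].append((name, ip, lineno))
    findings["duplicate"] = sorted(n for n, count in seen.items() if count > 1)
    return findings


# Constructed sample, not a capture from the machine in the thread.
SAMPLE_HOSTS = """\
# constructed sample Hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com
0.0.0.0         securityresponse.symantec.com
192.0.2.10      www.yahoo.com
192.0.2.10      www.yahoo.com
10.0.0.5        fileserver.corp.example   # added by the administrator on purpose
"""


def report(text: str, allow: Tuple[str, ...] = ("fileserver.corp.example",)) -> List[str]:
    """One line per finding, suitable for eyeballing during cleanup."""
    findings = audit_hosts(text, allow)
    lines = []
    for kind in ("blackhole", "redirect"):
        for name, ip, lineno in findings[kind]:
            lines.append(f"line {lineno}: {kind:9} {name} -> {ip}")
    for name in findings["duplicate"]:
        lines.append(f"duplicate mapping for {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HOSTS)))
```

Entries that point a name at loopback are also what legitimate ad-blocking Hosts lists do, so the blackhole bucket is a review list rather than a verdict; the allow list is there to keep entries the administrator added deliberately (like the ones Bob populated for testing) out of the report.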
Greenie – I will check the event logs as soon as I get back to my desk – I’m on a customer site right now.
HappyGene – You are correct, the hosts file had been hijacked – but this is now clean. However, I did not check the LMHOSTS file, and will do that as soon as I get back.
However – none of that should have any effect on nslookup – since it is a purely DNS based tool.
Bob
Here are some ideas to try.
Have you checked to make sure that the machine doesn’t have a rootkit installed on it? You probably also want to check to ensure that nslookup is really the Microsoft version and not a trojanized one (as well as other major system executables).
You might try reinstalling TCP/IP on the computer (as well as the rest of the networking components). Try changing your host resolution order (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: add a REG_DWORD value DnsNbtLookupOrder -> set it to 1 to use DNS first or 0 for default).
Have you tried adding an address to the hosts file to see if it “resolves” correctly from the file, but refuses to talk to the DNS? Have you tried using nslookup and changing the server to a trusted server like one of the roots or your ISPs cache servers? Maybe they got at your server as well as your PC. Load a trusted sources nslookup on the box or run it from a CD to see if it’s the machine or the DNS that’s not working right. Sniff it to see if it is really sending out the query to the server.
Hope this puts you in the right direction. Note: I’d reload the box after you had your fun with it. You never really know what else they did if it had that much spyware/trojans/viruses on it. Use the MS and/or CIS security guides to lock down the box(es) as much as you can so that you hopefully will not become a victim of attack again later.
SF
In the services (administrative options/services) do you have the DNS Client Service running? (should be set to AUTO)??
Another quick fix is to delete the Ethernet card from system devices and let the computer find it again.
sonyfreek – thanks very much for your suggestions
All – One point I should make clear here is that clearing out difficult spyware is one of the things I do for a living, so I (almost) never do a complete rebuild from scratch simply because of the nasties – I take pride in rooting them out (pun intended). I use this cleaning activity as “fill-in” work when I don’t have other better paying jobs. The intended result is that I’m learning a LOT about exactly how spyware works. We’re planning on doing a webcast later this year on the subject of spyware.
All systems I work on get “ghosted” for backup safety, and the first cleaning is done with the “guest” hard disk driven from a known clean system with a combination of Norton Anti-Virus, Ad-aware, Pest Patrol, Microsoft Anti-Spyware, Spybot Search & Destroy, and Safer-Networking’s ADS Locator.
After that, then I reconnect the “guest” system to its own hard drive and allow it to boot, for further cleanup.
As for a rootkit, there didn’t appear to be any, but then it may have been wiped by some of the cleanup utilities.
There are a number of error messages in the Event logs about services and such that aren’t starting. DCOM+ in particular – which I think might be related to this.
Neither the hosts nor the LMHOSTS files contain anything that I haven’t put there on purpose. As sonyfreek points out, the Hosts files works just fine for forcing names – that’s why I’ve been populating it – as a way of testing what’s broken. It’s DNS that’s not working.
Two things I’m exploring are 1) find the actual cause of this DNS malfunction and 2) Do a clean build of the OS after exporting the legit software registry for later re-import.
Bob
More follow-up to your suggestions – and my own investigating.
Yes, I’ve checked the DNS Client, and Yes, it’s running.
I’ve also loaded ntregmon (from the nice people at SysInternals) and watched registry calls go by while doing an nslookup. This showed that ControlSet001 did not recognize that DNS was there – there was a missing key, and further comparisons with a clean XP Home system showed more. So at this point, I’ll experiment with the Repair Console.
I’ll try to keep you all up on whatever I find, but any way you look at it, I love a challenge.
Bob
Sometimes even pros miss the obvious. If your Hosts file was hacked, probably the registry was hacked as well to turn off DNS and force use of the Hosts file. If so, you may well be able to recover just by switching off DNS, with a reboot, then switching it back on. Hopefully it will rebuild the missing registry entries when it restarts DNS use.
Bob,
A few good links for repairing issues with TCP/IP and Winsock on an XP system.
Hope this helps with the repair process.
http://support.microsoft.com/default.aspx?scid=kb;en-us;314067
http://support.microsoft.com/default.aspx?scid=kb;en-us;811259
I have to take a look at that Sysinternals tool. Sounds like a good one to have.
Greenie.
Thanks again to all for your assistance. More followup.
As for uninstalling DNS – it doesn’t appear to be possible. I already tried uninstalling TCP/IP and discovered that it’s not allowed.
As for registry entries – I agree PeterMac – and suspected that it might have been hacked to disable it – the question is how and where. I’m trying to do comparisons with a clean system also running WinXP Home – but the level and volume of detail is daunting.
The netsh tool is a whole new toybox. The exact command provided didn’t work, but there’s a LOT to look at there – Thanks VERY much dwiebesick!
Thanks greenie – for the IP articles – I’ll review them as well.
Bob
(a serious tool junkie)
Sorry, I didn’t mean for you to uninstall DNS; you are right, neither it nor TCP/IP can be uninstalled directly. Try just disabling it, in properties, then after reboot turn it on again. As a last resort, uninstall networking completely (remove the NIC in system device manager), reboot, and let it all re-install (make sure you have any necessary drivers). This will rebuild all networking registry entries (the only thing it doesn’t fix is a corrupt winsock stack). If you want to find the problem, export the registry beforehand, and again after you have it fixed. You can then run a file compare utility to pick up the differences.
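The “export before, export after, then compare” step PeterMac suggests, and the comparison against a clean XP Home system Bob describes earlier in the thread, both come down to diffing regedit exports. The following is an added example, not code from any of the posts: it parses two .reg exports into key/value trees and reports keys and values that were added, removed or changed, ignoring everything identical. Both exports are constructed; the value names are taken from the thread (DnsNbtLookupOrder) or from standard keys (DataBasePath and SearchList under Tcpip\Parameters, Start under the Dnscache service), and the ConstructedSpywareVendor key is a placeholder standing in for a leftover persistence key.

```python
r"""Diff two regedit (.reg) exports taken before and after a repair.

Added example for this thread, not code from any of the posts.  BEFORE_REG and
AFTER_REG are constructed; HKEY_LOCAL_MACHINE\SOFTWARE\ConstructedSpywareVendor
is a placeholder, not a real key.
"""
import re
from typing import Dict, List

RegTree = Dict[str, Dict[str, str]]      # key path -> {value name -> raw value text}

# "name"=data   or   @=data  (the key's default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text: str) -> RegTree:
    """Parse .reg text. Hex data wrapped over several lines (trailing '\\') is joined."""
    tree: RegTree = {}
    current = None
    pending = ""                          # start of a logical line being continued
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:
            line = pending + line.lstrip()
            pending = ""
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            tree[current]["@" if m.group(2) else m.group(1)] = m.group(3)
    return tree


def decode_reg_string(raw: str) -> List[str]:
    """Decode hex(2)/hex(7) data (REG_EXPAND_SZ / REG_MULTI_SZ, UTF-16LE) to strings."""
    body = raw.split(":", 1)[1]
    data = bytes(int(b, 16) for b in body.split(",") if b)
    return [s for s in data.decode("utf-16-le").split("\0") if s]


def diff_reg(before: RegTree, after: RegTree) -> Dict[str, list]:
    """Report only what differs between two parsed exports."""
    d: Dict[str, list] = {"added_keys": [], "removed_keys": [], "added_values": [],
                          "removed_values": [], "changed_values": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            d["added_keys"].append(key)
            continue
        if key not in after:
            d["removed_keys"].append(key)
            continue
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if name not in b:
                d["added_values"].append((key, name, a[name]))
            elif name not in a:
                d["removed_values"].append((key, name, b[name]))
            elif b[name] != a[name]:
                d["changed_values"].append((key, name, b[name], a[name]))
    return d


def describe(d: Dict[str, list]) -> List[str]:
    """One line per difference, the part of the compare worth reading."""
    out = [f"removed key: {k}" for k in d["removed_keys"]]
    out += [f"added key: {k}" for k in d["added_keys"]]
    out += [f"{k} : {n} removed (was {v})" for k, n, v in d["removed_values"]]
    out += [f"{k} : {n} added = {v}" for k, n, v in d["added_values"]]
    out += [f"{k} : {n} changed {o} -> {v}" for k, n, o, v in d["changed_values"]]
    return out


TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
DNSCACHE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache"
LEFTOVER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ConstructedSpywareVendor"   # placeholder

# Constructed "broken" export: Hosts path moved, DNS Client service disabled (Start=4).
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"="C:\\WINDOWS\\Temp\\etc"
"SearchList"=hex(7):63,00,6f,00,72,00,70,00,2e,00,65,00,78,00,61,00,6d,00,70,00,\
  6c,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\ConstructedSpywareVendor]
"Installed"=dword:00000001
"""

# Constructed "repaired" export: default Hosts path, DNS first, service automatic (Start=2).
AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"="%SystemRoot%\\System32\\drivers\\etc"
"DnsNbtLookupOrder"=dword:00000001
"SearchList"=hex(7):63,00,6f,00,72,00,70,00,2e,00,65,00,78,00,61,00,6d,00,70,00,\
  6c,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    print("\n".join(describe(diff_reg(parse_reg(BEFORE_REG), parse_reg(AFTER_REG)))))
```

Parsing into a tree before comparing is what makes this usable on a full SYSTEM hive export: a plain line-by-line file compare drowns in harmless ordering and wrapping differences, whereas this reports only the values that actually differ, which is the volume-of-detail problem Bob ran into.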
Bob,
One other I forgot to post.
http://www.snapfiles.com/get/winsockxpfix.html
Try that download. It is a Winsock registry repair tool for WinXP.
Greenie.
Bob:
A good resource for looking up those Event log errors is http://www.eventid.net. I’ve seen DCOM+ cause problems for DNS Servers in Active Directory and for Microsoft Exchange Server, but I don’t believe it does anything for the local DNS as I’ve disabled the COM before on a machine and it still worked.
Microsoft says:
Warning: If you disable DCOM, you may lose operating system functionality. After you disable support for DCOM, the following may result:
- Any COM objects that can be started remotely may not function correctly.
- The local COM+ snap-in will not be able to connect to remote servers to enumerate their COM+ catalog.
- Certificate auto-enrollment may not function correctly.
- Windows Management Instrumentation (WMI) queries against remote servers may not function correctly.
Found here: http://support.microsoft.com/default.aspx?scid=kb;en-us;825750
Since it’s only used for remote COM functionality, it shouldn’t affect you and you don’t want/need WMI.
Hope this helps.
SF
Well, much as I hate to give up on a problem, I’m doing so. My final solution is/was to export the software key and ROOT hive and reapply them over a clean install.
I’ll let you all know how that went when I’m done.
Bob