Windows XP using only NBNS, not DNS

Tags: Data center operations, DNS, Help Desk, Microsoft Windows, NetBIOS, Networking, TCP, Tech support
Situation is a system with XP Home, that was BADLY infested with spyware, viruses, etc. Hosts file was filled in with a large number of entries. After everything is cleaned up and the OS reinstalled with the "Repair" option, everything seems to work - except DNS. I can ping by IP address only, despite manually configuring all of the proper DNS values. Attempts to use NSLOOKUP result in the server not being found. Attempts to ping or reach even fully qualified domain names (e.g. www.yahoo.com) result in only a NetBIOS name lookup request. There is no WINS server on the network. My guess is that this is an artifact left over from one of the spyware packages, but I've never encountered this one before. Any ideas? Thanks, Bob
ASKED: May 23, 2005  11:27 AM
UPDATED: May 27, 2005  12:17 PM

Answer Wiki


Any entries in the Event Logs?

If so, please post. It may help in resolving the DNS issues.

Discuss This Question: 13  Replies

  • HappyGene
    Bob, It could be that this cpu's LMHosts and Hosts files were hijacked. If used, the LMHosts file identifies domain-level resources by ip, mostly servers that provide resolution assistance themselves. The Hosts file provides fast ip resolution and redirection for important and/or frequently used urls. Here's a link or two: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cnfd_lmh_qxqq.asp http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prjj_ipa_cilb.asp http://www.ultratech-llc.com/BrainWave/TechDocs/Resolution.html :) Gene
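As an added example (not from the thread), here is a small Python audit of a Windows-style hosts file in the spirit of HappyGene's point and of Bob's later check that the file holds only entries he put there himself: every mapping not in a caller-supplied "expected" set is classified as sinkholed (a name pointed at loopback or 0.0.0.0), pinned (a name forced to some other address) or malformed. The sample hosts content and the domain names in it are constructed for the demonstration.

```python
import ipaddress

# Constructed sample hosts file (not a real capture): one legitimate LAN entry,
# two names sinkholed to loopback/0.0.0.0, one name pinned to an outside address, one junk line.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
192.168.1.10    fileserver
0.0.0.0         update.av-vendor.example      # an update site made unreachable
127.0.0.1       www.search-engine.example
192.0.2.55      www.bank.example
garbage         something.example
"""

# Names that legitimately map to loopback on a default Windows hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    # Yield (lineno, ip_text, name) for every mapping; one line may list several names.
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        for name in parts[1:]:
            yield lineno, parts[0], name.lower()

def audit_hosts(text, expected=frozenset()):
    # Classify every mapping not in `expected` (a set of (ip, name) pairs you added on purpose).
    findings = []
    for lineno, ip_text, name in parse_hosts(text):
        if (ip_text, name) in expected:
            continue
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((lineno, "malformed", ip_text, name))
            continue
        if ip.is_loopback or ip.is_unspecified:
            if name not in LOCAL_NAMES:          # localhost -> 127.0.0.1 is normal
                findings.append((lineno, "sinkholed", ip_text, name))
        else:
            findings.append((lineno, "pinned", ip_text, name))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, {("192.168.1.10", "fileserver")}):
        print(finding)
```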
  • Bobkberg
    Greenie - I will check the event logs as soon as I get back to my desk - I'm on a customer site right now. HappyGene - You are correct, the hosts file had been hijacked - but this is now clean. However, I did not check the LMHOSTS file, and will do that as soon as I get back. However - none of that should have any effect on nslookup - since it is a purely DNS based tool. Bob
  • Sonyfreek
    Here are some ideas to try. Have you checked to make sure that the machine doesn't have a rootkit installed on it? You probably also want to check to ensure that nslookup is really the Microsoft version and not a trojanized one (as well as other major system executables). You might try reinstalling TCP/IP on the computer (as well as the rest of the networking components). Try changing your host resolution order (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: add a REG_DWORD value of DnsNbtLookupOrder -> set it to 1 to use DNS first or 0 for default). Have you tried adding an address to the hosts file to see if it "resolves" correctly from the file, but refuses to talk to the DNS? Have you tried using nslookup and changing the server to a trusted server like one of the roots or your ISP's cache servers? Maybe they got at your server as well as your PC. Load a trusted source's nslookup on the box or run it from a CD to see if it's the machine or the DNS that's not working right. Sniff it to see if it is really sending out the query to the server. Hope this puts you in the right direction. Note: I'd reload the box after you had your fun with it. You never really know what else they did if it had that much spyware/trojans/viruses on it. Use the MS and/or CIS security guides to lock down the box(es) as much as you can so that you hopefully will not become a victim of attack again later. SF
  • Ve3ofa
    In the services (administrative options/services) do you have the DNS Client Service running? (should be set to AUTO)?? Another quick fix is to delete the Ethernet card from system devices and let the computer find it again.
  • Bobkberg
    sonyfreek - thanks very much for your suggestions. All - One point I should make clear here is that clearing out difficult spyware is one of the things I do for a living, so I (almost) never do a complete rebuild from scratch simply because of the nasties - I take pride in rooting them out (Pun intended). I use this cleaning activity as "fill-in" work when I don't have other better paying jobs. The intended result is that I'm learning a LOT about exactly how spyware works. We're planning on doing a webcast later this year on the subject of spyware. All systems I work on get "ghosted" for backup safety, and the first cleaning is done with the "guest" hard disk driven from a known clean system with a combination of Norton Anti-Virus, Ad-aware, Pest Patrol, Microsoft Anti-Spyware, Spybot Search & Destroy, and Safer-Networking's ADS Locator. After that, then I reconnect the "guest" system to its own hard drive and allow it to boot, for further cleanup. As for a rootkit, there didn't appear to be any, but then it may have been wiped by some of the cleanup utilities. There are a number of error messages in the Event logs about services and such that aren't starting. DCOM+ in particular - which I think might be related to this. Neither the hosts nor the LMHOSTS files contain anything that I haven't put there on purpose. As sonyfreek points out, the Hosts file works just fine for forcing names - that's why I've been populating it - as a way of testing what's broken. It's DNS that's not working. Two things I'm exploring are 1) find the actual cause of this DNS malfunction and 2) Do a clean build of the OS after exporting the legit software registry for later re-import. Bob
  • Bobkberg
    More follow-up to your suggestions - and my own investigating. Yes, I've checked the DNS Client, and Yes, it's running. I've also loaded ntregmon (from the nice people at SysInternals) and watched registry calls go by while doing an nslookup. This showed that ControlSet001 did not recognize that DNS was there - there was a missing key, and further comparisons with a clean XP Home system showed more. So at this point, I'll experiment with the Repair Console. I'll try to keep you all up on whatever I find, but any way you look at it, I love a challenge. Bob
  • PeterMac
    Sometimes even Pros miss the obvious. If your Hosts file was hacked, probably registry was hacked as well to turn off DNS, and force use of the Hosts file. If so you may well be able to recover just by switching off DNS, with reboot, then switching it Back on. Hopefully it will rebuild missing registry entries when it restarts DNS use.
  • Greenie
    Bob, A few good links for repairing issues with TCP/IP and Winsock on an XP system. Hope this helps with the repair process. http://support.microsoft.com/default.aspx?scid=kb;en-us;314067 http://support.microsoft.com/default.aspx?scid=kb;en-us;811259 I have to take a look at that Sysinternals tool. Sounds like a good one to have. Greenie.
  • Bobkberg
    Thanks again to all for your assistance. More followup. As for uninstalling DNS - It doesn't appear to be possible. I already tried uninstalling TCP/IP and discovered that it's not allowed. As for registry entries - I agree PeterMac - and suspected that it might have been hacked to disable it - the question is how and where. I'm trying to do comparisons with a clean system also running WinXP Home - but the level and volume of detail is daunting. The netsh tool is a whole new toybox. The exact command provided didn't work, but there's a LOT to look at there - Thanks VERY much dwiebesick! Thanks greenie - for the IP articles - I'll review them as well. Bob (a serious tool junkie)
  • PeterMac
    Sorry didn't mean for you to uninstall DNS, you are right neither it nor TCP/IP can be uninstalled directly. Try just disabling it, in properties, then after reboot turn it on again. As last resort uninstall networking completely, (Remove NIC in system device manager), reboot, and let it all re-install (make sure you have any necessary drivers). This will rebuild all networking registry entries, (Only thing it doesn't fix is corrupt winsock stack). If you want to find problem export out registry beforehand, and again after you have it fixed. You can then run a file compare utility to pick up differences.
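Added example, not part of the thread: a Python take on the "export the registry before and after, then compare" approach PeterMac describes and on Bob's missing-key finding in ControlSet001. It parses two regedit .reg exports (handling the trailing-backslash line wrapping regedit uses for hex values) and reports which keys and values the suspect machine lacks or has changed relative to a clean one. The two exports below are constructed samples, with a Tcpip\Parameters key and a Dnscache key made up for the demonstration; a real export is UTF-16 and must be decoded before parsing.

```python
import re

# Constructed sample exports (not real captures). The "clean" side carries a wrapped hex value,
# a DnsNbtLookupOrder value and a Dnscache key; the "suspect" side lacks the last two.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,\
  52,00,6f,00,6f,00,74,00,25,00
"DnsNbtLookupOrder"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache]
"Start"=dword:00000002
"""
SUSPECT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):43,00,3a,00,5c,00,58,00,00,00
"""

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "Name"=data or @=data

def parse_reg_export(text):
    # Build {key_path: {value_name: data_text}} from decoded .reg text.
    tree, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = line[:-1] if line.endswith("\\") else ""   # hex data wraps with "\"
        if pending or not line or line[0] == ";":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lstrip("-")   # a leading "-" would mean "delete this key"
            tree.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = m.group(1)[1:-1] if m.group(1) != "@" else "@"   # strip quotes from name
            tree[current][name] = m.group(2)
    return tree

def diff_reg(clean, suspect):
    # Everything the clean export has that the suspect export lacks or has changed.
    report = {"missing_keys": [], "missing_values": [], "changed_values": []}
    for key, values in clean.items():
        if key not in suspect:
            report["missing_keys"].append(key)
            continue
        for name, data in values.items():
            if name not in suspect[key]:
                report["missing_values"].append((key, name))
            elif suspect[key][name] != data:
                report["changed_values"].append((key, name, data, suspect[key][name]))
    return report
```

Run `diff_reg(parse_reg_export(clean_text), parse_reg_export(suspect_text))` on two exports of the same hive path to get a list short enough to read, rather than the raw file comparison Bob found daunting.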
  • Greenie
    Bob, One other I forgot to post. http://www.snapfiles.com/get/winsockxpfix.html Try that download. It is a Winsock registry repair tool for WinXP. Greenie.
  • Sonyfreek
    Bob: A good resource for looking up those Event log errors is www.eventid.net. I've seen DCOM+ cause problems for DNS Servers in Active Directory and for Microsoft Exchange Server, but I don't believe it does anything for the local DNS as I've disabled the COM before on a machine and it still worked. Microsoft says: "Warning: If you disable DCOM, you may lose operating system functionality. After you disable support for DCOM, the following may result: - Any COM objects that can be started remotely may not function correctly. - The local COM+ snap-in will not be able to connect to remote servers to enumerate their COM+ catalog. - Certificate auto-enrollment may not function correctly. - Windows Management Instrumentation (WMI) queries against remote servers may not function correctly." Found here: http://support.microsoft.com/default.aspx?scid=kb;en-us;825750 Since it's only used for remote COM functionality, it shouldn't affect you and you don't want/need WMI. Hope this helps. SF
  • Bobkberg
    Well, much as I hate to give up on a problem, I'm doing so. My final solution is/was to export the software key and ROOT hive and reapply them over a clean install. I'll let you all know how that went when I'm done. Bob