IE (DNS error?) and ns14.attbi.com ?? HELP!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DesertWench, Nov 16, 2005.

  1. DesertWench

    DesertWench Private E-2

    I'm a Firefox user but keep IE on my machine for use when needed. IE won't open (Page cannot be displayed) and Zone Alarm Professional version 6.0.667 detects that Windows Explorer is attempting to connect to ns11.attbi.com or ns14.attbi.com (63.240.76.193:53 or 204.27.199.8:53). Research turns up nothing I can figure out. (I'm running Win98.)

    I ran the cleaning/scans you recommended in the "READ AND RUN ME FIRST" post. Made somewhat of a difference but still didn't resolve the IE/Explorer issues. I downloaded HijackThis and saved the log (see attached).

    Please go easy on me fellas, I'm totally new at this and hope I've done everything I needed to up to this point. My firewall was active when I created the log. Please let me know if I need to re-scan minus the firewall. Thanks in advance.

    The Wench
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In order for us to properly help you, you must complete all steps in the READ & RUN ME sticky thread. I do not see any signs of any of the online scanners being run. You must run at least two of them per the READ ME step 5.

    Do you recognize the IP Addresses now as listed below? They could be your ISP and your company? Also the attbi.com stuff is for AT & T? Do you use them for an ISP?

    Code:
    63.240.76.193 = [ sccscix11-ve14.comcast.net ]

    OrgName:    CERFnet
    OrgID:      CERF
    Address:    5738 Pacific Center Blvd
    City:       San Diego
    StateProv:  CA
    PostalCode: 92121
    Country:    US
    NetRange:   63.240.0.0 - 63.242.255.255
    CIDR:       63.240.0.0/15 63.242.0.0/16
    NetName:    CERFNET-BLK-5
    NetHandle:  NET-63-240-0-0-1
    Parent:     NET-63-0-0-0-0


    204.27.199.8 = [ ]

    OrgName:    Equipto Electronics Corporation
    OrgID:      EEC-2
    Address:    351 Woodlawn Ave
    City:       Aurora
    StateProv:  IL
    PostalCode: 60506-9988
    Country:    US
    NetRange:   204.27.199.0 - 204.27.199.255
    CIDR:       204.27.199.0/24
    NetName:    EQUIPTO-ELEC
    NetHandle:  NET-204-27-199-0-1
    Parent:     NET-204-0-0-0-0

     
  3. DesertWench

    DesertWench Private E-2

    Thanks for the reply....

    Because IE won't open, only Firefox is accessible, so I used the alternative scan in Step #5 for Firefox users: Trend Micro. I then followed the directions in Step #6 while booted in safe mode with the internet cable unplugged. I ran CCleaner, Ad-Aware SE and Spybot. It did remove several spyware programs and two trojans.

    The ISP Comcast is mine. I do not use AT&T for an ISP and have no idea why or how it is accessing my machine. In the research I've done I find information that says AT&T is merging with Comcast, so I called Comcast. They knew nothing about it. I'm concerned about giving the attbi.com address access to my machine until I know what it is.

    Any suggestions as to what I should try next?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you mean IE will not connect to the URL you are entering?
    Or do you mean IE will not open? This would mean it does not run. I believe from your first message you mean IE will not display the page desired.

    Have you tried using an IP address instead of a URL to see what happens?

    Try 66.102.7.147 instead of www.google.com

    Does the IP address form work?
     
  5. DesertWench

    DesertWench Private E-2

    I was able to get IE working, somehow. Previously it would not connect to anything however I was not typing in the IP. Seems to be working fine now after I did some more scanning.

    I ran Bit Defender which was terminated early and I received this message: Microsoft Visual C++ Runtime Library: Run Time Error C:\WINDOWS\EXPLORER.EXE terminated in an unusual way.

    I ran Trojan Scan which found: Program Files\DesktopManager\8876480\6.1.0.155-8876480L\PAROGRAM\runner.exe but did not remove it. I'd like to remove it but using the add/remove program tool it does not appear on the list.

    Active scan found nothing so there was no log to save.

    I reran HJT with the firewall (Zone Alarm) OFF and attached the log file here. I'm still having trouble with Explorer.exe wanting to connect to ns14.attbi.com or ns11.attbi.com. When I have the firewall on, the connection is blocked; however, I receive many pop-ups from Zone Alarm requesting access. When I deny access, sometimes my connection will work, sometimes it won't. I don't know how the attbi addresses are connected to my machine (or WHY they got connected, since I didn't allow it) and I want to remove it but don't know how. Zone Alarm is telling me I can't delete an active network. The machine is running pretty slow and keeps trying to load explorer.

    Is there a reason explorer.exe would be trying to connect to the internet? I thought this was windows explorer but perhaps I'm wrong?

    Thanks so much for your help... I really appreciate it. I'm in unknown territory here!
     

    Attached Files:

    Last edited: Nov 18, 2005
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe you mean Iexplore.exe keeps trying to connect, not explorer.exe. Is that true? They are related but they are not the same thing. Or is ZoneAlarm really saying explorer.exe is trying to connect?

    Let's fix the below items first.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {44EFB53C-C965-43CF-9F45-52242D134187} - (no file)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
    O16 - DPF: {416792D8-F532-493A-BECC-1C99A1501FF9} (vmLaunch Class) - http://media2.comcast.net/anon.comcastonline2/onleng/downloads/VideoMail/vmLauncher2.cab

    After clicking Fix, exit HJT.

    If you are still having problems now, continue with the below and attach the SpySweeper log.

    Running Spy Sweeper...
     
  7. DesertWench

    DesertWench Private E-2

    Yep, Zone Alarm is telling me that EXPLORER.EXE is trying to connect, not Iexplore. I thought it was odd too :p Any suggestions?

    I'll print out your instruction from my office and make the fixes when I get home. I'll re-post with my results after the fixes.

    Thanks again for your assistance!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please give me the exact message that ZoneAlarm gives. Also look in the Alerts & Logs table and see what you find on it. When do you get these messages?

    I wonder if it has anything to do with your PC Tel Modem which is loading the below at startup:
    F1 - win.ini: load=ptsnoop.exe
     
  9. DesertWench

    DesertWench Private E-2

    I've attached a screen capture of ZA and the message info I get when explorer.exe tries to connect. PTSnoop has been a problem to keep from starting even though I thought I deleted it, but the explorer issue began about a month ago when this mysterious network connection to attbi showed up.
     

    Attached Files:

  10. DesertWench

    DesertWench Private E-2

    Okay, ran SpySweeper. Attached is the log. Removed a few nasties but have still not resolved the Explorer.exe problem. Even though I am already connected to the internet, ZA keeps sending pop-ups requesting permission to connect. I attached a screen shot of ZA in an earlier post. Hopefully this will help?
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you need PTSnoop?

    The IP address in the ZoneAlarm snapshot is for access to your ISP. What do you have installed from them? Ask them what they are trying to send back toward their address from your PC. The port they are using (port 53) is associated with DNS (Domain Name Server).

    Show me the network connection stuff you are referring to. Afterwards I'll delete it for security purposes. Have you tried booting in safe mode and deleting the network connection? How do you connect to the internet (dial-up, cable, dsl etc)? Do you use a router?
     
    Last edited: Nov 18, 2005
  12. DesertWench

    DesertWench Private E-2

    Okay, I thought I would clarify what my IP address actually is with Comcast and did the following:

    I went to the start menu, clicked "run", typed in "winipcfg", selected my network card (SiS NIC SISNIC) from the drop down window and there was my Comcast IP in the "Ethernet Adapter" window. However, when I click on "more info" in the top window under "Host Information" and in the box "DNS Servers" are two IPs belonging to attbi.com which are not associated with Comcast. The DNS Server IPs are 204.127.199.8 and 63.240.76.198, both accessing through port 53. These are the two addresses I have blocked with ZA but are causing severe slow down and are the addresses that explorer.exe is trying to connect to. In the box "Node Type" it says "Broadcast". I connect to the internet using a broadband connection through a modem. (If you'd like a screen shot of that let me know. Just not sure how wise it is to post my real IP here?)

    I did not knowingly download anything from attbi.com and am completely flummoxed as to how they ended up as a DNS. At one time I did download a program from Comcast, videomail, but that was ages ago and it never worked properly so I deleted it.

    Because this is all so foreign to me, a friend who is much more savvy about this sort of thing is coming over tomorrow to have a look. I'll show him our discussion and all the notes I've printed from the forums that have been VERY helpful. We'll try removing the unknown server in safe mode. Don't need PTSnoop and will try again to blast it off the drive.

    Thanks, again, for all your help! I'll owe you something for this...hmmmmm... maybe I'll send you a pizza from Dominic's in Haworth? Sicilian of course....
     
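The check the thread arrives at (read the resolver addresses the host reports, compare them with what the ISP actually hands out, and work out who owns the netblock of anything unexpected) can be scripted. The following is an added example, not code from the thread or from any tool mentioned in it. The netblocks are copied from the ARIN whois output posted earlier in the thread; the "expected" resolver addresses and the firewall alert lines are constructed (TEST-NET addresses and a simplified `process -> ip:port/proto` shape, not ZoneAlarm's real log format). It keys on the destination rather than the process because on Windows 98 there is no separate DNS client service: whichever program issues the lookup is the one a personal firewall sees talking to port 53, so `EXPLORER.EXE` on port 53 is by itself not evidence of anything.

```python
"""Audit configured DNS resolvers and port-53 egress against an allowlist.

Added example. Netblocks come from the ARIN whois records quoted in the
thread; resolver allowlist and alert lines below are constructed samples.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Netblocks taken from the whois output posted earlier in this thread.
KNOWN_BLOCKS: Dict[str, Tuple[str, ...]] = {
    "CERFNET-BLK-5 (CERFnet)": ("63.240.0.0/15", "63.242.0.0/16"),
    "EQUIPTO-ELEC (Equipto Electronics Corporation)": ("204.27.199.0/24",),
}

# Resolvers the ISP is assumed to have issued via DHCP. Constructed values
# from TEST-NET-1 (RFC 5737); replace with the addresses your ISP gives you.
EXPECTED_RESOLVERS = frozenset({"192.0.2.10", "192.0.2.11"})


def owner_of(ip: str) -> Optional[str]:
    """Return the whois netblock name that contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in KNOWN_BLOCKS.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
            return name
    return None


def audit_resolvers(configured: List[str],
                    expected=EXPECTED_RESOLVERS) -> List[Tuple[str, str]]:
    """One (ip, owner) finding per configured resolver not on the allowlist.

    'configured' is what winipcfg / ipconfig reports under DNS Servers.
    """
    return [(ip, owner_of(ip) or "unknown netblock")
            for ip in configured if ip not in expected]


# Simplified, constructed alert shape: "PROCESS -> ip:port/PROTO".
ALERT_RE = re.compile(
    r"^(?P<proc>\S+) -> (?P<ip>[\d.]+):(?P<port>\d+)/(?P<proto>UDP|TCP)$")


def parse_alert(line: str) -> Optional[dict]:
    """Parse one constructed alert line; None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return {"proc": m["proc"], "ip": m["ip"],
            "port": int(m["port"]), "proto": m["proto"]}


def flag_dns_egress(lines: List[str],
                    expected=EXPECTED_RESOLVERS) -> List[Tuple[str, str, str]]:
    """(process, destination, owner) for each port-53 connection to a
    resolver that is not on the allowlist. Other ports are ignored."""
    flagged = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["port"] != 53 or alert["ip"] in expected:
            continue
        flagged.append((alert["proc"], alert["ip"],
                        owner_of(alert["ip"]) or "unknown netblock"))
    return flagged


# Constructed sample alerts mirroring the thread's symptom.
SAMPLE_ALERTS = [
    "EXPLORER.EXE -> 63.240.76.193:53/UDP",
    "EXPLORER.EXE -> 204.27.199.8:53/UDP",
    "FIREFOX.EXE -> 192.0.2.10:53/UDP",     # allowlisted resolver: fine
    "FIREFOX.EXE -> 192.0.2.80:80/TCP",     # not DNS: ignored
]

if __name__ == "__main__":
    for ip, owner in audit_resolvers(["63.240.76.193", "204.27.199.8"]):
        print(f"unexpected resolver {ip} -> {owner}")
    for proc, ip, owner in flag_dns_egress(SAMPLE_ALERTS):
        print(f"{proc} queried non-allowlisted resolver {ip} ({owner})")
```

The resolver list is the thing to act on: if the addresses the host reports are not the ones the ISP documents, either a DHCP lease from a different network is still in effect or something on the machine has rewritten the TCP/IP settings, and the fix is in the adapter's TCP/IP properties rather than in the firewall rules.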
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have HJT fix this line:
    F1 - win.ini: load=ptsnoop.exe

    And then find and delete the file.

    You should just take your network card out of service (disconnecting the cable may work too) and then delete those networks that you do not need from ZoneAlarm.

    You should be able to remove the DNS items too using the Properties of Network Places and looking at the TCP/IP driver.
     