TCP/IP connect DNS error

BJ,

I think Puggs has been trying to do this. See message # 5. But could not run in safe mode.

Puggs,
I would suggest that if possible, just run ALL steps in normal boot mode and get all logs from online scanners and then HJT and attach them to a message.

 

Spy Sweeper no longer offers a 15 day trial. It only does a scan and then you must purchase it to fix!

And you are completely wrong about few other items:
1) Spybot is not complete garabage
2) by WAS I assume you really meant Microsoft Windows Antispyware. Well it is a pretty good program and it is okay to run short term with another program like Spy Sweeper. But in the long run that is a very bad idea because they will consume too much system resources and will conflict with each other just like multiple antivirus applications will.
3) Why would you suggest a registry cleaner when you have no idea what is actually wrong. And what makes you think Puggs would have any idea where and what to look for. Using a registry cleaner can do more harm then good if you do not know what you are doing.

 

Puggs,

Just see if you can get HijackThis onto this PC. Use what BJ gave you ( Downloading, Installing, and Running HijackThis ) to get a copy and install it properly. If you cannot download on this PC, then download on another, unzip it on the other, and copy it here by any method possible (like floppy, CD, USB flash drive, local network etc).

Try to attach the log here. If you cannot attach it, post it inline and we will attach it.

 

Try renaming the hijackthis.exe to myhjt.com and see if it will run. If not, open try opening a command prompt by clicking Start, Run and enter cmd and click OK. Then at the command prompt enter taskmgr and hit the enter key. I just want to see if you can run cmd.exe and taskmgr.exe. There could be a problem running EXE files.

 

BJ,
It maybe difficult to run this due to the problems Puggs is having.

Puggs, you have some serious issues!!

If you can run Ewido, run it. But either way continue on to the below. If Ewido does run it may have already fixed some of these problems. So don't worry if you do not find some after running Ewido.

First we need to disable Spybot's Teatime because it could block the fixes.
To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
Now quit Spybot!

Do you know if this client.exe is actually something you are running. It seem bad to me.
C:\WINDOWS\system32\client.exe
O4 - HKLM\..\Run: [dhcp] C:\WINDOWS\system32\client.exe

If you do not know what it is, add the C:\WINDOWS\system32\client.exe file to the list of process to kill below. And then add the
O4 - HKLM\..\Run: [dhcp] C:\WINDOWS\system32\client.exe
line to the list of items to fix with HJT. Then in the area where you reboot and delete files in safe mode, delete the client.exe file.

For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\OFICEXP.exe
C:\Program Files\Zvqm\Xnlbxw.exe
C:\WINDOWS\System32\CPUBuffer.exe
C:\windows\png.exe
C:\WINDOWS\MSDATA32.EXE

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe <--- not necessary unless you want to be notified of Dell updates. Up to you.
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe <--- Dell Support Damon. Not necessary. Up to you.
O4 - HKLM\..\Run: [Microsoft Time Manager] dveldr.exe
O4 - HKLM\..\Run: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\Run: [Kodac] C:\OFICEXP.exe
O4 - HKLM\..\Run: [Mpxjym] C:\Program Files\Zvqm\Xnlbxw.exe
O4 - HKLM\..\Run: [CPU Buffer] CPUBuffer.exe
O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\windows\png.exe
O4 - HKLM\..\Run: [MS DATABASE] MSDATA32.EXE
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe <--- this will probably come back!
O4 - HKLM\..\RunServices: [Microsoft Time Manager] dveldr.exe
O4 - HKLM\..\RunServices: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\RunServices: [CPU Buffer] CPUBuffer.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\RunServices: [MS DATABASE] MSDATA32.EXE
O4 - HKCU\..\Run: [CPU Buffer] CPUBuffer.exe
O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [MS DATABASE] MSDATA32.EXE
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\RunServices: [MS DATABASE] MSDATA32.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://webmail.att.net
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\OFICEXP.exe
C:\windows\png.exe
C:\WINDOWS\MSDATA32.EXE
C:\Program Files\Zvqm <--- the whole Zvqm folder
C:\WINDOWS\etb <--- the whole etb folder
C:\WINDOWS\System32\CPUBuffer.exe
C:\WINDOWS\dveldr.exe or C:\WINDOWS\System32\dveldr.exe
C:\WINDOWS\sysmsvc.exe or C:\WINDOWS\System32\sysmsvc.exe
C:\WINDOWS\mxpsp.exe or C:\WINDOWS\System32\mxpsp.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

But it does not look like you complete my steps in message # 31. I still see Teatimer running and I see a load of the bad stuff I had given you steps to fix. Did you run all those steps in message #31. If so, disable Teatimer and do them again.

You also forgot to answer my question about client.exe and you did not follow the steps to save the Bitdefender log as a text file. You saved raw HTML code to a text file.

 

The below is normal! Don't worry about it.
C:\WINDOWS\system32\svchost.exe Why are 4 showing?

You can change your search page to anything you want. Just reset web settings and appove the change if any software asks you. But I already had you do this in HJT. Looks like you are not fixing things.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php Does this have to point here?

I also see some malware still present. Did you forget to fix the below:

O4 - HKLM\..\Run: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\Run: [MS DATABASE] MSDATA32.EXE
O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\RunServices: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\RunServices: [MS DATABASE] MSDATA32.EXE
O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [MS DATABASE] MSDATA32.EXE
O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\RunServices: [MS DATABASE] MSDATA32.EXE
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) Is this bad?
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://webmail.att.net
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)

 

They are showing in your HJT log. You must follow the directions for using HJT and then select each of the lines. After they are selected (all the items I listed in messsage # 35) make sure you close ALL browser windows and then click Fix checked at the bottom left of the HJT window. Then reboot into safe mode and make sure you have followed directions for viewing of hidden and system files and locate and delete the files. The files to delete were listed in message # 31.

If those lines still appear in HJT after trying to Fix them again, then uninstall MS Antispyware or disable all of its Realtime protection and try again.

 

I'm not sure why you are not able to get the below fixed:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.go2realsearch.com/sp2.php
O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [MS DATABASE] MSDATA32.EXE
O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\RunServices: [MS DATABASE] MSDATA32.EXE
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O15 - Trusted Zone: http://webmail.att.net
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com

Are you actually locating all of these lines in your HJT log?
Are you putting check marks on each of the lines?
Are you shutting down browsers and then clicking Fix checked?
Are you getting any error messages?

If your answers are Yes, Yes, Yes, & No, then continue with the below. If you did not answer the questions this way, explain what you do and what happens.

Uninstall SpywareDoctor, Microsoft Antispyware, and Ewido. Then reboot your PC and try the fixes again. Then post a new log.

 

Okay! Now you finally have gotten rid of them. I still see the below line for SpywareDoctor:

O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

If it is uninstalled you should fix this line and delete the folder for it. If you did not buy it, there is no sense re-installing it though. You do need to have a good full time spyware blocker installed. MS Antispyware can be used for free if desired.

What you should do, now that you are clean, is the steps in the below link:

How to Protect yourself from malware!

 

You're welcome! Now that you are clean, it is safe to install SP2 and that is the first step in the How to protect thread.