Getting pounded by malformed DNS requests

As of 4/23/04 my firewall (Black Ice Defender) started getting a ton of malformed DNS requests from the following IP address: 205.177.124.71. I can use the computer all day with no trouble, but as soon as I open an IE window the pounding begins. I have ran Adaware, Xcleaner, Panda Platinum, AVG, Trend Housecall, Trend Damage Control, Hijack This, Cool Web Shredder, TDS-3m, and I also run SpywareBlaster. I can find nothing wrong with my machine. The last virus I had arrived via pop-up and AVG cleaned it fine on 4/20/03. That was the StartPage.4.AB, and StartPage.3.BC. I don't think that these caused the problem, since it didn't start until 3 days later and AVG caught them immediately. I am running WinXP Home, always kept updated, behind a Netgear firewalled router (also updated).

I would be happy to post my Hijack This log if needed, but it's pretty darn bare. I've been a system admin for the better part of 10 years and was pretty confident I could fix anything up until now. This is extremely frustrating. It has slowed IE down to a crawl on this machine only, the other 3 machines on my network are fine.

I tried contacting the Sam Spade listed system administrator with no response. I have also contacted my ISP and they told me it is on the list as a known trojan address, but they are unable to blacklist it at this time for reasons they chose not to share with me.

Help would be most appreciated, I am ready to pull my hair out.

Thanks

 

I went ahead and followed your instructions even though I had already done all of it. Ran Adaware and Spybot, both came up empty. Here is my Hijack log. Nothing in there that I can see. I was hoping someone here might know which Trojan or Malware that IP address belonged to so I could do a more specific search. The help is appreciated, like I said I am at the end of all of my ideas.


Logfile of HijackThis v1.97.7
Scan saved at 4:03:46 PM, on 5/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mdm.exe
C:\Program Files\KeirNet\K9\K9.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Global\Work\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\Program Files\ANONYMIZER\CORE\Anonymizer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Anonymizer Toolbar - {C14DC52F-B4D9-11D5-B1E6-0050DAD7AF62} - C:\Program Files\ANONYMIZER\TOOLBAR\AnonymizerBar.dll
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {49A3DCEE-FC3C-11D4-83E5-0050DA33C619} (BVXPlayer Class) - http://www.biovirtual.com/xplayer/xplayer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.9363541667
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

 

Hi zmaint,

All unrelated but, check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.iwon.com/index.jsp?PG=home&SEC=bnav

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab

O16 - DPF: {49A3DCEE-FC3C-11D4-83E5-0050DA33C619} (BVXPlayer Class) - http://www.biovirtual.com/xplayer/xplayer.cab

Then reboot.

205.177.124.66 is a known CWS domain. Not sure if they are related, but that looks like a mighty coincidence.

Regards,

Pieter

 

Pieter,

Thanks for the reply. I use Iwon as my home page. Not the fastest or best, but I really want that money...... The tdserver.cab file is part of Ultima Online which I still play regularly. Biovirtual is legit also, its a 3d facial mapping program.

I was reasonably certain I had seen that IP address listed in a forum somewhere as a known Trojan address, I just couldn't remember where. If it is CWS how do I get rid of it? I have already tried version 1.57 of CWS, Adaware, and SpyBot, and they all came up with a big fat 0. Any ideas what the reg keys, .dll's, or exe's I am looking for are? I could remove them manually.

Thank you though, now I can narrow my search in for CWS cleaners. I finally have a place to start. Its much easier to hit the target when you know where it's at

Zach

 

Well it sounded good. I went and checked every registry entry that symantec listed there. I had none of them. I also checked to see if I could find anything else in the IE registry keys while I was in there, but also came up empty. I didn't have the ctrlpan.dll, either. The IP was in the right range for it tho. Thank you.

I also want to apologize for emailing you as well yesterday.... I was reading up on your website, and several others including Merijn's while I was posting here. I didn't realize that you were the same guy that had replied to me here. Whoops

Here is a log of all the processes I currently have running. I do know that sometimes CWS won't show up in Hijack.


Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll
GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll
SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll
msvsres.dll 10000000 61440 C:\WINDOWS\System32\msvsres.dll
WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll
ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll
CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll
UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll
AnonymizerBar.dll 930000 114688 C:\Program Files\ANONYMIZER\TOOLBAR\AnonymizerBar.dll
WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll
MSVCP60.dll 55900000 397312 C:\WINDOWS\System32\MSVCP60.dll
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll
MSH_ZWF.dll 61220000 73728 C:\Program Files\Microsoft Hardware\Mouse\MSH_ZWF.dll
Anonymizer.dll e40000 434176 C:\Program Files\ANONYMIZER\CORE\Anonymizer.dll
rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll
shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll
mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll
wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll
NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll
TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll
serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll
umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll
POINT32.dll 61210000 61440 C:\Program Files\Microsoft Hardware\Mouse\POINT32.dll
sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll
USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll
msi.dll 1650000 2101248 C:\WINDOWS\System32\msi.dll
SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL
DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll
mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll
PDM.DLL 4a000000 180224 C:\WINDOWS\System32\PDM.DLL
MSDBG.DLL 4aa00000 86016 C:\WINDOWS\System32\MSDBG.DLL
msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll
MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL
IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll
scrauth.dll 25a0000 110592 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll
ScrBlock.dll 26d0000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll
wintrust.dll 76c30000 176128 C:\WINDOWS\System32\wintrust.dll
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll
cryptnet.dll 73d50000 65536 C:\WINDOWS\System32\cryptnet.dll
jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll
mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll

 

You know, I realize you guys are busy but I really need some help getting this fixed. It takes forever to load web pages, its actually worse than 14.4 dial-up.

Thanks