Spyware-laden computers won't get IP address now?

#1 - January 29th, 2004, 05:31 PM
Member (Join Date: Oct 2001, Posts: 51)
Spyware-laden computers won't get IP address now?
We've gotten several computers over the last few days just filled with all kinds of spyware, and seem to be able to remove it after several passes with AdAware and Spybot. The user usually complains that their internet does not work to start off, and we've found that the computers will not even get onto our home network, which uses DHCP. The computer just assigns itself a private IP address. Is there a new piece of spyware out there that is corrupting networking files or something? I know removing NewdotNet used to corrupt some vital DLLs... any help?

#2 - January 29th, 2004, 05:40 PM
Ultimate Member (Join Date: Oct 2001, Location: Trent University, Posts: 2,414)
What's the IP that is being assigned?
Can the machine ping the other computers on the network?
__________________
The difficulty is to try and teach the multitude that something can be true and untrue at the same time. -- Arthur Schopenhauer

#3 - January 29th, 2004, 05:40 PM
addicted (Join Date: Oct 2001, Location: Ohio, Posts: 6,103)
I don't know of any virus, worm, or spyware that relates to a computer not getting an IP address.
There is a variant of MyDoom that changes the machine's hosts file. This is to make many well-known sites unreachable. Here's one known list:
Quote:
The hosts file in the infected machines will be modified so that domains belonging to anti-virus companies and other commercial sites are resolved to the IP address 0.0.0.0, rendering them inaccessible.
The full contents of this file follow (the file is encrypted within the worm's code):
An additional line is added before the date when the attack against Microsoft begins:
0.0.0.0 www.microsoft.com
In addition, there are some spyware/viruses that will change the machine's DNS server setting to use a malicious DNS server. This can make any site unreachable at the will of the DNS server owner.
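A small check for the hosts-file tampering described in this post, as an added example that is not part of the thread: it parses hosts-file text and flags any entry that sinkholes a security-vendor or update domain to 0.0.0.0 or 127.0.0.1. The sample file and the watched-domain list are constructed from the domains quoted above and are assumptions, not output from an infected machine.

```python
import ipaddress

# Constructed sample hosts file modelled on the MyDoom variant quoted above.
# The comment line and the legitimate localhost entry are included to show
# that they are not flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com
0.0.0.0 liveupdate.symantec.com update.symantec.com
0.0.0.0 windowsupdate.microsoft.com download.microsoft.com
192.168.1.10    fileserver.local
"""

# Addresses that make a name unreachable when placed in hosts (sinkholes).
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Domains whose sinkholing suggests AV/update traffic is being blocked
# (assumed list built from the thread; extend it for your own environment).
WATCHED_SUFFIXES = ("sophos.com", "symantec.com", "f-secure.com", "mcafee.com",
                    "nai.com", "trendmicro.com", "ca.com", "microsoft.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # malformed line: skip it
        for name in fields[1:]:
            yield ip, name.lower()

def suspicious_entries(text):
    """Return (ip, name) entries that sinkhole a watched vendor/update domain."""
    hits = []
    for ip, name in parse_hosts(text):
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if ip in SINKHOLE_ADDRS and watched:
            hits.append((ip, name))
    return hits

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts hijack: {name} -> {ip}")
```

On Windows the live file is %SystemRoot%\system32\drivers\etc\hosts; read it and pass its contents to suspicious_entries() to check a machine.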

#4 - January 29th, 2004, 05:57 PM
Member (Join Date: Oct 2001, Posts: 51)
The IP being assigned is just a random XP IP, 169.XXX....
All three of the computers are scanned and virus-free. We're trying a Winsock repair utility now; will let you know.

#5 - January 31st, 2004, 06:48 AM
Member (Join Date: Jan 2004, Posts: 115)
Are these PCs on a home LAN hooked to a cable network? I had the same problem and finally reinstalled the server. This was after uninstalling TCP/IP, NICs, etc., etc. That finally fixed it. I wonder if it is something the cable co. is doing because they are now charging by the PC. Let us know what you find.

#6 - January 31st, 2004, 11:21 AM
Senior Member (Join Date: Apr 2003, Location: Chicago, Posts: 975)
A 169.254.xxx.xxx address is an APIPA address (Automatic Private Internet Protocol Addressing). That range is reserved for private networks. A release and renew should fix it, but if not then (assuming Windows XP?) open a command window and at the prompt type:
C:\>netsh int ip reset c:\newstack.log
This will rebuild the TCP/IP stack. Release, renew, and reboot.

#7 - January 31st, 2004, 12:11 PM
Member (Join Date: Oct 2001, Posts: 51)
Downloading a Winsock repair tool fixed each of the three machines. I'm speculating that some piece of spyware is corrupting Winsock DLLs... but that's just my opinion.

#8 - January 31st, 2004, 12:13 PM
Senior Member (Join Date: Apr 2003, Location: Chicago, Posts: 975)
Interesting! I'll have to remember that idea. Thanks for the info!

#9 - March 6th, 2004, 07:23 PM
Junior Member (Join Date: Mar 2004, Posts: 1)
Just wanted to reply and say thank you for the tip on the Winsock repair. My roommate's computer was having the same problem: could not /release or /renew, and the IP was 169.254. Tried resetting with the newstack.log to no avail, but the Winsock repair cleaned it up very quickly. Thanks again.

#10 - March 23rd, 2004, 02:16 AM
Junior Member (Join Date: Mar 2004, Posts: 1)
Thank you. I am now having this problem with my XP Pro machine at my apartment and am half the world away from my application CDs. I do remember the IP address starts with 169.254, but don't remember the other two. I'll post them tomorrow (or tonight if running Spybot and the Winsock repair tool I downloaded works). I wish Spybot had immunized against this one; I probably don't have the latest update. I will once it is working again.