One of my friends has a DNS problem. It seems that his computer has been infected by spyware (I think it's romahere, control there and newdotnet; that's what I found suspicious on his computer).
The problem is that his browser does not recognise any address (like
) but the browser recognizes the DNS (201.154.222), for example. I did a ping in MS-DOS and I got a reply for 201.153.333 but not for
. This computer is running Windows ME. I tried to remove the spyware using Spysweeper (3.0, registered) and Spybot, but it keeps coming back again and again. So I tried deleting them manually by going directly into the registry and deleting all values related to romahere, control there and newdotnet. When I was done, I tried to erase the files related to these values (for romahere, it was 9565k3?????.exe and for control there w43435??????.exe). I was unable to delete the files; access was denied. The first thing I realized was that @$%#@$ romahere and control there were back again in the registry.
I don't know if the DNS problem is directly linked to that spyware, but I'm pretty sure. Does someone have an idea how to solve this problem (without formatting the disk)? Thank you.
Get ProcessXP from Sysinternals, find the processes and kill them. Then, after you kill them, delete their files and replace the files with a blank file of the same name with read-only privs. Then check your registry, remove any new entries and reboot.
If this doesn't work, do the deleting from a live CD like Knoppix.
It worked perfectly and I was able to kill the processes and erase them, but I had to do it in safe mode.
For users having a DNS problem like mine related to the removal of the newdot.net spyware, know that this spyware causes your socket to break. Once you have removed the spyware from the registry and then deleted all related files on your hard disk, to restore your internet connection (which is not recognizing any DNS address but is recognizing IP addresses), use winsockfix... a good utility that will find your damaged host file and repair it. Your internet connection will now work again.
If your Windows partition is NTFS, you can't (I don't think that the Knoppix kernel has NTFS write support, as it is still experimental and dangerous).
If your Windows partition is FAT32, open a terminal, "su -" to root and "mount -t vfat /dev/hd*# /path/directory". Replace hd*# with your partition depending on where it is, i.e. hda1 for the first partition of the primary master disk, and /path/directory with the path of a directory on the Linux filesystem where you want the new partition to appear. Then you should be able to erase or write any file there, at least as root.
2.6 series Linux kernels support full NTFS read / write and it's not experimental anymore. This means you'll need a version of Knoppix with a 2.6 series kernel -- I believe Knoppix 3.6 has the same, but will not boot it by default; you have to specify 'knoppix26' as a boot-time option.
You can check what kernel you are running by doing the following:
root@BoA:~# uname -sr
so you can see I've got a 2.6.9 kernel running.
I don't know if it will mount your partition r/w by default, you will probably have to mount it as nske said, something along the lines of
mount /dev/hda1 /mnt/hda1 -t ntfs -w
That should mount it as read-write and you can access it in /mnt/hda1.