WinSock error - DNS client error

    Question

  • Hello, I have a problem - I'm almost ashamed of it...

    An error occurred on one of the PCs; there is no record in the log on the server, but the machine's own log contains a message that the RPC server could not be contacted...

    I removed the PC from the domain and put it in a workgroup. Now everything looks OK, but DNS resolution does not work against any servers.. that is, nslookup works, but ping by name does not.

    The computer sees neither the domain nor other PCs in the workgroup - ping to other machines, and from others to it, works.

    Pages load via IP..

    I have tried everything possible, from a winsock reset, checking all services and processes, reinstalling TCP/IP and the like. (The PC is/was absolutely clean - no virus, spyware, etc.)

    The only clue I found is that the PC's log says there were too many TCP/IP connections - the messages there were several days old and this warning kept popping up all day, every half hour.

    The only thing I perhaps haven't tried is changing the MAC, but I don't think that will help..

    Any ideas?

    Thanks, Radek.

    June 16, 2010 14:48

Answers

All replies

  • Could you describe your network a bit? Does it connect to the internet through a router? Which DNS servers does it have configured? If you set the DNS server to, say, 8.8.8.8, does DNS work? If you plug the PC in somewhere else, does the net work without problems? Do you have the option of connecting to some VPN, to try whether it works when all traffic is tunneled somewhere?
    June 16, 2010 17:58
  • what I found is that the PC's log says there were too many TCP/IP connections - the messages there were several days old and this warning kept popping up all day, every half hour

    That is strange. Is some torrent or something similar running on that PC? Otherwise it looks like a virus.

    Check the hosts file for, e.g., disallowed characters. Then stop the DNS Client service.

    MP

    June 16, 2010 18:08
    Moderator
  • Thanks for the replies.

    The machine is used for office work - the user admitted to Facebook ;-)

    ?was communication on the FW normal at that time? ; ?possible network card problem?

    In the morning I'll also try McAfee, although the NOD+SB combination has always been enough, and I only reset the DNS Client service; what do I gain by stopping it?

    Radek.

    June 16, 2010 22:21
  • and I only reset the DNS Client service; what do I gain by stopping it?

    Reset meaning what? You cleared the client cache?

    What you gain, of course, is that you remove from the troubleshooting process one layer in which the problem may lie, and so slightly shrink the space you are searching.

    Also, scan for malware ideally OFFLINE (boot from CD, connecting the HDD to another PC...). If the computer is infected, scanning WHILE THE VIRUS IS RUNNING makes little sense.

    Did you check HOSTS? If you ADD TO HOSTS an address that otherwise does not resolve, does resolution start working? Unfortunately, as I already wrote, DNS redirection is a common symptom of a virus, or even of a rootkit.

    MP

    June 17, 2010 5:22
    Moderator
  • Yes, a cache reset...

    Hosts is empty, but I'll try adding some address to hosts so that I at least try that..

    Also, I already have the disk attached to another PC and a scan is running!

    Yes, DNS redirection is often caused by a virus...

    MR. Pragl gets a thumbs up :)

    //EDIT: So after writing to the hosts file it doesn't work. The PC doesn't resolve even an address it has in it...

    //EDIT: Neither McAfee nor NOD found any infection (booted from another disk) ... It's not a HW problem, it doesn't work on another machine either. Probably a reinstall..
    One more question: the user has no permission to change network settings, or to register services + write to the registry.. how could something like this happen at all under this user?

    June 17, 2010 7:22
  • It DOESN'T RESOLVE it how? E.g. NSLOOKUP.exe ALWAYS talks to the DNS SERVER, i.e. nslookup ignores HOSTS. Test with another command (ping etc.) that uses standard resolving incl. HOSTS

    MP

    June 17, 2010 8:28
    Moderator
  • To be honest, I only found out yesterday that nslookup ignores hosts.. :)

    But of course I tested the hosts entry both with ping and via Explorer - the answer is the same, no record found.

    Interesting, isn't it?

    //EDIT: now just the message: "...not find localhost..." (ping to 127.0.0.1 works, ping localhost doesn't..)

    June 17, 2010 8:58
  • do you have localhost in hosts? IT IS COMMENTED OUT since some version of Windows!

    MP

    June 17, 2010 10:43
    Moderator
  • Of course I have it - it wasn't commented out..

    Can you think of which layer could be broken, when it ignores even hosts?

    June 17, 2010 11:10
  • hosts doesn't work either with the DNS Client service on or off? It behaved like this for me when hosts contained invalid characters.

    Netsh Winsock Reset
    Netsh Int IP Reset log.txt

    I assume you ran both. Have you ruled out malware by scanning with at least three antiviruses (my favorite is DrWeb - CureIt) OFFLINE?

    MP

    June 17, 2010 11:51
    Moderator
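
The hosts-file checks raised in the replies above (invalid characters, a commented-out localhost line, unexpected redirections), as an added example that is not part of the original thread. It is meant to be run against a hosts file read from the offline-mounted disk; the function name, the severity labels and the rule that only tab and printable ASCII are valid are assumptions of this example.

```python
import ipaddress
import re

# Assumed hostname syntax for this example: letters, digits, '_', '-' and dots.
NAME_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_.-]*[A-Za-z0-9_.])?$")

def audit_hosts(raw: bytes):
    """Return (line_no, severity, message) findings; line 0 means whole file."""
    findings = []
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return [(1, "error", "UTF-16 byte order mark; save as plain ANSI text")]
    if raw.startswith(b"\xef\xbb\xbf"):
        findings.append((1, "warn", "UTF-8 byte order mark before first entry"))
        raw = raw[3:]
    localhost_ok = False
    for no, line in enumerate(raw.splitlines(), 1):
        # Anything outside tab + printable ASCII counts as an "invalid character".
        bad = sorted({b for b in line if b > 0x7E or (b < 0x20 and b != 0x09)})
        if bad:
            codes = " ".join(f"0x{b:02x}" for b in bad)
            findings.append((no, "error", "invalid bytes: " + codes))
            continue
        fields = line.decode("ascii").split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment (includes a commented-out localhost)
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((no, "error", f"not an IP address: {fields[0]}"))
            continue
        if len(fields) < 2:
            findings.append((no, "error", "address without a host name"))
        for name in fields[1:]:
            if not NAME_RE.match(name):
                findings.append((no, "error", f"malformed host name: {name}"))
            elif name.lower() == "localhost":
                if addr.is_loopback:
                    localhost_ok = True
                else:
                    findings.append((no, "error", f"localhost mapped to {addr}"))
            elif not (addr.is_loopback or addr.is_unspecified):
                # Static pins override DNS, so each one deserves a manual look.
                findings.append((no, "review", f"{name} pinned to {addr}"))
    if not localhost_ok:
        findings.append((0, "info", "no active localhost entry"))
    return findings

# Constructed sample: commented-out localhost, a 0xA0 (NBSP) separator,
# a static pin to a documentation address, and an invalid address.
SAMPLE = (b"# constructed sample hosts file\r\n"
          b"#127.0.0.1 localhost\r\n"
          b"10.0.0.5\xa0fileserver\r\n"
          b"192.0.2.10 www.example.com\r\n"
          b"300.1.1.1 badhost\r\n")

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```
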
  • Hosts is fine - to be sure I copied it from another PC and it behaves the same with DNS Client on/off :(

    I tried both Netsh Winsock Reset and Netsh Int IP Reset report.txt (strangely, it wrote only "Complete" to the report :) I'll try again to be sure.

    Now I'm also trying Kaspersky. Thanks for the tip, DrWeb sounds good..

    The next step will probably be a reinstall :(

    R.

    June 17, 2010 12:33
  • how are you scanning? REALLY OFFLINE (pulling the hard disk, connecting it via a USB adapter to another PC and scanning / booting from a live CD ...)?

    I also recommend the MBR utility (http://www2.gmer.net/mbr/mbr.exe) or the whole GMER (http://www.gmer.net/)

    MP

    June 17, 2010 12:41
    Moderator
  • I pull the disk out and put it as a "slave" into other hardware..
    I scanned with Spybot when booted from the disk, and Kaspersky is now running that way too. When it finishes I'll install DrWeb and run it on the live system, then I'll also try disconnecting the disk and scanning it as a "slave".

    If there was / is some worm in there, I haven't uncovered it so far, and perhaps more than the hunt for the worm, the cause of the non-working address resolution bothers me. If it pointed to some remote DNS, then surely in offline mode it must complain that DNS is unavailable, and not that it doesn't know the domain..?
    Could it be just a modified registry entry? Should I try importing the reg from another PC?

    Another observation - although DHCP has already assigned an IP.. the network connection icon at the bottom keeps blinking in "acquiring IP address" mode

    and the utility from MS spat out this:

    Last diagnostic run time: 06/17/10 14:58:20 DNS Client Diagnostic
    DNS - Not a home user scenario

    info Using Web Proxy: no
    info Resolving name ok for (www.microsoft.com): no
    warn Unrecognized WinSock NSP: NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
    warn Missing TCP/IP NSP
    info Redirecting user to support call
     


    Gateway Diagnostic
    Gateway

    info The following proxy configuration is being used by IE: Automatically Detect Settings:Disabled Automatic Configuration Script: Proxy Server: Proxy Bypass list: 
    info This computer has the following default gateway entry(ies): **.**.107.1
    info This computer has the following IP address(es): **.**.107.37
    info The default gateway is in the same subnet as this computer
    info The default gateway entry is a valid unicast address
    info The default gateway address was resolved via ARP in 1 try(ies)
    info The default gateway was reached via ICMP Ping in 1 try(ies)
    warn Hostname www.microsoft.com could not be resolved (Error code 0x2af9). Could be either gateway or DNS issue
    action Automated repair: Renew IP address
    action Releasing the current IP address...
    action Successfully released the current IP address
    action Renewing the IP address...
    action Successfully renewed the current IP address
    info This computer has the following default gateway entry(ies): **.**.107.1
    info This computer has the following IP address(es): **.**.107.37
    info The default gateway is in the same subnet as this computer
    info The default gateway entry is a valid unicast address
    info The default gateway address was resolved via ARP in 1 try(ies)
    info The default gateway was reached via ICMP Ping in 1 try(ies)
    warn Hostname www.microsoft.com could not be resolved (Error code 0x2af9). Could be either gateway or DNS issue
    action Automated repair: Reset network connection
    action Disabling the network adapter
    action Enabling the network adapter
    info Network adapter successfully enabled
    error Unexpected error from iphlpapi: The pipe is being closed. 
    error Unexpected error from iphlpapi: The pipe is being closed. 
    error Unexpected error from iphlpapi: The pipe is being closed. 
    info This computer has the following default gateway entry(ies): **.**.**.1
    info This computer has the following IP address(es): **.**.**.37
    info The default gateway is in the same subnet as this computer
    info The default gateway entry is a valid unicast address
    info The default gateway address was resolved via ARP in 1 try(ies)
    info The default gateway was reached via ICMP Ping in 1 try(ies)
    warn Hostname www.microsoft.com could not be resolved (Error code 0x2af9). Could be either gateway or DNS issue
    action Manual repair: Reboot modem
    info This computer has the following default gateway entry(ies): **.**.**.1
    info This computer has the following IP address(es): **.**.**.37
    info The default gateway is in the same subnet as this computer
    info The default gateway entry is a valid unicast address
    info The default gateway address was resolved via ARP in 1 try(ies)
    info The default gateway was reached via ICMP Ping in 1 try(ies)
    warn Hostname www.microsoft.com could not be resolved (Error code 0x2af9). Could be either gateway or DNS issue
    info Waiting some time for the modem/router to stabilize
    action Automated repair: Renew IP address
    action Releasing the current IP address...
    action Successfully released the current IP address
    action Renewing the IP address...
    action Successfully renewed the current IP address
    info This computer has the following default gateway entry(ies): **.**.**.1
    info This computer has the following IP address(es): **.**.**.37
    info The default gateway is in the same subnet as this computer
    info The default gateway entry is a valid unicast address
    info The default gateway address was resolved via ARP in 1 try(ies)
    info The default gateway was reached via ICMP Ping in 1 try(ies)
    warn Hostname www.microsoft.com could not be resolved (Error code 0x2af9). Could be either gateway or DNS issue
    info Waiting some time for the modem/router to stabilize
    action Automated repair: Renew IP address
    action Releasing the current IP address...
    action Successfully released the current IP address
    action Renewing the IP address...
    action Successfully renewed the current IP address
    info This computer has the following default gateway entry(ies): **.**.**.1
    info This computer has the following IP address(es): **.**.**.37
    info The default gateway is in the same subnet as this computer
    info The default gateway entry is a valid unicast address
    info The default gateway address was resolved via ARP in 1 try(ies)
    info The default gateway was reached via ICMP Ping in 1 try(ies)
    warn Hostname www.microsoft.com could not be resolved (Error code 0x2af9). Could be either gateway or DNS issue
    info Waiting some time for the modem/router to stabilize
    action Automated repair: Renew IP address
    action Releasing the current IP address...
    action Successfully released the current IP address
    action Renewing the IP address...
    action Successfully renewed the current IP address
    info This computer has the following default gateway entry(ies): **.**.**.1
    info This computer has the following IP address(es): **.**.**.37
    info The default gateway is in the same subnet as this computer
    info The default gateway entry is a valid unicast address
    info The default gateway address was resolved via ARP in 1 try(ies)
    info The default gateway was reached via ICMP Ping in 1 try(ies)
    warn Hostname www.microsoft.com could not be resolved (Error code 0x2af9). Could be either gateway or DNS issue
    info Waiting some time for the modem/router to stabilize
    action Automated repair: Renew IP address
    action Releasing the current IP address...
    action Successfully released the current IP address
    action Renewing the IP address...
    action Successfully renewed the current IP address
    info This computer has the following default gateway entry(ies): **.**.**.1
    info This computer has the following IP address(es): **.**.**.37
    info The default gateway is in the same subnet as this computer
    info The default gateway entry is a valid unicast address
    info The default gateway address was resolved via ARP in 1 try(ies)
    info The default gateway was reached via ICMP Ping in 1 try(ies)
    warn Hostname www.microsoft.com could not be resolved (Error code 0x2af9). Could be either gateway or DNS issue
    info Waiting some time for the modem/router to stabilize
    action Automated repair: Renew IP address
    action Releasing the current IP address...
    action Successfully released the current IP address
    action Renewing the IP address...
    action Successfully renewed the current IP address
    info This computer has the following default gateway entry(ies): **.**.**.1
    info This computer has the following IP address(es): **.**.**.37
    info The default gateway is in the same subnet as this computer
    info The default gateway entry is a valid unicast address
    info The default gateway address was resolved via ARP in 1 try(ies)
    info The default gateway was reached via ICMP Ping in 1 try(ies)
    warn Hostname www.microsoft.com could not be resolved (Error code 0x2af9). Could be either gateway or DNS issue 
     
    IP Layer Diagnostic
    Corrupted IP routing table

    info The default route is valid
    info The loopback route is valid
    info The local host route is valid
    info The local subnet route is valid
    Invalid ARP cache entries

    action The ARP cache has been flushed 
     
    IP Configuration Diagnostic
    Invalid IP address

    info Valid IP address detected: **.**.**.37 
     
    WinSock Diagnostic
    WinSock status

    info All base service provider entries are present in the Winsock catalog.
    info The Winsock Service provider chains are valid.
    info Provider entry MSAFD Tcpip [TCP/IP] passed the loopback communication test.
    info Provider entry MSAFD Tcpip [UDP/IP] passed the loopback communication test.
    info Provider entry RSVP UDP Service Provider passed the loopback communication test.
    info Provider entry RSVP TCP Service Provider passed the loopback communication test.
    info Connectivity is valid for all Winsock service providers. 
     
    Network Adapter Diagnostic
    Network location detection

    info Using home Internet connection
    Network adapter identification

    info Network connection: Name=Local Area Connection 2, Device=Intel(R) 82566DM-2 Gigabit Network Connection, MediaType=LAN, SubMediaType=LAN
    info Ethernet connection selected
    Network adapter status

    info Network connection status: Connected 
     
    HTTP, HTTPS, FTP Diagnostic
    HTTP, HTTPS, FTP connectivity

    warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved 
    warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved 
    warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved 
    warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved 
    warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved 
    warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved 
    error Could not make an HTTP connection.
    error Could not make an HTTPS connection.
    error Could not make an FTP connection.
     

    In short, the same thing I am describing :)

    June 17, 2010 13:11
  • 1. When it finishes I'll install DrWeb

    2. If there was / is some worm in there, I haven't uncovered it so far, and perhaps more than the hunt for the worm, the cause of the non-working address resolution bothers me. If it pointed to some remote DNS, then surely in offline mode it must complain that DNS is unavailable, and not that it doesn't know the domain..?

    1. drweb isn't installed. you simply run it :) Careful, in 2 hours there will surely be a newer version!
    2. the worm lets you live in the illusion that you are using a legitimate DNS, but in reality it uses a different one. that/whether you would learn about it from some error is illusory, malware programmers don't make many mistakes - definitely fewer than programmers of ordinary commercial applications

    Also: does it behave the same with a STATIC IP set? Are the network card drivers updated, the port set conservatively (autosensing, offloading, jumbo frames turned off)? Is there some firewall/vpn/antivirus in the PC that interferes with network communication?

    MP

    June 17, 2010 13:26
    Moderator
  • 1 I've found that out too, and nothing in express mode; a complete scan is running now.
    2 Unfortunately that's how it is, only, and I'll be repeating myself, I find it odd that if the DNS came along with malware, I would have to find it on that machine, right? If the machine is pointed at a remote DNS, how come it doesn't report an unavailability error when offline? Either they really are pros, or I'm looking for the problem where it isn't...

    On a static IP it behaves the same (even a different subnet); the driver is probably not fully up to date, but the driver was completely reinstalled from the CD. Port? I don't know how I could set the port conservatively?? - there is nothing on the PC besides MS-FW (the first thing I did was uninstall everything that has anything to do with networking.) Network card (100Mb) - settings are at factory defaults.

    It is an Intel9xxx

    the remaining 100 PCs run without problems - I went through the logs today.

    I checked that user's profile on the server and it is squeaky clean too.

    "autosensing, offloading, jumbo frames turned off" I don't use anything like that * as I say, everything at factory defaults. :(

    //EDIT: I just realized it's a machine from DELL, maybe they have some handy utility.... I'll dig some more.

    June 17, 2010 13:41
  • download the current driver from Intel

    regarding malware: I once spent almost 3 days removing one. undetectable from the running system

    MP

    • Marked as answer by rka123 June 17, 2010 13:59
    June 17, 2010 13:55
    Moderator
  • I still have a day, so maybe I'll beat you ;-)
    Thanks a lot, you're a pro!

    R.

    June 17, 2010 14:00
  • No no.. I'm seeing that for the first time, thanks, I'll try it..
    Since the whole PC is from DELL, I'm downloading the drivers from them.

    It's nice out, I'll probably give up for today and go somewhere for a beer.
    Thanks for the advice, I'll definitely let you know if I discover anything else.

    R.

    June 17, 2010 14:30
  • Since the whole PC is from DELL, I'm downloading the drivers from them.

    BIGGEST mistake: installing drivers from the CD (outdated, de facto beta versions)
    BIG mistake: installing drivers from the PC/MB manufacturer... (outdated and/or "tuned"/modified outdated versions)
    BASIC solution: use the drivers from the OS
    BETTER solution: use the drivers from Windows Update
    CORRECT solution: use the drivers from the chipset manufacturer (Intel, AMD, Nvidia, etc.)

    MP

    June 17, 2010 17:53
    Moderator