TechSpot

Please help - rare (?) issue

By AliasName
Mar 12, 2007
Topic Status:
Not open for further replies.
  1. I'm not sure where to start. This problem started yesterday, suddenly, without any changes to hardware, new software installations or changes to firewall / av settings. Thing is, my friend had this exact problem about 6 months ago - he suffered for two weeks, all the while scouring support fora for solutions (to problems that sounded similar, since he couldn't find any mention of his problem) and trying anything and everything - then he just gave up and reformatted.

    I'm running XP SP2 on an Athlon 4600+ with 1GB of RAM. I use NOD32 with updated definitions, Comodo Personal Firewall, a custom HOSTS file (from http://www.mvps.org/winhelp2002/hosts.htm) and surf mostly with Firefox. As I said, no recent changes to anything. I used to run Spybot once a week but it only ever found trackcookies, so I was lulled into a false sense of security... if indeed my problem is caused by malware.

    THE PROBLEM:
    This problem comes and goes, but mostly it's here (80% of time), and it's unbearable.

    Something is wrong with the way my entire OS is connecting to the internet. My impression is that connections are successful only after several retries.

    When browsing (both browsers) this affects everything: 60% of the time when I type an address (or open a link or try to use the searchbar) I immediately get the "The page cannot be displayed" page, then I need to hit Go or Refresh anywhere between 3 and 20 times before the browser begins the normal "Waiting..." "Connecting to..." "Transferring..." process.

    When pages DO load, they contain anywhere between 90 and 0 percent of the images they should (the rest are broken) and often the pages are loaded without their stylesheets and are thus rendered illegible. To view them properly I need to reload five, ten times, each time by clicking reload multiple times until the browser responds.

    As I said, this affects not only browsers. Filezilla needs multiple retries to connect to perfectly operational servers, Spybot needed me to hit "Download all updates" about 50 times before, one by one, each of the 5 files was procured (once it connects it can up/download large files without problem and at habitual speeds) without a "bad checksum" error.

    Adaware's update dialogue box had me clicking back and forth for a minute before it connected and downloaded the update without a hitch. Emule needs me to double click a server's name four or five times, showing me this:

    13/03/2007 01:49:15: Error while connecting to rohan (212.25.103.178:4232): Error 10038: An operation was attempted on something that is not a socket.
    13/03/2007 01:49:15: Fatal Error while trying to connect. Internet connection might be down

    ...before it agrees to connect as if there's no problem.

    I might be missing some other horrible symptoms, but you see how this is a nightmare. Even writing this post (in notepad, of course, foreseeing the dozen submit>back>new>paste>submit cycles I'll have to go through) and uploading the file was an ordeal...


    WHAT I DID SO FAR:
    I've stumbled upon this page:
    http://www.techspot.com/vb/topic50981.html

    I didn't have the whole day to invest in this, but I did an online scan with BitDefender (my problem prevented the operation of the other three housecall engines) and removed a thing or two, I ran Spybot and Adaware and AVG, cleaned cookies, cache, prefetch... and for 40 minutes after a restart I actually thought the problem was gone. Now I'm here :-((

    If you guys conclude that I should format, I will, but I want to know how to avoid this repeating.


    Attached is the HiJackThis_v2.exe log file from today. I know I haven't followed all the steps yet, but I thought maybe it contains a clue...
  2. LinkedKube

    LinkedKube TechSpot Project Baby Posts: 4,265   +41

    wow, that's new, someone help that poor soul
  3. AliasName

    AliasName TS Rookie Topic Starter

    Sorry this is a separate message, but after many tries I just gave up and decided to try and post the text first, the more important part.

    For some reason, in Avant Browser the page just wouldn't be submitted, and in Firefox the "Manage Attachments" button was replaced by the (linkless) line:

    Valid file extensions: bmp dmp doc gif jpe jpeg jpg log pdf png psd txt zip


    OK, uploading just doesn't work for me. I'll try "paste":
    ------------------

    thanks for the sympathy...

    i started writing the post at midnight. now it's 2am. i say i didn't have the whole day to invest in this, but apart from a 3 hour break, i ****in did......

    :.(
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    The version of HijackThis you are using is not correct and looks to be a fake. Get rid of it immediately.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of AliasName only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  5. AliasName

    AliasName TS Rookie Topic Starter

    All is well...

    Thanks for your help.

    I couldn't afford to spend so many hours on the problem without any guarantee that I could solve it. I pulled out an Acronis image in 15 minutes and now I'm back to normal life, with an OS that feels fresher than I remembered was possible...

    Any tips on how to avoid getting infected by this thing again?

    By the way, maybe it's an Israeli thing, but since I've started telling people about this I've found out that two more of my friends have it. I don't know how, but they're living with it.... for now.


    J.
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I'm glad your problem appears to be solved.

    Take a look at this thread HERE. It'll show you how you can make your system more secure.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  7. AliasName

    AliasName TS Rookie Topic Starter

    Question

    About protection apps:

    It says in this guide to install SBS&D, immunize, and maybe run Adaware once in a while.

    What about SBS&D's active protection and/or AVG Antispyware (scans / shield)?
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Taken from HERE.

    Personally, I don't have SS&D running in the background, but that's purely my choice.

    I normally recommend that the AVG Antispyware resident shield be turned off to save system resources.

    Regards Howard :)

  9. AliasName

    AliasName TS Rookie Topic Starter

    I've overwritten my system partition with an image of a clean XP, before the ATI and motherboard drivers even.

    I've followed all the instructions in the link you gave for making my XP safer.

    (the only thing I haven't done yet is to move most of my activity to a non-admin account, because I'm still installing a bunch of stuff. I did do the rest tho, honest)

    It all worked fine for... however long it was since I last wrote here.

    I made a Hijackthis log (using the right version) shortly after restoring the image.

    I woke up this morning to find The Problem.

    I'll do my best to attach:
    - a screen shot of allmovie.com
    - a tearjerking screenshot of Slashdot (not for the faint hearted)
    - the old, "clean" hijackthis log (hijackthis001.log)
    - the fresh hijackthis log (hijackthis002.log)

    I compared them by content and the only line in the new one that I can't account for is this:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}: NameServer = 212.117.129.5 212.116.161.40


    Why now? I've installed a bunch of stuff yesterday (Photoshop, Flash 8, Sound Forge) but they're all programs I've used for months before The Problem started the last time, installed from the exact same installation files.


    Maybe it's all just some ****ed-up Comodo PF behavior?


    Help.... :(
  10. AliasName

    AliasName TS Rookie Topic Starter

    I tried to use the edit button but it didn't show me the manage attachments option that way.

    Sorry, but The Problem makes it almost impossible to follow through tasks that require several steps and submit buttons, since for every step there's an 80% chance of failure... so 0.2 x 0.2 x 0.2 x 0.2..... means it's a mini-miracle that i've managed to upload more than one file per msg at all...
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Here is some info on the O17 entry.


    If it doesn't belong to your ISP, have HJT fix it.

    I'd like you to have the following checked over at Jotti's

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file C:\Program Files\ReConnect.exe
    * Click Open
    * Please let me know the results.

    Then do the same for this.

    C:\Program Files\PowerManagerLite\PMLService.exe

    Regards Howard :)

  12. AliasName

    AliasName TS Rookie Topic Starter

    It does belong to my ISP.

    Jotti says the files are clean.

    I've been using Reconnect.exe for a week now. The powermanager thing is the program that came with my UPS unit. Neither are files that my friends who've had/have this (or VERY similar) problem have.

    What's next? I've saved quite a few images during this reinstallation process so I can easily roll back, but then I'm bound to get hit again...
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    In that case, your HJT log is clean.

    If you still suspect you have a malware problem, go and follow the instructions HERE, then post the requested log files.

    Regards Howard :)

  14. AliasName

    AliasName TS Rookie Topic Starter

    Well, what other sort of problem can it be?

    You've never heard of it before?
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    All I'm saying is your HJT log is clean. That doesn't necessarily mean your system is clean.

    If you follow the instructions in the link I gave you and post the requested log files, I'll have a better idea of what, if anything, is lurking on your system.

    Regards Howard :)

  16. jobeard

    jobeard TS Ambassador Posts: 13,408   +314

    Even though it is associated with your ISP, it is totally unnecessary! DELETE IT

    use run->cmd /k ipconfig /all to locate your DNS address for the ISP.
    then enter NSLOOKUP www.google.com
    you should get back $the-ip-address.
    reenter NSLOOKUP $the-ip-address
    and you should get back something like xxx.google.com

    if both of these are true, your DNS lookup will work just fine without your
    ISP tweak

    edit:
    $ nslookup www.google.com
    Server: dns-cac-lb-01.orange.rr.com
    Address: 66.75.164.90

    Non-authoritative answer:
    Name: www.l.google.com
    Addresses: 66.102.7.99, 66.102.7.104, 66.102.7.147
    Aliases: www.google.com

    $ nslookup 66.102.7.99
    Server: dns-cac-lb-01.orange.rr.com
    Address: 66.75.164.90

    Name: mc-in-f99.google.com
    Address: 66.102.7.99

    /edit
  17. AliasName

    AliasName TS Rookie Topic Starter

    I followed the steps. (howard's)

    None of the scans found anything.

    Here is the combofix log.

    I'll try what jobeard suggested, and restore an image tomorrow...

    Almost there...

    I can't believe it was that simple.

    I performed the test with nslookup, then I removed the line, restarted, and haven't seen any symptoms since! I checked this morning and things were still working fine but hijackthis revealed that the line was back in there, just like before. I removed it (no restart), and my browsers stopped working altogether. I restored it from back up (still no restart, not even of firefox), and they were working again, but with the usual "The Problem" symptoms.

    And that's how I'm now able to write this.


    Can someone please explain:
    - What the hell is an "ISP tweak"?
    - How it got into my registry?
    - How it keeps getting back in?
    - How do I stop it?
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your Combofix log is clean.

    No doubt jobeard will explain the ISP tweak stuff, as he is our resident guru on the subject.

    Regards Howard :)
  19. jobeard

    jobeard TS Ambassador Posts: 13,408   +314

    THIS IS NOT A BROWSER SETTING AT ALL --

    CONCLUSION: leave the hijack line item O17 alone, unplug from your router
    wait one minute, reboot your system, and when the desktop is active again,
    replug your internet connection to the router. This will resync your
    system to the ISP settings.

    APOLOGIES for sending you on a wild goose chase
    A good example of the need to 'read twice, comment once!'.
    :blush:

    I will complete the reasoning for future reference, however.
    (1) ANYTHING that coerces your browser to use a specific DNS or redirection is bogus.
    Your TCP setup will always contain these items:
    - a gateway address to which your system sends all TCP traffic
    - an IP address and a subnet mask that lets your NIC see, send, and recv traffic
    - a DNS address that is used to translate a name (like google.com) to a real IP address
    (all connections on the Internet are between your systems-ip-address and the
    target-systems-ip-address).

    These 'tweaks' are bogus as they ONLY apply to your browser.
    Your email client, any FTP, AIM, or p2p usage does not get affected by these
    mods to your browser! SO WHY USE THEM AT ALL?

    When the tests shown here are working,
    your TCP networking is correct without the need for ANY modifications whatsoever.

    (2) it's called REGEDIT, but if you didn't know that I strongly suggest you forget it immediately.
    With one simple keystroke error, you can render your system useless.

    (3-4) this is the crux of the issue

    IMO, you should be able to rerun Hijackthis, get the report, and FIX the O17 entry? *MAYBE*

    While writing this reply, I just reread your hijack log:
    >O17 - HKLM\System\CCS\Services\Tcpip...<
    and compared to my registry :- NO SUCH ENTRY.
    I believe CCS is shorthand(by hijackthis) for CurrentControlSet :)

    the portion '{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}: NameServer'
    appears to be the adaptor CLSID, key(NameServer) and the ip address.

    The TCP/IP settings from the NIC do get stored in the registry --
    normally the NameServer value is not stored here in this manner.

    IT'S a TCP adaptor setting that is just atypical
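    An added check, not part of this thread or of any tool named in it, that automates Howard's "if it doesn't belong to your ISP" test for the O17 entry discussed above: it parses HijackThis O17 lines and compares each NameServer address with the DNS servers that `ipconfig /all` reports the adapter received from DHCP. The `ipconfig /all` excerpt and the second O17 line (198.51.100.7) are constructed samples; the first O17 line is the one quoted earlier in the thread.

```python
import re

# Constructed sample inputs. The first O17 line is the one quoted in this
# thread; the second, with 198.51.100.7 (a documentation address), is an
# assumed example of a NameServer that DHCP did not hand out.
O17_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}: NameServer = 212.117.129.5 212.116.161.40",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}: NameServer = 198.51.100.7",
]
# Constructed `ipconfig /all` excerpt in the XP layout: the first DNS server
# sits on the 'DNS Servers' line, further ones on indented continuation lines.
IPCONFIG_ALL = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.0.2.10
        DNS Servers . . . . . . . . . . . : 212.117.129.5
                                            212.116.161.40
        Lease Obtained. . . . . . . . . . : Sunday, March 18, 2007 08:00:00
"""
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
O17_RE = re.compile(r"^O17 - .*?(\{[0-9A-Fa-f-]{36}\}): NameServer = (.+)$")

def parse_o17(line):
    """Return (adapter GUID, [nameserver IPs]) from a HijackThis O17 line."""
    m = O17_RE.match(line.strip())
    if not m:
        raise ValueError("not an O17 NameServer line: " + line)
    return m.group(1), IP_RE.findall(m.group(2))

def parse_ipconfig_dns(text):
    """Collect the DNS server IPs reported by `ipconfig /all`."""
    servers, in_dns = set(), False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True               # start of the (possibly multi-line) list
        elif ":" in line or not line.strip():
            in_dns = False              # the next field or a blank line ends it
        if in_dns:
            servers.update(IP_RE.findall(line))
    return servers

def check_nameservers(o17_lines, ipconfig_text):
    """Compare each O17 NameServer value with the DHCP-assigned DNS servers.
    A mismatch is not proof of malware, only a value to verify with the ISP."""
    expected = parse_ipconfig_dns(ipconfig_text)
    findings = []
    for line in o17_lines:
        guid, servers = parse_o17(line)
        for server in servers:
            verdict = "matches DHCP DNS" if server in expected else "NOT from DHCP - verify"
            findings.append((guid, server, verdict))
    return findings

if __name__ == "__main__":
    for guid, server, verdict in check_nameservers(O17_LINES, IPCONFIG_ALL):
        print(guid, server, verdict)
```

    A value that DHCP also handed out (as in this thread, where the addresses were the ISP's own) is the normal case; only an address that DHCP never supplied needs the whois and ISP check Howard describes.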
  20. AliasName

    AliasName TS Rookie Topic Starter

    Hi

    Thanks for your help, but I couldn't really understand from your message whether it's best to remove entry 17 or not. I can tell you that if I remove it and restart things work fine for more than a day each time.

    I did what you described in "CONCLUSION:" and the line has now changed to:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}: NameServer = 212.116.161.40 212.117.129.200


    Things were good for about a day (not sure, was at work) but now they're annoying again (at least for browsing, from what I can see right now). Shouldn't I just find a way to remove this line so that it doesn't come back? Things work fine without it...

    (I didn't have time to follow all the tests on the page you linked to, but I did do all the first ones that have to do with the ISP, and passed)

    (mind you, when I said that things are annoying I didn't mean they're as annoying as before)
  21. jobeard

    jobeard TS Ambassador Posts: 13,408   +314

    hum; the O17 entry is a moving target and thus suspect. it is associated
    with your ISP and stored in your adaptor settings.

    try this;
    using an ADMIN login, go to Network Connections
    right click on your link to the ISP and select PROPERTIES
    on the General Tab, click the ADVANCED button at the bottom
    click the DNS tab
    in the upper DNS Server box, select anything found and DELETE it.
    same for the lower DNS suffixes box.
    click the WINS tab
    delete anything in the WINS addresses
    DISABLE LMHOSTS lookup
    In the NetBIOS settings
    click the first radio button
    click OK to get back to the Properties and then CLOSE

    disconnect the cable to your system from the router
    wait one minute and then recable
  22. AliasName

    AliasName TS Rookie Topic Starter

    btw

    does it change anything if i don't have a router?

    i have a cable modem connected to my pc with a network cable.
  23. tomrca

    tomrca TS Rookie Posts: 1,051

    any help for identification?

    212.117.129.200 is found in Israel
    IP Address: 212.117.129.200
    Hostname: dnsbatz.012.net.il

    IP Address: 212.116.161.40
    Hostname: csd.knet.co.il
  24. jobeard

    jobeard TS Ambassador Posts: 13,408   +314

    Not likely and as the router's NAT feature is a shield from direct attacks,
    I would highly recommend you KEEP THE ROUTER.
  25. AliasName

    AliasName TS Rookie Topic Starter


    No, i meant that I don't have a router. I never did.