Please help - rare (?) issue

Status
Not open for further replies.

AliasName

I'm not sure where to start. This problem started yesterday, suddenly, without any changes to hardware, new software installations or changes to firewall / av settings. Thing is, my friend had this exact problem about 6 months ago - he suffered for two weeks, all the while scouring support fora for solutions (to problems that sounded similar, since he couldn't find any mention of his problem) and trying anything and everything - then he just gave up and reformatted.

I'm running XP SP2 on an Athlon 4600+ with 1GB of RAM. I use NOD32 with updated definitions, Comodo Personal Firewall, a custom HOSTS file (from http://www.mvps.org/winhelp2002/hosts.htm) and surf mostly with Firefox. As I said, no recent changes to anything. I used to run Spybot once a week but it only ever found trackcookies, so I was lulled into a false sense of security... if indeed my problem is caused by malware.

THE PROBLEM:
This problem comes and goes, but mostly it's here (80% of time), and it's unbearable.

Something is wrong with the way my entire OS is connecting to the internet. My impression is that connections are successful only after several retries.

When browsing (both browsers) this affects everything: 60% of the time when I type an address (or open a link or try to use the searchbar) I immediately get the "The page cannot be displayed" page, then I need to hit Go or Refresh anywhere between 3 and 20 times before the browser begins the normal "Waiting..." "Connecting to..." "Transferring..." process.

When pages DO load, they contain anywhere between 90 and 0 percent of the images they should (the rest are broken) and often the pages are loaded without their stylesheets and are thus rendered illegible. To view them properly I need to reload five, ten times, each time by clicking reload multiple times until the browser responds.

As I said, this affects not only browsers. FileZilla needs multiple retries to connect to perfectly operational servers; Spybot needed me to hit "Download all updates" about 50 times before, one by one, each of the 5 files was procured (once it connects it can up/download large files without problem and at habitual speeds) without a "bad checksum" error.

Adaware's update dialogue box had me clicking back and forth for a minute before it connected and downloaded the update without a hitch. Emule needs me to double click a server's name four or five times, showing me this:

13/03/2007 01:49:15: Error while connecting to rohan (212.25.103.178:4232): Error 10038: An operation was attempted on something that is not a socket.
13/03/2007 01:49:15: Fatal Error while trying to connect. Internet connection might be down

...before it agrees to connect as if there's no problem.

I might be missing some other horrible symptoms, but you see how this is a nightmare. Even writing this post (in Notepad, of course, foreseeing the dozen submit>back>new>paste>submit cycles I'll have to go through) and uploading the file was an ordeal...


WHAT I DID SO FAR:
I've stumbled upon this page:
https://www.techspot.com/vb/topic50981.html

I didn't have the whole day to invest in this, but I did an online scan with BitDefender (my problem prevented the operation of the other three housecall engines) and removed a thing or two, I ran Spybot and Adaware and AVG, cleaned cookies, cache, prefetch... and for 40 minutes after a restart I actually thought the problem was gone. Now I'm here :-((

If you guys conclude that I should format, I will, but I want to know how to avoid this repeating.


Attached is the HiJackThis_v2.exe log file from today. I know I haven't followed all the steps yet, but I thought maybe it contains a clue...
 
Sorry this is a separate message, but after many tries I just gave up and decided to try and post the text first, the more important part.

For some reason, in Avant Browser the page just wouldn't be submitted, and in Firefox the "Manage Attachments" button was replaced by the (linkless) line:

Valid file extensions: bmp dmp doc gif jpe jpeg jpg log pdf png psd txt zip


OK, uploading just doesn't work for me. I'll try "paste":
------------------

thanks for the sympathy...

I started writing the post at midnight. Now it's 2am. I say I didn't have the whole day to invest in this, but apart from a 3 hour break, I ****in did......

:.(
 
Hello and welcome to Techspot.

The version of HijackThis you are using is not correct and looks to be a fake. Get rid of it immediately.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of AliasName only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
All is well...

Thanks for your help.

I couldn't afford to spend so many hours on the problem without any guarantee that I could solve it. I pulled out an Acronys image in 15 minutes and now I'm back to normal life, with an OS that feels fresher than I remembered was possible...

Any tips on how to avoid getting infected by this thing again?

By the way, maybe it's an Israeli thing, but since I've started telling people about this I've found out that two more of my friends have it. I don't know how, but they're living with it.... for now.


J.
 
I`m glad your problem appears to be solved.

Take a look at this thread HERE. It`ll show you how you can make your system more secure.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Question

About protection apps:

It says in this guide to install SBS&D, immunize, and maybe run Adaware once in a while.

What about SBS&D's active protection and/or AVG Antispyware (scans / shield)?
 
Taken from HERE.

What is the Resident TeaTimer?

The Resident TeaTimer is a new tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them, giving you some options for how to deal with this process in the future. You can set TeaTimer to:

* be informed, when the process tries to start again
* automatically kill the process
* or generally allow the process to run

There is also an option to delete the file associated with this process.

In addition, TeaTimer detects when something wants to change some critical registry keys. TeaTimer can protect you against such changes, again giving you an option: you can either "Allow" or "Deny" the change.

As TeaTimer is always running in the background, it takes some resources of about 5 MB.

Personally, I don`t have SS&D running in the background, but that`s purely my choice.

I normally recommend that the AVG Antispyware resident shield be turned off to save system resources.

Regards Howard :)

 
I've overwritten my system partition with an image of a clean XP, before the ATI and motherboard drivers even.

I've followed all the instructions in the link you gave for making my XP safer.

(the only thing I haven't done yet is to move most of my activity to a non-admin account, because I'm still installing a bunch of stuff. I did do the rest though, honest)

It all worked fine for... however long it was since I last wrote here.

I made a Hijackthis log (using the right version) shortly after restoring the image.

I woke up this morning to find The Problem.

I'll do my best to attach:
- a screen shot of allmovie.com
- a tearjerking screenshot of Slashdot (not for the faint hearted)
- the old, "clean" hijackthis log (hijackthis001.log)
- the fresh hijackthis log (hijackthis002.log)

I compared them by content and the only line in the new one that I can't account for is this:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}: NameServer = 212.117.129.5 212.116.161.40


Why now? I've installed a bunch of stuff yesterday (Photoshop, Flash 8, Sound Forge) but they're all programs I've used for months before The Problem started the last time, installed from the exact same installation files.


Maybe it's all just some ****ed-up Comodo PF behavior?


Help.... :(
 
I tried to use the edit button but it didn't show me the manage attachments option that way.

Sorry, but The Problem makes it almost impossible to follow through tasks that require several steps and submit buttons, since for every step there's an 80% chance of failure... so 0.2 x 0.2 x 0.2 x 0.2..... means it's a mini-miracle that i've managed to upload more than one file per msg at all...
 
Here is some info on the O17 entry.

inetnum: 212.116.160.0 - 212.116.191.255
org: ORG-GLIC1-RIPE
netname: IL-GOLDENLINES-990713
descr: Golden Lines International Communication Services Ltd.
descr: PROVIDER Local Registry
country: IL
admin-c: DR5299-RIPE
tech-c: DR5299-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS9116-MNT
mnt-routes: AS9116-MNT
source: RIPE # Filtered

organisation: ORG-GLIC1-RIPE
org-name: Golden Lines International Communication Services Ltd.
org-type: LIR
address: 25 Hasivim St.
K. Matalon
address: 41970
address: Petach Tikva
address: Israel
phone: +972 72 2001000
phone: +972 72 2009064
fax-no: +972 72 2009074
admin-c: DR5299-RIPE
admin-c: KI373-RIPE
admin-c: MH21010-RIPE
admin-c: MEI-RIPE
admin-c: LF5865-RIPE
mnt-ref: AS9116-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

role: DNS REG
remarks: DNS Registration and LIR
remarks: Golden Lines International Communication Services Ltd.
address: Hasivim 25 Petach-Tikva,Israel
admin-c: KI373-RIPE
admin-c: MEI-RIPE
admin-c: LF5865-RIPE
tech-c: KI373-RIPE
tech-c: MEI-RIPE
tech-c: LF5865-RIPE
tech-c: MH21010-RIPE
tech-c: GLN12-RIPE
nic-hdl: DR5299-RIPE
mnt-by: AS9116-MNT
source: RIPE # Filtered
abuse-mailbox: abuse@012.net.il

If it doesn`t belong to your ISP, have HJT fix it.

I`d like you to have the following checked over at Jotti`s

Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file C:\Program Files\ReConnect.exe
* Click Open
* Please let me know the results.

Then do the same for this.

C:\Program Files\PowerManagerLite\PMLService.exe

Regards Howard :)

 
It does belong to my ISP.

Jotti says the files are clean.

I've been using Reconnect.exe for a week now. The powermanager thing is the program that came with my UPS unit. Neither are files that my friends who've had/have this (or VERY similar) problem have.

What's next? I've saved quite a few images during this reinstallation process so I can easily roll back, but then I'm bound to get hit again...
 
In that case, your HJT log is clean.

If you still suspect you have a malware problem, go and follow the instructions HERE, then post the requested log files.

Regards Howard :)

 
All I`m saying is your HJT log is clean. That doesn`t necessarily mean your system is clean.

If you follow the instructions in the link I gave you and post the requested log files, I`ll have a better idea of what, if anything is lurking on your system.

Regards Howard :)

 
AliasName said:
I compared them by content and the only line in the new one that I can't account for is this:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}: NameServer = 212.117.129.5 212.116.161.40
Even though it is associated with your ISP, it is totally unnecessary! DELETE IT

Use Run -> cmd /k ipconfig /all to locate your DNS address for the ISP.
Then enter NSLOOKUP www.google.com
You should get back $the-ip-address.
Re-enter NSLOOKUP $the-ip-address
and you should get back something like xxx.google.com

If both of these are true, your DNS lookup will work just fine without your
ISP tweak

edit:
$ nslookup www.google.com
Server: dns-cac-lb-01.orange.rr.com
Address: 66.75.164.90

Non-authoritative answer:
Name: www.l.google.com
Addresses: 66.102.7.99, 66.102.7.104, 66.102.7.147
Aliases: www.google.com

$ nslookup 66.102.7.99
Server: dns-cac-lb-01.orange.rr.com
Address: 66.75.164.90

Name: mc-in-f99.google.com
Address: 66.102.7.99

/edit
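The two-step test jobeard describes (forward lookup, then reverse lookup of the returned address, and check that the PTR name belongs to the same domain) can be scripted so it is repeatable and can be pointed at any resolver. The following is an added example written for this thread, not code from the thread, HijackThis or anyone posting here. The stub resolver reproduces only the nslookup output quoted in the post above (www.google.com -> 66.102.7.99 -> mc-in-f99.google.com); every other stub entry, including the www.bank.invalid case that shows a resolver answering with an address whose PTR is in an unrelated domain, is constructed test data and not an observed lookup. The live_forward/live_reverse functions use the system resolver, i.e. whatever ipconfig /all lists.

```python
"""Forward/reverse DNS consistency check in the spirit of jobeard's nslookup test.

Added example; not code from the thread. The stub resolver reproduces the
nslookup output quoted in the post above (www.google.com -> 66.102.7.99,
66.102.7.99 -> mc-in-f99.google.com); every other stub entry is constructed
test data, not an observed lookup.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Forward = Callable[[str], List[str]]
Reverse = Callable[[str], Optional[str]]

# Stub data: name -> addresses (forward) and address -> PTR name (reverse).
STUB_FORWARD: Dict[str, List[str]] = {
    "www.google.com": ["66.102.7.99", "66.102.7.104", "66.102.7.147"],  # from the post
    "www.example.invalid": [],      # constructed: a name the resolver cannot answer
    "www.bank.invalid": ["192.0.2.10"],  # constructed: resolver hands out a foreign address
}
STUB_REVERSE: Dict[str, Optional[str]] = {
    "66.102.7.99": "mc-in-f99.google.com",    # from the post
    "66.102.7.104": "mc-in-f104.google.com",  # constructed
    "66.102.7.147": None,                     # constructed: no PTR record
    "192.0.2.10": "proxy.example.net",        # constructed: PTR in an unrelated domain
}


def stub_forward(name: str) -> List[str]:
    return list(STUB_FORWARD.get(name, []))


def stub_reverse(addr: str) -> Optional[str]:
    return STUB_REVERSE.get(addr)


def live_forward(name: str) -> List[str]:
    """Forward lookup through the system resolver, i.e. the DNS servers that
    ipconfig /all reports; this is what jobeard's first nslookup exercises."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_reverse(addr: str) -> Optional[str]:
    """PTR lookup for one address; this is the second nslookup in the post."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Crude (no public-suffix list), but
    enough to tell that mc-in-f99.google.com and www.google.com belong together."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def check_dns(name: str, forward: Forward, reverse: Reverse) -> Tuple[bool, List[str]]:
    """Run jobeard's two-step test.

    Returns (ok, findings). ok is True when the name resolves and at least one
    returned address has a PTR record inside the same registrable domain. A
    missing PTR is reported but does not fail the check by itself, because
    large sites routinely lack reverse records; a PTR in an unrelated domain
    is the signal that the resolver is answering with something other than
    the real site.
    """
    findings: List[str] = []
    addrs = forward(name)
    if not addrs:
        return False, [f"{name}: forward lookup returned no addresses"]
    expected = registrable_domain(name)
    matched = 0
    for addr in addrs:
        ptr = reverse(addr)
        if ptr is None:
            findings.append(f"{addr}: no PTR record")
        elif registrable_domain(ptr) != expected:
            findings.append(f"{addr}: PTR {ptr} is outside {expected}")
        else:
            matched += 1
    return matched > 0, findings


if __name__ == "__main__":
    # Offline run against the stub; pass live_forward and live_reverse instead
    # to test the resolver a real machine was given.
    for host in ("www.google.com", "www.bank.invalid"):
        ok, notes = check_dns(host, stub_forward, stub_reverse)
        print(host, "OK" if ok else "FAIL", notes)
```

On the machine in question, running it with live_forward and live_reverse once with the O17 entry present and once after removing it shows directly whether the two resolver sets answer the same way; a name that resolves but whose addresses all carry PTRs in some other domain is the case worth worrying about, while a missing PTR on its own is normal.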
 
I followed the steps. (howard's)

None of the scans found anything.

Here is the combofix log.

I'll try what jobeard suggested, and restore an image tomorrow...

Almost there...

I can't believe it was that simple.

I performed the test with nslookup, then I removed the line, restarted, and haven't seen any symptoms since! I checked this morning and things were still working fine but hijackthis revealed that the line was back in there, just like before. I removed it (no restart), and my browsers stopped working altogether. I restored it from back up (still no restart, not even of firefox), and they were working again, but with the usual "The Problem" symptoms.

And that's how I'm now able to write this.


Can someone please explain:
- What the hell is an "ISP tweak"?
- How it got into my registry?
- How it keeps getting back in?
- How do I stop it?
 
Your Combofix log is clean.

No doubt jobeard will explain the ISP tweak stuff, as he is our resident guru on the subject.

Regards Howard :)
 
Can someone please explain:
  1. - What the hell is an "ISP tweak"?
  2. - How it got into my registry?
  3. - How it keeps getting back in?
  4. - How do I stop it?
THIS IS NOT A BROWSER SETTING AT ALL --

CONCLUSION: leave the HijackThis line item O17 alone, unplug from your router,
wait one minute, reboot your system, and when the desktop is active again,
replug your internet connection to the router. This will resync your
system to the ISP settings.

APOLOGIES for sending you on a wild goose chase.
A good example of the need to 'read twice, comment once!'.
:blush:

I will complete the reasoning for future reference, however.
(1) ANYTHING that coerces your browser to use a specific DNS or redirection is bogus.
Your TCP setup will always contain these items:
- a gateway address, to which your system sends all TCP traffic;
- an IP address and a subnet mask, which let your NIC see, send, and receive traffic;
- a DNS address, which is used to translate a name (like google.com) to a real IP address.
(All connections on the Internet are between your system's IP address and the
target system's IP address.)

These 'tweaks' are bogus, as they ONLY apply to your browser.
Your email client, any FTP, AIM, or P2P usage is not affected by these
mods to your browser! SO WHY USE THEM AT ALL?

When the tests shown here are working,
your TCP networking is correct without the need for ANY modifications whatsoever.

(2) It's called REGEDIT, but if you didn't know that I strongly suggest you forget it immediately.
With one simple keystroke error, you can render your system useless.

(3-4) This is the crux of the issue.

IMO, you should be able to rerun HijackThis, get the report, and FIX the O17 entry? *MAYBE*

While writing this reply, I just reread your HijackThis log:
>O17 - HKLM\System\CCS\Services\Tcpip...<
and compared it to my registry: NO SUCH ENTRY.
I believe CCS is shorthand (by HijackThis) for CurrentControlSet :)

The portion '{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}: NameServer'
appears to be the adapter CLSID, the key (NameServer) and the IP address.

The TCP/IP settings from the NIC do get stored in the registry --
normally the NameServer value is not stored here in this manner.

IT'S a TCP adapter setting that is just atypical
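The O17 line AliasName posted and jobeard's reading of it (adapter GUID, NameServer value, addresses) can both be checked mechanically instead of by eyeballing HijackThis output. The following is an added example for this thread, not code from the thread, from HijackThis or from Microsoft. It relies on one fact about the registry key the O17 line abbreviates, HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}: Windows keeps NameServer (statically configured resolvers) separately from DhcpNameServer (the resolvers the ISP's DHCP server handed out), so a populated NameServer on a DHCP-configured adapter is exactly the "static override" the thread keeps finding. The .reg export embedded below is constructed test data (what `reg export` of that key looks like): the first adapter reuses the GUID and addresses quoted in the thread, while the second adapter and its 192.0.2.53 resolver are invented to show the flagged case. The ISP_RESOLVERS allowlist is likewise constructed, from the addresses the thread attributed to the poster's ISP.

```python
r"""Per-adapter DNS audit for the HijackThis O17 entry discussed above.

Added example; not code from the thread, from HijackThis or from Microsoft.
Under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
(the key the O17 line abbreviates with CCS) Windows keeps NameServer (static
resolvers) separately from DhcpNameServer (resolvers assigned by DHCP). The
.reg text below is constructed test data: the first adapter uses the GUID and
addresses quoted in the thread, the second adapter and 192.0.2.53 are invented.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): (?P<value>\w+) = (?P<servers>.*)$")
KEY_RE = re.compile(r"^\[(?P<path>HKEY_LOCAL_MACHINE\\.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<str>.*)"|dword:(?P<dword>[0-9a-fA-F]{8}))$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

SAMPLE_O17 = [  # the two lines AliasName posted, before and after the DHCP resync
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}: NameServer = 212.117.129.5 212.116.161.40",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}: NameServer = 212.116.161.40 212.117.129.200",
]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}]
"EnableDHCP"=dword:00000001
"NameServer"="212.117.129.5 212.116.161.40"
"DhcpNameServer"="212.116.161.40 212.117.129.200"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000002}]
"EnableDHCP"=dword:00000000
"NameServer"="192.0.2.53"
"""

# Constructed allowlist: the addresses the thread attributed to the poster's ISP.
ISP_RESOLVERS: Set[str] = {"212.117.129.5", "212.116.161.40", "212.117.129.200"}


@dataclass
class Interface:
    guid: str
    enable_dhcp: bool = False
    static: List[str] = field(default_factory=list)   # NameServer
    dhcp: List[str] = field(default_factory=list)     # DhcpNameServer


def parse_o17(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (adapter GUID or key, [servers]) for each HijackThis O17 line."""
    out: List[Tuple[str, List[str]]] = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        g = GUID_RE.search(m["key"])
        out.append((g.group(0).upper() if g else m["key"], m["servers"].split()))
    return out


def parse_reg_export(text: str) -> Dict[str, Interface]:
    """Pull per-adapter DNS values out of a .reg export of the Interfaces key."""
    ifaces: Dict[str, Interface] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            current = None
            g = GUID_RE.search(k["path"])
            if g and "\\Tcpip\\Parameters\\Interfaces\\" in k["path"]:
                current = ifaces.setdefault(g.group(0).upper(), Interface(g.group(0).upper()))
            continue
        v = VALUE_RE.match(line)
        if not (v and current):
            continue
        if v["name"] == "EnableDHCP" and v["dword"] is not None:
            current.enable_dhcp = int(v["dword"], 16) == 1
        elif v["name"] == "NameServer" and v["str"] is not None:
            current.static = v["str"].replace(",", " ").split()  # may be comma-separated
        elif v["name"] == "DhcpNameServer" and v["str"] is not None:
            current.dhcp = v["str"].split()
    return ifaces


def audit(ifaces: Dict[str, Interface], allowed: Set[str]) -> List[str]:
    """One finding per problem: a static NameServer on an adapter (worse on a
    DHCP adapter, whose ISP resolvers already arrive via DhcpNameServer), and
    any resolver, static or DHCP, outside the allowed set."""
    findings: List[str] = []
    for guid, i in ifaces.items():
        if i.static:
            how = "static override while DHCP is enabled" if i.enable_dhcp else "static override"
            findings.append(f"{guid}: {how}: {' '.join(i.static)}")
        for addr in i.static + i.dhcp:
            if addr not in allowed:
                findings.append(f"{guid}: {addr} is not an allowed resolver")
    return findings


if __name__ == "__main__":
    for guid, servers in parse_o17(SAMPLE_O17):
        print("O17", guid, servers)
    for finding in audit(parse_reg_export(SAMPLE_REG), ISP_RESOLVERS):
        print(finding)
```

On a real XP box the input is the output of `reg export "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" dns.reg` read as text (the file is UTF-16, so decode it accordingly). Comparing two exports taken a day apart, as AliasName did with two HijackThis logs, turns "the line changed" into "which value on which adapter changed, and was it the static or the DHCP one".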
 
Hi

Thanks for your help, but I couldn't really understand from your message whether it's best to remove entry 17 or not. I can tell you that if I remove it and restart things work fine for more than a day each time.

I did what you described in "CONCLUSION:" and the line has now changed to:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4920410E-45FC-483D-A5A4-C8DE6B4EBB6E}: NameServer = 212.116.161.40 212.117.129.200


Things were good for about a day (not sure, was at work) but now they're annoying again (at least for browsing, from what I can see right now). Shouldn't I just find a way to remove this line so that it doesn't come back? Things work fine without it...

(I didn't have time to follow all the tests on the page you linked to, but I did do all the first ones that have to do with the ISP, and passed)

(mind you, when I said that things are annoying I didn't mean they're as annoying as before)
 
Hum; the O17 entry is a moving target and thus suspect. It is associated
with your ISP and stored in your adapter settings.

try this;
using an ADMIN login, go to Network Connections
right click on your link to the ISP and select PROPERTIES
on the General Tab, click the ADVANCED button at the bottom
click the DNS tab
in the upper DNS Server box, select anything found and DELETE it.
same for the lower DNS suffixes box.
click the WINS tab
delete anything in the WINS addresses
DISABLE LMHOSTS lookup
In the NetBIOS settings
click the first radio button
click OK to get back to the Properties and then CLOSE

disconnect the cable to your system from the router
wait one minute and then recable
 
btw

Does it change anything if I don't have a router?

I have a cable modem connected to my PC with a network cable.
 
any help for identification ?

212.117.129.200 is found in Israel
IP Address: 212.117.129.200
Hostname: dnsbatz.012.net.il

IP Address: 212.116.161.40
Hostname: csd.knet.co.il
 
AliasName said:
does it change anything if i don't have a router?
i have a cable modem connected to my pc with a network cable.
Not likely, and as the router's NAT feature is a shield from direct attacks,
I would highly recommend you KEEP THE ROUTER.
 
jobeard said:
Not likely and as the routers NAT feature is a shield from direct attacks,
I would highly recommend you KEEP THE ROUTER.


No, i meant that I don't have a router. I never did.
 