Weird computer internet issue

spugnor

[H]F Junkie
Joined
May 2, 2001
Messages
11,220
Hey guys.

I got home this morning, and started the old bit box up, and everything was fine. Checking websites, reading e-mail, everything is kosher. Then I start getting "url could not be resolved errors". The typical reboot and re-initialise the modem do not work. I call tech support, and they can't help me.

In desperation, I re-install SP4 (for win 2k pro), and everything starts working again. For a while. Another reboot, and I'm back online. I'm currently scanning for viruses with AVG (updated today), and I'm finding nothing.

This acts like a virus, but this is a relatively new install, and I haven't DL'd any software recently. Does this sound familiar to anybody? I have downloaded the "fix" from Microsoft for the new worm that's going around, but other than routine Windows Update type stuff, nothing has been downloaded to this machine.

I'm at a loss guys, can anybody help? :confused:
 

mohammedtaha

2[H]4U
Joined
Oct 14, 2004
Messages
3,648
Any weird looking processes in your task manager?

Did you check msconfig and your registry startup processes?

Maybe something went wrong when installing drivers ... I would say re-install Windows but that's just a longer process ..
 

Paithar

[H]ard|Gawd
Joined
Jul 17, 2003
Messages
1,049
Just a thought but did you try any anti-spyware programs such as Adaware and Spybot Search & Destroy?
 

Ice Czar

Inscrutable
Joined
Jul 8, 2001
Messages
27,174
that sounds like what happened to me weekend before last
made doing the news like pulling teeth :rolleyes:
I was getting one in three dropped, I thought it was my ISP
I was getting unable to find host too for the email

I was fixing and securing an XP Home box during the week for the most part
and installing and securing a new W2K box to do the writing this weekend it was so bad
(only to lose a surge protector and router on Saturday :rolleyes: %#@#@# MOVs)

I'm not seeing that now, but then the hotfixes are all brand spanking new and a lot of them are "cumulative" I put em in on Wednesday and Thursday.

the box it was happening on was "secured" to a pretty damn high degree
including ProcessGuard and WSH disabled, it wasn't a script adware infection, as I said I thought it was my ISP dicking with their servers late at night
 

spugnor

[H]F Junkie
Joined
May 2, 2001
Messages
11,220
Okay, downloaded both adaware and spybot S&D. Adaware quarantined some "alexa" files, but spybot found nothing. Also AVG (the free version) did not find anything wrong. But I'm having internet access (according to my modem) when I'm not doing anything. I'm afraid my machine might be a zombie, and that's what's eating up my bandwidth.

I've checked everything I know to check, but still I have to keep rebooting just to be able to stay online for a few minutes. This sucks. If there was a worm/virus writer in front of me right now, I'd be going to jail for manslaughter. :mad:
 

SmokeRngs

[H]ard|DCer of the Month - April 2008
Joined
Aug 9, 2001
Messages
17,469
Do you have any type of firewall that you can install real quick and see what kind of hits it's getting? And maybe lock down everything except for port 80.

I don't know if this would help at all or if it's already been done, but you may see if you can get a different IP for the modem if you have dynamic IPs. If there is some type of scanning of your computer going on from the outside, this might stop it.

I'm afraid I don't have many suggestions to offer. I'm not a great security guy.

 

OldMX

2[H]4U
Joined
Mar 17, 2002
Messages
3,532
If your box was turned into an irc dcc-zombie server, see if at least they uploaded a cool movie or something hehe :D

j/k, try posting a hijackthis .log (full) and let's see if something weird shows up

oldmx

I mentioned the irc-dcc stuff because one of my customers was in that boat, they uploaded stealth, dukes of hazzard and some programs for the ircbot to dcc...dunno how was that done since the box is behind a firewalled router :(

oldmx
 

spugnor

[H]F Junkie
Joined
May 2, 2001
Messages
11,220
Hijack this showed 5 files. Two of which were cookies to this site. The other 3 were deleted (some DLLs, which I don't remember the name of), we'll see if they show back up.
 

Ice Czar

Inscrutable
Joined
Jul 8, 2001
Messages
27,174
spugnor said:
Hijack this showed 5 files. Two of which were cookies to this site. The other 3 were deleted (some DLLs, which I don't remember the name of), we'll see if they show back up.

most trojans come in two parts and you have to get both of them or it will reinfect
an .exe and a .dll

if something did get past your security it's likely to be invisible now to both the OS and your AV, I'd recommend running a scan with RootkitRevealer
the problem with that is it will likely ID a few legitimate entries as well and without a decent baseline for comparison....
for instance it was IDing a d347.cfr entry in my latest baseline which is likely the entry for Daemon Tools SCSI driver in the hive, which I assume needs to be hidden for some reason

to a large extent the reason I did a new from scratch install last week was to get brand new baselines and test out employing XPLite and a new security strategy with a very streamlined minimized OS and very strict rules at both the Firewall and w\ ProcessGuard and running a different shell
for instance I ripped out IE and WMP altogether after I completed the Hotfixes, now I have to manually download any additional hotfixes from technet

for instance http://www.microsoft.com/downloads/...96-1C37-47D2-82EF-0AC89905C88F&displayLang=en
for KB899588 (MS05-039)

works fine with just Firefox, no need for IE at all
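
The baseline comparison described in the post above, as an added example that is not part of the original thread: it diffs a later hidden-item scan against one saved from a clean install, so entries already known to be legitimate drop out of the review. The tab-separated `path<TAB>description` layout, the function names and every sample entry are constructed assumptions, not RootkitRevealer's actual export format.

```python
# Added example: compare a hidden-item scan with a clean-install baseline.
# Assumed input layout (not a real tool's format): <path><TAB><description>

def parse_findings(text):
    """Return {normalised path: description}; skips blanks and '#' lines."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, desc = line.partition("\t")
        # Windows paths and registry keys compare case-insensitively.
        findings[path.strip().lower()] = desc.strip()
    return findings


def diff_against_baseline(baseline_text, current_text):
    """Classify current findings as new, changed, or missing vs the baseline."""
    base = parse_findings(baseline_text)
    cur = parse_findings(current_text)
    return {
        "new": sorted(p for p in cur if p not in base),
        "changed": sorted(p for p in cur if p in base and cur[p] != base[p]),
        "gone": sorted(p for p in base if p not in cur),
    }


# Constructed sample data (hypothetical paths, not from any real scan).
BASELINE = "\n".join([
    "# scan saved right after a clean install",
    r"HKLM\SOFTWARE\ExampleVendor\DrvCfg" + "\thidden from API",
    r"C:\WINNT\system32\drivers\example_legit.sys" + "\thidden from API",
])
CURRENT = "\n".join([
    "# scan taken after the symptoms started",
    r"hklm\software\examplevendor\drvcfg" + "\thidden from API",
    r"C:\WINNT\system32\drivers\example_legit.sys" + "\tsize mismatch",
    r"C:\WINNT\system32\example_unknown.dll" + "\thidden from API",
])

if __name__ == "__main__":
    for kind, paths in diff_against_baseline(BASELINE, CURRENT).items():
        for path in paths:
            print(f"{kind:8}{path}")
```

Only the "new" and "changed" entries need a closer look; a baseline entry that has gone missing is also worth noting, since a driver that used to hide itself may have been replaced.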
 

Paithar

[H]ard|Gawd
Joined
Jul 17, 2003
Messages
1,049
Are you running a firewall? If not and you want a free one you might try ZoneAlarm. They have a free version. I haven't used it myself but I have a couple of friends that use it and they say it's pretty good. They haven't had any issues yet.
 

Rich Tate

Supreme [H]ardness
Joined
Jun 9, 2005
Messages
5,956
Grab this: http://www.snapfiles.com/get/winsockxpfix.html

That'll rewrite the entire xp TCP/IP which should take care of your on again off again issue. It could very well be TCP took a shit on you, and the activity you see is just your machine/router trying to find the other side.

Your machine sounds clean from what you've told us. Oh and nice post dragging me in here from genmay ;)

Let me know how it goes.

 

spugnor

[H]F Junkie
Joined
May 2, 2001
Messages
11,220
Update to this saga:

I went back and re-installed SP4, and that got me running again. But I'm still having issues where it will randomly start doing the "unable to resolve URL" stuff. Sometimes restarting Mozilla will do the trick, sometimes it requires a reboot.

What I'm thinking of doing, is simply backing up my data (shouldn't take too long) and starting from a clean format. Does anyone have linkage to the FULL SP4 download for 2k? The only link I can find on the MS site is a glorified downloader, that requires internet connectivity to work. Which is obviously a bad idea with a new install. I'd be infected in minutes.
 

spugnor

[H]F Junkie
Joined
May 2, 2001
Messages
11,220
Sigh. Issues have returned with a vengeance. I am convinced that my machine has been compromised, but I cannot figure out with what or how. Everything I try is showing no problems, but the machine is not working as it should. I've never had my ass kicked like this before, and it's starting to piss me off.

I need to do a total system reformat and OS install, but I NEED those SP4 files before I do. Hell, I may need to upgrade to XP, which I am loath to do, as I am comfortable with 2K.
 

Ice Czar

Inscrutable
Joined
Jul 8, 2001
Messages
27,174
spugnor said:
Does anyone have linkage to the FULL SP4 download for 2k? The only link I can find on the MS site is a glorified downloader, that requires internet connectivity to work. Which is obviously a bad idea with a new install. I'd be infected in minutes.

1. W2K SP4 @ Technet
(select network installation)

2. How to Download Service Packs w\ Knoppix
a handy thing to know, even if you don't need it today

;)
 