Computer Help Requested (Vanity)

Self ^ | October 22, 2007 | Self

[jdm]

Like many folks, I leave my PC (running XP Home) on at all times (I reboot maybe once or twice a week).

When I got home last night, I noticed that the LAN icon in the lower-right of the screen said "A network cable is unplugged."

I checked all the physical connections and everything looked fine.

When I went into Network Connections, instead of just seeing dial-up and LAN options, there was a third connection I hadn't seen before, called VPN or Virtual Private Network.

The status said "connecting" not "connected." I tried to delete it for maybe 5-10 minutes to no avail. However, eventually I got it removed and then rebooted.

I then went back into LAN properties and reinserted my static details (IP, Subnet Mask, Default Gateway) which were given to me by my ISP back in 2004.

When I disable the connection and then re-enable it, the LAN icon in the bottom-right of the screen says that I'm connected. But five seconds later or so, it goes back to saying that a network cable is unplugged.

In the five seconds that it says it's connected, I right-clicked the LAN icon and choose "Repair" but that didn't seem to do any good.

I ran every anti-spyware and anti-virus scan you can think of, but there were no rogue items found.

Is the best thing to do to download the latest drivers for my network card and see if that does the trick? The drivers I have been using are very out of date. Not sure that is the problem, though.

I tried to download the driver file which is 12.5MB, but on this slow of dial-up (what I'm on right now), the status bar indicated the download would not be finished for 1-1/2 to 2 days.

I called my ISP and told them about this; they are looking into the problem, but may not get back to me until Wednesday or Thursday (I have satellite internet). Thought maybe some FReepers would chime in with some suggestions for resolution sooner than that.

I also know you can go to Start > Run > cmd, type in some netsche.winsock.reset type command, but not sure if that would resolve the problem or not.

Many thanks for any suggestions. I really, REALLY would appreciate it. If I left out any crucial details, please let me know.

Thank you.

[Gone_Postal]

turn it off *unplug it for about a min.
then *plug it back in and turn it on..*(Unplug if from the electric source)
most have a reset on them try that first

[Still Thinking]

And the light on the modem is green - I tried another Ethernet cable and that didn?t solve the problem.

Well, there should be lights at BOTH ends of the cable. And are you sure the light on the modem is for the Ethernet connection and not for the satellite side signal or power? Can you ping the modem? Get a tool like ipscan and scan your subnet, to see if you can see the modem. Try reseating your network card if not on the motherboard, or disabling the mothernoard one and adding one from the computer store (about $10-15). Then try talking introducing another PC on the house side of your modem, to see if you can see the current PC and/or see the modem. This may tell you which is not working. You may be able to disable the XP firewall temporarily to see if it makes a difference. I use Zone Alarm, and I have to make sure to make my own subnet a "Trusted Zone" or I can't even ping anyone in the LAN. If turning off the firewall makes everything work, you will need to make some configuration settings to allow the path to the modem. I also suggest using a third party firewall. Zone Alarm has a free version which is perfectly good. www.zonelabs.com

[jdm]

Based on troubleshooting, I think I’m going to have to try a new modem. There is only one place allocated for a light on the modem, but it’s for power, not for connectivity.

Based on everything I’ve done, it likely is not the network card (since it claims to be enabled and working fine).

Thanks everyone for your replies. Very much appreciated. If I find out the exact cause and problem and can fix it, I’ll post back with the details.

[jdm]

Thanks a lot for your posts.

The other thing that occurred to me would be to try the following:

Start > run > cmd > ipconfig /release > ipconfig /renew

The VPN attempted connection may have changed my IP to something default like 192.160.0.3.

I didn’t even think to do an ipconfig /all, to see what’s going on there.

Will try that when I get back home.

Hopefully that solves the problem since the network card seems to be working fine (and no reason to believe the modem is bad, other than I can’t find anything else to blame!).

Thanks again for your input and help.

[papasmurf]

Sorry I haven’t been on since my post. I’ve been installing an email server and migrating the mail, settings, and contacts, from 3 windows boxes to it.

I’ll be on most of the night.

[jdm]

Looks like the problem is a nasty rootkit infection. I now can’t even get online through dial-up (using someone else’s PC right now).

There is a process called /S /C {7007-ACC7-3202-1101-AAO2-20805FC1270E / I {10DF43C8-11D3-8B-34-006097DF58-D43 / X 0x401 ...

...running here and there on my machine.

It shows up for a few minutes, then disappears, only to reappear later, sometimes up to nine instances of it running simultaneously.

A file, a registry key? Both?

I am going to try removing it using AVG Anti-Rootkit and/or Icesword.

When I try to terminate these malicious processes, I get an “access denied” error, so I’m pretty much stonewalled.

HiJackThis and every other utility I’ve run doesn’t even show this process running.

Only thing that has showed it running is a software called Spyware Process Terminator.

When I do a Start > run > cmd > ipconfig I get a response such as: “a media is disconnected,” even though the network card is enabled and working fine (in fact, I updated the drivers last night). Plus, the Ethernet cable is plugged in and I’m 100% positive the problem isn’t with the cable.

Anyone have any experience removing rootkits? I hear they can be pretty hard to get rid.

Thanks again very much for your suggestions and help.

[Turbopilot]

There is a tool I have used called Rootkit Revealer (download and description at link - it's on Microsoft.com but the author is a long-time Windows engineer/tinkerer and wrote the program before he was hired into Microsoft) that can find rootkits. It compares files and processes viewed from the API level with raw file data; if there are discrepancies, it's possible that a malicious process (i.e. a rootkit) is keeping the raw data from being seen by the API.

It will show you whatever might be running, but doesn't have removal capabilities. Your best bet would probably be to Google whatever it finds to see if you can find manual removal instructions. Be warned that rootkits can be very, very difficult to remove from within the runtime environment; if you have one, you may need to boot from a different kernel (such as a Linux or WinPE LiveCD) to remove it. Many people advise that the only sure cure is to fdisk/format and reinstall everything from scratch.

[jdm]

Ug, doesn’t sound like much fun! Thanks for your reply. I actually am burning Rootkit Revealer to a CD to use later. Hopefully AVG Anti-Rootkit can fix the problem without me having to reformat and start from scratch. I’m not even sure it’s a rootkit, just speculating based on the fact that it’s pretty much invisible to every anti-virus/spyware software out there.

[papasmurf]

First thing...stop all internet activity, reboot into safe mode, open your network connections, go the tcp/ip properties, and change your DNS addy to the correct one.

Then, after starting up in safe mode, open your “Hosts” (Windows XP C:\WINDOWS\SYSTEM32\DRIVERS\ETC) and comment out every ip appearing address in it. Save it.

Then work on the root kit.

FRemail coming at you...

[jdm]

Got the dial-up working again, at least. I think a virus turned off a bunch of MS services. Once I restarted the AOL-related services (AOL is what I use for dial-up - just a back-up) I was able to log onto AOL with no problems.

Rootkit scans didn't turn up any suspcious items, so that was good.

However, this screenshot below disturbs me. See the two items circled in red? I don't know what those are. Sometimes there are up to nine instances of them running simultaneously.

Any idea if that's spyware? No software I've used can identify them except for Spydetector.

And if I try to delete those processes or stop them, I get an "access denied" message.

Not sure how to get rid of them.

I understand if you're tired of giving input on my sad situation, but thought it was worth another try. I appreciate your posts very much.

[jdm]

and change your DNS addy to the correct one.

I forgot to add:

How did you know the DNS addresses had changed?! You were right - they had changed. Maybe hacked? I changed them back (to the proper numbers) and they haven't changed again.

Still get that "a network cable is unplugged" message, no matter what.

On the phone on hold with my ISP right now, to see if the problem is the modem and not actually spyware.

ipconfig just gives me "Ethernet Adapter Local Area Connection: Media state ... media disconnected" (even though nothing is disconnected).

[papasmurf]

You’re using IE for AOL?

Click mon Tool>Manage Add Ons. Look for a Browser Helper Object (BHO) that you are sure you didn’t install, or wasn’t installed by a reputable company...I know Microsoft is there too, it’s ok. LOL

Disable it/them, and rerun your report.

[papasmurf]

Yes, classic “jacking”, hijacked the dns so you have to connect through their servers.

[papasmurf]

“ipconfig just gives me “Ethernet Adapter Local Area Connection: Media state ... media disconnected” (even though nothing is disconnected).”

You’re on dial up and have your router disconnected, right? Then, that would be normal.

[papasmurf]

All of the other Suspicious items you have above the two starting with /s /c are in my database as belonging to verifiable softwares.

[jdm]

My hijackthis log is clean. No BHO or anything.

<You’re on dial up and have your router disconnected, right? Then, that would be normal.

When I'm disconnected from dial-up it says there is media disconnected, which never happened before. I used to have an "always connected" connection so doing ipconfig at any time would return results.

However, ever since I've had the red x through the LAN icon in the bottom right of the screen, doing an ipconfig returns the "media disconnected" error message. Maybe this is normal, though, considering my circumstances.

The new modem should be here on Friday. Not sure that will resolve the problem, though, if the problem was/is really spyware.

Despite changing the DNS to the proper addresses, I still can't get online with LAN, just dial-up.

For the five seconds that I appear to be connected, the speed drops from 100 mbps to 10 mbps in a second or two, before giving the "a network cable is unplugged" message.

Any idea why that would be?

Thanks again very much for all your posts. Most helpful and appreciated.

[papasmurf]

Do you have a home network? Can you connect to another machine using your network, if you have one?

Are you using any wireless at all on that machine?

[jdm]

Not a home network. Just one computer.

No wireless either.

I guess I will just have to see if the new modem they’re sending (should arrive on Friday) fixes the problem.

If not, not sure where else to look for a solution.

Hopefully don’t have to end up re-formatting (and that may not even solve the problem).

[jdm]

The other thing I noticed when going to services.msc is this:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Whenever I start the service it stops itself within seconds. It’s pretty crucial for this to be running whenever the machine is on, isn’t it?

Also, in the Event Log is this...

The following boot drivers failed to load:

SASDIFSV
SASKUTIL

However, when I go to “Device Manager” and pull up network adapters, I see “Intel(R) PRO/100 VE Network Connection” and there’s no red circle or yellow exclamation marks through it.

It says this device is working properly, until I go to the “Link Speed” tab and choose “Diagnostics.” The tests under the “Hardware” section all pass, but the one’s under “Connection” and “Link” fail.

Says the adapter has no link.

New modem should be here within the next few hours. Hopefully that will fix the problem, but it’s a shot in the dark.

[papasmurf]

I don’t know that you should have those as “boot drivers”. They are services for Super Anti Spyware, and are scheduled to start when you start your pc. Is that something you installed?

mscorsvw is a compiler for dot net applications. it runs after you start the pc, compiles, then shuts off and goes away.