Posted on 10/22/2007 7:03:23 AM PDT by jdm
Like many folks, I leave my PC (running XP Home) on at all times (I reboot maybe once or twice a week).
When I got home last night, I noticed that the LAN icon in the lower-right of the screen said "A network cable is unplugged."
I checked all the physical connections and everything looked fine.
When I went into Network Connections, instead of just seeing dial-up and LAN options, there was a third connection I hadn't seen before, called VPN or Virtual Private Network.
The status said "connecting" not "connected." I tried to delete it for maybe 5-10 minutes to no avail. However, eventually I got it removed and then rebooted.
I then went back into LAN properties and reinserted my static details (IP, Subnet Mask, Default Gateway) which were given to me by my ISP back in 2004.
When I disable the connection and then re-enable it, the LAN icon in the bottom-right of the screen says that I'm connected. But five seconds later or so, it goes back to saying that a network cable is unplugged.
In the five seconds that it says it's connected, I right-clicked the LAN icon and chose "Repair" but that didn't seem to do any good.
I ran every anti-spyware and anti-virus scan you can think of, but there were no rogue items found.
Is the best thing to do to download the latest drivers for my network card and see if that does the trick? The drivers I have been using are very out of date. Not sure that is the problem, though.
I tried to download the driver file which is 12.5MB, but on this slow of dial-up (what I'm on right now), the status bar indicated the download would not be finished for 1-1/2 to 2 days.
I called my ISP and told them about this; they are looking into the problem, but may not get back to me until Wednesday or Thursday (I have satellite internet). Thought maybe some FReepers would chime in with some suggestions for resolution sooner than that.
I also know you can go to Start > Run > cmd, type in some netsche.winsock.reset type command, but not sure if that would resolve the problem or not.
Many thanks for any suggestions. I really, REALLY would appreciate it. If I left out any crucial details, please let me know.
Thank you.
My gut says you were jacked by cwshredder or a variant like qhost1. That’s why your dns was changed.
Do me a favor. Click on Run, then type in regedit and hit Enter. Now, click on Edit and then Find, and type in nameserverport, and post the numbers it reports, and then type in dhcpnameserver, and post the number it reports.
nameserverport = 0x00000089(137)
There are several instances of dhcpnameserver and no numbers/values which I can see.
They’re all located under: DHCP > Parameters > Options.
Under Options are eight sub-folders:
1, 15, 3, 44, 46, 47, 6 and DCHPNETBIOSOPTIONS
Yes, SuperAntiSpyware is something I installed. It’s not a rogue program or anything like that.
I ran CWShredder and it didn’t find any infected files. Neither did Spybot. Strange.
Your dhcp server should be like an ip i.e. 192.168.0.1 or ?

This is the heart of the problem, perhaps. Thanks for your help and persistence. Most appreciated.
Also, when I opened up the last folder underneath the “Interfaces” tree, there is an entry called DHCPServer which has 255.255.255.255 as its value.
Find out from your isp what are your ip, subnet mask, gateway, and dns addresses assigned to you.
Then, open your Network Connections. Now, right click on and select Properties for your local connection.
Next, click on Internet Protocol (TCP/IP), and then click on the Properties button just below and to the right.
On the General Tab, you’ll see...
*Obtain an IP address automatically
*Use the following IP address.
Choose the second option by clicking the “Radio” button.
Now, enter your ip, subnet mask, and gateway addresses in the appropriate fields.
Do the same for the dns section.
Click OK. Now, reboot your pc, and then check your connection.
BTW, Did you modify your “Hosts” file yet?
Papa, My sincere apologies for taking so long to reply. To be 100% honest, this is the first time I’ve been able to get online (dial-up) since this afternoon. Something is messing with my services.msc.
For instance, in the Event Log it will say certain services terminated unexpectedly.
I see this as an error quite often in the Event Log:
“The account specified for this service is different from the account specified for other services running in the same process.”
Or certain services will stop because it will say the file can’t be found.
However, I did sfc /scannow at cmd, and it shows no errors (go figure!).
I can’t even get Plug & Play to start anymore.
I did enter all that information you suggested (Static IP, DNS, etc.) many days ago and rebooted, but it doesn’t seem to make things better. At least none of the info has changed to different values/numbers since I’ve inputted it. I would think if it was an active hack, that info would have changed again by now.
Something is seriously messing up my computer big-time, but it’s not showing up via HiJackThis log, Spybot, etc.
When I ran Sophos Anti-Rootkit, it showed four rogue hidden items, but said two were not removable and another two were not recommended for clean-up (since removing them could permanently screw up my OS).
One of the hidden files, which it said it would remove for me but did not recommend removing, was in my Java folder.
Maybe I got a Java virus?
My hosts file says it’s just a sample (# This is a sample HOSTS file used by Microsoft TCP/IP for Windows).
Do you know how you get your actual hosts file?
I followed the path you said (C:\WINDOWS\system32\drivers\etc), but don’t see it there.
hosts.default hasn’t been updated since July.
I’m not sure how to modify it. If you are able to advise on that front, I would be so very appreciative.
Thank you much.
There is NO hosts.default. It’s just hosts, without an extension.
Use the number I emailed you.
You’ve got Freepmail.
BTW, I finally found out what causes those (rogue?) processes to appear on my computer.
Whenever I double left click the Local Area Connection icon in the bottom right corner of my screen (right now it says “a network cable is unplugged,” as it has said all week) doing so launches that suspicious process.
If I click the Local Area Connection icon 10 times, then I’ll have 10 instances of that weird and hidden process running on my machine.
Trojan Remover found these (please see four screen-shots below).




They don't look like official items to me.
It appears as if you’ve already gotten rid of the files themselves, but not the damage they’ve done.
But still the "a network cable is unplugged" message appears in the bottom right of the screen.
I also ran a utility used often at Geeks To Go called SDFix in safe mode and that identified three trojans and apparently deleted them:
SDFix: Version 1.112
Run by Jeff on 10/29/2007 at 12:39 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\regedit.com - Deleted
C:\WINDOWS\system32\inst.dat - Deleted
C:\WINDOWS\system32\web.dat - Deleted
It also said it restored my original hosts file.
Now if only I can find a way to get rid of the "a network cable is unplugged" message and get back on high-speed internet.
I re-entered my IP and DNS info and rebooted. Didn't change anything, unfortunately.