Problem with my dial-up. Virus maybe?

For system help, all hardware / software topics NOTE: use Coders Corner for all coders topics.

Moderators: Krom, Grendel

[]V[]essenjah
DBB Defender
Posts: 3512
Joined: Mon Dec 20, 1999 3:01 am

Post by []V[]essenjah »

Hey everyone,


Well, recently I've had some problems with my dial-up connection. When I connect to the internet, the usual dial tone followed by the normal, loud, annoying beeps and twitters it makes before it connects comes into play, it tells me I'm authorised and the icon with two computers shows up at the lower right hand corner of the task bar. Then, after a few seconds, pages start to time out. I tried the other numbers, same thing. Tried re-installing the driver, same thing, tried replacing the cord, same thing, made a new connection using the wizard, same thing, moved the modem into another slot and re-installed the drivers again, same thing. So, I called up my ISP service and they asked me to run a ping test. Ok, so I connected and ran a ping test. Got a report ping of 640ms as my Maximum, and a ping of 953ms as my minimum. Then it continued to report that it was timing out. Did this a second time, got a bunch of high pings and then it timed out with a loss of 99%.
I reported it to technical support and he stated that it had something to do with my modem connection! So I tried everything I could think of to get it working. Nothing worked. I figured it might have been a virus but none of my virus scanners picked anything up (I use Norton and AntiVir Personal Edition 6). It has been doing this for 3 days. Then, I did a fresh windows install and everything seems to work just fine.
A few weeks ago, I gave myself a fresh install after a bunch of viruses attacked my computer while I was surfing the net and opened a strange page. Anyway, I didn't connect since I was detecting all kinds of viruses on my system. I of course backed up any files I could and deleted my drive, reformatted, and put a fresh install on my system. So, I would imagine there couldn't be any leftovers. Anyway, I did a fresh installation and everything seems to work fine, but what could it have been? Also, if it was a virus, what would you guys recommend for anti-virus programs?
suicide eddie
DBB Ace
Posts: 381
Joined: Mon Sep 09, 2002 2:01 am

Post by suicide eddie »

possible it damaged or hijacked your tcp/ip. on xp/w2k you can safely uninstall/reinstall it. but first try this modem-tcp/ip diagnostic/optimizer http://www.geocities.com/wheelsmith2000/netopt.zip
it's probably one of the few apps that actually does work.
MD-2389
Defender of the Night
Posts: 13477
Joined: Thu Nov 05, 1998 12:01 pm
Location: Olathe, KS

Post by MD-2389 »

Kevin, if there was a virus then backing up your files after the fact is really stupid. You're just re-infecting yourself dude.

That being said, it sounds like your winsock is b0rked. Download this and repair it.
Arbitar
DBB Ace
Posts: 186
Joined: Sun Apr 04, 2004 1:49 am

Post by Arbitar »

hmm i have a solution to your dialup problem. get DSL :wink:
[]V[]essenjah
DBB Defender
Posts: 3512
Joined: Mon Dec 20, 1999 3:01 am

Post by []V[]essenjah »

I didn't back them up this time, I backed them up before. I'm not talking about exe files or anything like that. The only files I transport back onto my machine are text, wordpad, MS3D, and Gmax files. Some Jpeg, OGF, Mpeg, and tga files will also go back in. These are files that I spent a good chunk of my life creating and I doubt a virus would infect. :)

"possible it damaged or hijacked your tcp/ip."

Hmmm you mean a dialer sort of program? Those just dial a long distance number and charge massive fees don't they? All my modem did here was time out. I sure hope not since I can't afford to pay massive amounts of money. I also haven't traveled to any strange websites other than the DBB, Midnight Squadron Website and BB, the Mob website and BB, Kali.net, Paypal, and my e-mail services since my last re-installation of windows.

We don't have DSL where I live. I have been trying to get wireless for the past couple of weeks though. They should have checked me out for wireless by now.
[]V[]essenjah
DBB Defender
Posts: 3512
Joined: Mon Dec 20, 1999 3:01 am

Post by []V[]essenjah »

also winsock? Sorry, not sure what you are getting to here.
Jeff250
DBB Master
Posts: 6539
Joined: Sun Sep 05, 1999 2:01 am
Location: ❄️❄️❄️

Post by Jeff250 »

You hadn't been using any of those "MTU" optimizer thingies lately, had you?
[]V[]essenjah
DBB Defender
Posts: 3512
Joined: Mon Dec 20, 1999 3:01 am

Post by []V[]essenjah »

MTU Optimiser? You mean internet optimisers? Nope. Had one on my machine called Fastnet that I was using a while back. I couldn't remember the password I used for it though so it wouldn't let me in. I wonder if that would be a problem?
[]V[]essenjah
DBB Defender
Posts: 3512
Joined: Mon Dec 20, 1999 3:01 am

Post by []V[]essenjah »

Hey Suicide, the linky is broky.
MD-2389
Defender of the Night
Posts: 13477
Joined: Thu Nov 05, 1998 12:01 pm
Location: Olathe, KS

Post by MD-2389 »

mob-messenger wrote:I didn't back them up this time, I backed them up before. I'm not talking about exe files or anything like that. The only files I transport back onto my machine are text, wordpad, MS3D, and Gmax files. Some Jpeg, OGF, Mpeg, and tga files will also go back in. These are files that I spent a good chunk of my life creating and I doubt a virus would infect. :)
You're not getting it dude. If you got infected with a bug, formatted, and restored your backup data that came into contact with said virus previously, you're just re-infecting your machine again. It's like drawing blood, dropping the vial onto the ground, and putting it back into your body. It's contaminated, no matter what you do, and now it's in your system. If you get bit, you have to cut your losses and start from scratch. This is why when you backup your data, you actually keep it in a separate location like on CD (or write it to a second hard drive and disconnect it).
"possible it damaged or hijacked your tcp/ip."

Hmmm you mean a dialer sort of program? Those just dial a long distance number and charge massive fees don't they? All my modem did here was time out. I sure hope not since I can't afford to pay massive amounts of money. I also haven't traveled to any strange websites other than the DBB, Midnight Squadron Website and BB, the Mob website and BB, Kali.net, Paypal, and my e-mail services since my last re-installation of windows.
Uhh...no. He's referring to your winsock stack. This is NOT a dialer, but the information on how it needs to send data back and forth. Run the program I linked to and it should fix it.
[]V[]essenjah
DBB Defender
Posts: 3512
Joined: Mon Dec 20, 1999 3:01 am

Post by []V[]essenjah »

"like on CD (or write it to a second hard drive and disconnect it)."


Oh, heh, I didn't back it up on the same drive bud. I actually did back it up on a disk and a second drive. :) (Well actually the second drive doesn't have anything from my new drive on it and it is now inoperable other than for data. That was caused by my motherboard, cpu, and power supply being replaced along with adding in a second drive.) So I should be able to just salvage off from that one shouldn't I?

It would really suck if I had to re-build over 40-50 different, very complex 3D models vertice by vertice again. Spent a couple of years doing that.

If I saved these files on a disk, it couldn't cause an infection unless I transported the virus over could it?

I was building some very important models for work that I saved on my extra drive previously to this attack. I had my 3D modeling program installed in this drive and accessed it from my C drive through a shortcut. As I understand, programs can't initiate if they are on another drive unless you try to access them from the drive you are using. So I would imagine they would be ok wouldn't they?
MD-2389
Defender of the Night
Posts: 13477
Joined: Thu Nov 05, 1998 12:01 pm
Location: Olathe, KS

Post by MD-2389 »

mob-messenger wrote:Oh, heh, I didn't back it up on the same drive bud. I actually did back it up on a disk and a second drive. :) (Well actually the second drive doesn't have anything from my new drive on it and it is now inoperable other than for data. That was caused by my motherboard, cpu, and power supply being replaced along with adding in a second drive.) So I should be able to just salvage off from that one shouldn't I?
Ok, so you changed your PS and mobo and it wouldn't boot up...that's what you're saying, right? If so, you could've gotten around that easily enough. All you had to do is boot off your windows CD (assuming you're running 2000 or XP) and repair your installation. You'd have to run Windows Update all over again, but you'd save yourself from a reformat/reinstall.

That being said, I want you to download a copy of Hijack THIS! and post the contents of the log it generates here. DON'T take a screenshot, copy and paste it.

If I can't find anything, I want you to do the following:

Copy everything you want to keep off of THAT drive and onto your C drive. Then disconnect your C drive entirely from the system (All you have to do is disconnect the power cord) and change your second drive to a master. I want you to boot off your windows CD and FORMAT that drive entirely. (DON'T do a quick format, do a full one.) Then I want you to run this command: "fdisk /mbr" without the quotes. This will clear anything out of your hard drive's master boot record (just in case one of the rare bugs that do try to hide there did try to do so). Then I want you to install only Windows and your anti-virus software of choice. Update your anti-virus software and then shut down your machine. Hook up the other drive (The one that I told you to move your data to) and change its jumper setting so that it's a slave. Hook it up and then boot into windows safe mode (by hitting F8 before the windows logo shows up) and then scan the entire system for any infections.
If I saved these files on a disk, it couldn't cause an infection unless I transported the virus over could it?
Just sticking a disk in won't do anything. It's when you try to read the contents of that disk that you run the chance of executing something that shouldn't be there.
Mobius
DBB_Master
Posts: 7940
Joined: Sun Jun 03, 2001 2:01 am
Location: Christchurch, New Zealand

Post by Mobius »

MD - now you are making it sound like a Virus is going to get his sister pregnant just because that hard drive is in the same house.

No point in spreading FUD around the place.

Let's get a few things straight.

1) Virii need to RUN for anything to happen to your system.

2) Infected files, in and of themselves ARE NO DANGER unless the files are RUN.

3) You can SAFELY BACKUP DATA onto a CD/DVD or other hard drive - then format the hard drive and do a clean re-install. THEN - you can connect your backup drive (NOTHING WILL RUN FROM IT UNLESS YOU RUN IT!) and do a thorough scan of that disc with AV, ad-aware and Spybot.
--
Mess - there's just NO WAY your 3D files contain a virus. They are not executable files, and therefore can't contain executable code. They are data files, and nothing more.

Your ping and loss indicators to me, point to an ISP or phone line issue, and NOT your box. You probably wasted all that time and effort - sadly.

When pings are 650-950ms, that is a sure sign your ISP is hosing you, or you have such crappy telephone wire, that capacitance or other electrical interference is ruining the data connection.

Some sh!tty telephones can completely hose a dial up connection. Try unplugging EVERY phone in the house, and test again. If you still have no joy - then ring your phone company and ask them to test the noise and other specifications of your phone lines.

Typically, you should see first hop ping times on the order of 125ms with no more than 2% loss on a constant stream of traffic. PingPlotter would let you get a good picture of the quality of your connection - over an extended period.

If testing is superior late at night, and shagged in the early evening, it's a sure sign your ISP is hosing you - having oversold their dial-up bandwidth.

If your first hop ping time is higher than 150ms, then your ISP is buffering data (and need to be shot).
Mobius
DBB_Master
Posts: 7940
Joined: Sun Jun 03, 2001 2:01 am
Location: Christchurch, New Zealand

Post by Mobius »

MD-2389 wrote:It's when you try to read the contents of that disk that you run the chance of executing something that shouldn't be there.
That's complete rubbish. READ does NOT mean EXECUTE. Files that are VIEWABLE don't get EXECUTED in general. It's PROGRAMS which get infected, or which ARE infections.

Just don't brazenly click on any item you aren't sure about!

Repeat after me: SCAN FIRST, THEN YOU'RE SAFE!
[]V[]essenjah
DBB Defender
Posts: 3512
Joined: Mon Dec 20, 1999 3:01 am

Post by []V[]essenjah »

Glad to hear that guys. I don't have any exe files that can't be replaced easily. My bro also stated that I should be fine with 3D models. 3D models, image files, text and word documents are all I'm worried about. The rest I will re-download. :)

MD- how do you use this program and how do I make a log of it? I can't copy/paste the info it seems.
MD-2389
Defender of the Night
Posts: 13477
Joined: Thu Nov 05, 1998 12:01 pm
Location: Olathe, KS

Post by MD-2389 »

mob-messenger wrote:MD- how do you use this program and how do I make a log of it? I can't copy/paste the info it seems.
Dude, it's really damn simple. All you gotta do is run the program and hit scan. Then click "save log", open it up in notepad and copy and paste the contents here.
Mobius wrote:That's complete rubbish. READ does NOT mean EXECUTE. Files that are VIEWABLE don't get EXECUTED in general. It's PROGRAMS which get infected, or which ARE infections.

Just don't brazenly click on any item you aren't sure about!
You are aware that images (well, jpegs) can contain malicious code as well, and guess what happens when you open a folder containing them with the default explorer settings. :roll: We don't know if what caused his problem was a virus, worm, or a simple case of spyware hell. It never hurts to be really careful when dealing with crap like this. Yes I know I went a little overboard with the suggestion above, but it's a guaranteed method of having a perfectly clean install to work with, without having to remove anything and stick it into another system and risking a second infection as well.
[]V[]essenjah
DBB Defender
Posts: 3512
Joined: Mon Dec 20, 1999 3:01 am

Post by []V[]essenjah »

Yeah but they can't run as exe files. :) I actually got a copy of Windows XP today and installed it.
[]V[]essenjah
DBB Defender
Posts: 3512
Joined: Mon Dec 20, 1999 3:01 am

Post by []V[]essenjah »

My current log file:

Logfile of HijackThis v1.98.2
Scan saved at 2:00:51 PM, on 11/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Messenjah\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8426381A-0D2C-4F0A-B4AC-236AC6B7B4FE}: NameServer = 69.20.128.5 69.20.129.5
Top Wop
DBB Master
Posts: 5104
Joined: Wed Mar 01, 2000 3:01 am
Location: Far from you.

Post by Top Wop »

O17 - HKLM\System\CCS\Services\Tcpip\..\{8426381A-0D2C-4F0A-B4AC-236AC6B7B4FE}: NameServer = 69.20.128.5 69.20.129.5 <----WTF is that?

Mess, I know the reason for your problem, and the answer to your solution. And I'm sure you know as well. ;)
MD-2389
Defender of the Night
Posts: 13477
Joined: Thu Nov 05, 1998 12:01 pm
Location: Olathe, KS

Post by MD-2389 »

mob-messenger wrote:Yeah but they can't run as exe files. :)

I'm going to make this very simple for you since you don't seem to get the idea. By default, (in XP) Explorer is set to view any image as a thumbnail. Even any folder containing images will have thumbnails generated on the folder icon itself. Guess what you're doing when it's generating that thumbnail. That's right, you're loading that image into memory. If that image were to have malicious code....well, I think you get the idea now. Just because something isn't an exe doesn't mean it can't be executed.
mob-messenger wrote:O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Unless you use Windows Messenger (MSN), kill it.
O17 - HKLM\System\CCS\Services\Tcpip\..\{8426381A-0D2C-4F0A-B4AC-236AC6B7B4FE}: NameServer = 69.20.128.5 69.20.129.5
Yay, you got hit by lop.com garbage. Kill it.

While you're at it, go here and kill those unnecessary services. (I'd go with the "SAFE" options if I were you.)
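As an added example (not from anyone in this thread), a small Python helper that does mechanically what MD-2389 and Top Wop did by eye: it parses HijackThis-style "Onn - ..." lines, pulls the DNS servers out of O17 NameServer entries and reports any that are not on the list the ISP actually gave you, and flags O4 autoruns that execute from user-writable folders. The sample lines are the ones posted above; the expected-DNS list and the user-writable-folder heuristic are my assumptions, not anything HijackThis itself does.

```python
"""HijackThis-log triage helper (added example, not part of the thread)."""
import re

# Constructed sample: the O4/O9/O17 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8426381A-0D2C-4F0A-B4AC-236AC6B7B4FE}: NameServer = 69.20.128.5 69.20.129.5
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hypothetical heuristic: autoruns normally do not live in these user-writable places.
SUSPICIOUS_DIRS = ("\\documents and settings\\", "\\temp\\", "\\desktop\\")


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Onn - ...' line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def nameservers(log_text):
    """Collect every IPv4 address listed after 'NameServer =' in O17 entries."""
    found = []
    for section, body in parse_entries(log_text):
        if section == "O17" and "NameServer" in body:
            found.extend(IPV4_RE.findall(body.split("=", 1)[1]))
    return found


def unexpected_nameservers(log_text, expected):
    """DNS servers in the log that are not on the ISP-provided list (assumed input)."""
    return sorted(set(nameservers(log_text)) - set(expected))


def suspicious_autoruns(log_text):
    """O4 entries whose executable path points into a user-writable folder."""
    hits = []
    for section, body in parse_entries(log_text):
        if section == "O4" and any(d in body.lower() for d in SUSPICIOUS_DIRS):
            hits.append(body)
    return hits


if __name__ == "__main__":
    isp_dns = ["69.20.128.5", "69.20.129.5"]  # assumed: what the ISP told you to use
    print("unexpected DNS:", unexpected_nameservers(SAMPLE_LOG, isp_dns))
    print("suspicious O4 :", suspicious_autoruns(SAMPLE_LOG))
```

An O17 entry is only a problem if its addresses differ from what your ISP handed out, which is exactly the disagreement in this thread; the script makes that comparison explicit instead of eyeballing a GUID line.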
[]V[]essenjah
DBB Defender
Posts: 3512
Joined: Mon Dec 20, 1999 3:01 am

Post by []V[]essenjah »

Yeah, I figured that out. I'll scan them before I place them back on my system. That would be a lot of textures to get rid of. About 30 or so per model. :D I've got probably over 50 or so models.... so that would be about 150 textures to re-make.

First off, I use Trillian which uses MSN :) So, I don't really want to kill that, no.


The second one you mentioned is the ip number my isp gave me in order to run a ping test on to see what my ping time is. :D
fliptw
DBB DemiGod
Posts: 6459
Joined: Sat Oct 24, 1998 2:01 am
Location: Calgary Alberta Canada

Post by fliptw »

you can kill MSN. Trillian doesn't rely on anything for it to work with MSN (that's the point)
[]V[]essenjah
DBB Defender
Posts: 3512
Joined: Mon Dec 20, 1999 3:01 am

Post by []V[]essenjah »

Interesting..... killed it.


I just figured it pulled info from MSN Messenger. I didn't know Trillian ran separately from it. Figured it needed that to gain access to my list and such.