
View Full Version : OT Network Buffs.... You are Celeon's last hope!



Celeon999
03-01-2007, 05:12 AM
OK, here is the complex story:

- I have two computers here at home.
- Both are connected to a DSL router.

Router IP: 192.168.178.1
My computer: 192.168.178.21 (sometimes 20, depending on which of us starts his computer first)


The situation:

1. Yesterday the Norton virus scanner on my girlfriend's computer detected a trojan horse.

2. Norton deleted the virus. But: along with this, her internet connection ceased to work for unknown reasons.

3. I looked into her configuration and she suddenly has an IP of 169.254.80.231,
subnet mask 255.255.0.0,

which is obviously the problem, as no connection to the router can be established.

After every reboot of the computer she has a different strange IP now, but no 192.168.178.xx-style IP like before.

It seems she does not get a DHCP IP from the router anymore.

So I changed the automatic retrieval of her IP to a preset one like 192.168.178.xx (20, 21, 22 etc.).

Having done this, the effect is that she does not get a "limited or no connection" error message anymore, but the internet still does not work.

Windows says "Connection established" without any error messages when I activate the LAN connection.

But she can't open any websites.

The TCP/IP settings screen shows that her computer sends packets but receives 0.

What can I do?

I've tried several IPs but it's always the same.

The computer sends but receives nothing.

The Windows firewall is deactivated; no other firewalls are running.

The router firewall has no, AND NEVER HAD any, settings regarding her computer, except two rules that open ports for a BitTorrent client.

I just put her cable into the router a few years ago and it instantly had an internet connection. I've changed nothing; it just ceased to function from the moment of the trojan detection yesterday.

Any ideas how I can get it to work again?

VikingGrandad
03-01-2007, 05:21 AM
I'm not an expert in these things, but maybe this will help: is the laptop finding the correct router IP address? If not, try adding the router IP manually too.

Also, don't necessarily trust Norton to remove the trojan. Download some other anti-virus/anti-malware software and run that too. I'm only saying this because Norton failed to properly remove a trojan from my PC because the virus had installed a 'rootkit'. I managed to identify and detect this with AVG, but even that didn't remove it properly. So I found a small removal tool that specifically deals with the particular trojan I had. It was all a bit scary, but I got it fixed in the end. I have since removed Norton Antivirus and would never trust it again!

Minoos
03-01-2007, 05:34 AM
There are 2 things to look for:
- Hardware failure (damaged cable or network port)
- Software failure (drivers or Windows component)

Make sure that the cable used for your GF works with another machine, and check that the router has a cable sense/activity LED.

For the software part, use System Restore to set everything back to a working state, and then use a specific tool to delete the trojan or find instructions to manually remove it.

Messervy
03-01-2007, 05:44 AM
Can you see the router if you type the router's IP in your browser address window?
Usually it is 192.168.1.2 or 1.1.

Celeon999
03-01-2007, 05:49 AM
The cables are OK, the connector LED is on.

The Nvidia Ethernet controller is functioning properly.

I have never set any System Restore point on her Windows.

Do you think that the maybe-still-present trojan blocks the connection?

As I said, GF's computer does not get an IP from the router anymore. Don't know why.

Setting the IP by hand creates a connection which sends but does not receive anything...

Celeon999
03-01-2007, 05:53 AM
Originally posted by Messervy:
Can you see the router if you type the router's IP in your browser address window?
Usually it is 192.168.1.2 or 1.1.

With the wrong IP and with the hand-set IP I get this when I enter the router IP 192.168.178.1:

"The searched site couldn't be found"

From MY computer it works.

Minoos
03-01-2007, 05:55 AM
Nvidia Ethernet Controller
You are probably in a sort of driver issue...

I had the same issue once with an nForce4 chipset board.
Excessive heat was the source of the problem (49 °C measured on the chipset heatsink).

Celeon999
03-01-2007, 06:01 AM
Originally posted by Minoos:
Nvidia Ethernet Controller
You are probably in a sort of driver issue...

I had the same issue once with an nForce4 chipset board.
Excessive heat was the source of the problem (49 °C measured on the chipset heatsink).

Hmmmm, I don't think so; it all started with that "virus found" message yesterday. The computer was working all day before that.

Either the trojan or Norton screwed something up in the configuration.

Minoos
03-01-2007, 06:07 AM
A photo of Celeon's system.
Just to combine the score with a visual.
http://www.lostpedia.com/images/thumb/0/0c/HatchComputer2.png/800px-HatchComputer2.png

Don't you own a bullet-proof machine?

Minoos
03-01-2007, 06:10 AM
Try this:
http://support.microsoft.com/kb/914440/en-us

K_Freddie
03-01-2007, 06:11 AM
Set the subnet mask to 255.255.255.0... more info later.
Check your router tables if you can. They might be advertising incorrect routing IPs on the web, thus messing up all other routers' tables.

Messervy
03-01-2007, 06:12 AM
Check your settings in Internet Protocol (TCP/IP).

They should look like this:

http://img.photobucket.com/albums/v675/Messervy/LAC.jpg

http://img.photobucket.com/albums/v675/Messervy/TCPIP.jpg

http://img.photobucket.com/albums/v675/Messervy/Advancec.jpg

http://img.photobucket.com/albums/v675/Messervy/Filtering.jpg

Celeon999
03-01-2007, 06:19 AM
@ Messervy


That's what it looks like on my computer and my GF's computer.

But she does not get a proper IP from DHCP anymore. She gets a 169.254.xxx.xxx IP.

And when I manually set the IP it doesn't work either.

Messervy
03-01-2007, 06:30 AM
There is one thing you might want to try.
Plug the network cable from your GF's rig into your machine to eliminate the possibility of a router failure.
If it works, then try to delete your (her) existing connection and create a new one via the network wizard.

And yes, as KF said, set the subnet mask to 255.255.255.0.

BTW, did you try to reset the router?

Celeon999
03-01-2007, 06:41 AM
Yes, did several resets of the router.

I tried to delete the connection but I can't; Windows doesn't give me the option (greyed out).

The subnet mask gets automatically created according to the IP you enter. When I enter the wanted IP, 255.255.255.0 gets created automatically, and it doesn't work.

The status of the connection changes from "No or limited connection" to "Connection established", but I can't access the internet.

When I look into the properties of the LAN connection there is a statistic called Activity.

There I see

Sent: 201 (this value increases) and Received: 0

When I wait some time, the "received" field shows a 3 or maybe 5 after 20 minutes (I assume these are pings from the router), but it stays exactly where it is when I try to access the internet.

So the connection is there but only functions in one direction.

I assumed that the router firewall blocks all traffic to computer 2 for some unknown reason, so I set a rule that allows it, but nothing changed. (I didn't have this rule anyway when the computer was still working.)

It just makes no sense and I can't figure out what the problem is.

When I manually set the IP on the GF's computer and ping this address from my computer, I get an answer without any problems.

Why does the ping arrive at her computer but nothing else?

VikingGrandad
03-01-2007, 07:09 AM
Do you know the name of the trojan that Norton found?

Celeon999
03-01-2007, 07:17 AM
I believe it said "Mespam Trojan".

Minoos
03-01-2007, 07:21 AM
That would damage the Windows networking:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-020915-2914-99&tabid=3

While registering itself as an LSP, it modifies the contents of the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters

The Trojan also creates the following registry key to store installation related information:
HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\Buibert

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
5. Reinstall the TCP/IP Protocol and restore the LSP order

To reinstall the TCP/IP Protocol and restore the LSP order

1. Click Start > Control Panel > Network Connections >Local Area Connection.
2. Click Properties.
3. Click Install.
4. Select Protocol.
5. Click Add.
6. Click Have Disk.
7. Browse to the %Windir%\inf folder.
8. Click Open.
9. Select Internet Protocol (TCP/IP).
10. Click OK.
11. Restart the computer.

Celeon999
03-01-2007, 07:30 AM
I will try this.

VikingGrandad
03-01-2007, 07:56 AM
Celeon, make sure you get rid of that trojan! Don't necessarily believe Norton if it says it has removed it. Keep an eye on the system processes to see if there are any suspicious items using lots of memory or doing lots of I/O writes, etc.

Celeon999
03-01-2007, 08:28 AM
OK, here is my report:

The second virus scan was not successful, so I did the hunt myself.


Once executed, the Trojan drops the following files:
%System%\rsvp32_2.dll - the dropped LSP DLL
%System%\sporder.dll - clean DLL



I've found both and deleted them.



The Trojan may save the message in one or more of the following files:
%System%\aosmx.dll
%System%\aimsmx.dll
%System%\ymsgsmx.dll
%System%\gtalsmx.dll
%System%\pfxzmtaim.dll
%System%\pfxzmtforum.dll
%System%\pfxzmtgtal.dll
%System%\pfxzmticq.dll
%System%\pfxzmtsmt.dll
%System%\pfxzmtsmtspm.dll
%System%\pfxzmtwbmail.dll
%System%\pfxzmtymsg.dll




I've found these of them and deleted them:

%System%\pfxzmtforum.dll
%System%\pfxzmtgtal.dll
%System%\pfxzmticq.dll
%System%\pfxzmtsmt.dll
%System%\pfxzmtsmtspm.dll
%System%\pfxzmtwbmail.dll
%System%\pfxzmtymsg.dll


The Trojan also creates the following registry key to store installation related information:
HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\Buibert

I've erased that key.


I've reinstalled the TCP/IP protocol with the steps described.

But I don't know what "restore the LSP order" means.


So far this has all probably destroyed the installed part of the trojan, but it hasn't solved the problem.

The internet still does not work and nothing changed with the symptoms.

The initial virus executable was not found and I have no idea where to find it.

There are more than a dozen processes running in the Task Manager but I don't know what is what.

Messervy
03-01-2007, 08:31 AM
Simply type the name of the process into Google search and you'll be able to get at least a basic idea of what kind of process it is.

Celeon999
03-01-2007, 09:08 AM
I have it!

I've asked in a network-related forum and someone told me that the TCP/IP stack might have been damaged by the trojan.

He gave me a link:

This one here (http://www.iup.edu/house/resnet/winfix.shtm)


After running this little program the internet functions again!

The computer hangs on every start-up for about 1 1/2 minutes during Windows initialisation now, but then starts, and the internet works.


Thanks to everyone for your help.


Of course Celeon will invent an epic hero story on how he ALONE solved the problem with his gigantic computer and programming knowledge, killed the dragon, hunted some terrorists down etc. to score a kiss from the GF when she comes home.

No, not really. He will tell her that he got help.

Stuntcow
03-01-2007, 09:38 AM
May not be much, if any, help. In the cases where I have come across that type of error, even after cleaning with all the tools I could find and doing a repair from Windows, I had to reload Windows on the system. Hope the fixes work for you. Sounds like the infection corrupted the internet connection in Windows, and not sure if there is an easy way to get it back. Good luck.

VikingGrandad
03-01-2007, 09:46 AM
I'm glad you got it fixed.

We all learn something when we share a problem like this.

TAW_Oilburner
03-01-2007, 08:55 PM
Originally posted by Stuntcow:
May not be much, if any, help. In the cases where I have come across that type of error, even after cleaning with all the tools I could find and doing a repair from Windows, I had to reload Windows on the system. Hope the fixes work for you. Sounds like the infection corrupted the internet connection in Windows, and not sure if there is an easy way to get it back. Good luck.

Yep... not sure it was trojan related. This happened to a machine at work and we eventually just reloaded the OS (I recognized that IP from hell the second I saw it). Some people say the number of the beast is 666; I beg to differ, lol.