Internet Connection Lost After Installation of Windows XP Service Pack 2 (WinXP SP2)

ObsesivelyCurious

Yet Another Frustrated WinXP SP 2 User

I need some good and detailed advice on the problem I encountered after
installing WinXP SP2 on my home computer. I hope this is the best
forum to post this question to, but if you know of a different group,
please, refer me there.

Here's my story, which I'll try to keep to a minimum - just
enough to describe things in detail. I have two computers at home: a
desktop and a laptop. Both of them sit behind a wireless router
(Linksys WRT54G) and a cable modem (Motorola - can't recall the
model at this point). Both boxes run WinXP. I've been using this
setup smoothly and happily for some two years now relying on the
router's built-in firewall to protect me from malicious attempts of
the villains out there.

Unfortunately, a couple of weeks ago I must have contracted some mutated
version of Sasser which caused my lsass.exe to cease to function and
forced periodic system reboots. Alerted by this event, I decided to
bring my desktop up to the latest updates, and perhaps install some
software firewall on the box itself. I was able to successfully remove
the malware (and in the process found some more stuff, albeit less
malignant). Either way, after installing the first set of necessary
updates from MS I got everything working smoothly again... And here's
when I made a mistake.

I thought, if things are going so well, perhaps I should go ahead and
install Microsoft's recommended SP2, and I went for it. Installation
proceeded uneventfully and soon I had my brand new and shiny WinXP SP2.
Unfortunately, from that point on I have been unable to connect to the
internet. I've pored over gazillions of posts and discussion forums,
found some advice, applied it, and... got nothing. I even went as far
as restoring the system back to before SP2 (at which point everything
works fine) and reinstalling again, but to no avail.

Now, here's what I see exactly. My ipconfig shows everything as it
needs to be. Both my desktop (with SP2) and my laptop (without SP2)
get their IPs from the router via DHCP. I can also ping my router
(192.168.1.1) and my cable modem (192.168.100.1) just fine. I can ping
between the desktop and laptop as well. However, if I try to browse to
either one (http://192.168.1.1 or http://192.168.100.1) which normally
brings up a web based configuration interface, I get an IE error page
indicating it cannot connect. Also, when I try to ping something
outside my local network, the ping times out.

Now, this is the most bizarre part. Before I installed SP2 on my
desktop I took it offline by physically unplugging the network. During
the installation and even after I could access the internet from my
laptop without any issues. I could also view the configuration web
interfaces of both the router and the cable modem. When I later
plugged in the desktop with SP2 back onto my LAN I could still browse
happily on my laptop for a little while. I tried to navigate to my
router interface from my desktop, and after a very long delay, the
interface slowly came up. It was available for a few minutes, and then
went down (with the familiar error page in IE). I thought this must be
a problem with the desktop and SP2, but to my dismay I found out that
my laptop now can't access the internet or web interface of the
router either. It seems that SP2 on my desktop is somehow capable of
taking down the router with it!!!

As background info, let me state that I have installed the latest
firmware on the router. I've also carefully reviewed any potential
malware on my box. I've run Ad-Aware and removed everything that
looked suspicious. I also scanned the system with HijackThis and
examined the log, but did not find anything that concerned me. I'd
be happy to post the log later when I'm back at my box, if that can
be relevant here.

Another interesting tidbit is that my "Internet Connection" under
Network Connections disappeared after I installed SP2. When I restored
to the previous state, I couldn't see it either. Later, after
re-installation of SP2, it popped up again, until everything went down,
and then it disappeared again.

I also have Symantec Internet Security 2003 installed. I had not used
it before, but I enabled it after I discovered and removed Sasser.
I've tried disabling it, but this had no effect on my connectivity
problems. I also disabled the Windows Firewall, but to no avail.

Quite frankly I'm completely at a loss for a solution. If there is
anyone out there who could shed some light on my desperate situation, I
would greatly appreciate your opinion and advice.

Thanks a bunch,

Andrew
 
Quaoar

Google for winsockxpfix.exe. Run this to reset the registry keys
relating to TCP/IP. I have to use this after *every* windows update,
for whatever reason.

Q
 
ObsesivelyCurious

I've got WinSockXpFix.exe and I even started it, but when I tried to
run registry backup I got a bunch of errors, which I found
discouraging, and stopped for now. I'll give it a shot later.

On the other hand - judging from some other discussion thread I read on
a similar subject - I would think that since I can ping successfully
(at least within my local network) the problem is not with the TCP/IP
stack. I could be wrong here.

One more piece of information. The problem does not seem to be limited
to the browser only. My MSN Messenger refuses to connect either, and
it doesn't seem like Windows Update is able to connect either. Does
this preclude some malware trying to hijack the browser? I have
Firefox installed and I tried it too after the first installation of
SP2, but I couldn't connect anywhere. I can give it another spin, but
I suspect the outcome will be similar.

Andrew
 
Chuck

Andrew,

The mysterious LSP / Winsock corruption can cause an assortment of ills, and
your symptoms are consistent with that. Partial connectivity problems, Internet
connectivity problems while local connectivity is unaffected, slow connectivity
are all possible symptoms. WinsockXPFix is only one of 4 possible corrective
procedures too.
<http://nitecruzr.blogspot.com/2005/05/problems-with-lsp-winsock-layer-in.html>

Another possibility that comes to mind is the MTU issue.
<http://nitecruzr.blogspot.com/2005/06/internet-connectivity-problems-caused.html>

Oh yeah, did you post your HJT log to any expert forum? Can you provide a link
if so?
<http://nitecruzr.blogspot.com/2005/05/interpreting-hijackthis-logs-with.html>

And is it possible that the laptop has an IP address of 192.168.1.100, not
192.168.100.1? Addresses 192.168.1.1 and 192.168.100.1 aren't on the same class
C subnet. Maybe if you post "ipconfig /all" from both computers, we could get a
picture of your problem.
<http://nitecruzr.blogspot.com/2005/05/troubleshooting-internet-service.html#AskingForHelp>
 
ObsesivelyCurious

Chuck,

Thanks for your response. I'll try to run WinSockXpFix when I get
home. Are there any precautions I should take, i.e., can it remove
stuff that should actually be in the LSP?

I haven't posted my HijackThis log yet. Again, I'll get to it as soon
as I get home.

The IP addresses I posted were of the router (192.168.1.1) and the
cable modem (192.168.100.1). The laptop and desktop (the IPs of which
I didn't post here) get theirs via DHCP and these default to
192.168.1.100 for the desktop and 192.168.1.101 for the laptop.

Andrew
 
ObsesivelyCurious

Here's some more info regarding my setup and symptoms/causes.

First, all of my computers and the router are in the same subnet (given
their IP addresses), so I don't think there is a problem here. Plus,
this part of the setup has not changed since before the SP2 installation.

Second, MTU shouldn't be an issue here. Again, this setting hasn't
changed since before SP2. Also, I can't access any websites
whatsoever. In fact, I can't even view the web interface of my own
router. Notice (see the original post) that the latter seemed to
disappear "gradually". It was accessible and fine from my laptop, then
I could access it from my desktop, albeit very sluggishly, and finally
it disappeared altogether (from both laptop and desktop). This gradual
aspect has me quite confounded. Is it possible that my router gets
flooded with packets from my desktop? Something to the effect of
denial of service attack issued from my own box?

Third, I need to point out that I had, in fact, run LSP-Fix prior to
installing SP2. It found some stuff and removed it. Also, after
installation of SP2 its built in malware-removal tool seems to find
something and remove it. I can't remember off the top of my head what
exactly that is - some dll.

And finally, I have port forwarding set up in my router for HTTP (port
80) to my desktop. I run a web server on my desktop and I need it
visible from the outside world.

I'll post more info: HijackThis log and outcome of WinSockXpFix later
today.

Thanks for your help,

Andrew
 
Chuck

Andrew,

If you have a standard LSP stack, you should be OK. OTOH, if you have any
custom network software, and it uses the LSP stack, you may end up reloading it.

You can run MSInfo32, and under Components - Network, you will see Protocol and
Winsock. That will give you an idea what is at risk. If there are any
non-Microsoft components, you can find them there.

Also, Autoruns (free) from
<http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml> will list all
Winsock components, and can be set to list only non-Microsoft components. If
you don't have Autoruns yet, get it. It's an excellent tool.
<http://nitecruzr.blogspot.com/2005/05/essential-tools-for-desktop-and.html>

How do you address the cable modem, if it's on another subnet?
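One way to get at the Winsock/LSP list Chuck describes without the MSInfo32 or Autoruns GUI, as an added example that is not part of the thread and not Autoruns' own code: a read-only PowerShell script that walks the registry catalog the Winsock tab is built from and flags entries that point at missing files or at DLLs outside system32. It assumes PowerShell 2.0 or later; the `$base` registry path and the PackedCatalogItem layout are the standard Winsock2 conventions, while the flagging rules are my own and only a starting point for the manual review described above.

```powershell
# Added example, not from the thread. Read-only inspection of the Winsock catalog:
# nothing here modifies the registry or the stack.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'

function Get-WinsockProviders {
    $out = @()
    # Layered/transport providers (Protocol_Catalog9). Each entry's PackedCatalogItem
    # begins with a NUL-terminated ANSI DLL path (MAX_PATH = 260 bytes), followed by
    # the packed WSAPROTOCOL_INFO structure, which we do not need here.
    foreach ($cat in 'Protocol_Catalog9\Catalog_Entries', 'Protocol_Catalog9\Catalog_Entries64') {
        $key = Join-Path $base $cat
        if (-not (Test-Path $key)) { continue }      # *64 exists only on 64-bit Windows
        foreach ($entry in Get-ChildItem $key) {
            $raw = (Get-ItemProperty $entry.PSPath).PackedCatalogItem
            if (-not $raw) { continue }
            $len = [Array]::IndexOf($raw, [byte]0)     # end of the NUL-terminated path
            if ($len -lt 0 -or $len -gt 260) { $len = 260 }
            $dll = [Text.Encoding]::Default.GetString($raw, 0, $len)
            $out += New-Object PSObject -Property @{
                Catalog = 'LSP'; Entry = $entry.PSChildName; Path = $dll }
        }
    }
    # Name-space providers (NameSpace_Catalog5) keep the DLL path as a plain
    # LibraryPath value, so no unpacking is needed.
    foreach ($cat in 'NameSpace_Catalog5\Catalog_Entries', 'NameSpace_Catalog5\Catalog_Entries64') {
        $key = Join-Path $base $cat
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem $key) {
            $p = Get-ItemProperty $entry.PSPath
            $out += New-Object PSObject -Property @{
                Catalog = 'NSP'; Entry = $entry.PSChildName; Path = $p.LibraryPath }
        }
    }
    $out
}

function Get-ProviderVerdict($path) {
    # Own heuristic: a catalog entry whose DLL is gone (typical after a half-removed
    # LSP or an uninstalled security product) or that lives outside system32 is the
    # kind of thing LSP-Fix, WinSockXPFix or a netsh reset would touch.
    $full = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path $full)) { return 'MISSING FILE - dangling entry' }
    $sys32 = Join-Path $env:SystemRoot 'system32'
    $where = if ($full.ToLower().StartsWith($sys32.ToLower())) { 'system32' } else { 'OUTSIDE system32' }
    # Embedded Authenticode only; many Microsoft system DLLs are catalog-signed and
    # will report NotSigned here, so treat the signer as supporting evidence only.
    $sig = Get-AuthenticodeSignature $full
    if ($sig.Status -eq 'Valid') {
        $signer = $sig.SignerCertificate.Subject
        if ($signer -match 'Microsoft') { return "$where / signed by Microsoft" }
        return "$where / signed by non-Microsoft: $signer"
    }
    return "$where / no embedded signature (may be catalog-signed)"
}

$providers = Get-WinsockProviders
foreach ($prov in $providers) {
    $prov | Add-Member NoteProperty Verdict (Get-ProviderVerdict $prov.Path)
}
$providers | Sort-Object Catalog, Entry | Format-Table Catalog, Entry, Verdict, Path -AutoSize
"Total catalog entries: $($providers.Count)"
```

Anything reported as MISSING FILE or OUTSIDE system32 is worth looking up before running any of the repair tools, since that is exactly the kind of entry they remove. The count printed at the end can be compared with the 10 entries Andrew mentions from Microsoft's documentation, but the catalog also contains NetBIOS entries, so read the list rather than the number.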
 
ObsesivelyCurious

Chuck,

I had checked my LSP stack using MSInfo32, but didn't have the time to
examine it in detail. Microsoft documentation on fixing Winsock
problems said the standard stack should have 10 entries. Mine had 12,
so I assume I have something extra attached. Most likely it's Symantec
Network Security. I'm not sure if both are it, or if the other entry
is something else. I'll check it out.

I don't have Autoruns yet. I'm glad you pointed it out. It sounds
like a great tool. I'll grab it when I get home.

I never thought much about the cable modem being on a different
subnet... These were the default settings and they always simply "just
worked". I could always ping it by IP and I could also access its web
interface by http://192.168.100.1. Is there something here that could
be causing problems with SP2? Why should a separate subnet be a
problem in the first place?

Thanks,

Andrew
 
Chuck

Andrew,

Your modem is outside the router, so your router sends the pings that way.
That's fine as long as your modem is the only one on the Internet using that
address. If that's the default, you probably have neighbors who have theirs
attached, and using the same address.

Watch out if you have Winsock entries for NIS. Any time you uninstall or
deactivate a Symantec product, you can get interesting results.

Also, remember that installing SP2 is never recommended as a reparative
procedure. You should only install SP2 to a well running system.

Finally, the 4 LSP repair tools (3 third party + 1 native Windows command) are
known to not duplicate each other. Many folks here have reported not getting a
solution from the first one that they tried. One helper here has been known to
point out that the netsh (native Windows) procedure doesn't always work.
 
ObsesivelyCurious

I see what you were getting at with the modem IP address. Doesn't the
modem expose two interfaces and therefore two IP addresses? One for the
local network and one for the outside world. The one I posted is the
local address that I can see on the inside. The other is obtained via
DHCP from my Comcast (my cable provider), and I don't remember it at
the moment.

What's your advice on NIS then? Should I try to uninstall it
completely and then remove anything that may be leftover in LSP? I've
had it installed for quite a while since it came in a bundle with
Antivirus along with some piece of hardware I bought, and I just never
cared to uninstall it, but simply disabled it. I've had it all running
in this fashion for the longest time without any issues at all.

My system was stable before I installed SP2. In other words, I took
care of all the issues I saw by running the malware removal tool(s) and
applying some security patches from MS. It all ran in a stable fashion
for a day, and then I decided to move on to SP2. Also, if I restore to
the point just before installation of SP2, I get back to a nice and
stable environment...

I'll give all the LSPs a spin. I hope none of them will do any damage
to what I need to run my network :). I'll post what I get when I'm
done.

Andrew
 
Chuck

Andrew,

A modem is a bridge - it bridges the voice line to Ethernet. It only has 1 IP
address. A router has 2 IP addresses.

If you're having network problems, like inability to access Internet sites,
uninstalling personal firewalls is a good place to start diagnosing the problem.
Check with Symantec before starting - there may be special uninstall procedures
you will need.

Incidentally, I just downloaded the newest version of Autoruns - V8.0 - and it
shows me 12 NetBIOS Winsock entries + 3 TCP/IP entries. So look carefully at
your list - you may be surprised.
 
ObsesivelyCurious

Chuck,

Looks like you've exposed a hole in my (somewhat patchy) knowledge of
computer networks. I guess the class I took was too long ago, or I was
dozing off when this topic was discussed. Of course, it is the router
that has both the local LAN and the "world" IP address. Just for
reference the internet-side IP is 24.20.235.200.

Now down to business. I've downloaded Autoruns per your advice and
indeed it is a fabulous tool. I did a scan, hid all the Microsoft
registered entries and analyzed what remained. First I jumped to the
Winsock tab. Much to my surprise there was nothing there that was not
Microsoft-registered. I suppose, all my 12 items I had referred to
before must be legitimate (I looked closely, and they appear that way
to me). I guess this suggests that the problem was not in the tcp/ip
stack, especially that I never had much trouble with pinging the world
(at least not until my SP2 box took down the router).

Anyway, subsequently I unchecked a couple of items in the "Logon"
section, including two related to Norton Internet Security, but left
many that I recognized as valid programs.

Then I took a hatchet to the "Internet Explorer" section, led by the
earlier symptoms that seemed to be related to IE. Many of the items in
there made sense to me (Google toolbar, Norton AntiVirus, Sun Java
Console, and a couple of others) but regardless I unchecked them all.

With that I rebooted my box and waited.... It came back up fine and
when I got to browsing things simply worked! So I think you hit the
nail on the head, and Autoruns is the right tool to have.

Now I need to re-enable the items one by one to pinpoint the culprit.
I'll post the info in a few minutes.

I will also post my HijackThis log here for now, cause after I
registered at Spyware Warrior, I need to wait for activation.

Thanks for your help,

Andrew
 
Chuck

Andrew,

Alright, that's a great start! Now I'll look forward to hearing what item it is
that caused the problem. Obviously it should be something that does TCP/IP -
and you said that MSN Messenger appears to be affected too.
 
ObsesivelyCurious

Chuck,

Just as I was about to proclaim complete victory last night.... (see
below)

Continuing my previous post...

I now re-enabled all Norton AntiVirus related entries in IE section,
rebooted the box, and everything is still working fine. I noticed only
one difference: my "Internet Connection" in Network Connections now has
the "Disabled" status when the box first came up. This does not,
however, prevent me from pinging or browsing. I can also right-click it
and choose "Enable" which changes its state to "Connected".

I've also re-enabled Adobe Acrobat BHO as well as MS Money items, and
everything is still running fine. That's good news. Now what
remains is some unchecked logon and services items. Most of them
pertain to Norton AntiVirus or Internet Security....

.....an utter disaster struck! Little did I know that this would be the
last time I would see my system stable for the next 24 hours. Now, one
more restore point, several unsuccessful virus scans, malware scans,
etc., and one sleepless night later I am back to square one.

When I re-enabled Symantec services I started seeing internet slowness
again. It didn't quite take down the router like before (I could still
use it just fine from my laptop), but pages took 10 times as long as
they should to download. So I decided to uncheck these services in
Autoruns hoping for a smooth ride concluded by possibly uninstallation
of the Symantec products, but - needless to say - that did not happen.
After a reboot I saw the same slowness symptoms, and soon afterward the
infamous error messages (lsass.exe) followed by a reboot started again.
Trying to get the system to a more stable state I restored to a point
before the changes I've made with Autoruns, but this didn't help, and
perhaps made things even worse, cause now I started seeing errors from
services.exe too.

I figured it had to be a virus of some sort, so I resorted to trying
antivirus software. I couldn't run Norton AntiVirus in a stable way -
the app crashed and the system followed. I grabbed Symantec's Sasser
removal tool and did a system scan, which went through without a reboot
on 2nd or 3rd attempt and found nothing! I thought, maybe I got some
other worm, and found out about McAfee's Stinger. I got that one too
and ran it. First in normal windows mode, in which it briefly splashed
something about a virus found in a single file, but I didn't have a
chance to even see the name, cause the app crashed too. I tried it a
few more times in normal mode and I didn't see any viruses, but the
scan never completed because of app and system crashes. Somewhere in
between furiously rubbing my red eyes with contacts permanently
implanted in them and frantically pulling out my hair, my box started
randomly rebooting without any error messages whatsoever...

I restarted in safe mode, but even then the spontaneous reboots
continued. I attempted to run stinger again focusing first on
C:\Windows. It completed successfully and found nothing. Encouraged
by that, I started a full scan of both my hard drives, and completely
exhausted went to sleep.

This morning I found the box restarted again gleefully informing me
that "the system recovered from a serious error". I have no clue
whether the scan completed, cause the tool left no log file behind (at
least as far as I can tell). I started to suspect some hardware
problem on top of everything else, so I took out all my PCI cards, and
now I'm running the scan again.

I also took a peek at the system and application logs and I can see a
bunch of errors in there. I saved those for later, as I didn't have
the time to analyze them then. One thing that did jump at me - because
it looked strangely familiar, like a problem that I dealt with before -
were errors in the acpi module. I'll need to look into this more, as
this could be the reason for the random reboots without any errors.

Either way, if I can get this system back to some semblance of
stability I will feel quite proud of myself...

I'll report on the progress and any conclusions I reach.

Andrew
 
Chuck

Chuck,

Just as I was about to proclaim complete victory last night.... (see
below)

Continuing my previous post...

I now re-enabled all Norton AntiVirus related entries in IE section,
rebooted the box, and everything is still working fine. I noticed only
one difference: my "Internet Connection" in Network Connections now has
the "Disabled" status when the box first came up. This does not,
however, prevent me from ping or browsing. I can also right-click it
and choose "Enable" which changes its state to "Connected".

I've also re-enabled Adobe Acrobat BHO as well as MS Money items, and
everything is still running fine. That's good news. Now what
remains is some unchecked logon and services items. Most of them
pertain to Norton AntiVirus or Internet Security....

....an utter disaster struck! Little did I know that this would be the
last time I would see my system stable for the next 24 hours. Now, one
more restore point, several unsuccessfull virus scans, malware scans,
etc., and one sleepless night later I am back to square one.

When I re-enabled Symantec services I started seeing internet slowness
again. It didn't quite take down the router like before (I could still
use it just fine from my laptop), but pages took 10 times as long as
they should to download. So I decided to uncheck these services in
Autoruns hoping for a smooth ride concluded by possibly uninstallation
of the Symantec products, but - needless to say - that did not happen.
After a reboot I saw the same slowness symptoms, and soon afterward the
infamous error messages (lsass.exe) followed by a reboot started again.
Trying to get the system to a more stable state I restored to a point
before the changes I've made with Autoruns, but this didn't help, and
perhaps made things even worse, cause now I started seeing errors from
services.exe too.

I figure it had to be a virus of some sort, so I resorted to trying
antivirus software. I couldn't run Norton AntiVirus in a stable way -
the app crashed and the system followed. I grabbed Symanted Sasser
removal tool and did a system scan, which went through without a reboot
on 2nd or 3rd attempt and found nothing! I thought, maybe I got some
other worm, and found out about McAffee's stinger. I got that one too
and ran it. First in normal windows mode, in which it briefly splashed
something about a virus found in a single file, but I didn't have a
chance to even see the name, cause the app crashed too. I tried it a
few more times in normal mode and I didn't see any viruses, but the
scan never completed because of app and system crashes. Somewhere there,
between furiously rubbing my red eyes with contacts permanently
implanted in them and frantically pulling out my hair, my box started
randomly rebooting without any error messages whatsoever...

I restarted in safe mode, but even then the spontaneous reboots
continued. I attempted to run stinger again focusing first on
C:\Windows. It completed successfully and found nothing. Encouraged
by that, I started a full scan of both my hard drives, and completely
exhausted went to sleep.

This morning I found the box restarted again gleefully informing me
that "the system recovered from a serious error". I have no clue
whether the scan completed, cause the tool left no log file behind (at
least as far as I can tell). I started to suspect some hardware
problem on top of everything else, so I took out all my PCI cards, and
now I'm running the scan again.

I also took a peek at the system and application logs and I can see a
bunch of errors in there. I saved those for later, as I didn't have
the time to analyze them then. One thing that did jump at me - because
it looked strangely familiar, like a problem that I dealt with before -
were errors in the acpi module. I'll need to look into this more, as
this could be the reason for the random reboots without any errors.

Either way, if I can get this system back to some semblance of
stability I will feel quite proud of myself...

I'll report on the progress and any conclusions I reach.

Andrew

Andrew,

It's good to be experimental, that's one way to learn, but I suspect that you
may be a bit undiscriminating in stopping services. Many services are essential
system processes, and should not be stopped. You would do well to read a bit
about each service in question. BlackViper is a good web site to use for that
purpose, and here are two possible archive links to his web site:
<http://web.archive.org/web/20041130032640/http://www.blackviper.com/WinXP/servicecfg.htm>
<http://kye-u.hopto.org/mirror/blackviper/WinXP/servicecfg.htm>

One detail comes to mind. The "Internet Connection" in Network Connections is
quite likely the management interface for your router, not the connection
itself. The interface depends upon a couple services, Plug and Play and SSDP
Discovery. If you can manage your router using its web interface, this "device"
is not essential.
 
O

ObsesivelyCurious

Chuck,

Thanks for the advice. I'll make sure to check out the site. I have
been quite careful with disabling services, though. In fact I did not
disable anything whose origin/purpose I couldn't determine. I
do suspect a virus of sorts, because of some really odd behavior I saw.
For one thing, when I checked the Winsock in Autoruns once I saw the
default list of MFAD TCP/IP items. At a different time, after a reboot
or two, a whole list of SPX/IPX appeared even though the protocol is
not attached to the network card. There was also an entry for RAW/IP.

There was another interesting symptom, although this could be a
coincidence. During my initial run of Stinger the virus detected (I
didn't catch the name) was found in msnmsg.exe. Earlier when I was
playing with Autoruns and unchecked the msnmsg.exe, and then refreshed
the list another msnmsg.exe entry would appear right next to the one I
disabled and it was always checked. I didn't see this happening for any
other entry in Autoruns.

I'll have to examine the system log files to perhaps glean some
information from them. Hopefully my system is still up and running
when I come back home. Maybe then I'll be lucky enough to see the
results of the virus scan as well...

Andrew
 
O

ObsesivelyCurious

One more thing. Do you have a favorite packet sniffer or network
analyzer that I could stick on my box when it becomes slightly more
stable to see what kind of traffic is going in and out? This could
help me determine if I do have some trojan horse or worm of other kind.

Thanks,

Andrew
 
C

Chuck

Andrew,

Check out my toolbox.
<http://nitecruzr.blogspot.com/2005/05/essential-tools-for-desktop-and.html>

You should use Process Explorer and Port Explorer to start. And DUMeter to
watch the volume of traffic. And PingPlotter to watch the quality of your
service. And use Autoruns and HijackThis periodically as snapshots of your
system. And Everest periodically.
 
C

Chuck

Andrew,

The actual Microsoft version of msnmsgr.exe (MSN Messenger) or msmsgs.exe
(Windows Messenger) is pretty resilient sometimes - I've had to kill it myself.
One of the reasons why I dumped S$ (of several reasons) was that if I wanted IM
protection, and I was going to protect MSN Messenger, NAV would start it
automatically, even if I didn't want it started (and I did NOT WANT IT STARTED
at system startup).

If the program you're talking about is spelled "msnmsg.exe", it may be an
imposter. The two IM programs, that I use, are spelled as I show above! The
program "msnmsg.exe" is possibly W32/RBot.
<http://www.google.com/search?q=msnmsg.exe&qt_s=Search&lr=&sa=N&tab=gw>

Any programs that I don't recognise, or trust, that I can actually find the
component in question, I submit to Jotti and VirusTotal for analysis. Takes
maybe 5 minutes of your time.
Jotti <http://virusscan.jotti.org/>
VirusTotal <http://www.virustotal.com/flash/index_en.html>
 
O

ObsesivelyCurious

Chuck,

Thanks for more advice. I've reviewed every single service that shows
up either under Autoruns or in the Windows Service management console
snap-in. They are all legitimate and the vast majority conforms to
BV's recommendations for the safe mode. I made a few adjustments using
my judgement.

Now, here's the scoop so far. When I came home after work today, I
found my system up and running in the safe mode as I had left it some 9
hours earlier with Stinger still up, which is a great sign. I'm not
sure if I had mentioned it, but before I started the scan I took out
all the unnecessary PCI cards, so now all I have in is my graphics
card, the hard drives, floppy, DVD and CDRW. This seems to work for
now. Much to my surprise, stinger found absolutely no infections of
any kind.

So now I'm looking through the list of services, browser extensions,
winsock providers, etc. And here again one thing jumps at me. In
winsock providers I see a whole bunch of entries pertaining to SPX/IPX.
I can't verify this at this moment (since my network card is out), but
I'm 99.99% sure that I do NOT have SPX/IPX protocol installed. The
only thing I have is TCP/IP. I do use file and printer sharing, but
that shouldn't matter here. I find these entries highly suspicious,
especially since they seem to come back even after I have disabled them
using Autoruns.

I'll try to disable them again and boot up the system in normal mode,
still without any cards or network connectivity.

To be continued...

Andrew
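The two leads the thread keeps returning to, Winsock catalog entries for a protocol family Andrew says is not installed (SPX/IPX) and an autorun image named msnmsg.exe that is one letter short of the genuine msnmsgr.exe Chuck describes, can both be checked mechanically. The script below is an added example for this thread, not something either poster ran. It parses the text format of `netsh winsock show catalog` (an XP SP2 command) into provider entries, flags providers whose address family the operator did not expect or whose DLL lives outside system32 (the usual footprint of an LSP hijack), and flags autorun image names that nearly match a known Microsoft Messenger binary without being identical. The catalog text, the GUIDs, the `example_lsp.dll` path and the autorun list are constructed sample data; an unexpected family is only a prompt to look closer, since the IPX entries are legitimate on a box where NWLink is actually installed.

```python
"""Triage the two symptoms from the thread: unexpected Winsock providers and
lookalike autorun names. Added example with constructed sample data."""
import re
from difflib import SequenceMatcher

# Address-family numbers as printed by `netsh winsock show catalog`.
AF_NAMES = {2: "AF_INET", 6: "AF_IPX", 17: "AF_NETBIOS", 23: "AF_INET6"}
# Genuine Microsoft Messenger image names named in the thread.
KNOWN_IMAGES = {"msnmsgr.exe", "msmsgs.exe"}

# Constructed sample modelled on the netsh output format; GUIDs and the
# example_lsp.dll path are placeholders, not real provider IDs or malware.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {11111111-1111-1111-1111-111111111111}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Address Family:                     2
Protocol:                           6

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD nwlnkipx [IPX]
Provider ID:                        {22222222-2222-2222-2222-222222222222}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1007
Address Family:                     6
Protocol:                           1000

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {33333333-3333-3333-3333-333333333333}
Provider Path:                      C:\\WINDOWS\\example_lsp.dll
Catalog Entry ID:                   1012
Address Family:                     2
Protocol:                           6
"""

# Constructed list of image names as an Autoruns Logon tab might show them.
SAMPLE_AUTORUNS = ["msnmsgr.exe", "msnmsg.exe", "ccApp.exe", "explorer.exe"]


def parse_winsock_catalog(text):
    """Split netsh output into one dict per provider entry. Each entry is a
    run of 'Key:   value' lines; a blank line closes the entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+):\s+(.*\S)\s*$", line)
        if m:
            cur[m.group(1).strip()] = m.group(2)
        elif cur and not line.strip():
            entries.append(cur)
            cur = {}
    if cur:
        entries.append(cur)
    return entries


def flag_providers(entries, expected_families=frozenset({2, 23}),
                   system_dir="%SystemRoot%\\system32\\"):
    """Return (entry, reason) pairs: a provider for an address family the
    operator did not expect, or a provider DLL outside system32."""
    flagged = []
    for e in entries:
        fam = int(e.get("Address Family", "0"))
        path = e.get("Provider Path", "")
        if fam and fam not in expected_families:
            flagged.append((e, "address family %s not expected"
                            % AF_NAMES.get(fam, fam)))
        if path and not path.lower().startswith(system_dir.lower()):
            flagged.append((e, "provider DLL outside system32: " + path))
    return flagged


def lookalike_images(image_names, known=KNOWN_IMAGES, threshold=0.85):
    """Flag names that closely resemble a known binary but are not it,
    e.g. msnmsg.exe next to the real msnmsgr.exe. Returns
    (name, closest_known, similarity) tuples."""
    flagged = []
    for name in image_names:
        n = name.lower()
        if n in known:
            continue
        best = max(known, key=lambda k: SequenceMatcher(None, n, k).ratio())
        ratio = SequenceMatcher(None, n, best).ratio()
        if ratio >= threshold:
            flagged.append((name, best, round(ratio, 2)))
    return flagged


def triage(catalog_text, autorun_images):
    """Run both checks and return the findings for review."""
    return {"providers": flag_providers(parse_winsock_catalog(catalog_text)),
            "lookalikes": lookalike_images(autorun_images)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_CATALOG, SAMPLE_AUTORUNS).items():
        for hit in hits:
            print(kind, "->", hit)
```

On a live XP SP2 box the catalog text comes from `netsh winsock show catalog > catalog.txt`; the flagged provider DLLs and lookalike images are exactly the files worth submitting to Jotti or VirusTotal before deleting anything, and `netsh winsock reset` (also new in SP2) rebuilds the catalog if a damaged LSP chain turns out to be the cause of the lost connectivity.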
 
