Keep losing browser capabilities

Menno Hershberger

This problem has plagued me the last two days. Out of the blue I start
getting "The page cannot be displayed" no matter where I try to go. I
can't even access my router (http://192.168.1.1). Mail, news, FTP, ping,
whois all continue to work just fine. I can telnet into my shell account
and use lynx. But Internet Explorer, Avanti Browser, and Mozilla
Firebird will all do nothing. I can reboot and they will work for a
limited amount of time, anywhere from 5 minutes to a half hour tops. Has
anyone here ever experienced a problem like this?
 
I should add I ran the WinsockFix. No difference. I've tried closing
everything that was running including antivirus. Windows firewall is not
turned on. I DO notice that the browser(s) are resolving hostnames
alright as in "Web site found... waiting for reply". There's nothing in
my hosts file. If I reboot to Windows 98, I have no problem there.
 
Now I have reinstalled XP. I didn't figure that would help and I was
right.
 
Menno said:
Now I have reinstalled XP. I didn't figure that would help and I was
right.

When you say you reinstalled, do you mean a repair install or clean
format? If the latter, then I'd say you have hardware issues, possibly
your nic or your cables or even your router. If you just installed "on
top", then you haven't cleaned out the problem. My experience with
removing tricksy worms and other malware is that it is quite difficult
and the usual Spybot/Ad-aware/CWShredder isn't enough. I picked up a
tool to get rid of the Peper trojan from a thread in the forums on
www.computercops.biz. Run HijackThis and post your log in the forums on
www.spywareinfo.com. Read the sticky on how to do this first.

Malke
 
No, it was just a repair install... that's the reason I wasn't
surprised it didn't help. And I don't suspect hardware because I don't
have the problem in Windows 98 (I dual boot). I'll try HiJack This and
see what it comes up with. Thanks for the suggestion.
 
I did run HiJack this. I haven't submitted it yet but I didn't see
anything in there that I didn't recognize and it was all stuff that was
in there before this problem began. I have compared running processes in
task manager when it is working and when it isn't. There's no difference.
I re-updated my virus definitions again tonight. I did a full scan in
Safe Mode with Networking. During the almost 3 hours it was scanning I
was surfing the internet. After the scan was over, I remained in Safe
Mode and continued to browse. I just now rebooted into normal mode and
I'll bet before I finish this post I will have lost my browsing
capability again. Anyways, it seems to be some process that loads in
normal mode that doesn't in Safe Mode. I guess I'll try the "clean boot"
thing next and see if I can isolate it that way. The problem there is
that it always works for the first few minutes, so every time I make a
change, I'll have to give it a half hour or so before I know if I found
the culprit!
I was right... I just tried my browser again and it won't do anything!
 
Did you call your ISP? Either it is software or hardware. You seem to
have exhausted all the software troubleshooting. So possibly some piece
of hardware is failing once it warms up. Change out the nic and cables.
I can't remember how you said you were getting to the Internet, but if
by dialup, change out your modem. If by dsl or cable, call your ISP to
change out *their* modem.

Malke
 
I have a T1. Everything works but HTTP in XP. In XP Safe Mode with
Networking it works alright. I also have Windows 98 (dual boot) and it
works fine there too. It's not browsing right now, but I can still do
news just fine. FTP is fine. Mail is fine. Norton Live update won't work
(it's http). I went into msconfig and disabled *everything*. When it
rebooted (it took forever), http worked for about 10 minutes, then quit,
just like it always does.
 
Hi, Menno. Then it must be something that is kicking in at that time in
Windows, maybe one of the Agobot trojans that is so hard to find. Do a
few things for me:

1. Make sure you have a real firewall like Sygate or Zonealarm installed
and have the notifications turned on. If it asks you if something even
a little bit odd can access the Internet, say "no" and make a note of
the name and location. You may have one of the Agobot/phatbot/gaobot
trojans that have been very hard to eradicate. I've been seeing this a
lot over the last few days. A box gets Sasser and then it gets
everything else, some of which aren't detected by Stinger and prevent
things like Live Update.

2. Find all the hosts files (including lmhosts) on your system and check
to be sure nothing is in there except:

127.0.0.1 localhost.

Let me know. It might be a while til I can get back to you because I'm
off now to pick up the kids and go directly to another Sasser-cleaning
call. However, I'll make sure to check back in the newsgroup before my
day is over (it's 2:25 PM in my world right now).

Malke
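
The hosts-file check from step 2 above, as an added example that is not part of the original thread: it walks a directory tree for files named hosts or lmhosts and reports every entry other than a loopback `localhost` line. The function names are hypothetical, and the sample content and hostnames are constructed.

```python
import ipaddress
import os

# Constructed sample, not taken from the thread (hostnames are placeholders).
SAMPLE = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   liveupdate.example.com   # update host pointed at loopback
0.0.0.0     www.av-vendor.example
203.0.113.7 www.bank.example login.bank.example
::1         localhost
bogus       something.example
"""

def find_hosts_files(root):
    """Yield every file under root named hosts or lmhosts (any case)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in ("hosts", "lmhosts"):
                yield os.path.join(dirpath, name)

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for each unexpected entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # text after '#' is a comment
        if not entry:
            continue
        address, *names = entry.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if ip.is_loopback and name.lower().rstrip(".") == "localhost":
                continue                          # the one entry expected
            if ip.is_loopback or ip.is_unspecified:
                reason = "name pinned to the local machine"
            else:
                reason = "name redirected to another address"
            findings.append((line_no, str(ip), name, reason))
    return findings

if __name__ == "__main__":
    for hit in audit_hosts(SAMPLE):
        print(hit)
```

In an lmhosts file, keywords such as `#PRE` follow the name after a `#`, so this treats them as comments and still reports the entry itself.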
 
That's what I do too. Kinda humbles a guy to have to ask for help.
I'm glad it happened on my own computer at least. And yes, Norton
grabbed one of those Gaobot trojans just before that started
happening. It just popped up and said it had fixed it. Unfortunately
I think it got it off a customer's computer who I had networked. His
had two instances of Sasser and two or three of gaobot plus many
more. But I got his all cleaned up and it was working fine. I'm in
Safe Mode at the moment and it just keeps plugging away. Apparently
even though you disable EVERYTHING in msconfig, something is still
loading in normal mode that doesn't in safe mode.
Save the lecture about networking customer's computers.... :-)
I like to learn the hard way.
I do have Zone Alarm on here but I usually don't run it behind the
router. When I do, it never logs anything at all. That's the reason I
figured I didn't need it. If I plug a computer direct into the T1
without a firewall running, I can almost it will "catch" a virus in 10
minutes time. I forgot right offhand which one, but it's the one with
brasil.exe and that other slew of files and puts a long list in win.ini
(on Win98 computers)
 
Menno said:
That's what I do too. Kinda humbles a guy to have to ask for help.

I know what you mean, but false pride is a luxury intelligent people
can't afford. I've learned that the smartest thing to do sometimes is
admit you don't know. Life is too short to be stupid.

Menno said:
I'm glad it happened on my own computer at least. And yes, Norton
grabbed one of those Gaobot trojans just before that started
happening. It just popped up and said it had fixed it.
Unfortunately I think it got it off a customer's computer who I had
networked. His had two instances of Sasser and two or three of
gaobot plus many more. But I got his all cleaned up and it was
working fine. I'm in Safe Mode at the moment and it just keeps
plugging away. Apparently even though you disable EVERYTHING in
msconfig, something is still loading in normal mode that doesn't in
safe mode.

I just got back from the latest. She had three variants of Sasser and
Agobot. Check out this article about the W32.HLLW.Polybot, often known
as Agobot, Phatbot, and a slew of other bots - it is very helpful in
showing where to look:

http://securityresponse.symantec.com/avcenter/venc/data
w32.hllw.polybot.html

Of course, you've noted that the url wraps in my newsreader.

Menno said:
Save the lecture about networking customer's computers.... :-)
I like to learn the hard way.

Did I say anything? I didn't have to, did I? ;-)

Menno said:
I do have Zone Alarm on here but I usually don't run it behind the
router. When I do, it never logs anything at all. That's the reason I
figured I didn't need it. If I plug a computer direct into the T1
without a firewall running, I can almost it will "catch" a virus in 10
minutes time. I forgot right offhand which one, but it's the one with
brasil.exe and that other slew of files and puts a long list in
win.ini (on Win98 computers)

I actually do run Sygate free version on the Windows boxen, even though
I'm behind a router to the cable connection. I like having a firewall
for exactly the reason that if something slips in, I have a chance of
catching it trying to get out. This is the way I cleaned up a client's
computer yesterday - after using the Sasser removal tool and Stinger, I
still couldn't get Task Manager/regedit to run and yet I didn't see
anything strange in msconfig. Then the eTrust firewall flagged
something almost innocuous and >bang!< - gotcha, you b*st*rd!

So, I do think you've got something like a polybot and I think that the
firewall will help catch it. And as I said in my first post, check the
hosts files. Let me know how things go for you.

Cheers,

A Tired Malke
 
Read it... got the manual removal instructions. None of the files or
registry entries were on my computer.
I'll keep digging.
(Working on 2 at once at present)

-
There are 3 kinds of people: Those who can count & those who can't.
 
I seem to have temporary relief. I plugged directly into the T1 and
set it to let DHCP pick an IP. I had no problem then, except that I was
"out" of my network. So I left the settings the same and plugged it back
into my router and let my router assign me an IP. It still continued to
work. But I need my static IP since I have assignments to it in the
router (like PCAnywhere). So I switched it back to the way it always was
(static IP) and it is STILL working. Even after a couple of reboots,
it's been hanging in there for over 24 hours now. I must have jostled
*something* loose... :-)
I hate it though. It's kinda like kicking something and it starts
working again. You never know what the damn problem was in the first
place.
Thanks for your suggestions and assistance. I too have been busy with
other people's problems... just got done with a 98 machine that had 38
instances of 11 viruses, and Pest Patrol got 2,358 "hits" on it... :-)
 
Glad you got it worked out. As for your last sentence, I hear you.
However, don't forget the alternative - wipe it! Especially in the case
of the heavily infected Win98 box, because it will probably never run
right afterwards anyway.

Malke
 
Hi, I am very interested in this issue because I work for a cable company in Mexico and we have several clients with
the same problem. We have tried the same things you mention plus the DNS flush, so if you have any other thing to try,
that will be good. As you mention, the problem appears only on Win XP and only in web browsing.

regards
 
Hi

Could you please quote the body of the message you are replying to?

--

Will Denny
MS-MVP Windows - Shell/User


| Hi I am very interested in this issue because i work for a cable company in mexico and we have several clients with
| the same problem we have try the same things you mention plus the dns flush so if you have any other thing to try
| will be good as you mention the problem apear only on win XP and and only en web browsing
|
| regards
 
