
Welcome to IWETHEY!

New W2KPro loses connectivity after 5 mins on dial-up.
Hi,

Doing a bit of troubleshooting on a friend's PC and this particular problem has me flummoxed.

After having been dialled up for 5 minutes, all connectivity to the ISP basically disappears. None of the ipconfig settings have changed, but everything becomes un-ping-able, except the IP address of the PC itself.

I tried to release/renew the DHCP lease to see if that would do anything, but no joy (can't remember the actual error msg unfortunately). An ipconfig /all before and after the problem struck showed no differences. I checked the system event logs and that gave no clues either :(

Their CDROM drive didn't work, so my plan of running AVG on it didn't come to fruition.

These folks run IE and Outlook, so I'm guessing/hoping it's a virus. Just wondering if anyone has heard of this type of behaviour before.


(Next time I go see them, I'm taking a CD-ROM drive with me as well, in order to run AVG, Ad-Aware, and get a Real Browser onto the system, too.)

PS: Just learnt something. Safari doesn't support Undo when entering text into forms such as these. Man, that does suck. Yes, I just had to retype most of this message after a slip...
John. Busy lad.
New Try Knoppix if possible

Note though that I (and other people) are reporting similar problems with [link|http://www.earthlink.net/|my brain-dead ISP]. Range of OSs from 'doze to 'nix. Noisy phone lines or lack of keepalives, bad firewalling, can all contribute. So don't blame the user yet.

--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.

   Keep software free.     Oppose the CBDTPA.     Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]
New Did you try this:
rip out the TCP/IP and Modem drivers and reinstall them. They could be damaged in some way. Very likely this happened as Windows is unstable that way.

Did you try pinging the gateway or DNS IP address? Not the host names, but the IP addresses. If this doesn't ping, chances are the ISP dropped the TCP/IP connection on you but left the modem connection open.

Also try from a DOS prompt:

IPCONFIG /RELEASE

IPCONFIG /RENEW

See if that repairs the connection.

As far as Virus scanning, you could copy small files you suspect are infected to a floppy disk and scan the floppy on a computer you know is not infected and has a Virus Scanner. Keep trying files until you find one that is infected or get tired of trying. Either that or take the hard drive out and mount it as a slave on another computer and scan it and don't otherwise access files on it from the primary hard drive. Once you have the hard drive on the other computer, you can copy whatever files you want to install on their hard drive.

A bad CD-ROM is a good indication that something is seriously wrong with the computer. Could be bad hardware. I've heard of software destroying CD-ROMs before, but thought it was rare. Slashdot had an article on Mandrake 9.1 destroying LG CD-ROMs. I had a friend who had a DVD-ROM shatter a disk for some reason and it put pieces of plastic and dust all over the drive. No reason for doing that, but he had been downloading all sorts of programs from Kazaa and had over 20 trojans I cleaned off his system. So maybe a Trojan did it?

I agree with Kmself, try Knoppix and see if you get the same problems there. If so, it is the ISP. If not, it is something wrong with Windows.

Edit: Cited the wrong person for Knoppix suggestion.



"Lady I only speak two languages, English and Bad English!" - Corbin Dallas "The Fifth Element"

Edited by orion Oct. 26, 2003, 08:29:21 AM EST
New sounds like a worm
-drl
New Does the ISP use a windoze RAS?
Sounds like doze network authentication kicking him off. Saw the same thing with OSX into a dialup windoze lan.
thanx,
bill
"You're just like me streak. You never left the free-fire zone. You think aspirins and meetings and cold showers are going to clean out your head. What you want is God's permission to paint the trees with the bad guys. That won't happen big mon." Clete
questions, help? [link|mailto:pappas@catholic.org|email pappas at catholic.org]
New Problem solved (so far)
Finally got Ad-Aware and AVG on there - their system had Nachi worm and MSBlaster worm. But - not any more :)

So, am dialled up on the machine right now, and have passed the 20 minute mark with flying colours. So, I don't have to hand in my Geek badge after all :-)

Thanks for your suggestions.

Edit: Spelling/typos.
John. Busy lad.
Edited by Meerkat Oct. 30, 2003, 07:01:08 AM EST
New Don't remove nachi... it's a good worm
Really... [link|http://www.microsoft.com/security/antivirus/nachi.asp|http://www.microsoft...tivirus/nachi.asp]
I found it on one of my 2k servers last week (behind three firewalls - border router and sidewinder - running McAfee Personal Firewall). Must have been when the fscker was booting up the very first time behind the NAT... Note to Win Admins... The frigging 10 seconds before McAfee Firewall loads is more than enough time to be hacked. Pull the plug on your servers after reboot until desired time (or disable the nic).

Speaking of W2K administration - I'm getting sick of patching W2K machines. It's a full time job. Just reading the security bulletins on a semi-weekly basis is tiresome. The server that got nachi has only 25 out, 80 and 443 open. All services (cept iis and SQL) have been turned off... How do you protect against this shit?

Think about it. The "cracker/hacker/whatever" that wrote nachi was trying to help us out... Just bitching. Never mind.
Just a few thoughts,

Screamer


But take your time, think a lot,
Why, think of everything you've got.
For you will still be here tomorrow, but your dreams may not.


Y. Islam - Father and Son
New Remove nachi... it's a bad worm
Network administrators found Nachi created more network traffic than Blaster did and brought operations to a crawl in some cases.
[link|http://www.aaxnet.com|AAx]
New It killed our network here
Effectively an internal DoS. Nice? My ass!
-----
Steve
New Poor attempt at sarcasm on my part?
I'm getting the feeling that the payload of nachi is an in your face "feeling sorry for you poor bastards"... No doubt that it creates traffic. Fortunately for me, all my firewalls stopped it from showing that side of itself. Hey, at least the firewalls are good for something...
Just a few thoughts,

Screamer


But take your time, think a lot,
Why, think of everything you've got.
For you will still be here tomorrow, but your dreams may not.


Y. Islam - Father and Son
     W2KPro loses connectivity after 5 mins on dial-up. - (Meerkat) - (9)
         Try Knoppix if possible - (kmself)
         Did you try this: - (orion)
         sounds like a worm -NT - (deSitter)
         Does the ISP use a windoze RAS? - (boxley)
         Problem solved (so far) - (Meerkat) - (4)
             Don't remove nachi... it's a good worm - (screamer) - (3)
                 Remove nachi... it's a bad worm - (Andrew Grygus) - (2)
                     It killed our network here - (Steve Lowe)
                     Poor attempt at sarcasm on my part? - (screamer)
