PC keeps dropping the internet connection. How can I force it to hang onto it? Why is it dropping it?

Specs:

Windows 7
Belkin Wireless N router
HD C: 172 GB
HD D: 115 GB
HD G: 465 GB external Rocstor HD
SW:
NAV 2010
Registry Mechanic 2010
Hijack This
AVG Free

My laptop keeps dropping the internet connection. There is no warning, it just drops it.

What I did and the results:
update NAV - run scan - clean
update Registry Mechanic - run scan - clean
update AVG Free - run scan - clean
Hijack This - run scan - ***will not complete***

I am assuming I must have a rootkit. How the heck do I get rid of it?? I looked at the Hijack This scan report and nothing seemed out of the ordinary other than that it stops early. I followed the instructions via DOS (suggested) and the action failed.

The action requested that failed:
1) RUN -> CMD -> notepad C:\Windows\System32\drivers\etc\hosts
2) delete items related to HiJack This

This command failed and never got to step 2

What should I be doing to get my computer to stop dropping the internet connection and otherwise behaving poorly?

Thanks!

Nancy McCullough asked:
John, Business Consultant (Owner), commented:
@cityqat - It is entirely within reason (many cases in my own experience) that your machine has been hosed beyond reasonable repair.

I would (now) make a complete backup of your email, favourites and documents. Then after some additional work, re-install the operating system if you cannot fix it.

... Thinkpads_User
0
 
scifo_dk commented:
If you think it's a rootkit, you could try with the RootkitBuster:
http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=355&regs=NABU&lang_loc=1#undefined

More info regarding that:
http://esupport.trendmicro.com/3/Using-the-Trend-Micro-RootkitBuster.aspx

When you say laptop, I assume you're running on wireless. Perhaps something's blocking your connection? You can use inSSIDer to check the connection strength:
http://www.metageek.net/products/inssider/

Also, to get rid of common annoying spyware etc. you can use Superantispyware. It sounds trashy, but it's very powerful:
http://www.superantispyware.com/

Hope this helps.

//Scifo_dk
0
 
John, Business Consultant (Owner), commented:
I would start with rootkit revealer from System Internals (now Microsoft). I think it now runs on Windows 7.  See if that tells you if you have a rootkit problem.

Long term, you should not be running 2 antivirus software packages on one computer. Pick one and use it. Pick which you want, but I have to take AVG out of new clients because it fails to protect. NAV is better than that.

With respect to wireless connections, make sure your NIC power management is set to maximum performance (Device Manager, Windows Power manager and 3rd party power manager if you have one).

Start there, and let us know. ... Thinkpads_User
0

 
stubbsmc2 commented:
Hi there,
Well, if you are having a hard time getting tools on Windows to complete and scan for a rootkit, then I would suggest downloading the Kaspersky rescue disk and burning it to make a live boot disk.
Download from
http://support.kaspersky.com/faq/?qid=208282163
Then burn to disk using your favorite recorder (I like InfraRecorder).
NOTE: When you live boot, accept all the defaults and it will boot you into a Linux KDE kernel with GUI. If you have the internet connected you can set up the NIC card and get the very up-to-date definitions.
Set up NIC: click their version of "Start" in the lower left corner. Set up NIC, manually define IP and subnet, and run update.
Even the quick scan should find any rootkits.
Disinfect and then reboot.
Good luck,
Matthew
0
 
Nancy McCullough (Author) commented:
wow - lots of replies. I will work on these tonight and let you know how far I get (and if i have success)

Thanks!
0
 
Nancy McCullough (Author) commented:
Forgot to mention that I do have wireless, but I prefer wired (faster) - so wired I am.
The internet has slowed to near turtle speed.....
0
 
kachro commented:
Hello,
First try checking if there is some type of connection from your laptop to the internet that you're not aware of.
Run command prompt as administrator and type netstat (first close any program that might use the internet connection, such as uTorrent, Outlook, etc.). If you don't have any program open, the netstat command should return no output. If you see any output, then try netstat -b. This command tells you which executable program has access to the internet.

write back the output, and maybe I could help you a little more!
0
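As an added example of the check kachro describes (not code from this thread), the script below parses the output of `netstat -bno` and groups each connection by the executable that owns it, so the lines worth posting back are the ones owned by a program you do not recognise. The sample output is constructed to mirror the layout netstat prints on Windows 7 (connection line, an optional service-component line for svchost-hosted services, then the executable in brackets); the EXPECTED set is an assumed baseline of programs this user normally runs, not anything from the page. Note that `-b` only works from an elevated command prompt.

```python
"""Summarize `netstat -bno` output by owning executable.

Added example for the netstat advice above; not code from the thread.
SAMPLE is constructed to mirror Windows 7 `netstat -bno` output, and
EXPECTED is an assumed baseline of programs this user runs.
Usage on the real machine, from an elevated prompt (-b needs elevation):
    netstat -bno > netstat.txt
    python netstat_summary.py netstat.txt
"""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: documentation IP ranges, invented process names.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49170     198.51.100.7:443       ESTABLISHED     1836
 [firefox.exe]
  TCP    192.168.1.20:49172     198.51.100.7:443       ESTABLISHED     1836
 [firefox.exe]
  TCP    192.168.1.20:49188     192.0.2.15:8080        ESTABLISHED     2480
 [updsvc.exe]
  TCP    192.168.1.20:49190     203.0.113.9:80         TIME_WAIT       0
  TCP    192.168.1.20:49201     198.51.100.40:443      ESTABLISHED     912
  CryptSvc
 [svchost.exe]
  UDP    0.0.0.0:68             *:*                                    912
  Dhcp
 [svchost.exe]
"""

# Assumed baseline: executables this user expects to talk to the network.
EXPECTED = {"firefox.exe", "svchost.exe"}

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(.*)$")


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str           # empty for UDP, which has no state column
    pid: Optional[int]   # None when netstat was run without -o
    exe: str = ""        # from the bracketed line, if netstat could attribute it
    component: str = ""  # service name for svchost-hosted services


def parse_netstat_b(text: str) -> list:
    """Turn netstat -bno text into Conn records, attaching the executable
    (and service component) lines that follow each connection line."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active", "Proto", "Can not obtain")):
            continue
        m = CONN_RE.match(raw)
        if m:
            rest = m.group(4).split()
            pid = int(rest.pop()) if rest and rest[-1].isdigit() else None
            state = rest[0] if rest else ""
            conns.append(Conn(m.group(1), m.group(2), m.group(3), state, pid))
        elif conns and line.startswith("[") and line.endswith("]"):
            conns[-1].exe = line[1:-1]
        elif conns:
            conns[-1].component = line
    return conns


def remote_port(c: Conn) -> str:
    return c.remote.rsplit(":", 1)[-1]


def by_executable(conns) -> dict:
    """Group connections by owning executable (or by PID when unattributed)."""
    groups = defaultdict(list)
    for c in conns:
        groups[c.exe or f"<unattributed pid {c.pid}>"].append(c)
    return dict(groups)


def unexpected(conns, expected=EXPECTED) -> list:
    """Connections owned by a program outside the baseline; sockets with a
    '*:*' peer (listening only) are skipped."""
    return [c for c in conns
            if c.exe and c.exe not in expected and c.remote != "*:*"]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    conns = parse_netstat_b(text)
    for exe, group in sorted(by_executable(conns).items()):
        peers = sorted({f"{c.remote}/{c.proto}" for c in group})
        print(f"{exe:24} {len(group):2} conn(s): {', '.join(peers)}")
    for c in unexpected(conns):
        print(f"REVIEW: {c.exe} (pid {c.pid}) -> {c.remote} "
              f"port {remote_port(c)} {c.state}")
```

Run without an argument it summarises the constructed sample; with a file argument it summarises a saved `netstat -bno` capture. TIME_WAIT entries carry PID 0 and no executable, which is normal, so the script only flags connections it can attribute to a program.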
 
Nancy McCullough (Author) commented:
Attached is the netstat results april-9.docx
0
 
kachro commented:
citygat, please try to run netstat -b this time (as I mentioned in my previous post) so I can see which executables maintain those connections.

Thanks
0
 
Nancy McCullough (Author) commented:
When I try to run a rootkit revealer or buster program (I've tried 2 programs), this is the message I get:

"Unable to copy driver to System32/drivers. The program will now terminate. Verify that you are logged in as administrator and that the drive is not full, and then try again."
0
 
scifo_dk commented:
You should run it as administrator. Right-click the program, and choose "Run as administrator". Then it should work.
0
 
Nancy McCullough (Author) commented:
I uninstalled AVG and as it completed the process of uninstallation, Rootkit Buster started running!
There are lots of results and I want to fix them, but the screen dips below the toolbar at the bottom. ***dumb question alert*** How do I hide that bar in Windows 7?

These are the results:

[Edit to move log text to 'Code']
younghv


+----------------------------------------------------
| Trend Micro RootkitBuster 
| Module version: 3.60.0.1016
| Computer Name: RAT
| User Name: User
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Value]:
	KeyPath   : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted
	Root      : 0
	SubKey    : Restricted
	ValueName : ccc
	Data      : 48 E7 E 92 58 B3 13 E6 ...
	ValueType : 3
	AccessType: 0
	FullLength: 0x66
	DataSize  : 0xc8
[HIDDEN_REGISTRY][Hidden Reg Key]:
	KeyPath   : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002421d23ff5
	SubKey    : 002421d23ff5
	FullLength: 0x59
[HIDDEN_REGISTRY][Hidden Reg Value]:
	KeyPath   : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP
	Root      : 0
	SubKey    : DHCP
	ValueName : Collection
	Data      : 
	ValueType : 3
	AccessType: 0
	FullLength: 0x58
	DataSize  : 0
[HIDDEN_REGISTRY][Hidden Reg Value]:
	KeyPath   : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap
	Root      : 0
	SubKey    : RPC-EPMap
	ValueName : Collection
	Data      : 87 0 1 0 
	ValueType : 3
	AccessType: 0
	FullLength: 0x5d
	DataSize  : 0x4
[HIDDEN_REGISTRY][Hidden Reg Value]:
	KeyPath   : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo
	Root      : 0
	SubKey    : Teredo
	ValueName : Collection
	Data      : 
	ValueType : 3
	AccessType: 0
	FullLength: 0x5a
	DataSize  : 0
 5 hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
	Service API     : ZwAlertResumeThread
	Image Path      : 
	OriginalHandler : 0x830efe1d
	CurrentHandler  : 0x86615f28
	ServiceNumber   : 0xd
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwAlertThread
	Image Path      : 
	OriginalHandler : 0x8309dbf8
	CurrentHandler  : 0x86615008
	ServiceNumber   : 0xe
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwAllocateVirtualMemory
	Image Path      : 
	OriginalHandler : 0x8305f2eb
	CurrentHandler  : 0x86614940
	ServiceNumber   : 0x13
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwAlpcConnectPort
	Image Path      : 
	OriginalHandler : 0x83066cfd
	CurrentHandler  : 0x86db9138
	ServiceNumber   : 0x16
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwAssignProcessToJobObject
	Image Path      : 
	OriginalHandler : 0x8300a724
	CurrentHandler  : 0x866156d0
	ServiceNumber   : 0x2b
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwCreateMutant
	Image Path      : 
	OriginalHandler : 0x830920f5
	CurrentHandler  : 0x86615c78
	ServiceNumber   : 0x4a
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwCreateSymbolicLinkObject
	Image Path      : 
	OriginalHandler : 0x830223cb
	CurrentHandler  : 0x866153f0
	ServiceNumber   : 0x56
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwCreateThread
	Image Path      : 
	OriginalHandler : 0x830ee0b2
	CurrentHandler  : 0x86614e08
	ServiceNumber   : 0x57
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwCreateThreadEx
	Image Path      : 
	OriginalHandler : 0x8304c221
	CurrentHandler  : 0x866154e0
	ServiceNumber   : 0x58
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwDebugActiveProcess
	Image Path      : 
	OriginalHandler : 0x830c368c
	CurrentHandler  : 0x866157b0
	ServiceNumber   : 0x60
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwDuplicateObject
	Image Path      : 
	OriginalHandler : 0x8308f5a2
	CurrentHandler  : 0x86614b10
	ServiceNumber   : 0x6f
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwFreeVirtualMemory
	Image Path      : 
	OriginalHandler : 0x82ec6921
	CurrentHandler  : 0x86614760
	ServiceNumber   : 0x83
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwImpersonateAnonymousToken
	Image Path      : 
	OriginalHandler : 0x83005f56
	CurrentHandler  : 0x86615d68
	ServiceNumber   : 0x91
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwImpersonateThread
	Image Path      : 
	OriginalHandler : 0x8306bb19
	CurrentHandler  : 0x86615e48
	ServiceNumber   : 0x93
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwLoadDriver
	Image Path      : 
	OriginalHandler : 0x82fb428f
	CurrentHandler  : 0x86b04048
	ServiceNumber   : 0x9b
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwMapViewOfSection
	Image Path      : 
	OriginalHandler : 0x830923b7
	CurrentHandler  : 0x86614660
	ServiceNumber   : 0xa8
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwOpenEvent
	Image Path      : 
	OriginalHandler : 0x83094a47
	CurrentHandler  : 0x86615b98
	ServiceNumber   : 0xb1
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwOpenProcess
	Image Path      : C:\windows\system32\DRIVERS\AVGIDSShim.Sys
	OriginalHandler : 0x83094a11
	CurrentHandler  : 0x9501d780
	ServiceNumber   : 0xbe
	ModuleName      : AVGIDSShim.Sys
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwOpenProcessToken
	Image Path      : 
	OriginalHandler : 0x8304fdc1
	CurrentHandler  : 0x86614a30
	ServiceNumber   : 0xbf
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwOpenSection
	Image Path      : 
	OriginalHandler : 0x8309269a
	CurrentHandler  : 0x866159d8
	ServiceNumber   : 0xc2
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwOpenThread
	Image Path      : 
	OriginalHandler : 0x83093368
	CurrentHandler  : 0x86614c00
	ServiceNumber   : 0xc6
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwProtectVirtualMemory
	Image Path      : 
	OriginalHandler : 0x83093121
	CurrentHandler  : 0x866155e0
	ServiceNumber   : 0xd7
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwResumeThread
	Image Path      : 
	OriginalHandler : 0x830854af
	CurrentHandler  : 0x86614110
	ServiceNumber   : 0x130
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwSetContextThread
	Image Path      : 
	OriginalHandler : 0x830ef1b7
	CurrentHandler  : 0x866143b0
	ServiceNumber   : 0x13c
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwSetInformationProcess
	Image Path      : 
	OriginalHandler : 0x830608e5
	CurrentHandler  : 0x86614490
	ServiceNumber   : 0x14d
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwSetSystemInformation
	Image Path      : 
	OriginalHandler : 0x8309e2d5
	CurrentHandler  : 0x86615890
	ServiceNumber   : 0x15e
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwSuspendProcess
	Image Path      : 
	OriginalHandler : 0x830efd57
	CurrentHandler  : 0x86615ab8
	ServiceNumber   : 0x16e
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwSuspendThread
	Image Path      : 
	OriginalHandler : 0x830acb36
	CurrentHandler  : 0x866141f0
	ServiceNumber   : 0x16f
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwTerminateProcess
	Image Path      : C:\windows\system32\DRIVERS\AVGIDSShim.Sys
	OriginalHandler : 0x8307501d
	CurrentHandler  : 0x9501d830
	ServiceNumber   : 0x172
	ModuleName      : AVGIDSShim.Sys
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwTerminateThread
	Image Path      : C:\windows\system32\DRIVERS\AVGIDSShim.Sys
	OriginalHandler : 0x83087dc4
	CurrentHandler  : 0x9501d8d0
	ServiceNumber   : 0x173
	ModuleName      : AVGIDSShim.Sys
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwUnmapViewOfSection
	Image Path      : 
	OriginalHandler : 0x8308f1bc
	CurrentHandler  : 0x86614580
	ServiceNumber   : 0x181
	ModuleName      : 
	SDTType         : 0x0
[HOOKED_SERVICE_API]:
	Service API     : ZwWriteVirtualMemory
	Image Path      : C:\windows\system32\DRIVERS\AVGIDSShim.Sys
	OriginalHandler : 0x8309aa95
	CurrentHandler  : 0x9501d970
	ServiceNumber   : 0x18f
	ModuleName      : AVGIDSShim.Sys
	SDTType         : 0x0


--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.


0
 
Nancy McCullough (Author) commented:
oh sorry! I didn't know the results were that long! I will paste into a document next time - my bad.
0
 
Nancy McCullough (Author) commented:
@kachro - I try to run netstat -b and it says I have to elevate my position, though I am running as administrator..... what the heck?

@ EVERYBODY:

DO I NEED TO REINSTALL MY OS? Am I really at the end of my options?
0
 
John, Business Consultant (Owner), commented:
When you get deeply embedded malware and rootkit malware (the point of which is to steal your financial and banking information), so-called corrective software may have no option but to wreck the OS when making repairs. Further, some of this stuff is so severe that it lays in wait anyway.

So my comment was geared in this direction. I have seen it happen enough times.

If you can manage to clean it out, you might be lucky, but my experience is against it.

... Thinkpads_User
0
 
scifo_dk commented:
I have to agree with thinkpads_user, you're best off with a fresh install.

You can attempt to clean manually, but it's very comprehensive, and has a high risk of failure. And that is in my book a waste of time.

IF you want to try and fix it, you need to google all the entries from the dump file, and see if one of them is recognized as a problem - and then look for a manual fix.
If all the entries are fine, you can do a HijackThis scan to look at processes, and then google again.
Link to HijackThis: http://free.antivirus.com/hijackthis/

Again this is a very comprehensive solution, and it is not certain to end up good.
0
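As an added example (not code from this thread or from Trend Micro) of how to work through the RootkitBuster dump posted earlier before looking up entries one by one, the script below parses the `[HOOKED_SERVICE_API]` section and groups the hooks by the module RootkitBuster attributed them to. In the posted log, a handful of hooks name `C:\windows\system32\DRIVERS\AVGIDSShim.Sys`, while the majority have an empty Image Path and ModuleName, meaning the scanner could not tie the replacement handler to any loaded driver image; those unattributed hooks are the ones to research first. The LOG_EXCERPT below is four entries copied from the posted log. Reading AVGIDSShim.Sys as the driver of the AVG product listed in the question is an assumption from the file name.

```python
"""Triage the SSDT hook list in a Trend Micro RootkitBuster log.

Added example for the "look up every entry" advice above; not code from the
thread or from Trend Micro.  LOG_EXCERPT is four entries copied from the log
posted earlier in the thread.  Hooks with an empty ModuleName are listed
separately, ordered by handler address, so the reader sees which APIs are
redirected to code the scanner could not attribute to any driver image.
Usage: python rkb_triage.py RootkitBuster.log
"""
import sys
from collections import defaultdict

LOG_EXCERPT = r"""
--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
    Service API     : ZwAlertResumeThread
    Image Path      : 
    OriginalHandler : 0x830efe1d
    CurrentHandler  : 0x86615f28
    ServiceNumber   : 0xd
    ModuleName      : 
    SDTType         : 0x0
[HOOKED_SERVICE_API]:
    Service API     : ZwLoadDriver
    Image Path      : 
    OriginalHandler : 0x82fb428f
    CurrentHandler  : 0x86b04048
    ServiceNumber   : 0x9b
    ModuleName      : 
    SDTType         : 0x0
[HOOKED_SERVICE_API]:
    Service API     : ZwOpenProcess
    Image Path      : C:\windows\system32\DRIVERS\AVGIDSShim.Sys
    OriginalHandler : 0x83094a11
    CurrentHandler  : 0x9501d780
    ServiceNumber   : 0xbe
    ModuleName      : AVGIDSShim.Sys
    SDTType         : 0x0
[HOOKED_SERVICE_API]:
    Service API     : ZwTerminateProcess
    Image Path      : C:\windows\system32\DRIVERS\AVGIDSShim.Sys
    OriginalHandler : 0x8307501d
    CurrentHandler  : 0x9501d830
    ServiceNumber   : 0x172
    ModuleName      : AVGIDSShim.Sys
    SDTType         : 0x0

--== Dump Hidden Port ==--
No hidden ports found.
"""

HOOK_MARK = "[HOOKED_SERVICE_API]:"
SECTION_MARK = "--=="


def parse_hooks(text: str) -> list:
    """Return one dict per [HOOKED_SERVICE_API] entry, keyed by field name.
    A new '--==' section header ends the hook list."""
    hooks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(SECTION_MARK):
            cur = None
        elif line == HOOK_MARK:
            cur = {}
            hooks.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return hooks


def by_module(hooks) -> dict:
    """Map module name ('' = no owning image found) to sorted API names."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h.get("ModuleName", "")].append(h["Service API"])
    return {mod: sorted(apis) for mod, apis in groups.items()}


def unattributed(hooks) -> list:
    """(CurrentHandler, API) pairs for hooks with no module, sorted by
    address so handlers that sit close together stand out as one body of code."""
    return sorted((int(h["CurrentHandler"], 16), h["Service API"])
                  for h in hooks if not h.get("ModuleName"))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LOG_EXCERPT
    hooks = parse_hooks(text)
    print(f"{len(hooks)} hooked service APIs")
    for mod, apis in sorted(by_module(hooks).items()):
        print(f"{mod or '<no module: investigate first>'}: {', '.join(apis)}")
    for addr, api in unattributed(hooks):
        print(f"  {addr:#010x}  {api}")
```

Pointed at the full posted log, this separates the four AVG-attributed hooks from the roughly thirty unattributed ones and lists the latter by handler address, which is the order in which one would look them up.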
 
Nancy McCullough (Author) commented:
....am deep in the midst of the reinstallation of everything. ugh. I'll let you know how it goes as the day goes on.

Thx.
0
 
John, Business Consultant (Owner), commented:
This is Windows 7, so look for and find EMET V2 from Microsoft and install it (in addition to any AntiVirus). Read what it can do and set it up. Address Space Layout Randomization (enforced by EMET) goes a long way to preventing much malware. ... Thinkpads_User
0
 
Nancy McCullough (Author) commented:
K - everything is reinstalled and put back in order. My PC is *STILL* dropping the internet connection like a bad babysitter drops babies. grrrr....

I am gonna do some scans for rootkits. Perhaps I just put the rootkit back on my drive unknowingly? I'll keep ya posted.

0
 
John, Business Consultant (Owner), commented:
Bad news. I would be inclined to try again. Delete all partitions, set up a new one, do a full format, then install Windows 7 and nothing else until you check out the stability of the internet connection. You indeed may have put a rootkit back on.

... Thinkpads_User
0
 
Nancy McCullough (Author) commented:
I just got everything back to normal - a seemingly stable normal. I am gonna hold out to see if this thing starts behaving badly again. (I just can't sit here for another 7.5 hrs staring at the screen) If it starts the same shit, different pile.... well, we will have to cross that bridge when we come to it. I will call this a tepid and precarious solution. lol
0
 
Nancy McCullough (Author) commented:
Not sure if it will work for long (precarious and unpredictable connection), but for now things are relatively stable in comparison to what it was before we started.... Thank you for all your help!
0
 
John, Business Consultant (Owner), commented:
Thank you for the update. I was pleased to help. ... Thinkpads_User
0
 
scifo_dk commented:
You're welcome! :)
0
 
stubbsmc2 commented:
Glad you got an accepted answer. Just wanted to note though, for accuracy's sake and for future problems people may face with viruses and rootkits: using boot CDs from the major antivirus companies is a valid solution. They are designed by companies like Kaspersky and Trend Micro specifically to remove hard-to-cure viruses and avoid a total system restore. I have used the method on over a dozen Windows machines from XP to 7 and all my clients are still running fine. Is it a perfect solution all the time? No. However, even removing a virus/malware from within the OS can break your registry or Winsock and force a reinstall. There is always some potential for breakage. That is why backups are so important.
One final note. I am newer here at participating in answers, so please understand I respect and have used answers from high-ranking experts on this site for some time. Always a time-tested source of knowledge and answers.
0
 
Nancy McCullough (Author) commented:
Thank you all! I think my system was beyond salvation and needed the reinstall. Pain in the a**, but now it's working beautifully :) I am truly thankful that I have an external HD and backups of everything all over the gosh darned place on various modes (USB stick, DVD, HD, etc). Nothing was lost - a small miracle on its own!

Thanks again!



0