
Persistent, vexing and perplexing internet problems

tarnok Registered User regular
Some background may be useful. I live with two other people. We share a cable internet connection through a wireless router. Some time back we had a noticeable slowdown in our internet speed and a friend removed some malware from our computers. The situation, oddly enough, failed to improve. It has, in fact, become worse.

Webpages frequently and persistently refuse to load resulting in a "Could not connect" message from Firefox. When pages do load they are usually missing images or formatting data. Repeated scans with different programs have failed to reveal any viri. And here's the craziest thing of all. We're almost completely unable to visit any webpages, but experience no noticeable difficulty playing WoW. Not even with all three of us on at once.

So the explanation for this has to cover all three computers on a home network, but apply to webpage traffic but not WoW traffic.

Any help would be greatly appreciated.

Wii Code:
0431-6094-6446-7088

Posts

  • Teth __BANNED USERS regular
    edited December 2009
    Assuming you're using Windows (from the malware comment):

    Check the hosts file on all of your systems (%systemdrive%\Windows\System32\Drivers\etc\hosts). All that should be there is "127.0.0.1 localhost" (no quotes). Next check the proxy settings on all of your browsers. Unless your ISP or work demands one, you should not be using a proxy. Some malware modifies both the host file and the proxy settings of your browser (yes, even Firefox).

    Next cold boot a system (shut it completely off then start it), do a "start" > "run" > "cmd" > and issue the command "nslookup google.com". The first "Address:" listing should be the IP address of your router, which is providing name resolution (DNS) from your ISP. Now, do this command:

    ipconfig /flushdns

    Then perform another nslookup and see if that first Address: listing changed. Or, even the IP address(es) returned. Some malware actually modifies the registry entries responsible for setting your DNS servers regardless of what you configured manually within the NIC drivers/network config utils. If it was not your router's IP to begin with, or changes after the /flushdns, then you still have malware.

    EDIT: in addition to these things, there's still various other registry settings related to the search provider your browser uses, and other things that will influence how name resolution and/or HTTP (web) requests are handled by the client (your computer). I have a feeling you all still have compromised systems.

    #1
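
The before/after nslookup comparison described in the post above, as an added example that is not part of the original thread. The function names, the transcripts and the 203.0.113.53 resolver are constructed for illustration; the router address is the one an operator would pass in.

```python
import re

# Constructed transcripts in the layout nslookup prints on Windows;
# 203.0.113.53 is a documentation address standing in for an unexpected resolver.
BEFORE = """\
*** Can't find server name for address 192.168.1.1: Non-existent domain
Server:  UnKnown
Address: 192.168.1.1

Non-authoritative answer:
Name:   www.l.google.com
Addresses: 74.125.65.147, 74.125.65.99
                74.125.65.103
"""
AFTER = """\
Server:  UnKnown
Address: 203.0.113.53

DNS request timed out.
       timeout was 2 seconds.
*** Request to UnKnown timed-out
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_nslookup(text):
    """Return the resolver that was asked, the answers, and timeout state."""
    m = re.search(r"^Address:\s*(\S+)", text, re.M)  # first Address: = resolver
    body = text[m.end():] if m else text
    return {"resolver": m.group(1) if m else None,
            "answers": set(IPV4.findall(body)),
            "timed_out": "timed out" in body.lower()}

def compare_runs(before, after, router):
    """Flag a resolver that is not the router, timeouts, and changed answers."""
    b, a = parse_nslookup(before), parse_nslookup(after)
    findings = []
    for label, run in (("before flush", b), ("after flush", a)):
        if run["resolver"] != router:
            findings.append(f"{label}: resolver is {run['resolver']}, not {router}")
        if run["timed_out"]:
            findings.append(f"{label}: lookup timed out")
    if b["answers"] and a["answers"] and b["answers"] != a["answers"]:
        findings.append("answer set changed between runs")
    return findings

if __name__ == "__main__":
    for finding in compare_runs(BEFORE, AFTER, "192.168.1.1"):
        print(finding)
```

A changed answer set on its own is weak evidence, since large sites rotate the addresses they return; a resolver address that is not the router is the stronger signal.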
  • tarnok Registered User regular
    edited December 2009
    I'm about to do the reboot but before I do I wanted to mention that my host file is pretty large but at least partly because one of the anti-malware programs I'm using modified it to block known bad addresses. Is there any way I can tell if one of the entries is malicious?

    Wii Code:
    0431-6094-6446-7088
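
One way to triage a large hosts file like the one described above, as an added example that is not part of the original thread: blocklist tools typically point names at a loopback or 0.0.0.0 address, so entries that map a name to any other address are the ones to review by hand. The function name `audit_hosts` and the sample file contents are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the thread): blocklist-style
# entries plus one entry that redirects names to a routable address.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.example    # added by a blocklist tool
0.0.0.0         malware-cdn.example
203.0.113.45    www.bank.example login.bank.example
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Classify hosts-file entries as sinkholed, redirected or malformed."""
    sinkholed, redirected, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, line))
            continue
        if len(fields) < 2:  # an address with no hostname after it
            malformed.append((lineno, line))
            continue
        if addr.is_loopback or addr.is_unspecified:
            # Loopback / 0.0.0.0 targets go nowhere: how blocklists work.
            sinkholed.extend(fields[1:])
        else:
            # Any other target sends the name to a real host: review it.
            redirected.extend((lineno, n, str(addr)) for n in fields[1:])
    return sinkholed, redirected, malformed

if __name__ == "__main__":
    sink, redir, bad = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(sink)} names point at loopback/0.0.0.0")
    for lineno, name, addr in redir:
        print(f"REVIEW line {lineno}: {name} -> {addr}")
    for lineno, line in bad:
        print(f"MALFORMED line {lineno}: {line}")
```

Sinkholed names cannot redirect traffic, but it is still worth checking that none of them is a site the machine needs, such as an antivirus update server.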
  • tarnok Registered User regular
    edited December 2009
    I got some alarming results which it looks like I'll have to type in manually.

    First I did "nslookup www.google.com"
    *** Can't find server name for address 192.168.1.1: Non-existent domain
    *** Default servers are not available
    Server: UnKnown
    Address: 192.168.1.1
    
    Non-authoritative answer:
    Name:   www.l.google.com
    Addresses: 74.125.65.147, 74.125.65.99, 74.125.65.103, 74.125.65.104
                    74.125.65.105, 74.125.65.106
    Aliases:   www.google.com
    

    Then I got back here and thought that maybe I'd fucked it up by putting in the "www" so I tried just "nslookup google.com" and got this:
    *** Can't find server name for address 192.168.1.1: Timed out
    *** Default servers are not available
    Server:  UnKnown
    Address: 192.168.1.1
    
    DNS request timed out.
           timeout was 2 seconds.
    DNS request timed out.
           timeout was 2 seconds.
    *** Request to UnKnown timed-out
    

    192.168.1.1 is indeed my router. I was connected to it just the other day trying to see if I could update the firmware (an operation that I have determined I'll have to borrow my roommate's computer for).

    Wii Code:
    0431-6094-6446-7088
  • SiliconStew Registered User regular
    edited December 2009
    Certainly looks like DNS problems.

    Go to Start -> Run. Type in (no quote marks in any of these) "cmd". In the command window, type in "ipconfig /all". Look for the entry for your wireless connection. What does it show for "DHCP Enabled" and "DNS Servers"?

    If it is showing "Yes" and "192.168.1.1", then go into your router config page and try temporarily changing the DNS server settings to "8.8.8.8" and "8.8.4.4". Those are DNS servers run by Google and will bypass any problems your ISP's servers might be having.

    If it shows "No" and some other addresses, then go into the wireless network connection properties on your computer and temporarily change the DNS Servers to "8.8.8.8" and "8.8.4.4".

    See if it clears up after changing those settings.

    Just remember that half the people you meet are below average intelligence.
  • Teth __BANNED USERS regular
    edited December 2009
    It's OK to get a bunch of IP addresses for one site. Aside from manually checking, not sure how to see if an entry is malicious.

    Do a complete recycle, starting with your cable modem. Disconnect and power off your wifi router, then turn off the modem for a few minutes. Power on the modem and wait until it's done doing its thing, then your wifi router.

    Once that's all good, I'd recommend updating the firmware in your router. Also, how old is that cable modem? Grab the model number and call up your ISP, make sure they still support it.

    #1
  • tarnok Registered User regular
    edited December 2009
    Well, my friend was over last night and we seem to have gotten it straightened out.

    We determined that since my girlfriend had the same symptoms on her laptop when she was here, but not at home the problem must be either with the router or our internet connection rather than a virus. With this in mind he looked at the router settings for a bit then upgraded the firmware and everything worked.

    His theory is that when one of the computers was infected we used it to log into the router to change settings and the virus loaded a DNS header, I think is what he called it. It looked like our traffic was being routed through bumfuckistan and back, explaining the loooooong load times and timeouts.

    Thank you for your help everyone. Have a happy new year and make sure to upgrade your firmware regularly.

    Wii Code:
    0431-6094-6446-7088