Pages do not finish loading

[1trueshadow]

As of late my connection is sparatic (activity bursts for no reason, little or no activity while loading pages)
When opening a page, the majority of the page will load and then network activity stops alltogether. The browser continues to "attempt" to veiw the page but my ISP is not sending anymore, for instance the smiles on the left have not apeared yet, netscape is trying to load them but the activity indicator is showing nill

I have ran Nortan AV, Spybot, Ad-Aware and Highjack this did not turn up anything that would cause that (Posting the HJT report anyway)

Also, there is a large amount of errors that I am reciving from my ISP. Check this out....

And here is my HJT! log:
Scan saved at 3:13:54 PM, on 9/12/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Network ICE\BlackICE\rapapp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.profileofashadow.4t.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F662D2E7-A4A0-42ED-9551-67301DA44E3D}: NameServer = 66.103.227.34 216.234.106.87

 

[Rollin' Rog]

I don't see any issues with the HijackThis Scanlog.

One thing I would note is the substantial difference in error rate between sent and received. I'm no expert here, but I would speculate that this suggests the problem is less likely with your modem or phone line than your ISP and/or the routing of received packets from wherever you are connected to.

The connection speed is certainly deficient as well. For comparison, at 2 1/2 hours up time I have a received error rate of 3%

Another thing that is somewhat puzzling is the high compression rate. I have 10% sent and 3% received.

Personally I would have a talk with the ISP about these issues; perhaps a different dialup number might make a world of difference.

By the way, when you do get a lot of those partial page loads, you need to clear your Internet Cache to flush the incomplete files out of there, or you may continue to see the same thing if the browser simply reloads images or pages from cache.

 

[1trueshadow]

Thanx Rollin'
I noticed the error rate right off hand. At one time I was reciving 7 errors a minute!!

My compresion has always been high. Normal is about 30% sent and 10% recived

and I would rather switch ISP's then even attempt to talk to their tech support again. It doesnt mater what the question is, the anwser is always "its the phone companys fault"

 

[Rollin' Rog]

Yeah, it doesn't look like you are out in the boonies so there probably is no good excuse for that low connection speed and high error rate. Sometimes different dial-up numbers can help but you are not getting anything near where you should.

 

[1trueshadow]

It does not matter. No mater what compainy I use I always get a top speed of 26k. The errors however are a new problem.
I have sent a message to Michigan Connect.

Please keep this thread open until I recive a reply from them. Thanx.

 

[1trueshadow]

I was able to talk over the phone to the Owner\operator of my local ISP. This is what he thinks is happening:

About a week ago we had a huge electrical storm here in my city. Many lightning bolts hit ground. Ever sence then, He has been hearing reports from other local ISP including his own that connections are unstable and many of the users are reciveing errors like mine.

Being that this is a widespread problem affecting many ISPs, I beleve that damage was done to the local phone network in that storm. On monday I will be calling SBC and telling them what is going on at my end and asking if they could check my lines once more.

 

[Rollin' Rog]

Thanks for the follow-up. Let us know if they do confirm a problem on their end.

 

[1trueshadow]

SBC said they are not responsible for errors that I am receiving. I also asked them about my connection speeds and they told me that they only guarantee a speed of 14.4!!

I called back my ISP. All the local ISP's have CONFIRMED that the errors are being received from SBC phone service. Customers using other local phone companies are not affected. SBC still denies responsibility

As soon as I move out I'm switching to cable!! I wont even have a phone line! I will use my cell as my primary phone and Cable for internet. If they want to treat their customers this way then they better not be surprised when they have no customers left

 

[1trueshadow]

one more thing, activity STILL picks up while I am not doing anything, it could be a posible trojan unrelated to my error problem. It seems too controled to be just random reads. Do you know of a program I can use to find out just what programs are accessing the net?

 

[Rollin' Rog]

A firewall such as Zonealarm or Sygate would be your best bet for intercepting applications that try to connect outbound from your computer or blocking malicious inbound attempts. Both have free versions.

Alternately you could try you hand at interpreting the real time logs of something like tcpview, portmon and tdimon from system internals.

Tcpview is easy to use. Portmon is a little trickier, you have to set it up before you make a connection. The same is true for tdimon which has to be open before a connection is established. All three will show various views of tcp/ip activity.

http://www.sysinternals.com/

 

[1trueshadow]

The moment I started TCPView I found the following:

After I made this picture and opened Netscape almost 20 system:8 connections came up and 6 more SVHost Connections where established.

Someone please tell me what these programs do. I know that SVHost is part of windows, but its for if your running your computer like a server, is it not?

I have never heard of "system:8" until today. Any and all info would be great.

 

[1trueshadow]

If I disconnect all the SVCHost Connnections (other then the one pointing back at my own system of pheonix-omega of course) then my connection is fine!! My pages load completly and there is no big slowdown. In fact they are faster then ever!!

As far as I can tell system:8 is just a legit process doing its job. SVCHost however is alowing multipule unwanted connections to my system. How do I stop this from happening? Is there a way to disable SVCHost?

 

[Rollin' Rog]

Svchost is a host for many required services in XP/2K; you will see multiple instances in the Task Manager. Some you can end task, others not.

http://support.microsoft.com/?kbid=314056

The System8 is also a system process; I guess the designation varies, because on my system it is system4; I'm not sure what the difference signifies.

The IP I see it remotely connecting to is System Internals itself. Do you still have that page open?

I'm not sure you can do this on Win2k, but open a command prompt and enter:

tasklist /svc

do you see a list of services running under each task? Tasklist comes with XP pro, I'm not sure about 2k

 

[1trueshadow]

Win2K does not have that utillity, but tlist does the same thing as tasklist (Microsoft Knowlagebase Artical 250320)

On a hunch I opened up Black Ice and looked through the current attacks. (please see TSG thread "Attack Aganst My Firewall") The IP addresses of my current attacks (not the ones posted in the other thread) matched with the SVCHost connections.

I am going to search TSG's Security Forums for any information about SVCHost.

Thank you for all your help and insight RR. If there is anything I can do for you guys at TSG let me know (I would make a donation, but I am low on funds at the moment)

 

[Rollin' Rog]

Black Ice should be protecting you from the recent spate of rpc buffer overrun exploits, (even if you haven't installed the security patches), which can involve svchost, and I don't see port 135 open in TCPview, so I don't think you are vulnerable there.

The blocked incoming probes should not inhibit the system any unless there is an absolute flood of them, in which case they would affect your ISPs servers as well. They are certainly not directed at you in particular, since you are for all intents invisible on the web and the probes are just blind hits on an IP that is included in a scanning block

In any case, with a little work, using those System Intenal free ware tools, you can pretty much figure out what is going on at any given time.

You're most welcome for the help..