Is Big Brother Surfing With Me?
February 14, 2009 9:56 AM
Very strange DSL behavior - Is it Big Brother?
I've been dealing with this daily now and after extensive research - I've pretty much concluded that something or someone is surfing with me. But maybe I'm wrong and it's something else.
For about 2 weeks I've been experiencing very weird ISP behavior. Dial up problems, weird error messages, disconnects and just plain slow surfing. My machine is a clean machine - no viruses, adware - trojans or cookies. No cache older than a few hours either.
All surfing, streaming, downloading were affected during these lags. I've run Hijack This and nothing seems out of the ordinary except 2 exceptions - which are
AF891CD7E25B}: NameServer = XXXXXX
O17 - HKLM\System\CS1\Services\Tcpip\..\{470F728C-8ABE-4657-B74C-AF891CD7E25B}: NameServer = XXXXXX
(I've x'd out the addy)
The only remedy that seems to work in this situation is CMD
netsh winsock reset catalog - and restarting. Then it works perfectly.
I'm running XP Pro on a pretty new machine. No network. I've run diagnostics and there don't seem to be any problems with the network card or the modem. The cable is fine as well. I've run msconfig and taken out anything that could be a problem or culprit. I've set up new dialers. Currently I have only 2 things that I can see running at start up - one is the AV and the other is a desktop clock - both when disabled did nothing to present the above mentioned problems.
I tried firewalling and disabling firewall - same results in both instances.
I've tried accessing the web via a different machine and had same exact issue. It's not the puter - it's the line. ISP will not admit to any fault or problem only mentioning that there have been some *problems on their end and the issues should be cleared up now*.
Should be mentioned - trying to surf via proxy gets me disconnected.
Could this be some kind of filter placed on my line by the ISP that only the complete reset rids me of (albeit temporarily)? I am currently out of the country living in a war zone where there have been cases of close monitoring. So this isn't completely out of left field.
Is there any way to find out what/who is messing up my internet connection via tracking software and is there any way I can track someone who is tracking me?
Response by poster: I said is there any way to find out VIA tracking software. Please re-read. And no. I'm not being paranoid. I know what I'm up against.
posted by watercarrier at 10:05 AM on February 14, 2009
Have you tried capturing traffic via Ethereal/Wireshark and looking at that? Especially for the proxy case, that will give you an idea of where things are going and what response is coming back.
posted by kellyblah at 10:18 AM on February 14, 2009
Response by poster: Kelly - I'm looking into Wireshark. Thanks for the head up on this.
posted by watercarrier at 10:20 AM on February 14, 2009
I am not the expert you are looking for. I have experienced similar issues in the past. Reboot everything and performance improves for a bit then back in the crapper. Switched out modems with no effect. My ISP was helpful but it was still a mysterious pain. They finally provided a different kind of modem. This is where the part about me not being the expert you need comes in. The difference that I know between the modems is that the current one does not do wireless. I do not believe this is the relevant difference. The new modem fixed things.
watercarrier is trying to say someone could snoop on you without affecting your connection.
posted by pointilist at 10:29 AM on February 14, 2009
Honestly, it sounds like you have flaky hardware. I doubt anyone is tracking you.
If you are sure someone is tracking you, why not boot into Linux with a Live CD? That should be a bit safer. If you are concerned that your ISP is tracking you, use Tor. That combination should thwart pretty much everyone.
Of course, someone could be parked in front of your house reading your monitor through the wall... but that is probably not likely.
posted by jrockway at 10:35 AM on February 14, 2009
Best answer: Speaking from professional experience, the proper place to monitor network traffic is at the gateway, not on the machine. In that scenario, the tracking would be happening by way of software that logged the destination IP in the TCP packet headers. Presumably, every packet would be examined, so resetting your TCP stack would have no effect on things. Packet traces would not cause anything to appear in a HijackThis log.
The presence of a NameServer being added, as indicated by HT, suggests malware, not monitoring. We could help you more if you gave us the IP being set for that key; my guess is that some program is running in the background, watching for net connections, and then usurping your nameserver so as to redirect requests to whatever that nameserver is. That COULD be a way of monitoring all traffic, but it would be an incredibly inept and unlikely way of doing so, because any unexpected hardware (PDA, Linux system, etc.) would not be compromised by the malware.
To test this, try downloading Knoppix and running from a read-only filesystem (i.e., from the LiveCD). Nothing can be installed on read-only media, and it should alleviate the problem. Long term, wipe and re-install Windows whilst disconnected from the network, and fully patch the system with the latest hotfixes and service pack before reconnecting.
posted by ellF at 10:49 AM on February 14, 2009 [2 favorites]
Response by poster:
Thanks ellF - that's helpful and will look into that. Just wanted to reiterate the fact that once I do a complete CMD Reset everything works no problem. Was wondering where that figures in.
posted by watercarrier at 11:06 AM on February 14, 2009
That a Winsock reset restores things is part of what makes me suspect malware -- you're forcing the system back to its defaults, after which I imagine whatever piece of software is running re-subverts your connection.
Give the LiveCD route a try. Easy to do, should rule in/out malware.
posted by ellF at 1:25 PM on February 14, 2009
I would want to know who owns that IP address. There are many whois services. Here's one.
This could be a DNS server being added by your ISP dynamically, and maybe the server isn't working correctly, hence your slow performance, which is innocent. It could also be a DNS hijacker, although the fact that it's happening with more than one machine suggests that may not be it. I also recommend the Live CD idea.
I don't see any harm in posting the IP in your HJT log. What does running ipconfig when you're logged in to your dialup tell you?
posted by krinklyfig at 1:27 PM on February 14, 2009
I had the same problem twice last year, same symptoms, and both times I just happened to have downloaded (or was actively downloading) torrents.
The fix?
I stopped all torrent activity and it magically started working again.
I tried every fix you tried above, including calling the most evil cable company on earth and speaking to about 20 people, all of them, of course, certain that the cable company would never intentionally limit or break connectivity for any reason.
Of course they wouldn't. Of course not!
@#$% liars. ;D
posted by elpiconeroalcognac at 2:04 PM on February 14, 2009
Could this be some kind of filter placed on my line by the ISP
Err, this isn't the 1960s. You don't need to send out a tech to install a "filter." If your ISP wanted your data then the network admin would type in a single command into a switch or router. You would never, ever know. I do this kind of thing all the time at work for security testing and audits.
I suggest you call your ISP and make a trouble ticket and lay off the conspiracy theories.
AF891CD7E25B}: NameServer = XXXXXX
This is your DNS server.
I am currently out of the country living in a war zone
I can't imagine infrastructure in a war zone being anything close to reliable. That's probably the real answer here.
posted by damn dirty ape at 2:19 PM on February 14, 2009
On second look the above sounds a little uncompassionate. If you're really really worried, then mefi mail me your IP address and I can do some basic scans. Most likely you're just dropping packets from an unreliable connection.
posted by damn dirty ape at 2:21 PM on February 14, 2009
DSL is completely flaky. I had intermittent connection problems for years with my provider (like forty-some service calls in two years). Got to know the techs personally.
At any rate, many of the problems were traced to water getting in the box at the head of our neighborhood where all of the connections to individual homes were made (can't for the life of me remember what they called that box…sorry). Finally, the regional manager in charge of all the ISP's infrastructure had my connection routed in through a different CO (central office), and, Shazam, all the problems stopped.
I've now switched to a cable provider, and find coax to be a much more reliable connection than twisted pairs.
Just curious…do your problems get worse when it rains? (Most of the current war zones I can think of are pretty arid, but it's worth a shot).
posted by dinger at 2:59 PM on February 14, 2009
Response by poster: Thanks everyone who responded.
There are a lot of good suggestions here that'll take some time sorting through and working this out.
Just a few notes here -
If it is malware - none of my programs are picking up on it.
Re Linux - will go slowly with it - but it might be a good way to approach this.
Re Torrents - I don't.
Re ipconfig - not sure what I need to be looking at there.
Re rain - The episodic disconnects, error messages, weird lags happened during a dry period. No rain in the wires.
posted by watercarrier at 4:19 PM on February 14, 2009
Best answer: Also it's feasible that this could be a hardware issue. Ram going bad or a disk going bad can easily cause this. Or a buggy driver.
You can run something like HDTune to scan your drive or MS's memory diagnostic tool to check your ram. You might want to update your video, ethernet, chipset, and BIOS while you're at it.
posted by damn dirty ape at 10:15 PM on February 14, 2009 [1 favorite]
WRT memory testing, this is the definitive free and easy tool to do it:
http://www.memtest.org/#downiso
posted by wastelands at 9:27 AM on February 15, 2009
posted by nasreddin at 10:01 AM on February 14, 2009