Full Version: I might have a new unknown virus...
TrNSZ
I'm having a bizarre problem!

I don't know where else to post so I'm posting here in the Off-Topic forum. I hope that is what it is for.

This problem is crazy. To start, I'm running Windows XP Professional on a P4 system with 512MB of RAM. I'm connected to the Internet via DSL. I have a hardware firewall in front of my router system, and the router system itself is running Microsoft's ICS and Firewall. My system is running its own firewall, Kerio Personal Firewall 2.1.4. All systems here are checked for new/needed hotfixes, service packs, and security problems at least every 48 hours.

About two weeks ago, no matter what application I'm in, if I go to the "Save As" dialog box in any program (Notepad even), and I click the Desktop logo, the system pauses a second or two, and attempts to access the network.

According to both my Kerio firewall (and my hardware firewall agrees), I get messages such as "'WordPad MFC Application' from your computer wants to connect to cottbus.mayn.de [194.145.150.15], port 21" or "'Notepad' from your computer wants to connect to cottbus.mayn.de [194.145.150.15], port 21". I've firewalled this site, but it still delays a few seconds while it tries to connect!

Investigating, I've found http://www.mayn.de/, a German website, and if I connect to cottbus.mayn.de via FTP, it looks to be a regular mirror site.

I've not yet contacted them to ask what's going on here.

Why would my computer ... Windows itself ... attempt to connect to this FTP site, no matter what application I use, when accessing the desktop?

I've done a few things to track it down. I've used SysInternals AutoRuns 2.0 and removed all non-necessary things except the entries in ShellServiceObjectDelayLoad (CDBurn, PostBootReminder, SysTray, WebCheck) because I'm not sure how they work or how to re-add them. I've checked for spyware using Spybot SD and AdAware Plus, and I've checked for viruses using F-Prot and NOD32, latest versions of all software -- no results.

I then used SysInternals' JUNCTION and STREAMS utilities to look for NTFS files that may be linked externally somehow - nothing.

Help!
TrNSZ
Update: I messed with the ShellServiceObjectDelayLoad'ers and it still did not fix the problem, even with them all removed.

I'm at a loss. :-(
CiTay
While you're already at SysInternals, try these programs to track it down a little more:

http://www.sysinternals.com/ntw2k/freeware...re/tdimon.shtml

http://www.sysinternals.com/ntw2k/source/regmon.shtml

http://www.sysinternals.com/ntw2k/source/filemon.shtml

It all sounds like some program somehow replaced / appended itself to a part of the TCP/IP functions (maybe via some DLL, it has been done before)...
TrNSZ
I removed all Browser Helper Object entries from my Registry. Still the same issue. I have to go to work now but I will investigate this further when I get home!
JohnV
Try scanning with Pest Patrol and maybe do virus checking with Housecall.
Andavari
It "may" be something that antivirus software cannot detect, therefore try some anti-trojan software.

Trojan Remover - http://www.simplysup.com/
The Cleaner - http://www.moosoft.com/
musicmusic
Try Spybot Search & Destroy:

http://security.kolla.de/

It's an excellent spyware/adware etc. detector, and it's free.

Edit: I did a search and there was some info about that FTP site, e.g. there's a code part here with the cottbus address:

http://translate.google.com/translate?hl=e...-8%26oe%3DUTF-8

And I also found a lot of pages with users with a mayn.de IP.
TrNSZ
OK.

I scanned using Trend HouseCall Online (HouseCall v5.50.0, Engine 6.150-1001, Pattern 417) and found nothing at all. So far I've scanned the drive with F-Prot 3.12c (in DOS using NTFSDOS Pro), NOD32, and Trend HouseCall without finding any viruses.

I didn't download PestPatrol because they required online registration to download and I didn't agree with their privacy policy (http://www.pestpatrol.com/Company/Privacy.asp) due to the fact I must e-mail them to opt-out rather than providing a way to immediately opt-out at the point of registration.

If I hadn't read the policy, I wouldn't know that I was going to be receiving special offers and advertisements from PestPatrol. I don't agree with that. I read the complete privacy policy and license agreement of all software I download and install, but most people do not.

Trojan Remover is a cool program; it found some left-over QEMM stuff in my registry that XP was attempting to load at boot-time but was then skipping, so I removed that to make my boot speed supposedly faster. However, this didn't fix my problem.

The Cleaner found nothing either.

Spybot Search and Destroy was the first thing I ran, actually. I have it scheduled to run once a day, and I update (or at least check for updates) at least every week. It isn't finding anything (other than the regular cookie files and temporary files I have it set up to delete).

I've seen a similar problem reported when a link or shortcut on the desktop is actually somehow linked to an FTP site or something similar, because the system then attempts to fetch the displayed icon from the remote site.

I'm going to clean off my desktop, as I have about 150 items on it, and see what happens.

NOTE: A good side effect of this adventure is my machine is getting completely cleaned out and is running very quickly as I'm optimizing as I go along.
TrNSZ
ALERT! ALERT! ALERT!

I fixed it!

I'm not sure what I did; my last two changes between tests were removing all icons from my Desktop (and from the disk completely if they were unnecessary) and moving them into the Documents folder, and disabling NetBIOS over TCP/IP and LMHOSTS lookup, and then rebooting.

So even though it is now fixed, I am puzzled at what caused it. I'm going to assume one of my files had an icon that was originally pulled from that FTP site, and that is why the system was attempting to access it, as this was reported as the cause of a similar problem at another site.

Two thumbs down for Windows/Internet/Explorer integration! I want my TCP/IP stack separate from my OS, maybe even running as a user process with restricted access à la OpenVMS and other enterprise-level operating systems I've used.
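The remote-icon explanation in this post is something a defender can check directly: a Windows shortcut (.lnk) carries an IconLocation string in its StringData, and one pointing at a UNC share or a URL gives Explorer a network path to resolve whenever the folder is displayed. The following Python is an added example, not code from anyone in this thread; it walks the published Shell Link layout (76-byte header, optional LinkTargetIDList and LinkInfo, then the length-prefixed strings) to flag such shortcuts, and `build_lnk` is a constructed fixture standing in for real files.

```python
import re
import struct
from typing import Dict, Optional

# LinkFlags bits from the 76-byte Shell Link header (the flags DWORD sits at offset 20).
HAS_ID_LIST, HAS_LINK_INFO, HAS_ICON, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
# StringData sections in file order; each is present only when its flag bit is set.
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", HAS_ICON)]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
REMOTE_RE = re.compile(r"^(\\\\[^\\]|[a-z][a-z0-9+.-]*://)", re.I)  # UNC share or URL scheme

def parse_lnk_strings(data: bytes) -> Dict[str, str]:
    """Return the StringData fields of a .lnk file (name, working_dir, icon_location, ...)."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:            # LinkTargetIDList: 2-byte size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:          # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for name, bit in STRING_FIELDS:    # each string: 2-byte char count, then the chars (no NUL)
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0] * width
            raw = data[pos + 2:pos + 2 + count]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count
    return fields

def remote_icon(data: bytes) -> Optional[str]:
    """Return the IconLocation if it points off the local disk (UNC or URL), else None."""
    icon = parse_lnk_strings(data).get("icon_location", "")
    return icon if REMOTE_RE.match(icon) else None

def build_lnk(icon_location: str, unicode: bool = True) -> bytes:
    """Constructed fixture, not a real shortcut: header, empty ID list, one IconLocation string."""
    flags = HAS_ID_LIST | HAS_ICON | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * 52
    id_list = struct.pack("<H", 2) + b"\x00\x00"   # IDListSize = 2, then the 2-byte TerminalID
    text = icon_location.encode("utf-16-le" if unicode else "latin-1")
    return header + id_list + struct.pack("<H", len(icon_location)) + text
```

Against a real machine, feed `remote_icon` the bytes of every `*.lnk` in the Desktop folder; whatever it returns is a shortcut whose icon the shell must resolve over the network each time that folder is shown.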
Andavari
QUOTE(TrNSZ @ Dec 27 2002 - 08:42 PM)
Two thumbs down for Windows/Internet/Explorer integration!

Agreed! I'm glad you found the solution.
Neo Neko
With NetBIOS enabled over TCP/IP and some fiddling with the LMHOSTS file, it could quite possibly be used to reroute common Windows resources to remote addresses. That is the problem with Microsoft's strategy to integrate everything with everything else. The distinction between local and remote resources blurs, and they are indeed hardly different since they take many of the same paths. It is their goal that you will lease more and more software and own less and less. Everything is to be loaded or run over the network, until you own a computer and pay a monthly fee solely to lease their software which in the past you would have owned.
Cobra
General security recommendations:

- Very good antivirus (KAV (ex-AVP) detects most viruses, Norton and F-Prot less, but Norton has a better GUI I think). (UPDATE BASES)
- Firewall (Kerio! :) - check listening sockets)
- Try Spybot Search & Destroy - http://security.kolla.de/ (update files, including beta updates)
- Disable all internet protocols excluding TCP/IP (leave IPX if you use it), disable all unused net hardware (e.g. an unused modem)
- Disable NetBIOS
----------------------------------
- Download software from official sites. I saw backdoored BitchX and PuTTY. One guy made an "official" mirror of the PuTTY program. It looks like the original site. He wrote his own backdoor - AVs don't detect it.
TrNSZ
It has been my experience that Eset NOD32 has about the highest rate of detection in real life. F-Prot is certainly less, but is almost twice as fast and still detects most viruses trying to infect your system from e-mail or being run as executables -- it has a harder time with viruses deep inside archived files and such when doing a filesystem scan.

I'd recommend Kerio Personal Firewall out of all of the personal firewalls available.

I've always had just TCP/IP on my system as well.