Hi,
My computer is sending and receiving packets, even when no programs request information from the internet. My friend says this is just normal internet traffic, but then again, normal internet traffic wouldn't cause your computer to dial the internet on its own...
Here is a HijackThis log:
Logfile of HijackThis v1.98.2
Scan saved at 18:25:35, on 23/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Also I noticed that one of the svchosts has around 25,000k mem usage, which is abnormally large compared to the other processes of it.
I've run several spyware + antivirus checkers and so far all that comes up is some DSO exploits (despite numerous requests for Spybot to remove it, it returns every time I reboot) and an eBay toolbar, which likewise returns every time I reboot (not so bothered about that because other family members use it).
Well, if anyone can offer me help, I'd be very grateful.
NooNoo
August 23rd, 2004, 07:30 PM
Welcome to Windrivers, Trying.
True, but have you checked PC-cillin? You can check a box to let PC-cillin dial up and connect by itself.
C:\PROGRA~1\FlashGet\jccatch.dll removal instructions (http://www.pestpatrol.com/pestinfo/f/flashget.asp)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
[QUOTE=NooNoo]True, but have you checked PC-cillin? You can check a box to let PC-cillin dial up and connect by itself.[/QUOTE]
After reading this I looked in PC-cillin; as it is unregistered I don't think it automatically connects to check for updates.
I also checked RasAuto with the list of allowed autodials; the only one on was my homepage, and some IP addresses which I removed.
NooNoo
August 24th, 2004, 06:51 AM
Did you remove the items I noted?
Trying
August 24th, 2004, 08:05 AM
Yes, I removed them all except this one: O17 - HKLM\System\CCS\Services\Tcpip\..\{68077353-2A1A-4E03-84AF-E89CE2C9F9E2}: NameServer = 195.92.195.95 195.92.195.94
As the IP address is that of my ISP, Freeserve, I assume it has something to do with my connection, and removing it only causes it to reappear on restart anyway.
NooNoo
August 25th, 2004, 10:06 AM
Do you share the internet connection between computers?
Do you have any scheduled jobs running?
Is there any pattern to when it dials?
Trying
August 25th, 2004, 10:56 AM
I do share an internet connection, but I disabled the network for the past few days.
Here is a HJT log after removing what you said, and some others which I didn't want (took out processes):
Logfile of HijackThis v1.98.2
Scan saved at 13:07:59, on 24/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
And here is one after restart:
Logfile of HijackThis v1.98.2
Scan saved at 14:53:21, on 24/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Well, that's just a portion of it, but it's all pretty much the same...
NooNoo
August 25th, 2004, 11:48 AM
Trying, if you think I am going to check every one of those IPs for authenticity, you have another think coming!!
Trying
August 25th, 2004, 12:00 PM
[QUOTE=NooNoo]Trying, if you think I am going to check every one of those IPs for authenticity, you have another think coming!![/QUOTE]
No, that's not what I intended. I just wanted you to take a look and see whether that looks like normal traffic, as I have no idea what any of that stuff means. You've helped me so much already, and I suspect that I'm just being paranoid.
NooNoo
August 25th, 2004, 12:07 PM
Which firewall software are you using?
Trying
August 25th, 2004, 12:31 PM
It's the one built in with PCC.
NooNoo
August 26th, 2004, 08:05 AM
How to analyse firewall log FAQ (http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=14572)
PC-Cillin is not a very friendly or easily configurable firewall. The log file gives you very basic information.
If you want to understand what the firewall log is telling you, you need to either take a course in network protocols or look up the individual terms.
Protocol defined here (http://www.webopedia.com/TERM/p/protocol.html)
Trying
August 26th, 2004, 10:00 AM
Thanks, I guess in future I should just google and find out such things myself.
-Lazy-
NooNoo
August 27th, 2004, 06:06 AM
Yup - the internet is one huge great encyclopaedia and Google is about the best index of it.
daleallenbaker
August 4th, 2005, 12:44 AM
Hi.
I have been having a similar problem for the last few months and after lots of googling I have found very little in the way of answers to the aforementioned problem.
I'm going to try to restate the case a little, to address many of the issues people have brought up all over the Net. One thread blamed Lexmark for trying to dial home and, as much as I don’t like Lexmark engineers, because I have to repair the printers for a living, I don’t blame Lexmark because I believe something else is going on.
I installed Sygate Personal Firewall (free version) and it pops up a message to let me know:
ANYPROGRAM.EXE (anyprogram.exe) is trying to broadcast to [224.0.0.22]. Do you want to allow this program to access the network?
Now, I use the name anyprogram.exe, but I have seen this pop-up for MANY programs that have no business whatsoever accessing the network. The message I have up on my screen at the moment shows NTVDM.EXE is trying to broadcast to 224.0.0.22. Earlier my Klik & Play Pachinko for Win95 did it.
Now the protocol that is being used is IGMP and the address is, correctly, noted as being internal to the network. My concern is this:
If I was a naughty and smart virus writer, I would want to infect as many PCs as possible. I would probably do this through multiple infections using different applications. So, one part of the virus might simply open a few doors to allow access to other virii. Once granted access, other virii might acquire more access allowing more malicious virii to infest the machine and perpetrate DDoS attacks, send spam e-mail, etc.
That is my primary concern. Many of the suggestions on the Net are to allow the broadcast on the basis that it is internal only, so what could it hurt?
Here’s what it could hurt – once I grant access to 224.0.0.22 that application gets to continue to have free access past the firewall until the application stops running. So, when someone suggests that there is no danger in allowing this seemingly innocuous network connection, it opens a hole in the firewall that once tested as open could allow other malicious software onto the PC.
Now, I’m not saying this IS the case, only that it is possible. Sure, I may be paranoid, but there are people out to get me. Granted they don’t know it is me they are out to get, but that doesn’t mean they aren’t there. Truth is, they are trying to get you, too. Every time I hear or read tech news these days, people are always suggesting that the most spam, virii, and DDoS attacks come from Zombie machines (PCs that are infected and used without the owners knowledge).
Now, to be fair, I’m a little optimistic that nothing untoward is going on because I have regularly-updated AntiVir and Spybot S&D watching in realtime and with weekly scans. They find stuff every so often (more Spybot than AntiVir), but that hasn’t affected the 224.0.0.22 issue and I don’t like it that Pachinko, without network components, is trying to access my internal network.
Finally, my question is this:
Where is a network and firewall expert who has examined this issue and explained exactly what it is going on and, more importantly, why is it coming from programs that have no reason to connect to the network? A deciphering of the Binary Dump would lend a lot of credibility to the answer I’m hoping to receive.
Thanks!
Dale
Philbini
August 19th, 2005, 12:32 PM
Hello Daleallenbaker,
I am having a similar problem.
GcasDtSrv.exe is trying to access that same IP address.
It is started at startup and is using 98-99% of system resources so that my system just sits there doing nothing. I use CTRL-ALT-DEL to open the Task Manager and end it. I'm still looking for information on how to end this. I'll let you know if I find anything and I'd appreciate it if you do the same. I run Ad-Aware, Spybot, and MS Antispyware as well as VCOM System Suite 5's firewall and virus protection. They all think everything is fine. Obviously it isn't. This isn't normal traffic in my opinion either. I'm not as savvy as a lot of others here. I just keep combing the net until I find someone that knows what it is.
geoscomp
August 19th, 2005, 03:02 PM
GcasDtSrv.exe is the executable file for Microsoft Antispyware
Philbini
August 22nd, 2005, 11:59 AM
Understood.
However depending on who you ask changes the answer on what the problem is. Some will tell you it's absolutely no threat at all and others will tell you that you are infected with a trojan. I'm positing another theory. I have scanned the living bejeezus out of my system and I'm already locked down pretty tight. I have minimal internet activity on my home machine because we are so far out in the sticks I only get 26.4 speeds (if I'm lucky). I *do not* believe I am infected. Yet I can't get around the fact that process is consuming those resources and is locking up my machine. At this point I believe certain configurations must cause problems with MS Antispyware. I deleted the program and my computer is back to its speedy self.
The combination of programs I was using for security prior to MS Antispyware was supposed to catch about 86% of everything out there. I switched to MS because it was supposed to catch about 91%. To me, that 5% isn't worth the hassle MS Antispyware has caused me.
Then again, I'm not that much of a techie-head. I'm always up for suggestions but I'm content to take the easy way out and eliminate the offending software. Unless it's a game. Don't mess with my gaming, man!
How about you, Baker? Any luck?
geoscomp
August 22nd, 2005, 12:24 PM
Do you have Spy Sweeper installed as well? There have been reports of Spy Sweeper causing significant system resource usage with Microsoft Antispyware installed.
slgrieb
August 22nd, 2005, 08:04 PM
Just because you're paranoid doesn't mean that they all aren't out to get you! Still, nowadays, almost every single piece of software on your computer wants to update itself and if you have internet connection sharing turned on, just multiply that by the number of machines sharing the connection.
I'd suggest that if you have your dialup connection configured to connect automatically, you turn off that feature and don't let other computers on the network dial up on demand if you use internet connection sharing. If it is practical for you, I would REALLY suggest you dump dialup. Software updates keep getting bigger, web pages keep getting more graphically intensive, and prices for broadband continue to drop. More and more, dialup internet is just a replica of InterNet service, not the real thing.
BUDZZ
August 24th, 2005, 08:34 AM
Hi NooNoo
I have tried using housecall@trendmicro lately, after using it quite successfully in the past at home and at work, but lately, whilst using at home, I have had a problem on my pc and a laptop.
It downloads all the pattern files and scans ok, but when it reaches 100% and tries to roll over to Step (3), the summary page, it keeps on clicking as it does when opening a new internet page, and keeps downloading data but never rolls over. I have left it for well over half an hour to no avail.
The same thing happens on both my PC and laptop. The PC is XP Pro, the laptop is running Win ME.
I tried ringing Trend but they don't offer any support for the online scan.
I believe I am infected with, amongst others, trojan Downloader.JS.IstBar.m (as discovered by F-Secure online scanner), but neither my updated AVG, Spybot, A2 squared, TMAS-scan, Stinger nor CWShredder can find anything.
Trend Micro does find 2 infections, but due to the above problem, I can't find out what with.
Any thoughts?
daleallenbaker
November 16th, 2005, 04:01 PM
From what I have found, the accesses seem to correlate to the addition of IPv6 to the PCs. It still doesn't make any sense to me that IPv6 would cause what I perceive to be a big unnecessary security risk, but there you go.
st.daniel
December 24th, 2005, 11:07 AM
[QUOTE=daleallenbaker]Hi.
<snipped>
I installed Sygate Personal Firewall (free version) and it pops up a message to let me know:
ANYPROGRAM.EXE (anyprogram.exe) is trying to broadcast to [224.0.0.22]. Do you want to allow this program to access the network?
Now, I use the name anyprogram.exe, but I have seen this pop-up for MANY programs that have no business whatsoever accessing the network.
<snipped>[/QUOTE]
Answer:
When using Sygate,
go to Settings>Network Neighborhood (or Options>Network Neighborhood for
the free version)
Uncheck the box by "Permit me to browse and share both files and printers on this Network Connection".
The "..............224.0.0.22" message will stop appearing.
Your machine was/is looking for other Network machines.
st.daniel
December 25th, 2005, 01:26 PM
BTW, if you still get the "...224.0.0.22" (after turning off the Network Browse checkbox in Sygate) then you most likely have the "SSDP Discovery Service" set to Automatic (start type) under Control Panel>Administrative Tools>Services. This Service also checks your home network (for interactive devices). It can be set to Manual or Disabled by most users. [It's for UPnP devices; not commonly used, yet. Search for UPnP, if you're interested.] ["Universal" Plug aNd Play, not to be confused with PnP.]
walpulio
January 27th, 2006, 08:11 PM
[QUOTE=daleallenbaker]Hi.
<snipped>
I installed Sygate Personal Firewall (free version) and it pops up a message to let me know:
ANYPROGRAM.EXE (anyprogram.exe) is trying to broadcast to [224.0.0.22]. Do you want to allow this program to access the network?
Now, I use the name anyprogram.exe, but I have seen this pop-up for MANY programs that have no business whatsoever accessing the network.
<snipped>[/QUOTE]
Answer:
When using Sygate,
go to Settings>Network Neighborhood (or Options>Network Neighborhood for
the free version)
Uncheck the box by "Permit me to browse and share both files and printers on this Network Connection".
The "..............224.0.0.22" message will stop appearing.
Your machine was/is looking for other Network machines.
I'm also having the same problem with many different programs broadcasting to 224.0.0.22. Your solution may stop the messages appearing (I've just tried it), but I still don't understand the reasons for different programs trying that direction, which is related to IGMP v3, I think. In my case, I was finishing one simulation with a program that I designed (so I can assure that it has nothing to do with the network, not even updating), and Sygate gave that annoying message saying that it was broadcasting.
So, my question is, couldn't this be a case of hijacking?
Thank you.
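The "broadcast to 224.0.0.22" prompts discussed above, and the SSDP Discovery Service explanation two posts earlier, can be checked against the packet itself rather than the process name Sygate attaches to it. This is an added Python example, not code from this thread, from Sygate or from Microsoft: it constructs an IGMPv3 Membership Report (RFC 3376, the message a host's IP stack sends to 224.0.0.22 when it joins a multicast group), verifies the checksum, decodes the group records, and recognises a join of the SSDP/UPnP group 239.255.255.250. The sample packet is constructed, and the triage wording is my own.

```python
import struct
from ipaddress import IPv4Address

IGMPV3_ALL_ROUTERS = IPv4Address("224.0.0.22")  # every IGMPv3 Membership Report is sent here (RFC 3376)
SSDP_GROUP = IPv4Address("239.255.255.250")     # multicast group joined for SSDP/UPnP discovery

RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE", 3: "CHANGE_TO_INCLUDE_MODE",
                4: "CHANGE_TO_EXCLUDE_MODE", 5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_v3_report(groups) -> bytes:
    """Constructed sample: a type 0x22 report with one CHANGE_TO_EXCLUDE_MODE (join) record per group."""
    records = b"".join(struct.pack("!BBH4s", 4, 0, 0, IPv4Address(g).packed) for g in groups)
    msg = struct.pack("!BBHHH", 0x22, 0, 0, 0, len(groups)) + records
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def parse_v3_report(msg: bytes) -> list:
    """Decode the group records of an IGMPv3 Membership Report, rejecting a bad type or checksum."""
    if len(msg) < 8 or msg[0] != 0x22:
        raise ValueError("not an IGMPv3 Membership Report")
    if inet_checksum(msg) != 0:
        raise ValueError("bad IGMP checksum")
    (n_records,) = struct.unpack("!H", msg[6:8])
    off, records = 8, []
    for _ in range(n_records):
        rtype, aux_len, n_src, group = struct.unpack("!BBH4s", msg[off:off + 8])
        srcs = [str(IPv4Address(msg[i:i + 4])) for i in range(off + 8, off + 8 + 4 * n_src, 4)]
        records.append({"type": RECORD_TYPES.get(rtype, "unknown"),
                        "group": str(IPv4Address(group)), "sources": srcs})
        off += 8 + 4 * n_src + 4 * aux_len  # aux data length is counted in 32-bit words
    return records

def triage(dst: str, payload: bytes) -> str:
    """Explain a 'broadcast to 224.0.0.22' prompt from the packet instead of guessing from the process name."""
    if IPv4Address(dst) != IGMPV3_ALL_ROUTERS:
        return "not IGMPv3 report traffic; inspect separately"
    groups = [r["group"] for r in parse_v3_report(payload)]
    if str(SSDP_GROUP) in groups:
        return "link-local IGMP join of the SSDP/UPnP group 239.255.255.250 (SSDP Discovery Service)"
    return "link-local IGMP join of " + ", ".join(groups)
```

A report to 224.0.0.22 is link-local group-management traffic, so on its own it cannot be a program "dialing home"; the useful question is which group is being joined, which the decoded records answer.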
slgrieb
January 28th, 2006, 03:39 PM
Well, all spyware issues and such aside, many (maybe even most) software these days wants to keep up to date and will try to connect to the Internet to do it. If your dialup connection is set to automatically connect whenever a program requests Internet access, it's going to be dialing virtually all the time even if only legitimate software is installed. This should be disabled unless you have a dedicated line.
windrivers.com
Copyright WebMediaBrands Inc., All Rights Reserved.