Thanks, I guess in future I should just google and find out such things myself.
-Lazy-
yup - internet is one huge great encyclopaedia and google is about the best index of it.
Hi.
I have been having a similar problem for the last few months and after lots of googling I have found very little in the way of answers to the aforementioned problem.
I'm going to try to restate the case a little, to address many of the issues people have brought up all over the Net. One thread blamed Lexmark for trying to dial home and, as much as I don’t like Lexmark engineers, because I have to repair the printers for a living, I don’t blame Lexmark because I believe something else is going on.
I installed Sygate Personal Firewall (free version) and it pops up a message to let me know:
ANYPROGRAM.EXE (anyprogram.exe) is trying to broadcast to [224.0.0.22]. Do you want to allow this program to access the network?
Now, I use the name anyprogram.exe, but I have seen this pop-up for MANY programs that have no business whatsoever accessing the network. The message I have up on my screen at the moment shows NTVDM.EXE is trying to broadcast to 224.0.0.22. Earlier my Klik & Play Pachinko for Win95 did it.
Now the protocol that is being used is IGMP and the address is, correctly, noted as being internal to the network. My concern is this:
If I was a naughty and smart virus writer, I would want to infect as many PCs as possible. I would probably do this through multiple infections using different applications. So, one part of the virus might simply open a few doors to allow access to other virii. Once granted access, other virii might acquire more access allowing more malicious virii to infest the machine and perpetrate DDoS attacks, send spam e-mail, etc.
That is my primary concern. Many of the suggestions on the Net are to allow the broadcast on the basis that it is internal only, so what could it hurt?
Here’s what it could hurt – once I grant access to 224.0.0.22 that application gets to continue to have free access past the firewall until the application stops running. So, when someone suggests that there is no danger in allowing this seemingly innocuous network connection, it opens a hole in the firewall that once tested as open could allow other malicious software onto the PC.
Now, I’m not saying this IS the case, only that it is possible. Sure, I may be paranoid, but there are people out to get me. Granted they don’t know it is me they are out to get, but that doesn’t mean they aren’t there. Truth is, they are trying to get you, too. Every time I hear or read tech news these days, people are always suggesting that the most spam, virii, and DDoS attacks come from Zombie machines (PCs that are infected and used without the owners’ knowledge).
Now, to be fair, I’m a little optimistic that nothing untoward is going on because I have regularly-updated AntiVir and Spybot S&D watching in realtime and with weekly scans. They find stuff every so often (more Spybot than AntiVir), but that hasn’t affected the 224.0.0.22 issue and I don’t like it that Pachinko, without network components, is trying to access my internal network.
Finally, my question is this:
Where is a network and firewall expert who has examined this issue and explained exactly what is going on and, more importantly, why is it coming from programs that have no reason to connect to the network? A deciphering of the Binary Dump would lend a lot of credibility to the answer I’m hoping to receive.
Thanks!
Dale
Hello Daleallenbaker,
I am having a similar problem.
GcasDtSrv.exe is trying to access that same IP address.
It is started at startup and is using 98-99% of system resources so that my system just sits there doing nothing. I use the CTRL-ALT-DEL to open the task manager and end it. I'm still looking for information on how to end this. I'll let you know if I find anything and I'd appreciate it if you do the same. I run Ad-Aware, Spybot, and MS Antispyware as well as VCOM System Suite 5's firewall and virus protection. They all think everything is fine. Obviously it isn't. This isn't normal traffic in my opinion either. I'm not as savvy as a lot of others here. I just keep combing the net until I find someone that knows what it is.
GcasDtSrv.exe is the executable file for Microsoft Antispyware
Understood.
However depending on who you ask changes the answer on what the problem is. Some will tell you it's absolutely no threat at all and others will tell you that you are infected with a trojan. I'm positing another theory. I have scanned the living bejeezus out of my system and I'm already locked down pretty tight. I have minimal internet activity on my home machine because we are so far out in the sticks I only get 26.4 speeds (if I'm lucky). I *do not* believe I am infected. Yet I can't get around the fact that process is consuming those resources and is locking up my machine. At this point I believe certain configurations must cause problems with MS Antispyware. I deleted the program and my computer is back to its speedy self.
The combination of programs I was using for security prior to MS Antispyware was supposed to catch about 86% of everything out there. I switched to MS because it was supposed to catch about 91%. To me, that 5% isn't worth the hassle MS Antispyware has caused me.
Then again, I'm not that much of a techie-head. I'm always up for suggestions but I'm content to take the easy way out and eliminate the offending software. Unless it's a game. Don't mess with my gaming, man!
How about you, Baker? Any luck?
Do you have spysweeper installed as well? There have been reports of spysweeper causing significant system resource usage with microsoft antispyware installed.
Just because you're paranoid doesn't mean that they all aren't out to get you! Still, nowadays, almost every single piece of software on your computer wants to update itself and if you have internet connection sharing turned on, just multiply that by the number of machines sharing the connection.
I'd suggest that if you have your dialup connection configured to connect automatically, you turn off that feature and don't let other computers on the network dial up on demand if you use internet connection sharing. If it is practical for you, I would REALLY suggest you dump dialup. Software updates keep getting bigger, web pages keep getting more graphically intensive, and prices for broadband continue to drop. More and more, dialup internet is just a replica of InterNet service, not the real thing.
Hi NooNoo
I have tried using housecall@trendmicro lately, after using it quite successfully in the past at home and at work, but lately, whilst using at home, I have had a problem on my pc and a laptop.
It downloads all the pattern files and scans ok, but when it reaches 100% and tries to roll over to Step (3), the summary page, it keeps on clicking as it does when opening a new internet page, and keeps downloading data but never rolls over. I have left it for well over half an hour to no avail.
The same thing happens on both my pc and laptop. Pc is XP PRO, laptop is running Win ME.
I tried ringing Trend but they don't offer any support for the online scan.
I believe I am infected with, amongst others, trojan Downloader.JS.IstBar.m (as discovered by F-secure online scanner), but neither my updated AVG, Spybot, A2 squared, TMAS-scan, Stinger, CWshredder can find anything.
Trend micro does find 2 infections, but due to the above problem, I can't find out what with.
Any thoughts?
From what I have found, the accesses seem to correlate to the addition of IPv6 to the PCs. It still doesn't make any sense to me that IPv6 would cause what I perceive to be a big unnecessary security risk, but there you go.
[QUOTE=daleallenbaker]Hi.
<snipped>
I installed Sygate Personal Firewall (free version) and it pops up a message to let me know:
ANYPROGRAM.EXE (anyprogram.exe) is trying to broadcast to [224.0.0.22]. Do you want to allow this program to access the network?
Now, I use the name anyprogram.exe, but I have seen this pop-up for MANY programs that have no business whatsoever accessing the network.
<snipped>[/QUOTE]
Answer:
When using Sygate, go to Settings>Network Neighborhood (or Options>Network Neighborhood for the free version).
Uncheck the box by "Permit me to browse and share both files and printers on this Network Connection".
The "..............224.0.0.22" message will stop appearing.
Your machine was/is looking for other Network machines.
BTW If you still get the "...224.0.0.22" (after turning off Network Browse checkbox in Sygate), then you most likely have the "SSDP Discovery Service" set to Automatic (start type) under Control Panel>Administrative Tools>Services. This Service also checks your home network (for interactive devices). It can be set to Manual or Disabled by most users. [It's for UPnP devices; not commonly used, yet. Search for UPnP, if you're interested.] ["Universal" Plug aNd Play, not to be confused with PnP.]
[QUOTE=st.daniel]I'm also having the same problem with many different programs broadcasting to 224.0.0.22. Your solution may stop the messages appearing (I've just tried it), but I still don't understand the reasons for different programs trying that direction, which is related to IGMP V3, I think. In my case, I was finishing one simulation with a program that I designed (so I can assure that it has nothing to do with the network, not even updating), and Sygate gave that annoying message saying that it was broadcasting.
Quote:
Originally Posted by daleallenbaker
So, my question is, couldn't this be a case of hijacking?
Thank you.
Well, all spyware issues and such aside, many (maybe even most) software these days wants to keep up to date and will try to connect to the Internet to do it. If your dialup connection is set to automatically connect whenever a program requests Internet access, it's going to be dialing virtually all the time even if only legitimate software is installed. This should be disabled unless you have a dedicated line.